==================================================================
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2ef/0x340 fs/ext4/dir.c:75
Read of size 1 at addr ffff8880b021d000 by task syz-executor.2/16824

CPU: 0 PID: 16824 Comm: syz-executor.2 Not tainted 4.14.202-syzkaller #0
audit: type=1804 audit(1603655230.898:82): pid=16835 uid=0 auid=0 ses=4 op="invalid_pcr" cause="open_writers" comm="syz-executor.1" name="/root/syzkaller-testdir756769413/syzkaller.13Ez93/2479/bus" dev="sda1" ino=16209 res=1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load1_noabort+0x68/0x70 mm/kasan/report.c:427
 __ext4_check_dir_entry+0x2ef/0x340 fs/ext4/dir.c:75
 ext4_readdir+0x7fd/0x27e0 fs/ext4/dir.c:240
 iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
 SYSC_getdents fs/readdir.c:269 [inline]
 SyS_getdents+0x125/0x240 fs/readdir.c:250
audit: type=1804 audit(1603655230.898:83): pid=16835 uid=0 auid=0 ses=4 op="invalid_pcr" cause="ToMToU" comm="syz-executor.1" name="/root/syzkaller-testdir756769413/syzkaller.13Ez93/2479/bus" dev="sda1" ino=16209 res=1
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45de59
RSP: 002b:00007f4f80771c78 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 0000000000003f80 RCX: 000000000045de59
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffe53895f8f R14: 00007f4f807729c0 R15: 000000000118bf2c

Allocated by task 9308:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_node+0x146/0x410 mm/slab.c:3642
 __alloc_skb+0x5c/0x510 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:980 [inline]
 nlmsg_new include/net/netlink.h:511 [inline]
 fdb_notify+0x89/0x150 net/bridge/br_fdb.c:689
 fdb_delete+0x137/0x400 net/bridge/br_fdb.c:181
 fdb_delete_local+0x516/0x6b0 net/bridge/br_fdb.c:217
 br_fdb_delete_by_port+0x157/0x1f0 net/bridge/br_fdb.c:397
 del_nbp+0x382/0x9a0 net/bridge/br_if.c:282
 br_dev_delete+0x95/0x190 net/bridge/br_if.c:310
 default_device_exit_batch+0x204/0x380 net/core/dev.c:8741
 ops_exit_list+0xf9/0x150 net/core/net_namespace.c:145
 cleanup_net+0x3b3/0x840 net/core/net_namespace.c:484
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 9308:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 kfree_skbmem+0x98/0x100 net/core/skbuff.c:586
 __kfree_skb net/core/skbuff.c:646 [inline]
 consume_skb+0xed/0x380 net/core/skbuff.c:705
 netlink_broadcast_filtered+0x2ab/0x9e0 net/netlink/af_netlink.c:1489
 netlink_broadcast net/netlink/af_netlink.c:1511 [inline]
 nlmsg_multicast include/net/netlink.h:591 [inline]
 nlmsg_notify+0x126/0x170 net/netlink/af_netlink.c:2476
 fdb_notify+0xdb/0x150 net/bridge/br_fdb.c:700
 fdb_delete+0x137/0x400 net/bridge/br_fdb.c:181
 fdb_delete_local+0x516/0x6b0 net/bridge/br_fdb.c:217
 br_fdb_delete_by_port+0x157/0x1f0 net/bridge/br_fdb.c:397
 del_nbp+0x382/0x9a0 net/bridge/br_if.c:282
 br_dev_delete+0x95/0x190 net/bridge/br_if.c:310
 default_device_exit_batch+0x204/0x380 net/core/dev.c:8741
 ops_exit_list+0xf9/0x150 net/core/net_namespace.c:145
 cleanup_net+0x3b3/0x840 net/core/net_namespace.c:484
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff8880b021d0c0
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 192 bytes to the left of
 232-byte region [ffff8880b021d0c0, ffff8880b021d1a8)
The buggy address belongs to the page:
page:ffffea0002c08740 count:1 mapcount:0 mapping:ffff8880b021d0c0 index:0xffff8880b021d200
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880b021d0c0 ffff8880b021d200 0000000100000007
raw: ffffea0002719620 ffffea000269eb60 ffff8880b552fa80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b021cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880b021cf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880b021d000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8880b021d080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880b021d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================