==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in nf_hook include/linux/netfilter.h:198 [inline]
BUG: KASAN: use-after-free in NF_HOOK include/linux/netfilter.h:248 [inline]
BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450 net/ipv4/ip_input.c:257
Read of size 8 at addr ffff8881a7095790 by task syz-executor4/21756

CPU: 0 PID: 21756 Comm: syz-executor4 Not tainted 4.14.97+ #3
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x10e lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0x88/0x2a5 mm/kasan/report.c:393

Allocated by task 21756:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc_node mm/slub.c:2723 [inline]
 slab_alloc mm/slub.c:2731 [inline]
 kmem_cache_alloc+0xd2/0x2d0 mm/slub.c:2736
 __build_skb+0x2e/0x2d0 net/core/skbuff.c:281
 build_skb+0x1a/0x1f0 net/core/skbuff.c:312
 tun_build_skb drivers/net/tun.c:1354 [inline]
 tun_get_user+0x248b/0x3790 drivers/net/tun.c:1467
 tun_chr_write_iter+0xcf/0x180 drivers/net/tun.c:1596
 call_write_iter include/linux/fs.h:1784 [inline]
 do_iter_readv_writev+0x379/0x580 fs/read_write.c:678
 do_iter_write fs/read_write.c:957 [inline]
 do_iter_write+0x152/0x550 fs/read_write.c:938
 vfs_writev+0x146/0x2d0 fs/read_write.c:1002
 do_writev+0xc9/0x240 fs/read_write.c:1037
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289

Freed by task 21756:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1410 [inline]
 slab_free mm/slub.c:2966 [inline]
 kmem_cache_free+0xc4/0x330 mm/slub.c:2988
 kfree_skbmem net/core/skbuff.c:582 [inline]
 kfree_skbmem+0xa0/0x100 net/core/skbuff.c:576
 __kfree_skb net/core/skbuff.c:642 [inline]
 kfree_skb+0xcd/0x350 net/core/skbuff.c:659
 ip_frag_queue net/ipv4/ip_fragment.c:507 [inline]
 ip_defrag+0x5f4/0x3b50 net/ipv4/ip_fragment.c:699
 ip_local_deliver+0x165/0x450 net/ipv4/ip_input.c:253
 dst_input include/net/dst.h:465 [inline]
 ip_rcv_finish+0x5c9/0x1490 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:250 [inline]
 ip_rcv+0xa1c/0xf41 net/ipv4/ip_input.c:494
 __netif_receive_skb_core+0x1364/0x2c60 net/core/dev.c:4477
 __netif_receive_skb+0x55/0x1f0 net/core/dev.c:4515
 netif_receive_skb_internal+0xec/0x5c0 net/core/dev.c:4588
 tun_rx_batched.isra.0+0x45d/0x730 drivers/net/tun.c:1218
 tun_get_user+0xd95/0x3790 drivers/net/tun.c:1570
 tun_chr_write_iter+0xcf/0x180 drivers/net/tun.c:1596
 call_write_iter include/linux/fs.h:1784 [inline]
 do_iter_readv_writev+0x379/0x580 fs/read_write.c:678
 do_iter_write fs/read_write.c:957 [inline]
 do_iter_write+0x152/0x550 fs/read_write.c:938
 vfs_writev+0x146/0x2d0 fs/read_write.c:1002
 do_writev+0xc9/0x240 fs/read_write.c:1037
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289

The buggy address belongs to the object at ffff8881a7095780
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 16 bytes inside of
 224-byte region [ffff8881a7095780, ffff8881a7095860)
The buggy address belongs to the page:
page:ffffea00069c2540 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
raw: dead000000000100 dead000000000200 ffff8881dab58200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881a7095680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881a7095700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881a7095780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8881a7095800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8881a7095880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================