8021q: adding VLAN 0 to HW filter on device team0
protocol 8847 is buggy, dev sit0
==================================================================
BUG: KASAN: use-after-free in skb_is_gso include/linux/skbuff.h:4035 [inline]
BUG: KASAN: use-after-free in iptunnel_handle_offloads+0x62b/0x710 net/ipv4/ip_tunnel_core.c:170
Read of size 2 at addr ffff8801c737e644 by task syzkaller584760/4483

CPU: 0 PID: 4483 Comm: syzkaller584760 Not tainted 4.16.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
 skb_is_gso include/linux/skbuff.h:4035 [inline]
 iptunnel_handle_offloads+0x62b/0x710 net/ipv4/ip_tunnel_core.c:170
 sit_tunnel_xmit__+0x2a/0x160 net/ipv6/sit.c:1008
 sit_tunnel_xmit+0x1275/0x30b0 net/ipv6/sit.c:1033
 __netdev_start_xmit include/linux/netdevice.h:4087 [inline]
 netdev_start_xmit include/linux/netdevice.h:4096 [inline]
 xmit_one net/core/dev.c:3053 [inline]
 dev_hard_start_xmit+0x264/0xc10 net/core/dev.c:3069
 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x411c/0x60b0 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x525/0x940 net/socket.c:2117
 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
 SYSC_sendmmsg net/socket.c:2241 [inline]
 SyS_sendmmsg+0x32/0x40 net/socket.c:2238
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441bf9
RSP: 002b:00007fff0dfa5d08 EFLAGS: 00000213 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441bf9
RDX: 0000000000000001 RSI: 0000000020003080 RDI: 0000000000000004
RBP: 00000000006cd018 R08: 00007fff0000f094 R09: 00007fff0000f094
R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000402840
R13: 00000000004028d0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 4483:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
 __kmalloc_reserve.isra.38+0x3a/0xe0 net/core/skbuff.c:137
 __alloc_skb+0x14d/0x780 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:987 [inline]
 alloc_skb_with_frags+0x137/0x760 net/core/skbuff.c:5249
 sock_alloc_send_pskb+0x87a/0xae0 net/core/sock.c:2088
 packet_alloc_skb net/packet/af_packet.c:2803 [inline]
 packet_snd net/packet/af_packet.c:2894 [inline]
 packet_sendmsg+0x1bd1/0x60b0 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x525/0x940 net/socket.c:2117
 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
 SYSC_sendmmsg net/socket.c:2241 [inline]
 SyS_sendmmsg+0x32/0x40 net/socket.c:2238
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 4483:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 skb_free_head+0x99/0xc0 net/core/skbuff.c:550
 skb_release_data+0x690/0x860 net/core/skbuff.c:570
 skb_release_all+0x4a/0x60 net/core/skbuff.c:627
 __kfree_skb net/core/skbuff.c:641 [inline]
 consume_skb+0x18b/0x550 net/core/skbuff.c:701
 packet_rcv+0x16a/0x1800 net/packet/af_packet.c:2162
 dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
 xmit_one net/core/dev.c:3049 [inline]
 dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x411c/0x60b0 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x525/0x940 net/socket.c:2117
 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212
 SYSC_sendmmsg net/socket.c:2241 [inline]
 SyS_sendmmsg+0x32/0x40 net/socket.c:2238
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8801c737e580
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 196 bytes inside of
 512-byte region [ffff8801c737e580, ffff8801c737e780)
The buggy address belongs to the page:
page:ffffea00071cdf80 count:1 mapcount:0 mapping:ffff8801c737e080 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801c737e080 0000000000000000 0000000100000006
raw: ffffea00070c6ba0 ffffea000710b8a0 ffff8801dac00940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c737e500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801c737e580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c737e600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801c737e680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c737e700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
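The report above is raw syzkaller output. What follows is an added example, not part of that report and not kernel code: a small Python triage parser that pulls the access, allocation and free stacks out of a KASAN report of this shape, skips the sanitizer and allocator plumbing frames to find the real fault, alloc and free sites, tolerates dmesg lines interleaved with the trace (as the "protocol 8847 is buggy" messages are here), and cross-checks the printed offset against the fault and object addresses. The frame syntax, the section markers and the skip-list prefixes are my own assumptions drawn from this report's layout; the embedded sample is a constructed, condensed copy of the report with most frames elided.

```python
# Added example, not from the syzkaller report or the kernel: a triage parser for
# KASAN reports of the shape shown above.  Frame syntax, section markers and the
# "plumbing" skip-lists are my own assumptions taken from that report's text.
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: condensed copy of the report above (frames elided), with one
# interleaved "protocol 8847 is buggy" line kept inside the trace to exercise noise handling.
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: use-after-free in skb_is_gso include/linux/skbuff.h:4035 [inline]
BUG: KASAN: use-after-free in iptunnel_handle_offloads+0x62b/0x710 net/ipv4/ip_tunnel_core.c:170
Read of size 2 at addr ffff8801c737e644 by task syzkaller584760/4483
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 skb_is_gso include/linux/skbuff.h:4035 [inline]
 iptunnel_handle_offloads+0x62b/0x710 net/ipv4/ip_tunnel_core.c:170
 sit_tunnel_xmit__+0x2a/0x160 net/ipv6/sit.c:1008
protocol 8847 is buggy, dev sit0
 packet_sendmsg+0x411c/0x60b0 net/packet/af_packet.c:2969
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441bf9
Allocated by task 4483:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 __kmalloc_reserve.isra.38+0x3a/0xe0 net/core/skbuff.c:137
 packet_sendmsg+0x1bd1/0x60b0 net/packet/af_packet.c:2969
Freed by task 4483:
 kfree+0xd9/0x260 mm/slab.c:3813
 skb_free_head+0x99/0xc0 net/core/skbuff.c:550
 consume_skb+0x18b/0x550 net/core/skbuff.c:701
 packet_rcv+0x16a/0x1800 net/packet/af_packet.c:2162
 dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
The buggy address belongs to the object at ffff8801c737e580
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 196 bytes inside of
 512-byte region [ffff8801c737e580, ffff8801c737e780)
"""

FRAME_RE = re.compile(r"^(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?:\s+(?P<file>[\w./-]+):(?P<line>\d+))?(?:\s+\[inline\])?$")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<comm>\S+)/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"object at (?P<obj>[0-9a-f]+)\s+which belongs to the cache (?P<cache>\S+)"
                       r" of size (?P<size>\d+).*?located (?P<off>\d+) bytes inside of")
PLUMBING = ("mm/kasan/", "lib/dump_stack.c")   # sanitizer frames sitting above the real fault
ALLOCATOR = ("mm/",)                           # allocator frames sitting above the real alloc/free
Frame = namedtuple("Frame", "func file line inline")

@dataclass
class KasanReport:
    kind: str = ""; op: str = ""; size: int = 0; addr: int = 0; comm: str = ""; pid: int = 0
    cache: str = ""; object_addr: int = 0; object_size: int = 0; offset: int = 0
    stacks: dict = field(default_factory=lambda: {"access": [], "alloc": [], "free": []})

def parse_kasan_report(text: str) -> KasanReport:
    rep, stack = KasanReport(), None          # `stack` is the list currently being filled
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("BUG: KASAN: ") and not rep.kind:
            rep.kind = line.split()[2]        # e.g. "use-after-free"
        elif m := ACCESS_RE.match(line):
            rep.op, rep.size, rep.addr = m["op"], int(m["size"]), int(m["addr"], 16)
            rep.comm, rep.pid = m["comm"], int(m["pid"])
        elif line == "Call Trace:":
            stack = rep.stacks["access"]
        elif line.startswith("Allocated by task"):
            stack = rep.stacks["alloc"]
        elif line.startswith("Freed by task"):
            stack = rep.stacks["free"]
        elif line.startswith(("RIP:", "The buggy address")):
            stack = None                      # register dump / object info ends a trace
        elif stack is not None and (m := FRAME_RE.match(line)):   # non-frame lines in a
            stack.append(Frame(m["func"], m["file"], int(m["line"]) if m["line"] else None,
                               line.endswith("[inline]")))        # trace (dmesg noise) are skipped
    if m := OBJECT_RE.search(" ".join(text.split())):   # object fields span two lines
        rep.cache, rep.object_addr = m["cache"], int(m["obj"], 16)
        rep.object_size, rep.offset = int(m["size"]), int(m["off"])
    return rep

def site(frames, skip):
    """Innermost frame whose file is not under one of the `skip` prefixes."""
    return next((f for f in frames if f.file and not f.file.startswith(skip)), None)

def caller_of(frames, func):
    """The frame that called `func` (KASAN traces are innermost-first)."""
    names = [f.func for f in frames]
    return frames[names.index(func) + 1] if func in names[:-1] else None

def offset_is_consistent(rep: KasanReport) -> bool:
    return rep.addr - rep.object_addr == rep.offset and rep.offset < rep.object_size

def loc(f) -> str:
    return f"{f.func} ({f.file}:{f.line})" if f and f.file else str(f and f.func)

def summarize(rep: KasanReport) -> str:
    s = rep.stacks
    return (f"{rep.kind}: {rep.op.lower()} of {rep.size} bytes at offset {rep.offset} into "
            f"{rep.cache}; allocated by {loc(site(s['alloc'], ALLOCATOR))}, freed by "
            f"{loc(site(s['free'], ALLOCATOR))}, used again in {loc(site(s['access'], PLUMBING))}")
```

On the sample, summarize() returns "use-after-free: read of 2 bytes at offset 196 into kmalloc-512; allocated by __kmalloc_reserve.isra.38 (net/core/skbuff.c:137), freed by skb_free_head (net/core/skbuff.c:550), used again in skb_is_gso (include/linux/skbuff.h:4035)", and offset_is_consistent() confirms that 0xffff8801c737e644 minus 0xffff8801c737e580 really is 196. The two caller_of() lookups a triager reaches for next are the frame after consume_skb in the free stack (packet_rcv, entered from dev_queue_xmit_nit, i.e. the tap-delivery path) and the frame after iptunnel_handle_offloads in the access stack (sit_tunnel_xmit__): together they say the skb head was released on the tap path of the same transmit and then read again further down the sit transmit path.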