IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
syz-executor366 (8184) used greatest stack depth: 24576 bytes left
syz-executor366 (8185) used greatest stack depth: 24496 bytes left
==================================================================
BUG: KASAN: use-after-free in ipgre_header+0x32e/0x340 net/ipv4/ip_gre.c:850
Write of size 2 at addr ffff88816b700836 by task syz-executor366/8187

CPU: 1 PID: 8187 Comm: syz-executor366 Not tainted 4.14.290-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_store_n_noabort+0x6b/0x80 mm/kasan/report.c:446
 ipgre_header+0x32e/0x340 net/ipv4/ip_gre.c:850
 dev_hard_header include/linux/netdevice.h:2723 [inline]
 neigh_connected_output+0x355/0x580 net/core/neighbour.c:1393
 neigh_output include/net/neighbour.h:500 [inline]
 ip_finish_output2+0xba6/0x1340 net/ipv4/ip_output.c:237
 ip_finish_output+0x37c/0xc50 net/ipv4/ip_output.c:325
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip_mc_output+0x220/0xcb0 net/ipv4/ip_output.c:398
 dst_output include/net/dst.h:470 [inline]
 ip_local_out+0x93/0x170 net/ipv4/ip_output.c:125
 iptunnel_xmit+0x5cc/0x950 net/ipv4/ip_tunnel_core.c:91
 ip_tunnel_xmit+0xedc/0x33e0 net/ipv4/ip_tunnel.c:799
 ipip_tunnel_xmit+0x1ea/0x240 net/ipv4/ipip.c:308
 __netdev_start_xmit include/linux/netdevice.h:4054 [inline]
 netdev_start_xmit include/linux/netdevice.h:4063 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
 __dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
 neigh_output include/net/neighbour.h:500 [inline]
 ip_finish_output2+0xba6/0x1340 net/ipv4/ip_output.c:237
 ip_finish_output+0x37c/0xc50 net/ipv4/ip_output.c:325
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip_mc_output+0x220/0xcb0 net/ipv4/ip_output.c:398
 dst_output include/net/dst.h:470 [inline]
 ip_local_out+0x93/0x170 net/ipv4/ip_output.c:125
 iptunnel_xmit+0x5cc/0x950 net/ipv4/ip_tunnel_core.c:91
 ip_tunnel_xmit+0xedc/0x33e0 net/ipv4/ip_tunnel.c:799
 ipgre_xmit+0x412/0x780 net/ipv4/ip_gre.c:670
 __netdev_start_xmit include/linux/netdevice.h:4054 [inline]
 netdev_start_xmit include/linux/netdevice.h:4063 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
 __dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
 __bpf_tx_skb net/core/filter.c:1715 [inline]
 __bpf_redirect_common net/core/filter.c:1754 [inline]
 __bpf_redirect+0x5cf/0x9c0 net/core/filter.c:1761
 ____bpf_clone_redirect net/core/filter.c:1794 [inline]
 bpf_clone_redirect+0x1e1/0x2c0 net/core/filter.c:1766
 ___bpf_prog_run+0x2459/0x5630 kernel/bpf/core.c:1133

The buggy address belongs to the page:
page:ffffea0005adc000 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x57ff00000000000()
raw: 057ff00000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0005adc020 ffffea0005adc020 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88816b700700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88816b700780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88816b700800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff88816b700880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88816b700900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================