==================================================================
BUG: KASAN: slab-out-of-bounds in erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
Read of size 2 at addr ffff8801cc880a8b by task syz-executor4/14344

CPU: 0 PID: 14344 Comm: syz-executor4 Not tainted 4.15.0-rc9+ #190
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
 erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
 erspan_xmit+0x3b8/0x13b0 net/ipv4/ip_gre.c:740
 __netdev_start_xmit include/linux/netdevice.h:4042 [inline]
 netdev_start_xmit include/linux/netdevice.h:4051 [inline]
 packet_direct_xmit+0x315/0x6b0 net/packet/af_packet.c:266
 packet_snd net/packet/af_packet.c:2943 [inline]
 packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2968
 sock_sendmsg_nosec net/socket.c:638 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:648
 SYSC_sendto+0x361/0x5c0 net/socket.c:1729
 SyS_sendto+0x40/0x50 net/socket.c:1697
 do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
 do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
 entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
RIP: 0023:0xf7fe6c79
RSP: 002b:00000000f77e208c EFLAGS: 00000296 ORIG_RAX: 0000000000000171
RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 000000002000a000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000020008000
RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 14072:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
 kmem_cache_zalloc include/linux/slab.h:678 [inline]
 get_empty_filp+0xfb/0x4f0 fs/file_table.c:123
 alloc_file+0x26/0x390 fs/file_table.c:164
 sock_alloc_file+0x1f3/0x560 net/socket.c:417
 sock_map_fd+0x34/0x90 net/socket.c:444
 SYSC_socket net/socket.c:1341 [inline]
 SyS_socket+0x125/0x1d0 net/socket.c:1317
 do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
 do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
 entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129

Freed by task 14068:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3488 [inline]
 kmem_cache_free+0x83/0x2a0 mm/slab.c:3746
 file_free_rcu+0x5c/0x70 fs/file_table.c:50
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2758 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3012 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2979 [inline]
 rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2996
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285

The buggy address belongs to the object at ffff8801cc880840
 which belongs to the cache filp of size 456
The buggy address is located 131 bytes to the right of
 456-byte region [ffff8801cc880840, ffff8801cc880a08)
The buggy address belongs to the page:
page:ffffea0007322000 count:1 mapcount:0 mapping:ffff8801cc8800c0 index:0xffff8801cc880340
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801cc8800c0 ffff8801cc880340 0000000100000005
raw: ffffea00074e6060 ffffea0007622260 ffff8801dae2c180 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cc880980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cc880a00: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801cc880a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                      ^
 ffff8801cc880b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cc880b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================