==================================================================
BUG: KASAN: use-after-free in erspan_build_header+0x392/0x3b0 net/ipv4/ip_gre.c:706
Read of size 2 at addr ffff8880928ef50b by task syz-executor.1/7916

CPU: 1 PID: 7916 Comm: syz-executor.1 Not tainted 4.14.112 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
 erspan_build_header+0x392/0x3b0 net/ipv4/ip_gre.c:706
 erspan_xmit net/ipv4/ip_gre.c:748 [inline]
 erspan_xmit+0x3ec/0x11c0 net/ipv4/ip_gre.c:725
 __netdev_start_xmit include/linux/netdevice.h:4033 [inline]
 netdev_start_xmit include/linux/netdevice.h:4042 [inline]
 packet_direct_xmit+0x438/0x640 net/packet/af_packet.c:269
 packet_snd net/packet/af_packet.c:2969 [inline]
 packet_sendmsg+0x31e1/0x5990 net/packet/af_packet.c:2994
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xd0/0x110 net/socket.c:656
 ___sys_sendmsg+0x70c/0x850 net/socket.c:2062
 __sys_sendmsg+0xb9/0x140 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2103
 do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007f94a1fa4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458c29
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94a1fa56d4
R13: 00000000004c64a3 R14: 00000000004dadd8 R15: 00000000ffffffff

Allocated by task 7140:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x51/0x80 mm/slab.c:3696
 __kmalloc_reserve.isra.0+0x40/0xe0 net/core/skbuff.c:137
 __alloc_skb+0xcf/0x500 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:980 [inline]
 __tcp_send_ack.part.0+0x67/0x5b0 net/ipv4/tcp_output.c:3596
 __tcp_send_ack net/ipv4/tcp_output.c:3623 [inline]
 tcp_send_ack+0x7a/0xa0 net/ipv4/tcp_output.c:3623
 tcp_cleanup_rbuf+0x15a/0x4b0 net/ipv4/tcp.c:1581
 tcp_recvmsg+0x668/0x1cd0 net/ipv4/tcp.c:1998
 inet_recvmsg+0x101/0x500 net/ipv4/af_inet.c:793
 sock_recvmsg_nosec net/socket.c:819 [inline]
 sock_recvmsg net/socket.c:826 [inline]
 sock_recvmsg+0xc8/0x110 net/socket.c:822
 sock_read_iter+0x22f/0x340 net/socket.c:903
 call_read_iter include/linux/fs.h:1768 [inline]
 new_sync_read fs/read_write.c:401 [inline]
 __vfs_read+0x4ab/0x6b0 fs/read_write.c:413
 vfs_read+0x137/0x350 fs/read_write.c:447
 SYSC_read fs/read_write.c:573 [inline]
 SyS_read+0xb8/0x180 fs/read_write.c:566
 do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7140:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcc/0x270 mm/slab.c:3815
 skb_free_head+0x8b/0xb0 net/core/skbuff.c:554
 skb_release_data+0x4b9/0x6f0 net/core/skbuff.c:574
 skb_release_all+0x4d/0x60 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb+0xaf/0x340 net/core/skbuff.c:705
 __dev_kfree_skb_any+0x84/0xb0 net/core/dev.c:2533
 dev_consume_skb_any include/linux/netdevice.h:3271 [inline]
 free_old_xmit_skbs.isra.0+0x17c/0x2a0 drivers/net/virtio_net.c:1137
 start_xmit+0x14e/0x1420 drivers/net/virtio_net.c:1299
 __netdev_start_xmit include/linux/netdevice.h:4033 [inline]
 netdev_start_xmit include/linux/netdevice.h:4042 [inline]
 xmit_one net/core/dev.c:3009 [inline]
 dev_hard_start_xmit+0x191/0x8c0 net/core/dev.c:3025
 sch_direct_xmit+0x27a/0x550 net/sched/sch_generic.c:186
 __dev_xmit_skb net/core/dev.c:3218 [inline]
 __dev_queue_xmit+0x1b7c/0x25f0 net/core/dev.c:3493
 dev_queue_xmit+0x18/0x20 net/core/dev.c:3558
 neigh_hh_output include/net/neighbour.h:490 [inline]
 neigh_output include/net/neighbour.h:498 [inline]
 ip_finish_output2+0xdd8/0x1490 net/ipv4/ip_output.c:229
 ip_finish_output+0x578/0xc70 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip_output+0x1e6/0x590 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:459 [inline]
 ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:124
 ip_queue_xmit+0x7d7/0x1b10 net/ipv4/ip_output.c:504
 __tcp_transmit_skb+0x1744/0x3000 net/ipv4/tcp_output.c:1130
 __tcp_send_ack.part.0+0x3c8/0x5b0 net/ipv4/tcp_output.c:3617
 __tcp_send_ack net/ipv4/tcp_output.c:3623 [inline]
 tcp_send_ack+0x7a/0xa0 net/ipv4/tcp_output.c:3623
 tcp_cleanup_rbuf+0x15a/0x4b0 net/ipv4/tcp.c:1581
 tcp_recvmsg+0x668/0x1cd0 net/ipv4/tcp.c:1998
 inet_recvmsg+0x101/0x500 net/ipv4/af_inet.c:793
 sock_recvmsg_nosec net/socket.c:819 [inline]
 sock_recvmsg net/socket.c:826 [inline]
 sock_recvmsg+0xc8/0x110 net/socket.c:822
 sock_read_iter+0x22f/0x340 net/socket.c:903
 call_read_iter include/linux/fs.h:1768 [inline]
 new_sync_read fs/read_write.c:401 [inline]
 __vfs_read+0x4ab/0x6b0 fs/read_write.c:413
 vfs_read+0x137/0x350 fs/read_write.c:447
 SYSC_read fs/read_write.c:573 [inline]
 SyS_read+0xb8/0x180 fs/read_write.c:566
 do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8880928ef200
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 779 bytes inside of
 1024-byte region [ffff8880928ef200, ffff8880928ef600)
The buggy address belongs to the page:
page:ffffea00024a3b80 count:1 mapcount:0 mapping:ffff8880928ee000 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffff8880928ee000 0000000000000000 0000000100000007
raw: ffffea00024cf720 ffffea00025506a0 ffff8880aa800ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880928ef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880928ef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880928ef500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8880928ef580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880928ef600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================