==================================================================
BUG: KASAN: use-after-free in erspan_build_header+0x392/0x3b0 net/ipv4/ip_gre.c:706
Read of size 2 at addr ffff8880928ef50b by task syz-executor.1/7916

CPU: 1 PID: 7916 Comm: syz-executor.1 Not tainted 4.14.112 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
 erspan_build_header+0x392/0x3b0 net/ipv4/ip_gre.c:706
 erspan_xmit net/ipv4/ip_gre.c:748 [inline]
 erspan_xmit+0x3ec/0x11c0 net/ipv4/ip_gre.c:725
 __netdev_start_xmit include/linux/netdevice.h:4033 [inline]
 netdev_start_xmit include/linux/netdevice.h:4042 [inline]
 packet_direct_xmit+0x438/0x640 net/packet/af_packet.c:269
 packet_snd net/packet/af_packet.c:2969 [inline]
 packet_sendmsg+0x31e1/0x5990 net/packet/af_packet.c:2994
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xd0/0x110 net/socket.c:656
 ___sys_sendmsg+0x70c/0x850 net/socket.c:2062
 __sys_sendmsg+0xb9/0x140 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2103
 do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007f94a1fa4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458c29
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94a1fa56d4
R13: 00000000004c64a3 R14: 00000000004dadd8 R15: 00000000ffffffff

Allocated by task 7140:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x51/0x80 mm/slab.c:3696
 __kmalloc_reserve.isra.0+0x40/0xe0 net/core/skbuff.c:137
 __alloc_skb+0xcf/0x500 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:980 [inline]
 __tcp_send_ack.part.0+0x67/0x5b0 net/ipv4/tcp_output.c:3596
 __tcp_send_ack net/ipv4/tcp_output.c:3623 [inline]
 tcp_send_ack+0x7a/0xa0 net/ipv4/tcp_output.c:3623
 tcp_cleanup_rbuf+0x15a/0x4b0 net/ipv4/tcp.c:1581
 tcp_recvmsg+0x668/0x1cd0 net/ipv4/tcp.c:1998
 inet_recvmsg+0x101/0x500 net/ipv4/af_inet.c:793
 sock_recvmsg_nosec net/socket.c:819 [inline]
 sock_recvmsg net/socket.c:826 [inline]
 sock_recvmsg+0xc8/0x110 net/socket.c:822
 sock_read_iter+0x22f/0x340 net/socket.c:903
 call_read_iter include/linux/fs.h:1768 [inline]
 new_sync_read fs/read_write.c:401 [inline]
 __vfs_read+0x4ab/0x6b0 fs/read_write.c:413
 vfs_read+0x137/0x350 fs/read_write.c:447
 SYSC_read fs/read_write.c:573 [inline]
 SyS_read+0xb8/0x180 fs/read_write.c:566
 do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7140:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcc/0x270 mm/slab.c:3815
 skb_free_head+0x8b/0xb0 net/core/skbuff.c:554
 skb_release_data+0x4b9/0x6f0 net/core/skbuff.c:574
 skb_release_all+0x4d/0x60 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb+0xaf/0x340 net/core/skbuff.c:705
 __dev_kfree_skb_any+0x84/0xb0 net/core/dev.c:2533
 dev_consume_skb_any include/linux/netdevice.h:3271 [inline]
 free_old_xmit_skbs.isra.0+0x17c/0x2a0 drivers/net/virtio_net.c:1137
 start_xmit+0x14e/0x1420 drivers/net/virtio_net.c:1299
 __netdev_start_xmit include/linux/netdevice.h:4033 [inline]
 netdev_start_xmit include/linux/netdevice.h:4042 [inline]
 xmit_one net/core/dev.c:3009 [inline]
 dev_hard_start_xmit+0x191/0x8c0 net/core/dev.c:3025
 sch_direct_xmit+0x27a/0x550 net/sched/sch_generic.c:186
 __dev_xmit_skb net/core/dev.c:3218 [inline]
 __dev_queue_xmit+0x1b7c/0x25f0 net/core/dev.c:3493
 dev_queue_xmit+0x18/0x20 net/core/dev.c:3558
 neigh_hh_output include/net/neighbour.h:490 [inline]
 neigh_output include/net/neighbour.h:498 [inline]
 ip_finish_output2+0xdd8/0x1490 net/ipv4/ip_output.c:229
 ip_finish_output+0x578/0xc70 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip_output+0x1e6/0x590 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:459 [inline]
 ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:124
 ip_queue_xmit+0x7d7/0x1b10 net/ipv4/ip_output.c:504
 __tcp_transmit_skb+0x1744/0x3000 net/ipv4/tcp_output.c:1130
 __tcp_send_ack.part.0+0x3c8/0x5b0 net/ipv4/tcp_output.c:3617
 __tcp_send_ack net/ipv4/tcp_output.c:3623 [inline]
 tcp_send_ack+0x7a/0xa0 net/ipv4/tcp_output.c:3623
 tcp_cleanup_rbuf+0x15a/0x4b0 net/ipv4/tcp.c:1581
 tcp_recvmsg+0x668/0x1cd0 net/ipv4/tcp.c:1998
 inet_recvmsg+0x101/0x500 net/ipv4/af_inet.c:793
 sock_recvmsg_nosec net/socket.c:819 [inline]
 sock_recvmsg net/socket.c:826 [inline]
 sock_recvmsg+0xc8/0x110 net/socket.c:822
 sock_read_iter+0x22f/0x340 net/socket.c:903
 call_read_iter include/linux/fs.h:1768 [inline]
 new_sync_read fs/read_write.c:401 [inline]
 __vfs_read+0x4ab/0x6b0 fs/read_write.c:413
 vfs_read+0x137/0x350 fs/read_write.c:447
 SYSC_read fs/read_write.c:573 [inline]
 SyS_read+0xb8/0x180 fs/read_write.c:566
 do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8880928ef200
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 779 bytes inside of
 1024-byte region [ffff8880928ef200, ffff8880928ef600)
The buggy address belongs to the page:
page:ffffea00024a3b80 count:1 mapcount:0 mapping:ffff8880928ee000 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffff8880928ee000 0000000000000000 0000000100000007
raw: ffffea00024cf720 ffffea00025506a0 ffff8880aa800ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880928ef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880928ef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880928ef500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8880928ef580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880928ef600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================