==================================================================
BUG: KASAN: slab-out-of-bounds in ____bpf_clone_redirect /net/core/filter.c:1768 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x2de/0x2f0 /net/core/filter.c:1759
Read of size 8 at addr ffff8880a1388ed0 by task syz-executor.2/24932

CPU: 0 PID: 24932 Comm: syz-executor.2 Not tainted 4.14.133 #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack /lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c /lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc /mm/kasan/report.c:252
 kasan_report_error /mm/kasan/report.c:351 [inline]
 kasan_report /mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af /mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 /mm/kasan/report.c:430
 ____bpf_clone_redirect /net/core/filter.c:1768 [inline]
 bpf_clone_redirect+0x2de/0x2f0 /net/core/filter.c:1759
 bpf_prog_952a9deb36fe58b9+0x7e7/0x1000

Allocated by task 7383:
 save_stack_trace+0x16/0x20 /arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 /mm/kasan/kasan.c:447
 set_track /mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc /mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 /mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 /mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x780 /mm/slab.c:3552
 kmem_cache_zalloc /./include/linux/slab.h:651 [inline]
 get_empty_filp+0x8c/0x3b0 /fs/file_table.c:123
 alloc_file+0x23/0x440 /fs/file_table.c:164
 create_pipe_files+0x527/0x880 /fs/pipe.c:783
 __do_pipe_flags+0x38/0x210 /fs/pipe.c:816
 SYSC_pipe2 /fs/pipe.c:864 [inline]
 SyS_pipe2+0x69/0x120 /fs/pipe.c:858
 do_syscall_64+0x1e8/0x640 /arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7240:
 save_stack_trace+0x16/0x20 /arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 /mm/kasan/kasan.c:447
 set_track /mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 /mm/kasan/kasan.c:524
 __cache_free /mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 /mm/slab.c:3758
 file_free_rcu+0x63/0xa0 /fs/file_table.c:50
 __rcu_reclaim /kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch /kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks /kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks /kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x7b8/0x12b0 /kernel/rcu/tree.c:2946
 __do_softirq+0x244/0x9a0 /kernel/softirq.c:288

The buggy address belongs to the object at ffff8880a1388cc0
 which belongs to the cache filp of size 456
The buggy address is located 72 bytes to the right of
 456-byte region [ffff8880a1388cc0, ffff8880a1388e88)
The buggy address belongs to the page:
page:ffffea000284e200 count:1 mapcount:0 mapping:ffff8880a1388040 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880a1388040 0000000000000000 0000000100000006
raw: ffffea00029f2f60 ffffea00027fd3a0 ffff8880aa9e09c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a1388d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a1388e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a1388e80: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffff8880a1388f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a1388f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================