==================================================================
BUG: KASAN: use-after-free in __skb_flow_dissect+0xf74/0x4dd0 net/core/flow_dissector.c:1044
Read of size 1 at addr ffff8881750e000e by task syz-executor.0/5876

CPU: 1 PID: 5876 Comm: syz-executor.0 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 __skb_flow_dissect+0xf74/0x4dd0 net/core/flow_dissector.c:1044
 skb_flow_dissect_flow_keys include/linux/skbuff.h:1339 [inline]
 ___skb_get_hash net/core/flow_dissector.c:1569 [inline]
 __skb_get_hash+0xaf/0x200 net/core/flow_dissector.c:1635
 skb_get_hash include/linux/skbuff.h:1381 [inline]
 ip_tunnel_xmit+0x1164/0x2360 net/ipv4/ip_tunnel.c:728
 ipip_tunnel_xmit+0x331/0x430 net/ipv4/ipip.c:307
 __netdev_start_xmit include/linux/netdevice.h:4944 [inline]
 netdev_start_xmit include/linux/netdevice.h:4958 [inline]
 xmit_one net/core/dev.c:3659 [inline]
 dev_hard_start_xmit+0x1a5/0x700 net/core/dev.c:3675
 __dev_queue_xmit+0x212f/0x2de0 net/core/dev.c:4285
 neigh_output include/net/neighbour.h:510 [inline]
 ip_finish_output2+0x659/0x1da0 net/ipv4/ip_output.c:230
 iptunnel_xmit+0x533/0x970 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x133c/0x2360 net/ipv4/ip_tunnel.c:810
 ipgre_xmit+0x3dd/0x870 net/ipv4/ip_gre.c:655
 __netdev_start_xmit include/linux/netdevice.h:4944 [inline]
 netdev_start_xmit include/linux/netdevice.h:4958 [inline]
 xmit_one net/core/dev.c:3659 [inline]
 dev_hard_start_xmit+0x1a5/0x700 net/core/dev.c:3675
 __dev_queue_xmit+0x212f/0x2de0 net/core/dev.c:4285
 __bpf_tx_skb net/core/filter.c:2113 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2138 [inline]
 __bpf_redirect+0x4d9/0xc20 net/core/filter.c:2161
 ____bpf_clone_redirect net/core/filter.c:2445 [inline]
 bpf_clone_redirect+0x275/0x3f0 net/core/filter.c:2417
 bpf_prog_801cabf80fc815cd+0x59/0x304
 bpf_dispatcher_nop_func include/linux/bpf.h:687 [inline]
 bpf_test_run+0x40d/0x930 net/bpf/test_run.c:118
 bpf_prog_test_run_skb+0x96b/0x1bd0 net/bpf/test_run.c:657
 bpf_prog_test_run kernel/bpf/syscall.c:3207 [inline]
 __sys_bpf+0x1bf3/0x3c90 kernel/bpf/syscall.c:4487
 __do_sys_bpf kernel/bpf/syscall.c:4573 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4571 [inline]
 __x64_sys_bpf+0x70/0xb0 kernel/bpf/syscall.c:4571
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fbef08be209
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbef0033168 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fbef09d0f60 RCX: 00007fbef08be209
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007fbef0918161 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd192e67ef R14: 00007fbef0033300 R15: 0000000000022000

The buggy address belongs to the page:
page:ffffea0005d43800 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1750e0
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000000 ffffea0005d43808 ffffea0005d43808 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
 ffff8881750dff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881750dff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881750e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8881750e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881750e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================