syzbot

==================================================================
8021q: adding VLAN 0 to HW filter on device batadv2
BUG: KASAN: user-memory-access in atomic_add include/asm-generic/atomic-instrumented.h:143 [inline]
BUG: KASAN: user-memory-access in do_profile_hits.constprop.0+0x2ae/0x610 kernel/profile.c:324
Write of size 4 at addr 00000007fffc4414 by task syz-executor.2/8370

CPU: 1 PID: 8370 Comm: syz-executor.2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
netlink: 'syz-executor.1': attribute type 5 has an invalid length.
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 kasan_report_error.cold+0x15b/0x1b9 mm/kasan/report.c:352
device dummy0 entered promiscuous mode
 kasan_report+0x8f/0xa0 mm/kasan/report.c:412
 atomic_add include/asm-generic/atomic-instrumented.h:143 [inline]
 do_profile_hits.constprop.0+0x2ae/0x610 kernel/profile.c:324
 profile_hits kernel/profile.c:398 [inline]
 profile_hit include/linux/profile.h:64 [inline]
 profile_tick+0xd7/0xf0 kernel/profile.c:408
device macvlan2 entered promiscuous mode
 tick_sched_timer+0xfc/0x290 kernel/time/tick-sched.c:1278
 __run_hrtimer kernel/time/hrtimer.c:1465 [inline]
 __hrtimer_run_queues+0x3f6/0xe60 kernel/time/hrtimer.c:1527
 hrtimer_interrupt+0x326/0x9e0 kernel/time/hrtimer.c:1585
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1071 [inline]
 smp_apic_timer_interrupt+0x10c/0x550 arch/x86/kernel/apic/apic.c:1096
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
IPv6: ADDRCONF(NETDEV_UP): macvlan2: link is not ready
 </IRQ>
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x50/0x80 kernel/locking/spinlock.c:192
Code: c0 98 82 f1 89 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 31 48 83 3d 01 31 d8 01 00 74 25 fb 66 0f 1f 44 00 00 <bf> 01 00 00 00 e8 26 1b 28 f9 65 8b 05 9f 8d e8 77 85 c0 74 02 5d
RSP: 0018:ffff88804d8b7890 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff13e3053 RBX: ffff888093150340 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888093150bc4
RBP: ffff8880ba12b0c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880ba12b0c0
R13: ffff8880b4cde440 R14: 0000000000000000 R15: 0000000000000000
 finish_lock_switch kernel/sched/core.c:2578 [inline]
 finish_task_switch+0x146/0x760 kernel/sched/core.c:2678
 context_switch kernel/sched/core.c:2831 [inline]
 __schedule+0x88f/0x2040 kernel/sched/core.c:3517
 schedule+0x8d/0x1b0 kernel/sched/core.c:3561
 freezable_schedule include/linux/freezer.h:172 [inline]
 futex_wait_queue_me+0x2fc/0x5e0 kernel/futex.c:2722
 futex_wait+0x1ef/0x610 kernel/futex.c:2837
 do_futex+0x268/0x1880 kernel/futex.c:3889
 __do_sys_futex kernel/futex.c:3950 [inline]
 __se_sys_futex+0x28f/0x3b0 kernel/futex.c:3918
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f47f62bd049
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc6f913538 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f47f63cff6c RCX: 00007f47f62bd049
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f47f63cff6c
RBP: 00007f47f63cff60 R08: 00000088ae6be76f R09: 0000000000000000
R10: 00007ffc6f913620 R11: 0000000000000246 R12: 0000000000081722
R13: 00007ffc6f913620 R14: 00007ffc6f913640 R15: 0000000000000032
==================================================================
----------------
Code disassembly (best guess), 5 bytes skipped:
   0:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
   7:	fc ff df
   a:	48 c1 e8 03          	shr    $0x3,%rax
   e:	80 3c 10 00          	cmpb   $0x0,(%rax,%rdx,1)
  12:	75 31                	jne    0x45
  14:	48 83 3d 01 31 d8 01 	cmpq   $0x0,0x1d83101(%rip)        # 0x1d8311d
  1b:	00
  1c:	74 25                	je     0x43
  1e:	fb                   	sti
  1f:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
* 25:	bf 01 00 00 00       	mov    $0x1,%edi <-- trapping instruction
  2a:	e8 26 1b 28 f9       	callq  0xf9281b55
  2f:	65 8b 05 9f 8d e8 77 	mov    %gs:0x77e88d9f(%rip),%eax        # 0x77e88dd5
  36:	85 c0                	test   %eax,%eax
  38:	74 02                	je     0x3c
  3a:	5d                   	pop    %rbp