syzbot

IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
==================================================================
BUG: KASAN: use-after-free in ether_addr_equal include/linux/etherdevice.h:321 [inline]
BUG: KASAN: use-after-free in ipvlan_xmit_mode_l2 drivers/net/ipvlan/ipvlan_core.c:542 [inline]
BUG: KASAN: use-after-free in ipvlan_queue_xmit+0x1323/0x15a0 drivers/net/ipvlan/ipvlan_core.c:583
Read of size 4 at addr ffff8880b08e4abf by task syz-executor717/7972

CPU: 0 PID: 7972 Comm: syz-executor717 Not tainted 4.14.212-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load4_noabort+0x68/0x70 mm/kasan/report.c:429
 ether_addr_equal include/linux/etherdevice.h:321 [inline]
 ipvlan_xmit_mode_l2 drivers/net/ipvlan/ipvlan_core.c:542 [inline]
 ipvlan_queue_xmit+0x1323/0x15a0 drivers/net/ipvlan/ipvlan_core.c:583
 ipvlan_start_xmit+0x4f/0x180 drivers/net/ipvlan/ipvlan_main.c:286
 __netdev_start_xmit include/linux/netdevice.h:4039 [inline]
 netdev_start_xmit include/linux/netdevice.h:4048 [inline]
 packet_direct_xmit+0x410/0x610 net/packet/af_packet.c:269
 packet_snd+0x1393/0x21e0 net/packet/af_packet.c:3024
 packet_sendmsg+0x1139/0x2aca net/packet/af_packet.c:3049
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 sock_write_iter+0x22c/0x370 net/socket.c:925
 call_write_iter include/linux/fs.h:1778 [inline]
 aio_write+0x2ed/0x560 fs/aio.c:1553
 io_submit_one fs/aio.c:1641 [inline]
 do_io_submit+0x847/0x1570 fs/aio.c:1709
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x449669
RSP: 002b:00007fff4ee97858 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000449669
RDX: 0000000020000080 RSI: 0000000000000001 RDI: 00007facdef08000
RBP: 00316e616c767069 R08: 00000000000000ff R09: 00000000000000ff
R10: 00000000000000ff R11: 0000000000000246 R12: 00007fff4ee978e0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0002c23900 count:0 mapcount:0 mapping:          (null) index:0xffff8880b08e4400
flags: 0xfff00000000000()
raw: 00fff00000000000 0000000000000000 ffff8880b08e4400 00000000ffffffff
raw: dead000000000100 dead000000000200 ffff88823f8bb200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b08e4980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880b08e4a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880b08e4a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff8880b08e4b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880b08e4b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================