device veth0_vlan entered promiscuous mode
device veth1_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
==================================================================
BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:255 [inline]
BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x4b9/0x5c0 drivers/net/macvlan.c:281
Read of size 4 at addr ffff888095c0da01 by task syz-executor172/7098

CPU: 0 PID: 7098 Comm: syz-executor172 Not tainted 4.14.162-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x142/0x197 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
protocol 88fb is buggy, dev hsr_slave_0
 __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
 mc_hash drivers/net/macvlan.c:255 [inline]
 macvlan_broadcast+0x4b9/0x5c0 drivers/net/macvlan.c:281
protocol 88fb is buggy, dev hsr_slave_1
 macvlan_queue_xmit drivers/net/macvlan.c:522 [inline]
 macvlan_start_xmit+0x56b/0x72d drivers/net/macvlan.c:565
 __netdev_start_xmit include/linux/netdevice.h:4038 [inline]
 netdev_start_xmit include/linux/netdevice.h:4047 [inline]
 packet_direct_xmit+0x431/0x640 net/packet/af_packet.c:269
 packet_snd net/packet/af_packet.c:2994 [inline]
 packet_sendmsg+0x1dd4/0x5a60 net/packet/af_packet.c:3019
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xce/0x110 net/socket.c:656
 SYSC_sendto+0x206/0x310 net/socket.c:1763
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
 SyS_sendto+0x40/0x50 net/socket.c:1731
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
protocol 88fb is buggy, dev hsr_slave_0
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
protocol 88fb is buggy, dev hsr_slave_1
RIP: 0033:0x4429d9
RSP: 002b:00007ffc6e0d9a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004429d9
RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007ffc6e0d9aa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000403f70 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6943:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:651 [inline]
 get_empty_filp+0x8c/0x3f0 fs/file_table.c:123
 path_openat+0x8f/0x3f70 fs/namei.c:3542
 do_filp_open+0x18e/0x250 fs/namei.c:3600
 do_sys_open+0x2c5/0x430 fs/open.c:1084
 SYSC_open fs/open.c:1102 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1097
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 0:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 file_free_rcu+0x63/0xa0 fs/file_table.c:50
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x7b8/0x12b0 kernel/rcu/tree.c:2946
 __do_softirq+0x244/0x9a0 kernel/softirq.c:288

The buggy address belongs to the object at ffff888095c0d7c0
 which belongs to the cache filp of size 456
The buggy address is located 121 bytes to the right of
 456-byte region [ffff888095c0d7c0, ffff888095c0d988)
The buggy address belongs to the page:
page:ffffea0002570340 count:1 mapcount:0 mapping:ffff888095c0d040 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff888095c0d040 0000000000000000 0000000100000006
raw: ffffea000253a220 ffffea00025708a0 ffff8880aa9e99c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888095c0d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888095c0d980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888095c0da00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                   ^
 ffff888095c0da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888095c0db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================