IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: use-after-free in skb_network_protocol+0x462/0x4a0 net/core/dev.c:2519
Read of size 2 at addr ffff8801c978bb8b by task syz-executor0/4095

CPU: 1 PID: 4095 Comm: syz-executor0 Not tainted 4.4.125-g38f41ec #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 6d2f812ce534b1f1 ffff8800bb317708 ffffffff81d067bd
 ffffea000725e2c0 ffff8801c978bb8b 0000000000000000 ffff8801c978bb8b
 0000000000005865 ffff8800bb317740 ffffffff814fea83 ffff8801c978bb8b
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:439
 [] skb_network_protocol+0x462/0x4a0 net/core/dev.c:2519
 [] harmonize_features net/core/dev.c:2688 [inline]
 [] netif_skb_features+0x369/0x6a0 net/core/dev.c:2744
 [] validate_xmit_skb.isra.101.part.102+0x28/0x970 net/core/dev.c:2809
 [] validate_xmit_skb net/core/dev.c:2863 [inline]
 [] validate_xmit_skb_list+0xae/0x110 net/core/dev.c:2865
 [] packet_direct_xmit+0xa5/0x4f0 net/packet/af_packet.c:260
 [] packet_snd net/packet/af_packet.c:2828 [inline]
 [] packet_sendmsg+0x29b2/0x47e0 net/packet/af_packet.c:2853
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:635
 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
 [] SyS_sendto+0x40/0x50 net/socket.c:1633
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17

The buggy address belongs to the page:
page:ffffea000725e2c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c978ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c978bb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801c978bb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8801c978bc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c978bc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================