bridge0: port 2(bridge_slave_1) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
hrtimer: interrupt took 29740 ns
==================================================================
BUG: KASAN: use-after-free in is_multicast_ether_addr_64bits include/linux/etherdevice.h:139 [inline]
BUG: KASAN: use-after-free in eth_type_trans+0x52d/0x650 net/ethernet/eth.c:168
Read of size 8 at addr ffff8801013f0040 by task syz-executor.0/7765

CPU: 0 PID: 7765 Comm: syz-executor.0 Not tainted 4.14.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x145/0x1e1 lib/dump_stack.c:52
 print_address_description.cold.7+0x9/0x1c9 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.8+0x121/0x2da mm/kasan/report.c:409
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 is_multicast_ether_addr_64bits include/linux/etherdevice.h:139 [inline]
 eth_type_trans+0x52d/0x650 net/ethernet/eth.c:168
 napi_frags_finish net/core/dev.c:4978 [inline]
 napi_gro_frags+0x62e/0xcb0 net/core/dev.c:5052
 tun_get_user+0x262a/0x39f0 drivers/net/tun.c:1751
 tun_chr_write_iter+0xd1/0x1a0 drivers/net/tun.c:1794
 call_write_iter include/linux/fs.h:1770 [inline]
 do_iter_readv_writev+0x60c/0xbd0 fs/read_write.c:673
 do_iter_write+0x131/0x520 fs/read_write.c:952
 vfs_writev+0x16b/0x320 fs/read_write.c:997
 do_writev+0xf3/0x340 fs/read_write.c:1032
 SYSC_writev fs/read_write.c:1105 [inline]
 SyS_writev+0xb/0x10 fs/read_write.c:1102
 entry_SYSCALL_64_fastpath+0x23/0xc2
RIP: 0033:0x45a7d1
RSP: 002b:00007fd1743f8ba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 0000000000207843 RCX: 000000000045a7d1
RDX: 0000000000000001 RSI: 00007fd1743f8c00 RDI: 00000000000000f0
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000075bf2c
R13: 00007fff3762ae1f R14: 00007fd1743f99c0 R15: 000000000075bf2c

The buggy address belongs to the page:
page:ffffea000404fc00 count:0 mapcount:0 mapping: (null) index:0x1
flags: 0x17ffe0000000000()
raw: 017ffe0000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801013eff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801013eff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801013f0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff8801013f0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801013f0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================