==================================================================
BUG: KASAN: use-after-free in __tcp_hdrlen include/linux/tcp.h:31 [inline]
BUG: KASAN: use-after-free in qdisc_pkt_len_segs_init+0x7f8/0xa30 net/core/dev.c:4140
Read of size 2 at addr ffff888162f053f4 by task kworker/u8:5/84

CPU: 1 UID: 0 PID: 84 Comm: kworker/u8:5 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: events_unbound macvlan_process_broadcast
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 __tcp_hdrlen include/linux/tcp.h:31 [inline]
 qdisc_pkt_len_segs_init+0x7f8/0xa30 net/core/dev.c:4140
 __dev_queue_xmit+0x29a/0x3950 net/core/dev.c:4782
 dev_queue_xmit include/linux/netdevice.h:3418 [inline]
 br_dev_queue_push_xmit+0x370/0x4b0 net/bridge/br_forward.c:53
 NF_HOOK+0x360/0x3f0 include/linux/netfilter.h:318
 br_forward_finish+0xd3/0x130 net/bridge/br_forward.c:66
 NF_HOOK+0x360/0x3f0 include/linux/netfilter.h:318
 __br_forward+0x397/0x540 net/bridge/br_forward.c:115
 deliver_clone net/bridge/br_forward.c:131 [inline]
 maybe_deliver net/bridge/br_forward.c:191 [inline]
 br_flood+0x6ee/0xb80 net/bridge/br_forward.c:238
 br_handle_frame_finish+0x1521/0x1c80 net/bridge/br_input.c:229
 nf_hook_bridge_pre net/bridge/br_input.c:313 [inline]
 br_handle_frame+0x80f/0x1510 net/bridge/br_input.c:442
 __netif_receive_skb_core+0x98f/0x3170 net/core/dev.c:6089
 __netif_receive_skb_one_core net/core/dev.c:6200 [inline]
 __netif_receive_skb net/core/dev.c:6315 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6666
 __napi_poll+0xae/0x340 net/core/dev.c:7733
 napi_poll net/core/dev.c:7796 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7953
 handle_softirqs+0x22a/0x840 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 netif_rx+0x83/0x90 net/core/dev.c:5775
 macvlan_broadcast+0x373/0x630 drivers/net/macvlan.c:292
 macvlan_multicast_rx drivers/net/macvlan.c:-1 [inline]
 macvlan_process_broadcast+0x440/0x660 drivers/net/macvlan.c:344
 process_one_work kernel/workqueue.c:3314 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478
 kthread+0x389/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x162f05
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000000 ffffea00058bc148 ffffea00058bc148 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff888162f05280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888162f05300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888162f05380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff888162f05400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888162f05480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================