IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready device veth0_vlan entered promiscuous mode IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800adf90281 Read of size 4 by task syz-executor.4/7705 CPU: 1 PID: 7705 Comm: syz-executor.4 Not tainted 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff880128167878 ffffffff82c7f386 ffff8800adf9027f ffff880128167908 ffff8800adf90268 ffff8800bb9c4f00 ffff8801281678f8 ffffffff81740207 ffff880129502a40 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800adf90268, in cache ip_fib_alias Object not allocated yet Memory state around the buggy address: ffff8800adf90180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8800adf90280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8800adf90300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800adf90281 Read of size 4 by task syz-executor.4/7709 CPU: 1 PID: 7709 Comm: syz-executor.4 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800ad87f878 ffffffff82c7f386 ffff8800adf9027f ffff8800ad87f908 ffff8800adf90268 ffff8800bb9c4f00 ffff8800ad87f8f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800adf90268, in cache ip_fib_alias Object not allocated yet Memory state around the buggy address: ffff8800adf90180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8800adf90280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8800adf90300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800adf90281 Read of size 4 by task syz-executor.4/7713 CPU: 1 PID: 7713 Comm: syz-executor.4 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800adf77878 ffffffff82c7f386 ffff8800adf9027f ffff8800adf77908 ffff8800adf90268 ffff8800bb9c4f00 ffff8800adf778f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800adf90268, in cache ip_fib_alias Object not allocated yet Memory state around the buggy address: ffff8800adf90180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8800adf90280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8800adf90300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800adf90281 Read of size 4 by task syz-executor.4/7717 CPU: 1 PID: 7717 Comm: syz-executor.4 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800ad87f878 ffffffff82c7f386 ffff8800adf9027f ffff8800ad87f908 ffff8800adf90268 ffff8800bb9c4f00 ffff8800ad87f8f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800adf90268, in cache ip_fib_alias Object not allocated yet Memory state around the buggy address: ffff8800adf90180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8800adf90280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8800adf90300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800adf90281 Read of size 4 by task syz-executor.4/7721 CPU: 1 PID: 7721 Comm: syz-executor.4 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800adf77878 ffffffff82c7f386 ffff8800adf9027f ffff8800adf77908 ffff8800adf90268 ffff8800bb9c4f00 ffff8800adf778f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800adf90268, in cache ip_fib_alias Object not allocated yet Memory state around the buggy address: ffff8800adf90180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8800adf90280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8800adf90300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800adf90281 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800adf90281 Read of size 4 by task syz-executor.4/7725 CPU: 1 PID: 7725 Comm: syz-executor.4 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff880128187878 ffffffff82c7f386 ffff8800adf9027f ffff880128187908 ffff8800adf90268 ffff8800bb9c4f00 ffff8801281878f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800adf90268, in cache ip_fib_alias Object not allocated yet Memory state around the buggy address: ffff8800adf90180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8800adf90280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8800adf90300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800adf90380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready device veth1_vlan entered promiscuous mode IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready device veth0_vlan entered promiscuous mode IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready device veth1_vlan entered promiscuous mode IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready device veth0_vlan entered promiscuous mode IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready ================================================================== BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800adf81a81 BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800adf81a81 BUG: KASAN: use-after-free in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800adf81a81 IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready Read of size 4 by task syz-executor.3/7811 device veth1_vlan entered promiscuous mode page:ffffea0002b7e040 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0xfffe0000000000() page dumped because: kasan: bad access detected CPU: 0 PID: 7811 Comm: syz-executor.3 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800ad827878 ffffffff82c7f386 ffff8800adf81a7f ffff8800ad827908 ffff8800adf81a81 ffff8800b19862c0 ffff8800ad8278f8 ffffffff817405ba ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready device veth0_vlan entered promiscuous mode IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8800adf81980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8800adf81a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8800adf81a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff8800adf81b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800adf81b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready device veth0_vlan entered promiscuous mode IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready device veth1_vlan entered promiscuous mode ================================================================== device veth1_vlan entered promiscuous mode ================================================================== BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad955ac1 BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad955ac1 BUG: KASAN: use-after-free in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad955ac1 Read of size 4 by task syz-executor.2/7865 CPU: 1 PID: 7865 Comm: syz-executor.2 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800ad9df878 ffffffff82c7f386 ffff8800ad955abf ffff8800ad9df908 ffff8800ad9546c0 ffff88012bd1ab00 ffff8800ad9df8f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800ad9546c0, in cache task_struct Object freed, allocated with size 5888 bytes Allocation: PID = 2261 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:482 [] kmem_cache_alloc_node+0x154/0x6b0 mm/slab.c:3471 [] alloc_task_struct_node kernel/fork.c:142 [inline] [] dup_task_struct kernel/fork.c:350 [inline] [] copy_process.part.37+0x1fd/0x5ae0 kernel/fork.c:1311 [] copy_process kernel/fork.c:1282 [inline] [] _do_fork+0x158/0xbb0 kernel/fork.c:1731 [] kernel_thread+0x24/0x30 kernel/fork.c:1792 [] call_usermodehelper_exec_sync kernel/kmod.c:275 [inline] [] call_usermodehelper_exec_work+0xdb/0x1f0 kernel/kmod.c:327 [] process_one_work+0x69b/0x1570 kernel/workqueue.c:2122 [] worker_thread+0xd7/0xf10 kernel/workqueue.c:2256 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392 Deallocation: PID = 2261 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_slab_free+0x9b/0xb0 mm/kasan/kasan.c:501 [] __cache_free mm/slab.c:3332 [inline] [] kmem_cache_free+0x94/0x500 mm/slab.c:3583 [] free_task_struct kernel/fork.c:147 [inline] [] free_task+0xd0/0x170 kernel/fork.c:240 [] __put_task_struct+0x17e/0x390 kernel/fork.c:271 [] put_task_struct include/linux/sched.h:2068 [inline] [] delayed_put_task_struct+0x148/0x2b0 kernel/exit.c:164 [] __rcu_reclaim kernel/rcu/rcu.h:118 [inline] [] rcu_do_batch kernel/rcu/tree.c:2681 [inline] [] invoke_rcu_callbacks kernel/rcu/tree.c:2947 [inline] [] __rcu_process_callbacks kernel/rcu/tree.c:2914 [inline] [] rcu_process_callbacks+0xe73/0x15d0 kernel/rcu/tree.c:2931 [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273 Memory state around the buggy address: ffff8800ad955980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8800ad955a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8800ad955a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8800ad955b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8800ad955b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad95a0c1 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad95a0c1 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad95a0c1 Read of size 4 by task syz-executor.3/7879 CPU: 1 PID: 7879 Comm: syz-executor.3 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800ada47878 ffffffff82c7f386 ffff8800ad95a0bf ffff8800ada47908 ffff8800ad95a080 ffff88012bc00200 ffff8800ada478f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800ad95a080, in cache kmalloc-64 Object allocated with size 64 bytes. Allocation: PID = 4 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532 [] kmem_cache_alloc_trace+0x142/0x6b0 mm/slab.c:3447 [] kmalloc include/linux/slab.h:478 [inline] [] dst_cow_metrics_generic+0x43/0xb0 net/core/dst.c:318 [] ipv6_cow_metrics+0x5f/0x150 net/ipv6/route.c:188 [] dst_metrics_write_ptr include/net/dst.h:143 [inline] [] dst_metric_set include/net/dst.h:204 [inline] [] icmp6_dst_alloc+0x463/0x560 net/ipv6/route.c:1637 [] ndisc_send_skb+0xb13/0x1010 net/ipv6/ndisc.c:451 [] ndisc_send_ns+0x283/0x6e0 net/ipv6/ndisc.c:595 [] addrconf_dad_work+0x645/0x980 net/ipv6/addrconf.c:3813 [] process_one_work+0x69b/0x1570 kernel/workqueue.c:2122 [] worker_thread+0xd7/0xf10 kernel/workqueue.c:2256 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392 Memory state around the buggy address: ffff8800ad959f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8800ad95a000: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff8800ad95a080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff8800ad95a100: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff8800ad95a180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad958281 BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad958281 BUG: KASAN: use-after-free in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad958281 Read of size 4 by task syz-executor.1/7924 page:ffffea0002b65600 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0xfffe0000000000() page dumped because: kasan: bad access detected CPU: 1 PID: 7924 Comm: syz-executor.1 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800ad9ef878 ffffffff82c7f386 ffff8800ad95827f ffff8800ad9ef908 ffff8800ad958281 ffff8800b1b76340 ffff8800ad9ef8f8 ffffffff817405ba ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8800ad958180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800ad958200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8800ad958280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8800ad958300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800ad958380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad959341 BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad959341 BUG: KASAN: use-after-free in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad959341 Read of size 4 by task syz-executor.5/7934 page:ffffea0002b65640 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0xfffe0000000000() page dumped because: kasan: bad access detected CPU: 0 PID: 7934 Comm: syz-executor.5 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800ad89f878 ffffffff82c7f386 ffff8800ad95933f ffff8800ad89f908 ffff8800ad959341 ffff8800ade224c0 ffff8800ad89f8f8 ffffffff817405ba ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8800ad959200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800ad959280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8800ad959300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8800ad959380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800ad959400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad95a5c1 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad95a5c1 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad95a5c1 Read of size 4 by task syz-executor.4/7930 CPU: 1 PID: 7930 Comm: syz-executor.4 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800ada8f878 ffffffff82c7f386 ffff8800ad95a5bf ffff8800ada8f908 ffff8800ad95a580 ffff88012bc00200 ffff8800ada8f8f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800ad95a580, in cache kmalloc-64 Object allocated with size 64 bytes. Allocation: PID = 4 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532 [] kmem_cache_alloc_trace+0x142/0x6b0 mm/slab.c:3447 [] kmalloc include/linux/slab.h:478 [inline] [] dst_cow_metrics_generic+0x43/0xb0 net/core/dst.c:318 [] ipv6_cow_metrics+0x5f/0x150 net/ipv6/route.c:188 [] dst_metrics_write_ptr include/net/dst.h:143 [inline] [] dst_metric_set include/net/dst.h:204 [inline] [] icmp6_dst_alloc+0x463/0x560 net/ipv6/route.c:1637 [] mld_sendpack+0x578/0xb80 net/ipv6/mcast.c:1633 [] mld_send_initial_cr.part.30+0xd4/0x110 net/ipv6/mcast.c:2049 [] mld_send_initial_cr net/ipv6/mcast.c:2033 [inline] [] ipv6_mc_dad_complete+0x85/0x110 net/ipv6/mcast.c:2056 [] addrconf_dad_completed+0x3ef/0x760 net/ipv6/addrconf.c:3867 [] addrconf_dad_work+0x7cb/0x980 net/ipv6/addrconf.c:3800 [] process_one_work+0x69b/0x1570 kernel/workqueue.c:2122 [] worker_thread+0xd7/0xf10 kernel/workqueue.c:2256 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392 Memory state around the buggy address: ffff8800ad95a480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff8800ad95a500: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff8800ad95a580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff8800ad95a600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff8800ad95a680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad958001 BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad958001 BUG: KASAN: use-after-free in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad958001 Read of size 4 by task syz-executor.4/7958 page:ffffea0002b65600 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0xfffe0000000000() page dumped because: kasan: bad access detected CPU: 1 PID: 7958 Comm: syz-executor.4 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800ada8f878 ffffffff82c7f386 ffff8800ad957fff ffff8800ada8f908 ffff8800ad958001 ffff8800ae6ca100 ffff8800ada8f8f8 ffffffff817405ba ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8800ad957f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8800ad957f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8800ad958000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8800ad958080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800ad958100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad95a0c1 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad95a0c1 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad95a0c1 Read of size 4 by task syz-executor.3/7970 CPU: 0 PID: 7970 Comm: syz-executor.3 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800adaa7878 ffffffff82c7f386 ffff8800ad95a0bf ffff8800adaa7908 ffff8800ad95a080 ffff88012bc00200 ffff8800adaa78f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800ad95a080, in cache kmalloc-64 Object allocated with size 64 bytes. Allocation: PID = 4 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532 [] kmem_cache_alloc_trace+0x142/0x6b0 mm/slab.c:3447 [] kmalloc include/linux/slab.h:478 [inline] [] dst_cow_metrics_generic+0x43/0xb0 net/core/dst.c:318 [] ipv6_cow_metrics+0x5f/0x150 net/ipv6/route.c:188 [] dst_metrics_write_ptr include/net/dst.h:143 [inline] [] dst_metric_set include/net/dst.h:204 [inline] [] icmp6_dst_alloc+0x463/0x560 net/ipv6/route.c:1637 [] ndisc_send_skb+0xb13/0x1010 net/ipv6/ndisc.c:451 [] ndisc_send_ns+0x283/0x6e0 net/ipv6/ndisc.c:595 [] addrconf_dad_work+0x645/0x980 net/ipv6/addrconf.c:3813 [] process_one_work+0x69b/0x1570 kernel/workqueue.c:2122 [] worker_thread+0xd7/0xf10 kernel/workqueue.c:2256 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392 Memory state around the buggy address: ffff8800ad959f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800ad95a000: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff8800ad95a080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff8800ad95a100: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff8800ad95a180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad84e341 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad84e341 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad84e341 Read of size 4 by task syz-executor.1/7975 CPU: 0 PID: 7975 Comm: syz-executor.1 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800ada87878 ffffffff82c7f386 ffff8800ad84e33f ffff8800ada87908 ffff8800ad84e040 ffff88012bc00700 ffff8800ada878f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800ad84e040, in cache kmalloc-1024 Object allocated with size 704 bytes. Allocation: PID = 3408 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532 [] __do_kmalloc mm/slab.c:3545 [inline] [] __kmalloc+0x169/0x6d0 mm/slab.c:3554 [] kmalloc include/linux/slab.h:483 [inline] [] kzalloc include/linux/slab.h:622 [inline] [] neigh_alloc net/core/neighbour.c:285 [inline] [] __neigh_create+0x1ea/0x19f0 net/core/neighbour.c:457 [] ip6_finish_output2+0x841/0x1b90 net/ipv6/ip6_output.c:111 [] ip6_finish_output+0x353/0x700 net/ipv6/ip6_output.c:131 [] NF_HOOK_COND include/linux/netfilter.h:233 [inline] [] ip6_output+0x167/0x530 net/ipv6/ip6_output.c:145 [] dst_output include/net/dst.h:504 [inline] [] NF_HOOK_THRESH.constprop.24+0xc9/0x290 include/linux/netfilter.h:219 [] NF_HOOK include/linux/netfilter.h:242 [inline] [] ndisc_send_skb+0x7a4/0x1010 net/ipv6/ndisc.c:471 [] ndisc_send_rs+0x116/0x3d0 net/ipv6/ndisc.c:646 [] addrconf_rs_timer+0x28a/0x410 net/ipv6/addrconf.c:3622 [] call_timer_fn+0x14e/0x620 kernel/time/timer.c:1178 [] __run_timers kernel/time/timer.c:1254 [inline] [] run_timer_softirq+0x5f7/0x9c0 kernel/time/timer.c:1437 [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273 Memory state around the buggy address: ffff8800ad84e200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8800ad84e280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8800ad84e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8800ad84e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800ad84e400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad953001 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad953001 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad953001 Read of size 4 by task syz-executor.4/7990 CPU: 0 PID: 7990 Comm: syz-executor.4 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800adad7878 ffffffff82c7f386 ffff8800ad952fff ffff8800adad7908 ffff8800ad953040 ffff8801de721300 ffff8800adad78f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800ad953040, in cache skbuff_head_cache Object allocated with size 232 bytes. Allocation: PID = 7990 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:482 [] kmem_cache_alloc_node+0x154/0x6b0 mm/slab.c:3471 [] __alloc_skb+0xa8/0x5b0 net/core/skbuff.c:218 [] alloc_skb include/linux/skbuff.h:895 [inline] [] alloc_skb_with_frags+0x8d/0x4b0 net/core/skbuff.c:4557 [] sock_alloc_send_pskb+0x5c9/0x740 net/core/sock.c:1851 [] packet_alloc_skb net/packet/af_packet.c:2799 [inline] [] packet_snd net/packet/af_packet.c:2885 [inline] [] packet_sendmsg+0x1843/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8800ad952f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff8800ad952f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8800ad953000: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ^ ffff8800ad953080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8800ad953100: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad958281 BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad958281 BUG: KASAN: use-after-free in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad958281 Read of size 4 by task syz-executor.3/7993 page:ffffea0002b65600 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0xfffe0000000000() page dumped because: kasan: bad access detected CPU: 1 PID: 7993 Comm: syz-executor.3 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800adaf7878 ffffffff82c7f386 ffff8800ad95827f ffff8800adaf7908 ffff8800ad958281 ffff8800b19862c0 ffff8800adaf78f8 ffffffff817405ba ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8800ad958180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800ad958200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8800ad958280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8800ad958300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800ad958380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad95a5c1 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad95a5c1 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad95a5c1 Read of size 4 by task syz-executor.2/8011 CPU: 1 PID: 8011 Comm: syz-executor.2 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8800ad997878 ffffffff82c7f386 ffff8800ad95a5bf ffff8800ad997908 ffff8800ad95a580 ffff88012bc00200 ffff8800ad9978f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800ad95a580, in cache kmalloc-64 Object allocated with size 64 bytes. Allocation: PID = 4 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532 [] kmem_cache_alloc_trace+0x142/0x6b0 mm/slab.c:3447 [] kmalloc include/linux/slab.h:478 [inline] [] dst_cow_metrics_generic+0x43/0xb0 net/core/dst.c:318 [] ipv6_cow_metrics+0x5f/0x150 net/ipv6/route.c:188 [] dst_metrics_write_ptr include/net/dst.h:143 [inline] [] dst_metric_set include/net/dst.h:204 [inline] [] icmp6_dst_alloc+0x463/0x560 net/ipv6/route.c:1637 [] mld_sendpack+0x578/0xb80 net/ipv6/mcast.c:1633 [] mld_send_initial_cr.part.30+0xd4/0x110 net/ipv6/mcast.c:2049 [] mld_send_initial_cr net/ipv6/mcast.c:2033 [inline] [] ipv6_mc_dad_complete+0x85/0x110 net/ipv6/mcast.c:2056 [] addrconf_dad_completed+0x3ef/0x760 net/ipv6/addrconf.c:3867 [] addrconf_dad_work+0x7cb/0x980 net/ipv6/addrconf.c:3800 [] process_one_work+0x69b/0x1570 kernel/workqueue.c:2122 [] worker_thread+0xd7/0xf10 kernel/workqueue.c:2256 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392 Memory state around the buggy address: ffff8800ad95a480: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff8800ad95a500: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff8800ad95a580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff8800ad95a600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff8800ad95a680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] at addr ffff8800ad953501 BUG: KASAN: slab-out-of-bounds in mc_hash drivers/net/macvlan.c:225 [inline] at addr ffff8800ad953501 BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 at addr ffff8800ad953501 Read of size 4 by task syz-executor.5/8007 CPU: 0 PID: 8007 Comm: syz-executor.5 Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0dd577e ffff8801281c7878 ffffffff82c7f386 ffff8800ad9534ff ffff8801281c7908 ffff8800ad953400 ffff8801de721300 ffff8801281c78f8 ffffffff81740207 ffffffff816afd26 0000000000000286 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:179 [inline] [] kasan_report_error+0x1e7/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load_n_noabort+0x3a/0x40 mm/kasan/report.c:328 [] __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] [] mc_hash drivers/net/macvlan.c:225 [inline] [] macvlan_broadcast+0x48f/0x5b0 drivers/net/macvlan.c:251 [] macvlan_queue_xmit drivers/net/macvlan.c:482 [inline] [] macvlan_start_xmit+0x316/0x610 drivers/net/macvlan.c:525 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] packet_direct_xmit+0x429/0x610 net/packet/af_packet.c:271 [] packet_snd net/packet/af_packet.c:2938 [inline] [] packet_sendmsg+0x1f94/0x4eb0 net/packet/af_packet.c:2963 [] sock_sendmsg_nosec net/socket.c:612 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:622 [] SYSC_sendto+0x1c9/0x300 net/socket.c:1648 [] SyS_sendto+0x9/0x10 net/socket.c:1616 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800ad953400, in cache skbuff_head_cache Object freed, allocated with size 232 bytes Allocation: PID = 7843 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_kmalloc+0xc9/0xe0 mm/kasan/kasan.c:532 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:482 [] kmem_cache_alloc_node+0x154/0x6b0 mm/slab.c:3471 [] __alloc_skb+0xa8/0x5b0 net/core/skbuff.c:218 [] alloc_skb include/linux/skbuff.h:895 [inline] [] new_skb+0x20/0x1d0 drivers/block/aoe/aoecmd.c:67 [] aoecmd_cfg_pkts drivers/block/aoe/aoecmd.c:427 [inline] [] aoecmd_cfg+0x1a3/0x580 drivers/block/aoe/aoecmd.c:1433 [] discover_timer+0xdc/0x130 drivers/block/aoe/aoemain.c:44 [] call_timer_fn+0x14e/0x620 kernel/time/timer.c:1178 [] __run_timers kernel/time/timer.c:1254 [inline] [] run_timer_softirq+0x5f7/0x9c0 kernel/time/timer.c:1437 [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273 Deallocation: PID = 2415 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:450 [] set_track mm/kasan/kasan.c:462 [inline] [] kasan_slab_free+0x9b/0xb0 mm/kasan/kasan.c:501 [] __cache_free mm/slab.c:3332 [inline] [] kmem_cache_free+0x94/0x500 mm/slab.c:3583 [] kfree_skbmem+0xac/0xd0 net/core/skbuff.c:622 [] __kfree_skb+0x15/0x20 net/core/skbuff.c:684 [] kfree_skb+0x90/0x2f0 net/core/skbuff.c:704 [] nr_xmit+0xaa/0x100 net/netrom/nr_dev.c:148 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] xmit_one net/core/dev.c:2871 [inline] [] dev_hard_start_xmit+0x6b9/0x1140 net/core/dev.c:2887 [] __dev_queue_xmit+0x1b85/0x1f40 net/core/dev.c:3358 [] dev_queue_xmit+0xb/0x10 net/core/dev.c:3392 [] tx+0x68/0xb0 drivers/block/aoe/aoenet.c:63 [] kthread+0x1c4/0x360 drivers/block/aoe/aoecmd.c:1300 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x22/0x50 arch/x86/entry/entry_64.S:392 Memory state around the buggy address: ffff8800ad953400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8800ad953480: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc >ffff8800ad953500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff8800ad953580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8800ad953600: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ==================================================================