wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
==================================================================
BUG: KASAN: slab-out-of-bounds in ether_addr_equal include/linux/etherdevice.h:321 [inline]
BUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2 drivers/net/ipvlan/ipvlan_core.c:605 [inline]
BUG: KASAN: slab-out-of-bounds in ipvlan_queue_xmit+0x9d2/0x18e0 drivers/net/ipvlan/ipvlan_core.c:651
Read of size 4 at addr ffff8880aaf6d4ff by task syz-executor370/8107

CPU: 1 PID: 8107 Comm: syz-executor370 Not tainted 4.19.163-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load4_noabort+0x88/0x90 mm/kasan/report.c:432
 ether_addr_equal include/linux/etherdevice.h:321 [inline]
 ipvlan_xmit_mode_l2 drivers/net/ipvlan/ipvlan_core.c:605 [inline]
 ipvlan_queue_xmit+0x9d2/0x18e0 drivers/net/ipvlan/ipvlan_core.c:651
 ipvlan_start_xmit+0x4f/0x190 drivers/net/ipvlan/ipvlan_main.c:290
 __netdev_start_xmit include/linux/netdevice.h:4333 [inline]
 netdev_start_xmit include/linux/netdevice.h:4347 [inline]
 dev_direct_xmit+0x3f9/0x6d0 net/core/dev.c:3905
 packet_snd net/packet/af_packet.c:2988 [inline]
 packet_sendmsg+0x2474/0x6aff net/packet/af_packet.c:3013
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:632
 sock_write_iter+0x287/0x3c0 net/socket.c:901
 call_write_iter include/linux/fs.h:1821 [inline]
 aio_write+0x37f/0x5c0 fs/aio.c:1574
 __io_submit_one fs/aio.c:1858 [inline]
 io_submit_one+0xecd/0x20c0 fs/aio.c:1909
 __do_sys_io_submit fs/aio.c:1953 [inline]
 __se_sys_io_submit+0x11b/0x4a0 fs/aio.c:1924
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443ea9
Code: e8 5c 0b 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 0d fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdb3402108 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000443ea9
RDX: 0000000020000080 RSI: 0000000000000001 RDI: 00007fc68ccd8000
RBP: 00316e616c767069 R08: 0000001e00000140 R09: 0000001e00000140
R10: 0000001e00000140 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000004

Allocated by task 1:
 kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
 kmem_cache_zalloc include/linux/slab.h:699 [inline]
 __alloc_file+0x21/0x330 fs/file_table.c:100
 alloc_empty_file+0x6d/0x170 fs/file_table.c:150
 path_openat+0xe9/0x2df0 fs/namei.c:3526
 do_filp_open+0x18c/0x3f0 fs/namei.c:3567
 do_sys_open+0x3b3/0x520 fs/open.c:1085
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x7f/0x260 mm/slab.c:3765
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0x8ff/0x18b0 kernel/rcu/tree.c:2881
 __do_softirq+0x26c/0x9a0 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880aaf6d300
 which belongs to the cache filp of size 456
The buggy address is located 55 bytes to the right of
 456-byte region [ffff8880aaf6d300, ffff8880aaf6d4c8)
The buggy address belongs to the page:
page:ffffea0002abdb40 count:1 mapcount:0 mapping:ffff88823b846200 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002acc108 ffffea0002aba008 ffff88823b846200
raw: 0000000000000000 ffff8880aaf6d080 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880aaf6d380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880aaf6d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880aaf6d480: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
                                                                ^
 ffff8880aaf6d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880aaf6d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
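Editor's note and added example (not part of the syzbot report above). The faulting access is at ipvlan_core.c:605, where ipvlan_xmit_mode_l2() compares eth->h_dest with eth->h_source through eth_hdr(skb). Two details of the report matter: the flagged address lies 55 bytes past an object in the filp cache, so the header pointer is not inside packet memory at all, and the "Read of size 4" is the first of the two loads ether_addr_equal() performs (a u32 fold followed by a u16). The frame reached the driver from an AF_PACKET send that went through dev_direct_xmit(), i.e. the qdisc-bypass path, so ipvlan's transmit routine is handed a buffer shaped by userspace and must not trust that a complete, correctly located Ethernet header is present. The user-space model below is written for this page and is not kernel code: struct skb_model is a stand-in for struct sk_buff, the verdicts reflect my reading of ipvlan_xmit_mode_l2() in 4.19 (dest == source is delivered locally, multicast goes to the multicast queue, anything else is forwarded to the lower device), and the frames are constructed input. It places the unchecked dereference beside a version that refuses a frame whose MAC header offset is unset or that has fewer than ETH_HLEN bytes behind it; the kernel-side analogues of that guard are skb_mac_header_was_set() and pskb_may_pull(skb, ETH_HLEN).

```c
/* Added user-space model of the ipvlan L2 transmit classification that the
 * KASAN report above faults in. Not kernel code: struct skb_model is a tiny
 * stand-in for struct sk_buff and the verdicts mirror my reading of
 * ipvlan_xmit_mode_l2() (dest == source: local, multicast: multicast queue,
 * otherwise forward). All frames are constructed test input. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define ETH_HLEN 14
#define MAC_HEADER_UNSET 0xffffu  /* (u16)~0, the "not set" offset in struct sk_buff */

enum l2_verdict { L2_DROP = -1, L2_LOCAL = 0, L2_MULTICAST = 1, L2_FORWARD = 2 };

struct skb_model {
    unsigned char *head;   /* backing buffer */
    size_t head_len;       /* size of the backing buffer */
    uint16_t data;         /* offset of packet data in head */
    uint16_t len;          /* bytes of packet data */
    uint16_t mac_header;   /* offset of the Ethernet header, or MAC_HEADER_UNSET */
};

struct ethhdr_model {
    unsigned char h_dest[ETH_ALEN];
    unsigned char h_source[ETH_ALEN];
    unsigned char h_proto[2];
};

/* Shape of the kernel's ether_addr_equal() with efficient unaligned access:
 * a 4-byte load plus a 2-byte load per address, hence "Read of size 4". */
static int ether_addr_equal_model(const unsigned char *a, const unsigned char *b)
{
    uint32_t a32, b32;
    uint16_t a16, b16;

    memcpy(&a32, a, 4);
    memcpy(&b32, b, 4);
    memcpy(&a16, a + 4, 2);
    memcpy(&b16, b + 4, 2);
    return ((a32 ^ b32) | (a16 ^ b16)) == 0;
}

/* Unchecked model of the faulting path: eth_hdr(skb) is head + mac_header,
 * dereferenced without confirming the header is set or that ETH_HLEN bytes
 * exist. Safe only on a well-formed frame; on a malformed one it reads
 * outside the packet, which is the bug in the report. */
static enum l2_verdict ipvlan_l2_classify_unchecked(const struct skb_model *skb)
{
    const struct ethhdr_model *eth =
        (const struct ethhdr_model *)(skb->head + skb->mac_header);

    if (ether_addr_equal_model(eth->h_dest, eth->h_source))
        return L2_LOCAL;
    if (eth->h_dest[0] & 0x01)   /* is_multicast_ether_addr() */
        return L2_MULTICAST;
    return L2_FORWARD;
}

/* Hardened model: validate the header location and length before touching it.
 * Kernel analogues: skb_mac_header_was_set() and pskb_may_pull(skb, ETH_HLEN). */
static enum l2_verdict ipvlan_l2_classify_checked(const struct skb_model *skb)
{
    size_t data_end = (size_t)skb->data + skb->len;

    if (skb->mac_header == MAC_HEADER_UNSET)
        return L2_DROP;
    if (data_end > skb->head_len || skb->mac_header > data_end)
        return L2_DROP;
    if (data_end - skb->mac_header < ETH_HLEN)
        return L2_DROP;
    return ipvlan_l2_classify_unchecked(skb);
}

/* Place a frame at offset 0 of a zeroed 64-byte buffer and run the hardened
 * check. mac_set == 0 models an skb whose MAC header was never reset on the
 * transmit path. */
static enum l2_verdict classify_frame(const unsigned char *frame, uint16_t len, int mac_set)
{
    unsigned char buf[64];
    struct skb_model skb = { buf, sizeof buf, 0, len, mac_set ? 0 : MAC_HEADER_UNSET };

    memset(buf, 0, sizeof buf);
    memcpy(buf, frame, len);
    return ipvlan_l2_classify_checked(&skb);
}

/* Constructed frames: dst | src | ethertype. */
static const unsigned char loopback_frame[ETH_HLEN] =
    { 0x02,0,0,0,0,1,  0x02,0,0,0,0,1,  0x08,0x00 };
static const unsigned char broadcast_frame[ETH_HLEN] =
    { 0xff,0xff,0xff,0xff,0xff,0xff,  0x02,0,0,0,0,1,  0x08,0x06 };
static const unsigned char unicast_frame[ETH_HLEN] =
    { 0x02,0,0,0,0,2,  0x02,0,0,0,0,1,  0x08,0x00 };
static const unsigned char short_frame[3] = { 0x02, 0, 0 };

int main(void)
{
    printf("loopback:         %d\n", classify_frame(loopback_frame, ETH_HLEN, 1));
    printf("broadcast:        %d\n", classify_frame(broadcast_frame, ETH_HLEN, 1));
    printf("unicast:          %d\n", classify_frame(unicast_frame, ETH_HLEN, 1));
    printf("short frame:      %d\n", classify_frame(short_frame, 3, 1));
    printf("unset mac header: %d\n", classify_frame(unicast_frame, ETH_HLEN, 0));
    return 0;
}
```

On the three well-formed frames the checked and unchecked routines agree; the 3-byte frame and the frame with an unset MAC header offset are dropped before any header byte is read, which is the behaviour the transmit path in the report lacks.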