IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
device veth1_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
==================================================================
IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
BUG: KASAN: slab-out-of-bounds in ether_addr_equal include/linux/etherdevice.h:321 [inline]
BUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2 drivers/net/ipvlan/ipvlan_core.c:542 [inline]
BUG: KASAN: slab-out-of-bounds in ipvlan_queue_xmit+0xfe2/0x11e0 drivers/net/ipvlan/ipvlan_core.c:583
Read of size 4 at addr ffff88809bbb3cbf by task syz-executor.2/9611

CPU: 0 PID: 9611 Comm: syz-executor.2 Not tainted 4.14.227-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x14b/0x1e7 lib/dump_stack.c:58
 print_address_description.cold.6+0x9/0x1ca mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold.7+0x11a/0x2d3 mm/kasan/report.c:393
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 ether_addr_equal include/linux/etherdevice.h:321 [inline]
 ipvlan_xmit_mode_l2 drivers/net/ipvlan/ipvlan_core.c:542 [inline]
 ipvlan_queue_xmit+0xfe2/0x11e0 drivers/net/ipvlan/ipvlan_core.c:583
 ipvlan_start_xmit+0x4a/0x150 drivers/net/ipvlan/ipvlan_main.c:286
 __netdev_start_xmit include/linux/netdevice.h:4051 [inline]
 netdev_start_xmit include/linux/netdevice.h:4060 [inline]
 packet_direct_xmit+0x3ed/0x630 net/packet/af_packet.c:269
 packet_snd.isra.30+0x9b6/0x2820 net/packet/af_packet.c:3024
 packet_sendmsg+0x1081/0x2c10 net/packet/af_packet.c:3049
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:656
 sock_write_iter+0x20d/0x400 net/socket.c:925
 call_write_iter include/linux/fs.h:1778 [inline]
 aio_write+0x291/0x4e0 fs/aio.c:1553
 io_submit_one fs/aio.c:1641 [inline]
 do_io_submit+0xb66/0x1290 fs/aio.c:1709
device veth0_macvtap entered promiscuous mode
 SYSC_io_submit fs/aio.c:1734 [inline]
 SyS_io_submit+0xb/0x10 fs/aio.c:1731
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x465a59
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
RSP: 002b:00007f8e993c1188 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 000000000055bf40 RCX: 0000000000465a59
RDX: 0000000020000080 RSI: 0000000000000001 RDI: 00007f8e993a0000
RBP: 00000000004af682 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000055bf40
R13: 00007fffcfa1f37f R14: 00007f8e993c1300 R15: 0000000000022000

Allocated by task 1:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:551
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:536
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x3e0 mm/slab.c:3552
 getname_flags+0xb8/0x510 fs/namei.c:138
 getname+0xd/0x10 fs/namei.c:209
 do_sys_open+0x14b/0x350 fs/open.c:1075
 SYSC_open fs/open.c:1099 [inline]
 SyS_open+0x19/0x20 fs/open.c:1094
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 1:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xab/0x190 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x80/0x2d0 mm/slab.c:3758
 putname+0xa8/0xe0 fs/namei.c:259
 do_sys_open+0x16d/0x350 fs/open.c:1090
 SYSC_open fs/open.c:1099 [inline]
 SyS_open+0x19/0x20 fs/open.c:1094
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff88809bbb21c0
 which belongs to the cache names_cache of size 4096
The buggy address is located 2815 bytes to the right of
 4096-byte region [ffff88809bbb21c0, ffff88809bbb31c0)
The buggy address belongs to the page:
page:ffffea00026eec80 count:1 mapcount:0 mapping:ffff88809bbb21c0 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff88809bbb21c0 0000000000000000 0000000100000001
raw: ffffea00026d1320 ffffea0002651fa0 ffff88823f830dc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809bbb3b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809bbb3c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809bbb3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
device veth1_macvtap entered promiscuous mode
                                        ^
 ffff88809bbb3d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809bbb3d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================