bisecting fixing commit since 13d2ce42de8cb98ff952f8de6307f896203854c2
building syzkaller on 8f160dd5d603e9cd86705baad260794afa3e5cb3
testing commit 13d2ce42de8cb98ff952f8de6307f896203854c2 with gcc (GCC) 8.4.1 20210217
kernel signature: 4d42d6152c0fb650d0cf12807c3f9afe85d2932792be8c50ccf053dbbbc713c5
run #0: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #1: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #2: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #3: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #4: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #5: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #6: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #7: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #8: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #9: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #10: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #11: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #12: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #13: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #14: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #15: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #16: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #17: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #18: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #19: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
testing current HEAD 255b58a2b3af0baa0ee11507390349217b8b73b0
testing commit 255b58a2b3af0baa0ee11507390349217b8b73b0 with gcc (GCC) 8.4.1 20210217
kernel signature: 41700fd73e44e1d3dad6a23b085aa1c73abaac82ce31d564828e853e263de9f1
run #0: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #1: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #2: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #3: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #4: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #5: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #6: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #7: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
run #8: crashed: KASAN: use-after-free Read in ipvlan_queue_xmit
run #9: crashed: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
revisions tested: 2, total time: 22m54.331411636s (build: 15m3.325641693s, test: 6m57.151013348s)
the crash still happens on HEAD
commit msg: Linux 4.19.176
crash: KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
device veth0_macvtap entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
==================================================================
device veth1_macvtap entered promiscuous mode
BUG: KASAN: slab-out-of-bounds in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:533 [inline]
BUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:593 [inline]
BUG: KASAN: slab-out-of-bounds in ipvlan_queue_xmit+0x89d/0x1630 drivers/net/ipvlan/ipvlan_core.c:654
Read of size 4 at addr ffff888099994c7f by task syz-executor.1/9789

CPU: 1 PID: 9789 Comm: syz-executor.1 Not tainted 4.19.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x226 lib/dump_stack.c:118
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:396
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:533 [inline]
 ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:593 [inline]
 ipvlan_queue_xmit+0x89d/0x1630 drivers/net/ipvlan/ipvlan_core.c:654
IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
 ipvlan_start_xmit+0x4a/0x150 drivers/net/ipvlan/ipvlan_main.c:290
 __netdev_start_xmit include/linux/netdevice.h:4333 [inline]
 netdev_start_xmit include/linux/netdevice.h:4347 [inline]
 dev_direct_xmit+0x2db/0x620 net/core/dev.c:3905
IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
 packet_direct_xmit+0xd6/0x140 net/packet/af_packet.c:246
 packet_snd net/packet/af_packet.c:2988 [inline]
 packet_sendmsg+0x343e/0x6030 net/packet/af_packet.c:3013
IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:632
 sock_write_iter+0x215/0x420 net/socket.c:901
 call_write_iter include/linux/fs.h:1821 [inline]
 aio_write+0x2e4/0x560 fs/aio.c:1574
 __io_submit_one fs/aio.c:1858 [inline]
 io_submit_one+0x764/0x1db0 fs/aio.c:1909
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
 __do_sys_io_submit fs/aio.c:1953 [inline]
 __se_sys_io_submit+0x112/0x390 fs/aio.c:1924
 __x64_sys_io_submit+0x6e/0xb0 fs/aio.c:1924
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x465a49
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
RSP: 002b:00007ff958cab188 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
RAX: ffffffffffffffda RBX: 000000000055bfe8 RCX: 0000000000465a49
RDX: 0000000020000080 RSI: 0000000000000001 RDI: 00007ff958c8a000
RBP: 00000000004af682 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000055bfe8
R13: 00007ffd3cafacbf R14: 00007ff958cab300 R15: 0000000000022000

Allocated by task 8433:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x390 mm/slab.c:3559
 kmem_cache_zalloc include/linux/slab.h:699 [inline]
 __alloc_file+0x2b/0x2f0 fs/file_table.c:100
 alloc_empty_file+0x45/0x110 fs/file_table.c:150
 path_openat+0x107/0x2900 fs/namei.c:3526
 do_filp_open+0x177/0x250 fs/namei.c:3567
 do_sys_open+0x1dc/0x350 fs/open.c:1085
 __do_sys_openat fs/open.c:1112 [inline]
 __se_sys_openat fs/open.c:1106 [inline]
 __x64_sys_openat+0x98/0xf0 fs/open.c:1106
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!

Freed by task 8433:
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x13c/0x220 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3765
 file_free_rcu+0x5d/0x90 fs/file_table.c:49
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0x93a/0x19b0 kernel/rcu/tree.c:2881
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
 __do_softirq+0x25f/0x919 kernel/softirq.c:292
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0

The buggy address belongs to the object at ffff888099994a80
 which belongs to the cache filp of size 456
The buggy address is located 55 bytes to the right of
 456-byte region [ffff888099994a80, ffff888099994c48)
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
The buggy address belongs to the page:
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
page:ffffea0002666500 count:1 mapcount:0 mapping:ffff88823b845500 index:0x0
batman_adv: batadv0: Interface activated: batadv_slave_0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea000255f0c8 ffffea0002ce5408 ffff88823b845500
raw: 0000000000000000 ffff888099994080 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888099994b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099994b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888099994c00: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
                                                                ^
 ffff888099994c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888099994d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================