IPVS: nq: UDP 224.0.0.2:0 - no destination available
==================================================================
BUG: KASAN: use-after-free in __tcp_hdrlen include/linux/tcp.h:31 [inline]
BUG: KASAN: use-after-free in qdisc_pkt_len_segs_init+0xa51/0xb30 net/core/dev.c:4140
Read of size 2 at addr ffff88815f1460f4 by task kworker/u8:10/757
CPU: 1 UID: 0 PID: 757 Comm: kworker/u8:10 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: events_unbound macvlan_process_broadcast
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x13d/0x4b0 mm/kasan/report.c:482
kasan_report+0xdf/0x1d0 mm/kasan/report.c:595
__tcp_hdrlen include/linux/tcp.h:31 [inline]
qdisc_pkt_len_segs_init+0xa51/0xb30 net/core/dev.c:4140
__dev_queue_xmit+0x270/0x4950 net/core/dev.c:4782
dev_queue_xmit include/linux/netdevice.h:3418 [inline]
br_dev_queue_push_xmit+0x361/0x530 net/bridge/br_forward.c:53
NF_HOOK include/linux/netfilter.h:318 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
br_forward_finish+0x102/0x4d0 net/bridge/br_forward.c:66
NF_HOOK include/linux/netfilter.h:318 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
__br_forward+0x6ba/0x970 net/bridge/br_forward.c:115
deliver_clone net/bridge/br_forward.c:131 [inline]
maybe_deliver+0xf0/0x180 net/bridge/br_forward.c:191
br_flood+0x193/0x650 net/bridge/br_forward.c:238
br_handle_frame_finish+0xff4/0x1f60 net/bridge/br_input.c:229
nf_hook_bridge_pre net/bridge/br_input.c:313 [inline]
br_handle_frame+0x977/0x1520 net/bridge/br_input.c:442
__netif_receive_skb_core.constprop.0+0x6c5/0x3530 net/core/dev.c:6089
__netif_receive_skb_one_core+0xb0/0x1e0 net/core/dev.c:6200
__netif_receive_skb+0x1f/0x120 net/core/dev.c:6315
process_backlog+0x37a/0x1580 net/core/dev.c:6666
__napi_poll.constprop.0+0xaf/0x450 net/core/dev.c:7730
napi_poll net/core/dev.c:7793 [inline]
net_rx_action+0xa40/0xf20 net/core/dev.c:7950
handle_softirqs+0x1ea/0xa00 kernel/softirq.c:622
do_softirq kernel/softirq.c:523 [inline]
do_softirq+0xac/0xe0 kernel/softirq.c:510
__local_bh_enable_ip+0xf8/0x120 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
netif_rx net/core/dev.c:5775 [inline]
netif_rx+0x93/0xb0 net/core/dev.c:5764
macvlan_broadcast+0x37d/0x680 drivers/net/macvlan.c:292
macvlan_multicast_rx drivers/net/macvlan.c:304 [inline]
macvlan_multicast_rx+0xd8/0x100 drivers/net/macvlan.c:298
macvlan_process_broadcast+0x3e4/0x690 drivers/net/macvlan.c:344
process_one_work+0xa0e/0x1980 kernel/workqueue.c:3302
process_scheduled_works kernel/workqueue.c:3385 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3466
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x15f146
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000000 ffffea00057c5188 ffffea00057c5188 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
 ffff88815f145f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88815f146000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88815f146080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff88815f146100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88815f146180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================