==================================================================
BUG: KASAN: slab-out-of-bounds in macvlan_forward_source+0x5d8/0x700 drivers/net/macvlan.c:442
Read of size 2 at addr ffff88807a882dfc by task syz.3.2715/15571

CPU: 1 UID: 0 PID: 15571 Comm: syz.3.2715 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 macvlan_forward_source+0x5d8/0x700 drivers/net/macvlan.c:442
 macvlan_handle_frame+0x1ba/0x12e0 drivers/net/macvlan.c:501
 __netif_receive_skb_core+0x98f/0x30a0 net/core/dev.c:6039
 __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
 __netif_receive_skb net/core/dev.c:6265 [inline]
 netif_receive_skb_internal net/core/dev.c:6351 [inline]
 netif_receive_skb+0x1fe/0xbb0 net/core/dev.c:6410
 tun_rx_batched+0x1de/0x790 drivers/net/tun.c:1485
 tun_get_user+0x2a78/0x3dd0 drivers/net/tun.c:1953
 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:686
 ksys_write+0x150/0x270 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f582115b78e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f5822061fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f58220626c0 RCX: 00007f582115b78e
RDX: 000000000000004a RSI: 00002000000001c0 RDI: 00000000000000c8
RBP: 00007f5821208c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5821416038 R14: 00007f5821415fa0 R15: 00007ffcdb958878

Allocated by task 5489:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5657 [inline]
 __kvmalloc_node_noprof+0x59a/0x8d0 mm/slub.c:7140
 alloc_netdev_mqs+0xa6/0x11b0 net/core/dev.c:12012
 bpq_new_device drivers/net/hamradio/bpqether.c:467 [inline]
 bpq_device_event+0x413/0x6a0 drivers/net/hamradio/bpqether.c:523
 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]
 call_netdevice_notifiers net/core/dev.c:2295 [inline]
 __dev_notify_flags+0x1a9/0x310 net/core/dev.c:9788
 netif_change_flags+0xe8/0x1a0 net/core/dev.c:9817
 dev_change_flags+0x130/0x260 net/core/dev_api.c:68
 devinet_ioctl+0x9f2/0x1b30 net/ipv4/devinet.c:1199
 inet_ioctl+0x42a/0x560 net/ipv4/af_inet.c:1009
 sock_do_ioctl+0x101/0x320 net/socket.c:1254
 sock_ioctl+0x5c6/0x7f0 net/socket.c:1375
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807a882000
 which belongs to the cache kmalloc-cg-4k of size 4096
The buggy address is located 76 bytes to the right of
 allocated 3504-byte region [ffff88807a882000, ffff88807a882db0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7a880
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888028896601
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813fe30500 ffffea0001e7b800 dead000000000002
raw: 0000000000000000 0000000000040004 00000000f5000000 ffff888028896601
head: 00fff00000000040 ffff88813fe30500 ffffea0001e7b800 dead000000000002
head: 0000000000000000 0000000000040004 00000000f5000000 ffff888028896601
head: 00fff00000000003 ffffea0001ea2001 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5823, tgid 5823 (syz-executor), ts 81166092506, free_ts 81150906465
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
 prep_new_page mm/page_alloc.c:1892 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3945
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5240
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
 alloc_slab_page mm/slub.c:3075 [inline]
 allocate_slab+0x86/0x3a0 mm/slub.c:3248
 new_slab mm/slub.c:3302 [inline]
 ___slab_alloc+0xd82/0x1760 mm/slub.c:4656
 __slab_alloc+0x65/0x100 mm/slub.c:4779
 __slab_alloc_node mm/slub.c:4855 [inline]
 slab_alloc_node mm/slub.c:5251 [inline]
 __do_kmalloc_node mm/slub.c:5656 [inline]
 __kmalloc_node_track_caller_noprof+0x5b7/0x7f0 mm/slub.c:5768
 kmemdup_noprof+0x2b/0x70 mm/util.c:138
 kmemdup_noprof include/linux/fortify-string.h:765 [inline]
 __addrconf_sysctl_register+0xa7/0x4d0 net/ipv6/addrconf.c:7305
 addrconf_sysctl_register+0x168/0x1c0 net/ipv6/addrconf.c:7371
 ipv6_add_dev+0xd26/0x13a0 net/ipv6/addrconf.c:460
 addrconf_notify+0x771/0x1050 net/ipv6/addrconf.c:3650
 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]
 call_netdevice_notifiers net/core/dev.c:2295 [inline]
 register_netdevice+0x171a/0x1cd0 net/core/dev.c:11444
 rtnl_newlink_create+0x329/0xb70 net/core/rtnetlink.c:3840
page last free pid 5836 tgid 5836 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xbf8/0xd70 mm/page_alloc.c:2973
 discard_slab mm/slub.c:3346 [inline]
 __put_partials+0x146/0x170 mm/slub.c:3886
 __slab_free+0x294/0x320 mm/slub.c:5956
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_noprof+0x370/0x6e0 mm/slub.c:5270
 __kernfs_new_node+0xe9/0x8e0 fs/kernfs/dir.c:637
 kernfs_new_node+0x102/0x210 fs/kernfs/dir.c:718
 kernfs_create_dir_ns+0x44/0x130 fs/kernfs/dir.c:1088
 sysfs_create_dir_ns+0x12f/0x2a0 fs/sysfs/dir.c:59
 create_dir lib/kobject.c:73 [inline]
 kobject_add_internal+0x62b/0xd00 lib/kobject.c:240
 kobject_add_varg lib/kobject.c:374 [inline]
 kobject_add+0x163/0x240 lib/kobject.c:426
 device_add+0x408/0xb70 drivers/base/core.c:3627
 netdev_register_kobject+0x178/0x310 net/core/net-sysfs.c:2358
 register_netdevice+0x12a0/0x1cd0 net/core/dev.c:11406

Memory state around the buggy address:
 ffff88807a882c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88807a882d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807a882d80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff88807a882e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807a882e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================