IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
==================================================================
BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:255 [inline]
BUG: KASAN: use-after-free in macvlan_broadcast+0x57c/0x660 drivers/net/macvlan.c:281
Read of size 4 at addr ffff88808dec1841 by task syz-executor650/7871

CPU: 0 PID: 7871 Comm: syz-executor650 Not tainted 4.19.93-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
 __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
 mc_hash drivers/net/macvlan.c:255 [inline]
 macvlan_broadcast+0x57c/0x660 drivers/net/macvlan.c:281
 macvlan_queue_xmit drivers/net/macvlan.c:524 [inline]
 macvlan_start_xmit+0x408/0x785 drivers/net/macvlan.c:563
 __netdev_start_xmit include/linux/netdevice.h:4308 [inline]
 netdev_start_xmit include/linux/netdevice.h:4317 [inline]
 dev_direct_xmit+0x34d/0x650 net/core/dev.c:3909
 packet_direct_xmit+0xf9/0x170 net/packet/af_packet.c:246
 packet_snd net/packet/af_packet.c:2958 [inline]
 packet_sendmsg+0x3bb2/0x6440 net/packet/af_packet.c:2983
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:632
 __sys_sendto+0x262/0x380 net/socket.c:1787
 __do_sys_sendto net/socket.c:1799 [inline]
 __se_sys_sendto net/socket.c:1795 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1795
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x442529
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe90cc3aa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442529
RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000403aa0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6576:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x700 mm/slab.c:3559
 kmem_cache_zalloc include/linux/slab.h:699 [inline]
 file_alloc_security security/selinux/hooks.c:390 [inline]
 selinux_file_alloc_security+0xb4/0x190 security/selinux/hooks.c:3597
 security_file_alloc+0x63/0xa0 security/security.c:884
 __alloc_file+0xcf/0x330 fs/file_table.c:105
 alloc_empty_file+0x72/0x170 fs/file_table.c:150
 alloc_file+0x5e/0x4d0 fs/file_table.c:192
 alloc_file_pseudo+0x189/0x280 fs/file_table.c:231
 create_pipe_files+0x3f1/0x730 fs/pipe.c:764
 __do_pipe_flags+0x48/0x250 fs/pipe.c:795
 do_pipe2+0x84/0x160 fs/pipe.c:843
 __do_sys_pipe fs/pipe.c:866 [inline]
 __se_sys_pipe fs/pipe.c:864 [inline]
 __x64_sys_pipe+0x33/0x40 fs/pipe.c:864
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 6579:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3765
 file_free_security security/selinux/hooks.c:405 [inline]
 selinux_file_free_security+0x49/0x60 security/selinux/hooks.c:3602
 security_file_free+0x41/0x80 security/security.c:889
 file_free fs/file_table.c:54 [inline]
 __fput+0x43d/0x8b0 fs/file_table.c:294
 ____fput+0x16/0x20 fs/file_table.c:309
 task_work_run+0x145/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88808dec1840
 which belongs to the cache selinux_file_security of size 16
The buggy address is located 1 bytes inside of
 16-byte region [ffff88808dec1840, ffff88808dec1850)
The buggy address belongs to the page:
page:ffffea000237b040 count:1 mapcount:0 mapping:ffff8880aa44b080 index:0xffff88808dec1f84
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea00027b2048 ffffea0002910108 ffff8880aa44b080
raw: ffff88808dec1f84 ffff88808dec1000 0000000100000044 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808dec1700: fb fb fc fc 00 00 fc fc fb fb fc fc fb fb fc fc
 ffff88808dec1780: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
>ffff88808dec1800: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
                                           ^
 ffff88808dec1880: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
 ffff88808dec1900: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
==================================================================