==================================================================
BUG: KASAN: use-after-free in batadv_interface_tx+0xa45/0x14a0 net/batman-adv/soft-interface.c:227
Read of size 2 at addr ffff8880a623d30b by task syz-executor3/31020

CPU: 1 PID: 31020 Comm: syz-executor3 Not tainted 5.0.0-rc4+ #47
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145
 batadv_interface_tx+0xa45/0x14a0 net/batman-adv/soft-interface.c:227
 __netdev_start_xmit include/linux/netdevice.h:4385 [inline]
 netdev_start_xmit include/linux/netdevice.h:4394 [inline]
 dev_direct_xmit+0x346/0x640 net/core/dev.c:3930
 packet_direct_xmit+0xfb/0x170 net/packet/af_packet.c:246
 packet_snd net/packet/af_packet.c:2933 [inline]
 packet_sendmsg+0x3879/0x5ab0 net/packet/af_packet.c:2958
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 ___sys_sendmsg+0x3e2/0x930 net/socket.c:2138
 __sys_sendmmsg+0x1c3/0x4e0 net/socket.c:2233
 __do_sys_sendmmsg net/socket.c:2262 [inline]
 __se_sys_sendmmsg net/socket.c:2259 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2259
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457e39
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f082bf53c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000457e39
RDX: 0000000000000300 RSI: 0000000020008a80 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f082bf546d4
R13: 00000000004c4d7a R14: 00000000004d8948 R15: 00000000ffffffff

Allocated by task 9:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc mm/kasan/common.c:504 [inline]
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:411
 kmem_cache_alloc_node+0x144/0x710 mm/slab.c:3633
 __alloc_skb+0xd5/0x5e0 net/core/skbuff.c:196
 alloc_skb include/linux/skbuff.h:1011 [inline]
 nlmsg_new include/net/netlink.h:658 [inline]
 fdb_notify+0x9f/0x190 net/bridge/br_fdb.c:706
 br_fdb_update net/bridge/br_fdb.c:601 [inline]
 br_fdb_update+0x2fd/0xa70 net/bridge/br_fdb.c:562
 br_handle_frame_finish+0x84f/0x14c0 net/bridge/br_input.c:97
 br_nf_hook_thresh+0x2ec/0x380 net/bridge/br_netfilter_hooks.c:1004
 br_nf_pre_routing_finish_ipv6+0x708/0xdc0 net/bridge/br_netfilter_ipv6.c:210
 NF_HOOK include/linux/netfilter.h:289 [inline]
 br_nf_pre_routing_ipv6+0x3c4/0x740 net/bridge/br_netfilter_ipv6.c:238
 br_nf_pre_routing+0xe80/0x13a0 net/bridge/br_netfilter_hooks.c:482
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:244 [inline]
 NF_HOOK include/linux/netfilter.h:287 [inline]
 br_handle_frame+0x95b/0x1450 net/bridge/br_input.c:305
 __netif_receive_skb_core+0xa96/0x3010 net/core/dev.c:4902
 __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:4971
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 process_backlog+0x206/0x750 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x4fa/0x1070 net/core/dev.c:6412
 __do_softirq+0x266/0x95a kernel/softirq.c:292

Freed by task 9:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3749
 kfree_skbmem net/core/skbuff.c:585 [inline]
 kfree_skbmem+0xc5/0x150 net/core/skbuff.c:579
 __kfree_skb net/core/skbuff.c:642 [inline]
 consume_skb net/core/skbuff.c:701 [inline]
 consume_skb+0xea/0x380 net/core/skbuff.c:695
 netlink_broadcast_filtered+0x316/0xb20 net/netlink/af_netlink.c:1520
 netlink_broadcast net/netlink/af_netlink.c:1542 [inline]
 nlmsg_multicast include/net/netlink.h:738 [inline]
 nlmsg_notify+0x93/0x1c0 net/netlink/af_netlink.c:2528
 rtnl_notify+0xc5/0xf0 net/core/rtnetlink.c:742
 fdb_notify+0xfa/0x190 net/bridge/br_fdb.c:717
 br_fdb_update net/bridge/br_fdb.c:601 [inline]
 br_fdb_update+0x2fd/0xa70 net/bridge/br_fdb.c:562
 br_handle_frame_finish+0x84f/0x14c0 net/bridge/br_input.c:97
 br_nf_hook_thresh+0x2ec/0x380 net/bridge/br_netfilter_hooks.c:1004
 br_nf_pre_routing_finish_ipv6+0x708/0xdc0 net/bridge/br_netfilter_ipv6.c:210
 NF_HOOK include/linux/netfilter.h:289 [inline]
 br_nf_pre_routing_ipv6+0x3c4/0x740 net/bridge/br_netfilter_ipv6.c:238
 br_nf_pre_routing+0xe80/0x13a0 net/bridge/br_netfilter_hooks.c:482
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:244 [inline]
 NF_HOOK include/linux/netfilter.h:287 [inline]
 br_handle_frame+0x95b/0x1450 net/bridge/br_input.c:305
 __netif_receive_skb_core+0xa96/0x3010 net/core/dev.c:4902
 __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:4971
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 process_backlog+0x206/0x750 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x4fa/0x1070 net/core/dev.c:6412
 __do_softirq+0x266/0x95a kernel/softirq.c:292

The buggy address belongs to the object at ffff8880a623d2c0
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 75 bytes inside of
 224-byte region [ffff8880a623d2c0, ffff8880a623d3a0)
The buggy address belongs to the page:
page:ffffea0002988f40 count:1 mapcount:0 mapping:ffff8880a9972e00 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00025e6508 ffffea0002143588 ffff8880a9972e00
raw: 0000000000000000 ffff8880a623d040 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a623d200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8880a623d280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8880a623d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8880a623d380: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a623d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================