wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0xe3f/0x1aa0 net/mac80211/ibss.c:171
Read of size 135 at addr ffff88802996f400 by task kworker/u4:1/24

CPU: 0 PID: 24 Comm: kworker/u4:1 Not tainted 5.12.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy43 ieee80211_iface_work
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x93/0xc2 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 memcpy+0x20/0x60 mm/kasan/shadow.c:65
 memcpy include/linux/fortify-string.h:191 [inline]
 ieee80211_ibss_build_presp+0xe3f/0x1aa0 net/mac80211/ibss.c:171
 __ieee80211_sta_join_ibss+0x572/0x1430 net/mac80211/ibss.c:317
 ieee80211_sta_create_ibss.cold+0xb5/0x101 net/mac80211/ibss.c:1354
 ieee80211_sta_find_ibss net/mac80211/ibss.c:1484 [inline]
 ieee80211_ibss_work.cold+0x23b/0x4c6 net/mac80211/ibss.c:1708
 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275
 worker_thread+0x598/0xf80 kernel/workqueue.c:2421
 kthread+0x36f/0x450 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 13789:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 ____kasan_kmalloc mm/kasan/common.c:506 [inline]
 __kasan_kmalloc+0x7a/0x90 mm/kasan/common.c:515
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:684 [inline]
 call_usermodehelper_setup+0x7f/0x300 kernel/umh.c:363
 kobject_uevent_env+0xc5b/0x12c0 lib/kobject_uevent.c:613
 rx_queue_add_kobject net/core/net-sysfs.c:1020 [inline]
 net_rx_queue_update_kobjects+0xa5/0x390 net/core/net-sysfs.c:1060
 register_queue_kobjects net/core/net-sysfs.c:1742 [inline]
 netdev_register_kobject+0x241/0x3c0 net/core/net-sysfs.c:1990
 register_netdevice+0xa91/0x1210 net/core/dev.c:10178
 bond_newlink drivers/net/bonding/bond_netlink.c:458 [inline]
 bond_newlink+0x25/0x60 drivers/net/bonding/bond_netlink.c:448
 __rtnl_newlink+0xcbf/0x1350 net/core/rtnetlink.c:3443
 rtnl_newlink+0x5a/0x90 net/core/rtnetlink.c:3491
 rtnetlink_rcv_msg+0x32f/0x860 net/core/rtnetlink.c:5553
 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x70e/0xbe0 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:674
 __sys_sendto+0x1a4/0x270 net/socket.c:1977
 __do_sys_sendto net/socket.c:1989 [inline]
 __se_sys_sendto net/socket.c:1985 [inline]
 __x64_sys_sendto+0xd8/0x1b0 net/socket.c:1985
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 14735:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xda/0x110 mm/kasan/common.c:367
 kasan_slab_free include/linux/kasan.h:199 [inline]
 slab_free_hook mm/slub.c:1562 [inline]
 slab_free_freelist_hook+0x51/0x130 mm/slub.c:1600
 slab_free mm/slub.c:3161 [inline]
 kfree+0xdb/0x3c0 mm/slub.c:4213
 ieee80211_ibss_leave+0x7b/0xd0 net/mac80211/ibss.c:1876
 rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
 __cfg80211_leave_ibss+0x148/0x390 net/wireless/ibss.c:213
 cfg80211_leave net/wireless/core.c:1252 [inline]
 cfg80211_netdev_notifier_call+0x639/0x1040 net/wireless/core.c:1416
 notifier_call_chain+0x94/0x170 kernel/notifier.c:83
 call_netdevice_notifiers_extack net/core/dev.c:2075 [inline]
 call_netdevice_notifiers net/core/dev.c:2089 [inline]
 __dev_close_many+0xd9/0x2a0 net/core/dev.c:1609
 __dev_close net/core/dev.c:1647 [inline]
 __dev_change_flags+0x24f/0x650 net/core/dev.c:8655
 dev_change_flags+0x86/0x150 net/core/dev.c:8728
 dev_ifsioc+0x2c7/0x7b0 net/core/dev_ioctl.c:254
 dev_ioctl+0x144/0x9b0 net/core/dev_ioctl.c:505
 sock_do_ioctl+0x156/0x210 net/socket.c:1062
 sock_ioctl+0x3bf/0x570 net/socket.c:1179
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x11f/0x190 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xc5/0xf0 mm/kasan/generic.c:345
 insert_work+0x42/0x300 kernel/workqueue.c:1331
 __queue_work+0x497/0xcb0 kernel/workqueue.c:1497
 queue_work_on+0x64/0x70 kernel/workqueue.c:1524
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x1b8/0x430 kernel/umh.c:433
 kobject_uevent_env+0xc6f/0x12c0 lib/kobject_uevent.c:617
 rx_queue_add_kobject net/core/net-sysfs.c:1020 [inline]
 net_rx_queue_update_kobjects+0xa5/0x390 net/core/net-sysfs.c:1060
 register_queue_kobjects net/core/net-sysfs.c:1742 [inline]
 netdev_register_kobject+0x241/0x3c0 net/core/net-sysfs.c:1990
 register_netdevice+0xa91/0x1210 net/core/dev.c:10178
 bond_newlink drivers/net/bonding/bond_netlink.c:458 [inline]
 bond_newlink+0x25/0x60 drivers/net/bonding/bond_netlink.c:448
 __rtnl_newlink+0xcbf/0x1350 net/core/rtnetlink.c:3443
 rtnl_newlink+0x5a/0x90 net/core/rtnetlink.c:3491
 rtnetlink_rcv_msg+0x32f/0x860 net/core/rtnetlink.c:5553
 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x70e/0xbe0 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:674
 __sys_sendto+0x1a4/0x270 net/socket.c:1977
 __do_sys_sendto net/socket.c:1989 [inline]
 __se_sys_sendto net/socket.c:1985 [inline]
 __x64_sys_sendto+0xd8/0x1b0 net/socket.c:1985
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88802996f400
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
 192-byte region [ffff88802996f400, ffff88802996f4c0)
The buggy address belongs to the page:
page:0000000060f455aa refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802996fa00 pfn:0x2996f
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea00004bbf88 ffffea0000f9c508 ffff88800ec41a00
raw: ffff88802996fa00 000000000010000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88802996f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88802996f380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff88802996f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88802996f480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88802996f500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
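As an added example (my own code, not from the kernel tree or from syzbot), the Python below parses a generic-KASAN report such as the one above into the fields a triager checks first: the bug class, the faulting access, the first non-allocator frame of the access, allocation and free stacks, the object's slab cache and the offset of the access inside it, and the shadow byte covering the faulting address, decoded with the legend from mm/kasan/kasan.h in v5.12 (0xFA/0xFB freed object, 0xFC slab redzone). It also counts how many 8-byte granules of the 135-byte read are poisoned, which shows whether the whole access lands in freed memory or only its first byte. REPORT is an abridged copy of the report above with the stacks cut to three frames each; the PLUMBING path list is a heuristic of this example, not a kernel convention.

```python
import re
from dataclasses import dataclass, field

# Shadow-byte legend for generic KASAN (mm/kasan/kasan.h, v5.12): one byte per 8-byte granule;
# 0x01..0x07 would mean only the first N bytes of that granule are addressable.
SHADOW_LEGEND = {0x00: "addressable",
                 0xFA: "freed object, first granule (KASAN_KMALLOC_FREETRACK)",
                 0xFB: "freed object (KASAN_KMALLOC_FREE)",
                 0xFC: "slab redzone (KASAN_KMALLOC_REDZONE)"}
GRANULE, ROW_BYTES = 8, 128  # a printed "Memory state" row is 16 shadow bytes = 128 bytes
# Heuristic of this example, not a kernel convention: frames under these paths are allocator
# or KASAN plumbing, so the first frame outside them is the subsystem-level site to open.
PLUMBING = ("mm/kasan/", "mm/slub.c", "mm/slab", "include/linux/slab.h",
            "include/linux/kasan.h", "include/linux/fortify-string.h", "lib/dump_stack.c")
SECTIONS = {"Call Trace": "access", "Allocated by task": "alloc", "Freed by task": "free",
            "Last potentially related work creation": "aux"}
SECTION_RE = re.compile(r"^(%s)(?: (\d+))?:$" % "|".join(SECTIONS))
FRAME_RE = re.compile(r"^\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+)(?: \[inline\])?$")
SHADOW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")

# Abridged from the report on this page: stacks cut to three frames, prose lines dropped.
REPORT = """\
BUG: KASAN: use-after-free in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0xe3f/0x1aa0 net/mac80211/ibss.c:171
Read of size 135 at addr ffff88802996f400 by task kworker/u4:1/24
Call Trace:
 memcpy+0x20/0x60 mm/kasan/shadow.c:65
 ieee80211_ibss_build_presp+0xe3f/0x1aa0 net/mac80211/ibss.c:171
Allocated by task 13789:
 __kasan_kmalloc+0x7a/0x90 mm/kasan/common.c:515
 kzalloc include/linux/slab.h:684 [inline]
 call_usermodehelper_setup+0x7f/0x300 kernel/umh.c:363
Freed by task 14735:
 __kasan_slab_free+0xda/0x110 mm/kasan/common.c:367
 kfree+0xdb/0x3c0 mm/slub.c:4213
 ieee80211_ibss_leave+0x7b/0xd0 net/mac80211/ibss.c:1876
The buggy address belongs to the object at ffff88802996f400
 which belongs to the cache kmalloc-192 of size 192
 192-byte region [ffff88802996f400, ffff88802996f4c0)
 ffff88802996f380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff88802996f400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802996f480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

@dataclass
class KasanReport:
    bug_type: str = ""
    access_kind: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    cache: str = ""
    region: tuple = (0, 0)
    task_ids: dict = field(default_factory=dict)  # section -> pid
    stacks: dict = field(default_factory=dict)    # section -> [(func, file:line), ...]
    shadow: dict = field(default_factory=dict)    # row base address -> 16 shadow bytes

    def shadow_at(self, addr):
        row = self.shadow.get(addr & ~(ROW_BYTES - 1))  # None if KASAN did not print the row
        return None if row is None else row[(addr % ROW_BYTES) // GRANULE]

def parse_kasan_report(text):
    r, section = KasanReport(), None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = SECTIONS[m[1]]
            r.stacks[section] = []
            if m[2]:
                r.task_ids[section] = int(m[2])
        elif section and (m := FRAME_RE.match(line)):
            r.stacks[section].append((m[1], m[2]))
        else:
            section = None  # any line that is not a frame closes the current stack
            if m := re.match(r"BUG: KASAN: (\S+) in ", line):
                r.bug_type = m[1]
            elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
                r.access_kind, r.size, r.addr, r.task = m[1], int(m[2]), int(m[3], 16), m[4]
            elif m := re.search(r"belongs to the cache (\S+) of size", line):
                r.cache = m[1]
            elif m := re.search(r"-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
                r.region = (int(m[1], 16), int(m[2], 16))
            elif m := SHADOW_RE.match(line):
                r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
    return r

def site(stack):
    # First frame outside allocator/KASAN plumbing: the line a reviewer opens first.
    return next((f for f in stack if not f[1].startswith(PLUMBING)), None)

def summarize(text):
    r = parse_kasan_report(text)
    # Every granule the access touches: a 135-byte read from the object start spans 17.
    granules = range(r.addr // GRANULE, (r.addr + r.size - 1) // GRANULE + 1)
    poisoned = sum(1 for g in granules if r.shadow_at(g * GRANULE) not in (None, 0x00))
    shadow = r.shadow_at(r.addr)
    return {"bug": r.bug_type,
            "access": f"{r.access_kind} of {r.size} bytes at {r.addr:#x} by {r.task}",
            "crash_site": site(r.stacks.get("access", [])),
            "alloc_site": site(r.stacks.get("alloc", [])), "alloc_task": r.task_ids.get("alloc"),
            "free_site": site(r.stacks.get("free", [])), "free_task": r.task_ids.get("free"),
            "cache": r.cache, "offset_in_object": r.addr - r.region[0],
            "shadow": shadow, "shadow_meaning": SHADOW_LEGEND.get(shadow, "other/unknown"),
            "poisoned_granules": poisoned}
```

Calling summarize(REPORT) puts the allocation site (call_usermodehelper_setup, kernel/umh.c:363) next to the free site (ieee80211_ibss_leave, net/mac80211/ibss.c:1876), and reports that all 17 granules of the read are poisoned with the buggy address at offset 0 of a kmalloc-192 object. The two sites belong to different subsystems, which is a reminder that the "Allocated by" track KASAN prints is whatever was last recorded for that slab slot and needs to be cross-checked against the freeing path before it is taken as the provenance of the buffer ieee80211_ibss_build_presp reads.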