device geneve0 entered promiscuous mode
device geneve1 entered promiscuous mode
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_1
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:717 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_queue_add+0x2dc/0xe00 net/batman-adv/bat_iv_ogm.c:813
Read of size 24 at addr ffff88809c03c200 by task kworker/u4:14/12943

CPU: 0 PID: 12943 Comm: kworker/u4:14 Not tainted 4.14.171-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:347 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:717 [inline]
 batadv_iv_ogm_queue_add+0x2dc/0xe00 net/batman-adv/bat_iv_ogm.c:813
 batadv_iv_ogm_schedule+0x70e/0xdf0 net/batman-adv/bat_iv_ogm.c:966
 batadv_iv_send_outstanding_bat_ogm_packet+0x4ad/0x6a0 net/batman-adv/bat_iv_ogm.c:1809
 process_one_work+0x813/0x1540 kernel/workqueue.c:2114
 worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 20055:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 kmem_cache_alloc_trace+0x14d/0x7b0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 batadv_iv_ogm_iface_enable+0xf7/0x2e0 net/batman-adv/bat_iv_ogm.c:374
 batadv_hardif_enable_interface+0x23d/0x9e0 net/batman-adv/hard-interface.c:746
 batadv_softif_slave_add+0x8a/0xf0 net/batman-adv/soft-interface.c:889
 do_set_master net/core/rtnetlink.c:1961 [inline]
 do_set_master+0x19e/0x200 net/core/rtnetlink.c:1936
 do_setlink+0x994/0x2c00 net/core/rtnetlink.c:2098
 rtnl_newlink+0x11bb/0x1720 net/core/rtnetlink.c:2660
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
 netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2432
 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
 netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1312
 netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1877
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xc5/0x100 net/socket.c:656
 SYSC_sendto+0x1c4/0x2b0 net/socket.c:1763
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 17241:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcb/0x260 mm/slab.c:3815
 batadv_iv_ogm_iface_disable+0x34/0x70 net/batman-adv/bat_iv_ogm.c:393
 batadv_hardif_disable_interface.cold+0x61e/0x867 net/batman-adv/hard-interface.c:836
 batadv_softif_destroy_netlink+0xa3/0x140 net/batman-adv/soft-interface.c:1134
 default_device_exit_batch+0x209/0x380 net/core/dev.c:8734
 ops_exit_list.isra.0+0xef/0x140 net/core/net_namespace.c:145
 cleanup_net+0x3bb/0x820 net/core/net_namespace.c:484
 process_one_work+0x813/0x1540 kernel/workqueue.c:2114
 worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff88809c03c200
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff88809c03c200, ffff88809c03c220)
The buggy address belongs to the page:
page:ffffea0002700f00 count:1 mapcount:0 mapping:ffff88809c03c000 index:0xffff88809c03cfc1
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88809c03c000 ffff88809c03cfc1 000000010000003f
raw: ffffea00029588a0 ffffea0002a11be0 ffff88812fe561c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809c03c100: 00 06 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc
 ffff88809c03c180: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
>ffff88809c03c200: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
                   ^
 ffff88809c03c280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff88809c03c300: 00 03 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================