device geneve0 entered promiscuous mode
device geneve1 entered promiscuous mode
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_1
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:717 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_queue_add+0x2dc/0xe00 net/batman-adv/bat_iv_ogm.c:813
Read of size 24 at addr ffff88809c03c200 by task kworker/u4:14/12943

CPU: 0 PID: 12943 Comm: kworker/u4:14 Not tainted 4.14.171-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:347 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:717 [inline]
 batadv_iv_ogm_queue_add+0x2dc/0xe00 net/batman-adv/bat_iv_ogm.c:813
 batadv_iv_ogm_schedule+0x70e/0xdf0 net/batman-adv/bat_iv_ogm.c:966
 batadv_iv_send_outstanding_bat_ogm_packet+0x4ad/0x6a0 net/batman-adv/bat_iv_ogm.c:1809
 process_one_work+0x813/0x1540 kernel/workqueue.c:2114
 worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 20055:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 kmem_cache_alloc_trace+0x14d/0x7b0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 batadv_iv_ogm_iface_enable+0xf7/0x2e0 net/batman-adv/bat_iv_ogm.c:374
 batadv_hardif_enable_interface+0x23d/0x9e0 net/batman-adv/hard-interface.c:746
 batadv_softif_slave_add+0x8a/0xf0 net/batman-adv/soft-interface.c:889
 do_set_master net/core/rtnetlink.c:1961 [inline]
 do_set_master+0x19e/0x200 net/core/rtnetlink.c:1936
 do_setlink+0x994/0x2c00 net/core/rtnetlink.c:2098
 rtnl_newlink+0x11bb/0x1720 net/core/rtnetlink.c:2660
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
 netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2432
 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
 netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1312
 netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1877
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xc5/0x100 net/socket.c:656
 SYSC_sendto+0x1c4/0x2b0 net/socket.c:1763
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 17241:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcb/0x260 mm/slab.c:3815
 batadv_iv_ogm_iface_disable+0x34/0x70 net/batman-adv/bat_iv_ogm.c:393
 batadv_hardif_disable_interface.cold+0x61e/0x867 net/batman-adv/hard-interface.c:836
 batadv_softif_destroy_netlink+0xa3/0x140 net/batman-adv/soft-interface.c:1134
 default_device_exit_batch+0x209/0x380 net/core/dev.c:8734
 ops_exit_list.isra.0+0xef/0x140 net/core/net_namespace.c:145
 cleanup_net+0x3bb/0x820 net/core/net_namespace.c:484
 process_one_work+0x813/0x1540 kernel/workqueue.c:2114
 worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff88809c03c200
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
 32-byte region [ffff88809c03c200, ffff88809c03c220)
The buggy address belongs to the page:
page:ffffea0002700f00 count:1 mapcount:0 mapping:ffff88809c03c000 index:0xffff88809c03cfc1
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88809c03c000 ffff88809c03cfc1 000000010000003f
raw: ffffea00029588a0 ffffea0002a11be0 ffff88812fe561c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809c03c100: 00 06 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc
 ffff88809c03c180: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
>ffff88809c03c200: fb fb fb fb fc fc fc fc 00 00 01 fc fc fc fc fc
                   ^
 ffff88809c03c280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff88809c03c300: 00 03 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================