================================================================== BUG: KASAN: use-after-free in batadv_interface_tx+0x1194/0x1880 net/batman-adv/soft-interface.c:226 Read of size 2 at addr ffff8880a4fea78b by task syz-executor1/10780 CPU: 1 PID: 10780 Comm: syz-executor1 Not tainted 5.0.0-rc2+ #13 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1db/0x2d0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145 batadv_interface_tx+0x1194/0x1880 net/batman-adv/soft-interface.c:226 __netdev_start_xmit include/linux/netdevice.h:4384 [inline] netdev_start_xmit include/linux/netdevice.h:4393 [inline] dev_direct_xmit+0x368/0x670 net/core/dev.c:3930 packet_direct_xmit+0xfb/0x170 net/packet/af_packet.c:246 packet_snd net/packet/af_packet.c:2932 [inline] packet_sendmsg+0x2754/0x6860 net/packet/af_packet.c:2957 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xdd/0x130 net/socket.c:631 sock_write_iter+0x379/0x5e0 net/socket.c:900 call_write_iter include/linux/fs.h:1862 [inline] new_sync_write fs/read_write.c:474 [inline] __vfs_write+0x764/0xb40 fs/read_write.c:487 vfs_write+0x20c/0x580 fs/read_write.c:549 ksys_write+0x105/0x260 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:607 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x458099 Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fdd6a864c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458099 RDX: 000000000000000e RSI: 0000000020000000 RDI: 0000000000000003 RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdd6a8656d4 R13: 00000000004c3dd9 R14: 00000000004dc370 R15: 00000000ffffffff Allocated by task 8052: save_stack+0x45/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] __kasan_kmalloc mm/kasan/common.c:496 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469 kasan_kmalloc mm/kasan/common.c:504 [inline] kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:411 kmem_cache_alloc+0x12d/0x710 mm/slab.c:3543 getname_flags fs/namei.c:140 [inline] getname_flags+0xd6/0x5b0 fs/namei.c:129 getname fs/namei.c:211 [inline] user_path_create fs/namei.c:3693 [inline] do_mkdirat+0xba/0x2f0 fs/namei.c:3831 __do_sys_mkdir fs/namei.c:3855 [inline] __se_sys_mkdir fs/namei.c:3853 [inline] __x64_sys_mkdir+0x5c/0x80 fs/namei.c:3853 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 8052: save_stack+0x45/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466 __cache_free mm/slab.c:3487 [inline] kmem_cache_free+0x86/0x260 mm/slab.c:3749 putname+0xef/0x130 fs/namei.c:261 filename_create+0x29d/0x5a0 fs/namei.c:3658 user_path_create fs/namei.c:3693 [inline] do_mkdirat+0xcf/0x2f0 fs/namei.c:3831 __do_sys_mkdir fs/namei.c:3855 [inline] __se_sys_mkdir fs/namei.c:3853 [inline] __x64_sys_mkdir+0x5c/0x80 fs/namei.c:3853 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880a4fea3c0 which belongs to the cache names_cache of size 4096 The buggy address is located 971 bytes inside of 4096-byte region [ffff8880a4fea3c0, ffff8880a4feb3c0) The buggy address belongs to the page: page:ffffea000293fa80 count:1 mapcount:0 mapping:ffff8880aa16adc0 index:0x0 compound_mapcount: 0 flags: 0x1fffc0000010200(slab|head) raw: 01fffc0000010200 ffffea00028e7308 ffffea00025d6a08 ffff8880aa16adc0 raw: 0000000000000000 ffff8880a4fea3c0 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a4fea680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a4fea700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880a4fea780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a4fea800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a4fea880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== kobject: 'loop0' (00000000a249c74f): fill_kobj_path: path = '/devices/virtual/block/loop0'