==================================================================
BUG: KASAN: use-after-free in batadv_interface_tx+0x1194/0x1880 net/batman-adv/soft-interface.c:226
Read of size 2 at addr ffff8880a4fea78b by task syz-executor1/10780

CPU: 1 PID: 10780 Comm: syz-executor1 Not tainted 5.0.0-rc2+ #13
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145
 batadv_interface_tx+0x1194/0x1880 net/batman-adv/soft-interface.c:226
 __netdev_start_xmit include/linux/netdevice.h:4384 [inline]
 netdev_start_xmit include/linux/netdevice.h:4393 [inline]
 dev_direct_xmit+0x368/0x670 net/core/dev.c:3930
 packet_direct_xmit+0xfb/0x170 net/packet/af_packet.c:246
 packet_snd net/packet/af_packet.c:2932 [inline]
 packet_sendmsg+0x2754/0x6860 net/packet/af_packet.c:2957
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 sock_write_iter+0x379/0x5e0 net/socket.c:900
 call_write_iter include/linux/fs.h:1862 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x764/0xb40 fs/read_write.c:487
 vfs_write+0x20c/0x580 fs/read_write.c:549
 ksys_write+0x105/0x260 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:607
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458099
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fdd6a864c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458099
RDX: 000000000000000e RSI: 0000000020000000 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdd6a8656d4
R13: 00000000004c3dd9 R14: 00000000004dc370 R15: 00000000ffffffff

Allocated by task 8052:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc mm/kasan/common.c:504 [inline]
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:411
 kmem_cache_alloc+0x12d/0x710 mm/slab.c:3543
 getname_flags fs/namei.c:140 [inline]
 getname_flags+0xd6/0x5b0 fs/namei.c:129
 getname fs/namei.c:211 [inline]
 user_path_create fs/namei.c:3693 [inline]
 do_mkdirat+0xba/0x2f0 fs/namei.c:3831
 __do_sys_mkdir fs/namei.c:3855 [inline]
 __se_sys_mkdir fs/namei.c:3853 [inline]
 __x64_sys_mkdir+0x5c/0x80 fs/namei.c:3853
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8052:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3749
 putname+0xef/0x130 fs/namei.c:261
 filename_create+0x29d/0x5a0 fs/namei.c:3658
 user_path_create fs/namei.c:3693 [inline]
 do_mkdirat+0xcf/0x2f0 fs/namei.c:3831
 __do_sys_mkdir fs/namei.c:3855 [inline]
 __se_sys_mkdir fs/namei.c:3853 [inline]
 __x64_sys_mkdir+0x5c/0x80 fs/namei.c:3853
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a4fea3c0
 which belongs to the cache names_cache of size 4096
The buggy address is located 971 bytes inside of
 4096-byte region [ffff8880a4fea3c0, ffff8880a4feb3c0)
The buggy address belongs to the page:
page:ffffea000293fa80 count:1 mapcount:0 mapping:ffff8880aa16adc0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00028e7308 ffffea00025d6a08 ffff8880aa16adc0
raw: 0000000000000000 ffff8880a4fea3c0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a4fea680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a4fea700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a4fea780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8880a4fea800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a4fea880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
kobject: 'loop0' (00000000a249c74f): fill_kobj_path: path = '/devices/virtual/block/loop0'