wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0xe3f/0x1aa0 net/mac80211/ibss.c:171
Read of size 135 at addr ffff88801d831600 by task kworker/u4:3/122

CPU: 1 PID: 122 Comm: kworker/u4:3 Not tainted 5.12.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy27 ieee80211_iface_work
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x93/0xc2 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 memcpy+0x20/0x60 mm/kasan/shadow.c:65
 memcpy include/linux/fortify-string.h:191 [inline]
 ieee80211_ibss_build_presp+0xe3f/0x1aa0 net/mac80211/ibss.c:171
 __ieee80211_sta_join_ibss+0x572/0x1430 net/mac80211/ibss.c:317
 ieee80211_sta_create_ibss.cold+0xb5/0x101 net/mac80211/ibss.c:1354
 ieee80211_sta_find_ibss net/mac80211/ibss.c:1484 [inline]
 ieee80211_ibss_work.cold+0x23b/0x4c6 net/mac80211/ibss.c:1708
 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275
 worker_thread+0x598/0xf80 kernel/workqueue.c:2421
 kthread+0x36f/0x450 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 13786:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 ____kasan_kmalloc mm/kasan/common.c:506 [inline]
 __kasan_kmalloc+0x78/0x90 mm/kasan/common.c:515
 kasan_kmalloc include/linux/kasan.h:233 [inline]
 __do_kmalloc mm/slab.c:3695 [inline]
 __kmalloc_track_caller+0x209/0x440 mm/slab.c:3710
 kmemdup+0x1a/0x40 mm/util.c:128
 kmemdup include/linux/fortify-string.h:270 [inline]
 ieee80211_ibss_join+0x7a6/0xf70 net/mac80211/ibss.c:1824
 rdev_join_ibss net/wireless/rdev-ops.h:535 [inline]
 __cfg80211_join_ibss+0x69b/0x1180 net/wireless/ibss.c:145
 nl80211_join_ibss+0xa63/0x11b0 net/wireless/nl80211.c:10364
 genl_family_rcv_msg_doit+0x1e4/0x2f0 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x27a/0x4a0 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x118/0x370 net/netlink/af_netlink.c:2502
 genl_rcv+0x1f/0x30 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x42e/0x700 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x70e/0xbe0 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xab/0xe0 net/socket.c:674
 ____sys_sendmsg+0x5bf/0x7a0 net/socket.c:2350
 ___sys_sendmsg+0xd3/0x150 net/socket.c:2404
 __sys_sendmsg+0xb2/0x140 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 13830:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xac/0xe0 mm/kasan/common.c:367
 kasan_slab_free include/linux/kasan.h:199 [inline]
 __cache_free mm/slab.c:3440 [inline]
 kfree+0xe9/0x260 mm/slab.c:3796
 ieee80211_ibss_leave+0x7b/0xd0 net/mac80211/ibss.c:1876
 rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
 __cfg80211_leave_ibss+0x148/0x390 net/wireless/ibss.c:213
 cfg80211_leave net/wireless/core.c:1252 [inline]
 cfg80211_netdev_notifier_call+0x639/0x1040 net/wireless/core.c:1416
 notifier_call_chain+0x94/0x170 kernel/notifier.c:83
 call_netdevice_notifiers_extack net/core/dev.c:2075 [inline]
 call_netdevice_notifiers net/core/dev.c:2089 [inline]
 __dev_close_many+0xd9/0x2a0 net/core/dev.c:1609
 __dev_close net/core/dev.c:1647 [inline]
 __dev_change_flags+0x24f/0x650 net/core/dev.c:8655
 dev_change_flags+0x86/0x150 net/core/dev.c:8728
 dev_ifsioc+0x2c7/0x7b0 net/core/dev_ioctl.c:254
 dev_ioctl+0x144/0x9b0 net/core/dev_ioctl.c:505
 sock_do_ioctl+0x156/0x210 net/socket.c:1062
 sock_ioctl+0x3bf/0x570 net/socket.c:1179
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x11f/0x190 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801d831600
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
 192-byte region [ffff88801d831600, ffff88801d8316c0)
The buggy address belongs to the page:
page:0000000034f3543f refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801d831200 pfn:0x1d831
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea0000837c48 ffffea0000480a08 ffff88800f040000
raw: ffff88801d831200 ffff88801d831000 000000010000000f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88801d831500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801d831580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88801d831600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88801d831680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88801d831700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
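Added triage helper, written for this page; it is not part of the syzkaller report above and not syzbot's own tooling. It parses the KASAN report format shown here into the three things a triager reads first: the faulting frame, the allocation site and the free site (with the task that did each), skipping KASAN, allocator and fortify plumbing frames so the first real kernel site surfaces. The list of "noise" path prefixes and the trimmed sample excerpt (copied from the report above with most frames removed) are this example's assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: frames at these paths are instrumentation/allocator plumbing, not the code under test.
_NOISE = ("mm/kasan/", "mm/slab", "mm/slub", "mm/util.c", "lib/dump_stack.c",
          "include/linux/kasan.h", "include/linux/fortify-string.h")

_BUG = re.compile(r"^BUG: KASAN: (?P<type>[\w-]+) in (?P<sym>\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+)")
_ACCESS = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)$")
_TRACK = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<task>\d+):$")
_FRAME = re.compile(r"^\s+(?P<sym>\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+)(?: \[inline\])?$")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
_REGION = re.compile(r"(?P<size>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")


@dataclass
class Frame:
    symbol: str
    location: str  # file:line


@dataclass
class KasanReport:
    bug_type: str = ""
    access_kind: str = ""
    access_size: int = 0
    address: int = 0
    access_task: str = ""
    cache: Optional[str] = None
    region: Optional[range] = None  # [start, end) of the slab object the address belongs to
    tasks: Dict[str, str] = field(default_factory=dict)           # "alloc"/"free" -> task id
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)  # "access"/"alloc"/"free"


def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    section: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            section = None  # a blank line closes every stack section
            continue
        if m := _BUG.match(line):
            r.bug_type = m["type"]  # the BUG: line repeats once per inlined frame; the type is the same
        elif m := _ACCESS.match(line):
            r.access_kind, r.access_size = m["kind"].lower(), int(m["size"])
            r.address, r.access_task = int(m["addr"], 16), m["task"]
        elif line.startswith("Call Trace:"):
            section = "access"
            r.stacks[section] = []
        elif m := _TRACK.match(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            r.tasks[section], r.stacks[section] = m["task"], []
        elif section and (m := _FRAME.match(line)):
            r.stacks[section].append(Frame(m["sym"], m["loc"]))
        elif m := _CACHE.search(line):
            r.cache = m["cache"]
        elif m := _REGION.search(line):
            r.region = range(int(m["start"], 16), int(m["end"], 16))
    return r


def culprit(frames: List[Frame]) -> Optional[Frame]:
    """First frame outside the plumbing: the source site worth opening."""
    return next((f for f in frames if not f.location.startswith(_NOISE)), None)


def access_inside_object(r: KasanReport) -> bool:
    """True when [address, address+size) lies entirely inside the reported slab object."""
    return r.region is not None and r.address in r.region and (r.address + r.access_size - 1) in r.region


def summarize(r: KasanReport) -> str:
    offset = r.address - r.region.start if r.region else "?"
    parts = [f"{r.bug_type}: {r.access_kind} of {r.access_size} bytes at offset {offset} of a {r.cache} object"]
    for key, label in (("access", "accessed"), ("alloc", "allocated"), ("free", "freed")):
        f = culprit(r.stacks.get(key, []))
        task = r.tasks.get(key) or (r.access_task if key == "access" else None)
        if f:
            parts.append(f"{label} in {f.symbol} ({f.location})" + (f" by task {task}" if task else ""))
    return "; ".join(parts)


# Constructed sample input: an excerpt of the report above with most frames trimmed.
SAMPLE = """\
BUG: KASAN: use-after-free in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0xe3f/0x1aa0 net/mac80211/ibss.c:171
Read of size 135 at addr ffff88801d831600 by task kworker/u4:3/122

CPU: 1 PID: 122 Comm: kworker/u4:3 Not tainted 5.12.0-rc2-syzkaller #0
Workqueue: phy27 ieee80211_iface_work
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x93/0xc2 lib/dump_stack.c:120
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 memcpy+0x20/0x60 mm/kasan/shadow.c:65
 memcpy include/linux/fortify-string.h:191 [inline]
 ieee80211_ibss_build_presp+0xe3f/0x1aa0 net/mac80211/ibss.c:171
 __ieee80211_sta_join_ibss+0x572/0x1430 net/mac80211/ibss.c:317
 ieee80211_ibss_work.cold+0x23b/0x4c6 net/mac80211/ibss.c:1708
 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275

Allocated by task 13786:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 __kmalloc_track_caller+0x209/0x440 mm/slab.c:3710
 kmemdup+0x1a/0x40 mm/util.c:128
 ieee80211_ibss_join+0x7a6/0xf70 net/mac80211/ibss.c:1824
 nl80211_join_ibss+0xa63/0x11b0 net/wireless/nl80211.c:10364

Freed by task 13830:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kfree+0xe9/0x260 mm/slab.c:3796
 ieee80211_ibss_leave+0x7b/0xd0 net/mac80211/ibss.c:1876
 __cfg80211_leave_ibss+0x148/0x390 net/wireless/ibss.c:213

The buggy address belongs to the object at ffff88801d831600
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
 192-byte region [ffff88801d831600, ffff88801d8316c0)
"""

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE)))
```

On this report the summary line reads: use-after-free, read of 135 bytes at offset 0 of a kmalloc-192 object, accessed in ieee80211_ibss_build_presp (net/mac80211/ibss.c:171) by the kworker, allocated in ieee80211_ibss_join (net/mac80211/ibss.c:1824) by task 13786, freed in ieee80211_ibss_leave (net/mac80211/ibss.c:1876) by task 13830. access_inside_object() confirms the 135-byte read stays within the 192-byte object, which is what distinguishes a pure use-after-free from one that also overruns into the next slab object.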