wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready ================================================================== BUG: KASAN: use-after-free in memcpy include/linux/string.h:373 [inline] BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0xcab/0x1aa0 net/mac80211/ibss.c:173 Read of size 135 at addr ffff8881d7424a00 by task kworker/u4:5/1240 IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready CPU: 0 PID: 1240 Comm: kworker/u4:5 Not tainted 4.19.161-syzkaller #0 IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: phy18 ieee80211_iface_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x17c/0x22a lib/dump_stack.c:118 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x307 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13c/0x1b0 mm/kasan/kasan.c:267 memcpy+0x23/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:373 [inline] ieee80211_ibss_build_presp+0xcab/0x1aa0 net/mac80211/ibss.c:173 __ieee80211_sta_join_ibss+0x5b3/0x1a80 net/mac80211/ibss.c:319 ieee80211_sta_create_ibss.cold.10+0xb7/0x147 net/mac80211/ibss.c:1346 wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 ieee80211_sta_find_ibss net/mac80211/ibss.c:1476 [inline] ieee80211_ibss_work.cold.17+0x259/0x505 net/mac80211/ibss.c:1700 ieee80211_iface_work+0x4d2/0x6e0 net/mac80211/iface.c:1366 wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2155 wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 worker_thread+0x85/0xb60 kernel/workqueue.c:2298 kthread+0x347/0x410 kernel/kthread.c:259 wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 11225: save_stack mm/kasan/kasan.c:448 [inline] set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538 __do_kmalloc mm/slab.c:3727 [inline] __kmalloc_track_caller+0x159/0x3d0 mm/slab.c:3742 kmemdup+0x1d/0x40 mm/util.c:118 kmemdup include/linux/string.h:446 [inline] ieee80211_ibss_join+0x74d/0xe10 net/mac80211/ibss.c:1811 ieee80211_join_ibss+0x13/0x20 net/mac80211/cfg.c:2264 rdev_join_ibss net/wireless/rdev-ops.h:521 [inline] __cfg80211_join_ibss+0x60d/0xfa0 net/wireless/ibss.c:138 nl80211_join_ibss+0xb86/0x12f0 net/wireless/nl80211.c:9068 genl_family_rcv_msg+0x599/0x1000 net/netlink/genetlink.c:602 genl_rcv_msg+0xa7/0x140 net/netlink/genetlink.c:627 netlink_rcv_skb+0x13e/0x3d0 net/netlink/af_netlink.c:2455 genl_rcv+0x23/0x40 net/netlink/genetlink.c:638 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x443/0x660 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x666/0xc50 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xac/0xf0 net/socket.c:632 ___sys_sendmsg+0x647/0x950 net/socket.c:2115 __sys_sendmsg+0xd9/0x180 net/socket.c:2153 __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2160 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 11228: save_stack mm/kasan/kasan.c:448 [inline] set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x13c/0x220 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3503 [inline] kfree+0xcf/0x220 mm/slab.c:3822 ieee80211_ibss_leave+0x80/0xd7 net/mac80211/ibss.c:1863 ieee80211_leave_ibss+0x10/0x20 net/mac80211/cfg.c:2269 rdev_leave_ibss net/wireless/rdev-ops.h:531 [inline] __cfg80211_leave_ibss+0x139/0x5a0 net/wireless/ibss.c:206 __cfg80211_leave+0x206/0x410 net/wireless/core.c:1079 cfg80211_leave+0x28/0x40 net/wireless/core.c:1130 cfg80211_netdev_notifier_call+0xd34/0x1c03 net/wireless/core.c:1229 notifier_call_chain+0x8a/0x160 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401 call_netdevice_notifiers_info+0x28/0x60 net/core/dev.c:1744 call_netdevice_notifiers net/core/dev.c:1762 [inline] __dev_close_many+0xe5/0x2b0 net/core/dev.c:1459 __dev_close net/core/dev.c:1497 [inline] __dev_change_flags+0x214/0x590 net/core/dev.c:7669 dev_change_flags+0x7b/0x150 net/core/dev.c:7740 dev_ifsioc+0x509/0x710 net/core/dev_ioctl.c:237 dev_ioctl+0x149/0xad0 net/core/dev_ioctl.c:488 sock_do_ioctl+0x16f/0x230 net/socket.c:973 sock_ioctl+0x281/0x500 net/socket.c:1074 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:501 [inline] do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:688 ksys_ioctl+0x62/0x90 fs/ioctl.c:705 __do_sys_ioctl fs/ioctl.c:712 [inline] __se_sys_ioctl fs/ioctl.c:710 [inline] __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:710 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8881d7424a00 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 0 bytes inside of 192-byte region [ffff8881d7424a00, ffff8881d7424ac0) The buggy address belongs to the page: page:ffffea00075d0900 count:1 mapcount:0 mapping:ffff8881f6000040 index:0xffff8881d7424300 flags: 0x17ff00000000100(slab) raw: 017ff00000000100 ffffea0007a46908 ffffea0007a18048 ffff8881f6000040 raw: ffff8881d7424300 ffff8881d7424000 000000010000000e 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d7424900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881d7424980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8881d7424a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881d7424a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8881d7424b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================