wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:378 [inline]
BUG: KASAN: use-after-free in ieee80211_ibss_build_presp+0xcfb/0x1a30 net/mac80211/ibss.c:171
Read of size 135 at addr ffff8880a9c06d00 by task kworker/u4:4/236

CPU: 1 PID: 236 Comm: kworker/u4:4 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy77 ieee80211_iface_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x96/0xe0 lib/dump_stack.c:118
 print_address_description.constprop.4.cold.6+0x9/0x341 mm/kasan/report.c:374
 __kasan_report.cold.7+0x7a/0x97 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x144/0x1c0 mm/kasan/generic.c:192
 memcpy+0x1f/0x50 mm/kasan/common.c:122
 memcpy include/linux/string.h:378 [inline]
 ieee80211_ibss_build_presp+0xcfb/0x1a30 net/mac80211/ibss.c:171
 __ieee80211_sta_join_ibss+0x5c7/0x1b20 net/mac80211/ibss.c:317
 ieee80211_sta_create_ibss.cold.19+0x118/0x1de net/mac80211/ibss.c:1353
 ieee80211_sta_find_ibss net/mac80211/ibss.c:1483 [inline]
 ieee80211_ibss_work.cold.27+0x10f/0x4f2 net/mac80211/ibss.c:1707
 process_one_work+0x8ca/0x16c0 kernel/workqueue.c:2269
 worker_thread+0x82/0xb50 kernel/workqueue.c:2415
 kthread+0x31d/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 20027:
 save_stack+0x19/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc mm/kasan/common.c:510 [inline]
 __kasan_kmalloc.constprop.12+0xc1/0xd0 mm/kasan/common.c:483
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc_track_caller+0x11c/0x470 mm/slab.c:3670
 kmemdup+0x17/0x40 mm/util.c:127
 kmemdup include/linux/string.h:451 [inline]
 ieee80211_ibss_join+0x918/0x10d0 net/mac80211/ibss.c:1818
 rdev_join_ibss net/wireless/rdev-ops.h:522 [inline]
 __cfg80211_join_ibss+0x6b5/0xfc0 net/wireless/ibss.c:144
 nl80211_join_ibss+0xa49/0x10e0 net/wireless/nl80211.c:9571
 genl_family_rcv_msg+0x5ff/0xf40 net/netlink/genetlink.c:629
 genl_rcv_msg+0xb3/0x160 net/netlink/genetlink.c:654
 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2477
 genl_rcv+0x1f/0x30 net/netlink/genetlink.c:665
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x3fc/0x5c0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x71e/0xb70 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:657
 ___sys_sendmsg+0x653/0x950 net/socket.c:2311
 __sys_sendmsg+0xce/0x170 net/socket.c:2356
 do_syscall_64+0x8e/0x4e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 20026:
 save_stack+0x19/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:471
 __cache_free mm/slab.c:3425 [inline]
 kfree+0xdd/0x270 mm/slab.c:3756
 ieee80211_ibss_leave+0x7b/0xd0 net/mac80211/ibss.c:1870
 rdev_leave_ibss net/wireless/rdev-ops.h:532 [inline]
 __cfg80211_leave_ibss+0x14c/0x630 net/wireless/ibss.c:212
 cfg80211_leave+0x23/0x30 net/wireless/core.c:1200
 cfg80211_netdev_notifier_call+0x99d/0x15b1 net/wireless/core.c:1309
 notifier_call_chain+0x86/0x150 kernel/notifier.c:95
 call_netdevice_notifiers_extack net/core/dev.c:1680 [inline]
 call_netdevice_notifiers net/core/dev.c:1694 [inline]
 __dev_close_many+0xd4/0x2c0 net/core/dev.c:1382
 __dev_close net/core/dev.c:1420 [inline]
 __dev_change_flags+0x1f8/0x520 net/core/dev.c:7880
 dev_change_flags+0x75/0x160 net/core/dev.c:7953
 dev_ifsioc+0x551/0x750 net/core/dev_ioctl.c:237
 dev_ioctl+0x14b/0xaf8 drivers/usb/gadget/legacy/inode.c:1259
 sock_do_ioctl+0x16f/0x240 net/socket.c:1061
 sock_ioctl+0x484/0x610 net/socket.c:1189
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x18b/0x1040 fs/ioctl.c:696
 ksys_ioctl+0x5b/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:718
 do_syscall_64+0x8e/0x4e0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a9c06d00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
 192-byte region [ffff8880a9c06d00, ffff8880a9c06dc0)
The buggy address belongs to the page:
page:ffffea0002a70180 refcount:1 mapcount:0 mapping:ffff8880b5800000 index:0x0
raw: 00fff00000000200 ffffea00020b2a48 ffffea00028b7b48 ffff8880b5800000
raw: 0000000000000000 ffff8880a9c06000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a9c06c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a9c06c80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff8880a9c06d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880a9c06d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a9c06e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================