[ 185.654201] Bluetooth: hci5: command 0x0406 tx timeout
[ 185.660467] Bluetooth: hci2: command 0x0406 tx timeout
[ 193.770563] ieee802154 phy0 wpan0: encryption failed: -22
[ 193.776262] ieee802154 phy1 wpan1: encryption failed: -22
[ 255.203654] ieee802154 phy0 wpan0: encryption failed: -22
[ 255.209435] ieee802154 phy1 wpan1: encryption failed: -22
[ 316.647864] ieee802154 phy0 wpan0: encryption failed: -22
[ 316.653551] ieee802154 phy1 wpan1: encryption failed: -22
[ 378.076275] ieee802154 phy0 wpan0: encryption failed: -22
[ 378.082125] ieee802154 phy1 wpan1: encryption failed: -22
[ 421.166238] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 421.173800] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 421.182217] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 421.189700] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 421.198125] ==================================================================
[ 421.205836] BUG: KASAN: use-after-free in batadv_iv_ogm_schedule+0xe46/0xf30
[ 421.213949] Write of size 2 at addr ffff8800af2636a6 by task kworker/u4:7/10069
[ 421.222727]
[ 421.224605] CPU: 0 PID: 10069 Comm: kworker/u4:7 Not tainted 4.19.0-rc7-syzkaller #0
[ 421.232921] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 421.242529] Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
[ 421.249627] Call Trace:
[ 421.252611]  dump_stack+0x15a/0x20d
[ 421.256315]  print_address_description.cold.6+0x9/0x244
[ 421.262137]  kasan_report.cold.7+0x242/0x305
[ 421.267681]  ? batadv_iv_ogm_schedule+0xe46/0xf30
[ 421.273068]  __asan_report_store2_noabort+0x17/0x20
[ 421.278601]  batadv_iv_ogm_schedule+0xe46/0xf30
[ 421.283477]  ? _raw_spin_unlock_irqrestore+0x63/0xd0
[ 421.288668]  ? trace_hardirqs_off+0x41/0x180
[ 421.293241]  ? batadv_iv_ogm_neigh_dump+0x580/0x580
[ 421.298751]  batadv_iv_send_outstanding_bat_ogm_packet+0x4b2/0x7b0
[ 421.305350]  process_one_work+0x7b9/0x14f0
[ 421.309973]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 421.315125]  ? lock_acquire+0x180/0x3a0
[ 421.319247]  ? kasan_check_write+0x14/0x20
[ 421.324229]  ? do_raw_spin_lock+0xc1/0x200
[ 421.328616]  worker_thread+0x85/0xb60
[ 421.332418]  ? __kthread_parkme+0x47/0x190
[ 421.336907]  kthread+0x324/0x3e0
[ 421.340587]  ? process_one_work+0x14f0/0x14f0
[ 421.345247]  ? kthread_park+0x120/0x120
[ 421.349210]  ret_from_fork+0x24/0x30
[ 421.353105]
[ 421.354738] Allocated by task 8646:
[ 421.358348]  kasan_kmalloc.part.1+0x62/0xf0
[ 421.363178]  kasan_kmalloc+0xaf/0xc0
[ 421.366884]  kmem_cache_alloc_trace+0x13a/0x2f0
[ 421.372003]  batadv_iv_ogm_iface_enable+0x11c/0x370
[ 421.377100]  batadv_hardif_enable_interface+0x24d/0x9d0
[ 421.382470]  batadv_softif_slave_add+0x7f/0xd0
[ 421.387210]  do_set_master+0x171/0x200
[ 421.391252]  do_setlink+0x94c/0x2e40
[ 421.395560]  rtnl_newlink+0x96a/0x1300
[ 421.399593]  rtnetlink_rcv_msg+0x34f/0x950
[ 421.404867]  netlink_rcv_skb+0x142/0x390
[ 421.409260]  rtnetlink_rcv+0x10/0x20
[ 421.413793]  netlink_unicast+0x443/0x660
[ 421.418349]  netlink_sendmsg+0x667/0xc60
[ 421.422504]  sock_sendmsg+0xac/0xf0
[ 421.426208]  __sys_sendto+0x1f2/0x2e0
[ 421.430227]  __x64_sys_sendto+0xdc/0x1a0
[ 421.434994]  do_syscall_64+0xda/0x540
[ 421.439422]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 421.445117]
[ 421.446845] Freed by task 3144:
[ 421.450276]  __kasan_slab_free+0x167/0x240
[ 421.454513]  kasan_slab_free+0xe/0x10
[ 421.458507]  kfree+0x130/0x360
[ 421.461713]  batadv_iv_ogm_iface_disable+0x34/0x70
[ 421.466644]  batadv_hardif_disable_interface.cold.8+0x85f/0xdb4
[ 421.472683]  batadv_softif_destroy_netlink+0x94/0x100
[ 421.477937]  default_device_exit_batch+0x239/0x3d0
[ 421.483001]  ops_exit_list.isra.3+0xd3/0x120
[ 421.487567]  cleanup_net+0x363/0x840
[ 421.491468]  process_one_work+0x7b9/0x14f0
[ 421.495772]  worker_thread+0x85/0xb60
[ 421.499642]  kthread+0x324/0x3e0
[ 421.503171]  ret_from_fork+0x24/0x30
[ 421.506857]
[ 421.508479] The buggy address belongs to the object at ffff8800af263690
[ 421.508479]  which belongs to the cache kmalloc-32 of size 32
[ 421.521298] The buggy address is located 22 bytes inside of
[ 421.521298]  32-byte region [ffff8800af263690, ffff8800af2636b0)
[ 421.533240] The buggy address belongs to the page:
[ 421.538146] page:ffffea0002bc98c0 count:1 mapcount:0 mapping:ffff88013ffbb800 index:0xffff8800af263d50
[ 421.547584] flags: 0xfff00000000100(slab)
[ 421.551898] raw: 00fff00000000100 ffffea0002a774c8 ffffea0002d2f508 ffff88013ffbb800
[ 421.560039] raw: ffff8800af263d50 0000000000550053 00000001ffffffff 0000000000000000
[ 421.568584] page dumped because: kasan: bad access detected
[ 421.575260] page allocated via order 0, migratetype Unmovable, gfp_mask 0x6012c0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY)
[ 421.586706]  get_page_from_freelist+0x3033/0x4530
[ 421.591640]  __alloc_pages_nodemask+0x39e/0x2670
[ 421.596648]  alloc_pages_current+0xd6/0x1b0
[ 421.600980]  new_slab+0x4a9/0x850
[ 421.604553]  ___slab_alloc+0x648/0x980
[ 421.608516]  __slab_alloc.isra.22+0x78/0xe0
[ 421.612819]  __kmalloc+0x292/0x340
[ 421.616425]  shmem_initxattrs+0x11a/0x1e0
[ 421.620811]  security_inode_init_security+0x17f/0x2d0
[ 421.626253]  shmem_mknod+0x98/0x1a0
[ 421.629863]  vfs_mknod+0x419/0x6c0
[ 421.633404]  handle_create+0x19e/0x4d0
[ 421.637366]  devtmpfsd+0x1ed/0x490
[ 421.641038]  kthread+0x324/0x3e0
[ 421.644409]  ret_from_fork+0x24/0x30
[ 421.648116]
[ 421.649737] Memory state around the buggy address:
[ 421.654814]  ffff8800af263580: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
[ 421.662559]  ffff8800af263600: fb fb fb fb fc fc fb fb fb fb fc fc fb fb fb fb
[ 421.670430] >ffff8800af263680: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc 00 00
[ 421.677887]                                ^
[ 421.682286]  ffff8800af263700: 00 05 fc fc 00 00 00 05 fc fc 00 00 00 05 fc fc
[ 421.689731]  ffff8800af263780: 00 00 00 05 fc fc 00 00 00 05 fc fc 00 00 00 05
[ 421.697354] ==================================================================
[ 421.704795] Disabling lock debugging due to kernel taint
[ 421.713930] Kernel panic - not syncing: panic_on_warn set ...
[ 421.713930]
[ 421.721312] CPU: 0 PID: 10069 Comm: kworker/u4:7 Tainted: G B 4.19.0-rc7-syzkaller #0
[ 421.730704] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 421.740319] Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
[ 421.747758] Call Trace:
[ 421.750323]  dump_stack+0x15a/0x20d
[ 421.753928]  panic+0x1c6/0x36b
[ 421.757160]  ? __warn_printk+0xd6/0xd6
[ 421.761246]  ? ___preempt_schedule+0x16/0x18
[ 421.765630]  kasan_end_report+0x47/0x4f
[ 421.769678]  kasan_report.cold.7+0x76/0x305
[ 421.773980]  ? batadv_iv_ogm_schedule+0xe46/0xf30
[ 421.778809]  __asan_report_store2_noabort+0x17/0x20
[ 421.783865]  batadv_iv_ogm_schedule+0xe46/0xf30
[ 421.788583]  ? _raw_spin_unlock_irqrestore+0x63/0xd0
[ 421.793677]  ? trace_hardirqs_off+0x41/0x180
[ 421.798126]  ? batadv_iv_ogm_neigh_dump+0x580/0x580
[ 421.803706]  batadv_iv_send_outstanding_bat_ogm_packet+0x4b2/0x7b0
[ 421.810210]  process_one_work+0x7b9/0x14f0
[ 421.814574]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 421.819254]  ? lock_acquire+0x180/0x3a0
[ 421.823335]  ? kasan_check_write+0x14/0x20
[ 421.827807]  ? do_raw_spin_lock+0xc1/0x200
[ 421.832040]  worker_thread+0x85/0xb60
[ 421.835833]  ? __kthread_parkme+0x47/0x190
[ 421.840056]  kthread+0x324/0x3e0
[ 421.843628]  ? process_one_work+0x14f0/0x14f0
[ 421.848195]  ? kthread_park+0x120/0x120
[ 421.852238]  ret_from_fork+0x24/0x30
[ 421.856273] Kernel Offset: disabled
[ 421.859891] Rebooting in 86400 seconds..
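A small triage helper for reading a report like the one above, added here as an example; it is not part of the crash report, of syzkaller or of batman-adv. It parses the dmesg text into the bug class, the faulting access, the allocating and freeing stacks and the object bounds, drops the unreliable "? func" frames, and cross-checks the stated "22 bytes inside of" offset against the addresses. SAMPLE is a constructed, trimmed copy of the lines above; the PLUMBING prefix list used to skip allocator and KASAN frames is my own heuristic, not a kernel convention.

```python
"""Triage helper for a KASAN report as printed by dmesg/syzkaller.

Added example, not part of the crash report above or of batman-adv. It pulls
out what a triager reads first (bug class, faulting access, allocating and
freeing stacks, object and offset) and cross-checks the stated offset.
"""
import re
from dataclasses import dataclass, field

# Constructed input: a trimmed copy of the report above, timestamps as dmesg prints them.
SAMPLE = """\
[  421.205836] BUG: KASAN: use-after-free in batadv_iv_ogm_schedule+0xe46/0xf30
[  421.213949] Write of size 2 at addr ffff8800af2636a6 by task kworker/u4:7/10069
[  421.249627] Call Trace:
[  421.252611]  dump_stack+0x15a/0x20d
[  421.262137]  kasan_report.cold.7+0x242/0x305
[  421.267681]  ? batadv_iv_ogm_schedule+0xe46/0xf30
[  421.278601]  batadv_iv_ogm_schedule+0xe46/0xf30
[  421.298751]  batadv_iv_send_outstanding_bat_ogm_packet+0x4b2/0x7b0
[  421.354738] Allocated by task 8646:
[  421.358348]  kasan_kmalloc.part.1+0x62/0xf0
[  421.366884]  kmem_cache_alloc_trace+0x13a/0x2f0
[  421.372003]  batadv_iv_ogm_iface_enable+0x11c/0x370
[  421.446845] Freed by task 3144:
[  421.450276]  __kasan_slab_free+0x167/0x240
[  421.458507]  kfree+0x130/0x360
[  421.461713]  batadv_iv_ogm_iface_disable+0x34/0x70
[  421.508479]  which belongs to the cache kmalloc-32 of size 32
[  421.521298] The buggy address is located 22 bytes inside of
[  421.521298]  32-byte region [ffff8800af263690, ffff8800af2636b0)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                              # dmesg timestamp
FRAME = re.compile(r"^(\?\s*)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")      # func+0xoff/0xlen
PLUMBING = ("dump_stack", "print_address", "kasan_", "__kasan", "__asan",
            "kmem_cache_", "kmalloc", "__kmalloc", "kfree")             # heuristic skip list

@dataclass
class KasanReport:
    bug: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    cache: str = ""
    obj_start: int = 0
    obj_end: int = 0
    reported_offset: int = -1
    stacks: dict = field(default_factory=lambda: {"trace": [], "alloc": [], "free": []})

def parse_kasan(text):
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw, count=1).strip()
        if m := re.match(r"BUG: KASAN: ([\w-]+) in ", line):
            r.bug = m[1]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)", line):
            r.access, r.size, r.addr, r.task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.match(r"which belongs to the cache (\S+) of size", line):
            r.cache = m[1]
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.reported_offset = int(m[1])
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r.obj_start, r.obj_end = int(m[1], 16), int(m[2], 16)
        elif line.startswith("Call Trace:"):
            section = "trace"
        elif line.startswith("Allocated by task"):
            section = "alloc"
        elif line.startswith("Freed by task"):
            section = "free"
        elif (m := FRAME.match(line)) and section:
            if not m[1]:                     # "? func" frames are stack-scan guesses; skip
                r.stacks[section].append(m[2])
        else:
            section = None                   # any other line ends the current stack
    return r

def blame(frames):
    """First frame that is not allocator/KASAN plumbing: the subsystem code involved."""
    return next((f for f in frames if not f.startswith(PLUMBING)), None)

def triage(r):
    """Cross-check the report against itself and return the facts a triager needs."""
    offset = r.addr - r.obj_start
    if offset != r.reported_offset or not (r.obj_start <= r.addr < r.obj_end):
        raise ValueError("addresses in the report disagree with the stated offset")
    return {
        "bug": r.bug,
        "access": f"{r.access} of {r.size} bytes at +{offset} into a {r.cache} object",
        "faulting": blame(r.stacks["trace"]),
        "allocated_in": blame(r.stacks["alloc"]),
        "freed_in": blame(r.stacks["free"]),
        "context": r.task,
    }

if __name__ == "__main__":
    for k, v in triage(parse_kasan(SAMPLE)).items():
        print(f"{k:>13}: {v}")
```

Run against the report above it reduces the log to the facts that matter for the bug: a 2-byte write at offset 22 into a kmalloc-32 object that batadv_iv_ogm_iface_enable allocated and batadv_iv_ogm_iface_disable freed, performed by batadv_iv_ogm_schedule from a bat_events kworker, i.e. deferred OGM work still referencing per-interface state after the hard interface was torn down. The offset check catches copy-paste or truncation damage in a report before anyone spends time on it.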