batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Removing interface: batadv_slave_1
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:352 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:550 [inline]
BUG: KASAN: use-after-free in batadv_iv_ogm_queue_add+0x327/0xec0 net/batman-adv/bat_iv_ogm.c:646
Read of size 60 at addr ffff8880aef47120 by task kworker/u4:3/727

CPU: 0 PID: 727 Comm: kworker/u4:3 Not tainted 5.0.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x86/0xca lib/dump_stack.c:113
 print_address_description.cold.3+0x9/0x244 mm/kasan/report.c:187
 kasan_report.cold.4+0x1b/0x35 mm/kasan/report.c:317
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x13c/0x1b0 mm/kasan/generic.c:191
 memcpy+0x23/0x50 mm/kasan/common.c:130
 memcpy include/linux/string.h:352 [inline]
 batadv_iv_ogm_aggregate_new net/batman-adv/bat_iv_ogm.c:550 [inline]
 batadv_iv_ogm_queue_add+0x327/0xec0 net/batman-adv/bat_iv_ogm.c:646
 batadv_iv_ogm_schedule+0xb47/0xe80 net/batman-adv/bat_iv_ogm.c:819
 batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790 net/batman-adv/bat_iv_ogm.c:1681
 process_one_work+0x7b9/0x15e0 kernel/workqueue.c:2173
 worker_thread+0x85/0xb60 kernel/workqueue.c:2319
 kthread+0x324/0x3e0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 727:
 save_stack mm/kasan/common.c:73 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x66/0x100 mm/kasan/common.c:495
 __kasan_kmalloc.constprop.1+0xb5/0xc0 mm/kasan/common.c:476
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:509
 __kmalloc+0x148/0x320 mm/slub.c:3801
 kmalloc include/linux/slab.h:550 [inline]
 batadv_tvlv_realloc_packet_buff net/batman-adv/tvlv.c:289 [inline]
 batadv_tvlv_container_ogm_append+0x16f/0x4b0 net/batman-adv/tvlv.c:330
 batadv_iv_ogm_schedule+0xc39/0xe80 net/batman-adv/bat_iv_ogm.c:782
 batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790 net/batman-adv/bat_iv_ogm.c:1681
 process_one_work+0x7b9/0x15e0 kernel/workqueue.c:2173
 worker_thread+0x85/0xb60 kernel/workqueue.c:2319
 kthread+0x324/0x3e0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 7:
 save_stack mm/kasan/common.c:73 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x167/0x240 mm/kasan/common.c:457
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:465
 slab_free_hook mm/slub.c:1430 [inline]
 slab_free_freelist_hook mm/slub.c:1457 [inline]
 slab_free mm/slub.c:3005 [inline]
 kfree+0xf2/0x310 mm/slub.c:3957
 batadv_iv_ogm_iface_disable+0x34/0x70 net/batman-adv/bat_iv_ogm.c:232
 batadv_hardif_disable_interface.cold.8+0x607/0xef7 net/batman-adv/hard-interface.c:883
 batadv_softif_destroy_netlink+0x94/0x100 net/batman-adv/soft-interface.c:1158
 default_device_exit_batch+0x239/0x3d0 net/core/dev.c:9756
 ops_exit_list.isra.0+0xd3/0x120 net/core/net_namespace.c:156
 cleanup_net+0x363/0x840 net/core/net_namespace.c:551
 process_one_work+0x7b9/0x15e0 kernel/workqueue.c:2173
 worker_thread+0x85/0xb60 kernel/workqueue.c:2319
 kthread+0x324/0x3e0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880aef47120
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff8880aef47120, ffff8880aef47160)
The buggy address belongs to the page:
page:ffffea0002bbd1c0 count:1 mapcount:0 mapping:ffff88813ff35600 index:0x0
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea000294b100 0000000300000003 ffff88813ff35600
raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page allocated via order 0, migratetype Unmovable, gfp_mask 0x6012c0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:1950 [inline]
 prep_new_page mm/page_alloc.c:1958 [inline]
 get_page_from_freelist.part.22+0x300d/0x45b0 mm/page_alloc.c:3512
 get_page_from_freelist mm/page_alloc.c:3402 [inline]
 __alloc_pages_nodemask+0x2a6/0x2500 mm/page_alloc.c:4547
 alloc_pages_current+0xd6/0x1b0 mm/mempolicy.c:2106
 alloc_pages include/linux/gfp.h:509 [inline]
 alloc_slab_page mm/slub.c:1498 [inline]
 allocate_slab mm/slub.c:1643 [inline]
 new_slab+0x48f/0x750 mm/slub.c:1715
 new_slab_objects mm/slub.c:2469 [inline]
 ___slab_alloc+0x5b7/0x900 mm/slub.c:2621
 __slab_alloc.isra.23+0x4f/0x80 mm/slub.c:2661
 slab_alloc_node mm/slub.c:2724 [inline]
 kmem_cache_alloc_node_trace+0xc8/0x330 mm/slub.c:2808
 kmalloc_node include/linux/slab.h:583 [inline]
 kzalloc_node include/linux/slab.h:751 [inline]
 __get_vm_area_node+0x99/0x2e0 mm/vmalloc.c:1389
 __vmalloc_node_range+0xb5/0x680 mm/vmalloc.c:1745
 __vmalloc_node mm/vmalloc.c:1795 [inline]
 __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
 vzalloc+0x6a/0x80 mm/vmalloc.c:1848
 xt_counters_alloc+0x20/0x30 net/netfilter/x_tables.c:1353
 __do_replace+0x9a/0x9b0 net/ipv6/netfilter/ip6_tables.c:1069
 do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
 do_ip6t_set_ctl+0x27e/0x3eb net/ipv6/netfilter/ip6_tables.c:1684
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x5c/0xb0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0x95/0xf0 net/ipv6/ipv6_sockglue.c:951
 tcp_setsockopt net/ipv4/tcp.c:3108 [inline]
 tcp_setsockopt+0x6a/0xd0 net/ipv4/tcp.c:3102

Memory state around the buggy address:
 ffff8880aef47000: 00 00 00 00 00 fc fc fc fc fc fc fc 00 00 00 00
 ffff8880aef47080: 00 fc fc fc fc fc fc fc 00 00 00 00 00 fc fc fc
>ffff8880aef47100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
                               ^
 ffff8880aef47180: 00 00 00 00 00 fc fc fc fc fc fc fc fb fb fb fb
 ffff8880aef47200: fb fb fb fb fc fc fc fc 00 00 00 00 00 fc fc fc
==================================================================
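Reading the report: the 64-byte OGM buffer was kmalloc'ed by the bat_events worker (task 727) in batadv_tvlv_realloc_packet_buff, then kfree'd by task 7 from batadv_iv_ogm_iface_disable during network-namespace teardown (cleanup_net), and afterwards the same worker's batadv_iv_ogm_schedule path memcpy'ed 60 bytes out of it in batadv_iv_ogm_aggregate_new. The memory-state block confirms this: the 8 shadow bytes marked fb (freed kmalloc object) under the caret cover exactly the region [ffff8880aef47120, ffff8880aef47160), and the fc bytes on either side are the kmalloc redzones. The "page allocated via" trace is the slab page's allocation history (an ip6tables setsockopt) and is unrelated to the bug.

The following is an added example, not part of the syzbot report or of the kernel: a small decoder that parses the "Read/Write of size N at addr X" line and the memory-state block of a generic-KASAN report, maps each 8-byte granule of the access onto its shadow byte, and names the bug the way KASAN does from the first bad granule. The shadow encodings are the generic-KASAN values from mm/kasan/kasan.h (one shadow byte per 8-byte granule; 0x00 fully accessible, 0x01..0x07 partially accessible, fb freed object, fc kmalloc redzone, and so on); the parsing and the helper names are my own. The embedded REPORT text is the access line and memory-state block copied from the report above.

```python
import re

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory

# Generic KASAN shadow encodings (mm/kasan/kasan.h, v5.0 era).
# 0x00 = all 8 bytes accessible, 0x01..0x07 = only the first N bytes accessible.
SHADOW_MEANING = {
    0xFF: "free page",
    0xFE: "page redzone",
    0xFC: "kmalloc redzone",
    0xFB: "freed kmalloc object",
    0xFA: "global redzone",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "use-after-scope",
    0xCA: "alloca left redzone",
    0xCB: "alloca right redzone",
}


def bug_type(value):
    """Name the bug from the shadow byte at the first bad granule, as
    mm/kasan/report.c (get_shadow_bug_type) does."""
    if value <= 7 or value in (0xFC, 0xFE):
        return "slab-out-of-bounds"
    if value in (0xFB, 0xFF):
        return "use-after-free"
    if value == 0xFA:
        return "global-out-of-bounds"
    if value in (0xF1, 0xF2, 0xF3, 0xF4):
        return "stack-out-of-bounds"
    if value == 0xF8:
        return "use-after-scope"
    if value in (0xCA, 0xCB):
        return "alloca-out-of-bounds"
    return "unknown-crash"


def shadow_meaning(value):
    if value == 0:
        return "accessible"
    if 1 <= value <= 7:
        return f"first {value} bytes accessible"
    return SHADOW_MEANING.get(value, f"unknown 0x{value:02x}")


ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
# One row of the memory-state block: optional '>' marker, 16-digit address,
# then 16 shadow bytes. The caret line and the '====' separator do not match.
ROW_RE = re.compile(r"^[> ]?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")


def parse_memory_state(text):
    """Map each 8-byte granule address in the memory-state block to its shadow byte."""
    shadow = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Memory state around the buggy address"):
            in_block = True
            continue
        if not in_block:
            continue
        m = ROW_RE.match(line.rstrip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(tok, 16)
    return shadow


def classify_access(shadow, addr, size):
    """Return (verdict, granules) for an access of `size` bytes at `addr`.
    granules is a list of (granule_addr, shadow_value_or_None, meaning)."""
    granules = []
    first_bad = None
    g = addr & ~(GRANULE - 1)
    while g < addr + size:
        value = shadow.get(g)
        if value is None:
            granules.append((g, None, "not in report"))
        else:
            granules.append((g, value, shadow_meaning(value)))
            # The access touches bytes [.., hi) of this granule; a partially
            # accessible granule (1..7) is fine only if hi stays inside that prefix.
            hi = min(addr + size, g + GRANULE) - g
            ok = value == 0 or (value <= 7 and hi <= value)
            if not ok and first_bad is None:
                first_bad = value
        g += GRANULE
    verdict = "in-bounds" if first_bad is None else bug_type(first_bad)
    return verdict, granules


def analyze_report(text):
    m = ACCESS_RE.search(text)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr X' line in report")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    verdict, granules = classify_access(parse_memory_state(text), addr, size)
    return {"kind": kind, "size": size, "addr": addr, "verdict": verdict, "granules": granules}


# Access line and memory-state block copied from the KASAN report above.
REPORT = """\
Read of size 60 at addr ffff8880aef47120 by task kworker/u4:3/727
Memory state around the buggy address:
 ffff8880aef47000: 00 00 00 00 00 fc fc fc fc fc fc fc 00 00 00 00
 ffff8880aef47080: 00 fc fc fc fc fc fc fc 00 00 00 00 00 fc fc fc
>ffff8880aef47100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
                               ^
 ffff8880aef47180: 00 00 00 00 00 fc fc fc fc fc fc fc fb fb fb fb
 ffff8880aef47200: fb fb fb fb fc fc fc fc 00 00 00 00 00 fc fc fc
==================================================================
"""

if __name__ == "__main__":
    result = analyze_report(REPORT)
    print(f"{result['kind']} of {result['size']} at {result['addr']:#x}: {result['verdict']}")
    for g, v, meaning in result["granules"]:
        shown = "--" if v is None else f"{v:02x}"
        print(f"  {g:#x}: {shown}  {meaning}")
```

Run as a script it walks the 8 granules of the 60-byte read and reports them all as freed kmalloc object, i.e. use-after-free, matching the BUG line. classify_access can also be pointed at other addresses in the same block: 4 bytes at ffff8880aef47160 land on the fc redzone right after the freed object and would be reported as slab-out-of-bounds, while 40 bytes at ffff8880aef47180 stay inside an accessible object.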