IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
==================================================================
BUG: KASAN: use-after-free in batadv_interface_tx+0x16b7/0x1950
Read of size 2 at addr ffff8881d71f6d4b by task syz-executor.0/4245

CPU: 0 PID: 4245 Comm: syz-executor.0 Not tainted 4.20.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 dump_stack+0x1c2/0x2af
 print_address_description.cold+0x4b/0x2a1
 kasan_report.part.0.cold+0x192/0x282
 __asan_report_load_n_noabort+0x3b/0x40
 batadv_interface_tx+0x16b7/0x1950
 dev_direct_xmit+0x48b/0x8c0
 packet_direct_xmit+0xfe/0x170
 packet_sendmsg+0x293c/0x7150
 sock_sendmsg+0xd5/0x120
 __sys_sendto+0x3a8/0x5e0
 __x64_sys_sendto+0xe0/0x1a0
 do_syscall_64+0x183/0x270
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f448452ff69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f44838b00c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f448465df80 RCX: 00007f448452ff69
RDX: 000000000000000e RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00007f448457c4a4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f448465df80 R15: 00007ffd5961da38

Allocated by task 3714:
 save_stack+0x43/0xc0
 kasan_kmalloc+0xce/0xf0
 __kmalloc+0x153/0x2c0
 kmalloc_array+0x47/0x70
 bpf_convert_filter+0xff/0x57b0
 bpf_prepare_filter+0xded/0x13a0
 bpf_prog_create_from_user+0x1e6/0x2d0
 do_seccomp+0x420/0x2810
 prctl_set_seccomp+0x4c/0x70
 __do_sys_prctl+0x782/0xf80
 __x64_sys_prctl+0xbd/0x140
 do_syscall_64+0x183/0x270
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3714:
 save_stack+0x43/0xc0
 __kasan_slab_free+0xfe/0x140
 kasan_slab_free+0xe/0x10
 kfree+0xcd/0x220
 bpf_convert_filter+0x302a/0x57b0
 bpf_prepare_filter+0xded/0x13a0
 bpf_prog_create_from_user+0x1e6/0x2d0
 do_seccomp+0x420/0x2810
 prctl_set_seccomp+0x4c/0x70
 __do_sys_prctl+0x782/0xf80
 __x64_sys_prctl+0xbd/0x140
 do_syscall_64+0x183/0x270
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881d71f6d40
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 11 bytes inside of
 512-byte region [ffff8881d71f6d40, ffff8881d71f6f40)
The buggy address belongs to the page:
page:ffffea00075c7d80 count:1 mapcount:0 mapping:ffff8881f6000940 index:0xffff8881d71f6340
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 ffffea00075c8388 ffffea00075c8488 ffff8881f6000940
raw: ffff8881d71f6340 ffff8881d71f60c0 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d71f6c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d71f6c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8881d71f6d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff8881d71f6d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d71f6e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
