[   26.383005] ==================================================================
[   26.383611] BUG: KASAN: use-after-free in ieee80211_update_bss_from_elems (net/mac80211/scan.c:104) 
[   26.384260] Read of size 1 at addr ffff88800befa00a by task ksoftirqd/1/20
[   26.384847]
[   26.385622] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[   26.386546] Call Trace:
[   26.386762]  <TASK>
[   26.386948] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4)) 
[   26.387292] print_report.cold (mm/kasan/report.c:318 mm/kasan/report.c:433) 
[   26.387727] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497) 
[   26.388115] ? ieee80211_update_bss_from_elems (net/mac80211/scan.c:104) 
[   26.388694] ? ieee80211_update_bss_from_elems (net/mac80211/scan.c:104) 
[   26.389270] kasan_check_range (mm/kasan/generic.c:190) 
[   26.389707] memcpy (mm/kasan/shadow.c:65) 
[   26.390033] ieee80211_update_bss_from_elems (net/mac80211/scan.c:104) 
[   26.390593] ? ieee80211_bss_info_update (net/mac80211/scan.c:225 (discriminator 2)) 
[   26.391118] ieee80211_bss_info_update (net/mac80211/scan.c:235) 
[   26.391626] ? ieee80211_rx_bss_put (net/mac80211/scan.c:148) 
[   26.392104] ? reacquire_held_locks (kernel/locking/lockdep.c:5674) 
[   26.392604] ? lock_is_held_type (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5710) 
[   26.393145] ieee80211_scan_rx (net/mac80211/scan.c:328) 
[   26.393667] ieee80211_rx_list (net/mac80211/rx.c:4940 net/mac80211/rx.c:5131) 
[   26.394290] ? ieee80211_rx_for_interface (net/mac80211/rx.c:5022) 
[   26.394863] ? lock_acquire (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5668 kernel/locking/lockdep.c:5631) 
[   26.395339] ? lock_acquire (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5668 kernel/locking/lockdep.c:5631) 
[   26.395813] ? lock_downgrade (kernel/locking/lockdep.c:5634) 
[   26.396306] ? lock_release (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5688) 
[   26.396778] ? skb_dequeue (net/core/skbuff.c:3299) 
[   26.397239] ? reacquire_held_locks (kernel/locking/lockdep.c:5674) 
[   26.397791] ieee80211_rx_napi (./include/linux/rcupdate.h:735 net/mac80211/rx.c:5155) 
[   26.398281] ? ieee80211_rx_list (net/mac80211/rx.c:5143) 
[   26.398824] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4383) 
[   26.399356] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:103 ./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) 
[   26.399960] ieee80211_tasklet_handler (./include/net/mac80211.h:4779 net/mac80211/main.c:315) 
[   26.400535] tasklet_action_common.constprop.0 (./include/linux/instrumented.h:86 ./include/asm-generic/bitops/instrumented-atomic.h:41 kernel/softirq.c:893 kernel/softirq.c:801) 
[   26.401218] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) 
[   26.401648] ? smpboot_thread_fn (kernel/smpboot.c:112) 
[   26.402007] ? __entry_text_end (kernel/softirq.c:529) 
[   26.402401] ? run_ksoftirqd (kernel/softirq.c:420 kernel/softirq.c:928) 
[   26.402717] ? lockdep_hardirqs_off (./arch/x86/include/asm/current.h:15 kernel/locking/lockdep.c:4415) 
[   26.403084] ? smpboot_thread_fn (kernel/smpboot.c:112) 
[   26.403432] run_ksoftirqd (kernel/softirq.c:425 kernel/softirq.c:935 kernel/softirq.c:926) 
[   26.403734] smpboot_thread_fn (kernel/smpboot.c:164 (discriminator 3)) 
[   26.404115] ? sort_range (kernel/smpboot.c:109) 
[   26.404553] kthread (kernel/kthread.c:376) 
[   26.404844] ? kthread_complete_and_exit (kernel/kthread.c:335) 
[   26.405243] ret_from_fork (arch/x86/entry/entry_64.S:312) 
[   26.405547]  </TASK>
[   26.405738]
[   26.405875] Allocated by task 20:
[   26.406155] kasan_save_stack (mm/kasan/common.c:39) 
[   26.406478] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525) 
[   26.406793] ieee802_11_parse_elems_full (net/mac80211/util.c:1510) 
[   26.407212] ieee802_11_parse_elems_crc.constprop.0 (net/mac80211/ieee80211_i.h:2210) 
[   26.407687] ieee80211_bss_info_update (net/mac80211/ieee80211_i.h:2231 net/mac80211/scan.c:228) 
[   26.408085] ieee80211_scan_rx (net/mac80211/scan.c:328) 
[   26.408426] ieee80211_rx_list (net/mac80211/rx.c:4940 net/mac80211/rx.c:5131) 
[   26.408800] ieee80211_rx_napi (./include/linux/rcupdate.h:735 net/mac80211/rx.c:5155) 
[   26.409136] ieee80211_tasklet_handler (./include/net/mac80211.h:4779 net/mac80211/main.c:315) 
[   26.409529] tasklet_action_common.constprop.0 (./include/linux/instrumented.h:86 ./include/asm-generic/bitops/instrumented-atomic.h:41 kernel/softirq.c:893 kernel/softirq.c:801) 
[   26.409983] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) 
[   26.410291]
[   26.410427] Freed by task 20:
[   26.410682] kasan_save_stack (mm/kasan/common.c:39) 
[   26.411004] kasan_set_track (mm/kasan/common.c:45) 
[   26.411320] kasan_set_free_info (mm/kasan/generic.c:372) 
[   26.411662] __kasan_slab_free (mm/kasan/common.c:369 mm/kasan/common.c:329 mm/kasan/common.c:375) 
[   26.412008] kfree (mm/slub.c:1785 mm/slub.c:3539 mm/slub.c:4567) 
[   26.412262] ieee802_11_parse_elems_full (net/mac80211/util.c:1499) 
[   26.412681] ieee802_11_parse_elems_crc.constprop.0 (net/mac80211/ieee80211_i.h:2210) 
[   26.413156] ieee80211_bss_info_update (net/mac80211/ieee80211_i.h:2231 net/mac80211/scan.c:228) 
[   26.413554] ieee80211_scan_rx (net/mac80211/scan.c:328) 
[   26.413899] ieee80211_rx_list (net/mac80211/rx.c:4940 net/mac80211/rx.c:5131) 
[   26.414259] ieee80211_rx_napi (./include/linux/rcupdate.h:735 net/mac80211/rx.c:5155) 
[   26.414596] ieee80211_tasklet_handler (./include/net/mac80211.h:4779 net/mac80211/main.c:315) 
[   26.414994] tasklet_action_common.constprop.0 (./include/linux/instrumented.h:86 ./include/asm-generic/bitops/instrumented-atomic.h:41 kernel/softirq.c:893 kernel/softirq.c:801) 
[   26.415449] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) 
[   26.415761]
[   26.415898] The buggy address belongs to the object at ffff88800befa000
[   26.415898]  which belongs to the cache kmalloc-512 of size 512
[   26.416979] The buggy address is located 10 bytes inside of
[   26.416979]  512-byte region [ffff88800befa000, ffff88800befa200)
[   26.417968]
[   26.418106] The buggy address belongs to the physical page:
[   26.418571] page:ffffea00002fbe00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbef8
[   26.419374] head:ffffea00002fbe00 order:3 compound_mapcount:0 compound_pincount:0
[   26.420155] flags: 0x100000000010200(slab|head|node=0|zone=1)
[   26.420764] raw: 0100000000010200 ffffea00002f6808 ffff888007040d28 ffff888007042f40
[   26.421567] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[   26.422377] page dumped because: kasan: bad access detected
[   26.422960]
[   26.423135] Memory state around the buggy address:
[   26.423641]  ffff88800bef9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.424393]  ffff88800bef9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.425261] >ffff88800befa000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.425986]                       ^
[   26.426291]  ffff88800befa080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.426957]  ffff88800befa100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.427786] ==================================================================
[   26.428698] Disabling lock debugging due to kernel taint
[   26.429334] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium