[ 72.817828] ==================================================================rame_data+0xb20-use-after-free-read-8-0001-wifi.pcap
[ 72.818808] BUG: KASAN: use-after-free in cfg80211_inform_bss_frame_data (net/wireless/scan.c:2536)
[ 72.819747] Read of size 8 at addr ffff888008d04478 by task ksoftirqd/1/20
[ 72.820572]
[ 72.821728] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 72.823094] Call Trace:
[ 72.823403]
[ 72.823646] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
[ 72.824047] print_report.cold (mm/kasan/report.c:318 mm/kasan/report.c:433)
[ 72.824484] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
[ 72.824869] ? cfg80211_inform_bss_frame_data (net/wireless/scan.c:2536)
[ 72.825450] ? cfg80211_inform_bss_frame_data (net/wireless/scan.c:2536)
[ 72.826029] cfg80211_inform_bss_frame_data (net/wireless/scan.c:2536)
[ 72.826659] ? find_held_lock (kernel/locking/lockdep.c:5156)
[ 72.827231] ? lock_release (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5688)
[ 72.827780] ? ieee80211_bss_info_update (./include/linux/rcupdate.h:738 net/mac80211/scan.c:188)
[ 72.828414] ? cfg80211_inform_single_bss_frame_data (net/wireless/scan.c:2509)
[ 72.829064] ? mark_lock (./arch/x86/include/asm/bitops.h:228 ./arch/x86/include/asm/bitops.h:240 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/locking/lockdep.c:227 kernel/locking/lockdep.c:4610)
[ 72.829508] ? lock_is_held_type (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5710)
[ 72.829972] ieee80211_bss_info_update (net/mac80211/scan.c:190)
[ 72.830493] ? ieee80211_rx_bss_put (net/mac80211/scan.c:148)
[ 72.830972] ? reacquire_held_locks (kernel/locking/lockdep.c:5674)
[ 72.831469] ? lock_is_held_type (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5710)
[ 72.831939] ieee80211_scan_rx (net/mac80211/scan.c:328)
[ 72.832450] ieee80211_rx_list (net/mac80211/rx.c:4940 net/mac80211/rx.c:5131)
[ 72.832986] ? ieee80211_rx_for_interface (net/mac80211/rx.c:5022)
[ 72.833607] ? lock_acquire (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5668 kernel/locking/lockdep.c:5631)
[ 72.834082] ? lock_acquire (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5668 kernel/locking/lockdep.c:5631)
[ 72.834557] ? lock_downgrade (kernel/locking/lockdep.c:5634)
[ 72.835054] ? lock_release (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5688)
[ 72.835532] ? skb_dequeue (net/core/skbuff.c:3299)
[ 72.836013] ? reacquire_held_locks (kernel/locking/lockdep.c:5674)
[ 72.836580] ieee80211_rx_napi (./include/linux/rcupdate.h:735 net/mac80211/rx.c:5155)
[ 72.837073] ? ieee80211_rx_list (net/mac80211/rx.c:5143)
[ 72.837620] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4383)
[ 72.838157] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:103 ./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
[ 72.838763] ieee80211_tasklet_handler (./include/net/mac80211.h:4779 net/mac80211/main.c:315)
[ 72.839340] tasklet_action_common.constprop.0 (./include/linux/instrumented.h:86 ./include/asm-generic/bitops/instrumented-atomic.h:41 kernel/softirq.c:893 kernel/softirq.c:801)
[ 72.840010] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
[ 72.840440] ? smpboot_thread_fn (kernel/smpboot.c:112)
[ 72.840880] ? __entry_text_end (kernel/softirq.c:529)
[ 72.841383] ? run_ksoftirqd (kernel/softirq.c:420 kernel/softirq.c:928)
[ 72.841783] ? lockdep_hardirqs_off (./arch/x86/include/asm/current.h:15 kernel/locking/lockdep.c:4415)
[ 72.842268] ? smpboot_thread_fn (kernel/smpboot.c:112)
[ 72.842725] run_ksoftirqd (kernel/softirq.c:425 kernel/softirq.c:935 kernel/softirq.c:926)
[ 72.843125] smpboot_thread_fn (kernel/smpboot.c:164 (discriminator 3))
[ 72.843570] ? sort_range (kernel/smpboot.c:109)
[ 72.843960] kthread (kernel/kthread.c:376)
[ 72.844324] ? kthread_complete_and_exit (kernel/kthread.c:335)
[ 72.844833] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 72.845189]
[ 72.845439]
[ 72.845618] Allocated by task 20:
[ 72.845980] kasan_save_stack (mm/kasan/common.c:39)
[ 72.846339] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
[ 72.846698] cfg80211_bss_update (./include/linux/slab.h:605 ./include/linux/slab.h:733 net/wireless/scan.c:1738)
[ 72.847147] cfg80211_inform_single_bss_frame_data (net/wireless/scan.c:2484 (discriminator 10))
[ 72.847793] cfg80211_inform_bss_frame_data (net/wireless/scan.c:2517)
[ 72.848331] ieee80211_bss_info_update (net/mac80211/scan.c:190)
[ 72.848847] ieee80211_scan_rx (net/mac80211/scan.c:328)
[ 72.849273] ieee80211_rx_list (net/mac80211/rx.c:4940 net/mac80211/rx.c:5131)
[ 72.849701] ieee80211_rx_napi (./include/linux/rcupdate.h:735 net/mac80211/rx.c:5155)
[ 72.850115] ieee80211_tasklet_handler (./include/net/mac80211.h:4779 net/mac80211/main.c:315)
[ 72.850622] tasklet_action_common.constprop.0 (./include/linux/instrumented.h:86 ./include/asm-generic/bitops/instrumented-atomic.h:41 kernel/softirq.c:893 kernel/softirq.c:801)
[ 72.851202] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
[ 72.851600]
[ 72.851752] Freed by task 20:
[ 72.852069] kasan_save_stack (mm/kasan/common.c:39)
[ 72.852462] kasan_set_track (mm/kasan/common.c:45)
[ 72.852837] kasan_set_free_info (mm/kasan/generic.c:372)
[ 72.853269] __kasan_slab_free (mm/kasan/common.c:369 mm/kasan/common.c:329 mm/kasan/common.c:375)
[ 72.853712] kfree (mm/slub.c:1785 mm/slub.c:3539 mm/slub.c:4567)
[ 72.854057] cfg80211_put_bss (net/wireless/scan.c:183 net/wireless/scan.c:2582)
[ 72.854452] cfg80211_parse_mbssid_data (net/wireless/scan.c:2157)
[ 72.854960] cfg80211_inform_bss_frame_data (net/wireless/core.h:119 net/wireless/scan.c:2531)
[ 72.855481] ieee80211_bss_info_update (net/mac80211/scan.c:190)
[ 72.856012] ieee80211_scan_rx (net/mac80211/scan.c:328)
[ 72.856467] ieee80211_rx_list (net/mac80211/rx.c:4940 net/mac80211/rx.c:5131)
[ 72.856870] ieee80211_rx_napi (./include/linux/rcupdate.h:735 net/mac80211/rx.c:5155)
[ 72.857306] ieee80211_tasklet_handler (./include/net/mac80211.h:4779 net/mac80211/main.c:315)
[ 72.857820] tasklet_action_common.constprop.0 (./include/linux/instrumented.h:86 ./include/asm-generic/bitops/instrumented-atomic.h:41 kernel/softirq.c:893 kernel/softirq.c:801)
[ 72.858411] __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)
[ 72.858813]
[ 72.858991] The buggy address belongs to the object at ffff888008d04400
[ 72.858991] which belongs to the cache kmalloc-512 of size 512
[ 72.860361] The buggy address is located 120 bytes inside of
[ 72.860361] 512-byte region [ffff888008d04400, ffff888008d04600)
[ 72.861606]
[ 72.861782] The buggy address belongs to the physical page:
[ 72.862385] page:ffffea0000234000 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888008d07a00 pfn:0x8d00
[ 72.863460] head:ffffea0000234000 order:3 compound_mapcount:0 compound_pincount:0
[ 72.864231] flags: 0x100000000010200(slab|head|node=0|zone=1)
[ 72.864828] raw: 0100000000010200 ffff888007040d08 ffff888007040d08 ffff888007042f40
[ 72.865612] raw: ffff888008d07a00 0000000000150014 00000001ffffffff 0000000000000000
[ 72.866582] page dumped because: kasan: bad access detected
[ 72.867196]
[ 72.867418] Memory state around the buggy address:
[ 72.867984] ffff888008d04300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 72.868679] ffff888008d04380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 72.869352] >ffff888008d04400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.870082] ^
[ 72.870765] ffff888008d04480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.871491] ffff888008d04500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.872277] ==================================================================