usb 2-1: Direct firmware load for ath9k_htc/htc_9271-1.4.0.fw failed with error -2
usb 2-1: Falling back to sysfs fallback for: ath9k_htc/htc_9271-1.4.0.fw
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x88/0xf4 lib/list_debug.c:23
Read of size 8 at addr ffff00000d1bd0c8 by task kworker/1:14/25119

CPU: 1 PID: 25119 Comm: kworker/1:14 Not tainted 5.12.0-rc2-syzkaller-00059-g144c79ef3353 #0
Hardware name: linux,dummy-virt (DT)
Workqueue: events request_firmware_work_func
Call trace:
 dump_backtrace+0x0/0x3e0 arch/arm64/include/asm/pointer_auth.h:76
 show_stack+0x18/0x70 arch/arm64/kernel/stacktrace.c:191
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x120/0x1a8 lib/dump_stack.c:120
 print_address_description.constprop.0+0x2c/0x300 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report+0x1ec/0x200 mm/kasan/report.c:416
 __asan_report_load8_noabort+0x34/0x60 mm/kasan/report_generic.c:309
 __list_add_valid+0x88/0xf4 lib/list_debug.c:23
 __list_add include/linux/list.h:67 [inline]
 list_add include/linux/list.h:86 [inline]
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:516 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:581 [inline]
 firmware_fallback_sysfs+0x350/0xaa0 drivers/base/firmware_loader/fallback.c:657
 _request_firmware+0xa1c/0x1130 drivers/base/firmware_loader/main.c:831
 request_firmware_work_func+0xe4/0x224 drivers/base/firmware_loader/main.c:1077
 process_one_work+0x798/0x1764 kernel/workqueue.c:2275
 worker_thread+0x3d4/0xcd0 kernel/workqueue.c:2421
 kthread+0x320/0x3bc kernel/kthread.c:292
 ret_from_fork+0x10/0x3c arch/arm64/kernel/entry.S:958

Allocated by task 381:
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:121
 kasan_save_stack+0x28/0x60 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 ____kasan_kmalloc mm/kasan/common.c:506 [inline]
 __kasan_kmalloc+0x88/0xb0 mm/kasan/common.c:515
 kasan_kmalloc include/linux/kasan.h:233 [inline]
 kmem_cache_alloc_trace+0x250/0x464 mm/slub.c:2934
 kmalloc include/linux/slab.h:554 [inline]
 kzalloc include/linux/slab.h:684 [inline]
 omfs_fill_super+0xac/0x14fc fs/omfs/inode.c:464
 mount_bdev+0x298/0x364 fs/super.c:1367
 omfs_mount+0x18/0x24 fs/omfs/inode.c:603
 legacy_get_tree+0xd0/0x190 fs/fs_context.c:592
 vfs_get_tree+0x74/0x2a0 fs/super.c:1497
 do_new_mount fs/namespace.c:2903 [inline]
 path_mount+0xe84/0x1da0 fs/namespace.c:3233
 do_mount fs/namespace.c:3246 [inline]
 __do_sys_mount fs/namespace.c:3454 [inline]
 __se_sys_mount fs/namespace.c:3431 [inline]
 __arm64_sys_mount+0x2ec/0x520 fs/namespace.c:3431
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
 el0_svc_common.constprop.0+0xf0/0x2c0 arch/arm64/kernel/syscall.c:129
 do_el0_svc_compat+0x40/0x70 arch/arm64/kernel/syscall.c:174
 el0_svc_compat+0x24/0x3c arch/arm64/kernel/entry-common.c:494
 el0_sync_compat_handler+0x90/0x140 arch/arm64/kernel/entry-common.c:503
 el0_sync_compat+0x174/0x180 arch/arm64/kernel/entry.S:708

Last potentially related work creation:
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:121
 kasan_save_stack+0x28/0x60 mm/kasan/common.c:38
 kasan_record_aux_stack+0xf8/0x130 mm/kasan/generic.c:345
 insert_work+0x50/0x2a0 kernel/workqueue.c:1331
 __queue_work+0x4d0/0x11a0 kernel/workqueue.c:1497
 queue_work_on+0xc4/0x110 kernel/workqueue.c:1524
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x268/0x430 kernel/umh.c:433
 kobject_uevent_env+0xaf8/0x10d0 lib/kobject_uevent.c:617
 kobject_uevent+0x14/0x20 lib/kobject_uevent.c:641
 __loop_clr_fd+0x454/0xbb0 drivers/block/loop.c:1248
 loop_clr_fd drivers/block/loop.c:1336 [inline]
 lo_ioctl+0x574/0x1300 drivers/block/loop.c:1694
 lo_compat_ioctl+0x8c/0x230 drivers/block/loop.c:1869
 compat_blkdev_ioctl+0x7ac/0x9e0 block/ioctl.c:651
 __do_compat_sys_ioctl fs/ioctl.c:842 [inline]
 __se_compat_sys_ioctl fs/ioctl.c:793 [inline]
 __arm64_compat_sys_ioctl+0x178/0x1c0 fs/ioctl.c:793
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
 el0_svc_common.constprop.0+0xf0/0x2c0 arch/arm64/kernel/syscall.c:129
 do_el0_svc_compat+0x40/0x70 arch/arm64/kernel/syscall.c:174
 el0_svc_compat+0x24/0x3c arch/arm64/kernel/entry-common.c:494
 el0_sync_compat_handler+0x90/0x140 arch/arm64/kernel/entry-common.c:503
 el0_sync_compat+0x174/0x180 arch/arm64/kernel/entry.S:708

Second to last potentially related work creation:
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:121
 kasan_save_stack+0x28/0x60 mm/kasan/common.c:38
 kasan_record_aux_stack+0xf8/0x130 mm/kasan/generic.c:345
 insert_work+0x50/0x2a0 kernel/workqueue.c:1331
 __queue_work+0x4d0/0x11a0 kernel/workqueue.c:1497
 queue_work_on+0xc4/0x110 kernel/workqueue.c:1524
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x268/0x430 kernel/umh.c:433
 kobject_uevent_env+0xaf8/0x10d0 lib/kobject_uevent.c:617
 kobject_uevent+0x14/0x20 lib/kobject_uevent.c:641
 loop_configure+0xb74/0xed0 drivers/block/loop.c:255
 lo_ioctl+0x7e4/0x1300 drivers/block/loop.c:1681
 lo_compat_ioctl+0x8c/0x230 drivers/block/loop.c:1869
 compat_blkdev_ioctl+0x7ac/0x9e0 block/ioctl.c:651
 __do_compat_sys_ioctl fs/ioctl.c:842 [inline]
 __se_compat_sys_ioctl fs/ioctl.c:793 [inline]
 __arm64_compat_sys_ioctl+0x178/0x1c0 fs/ioctl.c:793
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
 el0_svc_common.constprop.0+0xf0/0x2c0 arch/arm64/kernel/syscall.c:129
 do_el0_svc_compat+0x40/0x70 arch/arm64/kernel/syscall.c:174
 el0_svc_compat+0x24/0x3c arch/arm64/kernel/entry-common.c:494
 el0_sync_compat_handler+0x90/0x140 arch/arm64/kernel/entry-common.c:503
 el0_sync_compat+0x174/0x180 arch/arm64/kernel/entry.S:708

The buggy address belongs to the object at ffff00000d1bd000
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 200 bytes inside of
 256-byte region [ffff00000d1bd000, ffff00000d1bd100)
The buggy address belongs to the page:
page:000000006453c522 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00000d1bd000 pfn:0x4d1bc
head:000000006453c522 order:1 compound_mapcount:0
flags: 0x1ffc00000010200(slab|head)
raw: 01ffc00000010200 fffffc0000583c08 fffffc0000593308 ffff00000c802480
raw: ffff00000d1bd000 000000000010000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff00000d1bcf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff00000d1bd000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff00000d1bd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff00000d1bd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff00000d1bd180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================