Warning: Permanently added '10.128.0.86' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[   74.213910][ T8488] netlink: 'syz-executor629': attribute type 61 has an invalid length.
[   74.228128][ T8490] netlink: 'syz-executor629': attribute type 61 has an invalid length.
[   74.233905][ T8493] netlink: 'syz-executor629': attribute type 61 has an invalid length.
[   74.242445][ T8492] netlink: 'syz-executor629': attribute type 61 has an invalid length.
[   74.254396][ T8494] netlink: 'syz-executor629': attribute type 61 has an invalid length.
[   74.259236][ T8495] netlink: 'syz-executor629': attribute type 61 has an invalid length.
[   74.263138][ T8488] netlink: 'syz-executor629': attribute type 3 has an invalid length.
[   74.285475][ T8490] netlink: 'syz-executor629': attribute type 3 has an invalid length.
[   74.295673][ T8494] netlink: 'syz-executor629': attribute type 3 has an invalid length.
[   74.305750][ T8493] netlink: 'syz-executor629': attribute type 3 has an invalid length.
[   74.307510][ T8492] netlink: 194488 bytes leftover after parsing attributes in process `syz-executor629'.
[   74.327373][ T8490] netlink: 194488 bytes leftover after parsing attributes in process `syz-executor629'.
[   74.333334][ T8493] netlink: 194488 bytes leftover after parsing attributes in process `syz-executor629'.
[   74.339703][ T8494] netlink: 194488 bytes leftover after parsing attributes in process `syz-executor629'.
[   74.358533][ T8495] netlink: 194488 bytes leftover after parsing attributes in process `syz-executor629'.
[   74.371117][ T8488] netlink: 194488 bytes leftover after parsing attributes in process `syz-executor629'.
[   74.405804][ T8493] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   74.421657][ T8493] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
executing program
executing program
executing program
executing program
executing program
executing program
[   74.510955][ T8510] netlink: 194488 bytes leftover after parsing attributes in process `syz-executor629'.
[   74.511123][ T8507] netlink: 194488 bytes leftover after parsing attributes in process `syz-executor629'.
[   74.525036][ T8511] netlink: 194488 bytes leftover after parsing attributes in process `syz-executor629'.
[   74.533883][ T8513] netlink: 194488 bytes leftover after parsing attributes in process `syz-executor629'.
[   74.544226][ T8510] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   74.569545][ T8510] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[   74.580497][ T8510] ==================================================================
[   74.589059][ T8510] BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
[   74.596909][ T8510] Read of size 8 at addr ffff88814640d4c8 by task syz-executor629/8510
[   74.605214][ T8510]
[   74.607567][ T8510] CPU: 1 PID: 8510 Comm: syz-executor629 Not tainted 5.13.0-rc3-syzkaller #0
[   74.616446][ T8510] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   74.628937][ T8510] Call Trace:
[   74.632686][ T8510]  dump_stack+0x141/0x1d7
[   74.637575][ T8510]  ? __list_add_valid+0x81/0xa0
[   74.642770][ T8510]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   74.649859][ T8510]  ? __list_add_valid+0x81/0xa0
[   74.654963][ T8510]  ? __list_add_valid+0x81/0xa0
[   74.659861][ T8510]  kasan_report.cold+0x7c/0xd8
[   74.665192][ T8510]  ? __list_add_valid+0x81/0xa0
[   74.670391][ T8510]  __list_add_valid+0x81/0xa0
[   74.675102][ T8510]  firmware_fallback_sysfs+0x455/0xe20
[   74.680931][ T8510]  _request_firmware+0xa80/0xe80
[   74.687103][ T8510]  request_firmware+0x32/0x50
[   74.692357][ T8510]  reg_reload_regdb+0x7a/0x240
[   74.697390][ T8510]  ? is_world_regdom+0xe0/0xe0
[   74.703333][ T8510]  ? nl80211_set_qos_map+0x800/0x800
[   74.708696][ T8510]  ? nl80211_pre_doit+0xa6/0x620
[   74.713826][ T8510]  genl_family_rcv_msg_doit+0x228/0x320
[   74.719573][ T8510]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
[   74.727291][ T8510]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   74.734471][ T8510]  ? ns_capable+0xde/0x100
[   74.738939][ T8510]  genl_rcv_msg+0x328/0x580
[   74.743622][ T8510]  ? genl_get_cmd+0x480/0x480
[   74.748327][ T8510]  ? nl80211_stop_sched_scan+0x3a0/0x3a0
[   74.753995][ T8510]  ? lock_release+0x720/0x720
[   74.758688][ T8510]  netlink_rcv_skb+0x153/0x420
[   74.763487][ T8510]  ? genl_get_cmd+0x480/0x480
[   74.768216][ T8510]  ? netlink_ack+0xaa0/0xaa0
[   74.772832][ T8510]  ? __vmalloc_node_range+0x6e0/0x970
[   74.778361][ T8510]  genl_rcv+0x24/0x40
[   74.782526][ T8510]  netlink_unicast+0x533/0x7d0
[   74.787440][ T8510]  ? netlink_attachskb+0x870/0x870
[   74.793261][ T8510]  ? __virt_addr_valid+0x5d/0x2d0
[   74.798677][ T8510]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[   74.805501][ T8510]  ? __phys_addr_symbol+0x2c/0x70
[   74.811353][ T8510]  ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[   74.817238][ T8510]  ? __check_object_size+0x171/0x3f0
[   74.822553][ T8510]  netlink_sendmsg+0x856/0xd90
[   74.827340][ T8510]  ? netlink_unicast+0x7d0/0x7d0
[   74.832437][ T8510]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   74.838932][ T8510]  ? netlink_unicast+0x7d0/0x7d0
[   74.844021][ T8510]  sock_sendmsg+0xcf/0x120
[   74.848615][ T8510]  ____sys_sendmsg+0x6e8/0x810
[   74.853407][ T8510]  ? kernel_sendmsg+0x50/0x50
[   74.858116][ T8510]  ? do_recvmmsg+0x6d0/0x6d0
[   74.862726][ T8510]  ? do_huge_pmd_anonymous_page+0x124b/0x2570
[   74.869008][ T8510]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   74.875033][ T8510]  ___sys_sendmsg+0xf3/0x170
[   74.879650][ T8510]  ? sendmsg_copy_msghdr+0x160/0x160
[   74.884970][ T8510]  ? __fget_files+0x266/0x3d0
[   74.889717][ T8510]  ? lock_downgrade+0x6e0/0x6e0
[   74.894689][ T8510]  ? __fget_files+0x288/0x3d0
[   74.899535][ T8510]  ? __fget_light+0xea/0x280
[   74.904144][ T8510]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[   74.910699][ T8510]  __sys_sendmsg+0xe5/0x1b0
[   74.915431][ T8510]  ? __sys_sendmsg_sock+0x30/0x30
[   74.920503][ T8510]  ? syscall_enter_from_user_mode+0x27/0x70
[   74.926702][ T8510]  do_syscall_64+0x3a/0xb0
[   74.931245][ T8510]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   74.937170][ T8510] RIP: 0033:0x44e5b9
[   74.941831][ T8510] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[   74.961814][ T8510] RSP: 002b:00007f7705c62208 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   74.970979][ T8510] RAX: ffffffffffffffda RBX: 00000000004cc4a8 RCX: 000000000044e5b9
[   74.979464][ T8510] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[   74.987822][ T8510] RBP: 00000000004cc4a0 R08: 0000000000000000 R09: 0000000000000000
[   74.997047][ T8510] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cc4ac
[   75.005274][ T8510] R13: 00007ffefc1029af R14: 00007f7705c62300 R15: 0000000000022000
[   75.014008][ T8510]
[   75.016709][ T8510] Allocated by task 8493:
[   75.021222][ T8510]  kasan_save_stack+0x1b/0x40
[   75.026572][ T8510]  __kasan_kmalloc+0x9b/0xd0
[   75.031321][ T8510]  _request_firmware+0x2de/0xe80
[   75.037182][ T8510]  request_firmware+0x32/0x50
[   75.041989][ T8510]  reg_reload_regdb+0x7a/0x240
[   75.048173][ T8510]  genl_family_rcv_msg_doit+0x228/0x320
[   75.056037][ T8510]  genl_rcv_msg+0x328/0x580
[   75.061407][ T8510]  netlink_rcv_skb+0x153/0x420
[   75.066457][ T8510]  genl_rcv+0x24/0x40
[   75.070869][ T8510]  netlink_unicast+0x533/0x7d0
[   75.076152][ T8510]  netlink_sendmsg+0x856/0xd90
[   75.081260][ T8510]  sock_sendmsg+0xcf/0x120
[   75.086360][ T8510]  ____sys_sendmsg+0x6e8/0x810
[   75.091149][ T8510]  ___sys_sendmsg+0xf3/0x170
[   75.099240][ T8510]  __sys_sendmsg+0xe5/0x1b0
[   75.103853][ T8510]  do_syscall_64+0x3a/0xb0
[   75.108357][ T8510]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   75.114619][ T8510]
[   75.117118][ T8510] Freed by task 8493:
[   75.121738][ T8510]  kasan_save_stack+0x1b/0x40
[   75.126616][ T8510]  kasan_set_track+0x1c/0x30
[   75.131514][ T8510]  kasan_set_free_info+0x20/0x30
[   75.136617][ T8510]  __kasan_slab_free+0xfb/0x130
[   75.141794][ T8510]  slab_free_freelist_hook+0xdf/0x240
[   75.147368][ T8510]  kfree+0xe5/0x7f0
[   75.151185][ T8510]  free_fw_priv+0x2b1/0x4d0
[   75.155899][ T8510]  release_firmware.part.0+0xc7/0xf0
[   75.161200][ T8510]  _request_firmware+0x709/0xe80
[   75.166168][ T8510]  request_firmware+0x32/0x50
[   75.170980][ T8510]  reg_reload_regdb+0x7a/0x240
[   75.175922][ T8510]  genl_family_rcv_msg_doit+0x228/0x320
[   75.181486][ T8510]  genl_rcv_msg+0x328/0x580
[   75.186005][ T8510]  netlink_rcv_skb+0x153/0x420
[   75.190862][ T8510]  genl_rcv+0x24/0x40
[   75.194876][ T8510]  netlink_unicast+0x533/0x7d0
[   75.199756][ T8510]  netlink_sendmsg+0x856/0xd90
[   75.204635][ T8510]  sock_sendmsg+0xcf/0x120
[   75.209163][ T8510]  ____sys_sendmsg+0x6e8/0x810
[   75.214077][ T8510]  ___sys_sendmsg+0xf3/0x170
[   75.219076][ T8510]  __sys_sendmsg+0xe5/0x1b0
[   75.223675][ T8510]  do_syscall_64+0x3a/0xb0
[   75.228890][ T8510]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   75.234934][ T8510]
[   75.237277][ T8510] The buggy address belongs to the object at ffff88814640d400
[   75.237277][ T8510]  which belongs to the cache kmalloc-256 of size 256
[   75.252222][ T8510] The buggy address is located 200 bytes inside of
[   75.252222][ T8510]  256-byte region [ffff88814640d400, ffff88814640d500)
[   75.265926][ T8510] The buggy address belongs to the page:
[   75.273085][ T8510] page:ffffea0005190300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14640c
[   75.283888][ T8510] head:ffffea0005190300 order:1 compound_mapcount:0
[   75.291394][ T8510] flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff)
[   75.300545][ T8510] raw: 057ff00000010200 ffffea0000882680 0000000900000009 ffff888011041b40
[   75.309584][ T8510] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[   75.319648][ T8510] page dumped because: kasan: bad access detected
[   75.326462][ T8510] page_owner tracks the page as allocated
[   75.333395][ T8510] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd2000(__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 10876638703, free_ts 0
[   75.352712][ T8510]  get_page_from_freelist+0x1033/0x2b60
[   75.358282][ T8510]  __alloc_pages+0x1b2/0x500
[   75.362899][ T8510]  alloc_page_interleave+0x1e/0x1d0
[   75.368154][ T8510]  alloc_pages+0x238/0x2a0
[   75.372620][ T8510]  allocate_slab+0x2c5/0x4c0
[   75.377254][ T8510]  ___slab_alloc+0x4a1/0x810
[   75.381862][ T8510]  __slab_alloc.constprop.0+0xa7/0xf0
[   75.387595][ T8510]  kmem_cache_alloc_trace+0x2a3/0x2c0
[   75.393314][ T8510]  usb_string+0x10b/0x540
[   75.397952][ T8510]  usb_cache_string+0x82/0x120
[   75.402890][ T8510]  usb_new_device+0x1c8/0x7a0
[   75.407592][ T8510]  usb_add_hcd.cold+0x140c/0x1816
[   75.412719][ T8510]  vhci_hcd_probe+0x150/0x3a0
[   75.417428][ T8510]  platform_probe+0xfc/0x1f0
[   75.422256][ T8510]  really_probe+0x291/0xf60
[   75.426781][ T8510]  driver_probe_device+0x298/0x410
[   75.431905][ T8510] page_owner free stack trace missing
[   75.437283][ T8510]
[   75.439607][ T8510] Memory state around the buggy address:
[   75.445441][ T8510]  ffff88814640d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   75.454237][ T8510]  ffff88814640d400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.462472][ T8510] >ffff88814640d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
executing program
executing program
[   75.470929][ T8510]                                           ^
[   75.477653][ T8510]  ffff88814640d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   75.485868][ T8510]  ffff88814640d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   75.494201][ T8510] ==================================================================
[   75.502363][ T8510] Disabling lock debugging due to kernel taint
executing program
executing program
executing program
[   75.531449][ T8510] Kernel panic - not syncing: panic_on_warn set ...
[   75.538201][ T8510] CPU: 0 PID: 8510 Comm: syz-executor629 Tainted: G    B             5.13.0-rc3-syzkaller #0
[   75.548398][ T8510] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   75.558564][ T8510] Call Trace:
[   75.561859][ T8510]  dump_stack+0x141/0x1d7
[   75.566215][ T8510]  panic+0x306/0x73d
[   75.570144][ T8510]  ? __warn_printk+0xf3/0xf3
[   75.574766][ T8510]  ? preempt_schedule_common+0x59/0xc0
executing program
executing program
executing program
[   75.580527][ T8510]  ? __list_add_valid+0x81/0xa0
[   75.585500][ T8510]  ? preempt_schedule_thunk+0x16/0x18
[   75.591177][ T8510]  ? trace_hardirqs_on+0x38/0x1c0
[   75.596232][ T8510]  ? trace_hardirqs_on+0x51/0x1c0
[   75.601295][ T8510]  ? __list_add_valid+0x81/0xa0
[   75.606195][ T8510]  ? __list_add_valid+0x81/0xa0
[   75.611085][ T8510]  end_report.cold+0x5a/0x5a
[   75.615791][ T8510]  kasan_report.cold+0x6a/0xd8
[   75.620588][ T8510]  ? __list_add_valid+0x81/0xa0
[   75.625561][ T8510]  __list_add_valid+0x81/0xa0
[   75.630279][ T8510]  firmware_fallback_sysfs+0x455/0xe20
[   75.635774][ T8510]  _request_firmware+0xa80/0xe80
[   75.640740][ T8510]  request_firmware+0x32/0x50
[   75.645542][ T8510]  reg_reload_regdb+0x7a/0x240
[   75.650329][ T8510]  ? is_world_regdom+0xe0/0xe0
[   75.655206][ T8510]  ? nl80211_set_qos_map+0x800/0x800
[   75.660593][ T8510]  ? nl80211_pre_doit+0xa6/0x620
[   75.665645][ T8510]  genl_family_rcv_msg_doit+0x228/0x320
[   75.671248][ T8510]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x290/0x290
[   75.679294][ T8510]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   75.685586][ T8510]  ? ns_capable+0xde/0x100
[   75.690039][ T8510]  genl_rcv_msg+0x328/0x580
[   75.695193][ T8510]  ? genl_get_cmd+0x480/0x480
[   75.700827][ T8510]  ? nl80211_stop_sched_scan+0x3a0/0x3a0
[   75.706953][ T8510]  ? lock_release+0x720/0x720
[   75.711849][ T8510]  netlink_rcv_skb+0x153/0x420
[   75.716664][ T8510]  ? genl_get_cmd+0x480/0x480
[   75.721371][ T8510]  ? netlink_ack+0xaa0/0xaa0
[   75.727016][ T8510]  ? __vmalloc_node_range+0x6e0/0x970
[   75.732712][ T8510]  genl_rcv+0x24/0x40
[   75.736933][ T8510]  netlink_unicast+0x533/0x7d0
[   75.742494][ T8510]  ? netlink_attachskb+0x870/0x870
[   75.747922][ T8510]  ? __virt_addr_valid+0x5d/0x2d0
[   75.752996][ T8510]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[   75.759731][ T8510]  ? __phys_addr_symbol+0x2c/0x70
[   75.765251][ T8510]  ? __sanitizer_cov_trace_cmp8+0x1d/0x70
[   75.772672][ T8510]  ? __check_object_size+0x171/0x3f0
[   75.778275][ T8510]  netlink_sendmsg+0x856/0xd90
[   75.784493][ T8510]  ? netlink_unicast+0x7d0/0x7d0
[   75.790400][ T8510]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   75.796691][ T8510]  ? netlink_unicast+0x7d0/0x7d0
[   75.801852][ T8510]  sock_sendmsg+0xcf/0x120
[   75.806407][ T8510]  ____sys_sendmsg+0x6e8/0x810
[   75.811984][ T8510]  ? kernel_sendmsg+0x50/0x50
[   75.816690][ T8510]  ? do_recvmmsg+0x6d0/0x6d0
[   75.821319][ T8510]  ? do_huge_pmd_anonymous_page+0x124b/0x2570
[   75.827620][ T8510]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   75.833641][ T8510]  ___sys_sendmsg+0xf3/0x170
[   75.838357][ T8510]  ? sendmsg_copy_msghdr+0x160/0x160
[   75.843671][ T8510]  ? __fget_files+0x266/0x3d0
[   75.848374][ T8510]  ? lock_downgrade+0x6e0/0x6e0
[   75.853552][ T8510]  ? __fget_files+0x288/0x3d0
[   75.858355][ T8510]  ? __fget_light+0xea/0x280
[   75.863410][ T8510]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[   75.869696][ T8510]  __sys_sendmsg+0xe5/0x1b0
[   75.874828][ T8510]  ? __sys_sendmsg_sock+0x30/0x30
[   75.880651][ T8510]  ? syscall_enter_from_user_mode+0x27/0x70
[   75.886677][ T8510]  do_syscall_64+0x3a/0xb0
[   75.891116][ T8510]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   75.897028][ T8510] RIP: 0033:0x44e5b9
[   75.900936][ T8510] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[   75.920918][ T8510] RSP: 002b:00007f7705c62208 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   75.929454][ T8510] RAX: ffffffffffffffda RBX: 00000000004cc4a8 RCX: 000000000044e5b9
[   75.938631][ T8510] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
[   75.947142][ T8510] RBP: 00000000004cc4a0 R08: 0000000000000000 R09: 0000000000000000
[   75.955598][ T8510] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cc4ac
[   75.967133][ T8510] R13: 00007ffefc1029af R14: 00007f7705c62300 R15: 0000000000022000
[   75.976627][ T8510] Kernel Offset: disabled
[   75.981388][ T8510] Rebooting in 86400 seconds..