platform regulatory.0: Direct firmware load for regulatory.db failed with error -2 platform regulatory.0: Falling back to sysfs fallback for: regulatory.db ================================================================== BUG: KASAN: use-after-free in __list_add_valid+0x88/0xf4 lib/list_debug.c:23 Read of size 8 at addr ffff000012d132c8 by task syz-executor.1/5856 CPU: 0 PID: 5856 Comm: syz-executor.1 Not tainted 5.12.0-rc2-syzkaller-00487-gf296bfd5cd04 #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x3e0 arch/arm64/include/asm/pointer_auth.h:76 show_stack+0x18/0x70 arch/arm64/kernel/stacktrace.c:191 __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x120/0x1a8 lib/dump_stack.c:120 print_address_description.constprop.0+0x2c/0x300 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report+0x1ec/0x200 mm/kasan/report.c:416 __asan_report_load8_noabort+0x34/0x60 mm/kasan/report_generic.c:309 __list_add_valid+0x88/0xf4 lib/list_debug.c:23 __list_add include/linux/list.h:67 [inline] list_add include/linux/list.h:86 [inline] fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:516 [inline] fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:581 [inline] firmware_fallback_sysfs+0x350/0xaa0 drivers/base/firmware_loader/fallback.c:657 _request_firmware+0x4bc/0xaa4 drivers/base/firmware_loader/main.c:831 request_firmware+0x48/0x6c drivers/base/firmware_loader/main.c:875 reg_reload_regdb+0x90/0x1dc net/wireless/reg.c:1095 nl80211_reload_regdb+0x10/0x1c net/wireless/nl80211.c:7235 genl_family_rcv_msg_doit+0x1b8/0x2a0 net/netlink/genetlink.c:739 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0x24c/0x42c net/netlink/genetlink.c:800 netlink_rcv_skb+0x198/0x34c net/netlink/af_netlink.c:2502 genl_rcv+0x38/0x50 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x3e0/0x670 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x610/0xa20 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xc0/0xf4 net/socket.c:674 ____sys_sendmsg+0x548/0x6d0 net/socket.c:2350 ___sys_sendmsg+0xf4/0x170 net/socket.c:2404 __sys_sendmsg+0xbc/0x150 net/socket.c:2433 __do_sys_sendmsg net/socket.c:2442 [inline] __se_sys_sendmsg net/socket.c:2440 [inline] __arm64_sys_sendmsg+0x70/0xa0 net/socket.c:2440 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.0+0xf0/0x2c0 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xa4/0xd0 arch/arm64/kernel/syscall.c:168 el0_svc+0x24/0x34 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:432 el0_sync+0x170/0x180 arch/arm64/kernel/entry.S:699 Allocated by task 3697: stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:121 kasan_save_stack+0x28/0x60 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:427 [inline] ____kasan_kmalloc mm/kasan/common.c:506 [inline] __kasan_kmalloc+0x88/0xb0 mm/kasan/common.c:515 kasan_kmalloc include/linux/kasan.h:233 [inline] __kmalloc+0x264/0x4b0 mm/slub.c:4055 kmalloc_array include/linux/slab.h:594 [inline] alloc_indirect_split drivers/virtio/virtio_ring.c:406 [inline] virtqueue_add_split+0x8b4/0x1060 drivers/virtio/virtio_ring.c:448 virtqueue_add drivers/virtio/virtio_ring.c:1706 [inline] virtqueue_add_sgs+0x10c/0x140 drivers/virtio/virtio_ring.c:1740 virtblk_add_req drivers/block/virtio_blk.c:111 [inline] virtio_queue_rq+0x50c/0x10e0 drivers/block/virtio_blk.c:278 __blk_mq_issue_directly block/blk-mq.c:1985 [inline] __blk_mq_try_issue_directly+0x2d4/0x5f0 block/blk-mq.c:2037 blk_mq_request_issue_directly block/blk-mq.c:2085 [inline] blk_mq_try_issue_list_directly+0x1a8/0x79c block/blk-mq.c:2103 blk_mq_sched_insert_requests+0x3bc/0x680 block/blk-mq-sched.c:484 blk_mq_flush_plug_list+0x2bc/0x500 block/blk-mq.c:1942 blk_flush_plug_list block/blk-core.c:1749 [inline] blk_finish_plug block/blk-core.c:1766 [inline] blk_finish_plug+0x88/0xe0 block/blk-core.c:1762 jbd2_journal_commit_transaction+0x16e4/0x4390 fs/jbd2/commit.c:838 kjournald2+0x190/0x730 fs/jbd2/journal.c:213 kthread+0x320/0x3bc kernel/kthread.c:292 ret_from_fork+0x10/0x3c arch/arm64/kernel/entry.S:958 Freed by task 4023: stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:121 kasan_save_stack+0x28/0x60 mm/kasan/common.c:38 kasan_set_track+0x28/0x40 mm/kasan/common.c:46 kasan_set_free_info+0x28/0x50 mm/kasan/generic.c:357 ____kasan_slab_free mm/kasan/common.c:360 [inline] ____kasan_slab_free+0xfc/0x160 mm/kasan/common.c:325 __kasan_slab_free+0x14/0x20 mm/kasan/common.c:367 kasan_slab_free include/linux/kasan.h:199 [inline] slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x8c/0x260 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kfree+0x154/0x7d0 mm/slub.c:4213 detach_buf_split+0x3a8/0x620 drivers/virtio/virtio_ring.c:665 virtqueue_get_buf_ctx_split+0x25c/0x794 drivers/virtio/virtio_ring.c:720 virtqueue_get_buf_ctx drivers/virtio/virtio_ring.c:1900 [inline] virtqueue_get_buf+0x68/0x90 drivers/virtio/virtio_ring.c:1906 virtblk_done+0x160/0x2f0 drivers/block/virtio_blk.c:186 vring_interrupt drivers/virtio/virtio_ring.c:2049 [inline] vring_interrupt+0x154/0x2b0 drivers/virtio/virtio_ring.c:2035 __handle_irq_event_percpu+0x1c4/0x9a4 kernel/irq/handle.c:156 handle_irq_event_percpu kernel/irq/handle.c:196 [inline] handle_irq_event+0x10c/0x2dc kernel/irq/handle.c:213 handle_fasteoi_irq+0x214/0x820 kernel/irq/chip.c:714 generic_handle_irq_desc include/linux/irqdesc.h:158 [inline] generic_handle_irq kernel/irq/irqdesc.c:652 [inline] __handle_domain_irq+0x11c/0x1f0 kernel/irq/irqdesc.c:689 handle_domain_irq include/linux/irqdesc.h:176 [inline] gic_handle_irq+0x5c/0x1b0 drivers/irqchip/irq-gic.c:370 el1_irq+0xb4/0x180 arch/arm64/kernel/entry.S:669 arch_local_irq_enable arch/arm64/include/asm/irqflags.h:37 [inline] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline] _raw_spin_unlock_irq+0x80/0x15c kernel/locking/spinlock.c:199 finish_lock_switch kernel/sched/core.c:4076 [inline] finish_task_switch.isra.0+0x1b0/0x690 kernel/sched/core.c:4193 context_switch kernel/sched/core.c:4327 [inline] __schedule+0x814/0x1ac0 kernel/sched/core.c:5075 preempt_schedule_common+0xa4/0x2a0 kernel/sched/core.c:5235 preempt_schedule+0x60/0x6c kernel/sched/core.c:5260 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline] _raw_spin_unlock_irqrestore+0x118/0x180 kernel/locking/spinlock.c:191 spin_unlock_irqrestore include/linux/spinlock.h:409 [inline] __wake_up_common_lock+0xe0/0x130 kernel/sched/wait.c:140 __wake_up+0x18/0x24 kernel/sched/wait.c:157 stop_this_handle+0x3bc/0x470 fs/jbd2/transaction.c:737 jbd2_journal_stop+0x430/0xf54 fs/jbd2/transaction.c:1907 __ext4_journal_stop+0xa4/0x1b4 fs/ext4/ext4_jbd2.c:127 ext4_mkdir+0x46c/0x7b0 fs/ext4/namei.c:2845 vfs_mkdir+0x14c/0x2ac fs/namei.c:3817 do_mkdirat+0x1f8/0x240 fs/namei.c:3842 __do_sys_mkdirat fs/namei.c:3855 [inline] __se_sys_mkdirat fs/namei.c:3853 [inline] __arm64_sys_mkdirat+0x6c/0xa0 fs/namei.c:3853 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.0+0xf0/0x2c0 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xa4/0xd0 arch/arm64/kernel/syscall.c:168 el0_svc+0x24/0x34 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:432 el0_sync+0x170/0x180 arch/arm64/kernel/entry.S:699 Last potentially related work creation: stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:121 kasan_save_stack+0x28/0x60 mm/kasan/common.c:38 kasan_record_aux_stack+0xf8/0x130 mm/kasan/generic.c:345 insert_work+0x50/0x2a0 kernel/workqueue.c:1331 __queue_work+0x4d0/0x11a0 kernel/workqueue.c:1497 queue_work_on+0xc4/0x110 kernel/workqueue.c:1524 queue_work include/linux/workqueue.h:507 [inline] call_usermodehelper_exec+0x268/0x430 kernel/umh.c:433 kobject_uevent_env+0xaf8/0x10d0 lib/kobject_uevent.c:617 kobject_uevent+0x14/0x20 lib/kobject_uevent.c:641 rx_queue_add_kobject net/core/net-sysfs.c:1020 [inline] net_rx_queue_update_kobjects+0x1d4/0x3ec net/core/net-sysfs.c:1060 register_queue_kobjects net/core/net-sysfs.c:1742 [inline] netdev_register_kobject+0x1e8/0x35c net/core/net-sysfs.c:1990 register_netdevice+0x834/0xee0 net/core/dev.c:10178 register_netdev+0x24/0x4c net/core/dev.c:10302 vti6_init_net+0x444/0x6c0 net/ipv6/ip6_vti.c:1160 ops_init+0x8c/0x370 net/core/net_namespace.c:140 setup_net+0x390/0x86c net/core/net_namespace.c:333 copy_net_ns+0x238/0x7f0 net/core/net_namespace.c:474 create_new_namespaces+0x300/0x820 kernel/nsproxy.c:110 copy_namespaces+0x288/0x320 kernel/nsproxy.c:178 copy_process+0x1bc0/0x51c0 kernel/fork.c:2102 kernel_clone+0x128/0x9c0 kernel/fork.c:2493 __do_sys_clone+0xac/0xec kernel/fork.c:2610 __se_sys_clone kernel/fork.c:2578 [inline] __arm64_sys_clone+0xa4/0x100 kernel/fork.c:2578 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.0+0xf0/0x2c0 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xa4/0xd0 arch/arm64/kernel/syscall.c:168 el0_svc+0x24/0x34 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:432 el0_sync+0x170/0x180 arch/arm64/kernel/entry.S:699 Second to last potentially related work creation: stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:121 kasan_save_stack+0x28/0x60 mm/kasan/common.c:38 kasan_record_aux_stack+0xf8/0x130 mm/kasan/generic.c:345 __call_rcu kernel/rcu/tree.c:3039 [inline] call_rcu+0xb4/0x8b0 kernel/rcu/tree.c:3114 free_fib_info net/ipv4/fib_semantics.c:256 [inline] fib_create_info+0x186c/0x389c net/ipv4/fib_semantics.c:1549 fib_table_insert+0x164/0x1e10 net/ipv4/fib_trie.c:1224 fib_magic+0x2f0/0x410 net/ipv4/fib_frontend.c:1085 fib_add_ifaddr+0x144/0x3f0 net/ipv4/fib_frontend.c:1107 fib_netdev_event+0x28c/0x4b4 net/ipv4/fib_frontend.c:1466 notifier_call_chain+0xc0/0x180 kernel/notifier.c:83 raw_notifier_call_chain+0x18/0x24 kernel/notifier.c:410 call_netdevice_notifiers_info+0x84/0xec net/core/dev.c:2063 call_netdevice_notifiers_extack net/core/dev.c:2075 [inline] call_netdevice_notifiers net/core/dev.c:2089 [inline] __dev_notify_flags+0x144/0x1f0 net/core/dev.c:8695 dev_change_flags+0xe0/0x15c net/core/dev.c:8733 do_setlink+0x5d8/0x2840 net/core/rtnetlink.c:2708 __rtnl_newlink+0x8b8/0xfe4 net/core/rtnetlink.c:3376 rtnl_newlink+0x70/0xac net/core/rtnetlink.c:3491 rtnetlink_rcv_msg+0x300/0x744 net/core/rtnetlink.c:5553 netlink_rcv_skb+0x198/0x34c net/netlink/af_netlink.c:2502 rtnetlink_rcv+0x18/0x24 net/core/rtnetlink.c:5571 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x3e0/0x670 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x610/0xa20 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xc0/0xf4 net/socket.c:674 __sys_sendto+0x16c/0x22c net/socket.c:1977 __do_sys_sendto net/socket.c:1989 [inline] __se_sys_sendto net/socket.c:1985 [inline] __arm64_sys_sendto+0xc0/0x134 net/socket.c:1985 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall arch/arm64/kernel/syscall.c:49 [inline] el0_svc_common.constprop.0+0xf0/0x2c0 arch/arm64/kernel/syscall.c:129 do_el0_svc+0xa4/0xd0 arch/arm64/kernel/syscall.c:168 el0_svc+0x24/0x34 arch/arm64/kernel/entry-common.c:416 el0_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:432 el0_sync+0x170/0x180 arch/arm64/kernel/entry.S:699 The buggy address belongs to the object at ffff000012d13200 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 200 bytes inside of 256-byte region [ffff000012d13200, ffff000012d13300) The buggy address belongs to the page: page:000000001df8f3df refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x52d12 head:000000001df8f3df order:1 compound_mapcount:0 flags: 0x1ffc00000010200(slab|head) raw: 01ffc00000010200 fffffc0000490d00 0000000600000006 ffff00000ac02480 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff000012d13180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff000012d13200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff000012d13280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff000012d13300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff000012d13380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================