================================================================== BUG: KASAN: slab-out-of-bounds in __list_add_valid+0x36/0xc0 lib/list_debug.c:23 Read of size 8 at addr ffff8881e4733388 by task syz-executor.3/11965 CPU: 0 PID: 11965 Comm: syz-executor.3 Not tainted 5.4.120-syzkaller-00711-gabfb4e00f51b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d8/0x24e lib/dump_stack.c:118 print_address_description+0x9b/0x650 mm/kasan/report.c:384 __kasan_report+0x182/0x260 mm/kasan/report.c:516 kasan_report+0x30/0x60 mm/kasan/common.c:641 __list_add_valid+0x36/0xc0 lib/list_debug.c:23 __list_add include/linux/list.h:60 [inline] list_add include/linux/list.h:79 [inline] fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:515 [inline] fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:580 [inline] firmware_fallback_sysfs+0x480/0xb20 drivers/base/firmware_loader/fallback.c:654 _request_firmware+0x1287/0x1770 drivers/base/firmware_loader/main.c:788 request_firmware+0x33/0x50 drivers/base/firmware_loader/main.c:831 reg_reload_regdb+0xa0/0x220 net/wireless/reg.c:1083 genl_family_rcv_msg net/netlink/genetlink.c:629 [inline] genl_rcv_msg+0xed9/0x13b0 net/netlink/genetlink.c:654 netlink_rcv_skb+0x200/0x480 net/netlink/af_netlink.c:2478 genl_rcv+0x24/0x40 net/netlink/genetlink.c:665 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x865/0x9f0 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x9ab/0xd40 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:638 [inline] sock_sendmsg net/socket.c:658 [inline] ____sys_sendmsg+0x583/0x8c0 net/socket.c:2298 ___sys_sendmsg net/socket.c:2352 [inline] __sys_sendmsg+0x2c4/0x3b0 net/socket.c:2398 do_syscall_64+0xcb/0x1e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4665d9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f033167b188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000007 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007ffd7470110f R14: 00007f033167b300 R15: 0000000000022000 Allocated by task 0: (stack is not available) Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8881e4733300 which belongs to the cache bridge_fdb_cache of size 128 The buggy address is located 8 bytes to the right of 128-byte region [ffff8881e4733300, ffff8881e4733380) The buggy address belongs to the page: page:ffffea000791ccc0 refcount:1 mapcount:0 mapping:ffff8881f0164c80 index:0xffff8881e4733840 flags: 0x8000000000000200(slab) raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f0164c80 raw: ffff8881e4733840 0000000080150014 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY) set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2165 [inline] prep_new_page+0x19a/0x380 mm/page_alloc.c:2171 get_page_from_freelist+0x550/0x8b0 mm/page_alloc.c:3794 __alloc_pages_nodemask+0x3a2/0x880 mm/page_alloc.c:4855 alloc_slab_page+0x39/0x3e0 mm/slub.c:342 allocate_slab mm/slub.c:1675 [inline] new_slab+0x97/0x460 mm/slub.c:1741 new_slab_objects mm/slub.c:2498 [inline] ___slab_alloc+0x330/0x4c0 mm/slub.c:2659 __slab_alloc mm/slub.c:2699 [inline] slab_alloc_node mm/slub.c:2784 [inline] slab_alloc mm/slub.c:2829 [inline] kmem_cache_alloc+0x18b/0x290 mm/slub.c:2834 fdb_create+0xba/0xf40 net/bridge/br_fdb.c:492 fdb_insert+0x129/0x260 net/bridge/br_fdb.c:536 br_fdb_insert+0x36/0x50 net/bridge/br_fdb.c:552 br_add_if+0x114d/0x1ce0 net/bridge/br_if.c:648 do_set_master net/core/rtnetlink.c:2391 [inline] do_setlink+0xdf1/0x3b50 net/core/rtnetlink.c:2526 __rtnl_newlink net/core/rtnetlink.c:3160 [inline] rtnl_newlink+0x1653/0x1ce0 net/core/rtnetlink.c:3286 rtnetlink_rcv_msg+0xb74/0xd00 net/core/rtnetlink.c:5255 netlink_rcv_skb+0x200/0x480 net/netlink/af_netlink.c:2478 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x865/0x9f0 net/netlink/af_netlink.c:1329 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1176 [inline] free_pcp_prepare+0x1a9/0x270 mm/page_alloc.c:1233 free_unref_page_prepare mm/page_alloc.c:3085 [inline] free_unref_page mm/page_alloc.c:3134 [inline] free_the_page mm/page_alloc.c:4915 [inline] __free_pages+0x9c/0x250 mm/page_alloc.c:4923 __free_slab+0x237/0x2f0 mm/slub.c:1766 free_slab mm/slub.c:1781 [inline] discard_slab mm/slub.c:1787 [inline] unfreeze_partials+0x14f/0x180 mm/slub.c:2279 put_cpu_partial+0xb5/0x150 mm/slub.c:2315 __slab_free mm/slub.c:2963 [inline] do_slab_free mm/slub.c:3060 [inline] ___cache_free+0x352/0x4e0 mm/slub.c:3079 qlist_free_all mm/kasan/quarantine.c:167 [inline] quarantine_reduce+0x17a/0x1e0 mm/kasan/quarantine.c:260 __kasan_kmalloc+0x43/0x1e0 mm/kasan/common.c:495 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slub.c:2821 [inline] slab_alloc mm/slub.c:2829 [inline] kmem_cache_alloc+0x115/0x290 mm/slub.c:2834 getname_flags+0xba/0x640 fs/namei.c:141 user_path_at_empty+0x28/0x50 fs/namei.c:2683 do_readlinkat+0x11b/0x3b0 fs/stat.c:399 __do_sys_readlinkat fs/stat.c:426 [inline] __se_sys_readlinkat fs/stat.c:423 [inline] __x64_sys_readlinkat+0x96/0xb0 fs/stat.c:423 do_syscall_64+0xcb/0x1e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Memory state around the buggy address: ffff8881e4733280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881e4733300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8881e4733380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8881e4733400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881e4733480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== list_add corruption. next->prev should be prev (ffffffff86106580), but was 0000000000000000. (next=ffff8881e4733380). ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:25! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 11965 Comm: syz-executor.3 Tainted: G B 5.4.120-syzkaller-00711-gabfb4e00f51b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__list_add_valid+0xa0/0xc0 lib/list_debug.c:23 Code: e0 7e 03 85 4c 89 fe 4c 89 e2 4c 89 f1 31 c0 e8 c2 53 22 ff 0f 0b 48 c7 c7 a0 7d 03 85 4c 89 e6 4c 89 f1 31 c0 e8 ac 53 22 ff <0f> 0b 48 c7 c7 60 7e 03 85 4c 89 f6 4c 89 e1 31 c0 e8 96 53 22 ff RSP: 0018:ffff8881dc27f2c8 EFLAGS: 00010246 RAX: 0000000000000075 RBX: ffff8881e4733388 RCX: c22ed53877614500 RDX: ffffc9000178e000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffff8881e4733380 R08: ffffffff814e8397 R09: ffffed103ede5e08 R10: ffffed103ede5e08 R11: 0000000000000000 R12: ffffffff86106580 R13: dffffc0000000000 R14: ffff8881e4733380 R15: ffff8881af353d80 FS: 00007f033167b700(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020001000 CR3: 00000001ddfa2000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __list_add include/linux/list.h:60 [inline] list_add include/linux/list.h:79 [inline] fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:515 [inline] fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:580 [inline] firmware_fallback_sysfs+0x480/0xb20 drivers/base/firmware_loader/fallback.c:654 _request_firmware+0x1287/0x1770 drivers/base/firmware_loader/main.c:788 request_firmware+0x33/0x50 drivers/base/firmware_loader/main.c:831 reg_reload_regdb+0xa0/0x220 net/wireless/reg.c:1083 genl_family_rcv_msg net/netlink/genetlink.c:629 [inline] genl_rcv_msg+0xed9/0x13b0 net/netlink/genetlink.c:654 netlink_rcv_skb+0x200/0x480 net/netlink/af_netlink.c:2478 genl_rcv+0x24/0x40 net/netlink/genetlink.c:665 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x865/0x9f0 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x9ab/0xd40 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:638 [inline] sock_sendmsg net/socket.c:658 [inline] ____sys_sendmsg+0x583/0x8c0 net/socket.c:2298 ___sys_sendmsg net/socket.c:2352 [inline] __sys_sendmsg+0x2c4/0x3b0 net/socket.c:2398 do_syscall_64+0xcb/0x1e0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4665d9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f033167b188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000007 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007ffd7470110f R14: 00007f033167b300 R15: 0000000000022000 Modules linked in: ---[ end trace 3df13e980eacdedc ]--- RIP: 0010:__list_add_valid+0xa0/0xc0 lib/list_debug.c:23 Code: e0 7e 03 85 4c 89 fe 4c 89 e2 4c 89 f1 31 c0 e8 c2 53 22 ff 0f 0b 48 c7 c7 a0 7d 03 85 4c 89 e6 4c 89 f1 31 c0 e8 ac 53 22 ff <0f> 0b 48 c7 c7 60 7e 03 85 4c 89 f6 4c 89 e1 31 c0 e8 96 53 22 ff RSP: 0018:ffff8881dc27f2c8 EFLAGS: 00010246 RAX: 0000000000000075 RBX: ffff8881e4733388 RCX: c22ed53877614500 RDX: ffffc9000178e000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffff8881e4733380 R08: ffffffff814e8397 R09: ffffed103ede5e08 R10: ffffed103ede5e08 R11: 0000000000000000 R12: ffffffff86106580 R13: dffffc0000000000 R14: ffff8881e4733380 R15: ffff8881af353d80 FS: 00007f033167b700(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffdcb843fe8 CR3: 00000001ddfa2000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400