platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x8c/0x100 lib/list_debug.c:23
Read of size 8 at addr ffff00002ce1a2c8 by task syz-executor.1/31471

CPU: 0 PID: 31471 Comm: syz-executor.1 Not tainted 5.11.0-rc5-syzkaller-00037-g2ab38c17aac1 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x3e0 arch/arm64/include/asm/pointer_auth.h:76
 show_stack+0x1c/0x70 arch/arm64/kernel/stacktrace.c:196
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x110/0x188 lib/dump_stack.c:120
 print_address_description.constprop.0+0x2c/0x300 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report+0x1e8/0x200 mm/kasan/report.c:413
 __asan_report_load8_noabort+0x38/0x6c mm/kasan/report_generic.c:309
 __list_add_valid+0x8c/0x100 lib/list_debug.c:23
 __list_add include/linux/list.h:67 [inline]
 list_add include/linux/list.h:86 [inline]
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:516 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:581 [inline]
 firmware_fallback_sysfs+0x350/0xaa0 drivers/base/firmware_loader/fallback.c:657
 _request_firmware+0xa1c/0x1130 drivers/base/firmware_loader/main.c:831
 request_firmware+0x4c/0x70 drivers/base/firmware_loader/main.c:875
 reg_reload_regdb+0x90/0x1dc net/wireless/reg.c:1088
 nl80211_reload_regdb+0x14/0x20 net/wireless/nl80211.c:7144
 genl_family_rcv_msg_doit+0x1b8/0x2a0 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x24c/0x42c net/netlink/genetlink.c:800
 netlink_rcv_skb+0x198/0x34c net/netlink/af_netlink.c:2494
 genl_rcv+0x3c/0x54 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x3e0/0x670 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x610/0xa20 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xc4/0x100 net/socket.c:672
 ____sys_sendmsg+0x548/0x6d0 net/socket.c:2345
 ___sys_sendmsg+0xf4/0x170 net/socket.c:2399
 __sys_sendmsg+0xbc/0x150 net/socket.c:2432
 __do_sys_sendmsg net/socket.c:2441 [inline]
 __se_sys_sendmsg net/socket.c:2439 [inline]
 __arm64_sys_sendmsg+0x74/0xa4 net/socket.c:2439
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
 el0_svc_common.constprop.0+0x110/0x3c0 arch/arm64/kernel/syscall.c:159
 do_el0_svc+0xa8/0xd4 arch/arm64/kernel/syscall.c:198
 el0_svc+0x20/0x30 arch/arm64/kernel/entry-common.c:365
 el0_sync_handler+0x1a8/0x1b0 arch/arm64/kernel/entry-common.c:381
 el0_sync+0x174/0x180 arch/arm64/kernel/entry.S:699

Allocated by task 31464:
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:121
 kasan_save_stack+0x2c/0x5c mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 ____kasan_kmalloc.constprop.0+0x8c/0xb4 mm/kasan/common.c:429
 __kasan_kmalloc+0x14/0x20 mm/kasan/common.c:443
 kasan_kmalloc include/linux/kasan.h:219 [inline]
 kmem_cache_alloc_trace+0x248/0x460 mm/slub.c:2919
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:682 [inline]
 __allocate_fw_priv drivers/base/firmware_loader/main.c:186 [inline]
 alloc_lookup_fw_priv drivers/base/firmware_loader/main.c:250 [inline]
 _request_firmware_prepare drivers/base/firmware_loader/main.c:744 [inline]
 _request_firmware+0x2b4/0x1130 drivers/base/firmware_loader/main.c:806
 request_firmware+0x4c/0x70 drivers/base/firmware_loader/main.c:875
 reg_reload_regdb+0x90/0x1dc net/wireless/reg.c:1088
 nl80211_reload_regdb+0x14/0x20 net/wireless/nl80211.c:7144
 genl_family_rcv_msg_doit+0x1b8/0x2a0 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x24c/0x42c net/netlink/genetlink.c:800
 netlink_rcv_skb+0x198/0x34c net/netlink/af_netlink.c:2494
 genl_rcv+0x3c/0x54 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x3e0/0x670 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x610/0xa20 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xc4/0x100 net/socket.c:672
 ____sys_sendmsg+0x548/0x6d0 net/socket.c:2345
 ___sys_sendmsg+0xf4/0x170 net/socket.c:2399
 __sys_sendmsg+0xbc/0x150 net/socket.c:2432
 __do_sys_sendmsg net/socket.c:2441 [inline]
 __se_sys_sendmsg net/socket.c:2439 [inline]
 __arm64_sys_sendmsg+0x74/0xa4 net/socket.c:2439
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
 el0_svc_common.constprop.0+0x110/0x3c0 arch/arm64/kernel/syscall.c:159
 do_el0_svc+0xa8/0xd4 arch/arm64/kernel/syscall.c:198
 el0_svc+0x20/0x30 arch/arm64/kernel/entry-common.c:365
 el0_sync_handler+0x1a8/0x1b0 arch/arm64/kernel/entry-common.c:381
 el0_sync+0x174/0x180 arch/arm64/kernel/entry.S:699

Freed by task 31464:
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:121
 kasan_save_stack+0x2c/0x5c mm/kasan/common.c:38
 kasan_set_track+0x2c/0x40 mm/kasan/common.c:46
 kasan_set_free_info+0x2c/0x50 mm/kasan/generic.c:356
 ____kasan_slab_free+0xf0/0x154 mm/kasan/common.c:362
 __kasan_slab_free+0x18/0x24 mm/kasan/common.c:369
 kasan_slab_free include/linux/kasan.h:192 [inline]
 slab_free_hook mm/slub.c:1547 [inline]
 slab_free_freelist_hook+0x8c/0x240 mm/slub.c:1580
 slab_free mm/slub.c:3143 [inline]
 kfree+0x154/0x5fc mm/slub.c:4125
 __free_fw_priv drivers/base/firmware_loader/main.c:282 [inline]
 kref_put include/linux/kref.h:65 [inline]
 free_fw_priv drivers/base/firmware_loader/main.c:289 [inline]
 firmware_free_data drivers/base/firmware_loader/main.c:584 [inline]
 release_firmware.part.0+0x2b0/0x454 drivers/base/firmware_loader/main.c:1053
 release_firmware drivers/base/firmware_loader/main.c:840 [inline]
 _request_firmware+0x970/0x1130 drivers/base/firmware_loader/main.c:839
 request_firmware+0x4c/0x70 drivers/base/firmware_loader/main.c:875
 reg_reload_regdb+0x90/0x1dc net/wireless/reg.c:1088
 nl80211_reload_regdb+0x14/0x20 net/wireless/nl80211.c:7144
 genl_family_rcv_msg_doit+0x1b8/0x2a0 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x24c/0x42c net/netlink/genetlink.c:800
 netlink_rcv_skb+0x198/0x34c net/netlink/af_netlink.c:2494
 genl_rcv+0x3c/0x54 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x3e0/0x670 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x610/0xa20 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xc4/0x100 net/socket.c:672
 ____sys_sendmsg+0x548/0x6d0 net/socket.c:2345
 ___sys_sendmsg+0xf4/0x170 net/socket.c:2399
 __sys_sendmsg+0xbc/0x150 net/socket.c:2432
 __do_sys_sendmsg net/socket.c:2441 [inline]
 __se_sys_sendmsg net/socket.c:2439 [inline]
 __arm64_sys_sendmsg+0x74/0xa4 net/socket.c:2439
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
 el0_svc_common.constprop.0+0x110/0x3c0 arch/arm64/kernel/syscall.c:159
 do_el0_svc+0xa8/0xd4 arch/arm64/kernel/syscall.c:198
 el0_svc+0x20/0x30 arch/arm64/kernel/entry-common.c:365
 el0_sync_handler+0x1a8/0x1b0 arch/arm64/kernel/entry-common.c:381
 el0_sync+0x174/0x180 arch/arm64/kernel/entry.S:699

The buggy address belongs to the object at ffff00002ce1a200
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 200 bytes inside of
 256-byte region [ffff00002ce1a200, ffff00002ce1a300)
The buggy address belongs to the page:
page:00000000b546daf9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6ce1a
flags: 0x1ffc00000000200(slab)
raw: 01ffc00000000200 0000000000000000 0000000100000001 ffff00000c401a80
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff00002ce1a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff00002ce1a200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff00002ce1a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff00002ce1a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff00002ce1a380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
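What the report above records: task 31464 allocated a 256-byte fw_priv in _request_firmware() and then freed it through release_firmware() (main.c:839); task 31471, running the same nl80211_reload_regdb() path, reached fw_load_sysfs_fallback() and its list_add() read 8 bytes at offset 200 of that freed object (the shadow bytes marked fb are KASAN's "freed" state). A list_add() faulting on freed memory is the signature of a node that was still linked, or still reachable from the list head, when its owner dropped the last reference. The C program below is an added illustration of that pattern, not code from the kernel or from this report; it assumes, without verifying against the firmware_loader source, that the object was still on the pending list when it was freed. struct fw_obj, run_request_pair(), pending_head and the poisoning pool are hypothetical stand-ins. It reimplements the three checks of lib/list_debug.c __list_add_valid() in user space, and its "slab" poisons a freed node instead of returning the memory so the dangling pointer can be followed without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };
#define LIST_HEAD_INIT(name) { &(name), &(name) }

/* The checks lib/list_debug.c:__list_add_valid() runs before linking a node.
 * Returns false instead of WARN()ing so the caller can observe the verdict. */
static bool list_add_valid(struct list_head *new, struct list_head *prev,
                           struct list_head *next)
{
    if (next->prev != prev) {
        fprintf(stderr, "list_add corruption: next->prev should be %p, was %p\n",
                (void *)prev, (void *)next->prev);
        return false;
    }
    if (prev->next != next) {
        fprintf(stderr, "list_add corruption: prev->next should be %p, was %p\n",
                (void *)next, (void *)prev->next);
        return false;
    }
    if (new == prev || new == next) {
        fprintf(stderr, "list_add double add: new=%p\n", (void *)new);
        return false;
    }
    return true;
}

static bool list_add(struct list_head *new, struct list_head *head)
{
    struct list_head *next = head->next;   /* in the report: a stale, freed node */
    if (!list_add_valid(new, head, next))
        return false;
    next->prev = new;
    new->next = next;
    new->prev = head;
    head->next = new;
    return true;
}

static void list_del_init(struct list_head *entry)
{
    entry->next->prev = entry->prev;
    entry->prev->next = entry->next;
    entry->next = entry->prev = entry;
}

/* Hypothetical stand-in for struct fw_priv: refcounted, and parked on a
 * "pending" list while user space is expected to supply the blob. */
struct fw_obj {
    int refs;
    struct list_head pending_list;
};

/* Model slab (hypothetical): objects live in a static pool and "freeing" poisons
 * the list node, the role KASAN's fb shadow bytes play in the kernel report. */
static struct fw_obj pool[2];
static struct list_head pending_head = LIST_HEAD_INIT(pending_head);

static struct fw_obj *fw_alloc(int slot)
{
    struct fw_obj *o = &pool[slot];
    memset(o, 0, sizeof *o);
    o->refs = 1;
    o->pending_list.next = o->pending_list.prev = &o->pending_list;
    return o;
}

static void fw_put(struct fw_obj *o)
{
    if (--o->refs == 0)
        memset(&o->pending_list, 0x6b, sizeof o->pending_list); /* freed + poisoned */
}

/* Requester A links its object, aborts, and drops the last reference; requester B
 * then calls list_add() on the same list, as task 31471 did in the report. */
static bool run_request_pair(bool unlink_before_free)
{
    pending_head.next = pending_head.prev = &pending_head;
    struct fw_obj *a = fw_alloc(0);
    struct fw_obj *b = fw_alloc(1);

    list_add(&a->pending_list, &pending_head);   /* A: waiting for user space */
    if (unlink_before_free)
        list_del_init(&a->pending_list);         /* the step the buggy path skips */
    fw_put(a);                                   /* A: load aborted, object freed */

    return list_add(&b->pending_list, &pending_head);
}

static bool buggy_sequence(void) { return run_request_pair(false); }
static bool fixed_sequence(void) { return run_request_pair(true); }

int main(void)
{
    printf("free without unlink: list_add %s\n",
           buggy_sequence() ? "accepted" : "rejected, head->next is a stale node");
    printf("unlink before free:  list_add %s\n",
           fixed_sequence() ? "accepted" : "rejected");
    return 0;
}
```

Build with `cc -Wall -o listuaf listuaf.c`. The buggy path is rejected here only because the model poisons freed nodes and the validity check reads the poison; in a kernel without KASAN or CONFIG_DEBUG_LIST the same read returns whatever the recycled slab object holds and the list is silently corrupted. Swapping the pool for malloc()/free() and compiling with `-fsanitize=address` turns the rejected case into an ASan heap-use-after-free report at the `next->prev` read, the user-space counterpart of the KASAN report above. The general remedy is the one the fixed path shows: the object must leave the pending list before its last reference can be dropped, on every exit path including the abort one.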