==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0 lib/list_debug.c:23
Read of size 8 at addr ffff8880363358c8 by task syz-executor.1/22532

CPU: 1 PID: 22532 Comm: syz-executor.1 Not tainted 5.14.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 __list_add_valid+0x81/0xa0 lib/list_debug.c:23
 __list_add include/linux/list.h:67 [inline]
 list_add include/linux/list.h:86 [inline]
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:516 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:581 [inline]
 firmware_fallback_sysfs+0x455/0xe10 drivers/base/firmware_loader/fallback.c:657
 _request_firmware+0xa80/0xe80 drivers/base/firmware_loader/main.c:833
 request_firmware+0x32/0x50 drivers/base/firmware_loader/main.c:877
 reg_reload_regdb+0x7a/0x240 net/wireless/reg.c:1095
 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739
 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
 genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
 netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
 sock_sendmsg_nosec net/socket.c:703 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:723
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2392
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2446
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2475
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff4c2872188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffdc7e4020f R14: 00007ff4c2872300 R15: 0000000000022000

Allocated by task 9902:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 fib6_info_alloc+0xc1/0x210 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x33e/0x1aa0 net/ipv6/route.c:3762
 addrconf_f6i_alloc+0x2b5/0x4c0 net/ipv6/route.c:4580
 ipv6_add_addr+0x3a6/0x1f00 net/ipv6/addrconf.c:1089
 addrconf_add_linklocal+0x1ca/0x590 net/ipv6/addrconf.c:3182
 addrconf_addr_gen+0x3a4/0x3e0 net/ipv6/addrconf.c:3313
 addrconf_dev_config+0x253/0x420 net/ipv6/addrconf.c:3360
 addrconf_notify+0x366/0x2400 net/ipv6/addrconf.c:3593
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2123
 netdev_state_change net/core/dev.c:1514 [inline]
 netdev_state_change+0x100/0x130 net/core/dev.c:1507
 linkwatch_do_dev+0x151/0x1b0 net/core/link_watch.c:167
 __linkwatch_run_queue+0x1ea/0x630 net/core/link_watch.c:212
 linkwatch_event+0x4a/0x60 net/core/link_watch.c:251
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3029 [inline]
 call_rcu+0xb1/0x750 kernel/rcu/tree.c:3109
 fib6_info_release include/net/ip6_fib.h:337 [inline]
 fib6_info_release include/net/ip6_fib.h:334 [inline]
 __ip6_del_rt net/ipv6/route.c:3883 [inline]
 ip6_del_rt+0x1be/0x200 net/ipv6/route.c:3894
 __ipv6_ifa_notify+0x4f3/0xa90 net/ipv6/addrconf.c:6110
 addrconf_ifdown.isra.0+0xa4b/0x15b0 net/ipv6/addrconf.c:3820
 addrconf_notify+0x606/0x2400 net/ipv6/addrconf.c:3631
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2123
 call_netdevice_notifiers_extack net/core/dev.c:2135 [inline]
 call_netdevice_notifiers net/core/dev.c:2149 [inline]
 dev_close_many+0x2ff/0x620 net/core/dev.c:1724
 unregister_netdevice_many+0x3ff/0x1790 net/core/dev.c:11070
 default_device_exit_batch+0x2fa/0x3c0 net/core/dev.c:11623
 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:178
 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:595
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Second to last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:348
 kvfree_call_rcu+0x74/0x990 kernel/rcu/tree.c:3594
 drop_sysctl_table+0x3c0/0x4e0 fs/proc/proc_sysctl.c:1647
 unregister_sysctl_table fs/proc/proc_sysctl.c:1685 [inline]
 unregister_sysctl_table+0xc2/0x190 fs/proc/proc_sysctl.c:1660
 sysctl_core_net_exit+0x58/0x90 net/core/sysctl_net_core.c:647
 ops_exit_list+0xb0/0x160 net/core/net_namespace.c:175
 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:595
 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff888036335800
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 200 bytes inside of
 256-byte region [ffff888036335800, ffff888036335900)
The buggy address belongs to the page:
page:ffffea0000d8cd00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888036334800 pfn:0x36334
head:ffffea0000d8cd00 order:1 compound_mapcount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea00019ba008 ffffea000186fa08 ffff888010841b40
raw: ffff888036334800 0000000000100008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 8486, ts 122901071923, free_ts 119493242911
 prep_new_page mm/page_alloc.c:2436 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4169
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5391
 alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2244
 alloc_slab_page mm/slub.c:1688 [inline]
 allocate_slab+0x32e/0x4b0 mm/slub.c:1828
 new_slab mm/slub.c:1891 [inline]
 new_slab_objects mm/slub.c:2637 [inline]
 ___slab_alloc+0x4ba/0x820 mm/slub.c:2800
 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2840
 slab_alloc_node mm/slub.c:2922 [inline]
 slab_alloc mm/slub.c:2964 [inline]
 kmem_cache_alloc_trace+0x30f/0x3c0 mm/slub.c:2981
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 fib6_info_alloc+0xc1/0x210 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x33e/0x1aa0 net/ipv6/route.c:3762
 ip6_route_add+0x24/0x150 net/ipv6/route.c:3856
 addrconf_add_mroute+0x1e1/0x310 net/ipv6/addrconf.c:2479
 addrconf_add_dev+0x162/0x1d0 net/ipv6/addrconf.c:2497
 inet6_addr_add+0x1a4/0xae0 net/ipv6/addrconf.c:2913
 inet6_rtm_newaddr+0xf00/0x1970 net/ipv6/addrconf.c:4871
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5574
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1346 [inline]
 free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397
 free_unref_page_prepare mm/page_alloc.c:3332 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3411
 kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:375
 apply_to_pte_range mm/memory.c:2532 [inline]
 apply_to_pmd_range mm/memory.c:2576 [inline]
 apply_to_pud_range mm/memory.c:2612 [inline]
 apply_to_p4d_range mm/memory.c:2648 [inline]
 __apply_to_page_range+0x694/0x1080 mm/memory.c:2682
 kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:485
 __purge_vmap_area_lazy+0x8f9/0x1c50 mm/vmalloc.c:1670
 _vm_unmap_aliases.part.0+0x3f0/0x500 mm/vmalloc.c:2073
 _vm_unmap_aliases mm/vmalloc.c:2047 [inline]
 vm_unmap_aliases+0x47/0x50 mm/vmalloc.c:2096
 change_page_attr_set_clr+0x241/0x500 arch/x86/mm/pat/set_memory.c:1740
 change_page_attr_clear arch/x86/mm/pat/set_memory.c:1797 [inline]
 set_memory_ro+0x78/0xa0 arch/x86/mm/pat/set_memory.c:1943
 bpf_jit_binary_lock_ro include/linux/filter.h:866 [inline]
 bpf_int_jit_compile+0xe36/0x11e0 arch/x86/net/bpf_jit_comp.c:2319
 bpf_prog_select_runtime+0x464/0x6a0 kernel/bpf/core.c:1914
 bpf_migrate_filter+0x2dc/0x380 net/core/filter.c:1294
 bpf_prepare_filter net/core/filter.c:1342 [inline]
 __get_filter+0x357/0x4e0 net/core/filter.c:1511
 sk_attach_filter+0x1c/0x170 net/core/filter.c:1526
 sock_setsockopt+0x1d5e/0x24b0 net/core/sock.c:1163

Memory state around the buggy address:
 ffff888036335780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888036335800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888036335880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff888036335900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888036335980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	ff c3                	inc    %ebx
   2:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   9:	00 00 00 
   c:	0f 1f 40 00          	nopl   0x0(%rax)
  10:	48 89 f8             	mov    %rdi,%rax
  13:	48 89 f7             	mov    %rsi,%rdi
  16:	48 89 d6             	mov    %rdx,%rsi
  19:	48 89 ca             	mov    %rcx,%rdx
  1c:	4d 89 c2             	mov    %r8,%r10
  1f:	4d 89 c8             	mov    %r9,%r8
  22:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  27:	0f 05                	syscall 
  29:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax <-- trapping instruction
  2f:	73 01                	jae    0x32
  31:	c3                   	retq   
  32:	48 c7 c1 bc ff ff ff 	mov    $0xffffffffffffffbc,%rcx
  39:	f7 d8                	neg    %eax
  3b:	64 89 01             	mov    %eax,%fs:(%rcx)
  3e:	48                   	rex.W