Warning: Permanently added '10.128.0.226' (ECDSA) to the list of known hosts.
executing program
[ 49.911918][ T22] audit: type=1400 audit(1634401162.019:73): avc: denied { execmem } for pid=299 comm="syz-executor220" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 49.932735][ T22] audit: type=1400 audit(1634401162.039:74): avc: denied { create } for pid=300 comm="syz-executor220" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 49.953473][ T22] audit: type=1400 audit(1634401162.039:75): avc: denied { write } for pid=300 comm="syz-executor220" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 49.974156][ T22] audit: type=1400 audit(1634401162.039:76): avc: denied { read } for pid=300 comm="syz-executor220" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
executing program
[ 54.931339][ T98] cfg80211: failed to load regulatory.db
[ 54.958574][ T302] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 54.968225][ T302] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 54.977412][ T302] ==================================================================
[ 54.985473][ T302] BUG: KASAN: use-after-free in __list_add_valid+0x36/0xc0
[ 54.992681][ T302] Read of size 8 at addr ffff8881ee676a88 by task syz-executor220/302
[ 55.000919][ T302]
[ 55.003233][ T302] CPU: 1 PID: 302 Comm: syz-executor220 Not tainted 5.4.125-syzkaller-00028-g73e6d86c30ee #0
[ 55.013359][ T302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.023761][ T302] Call Trace:
[ 55.027053][ T302] dump_stack+0x1d8/0x24e
[ 55.031384][ T302] ? show_regs_print_info+0x12/0x12
[ 55.036569][ T302] ? printk+0xcf/0x114
[ 55.040630][ T302] print_address_description+0x9b/0x650
[ 55.046152][ T302] ? devkmsg_release+0x11c/0x11c
[ 55.051278][ T302] ? device_add+0x5d8/0x18a0
[ 55.056064][ T302] __kasan_report+0x182/0x260
[ 55.060791][ T302] ? __list_add_valid+0x36/0xc0
[ 55.065768][ T302] kasan_report+0x30/0x60
[ 55.070107][ T302] __list_add_valid+0x36/0xc0
[ 55.074844][ T302] firmware_fallback_sysfs+0x480/0xb20
[ 55.080307][ T302] _request_firmware+0x1287/0x1770
[ 55.085940][ T302] ? request_firmware+0x50/0x50
[ 55.090783][ T302] ? __nla_validate+0x50/0x50
[ 55.095442][ T302] request_firmware+0x33/0x50
[ 55.100103][ T302] reg_reload_regdb+0xa0/0x220
[ 55.105142][ T302] ? reg_query_regdb_wmm+0x510/0x510
[ 55.110605][ T302] ? nl80211_pre_doit+0x156/0x590
[ 55.115716][ T302] genl_rcv_msg+0xed8/0x13b0
[ 55.120309][ T302] ? genl_rcv+0x40/0x40
[ 55.124466][ T302] ? rhashtable_jhash2+0x1bf/0x2e0
[ 55.129588][ T302] ? jhash+0x740/0x740
[ 55.133866][ T302] ? rht_key_hashfn+0x112/0x1e0
[ 55.138991][ T302] ? rht_lock+0x100/0x100
[ 55.143422][ T302] ? __sys_sendmsg+0x2c4/0x3b0
[ 55.148164][ T302] ? rht_key_hashfn+0x1e0/0x1e0
[ 55.152987][ T302] ? netlink_hash+0xd0/0xd0
[ 55.157477][ T302] netlink_rcv_skb+0x200/0x480
[ 55.162326][ T302] ? genl_rcv+0x40/0x40
[ 55.166473][ T302] ? netlink_ack+0xab0/0xab0
[ 55.171385][ T302] ? __down_read+0xf1/0x210
[ 55.176051][ T302] ? __init_rwsem+0x200/0x200
[ 55.180721][ T302] ? __rcu_read_lock+0x50/0x50
[ 55.185469][ T302] ? selinux_vm_enough_memory+0x170/0x170
[ 55.191255][ T302] genl_rcv+0x24/0x40
[ 55.195651][ T302] netlink_unicast+0x865/0x9f0
[ 55.200644][ T302] ? netlink_detachskb+0x40/0x40
[ 55.206015][ T302] ? _copy_from_iter_full+0x29e/0x830
[ 55.212055][ T302] ? __virt_addr_valid+0x1fd/0x290
[ 55.217173][ T302] netlink_sendmsg+0x9ab/0xd40
[ 55.222018][ T302] ? netlink_getsockopt+0x8e0/0x8e0
[ 55.227293][ T302] ? import_iovec+0x1bc/0x380
[ 55.232022][ T302] ? security_socket_sendmsg+0x9d/0xb0
[ 55.237586][ T302] ? netlink_getsockopt+0x8e0/0x8e0
[ 55.242764][ T302] ____sys_sendmsg+0x583/0x8c0
[ 55.247505][ T302] ? __sys_sendmsg_sock+0x2b0/0x2b0
[ 55.252776][ T302] ? netlink_getsockopt+0x8e0/0x8e0
[ 55.257951][ T302] __sys_sendmsg+0x2c4/0x3b0
[ 55.262512][ T302] ? ____sys_sendmsg+0x8c0/0x8c0
[ 55.267429][ T302] ? check_preemption_disabled+0x154/0x330
[ 55.273412][ T302] do_syscall_64+0xcb/0x1e0
[ 55.278172][ T302] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 55.284043][ T302] RIP: 0033:0x7fb2327c67e9
[ 55.288443][ T302] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 55.309155][ T302] RSP: 002b:00007ffe854e5348 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 55.317791][ T302] RAX: ffffffffffffffda RBX: 000000000000c2f4 RCX: 00007fb2327c67e9
[ 55.325741][ T302] RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003
[ 55.333692][ T302] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe854e54e8
[ 55.341648][ T302] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe854e535c
[ 55.349780][ T302] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 55.357747][ T302]
[ 55.360356][ T302] Allocated by task 98:
[ 55.364783][ T302] __kasan_kmalloc+0x137/0x1e0
[ 55.369663][ T302] kmem_cache_alloc_trace+0x139/0x2b0
[ 55.375039][ T302] _request_firmware+0x524/0x1770
[ 55.380170][ T302] request_firmware_work_func+0x121/0x260
[ 55.385951][ T302] process_one_work+0x679/0x1030
[ 55.390884][ T302] worker_thread+0xa6f/0x1400
[ 55.395682][ T302] kthread+0x30f/0x330
[ 55.399725][ T302] ret_from_fork+0x1f/0x30
[ 55.404111][ T302]
[ 55.406499][ T302] Freed by task 98:
[ 55.410286][ T302] __kasan_slab_free+0x18a/0x240
[ 55.415456][ T302] slab_free_freelist_hook+0x7b/0x150
[ 55.421060][ T302] kfree+0xe0/0x660
[ 55.424845][ T302] release_firmware+0x47f/0x4d0
[ 55.429692][ T302] _request_firmware+0x145a/0x1770
[ 55.435077][ T302] request_firmware_work_func+0x121/0x260
[ 55.440943][ T302] process_one_work+0x679/0x1030
[ 55.446156][ T302] worker_thread+0xa6f/0x1400
[ 55.451256][ T302] kthread+0x30f/0x330
[ 55.455424][ T302] ret_from_fork+0x1f/0x30
[ 55.459819][ T302]
[ 55.462129][ T302] The buggy address belongs to the object at ffff8881ee676a00
[ 55.462129][ T302] which belongs to the cache kmalloc-192 of size 192
[ 55.476354][ T302] The buggy address is located 136 bytes inside of
[ 55.476354][ T302] 192-byte region [ffff8881ee676a00, ffff8881ee676ac0)
[ 55.490450][ T302] The buggy address belongs to the page:
[ 55.496685][ T302] page:ffffea0007b99d80 refcount:1 mapcount:0 mapping:ffff8881f5c02a00 index:0x0
[ 55.505945][ T302] flags: 0x8000000000000200(slab)
[ 55.511084][ T302] raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f5c02a00
[ 55.519871][ T302] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 55.528554][ T302] page dumped because: kasan: bad access detected
[ 55.534948][ T302] page_owner tracks the page as allocated
[ 55.540647][ T302] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY)
[ 55.552618][ T302] prep_new_page+0x19a/0x380
[ 55.557312][ T302] get_page_from_freelist+0x550/0x8b0
[ 55.562922][ T302] __alloc_pages_nodemask+0x3a2/0x880
[ 55.568289][ T302] alloc_slab_page+0x39/0x3e0
[ 55.572983][ T302] new_slab+0x97/0x460
[ 55.577179][ T302] ___slab_alloc+0x330/0x4c0
[ 55.582048][ T302] __kmalloc_track_caller+0x1d1/0x2e0
[ 55.587510][ T302] kmemdup+0x21/0x50
[ 55.591521][ T302] neigh_parms_alloc+0x77/0x460
[ 55.596446][ T302] inetdev_init+0x12e/0x530
[ 55.600961][ T302] inetdev_event+0x205/0x1100
[ 55.605833][ T302] raw_notifier_call_chain+0x9e/0x110
[ 55.611372][ T302] register_netdevice+0xee6/0x1480
[ 55.616496][ T302] register_netdev+0x37/0x50
[ 55.621179][ T302] ip6gre_init_net+0x242/0x310
[ 55.625964][ T302] ops_init+0x26e/0x340
[ 55.630273][ T302] page_owner free stack trace missing
[ 55.637116][ T302]
[ 55.639536][ T302] Memory state around the buggy address:
[ 55.645161][ T302] ffff8881ee676980: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.653591][ T302] ffff8881ee676a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 55.661667][ T302] >ffff8881ee676a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 55.670038][ T302] ^
[ 55.674811][ T302] ffff8881ee676b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.682958][ T302] ffff8881ee676b80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.691108][ T302] ==================================================================
[ 55.699243][ T302] Disabling lock debugging due to kernel taint
executing program
[ 59.935736][ T302] syz-executor220 (302) used greatest stack depth: 21840 bytes left
[ 59.940671][ T304] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 59.953382][ T304] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
executing program
[ 64.942352][ T306] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 64.952195][ T306] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db