Starting sshd: OK
syzkaller
syzkaller login: [ 14.854486][ T22] kauditd_printk_skb: 37 callbacks suppressed
[ 14.854492][ T22] audit: type=1400 audit(1634716977.300:71): avc: denied { transition } for pid=266 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 14.860157][ T22] audit: type=1400 audit(1634716977.300:72): avc: denied { write } for pid=266 comm="sh" path="pipe:[9861]" dev="pipefs" ino=9861 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
[ 14.870800][ T256] sshd (256) used greatest stack depth: 23280 bytes left
[ 15.489979][ T267] sshd (267) used greatest stack depth: 22736 bytes left
Warning: Permanently added '10.128.0.165' (ECDSA) to the list of known hosts.
executing program
[ 21.301511][ T22] audit: type=1400 audit(1634716983.740:73): avc: denied { execmem } for pid=299 comm="syz-executor965" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 21.321778][ T22] audit: type=1400 audit(1634716983.760:74): avc: denied { create } for pid=300 comm="syz-executor965" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 21.342367][ T22] audit: type=1400 audit(1634716983.770:75): avc: denied { write } for pid=300 comm="syz-executor965" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 21.362877][ T22] audit: type=1400 audit(1634716983.770:76): avc: denied { read } for pid=300 comm="syz-executor965" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
executing program
[ 26.321040][ T70] cfg80211: failed to load regulatory.db
[ 26.338367][ T302] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 26.347855][ T302] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 26.356764][ T302] ==================================================================
[ 26.364807][ T302] BUG: KASAN: use-after-free in __list_add_valid+0x36/0xc0
[ 26.371968][ T302] Read of size 8 at addr ffff8881eefcaf88 by task syz-executor965/302
[ 26.380078][ T302]
[ 26.382377][ T302] CPU: 1 PID: 302 Comm: syz-executor965 Not tainted 5.4.125-syzkaller-00029-g5970ec26e0c8 #0
[ 26.392488][ T302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 26.402553][ T302] Call Trace:
[ 26.405816][ T302] dump_stack+0x1d8/0x24e
[ 26.410113][ T302] ? show_regs_print_info+0x12/0x12
[ 26.415275][ T302] ? printk+0xcf/0x114
[ 26.419314][ T302] print_address_description+0x9b/0x650
[ 26.424824][ T302] ? devkmsg_release+0x11c/0x11c
[ 26.429724][ T302] ? device_add+0x5d8/0x18a0
[ 26.434283][ T302] __kasan_report+0x182/0x260
[ 26.438930][ T302] ? __list_add_valid+0x36/0xc0
[ 26.443747][ T302] kasan_report+0x30/0x60
[ 26.448041][ T302] __list_add_valid+0x36/0xc0
[ 26.452682][ T302] firmware_fallback_sysfs+0x480/0xb20
[ 26.458108][ T302] _request_firmware+0x1287/0x1770
[ 26.463185][ T302] ? request_firmware+0x50/0x50
[ 26.468001][ T302] ? __nla_validate+0x50/0x50
[ 26.472644][ T302] request_firmware+0x33/0x50
[ 26.477294][ T302] reg_reload_regdb+0xa0/0x220
[ 26.482023][ T302] ? reg_query_regdb_wmm+0x510/0x510
[ 26.487272][ T302] ? nl80211_pre_doit+0x156/0x590
[ 26.492265][ T302] genl_rcv_msg+0xed8/0x13b0
[ 26.496828][ T302] ? genl_rcv+0x40/0x40
[ 26.500949][ T302] ? rhashtable_jhash2+0x1bf/0x2e0
[ 26.506024][ T302] ? jhash+0x740/0x740
[ 26.510056][ T302] ? rht_key_hashfn+0x112/0x1e0
[ 26.514870][ T302] ? rht_lock+0x100/0x100
[ 26.519179][ T302] ? __sys_sendmsg+0x2c4/0x3b0
[ 26.523907][ T302] ? rht_key_hashfn+0x1e0/0x1e0
[ 26.528723][ T302] ? netlink_hash+0xd0/0xd0
[ 26.533191][ T302] netlink_rcv_skb+0x200/0x480
[ 26.537919][ T302] ? genl_rcv+0x40/0x40
[ 26.542040][ T302] ? netlink_ack+0xab0/0xab0
[ 26.546594][ T302] ? __down_read+0xf1/0x210
[ 26.551061][ T302] ? __init_rwsem+0x200/0x200
[ 26.555704][ T302] ? __rcu_read_lock+0x50/0x50
[ 26.560436][ T302] ? selinux_vm_enough_memory+0x170/0x170
[ 26.566120][ T302] genl_rcv+0x24/0x40
[ 26.570066][ T302] netlink_unicast+0x865/0x9f0
[ 26.574794][ T302] ? netlink_detachskb+0x40/0x40
[ 26.579697][ T302] ? _copy_from_iter_full+0x29e/0x830
[ 26.585035][ T302] ? __virt_addr_valid+0x1fd/0x290
[ 26.590112][ T302] netlink_sendmsg+0x9ab/0xd40
[ 26.594840][ T302] ? netlink_getsockopt+0x8e0/0x8e0
[ 26.600014][ T302] ? import_iovec+0x1bc/0x380
[ 26.604660][ T302] ? security_socket_sendmsg+0x9d/0xb0
[ 26.610082][ T302] ? netlink_getsockopt+0x8e0/0x8e0
[ 26.615245][ T302] ____sys_sendmsg+0x583/0x8c0
[ 26.619974][ T302] ? __sys_sendmsg_sock+0x2b0/0x2b0
[ 26.625137][ T302] ? __lru_cache_add+0x1c4/0x210
[ 26.630049][ T302] __sys_sendmsg+0x2c4/0x3b0
[ 26.634604][ T302] ? ____sys_sendmsg+0x8c0/0x8c0
[ 26.639510][ T302] ? __down_read+0x210/0x210
[ 26.644066][ T302] ? check_preemption_disabled+0x154/0x330
[ 26.649846][ T302] ? do_user_addr_fault+0x6b0/0xb40
[ 26.655010][ T302] do_syscall_64+0xcb/0x1e0
[ 26.659478][ T302] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 26.665336][ T302] RIP: 0033:0x7f325ba87879
[ 26.669726][ T302] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 26.689302][ T302] RSP: 002b:00007ffe963f36d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 26.697680][ T302] RAX: ffffffffffffffda RBX: 0000000000005333 RCX: 00007f325ba87879
[ 26.705618][ T302] RDX: 0000000000000000 RSI: 0000000020001000 RDI: 0000000000000003
[ 26.713553][ T302] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe963f3878
[ 26.721488][ T302] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe963f36ec
[ 26.729464][ T302] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[ 26.737403][ T302]
[ 26.739736][ T302] Allocated by task 70:
[ 26.743862][ T302] __kasan_kmalloc+0x137/0x1e0
[ 26.748588][ T302] kmem_cache_alloc_trace+0x139/0x2b0
[ 26.753924][ T302] _request_firmware+0x524/0x1770
[ 26.758909][ T302] request_firmware_work_func+0x121/0x260
[ 26.764592][ T302] process_one_work+0x679/0x1030
[ 26.769492][ T302] worker_thread+0xa6f/0x1400
[ 26.774135][ T302] kthread+0x30f/0x330
[ 26.778201][ T302] ret_from_fork+0x1f/0x30
[ 26.782579][ T302]
[ 26.784911][ T302] Freed by task 70:
[ 26.788722][ T302] __kasan_slab_free+0x18a/0x240
[ 26.793622][ T302] slab_free_freelist_hook+0x7b/0x150
[ 26.798955][ T302] kfree+0xe0/0x660
[ 26.802728][ T302] release_firmware+0x47f/0x4d0
[ 26.807543][ T302] _request_firmware+0x145a/0x1770
[ 26.812617][ T302] request_firmware_work_func+0x121/0x260
[ 26.818296][ T302] process_one_work+0x679/0x1030
[ 26.823195][ T302] worker_thread+0xa6f/0x1400
[ 26.827839][ T302] kthread+0x30f/0x330
[ 26.831870][ T302] ret_from_fork+0x1f/0x30
[ 26.836247][ T302]
[ 26.838544][ T302] The buggy address belongs to the object at ffff8881eefcaf00
[ 26.838544][ T302] which belongs to the cache kmalloc-192 of size 192
[ 26.852559][ T302] The buggy address is located 136 bytes inside of
[ 26.852559][ T302] 192-byte region [ffff8881eefcaf00, ffff8881eefcafc0)
[ 26.865786][ T302] The buggy address belongs to the page:
[ 26.871381][ T302] page:ffffea0007bbf280 refcount:1 mapcount:0 mapping:ffff8881f5c02a00 index:0x0
[ 26.880444][ T302] flags: 0x8000000000000200(slab)
[ 26.885444][ T302] raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f5c02a00
[ 26.893994][ T302] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 26.902567][ T302] page dumped because: kasan: bad access detected
[ 26.908941][ T302] page_owner tracks the page as allocated
[ 26.914636][ T302] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY)
[ 26.926571][ T302] prep_new_page+0x19a/0x380
[ 26.931122][ T302] get_page_from_freelist+0x550/0x8b0
[ 26.936457][ T302] __alloc_pages_nodemask+0x3a2/0x880
[ 26.941792][ T302] alloc_slab_page+0x39/0x3e0
[ 26.946440][ T302] new_slab+0x97/0x460
[ 26.950481][ T302] ___slab_alloc+0x330/0x4c0
[ 26.955043][ T302] kmem_cache_alloc_trace+0x199/0x2b0
[ 26.960379][ T302] bus_add_driver+0xd1/0x520
[ 26.964932][ T302] driver_register+0x2e9/0x3e0
[ 26.969661][ T302] do_one_initcall+0x1d3/0x6b0
[ 26.974390][ T302] do_initcall_level+0x101/0x256
[ 26.979292][ T302] do_initcalls+0x4b/0x8c
[ 26.983595][ T302] kernel_init_freeable+0x27e/0x409
[ 26.988760][ T302] kernel_init+0xd/0x3a0
[ 26.992967][ T302] ret_from_fork+0x1f/0x30
[ 26.997341][ T302] page_owner free stack trace missing
[ 27.002674][ T302]
[ 27.004966][ T302] Memory state around the buggy address:
[ 27.010561][ T302] ffff8881eefcae80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 27.018584][ T302] ffff8881eefcaf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 27.026609][ T302] >ffff8881eefcaf80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 27.034631][ T302] ^
[ 27.038926][ T302] ffff8881eefcb000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 27.046952][ T302] ffff8881eefcb080: 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00
[ 27.054973][ T302] ==================================================================
[ 27.062994][ T302] Disabling lock debugging due to kernel taint
executing program
[ 31.324423][ T302] syz-executor965 (302) used greatest stack depth: 21840 bytes left
[ 31.328807][ T304] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 31.341920][ T304] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
executing program
[ 36.331008][ T306] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 36.340525][ T306] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db