[ 82.987852][ T40] kauditd_printk_skb: 74 callbacks suppressed
[ 82.987880][ T40] audit: type=1400 audit(1661949924.821:189): avc: denied { transition } for pid=3847 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '[localhost]:14612' (ECDSA) to the list of known hosts.
2022/08/31 12:45:27 ignoring optional flag "sandboxArg"="0"
2022/08/31 12:45:27 parsed 1 programs
[ 85.839743][ T40] audit: type=1400 audit(1661949927.671:190): avc: denied { mounton } for pid=3890 comm="syz-executor" path="/syzcgroup/unified" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=dir permissive=1
[ 85.846862][ T3890] cgroup: Unknown subsys name 'net'
[ 85.870491][ T3890] cgroup: Unknown subsys name 'rlimit'
[ 85.883646][ T40] audit: type=1400 audit(1661949927.721:191): avc: denied { mounton } for pid=3890 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
2022/08/31 12:45:27 executed programs: 0
[ 85.902290][ T40] audit: type=1400 audit(1661949927.721:192): avc: denied { mount } for pid=3890 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 85.923873][ T40] audit: type=1400 audit(1661949927.721:193): avc: denied { create } for pid=3890 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 85.940781][ T40] audit: type=1400 audit(1661949927.721:194): avc: denied { write } for pid=3890 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 85.954945][ T40] audit: type=1400 audit(1661949927.721:195): avc: denied { read } for pid=3890 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 85.968191][ T40] audit: type=1400 audit(1661949927.771:196): avc: denied { create } for pid=3899 comm="syz-executor.0" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1
[ 85.980441][ T40] audit: type=1400 audit(1661949927.771:197): avc: denied { create } for pid=3891 comm="dhcpcd-run-hook" name="resolv.conf.eth4.ipv4ll" scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 85.995044][ T40] audit: type=1400 audit(1661949927.771:198): avc: denied { write open } for pid=3891 comm="dhcpcd-run-hook" path="/run/dhcpcd/hook-state/resolv.conf.eth4.ipv4ll" dev="tmpfs" ino=1572 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 87.018726][ T63] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 87.026064][ T63] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 87.032519][ T63] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 87.040999][ T63] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 87.047688][ T63] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 87.055132][ T63] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 87.157660][ T3899] chnl_net:caif_netlink_parms(): no params data found
[ 87.248950][ T3899] bridge0: port 1(bridge_slave_0) entered blocking state
[ 87.254487][ T3899] bridge0: port 1(bridge_slave_0) entered disabled state
[ 87.261529][ T3899] device bridge_slave_0 entered promiscuous mode
[ 87.268310][ T3899] bridge0: port 2(bridge_slave_1) entered blocking state
[ 87.273910][ T3899] bridge0: port 2(bridge_slave_1) entered disabled state
[ 87.279847][ T3899] device bridge_slave_1 entered promiscuous mode
[ 87.333789][ T3899] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 87.342849][ T3899] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 87.385010][ T3899] team0: Port device team_slave_0 added
[ 87.392092][ T3899] team0: Port device team_slave_1 added
[ 87.444102][ T3899] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 87.450343][ T3899] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 87.468207][ T3899] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 87.477971][ T3899] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 87.483058][ T3899] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 87.502049][ T3899] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 87.554369][ T3899] device hsr_slave_0 entered promiscuous mode
[ 87.559993][ T3899] device hsr_slave_1 entered promiscuous mode
[ 87.714278][ T3899] bridge0: port 2(bridge_slave_1) entered blocking state
[ 87.719922][ T3899] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 87.724860][ T3899] bridge0: port 1(bridge_slave_0) entered blocking state
[ 87.729406][ T3899] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 87.810181][ T3899] 8021q: adding VLAN 0 to HW filter on device bond0
[ 87.838608][ T3708] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 87.847322][ T3708] bridge0: port 1(bridge_slave_0) entered disabled state
[ 87.852937][ T3708] bridge0: port 2(bridge_slave_1) entered disabled state
[ 87.860683][ T3708] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 87.872726][ T3899] 8021q: adding VLAN 0 to HW filter on device team0
[ 87.887556][ T3699] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 87.896554][ T3699] bridge0: port 1(bridge_slave_0) entered blocking state
[ 87.902341][ T3699] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 87.915078][ T15] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 87.921259][ T15] bridge0: port 2(bridge_slave_1) entered blocking state
[ 87.927009][ T15] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 87.951383][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 87.957508][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 87.983001][ T3899] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 87.992789][ T3899] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 88.002813][ T15] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 88.011226][ T15] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 88.018552][ T15] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 88.025517][ T15] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 88.048897][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 88.055222][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 88.065837][ T3899] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 88.372228][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 88.379533][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 88.410084][ T3899] device veth0_vlan entered promiscuous mode
[ 88.417917][ T3699] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 88.425749][ T3699] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 88.433258][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 88.439913][ T24] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 88.451872][ T3899] device veth1_vlan entered promiscuous mode
[ 88.481290][ T15] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 88.488295][ T15] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 88.496101][ T15] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 88.503772][ T15] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 88.514868][ T3899] device veth0_macvtap entered promiscuous mode
[ 88.527778][ T3899] device veth1_macvtap entered promiscuous mode
[ 88.543872][ T3899] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 88.550037][ T34] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 88.557591][ T34] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 88.564667][ T34] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 88.573329][ T34] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 88.586038][ T3899] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 88.593666][ T15] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 88.600207][ T15] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 88.651840][ T40] kauditd_printk_skb: 6 callbacks suppressed
[ 88.651857][ T40] audit: type=1400 audit(1661949930.481:205): avc: denied { mounton } for pid=3899 comm="syz-executor.0" path="/dev/binderfs" dev="devtmpfs" ino=2383 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 88.719662][ T40] audit: type=1400 audit(1661949930.551:206): avc: denied { ioctl } for pid=3945 comm="syz-executor.0" path="/dev/raw-gadget" dev="devtmpfs" ino=760 ioctlcmd=0x5500 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 88.993894][ T24] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 89.095018][ T3700] Bluetooth: hci0: command 0x0409 tx timeout
[ 89.243823][ T24] usb 5-1: Using ep0 maxpacket: 32
[ 89.384705][ T24] usb 5-1: config 0 has an invalid interface number: 254 but max is 0
[ 89.391929][ T24] usb 5-1: config 0 has no interface number 0
[ 89.398439][ T24] usb 5-1: config 0 interface 254 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7
[ 89.564286][ T24] usb 5-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=29.3d
[ 89.570936][ T24] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 89.577592][ T24] usb 5-1: Product: syz
[ 89.580902][ T24] usb 5-1: Manufacturer: syz
[ 89.584328][ T24] usb 5-1: SerialNumber: syz
[ 89.594644][ T24] usb 5-1: config 0 descriptor??
[ 89.896284][ T24] em28xx 5-1:0.254: New device syz syz @ 480 Mbps (eb1a:e303, interface 254, class 254)
[ 89.917883][ T24] em28xx 5-1:0.254: Video interface 254 found:
[ 90.055330][ T24] em28xx 5-1:0.254: unknown em28xx chip ID (0)
[ 90.374499][ T24] em28xx 5-1:0.254: reading from i2c device at 0xa0 failed (error=-5)
[ 90.382996][ T24] em28xx 5-1:0.254: board has no eeprom
[ 90.493644][ T24] em28xx 5-1:0.254: Identified as Kaiomy TVnPC U2 (card=63)
[ 90.499074][ T24] em28xx 5-1:0.254: analog set to bulk mode.
[ 90.514004][ T24] usb 5-1: USB disconnect, device number 2
[ 90.522213][ T3700] em28xx 5-1:0.254: Registering V4L2 extension
[ 90.530062][ T24] em28xx 5-1:0.254: Disconnecting em28xx
[ 90.570832][ T3700] i2c i2c-2: Invalid 7-bit I2C address 0x00
[ 90.597309][ T3700] tuner: 2-0061: Tuner -1 found with type(s) Radio TV.
[ 90.607533][ T3700] xc2028 2-0061: creating new instance
[ 90.612556][ T3700] xc2028 2-0061: type set to XCeive xc2028/xc3028 tuner
[ 90.620945][ T3700] em28xx 5-1:0.254: Config register raw data: 0xffffffed
[ 90.629520][ T3700] em28xx 5-1:0.254: AC97 chip type couldn't be determined
[ 90.635894][ T3700] em28xx 5-1:0.254: No AC97 audio processor
[ 90.647412][ T3700] em28xx 5-1:0.254: Registered radio device as radio32
[ 90.653849][ T3700] usb 5-1: Decoder not found
[ 90.657714][ T3700] em28xx 5-1:0.254: failed to create media graph
[ 90.663123][ T3700] em28xx 5-1:0.254: V4L2 device radio32 deregistered
[ 90.672018][ T3700] em28xx 5-1:0.254: V4L2 device video71 deregistered
[ 90.680416][ T3700] xc2028 2-0061: destroying instance
[ 90.685184][ T3700] em28xx 5-1:0.254: Registering input extension
[ 90.690257][ T24] em28xx 5-1:0.254: Closing input extension
[ 90.702244][ T3700] em28xx 5-1:0.254: Direct firmware load for xc3028-v27.fw failed with error -2
[ 90.710274][ T24] em28xx 5-1:0.254: Freeing device
[ 90.716364][ T3700] usb 5-1:0.254: Falling back to sysfs fallback for: xc3028-v27.fw
[ 90.721565][ T3700] kobject_add_internal failed for firmware (error: -2 parent: 5-1:0.254)
[ 90.731571][ T3700] firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
[ 90.737544][ T3700] ==================================================================
[ 90.742735][ T3700] BUG: KASAN: use-after-free in load_firmware_cb+0x269/0x290
[ 90.747205][ T3700] Read of size 8 at addr ffff888021c28318 by task kworker/1:5/3700
[ 90.751645][ T3700]
[ 90.754324][ T3700] CPU: 1 PID: 3700 Comm: kworker/1:5 Not tainted 6.0.0-rc3-syzkaller-00792-gdcf8e5633e2e #0
[ 90.765844][ T3700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
[ 90.773090][ T3700] Workqueue: events request_firmware_work_func
[ 90.778262][ T3700] Call Trace:
[ 90.781000][ T3700]
[ 90.783429][ T3700] dump_stack_lvl+0xcd/0x134
[ 90.787029][ T3700] print_report.cold+0x2ba/0x6e9
[ 90.790485][ T3700] ? load_firmware_cb+0x269/0x290
[ 90.794058][ T3700] kasan_report+0xb1/0x1e0
[ 90.797554][ T3700] ? load_firmware_cb+0x269/0x290
[ 90.801283][ T3700] ? seek_firmware.isra.0+0x610/0x610
[ 90.805537][ T3700] load_firmware_cb+0x269/0x290
[ 90.808769][ T3700] ? kfree+0x25b/0x390
[ 90.811392][ T3700] ? _request_firmware+0x5e4/0x9e0
[ 90.814717][ T3700] ? lockdep_hardirqs_on+0x79/0x100
[ 90.818018][ T3700] ? seek_firmware.isra.0+0x610/0x610
[ 90.821439][ T3700] ? assign_fw+0x640/0x640
[ 90.824542][ T3700] ? seek_firmware.isra.0+0x610/0x610
[ 90.828437][ T3700] request_firmware_work_func+0x12c/0x230
[ 90.833173][ T3700] ? request_partial_firmware_into_buf+0xa0/0xa0
[ 90.837679][ T3700] process_one_work+0x991/0x1610
[ 90.840611][ T3700] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 90.843600][ T3700] ? rwlock_bug.part.0+0x90/0x90
[ 90.846484][ T3700] ? _raw_spin_lock_irq+0x41/0x50
[ 90.849910][ T3700] worker_thread+0x665/0x1080
[ 90.853517][ T3700] ? __kthread_parkme+0x15f/0x220
[ 90.857180][ T3700] ? process_one_work+0x1610/0x1610
[ 90.860547][ T3700] kthread+0x2e4/0x3a0
[ 90.862973][ T3700] ? kthread_complete_and_exit+0x40/0x40
[ 90.866439][ T3700] ret_from_fork+0x1f/0x30
[ 90.869009][ T3700]
[ 90.871279][ T3700]
[ 90.873098][ T3700] Allocated by task 3700:
[ 90.876379][ T3700] kasan_save_stack+0x1e/0x40
[ 90.879449][ T3700] __kasan_kmalloc+0xa6/0xd0
[ 90.882309][ T3700] kmem_cache_alloc_trace+0x25a/0x460
[ 90.886284][ T3700] tuner_probe+0xa4/0x1180
[ 90.889999][ T3700] i2c_device_probe+0xa1b/0xba0
[ 90.893848][ T3700] really_probe+0x249/0xb90
[ 90.897192][ T3700] __driver_probe_device+0x1df/0x4d0
[ 90.901089][ T3700] driver_probe_device+0x4c/0x1a0
[ 90.905217][ T3700] __device_attach_driver+0x206/0x2e0
[ 90.909336][ T3700] bus_for_each_drv+0x15f/0x1e0
[ 90.912799][ T3700] __device_attach+0x1e4/0x530
[ 90.915855][ T3700] bus_probe_device+0x1e4/0x290
[ 90.918875][ T3700] device_add+0xbd5/0x1e90
[ 90.922451][ T3700] i2c_new_client_device+0x61d/0xb00
[ 90.926236][ T3700] v4l2_i2c_new_subdev_board+0xaf/0x2c0
[ 90.930699][ T3700] v4l2_i2c_new_subdev+0x102/0x170
[ 90.934838][ T3700] em28xx_v4l2_init.cold+0x9cb/0x3268
[ 90.939612][ T3700] em28xx_init_extension+0x12f/0x1f0
[ 90.943736][ T3700] request_module_async+0x5d/0x70
[ 90.947891][ T3700] process_one_work+0x991/0x1610
[ 90.951815][ T3700] worker_thread+0x665/0x1080
[ 90.955151][ T3700] kthread+0x2e4/0x3a0
[ 90.958151][ T3700] ret_from_fork+0x1f/0x30
[ 90.961110][ T3700]
[ 90.962681][ T3700] Freed by task 3700:
[ 90.965420][ T3700] kasan_save_stack+0x1e/0x40
[ 90.969033][ T3700] kasan_set_track+0x21/0x30
[ 90.972519][ T3700] kasan_set_free_info+0x20/0x30
[ 90.975819][ T3700] ____kasan_slab_free+0x13d/0x1a0
[ 90.979213][ T3700] kfree+0x173/0x390
[ 90.981782][ T3700] tuner_remove+0x198/0x200
[ 90.984651][ T3700] i2c_device_remove+0x76/0x250
[ 90.987805][ T3700] device_remove+0xc8/0x170
[ 90.990721][ T3700] device_release_driver_internal+0x4a1/0x700
[ 90.994440][ T3700] bus_remove_device+0x2e3/0x590
[ 90.997415][ T3700] device_del+0x4f3/0xc80
[ 91.000094][ T3700] device_unregister+0x1a/0xc0
[ 91.003064][ T3700] i2c_unregister_device+0x38/0x40
[ 91.006210][ T3700] v4l2_i2c_subdev_unregister+0xa2/0xc0
[ 91.009409][ T3700] v4l2_device_unregister+0x20d/0x2e0
[ 91.012762][ T3700] em28xx_v4l2_init.cold+0xca7/0x3268
[ 91.015732][ T3700] em28xx_init_extension+0x12f/0x1f0
[ 91.018899][ T3700] request_module_async+0x5d/0x70
[ 91.022712][ T3700] process_one_work+0x991/0x1610
[ 91.026507][ T3700] worker_thread+0x665/0x1080
[ 91.030145][ T3700] kthread+0x2e4/0x3a0
[ 91.033244][ T3700] ret_from_fork+0x1f/0x30
[ 91.036898][ T3700]
[ 91.038834][ T3700] The buggy address belongs to the object at ffff888021c28000
[ 91.038834][ T3700] which belongs to the cache kmalloc-2k of size 2048
[ 91.049555][ T3700] The buggy address is located 792 bytes inside of
[ 91.049555][ T3700] 2048-byte region [ffff888021c28000, ffff888021c28800)
[ 91.059594][ T3700]
[ 91.061537][ T3700] The buggy address belongs to the physical page:
[ 91.066836][ T3700] page:ffffea0000870a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21c28
[ 91.075115][ T3700] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 91.081238][ T3700] raw: 00fff00000000200 ffffea000087a848 ffffea000052d508 ffff888010c40800
[ 91.087129][ T3700] raw: 0000000000000000 ffff888021c28000 0000000100000001 0000000000000000
[ 91.093086][ T3700] page dumped because: kasan: bad access detected
[ 91.096881][ T3700] page_owner tracks the page as allocated
[ 91.100703][ T3700] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2c2220(__GFP_HIGH|__GFP_ATOMIC|__GFP_NOWARN|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_THISNODE), pid 2673, tgid 2673 (kworker/3:2), ts 66713261328, free_ts 65903756468
[ 91.114791][ T3700] get_page_from_freelist+0x109b/0x2ce0
[ 91.118921][ T3700] __alloc_pages_slowpath.constprop.0+0x2d7/0x2240
[ 91.123325][ T3700] __alloc_pages+0x43d/0x510
[ 91.126608][ T3700] cache_grow_begin+0x75/0x360
[ 91.130221][ T3700] cache_alloc_refill+0x27f/0x380
[ 91.133985][ T3700] kmem_cache_alloc_node_trace+0x50a/0x570
[ 91.138489][ T3700] __kmalloc_node_track_caller+0x38/0x60
[ 91.142722][ T3700] __alloc_skb+0xd9/0x2f0
[ 91.145883][ T3700] inet6_ifinfo_notify+0x72/0x150
[ 91.149850][ T3700] addrconf_notify+0x49b/0x1b90
[ 91.153021][ T3700] notifier_call_chain+0xb5/0x200
[ 91.156519][ T3700] call_netdevice_notifiers_info+0xb5/0x130
[ 91.161077][ T3700] netdev_state_change+0x100/0x130
[ 91.164611][ T3700] linkwatch_do_dev+0x10e/0x150
[ 91.168203][ T3700] __linkwatch_run_queue+0x23f/0x6a0
[ 91.172597][ T3700] linkwatch_event+0x4a/0x60
[ 91.176831][ T3700] page last free stack trace:
[ 91.180607][ T3700] free_pcp_prepare+0x5e4/0xd20
[ 91.184007][ T3700] free_unref_page+0x19/0x4d0
[ 91.187482][ T3700] drain_freelist.isra.0+0xc6/0x130
[ 91.191057][ T3700] cache_reap+0x1b9/0x2e0
[ 91.193517][ T3700] process_one_work+0x991/0x1610
[ 91.196474][ T3700] worker_thread+0x665/0x1080
[ 91.199317][ T3700] kthread+0x2e4/0x3a0
[ 91.201915][ T3700] ret_from_fork+0x1f/0x30
[ 91.204845][ T3700]
[ 91.206362][ T3700] Memory state around the buggy address:
[ 91.211136][ T3700] ffff888021c28200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.217203][ T3700] ffff888021c28280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.223206][ T3700] >ffff888021c28300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.229224][ T3700] ^
[ 91.232533][ T3700] ffff888021c28380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.238252][ T3700] ffff888021c28400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 91.244483][ T3700] ==================================================================
[ 91.252218][ T3700] Kernel panic - not syncing: panic_on_warn set ...
[ 91.256405][ T3700] CPU: 1 PID: 3700 Comm: kworker/1:5 Not tainted 6.0.0-rc3-syzkaller-00792-gdcf8e5633e2e #0
[ 91.262623][ T3700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
[ 91.268220][ T3700] Workqueue: events request_firmware_work_func
[ 91.272100][ T3700] Call Trace:
[ 91.274401][ T3700]
[ 91.276668][ T3700] dump_stack_lvl+0xcd/0x134
[ 91.279689][ T3700] panic+0x2c8/0x627
[ 91.282421][ T3700] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 91.286646][ T3700] ? preempt_schedule_common+0x59/0xc0
[ 91.290400][ T3700] ? preempt_schedule_thunk+0x16/0x18
[ 91.294275][ T3700] ? load_firmware_cb+0x269/0x290
[ 91.298120][ T3700] end_report.part.0+0x3f/0x7c
[ 91.301747][ T3700] kasan_report.cold+0xa/0xf
[ 91.304865][ T3700] ? load_firmware_cb+0x269/0x290
[ 91.308463][ T3700] ? seek_firmware.isra.0+0x610/0x610
[ 91.312435][ T3700] load_firmware_cb+0x269/0x290
[ 91.315541][ T3700] ? kfree+0x25b/0x390
[ 91.318372][ T3700] ? _request_firmware+0x5e4/0x9e0
[ 91.322848][ T3700] ? lockdep_hardirqs_on+0x79/0x100
[ 91.326776][ T3700] ? seek_firmware.isra.0+0x610/0x610
[ 91.330809][ T3700] ? assign_fw+0x640/0x640
[ 91.334158][ T3700] ? seek_firmware.isra.0+0x610/0x610
[ 91.338623][ T3700] request_firmware_work_func+0x12c/0x230
[ 91.342337][ T3700] ? request_partial_firmware_into_buf+0xa0/0xa0
[ 91.346967][ T3700] process_one_work+0x991/0x1610
[ 91.350453][ T3700] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 91.354702][ T3700] ? rwlock_bug.part.0+0x90/0x90
[ 91.359207][ T3700] ? _raw_spin_lock_irq+0x41/0x50
[ 91.363012][ T3700] worker_thread+0x665/0x1080
[ 91.365887][ T3700] ? __kthread_parkme+0x15f/0x220
[ 91.369160][ T3700] ? process_one_work+0x1610/0x1610
[ 91.373025][ T3700] kthread+0x2e4/0x3a0
[ 91.376064][ T3700] ? kthread_complete_and_exit+0x40/0x40
[ 91.379873][ T3700] ret_from_fork+0x1f/0x30
[ 91.382602][ T3700]
[ 91.385634][ T3700] Kernel Offset: disabled
[ 91.388278][ T3700] Rebooting in 86400 seconds..