Warning: Permanently added '10.128.1.145' (ED25519) to the list of known hosts.
1970/01/01 00:01:32 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:01:34 parsed 1 programs
[ 97.520152][ T6998] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 109.642835][ T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 109.644197][ T52] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 109.644851][ T52] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 109.645595][ T52] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 109.646145][ T52] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 110.086426][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 110.086479][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 110.097990][ T297] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 110.098046][ T297] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 110.665777][ T7081] chnl_net:caif_netlink_parms(): no params data found
[ 110.826893][ T7081] bridge0: port 1(bridge_slave_0) entered blocking state
[ 110.826971][ T7081] bridge0: port 1(bridge_slave_0) entered disabled state
[ 110.827108][ T7081] bridge_slave_0: entered allmulticast mode
[ 110.827926][ T7081] bridge_slave_0: entered promiscuous mode
[ 110.829783][ T7081] bridge0: port 2(bridge_slave_1) entered blocking state
[ 110.829832][ T7081] bridge0: port 2(bridge_slave_1) entered disabled state
[ 110.829947][ T7081] bridge_slave_1: entered allmulticast mode
[ 110.830736][ T7081] bridge_slave_1: entered promiscuous mode
[ 110.886103][ T7081] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 110.887825][ T7081] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 110.914100][ T7081] team0: Port device team_slave_0 added
[ 110.916016][ T7081] team0: Port device team_slave_1 added
[ 110.932369][ T7081] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 110.932427][ T7081] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 110.932461][ T7081] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 110.933581][ T7081] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 110.933606][ T7081] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 110.933635][ T7081] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 110.957922][ T7081] hsr_slave_0: entered promiscuous mode
[ 110.958424][ T7081] hsr_slave_1: entered promiscuous mode
[ 111.879769][ T7081] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 111.884114][ T7081] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 111.887933][ T7081] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 111.891875][ T7081] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 111.935896][ T7081] 8021q: adding VLAN 0 to HW filter on device bond0
[ 111.947908][ T7081] 8021q: adding VLAN 0 to HW filter on device team0
[ 111.953764][ T297] bridge0: port 1(bridge_slave_0) entered blocking state
[ 111.953842][ T297] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 111.954704][ T297] bridge0: port 2(bridge_slave_1) entered blocking state
[ 111.954780][ T297] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 112.066105][ T7081] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 112.088242][ T7081] veth0_vlan: entered promiscuous mode
[ 112.091893][ T7081] veth1_vlan: entered promiscuous mode
[ 112.114697][ T7081] veth0_macvtap: entered promiscuous mode
[ 112.116484][ T7081] veth1_macvtap: entered promiscuous mode
[ 112.124087][ T7081] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 112.127539][ T7081] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 112.134298][ T7081] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 112.134370][ T7081] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 112.134402][ T7081] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 112.134433][ T7081] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 112.447060][ T12] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 112.554628][ T12] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 112.620172][ T12] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 112.695769][ T12] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
1970/01/01 00:01:52 executed programs: 0
[ 113.005655][ T6088] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 113.008509][ T6088] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 113.011207][ T6088] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 113.016036][ T6088] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 113.018655][ T6088] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 113.119071][ T7235] chnl_net:caif_netlink_parms(): no params data found
[ 113.170700][ T7235] bridge0: port 1(bridge_slave_0) entered blocking state
[ 113.173010][ T7235] bridge0: port 1(bridge_slave_0) entered disabled state
[ 113.175277][ T7235] bridge_slave_0: entered allmulticast mode
[ 113.178068][ T7235] bridge_slave_0: entered promiscuous mode
[ 113.181401][ T7235] bridge0: port 2(bridge_slave_1) entered blocking state
[ 113.185554][ T7235] bridge0: port 2(bridge_slave_1) entered disabled state
[ 113.187849][ T7235] bridge_slave_1: entered allmulticast mode
[ 113.190525][ T7235] bridge_slave_1: entered promiscuous mode
[ 113.215750][ T7235] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 113.220195][ T7235] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 113.245043][ T7235] team0: Port device team_slave_0 added
[ 113.248333][ T7235] team0: Port device team_slave_1 added
[ 113.270066][ T7235] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 113.272197][ T7235] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 113.279804][ T7235] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 113.290300][ T7235] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 113.292493][ T7235] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 113.299911][ T7235] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 113.325081][ T7235] hsr_slave_0: entered promiscuous mode
[ 113.325589][ T7235] hsr_slave_1: entered promiscuous mode
[ 113.325899][ T7235] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 113.325937][ T7235] Cannot create hsr debugfs directory
[ 115.032206][ T6088] Bluetooth: hci0: command tx timeout
[ 115.987490][ T12] bridge_slave_1: left allmulticast mode
[ 115.987551][ T12] bridge_slave_1: left promiscuous mode
[ 115.987668][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 116.001675][ T12] bridge_slave_0: left allmulticast mode
[ 116.009862][ T12] bridge_slave_0: left promiscuous mode
[ 116.010032][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 117.112198][ T6088] Bluetooth: hci0: command tx timeout
[ 117.484590][ T12] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 117.524484][ T12] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 117.583963][ T12] bond0 (unregistering): Released all slaves
[ 117.681662][ T12] hsr_slave_0: left promiscuous mode
[ 117.685996][ T12] hsr_slave_1: left promiscuous mode
[ 117.686455][ T12] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 117.686493][ T12] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 117.688890][ T12] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 117.688925][ T12] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 117.700576][ T12] veth1_macvtap: left promiscuous mode
[ 117.700677][ T12] veth0_macvtap: left promiscuous mode
[ 117.700795][ T12] veth1_vlan: left promiscuous mode
[ 117.700868][ T12] veth0_vlan: left promiscuous mode
[ 119.202203][ T6088] Bluetooth: hci0: command tx timeout
[ 119.625060][ T12] team0 (unregistering): Port device team_slave_1 removed
[ 119.863264][ T12] team0 (unregistering): Port device team_slave_0 removed
[ 121.272243][ T6088] Bluetooth: hci0: command tx timeout
[ 122.746424][ T7235] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 122.748601][ T7235] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 122.751461][ T7235] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 122.756181][ T7235] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 122.890169][ T7235] 8021q: adding VLAN 0 to HW filter on device bond0
[ 122.908251][ T7235] 8021q: adding VLAN 0 to HW filter on device team0
[ 122.921418][ T636] bridge0: port 1(bridge_slave_0) entered blocking state
[ 122.921501][ T636] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 122.922465][ T636] bridge0: port 2(bridge_slave_1) entered blocking state
[ 122.922508][ T636] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 123.133507][ T7235] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 123.161312][ T7235] veth0_vlan: entered promiscuous mode
[ 123.171166][ T7235] veth1_vlan: entered promiscuous mode
[ 123.191332][ T7235] veth0_macvtap: entered promiscuous mode
[ 123.193686][ T7235] veth1_macvtap: entered promiscuous mode
[ 123.199162][ T7235] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 123.200902][ T7235] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 123.202937][ T7235] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 123.202977][ T7235] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 123.203008][ T7235] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 123.203038][ T7235] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 123.245090][ T14] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 123.245148][ T14] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 123.261450][ T14] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 123.261508][ T14] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
1970/01/01 00:02:02 executed programs: 2
[ 123.572481][ T24] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 123.725359][ T24] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 123.727269][ T24] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=fc.a0
[ 123.727305][ T24] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 123.727330][ T24] usb 1-1: Product: syz
[ 123.727351][ T24] usb 1-1: Manufacturer: syz
[ 123.727372][ T24] usb 1-1: SerialNumber: syz
[ 123.731496][ T24] usb 1-1: config 0 descriptor??
[ 123.736236][ T24] em28xx 1-1:0.0: New device syz syz @ 480 Mbps (eb1a:e303, interface 0, class 0)
[ 123.736290][ T24] em28xx 1-1:0.0: Video interface 0 found:
[ 123.994598][ T24] em28xx 1-1:0.0: unknown em28xx chip ID (0)
[ 124.092549][ T24] em28xx 1-1:0.0: reading from i2c device at 0xa0 failed (error=-5)
[ 124.092665][ T24] em28xx 1-1:0.0: board has no eeprom
[ 124.152694][ T24] em28xx 1-1:0.0: Identified as Kaiomy TVnPC U2 (card=63)
[ 124.152777][ T24] em28xx 1-1:0.0: analog set to bulk mode.
[ 124.154435][ T3909] em28xx 1-1:0.0: Registering V4L2 extension
[ 124.165871][ T24] usb 1-1: USB disconnect, device number 2
[ 124.167157][ T24] em28xx 1-1:0.0: Disconnecting em28xx
[ 124.189573][ T3909] i2c i2c-1: Invalid 7-bit I2C address 0x00
[ 124.210372][ T3909] tuner: 1-0061: Tuner -1 found with type(s) Radio TV.
[ 124.212005][ T3909] xc2028 1-0061: creating new instance
[ 124.212055][ T3909] xc2028 1-0061: type set to XCeive xc2028/xc3028 tuner
[ 124.216143][ T3909] em28xx 1-1:0.0: Config register raw data: 0xffffffed
[ 124.216176][ T3909] em28xx 1-1:0.0: AC97 chip type couldn't be determined
[ 124.216197][ T3909] em28xx 1-1:0.0: No AC97 audio processor
[ 124.218629][ T3909] em28xx 1-1:0.0: Registered radio device as radio2
[ 124.218675][ T3909] usb 1-1: Decoder not found
[ 124.218697][ T3909] em28xx 1-1:0.0: failed to create media graph
[ 124.218757][ T3909] em28xx 1-1:0.0: V4L2 device radio2 deregistered
[ 124.220664][ T3909] em28xx 1-1:0.0: V4L2 device video11 deregistered
[ 124.222031][ T3909] xc2028 1-0061: destroying instance
[ 124.224398][ T3909] em28xx 1-1:0.0: Registering input extension
[ 124.225601][ T24] em28xx 1-1:0.0: Closing input extension
[ 124.231871][ T24] em28xx 1-1:0.0: Freeing device
[ 124.245448][ T3909] usb 1-1:0.0: Direct firmware load for xc3028-v27.fw failed with error -2
[ 124.245516][ T3909] usb 1-1:0.0: Falling back to sysfs fallback for: xc3028-v27.fw
[ 124.245595][ T3909] kobject: kobject ** replaying previous printk message **
[ 124.245595][ T3909] kobject: kobject_add_internal failed for firmware (error: -2 parent: 1-1:0.0)
[ 124.245665][ T3909] firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
[ 124.245774][ T3909] ==================================================================
[ 124.245788][ T3909] BUG: KASAN: slab-use-after-free in load_firmware_cb+0xbc/0x14f4
[ 124.245811][ T3909] Read of size 8 at addr ffff0000db465318 by task kworker/1:2/3909
[ 124.245827][ T3909]
[ 124.245838][ T3909] CPU: 1 UID: 0 PID: 3909 Comm: kworker/1:2 Not tainted 6.16.0-rc2-syzkaller-00009-g9aa9b43d689e #0 PREEMPT
[ 124.245851][ T3909] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 124.245859][ T3909] Workqueue: events request_firmware_work_func
[ 124.245876][ T3909] Call trace:
[ 124.245880][ T3909] show_stack+0x2c/0x3c (C)
[ 124.245896][ T3909] __dump_stack+0x30/0x40
[ 124.245910][ T3909] dump_stack_lvl+0xd8/0x12c
[ 124.245924][ T3909] print_address_description+0xa8/0x254
[ 124.245937][ T3909] print_report+0x68/0x84
[ 124.245949][ T3909] kasan_report+0xb0/0x110
[ 124.245960][ T3909] __asan_report_load8_noabort+0x20/0x2c
[ 124.245972][ T3909] load_firmware_cb+0xbc/0x14f4
[ 124.245984][ T3909] request_firmware_work_func+0xe8/0x19c
[ 124.245998][ T3909] process_one_work+0x7e8/0x155c
[ 124.246012][ T3909] worker_thread+0x958/0xed8
[ 124.246026][ T3909] kthread+0x5fc/0x75c
[ 124.246038][ T3909] ret_from_fork+0x10/0x20
[ 124.246049][ T3909]
[ 124.246134][ T3909] Allocated by task 3909:
[ 124.246146][ T3909] kasan_save_track+0x40/0x78
[ 124.246165][ T3909] kasan_save_alloc_info+0x44/0x54
[ 124.246181][ T3909] __kasan_kmalloc+0x9c/0xb4
[ 124.246198][ T3909] __kmalloc_cache_noprof+0x2a4/0x3fc
[ 124.246214][ T3909] tuner_probe+0xc4/0x1690
[ 124.246230][ T3909] i2c_device_probe+0x864/0x9d0
[ 124.246246][ T3909] really_probe+0x394/0x910
[ 124.246262][ T3909] __driver_probe_device+0x180/0x2d4
[ 124.246277][ T3909] driver_probe_device+0x78/0x330
[ 124.246293][ T3909] __device_attach_driver+0x290/0x4e0
[ 124.246308][ T3909] bus_for_each_drv+0x220/0x2b4
[ 124.246326][ T3909] __device_attach+0x26c/0x388
[ 124.246341][ T3909] device_initial_probe+0x24/0x34
[ 124.246356][ T3909] bus_probe_device+0x178/0x240
[ 124.246374][ T3909] device_add+0x71c/0xa60
[ 124.246390][ T3909] device_register+0x28/0x38
[ 124.246406][ T3909] i2c_new_client_device+0x834/0xe9c
[ 124.246421][ T3909] v4l2_i2c_new_subdev_board+0xb0/0x224
[ 124.246441][ T3909] v4l2_i2c_new_subdev+0x138/0x1c0
[ 124.246459][ T3909] em28xx_v4l2_init+0x6f4/0x2918
[ 124.246475][ T3909] em28xx_init_extension+0x10c/0x1b4
[ 124.246490][ T3909] request_module_async+0x68/0x98
[ 124.246509][ T3909] process_one_work+0x7e8/0x155c
[ 124.246527][ T3909] worker_thread+0x958/0xed8
[ 124.246544][ T3909] kthread+0x5fc/0x75c
[ 124.246560][ T3909] ret_from_fork+0x10/0x20
[ 124.246575][ T3909]
[ 124.246583][ T3909] Freed by task 3909:
[ 124.246595][ T3909] kasan_save_track+0x40/0x78
[ 124.246612][ T3909] kasan_save_free_info+0x58/0x70
[ 124.246628][ T3909] __kasan_slab_free+0x68/0x88
[ 124.246645][ T3909] kfree+0x17c/0x474
[ 124.246664][ T3909] tuner_remove+0x1d8/0x1f4
[ 124.246679][ T3909] i2c_device_remove+0x8c/0x1dc
[ 124.246695][ T3909] device_release_driver_internal+0x3a8/0x658
[ 124.246711][ T3909] device_release_driver+0x28/0x38
[ 124.246740][ T3909] bus_remove_device+0x310/0x3b0
[ 124.246758][ T3909] device_del+0x47c/0x808
[ 124.246774][ T3909] device_unregister+0x2c/0xcc
[ 124.246791][ T3909] i2c_unregister_device+0x1a4/0x200
[ 124.246807][ T3909] v4l2_i2c_subdev_unregister+0xa8/0xbc
[ 124.246825][ T3909] v4l2_device_unregister+0x170/0x248
[ 124.246841][ T3909] em28xx_v4l2_init+0x1328/0x2918
[ 124.246861][ T3909] em28xx_init_extension+0x10c/0x1b4
[ 124.246876][ T3909] request_module_async+0x68/0x98
[ 124.246891][ T3909] process_one_work+0x7e8/0x155c
[ 124.246908][ T3909] worker_thread+0x958/0xed8
[ 124.246926][ T3909] kthread+0x5fc/0x75c
[ 124.246942][ T3909] ret_from_fork+0x10/0x20
[ 124.246956][ T3909]
[ 124.246965][ T3909] The buggy address belongs to the object at ffff0000db465000
[ 124.246965][ T3909] which belongs to the cache kmalloc-2k of size 2048
[ 124.246981][ T3909] The buggy address is located 792 bytes inside of
[ 124.246981][ T3909] freed 2048-byte region [ffff0000db465000, ffff0000db465800)
[ 124.246999][ T3909]
[ 124.247008][ T3909] The buggy address belongs to the physical page:
[ 124.247019][ T3909] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000db461000 pfn:0x11b460
[ 124.247038][ T3909] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 124.247053][ T3909] flags: 0x5ffc00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
[ 124.247072][ T3909] page_type: f5(slab)
[ 124.247089][ T3909] raw: 05ffc00000000240 ffff0000c0002000 fffffdffc3385010 fffffdffc3762210
[ 124.247106][ T3909] raw: ffff0000db461000 0000000000080006 00000000f5000000 0000000000000000
[ 124.247122][ T3909] head: 05ffc00000000240 ffff0000c0002000 fffffdffc3385010 fffffdffc3762210
[ 124.247139][ T3909] head: ffff0000db461000 0000000000080006 00000000f5000000 0000000000000000
[ 124.247155][ T3909] head: 05ffc00000000003 fffffdffc36d1801 00000000ffffffff 00000000ffffffff
[ 124.247171][ T3909] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 124.247183][ T3909] page dumped because: kasan: bad access detected
[ 124.247194][ T3909]
[ 124.247202][ T3909] Memory state around the buggy address:
[ 124.247214][ T3909]  ffff0000db465200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 124.247228][ T3909]  ffff0000db465280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 124.247242][ T3909] >ffff0000db465300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 124.247254][ T3909]                             ^
[ 124.247266][ T3909]  ffff0000db465380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 124.247280][ T3909]  ffff0000db465400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 124.247291][ T3909] ==================================================================
[ 124.250429][ T3909] Disabling lock debugging due to kernel taint
[ 124.250460][ T3909] Unable to handle kernel paging request at virtual address dfff800000000005
[ 124.250478][ T3909] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 124.250530][ T3909] Mem abort info:
[ 124.250544][ T3909] ESR = 0x0000000096000005
[ 124.250560][ T3909] EC = 0x25: DABT (current EL), IL = 32 bits
[ 124.250577][ T3909] SET = 0, FnV = 0
[ 124.250747][ T3909] EA = 0, S1PTW = 0
[ 124.250763][ T3909] FSC = 0x05: level 1 translation fault
[ 124.250922][ T3909] Data abort info:
[ 124.250939][ T3909] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 124.250955][ T3909] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 124.250972][ T3909] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 124.251127][ T3909] [dfff800000000005] address between user and kernel address ranges
[ 124.251148][ T3909] Internal error: Oops: 0000000096000005 [#1] SMP
[ 124.431254][ T3909] Modules linked in:
[ 124.432386][ T3909] CPU: 1 UID: 0 PID: 3909 Comm: kworker/1:2 Tainted: G B 6.16.0-rc2-syzkaller-00009-g9aa9b43d689e #0 PREEMPT
[ 124.436122][ T3909] Tainted: [B]=BAD_PAGE
[ 124.437304][ T3909] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 124.440116][ T3909] Workqueue: events request_firmware_work_func
[ 124.441928][ T3909] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 124.444058][ T3909] pc : load_firmware_cb+0x22c/0x14f4
[ 124.445519][ T3909] lr : load_firmware_cb+0xe0/0x14f4
[ 124.447007][ T3909] sp : ffff8000a4217880
[ 124.448189][ T3909] x29: ffff8000a42179d0 x28: 1ffff00011ec629b x27: 0000000000000000
[ 124.450450][ T3909] x26: dfff800000000000 x25: ffff700014842f24 x24: 1fffe0001b68ca63
[ 124.452735][ T3909] x23: ffff8000a4217920 x22: 0000000000000000 x21: 0000000000000000
[ 124.455023][ T3909] x20: 0000000000000000 x19: ffff0000db465318 x18: 1fffe000337e1476
[ 124.457264][ T3909] x17: 0000000000000000 x16: ffff80008aecb65c x15: 0000000000000001
[ 124.459553][ T3909] x14: 1ffff000125d0af8 x13: 0000000000000000 x12: 0000000000000000
[ 124.461844][ T3909] x11: ffff7000125d0af9 x10: 0000000000ff0100 x9 : 0000000000000000
[ 124.464127][ T3909] x8 : 0000000000000005 x7 : 0000000000000001 x6 : 0000000000000001
[ 124.466423][ T3909] x5 : ffff8000a42170f8 x4 : ffff80008f727060 x3 : ffff8000803b70c8
[ 124.468694][ T3909] x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000028
[ 124.470997][ T3909] Call trace:
[ 124.471910][ T3909] load_firmware_cb+0x22c/0x14f4 (P)
[ 124.473412][ T3909] request_firmware_work_func+0xe8/0x19c
[ 124.475043][ T3909] process_one_work+0x7e8/0x155c
[ 124.476385][ T3909] worker_thread+0x958/0xed8
[ 124.477655][ T3909] kthread+0x5fc/0x75c
[ 124.478749][ T3909] ret_from_fork+0x10/0x20
[ 124.479973][ T3909] Code: b5fff65b f9403bf6 9100a2c0 d343fc08 (387a6908)
[ 124.481912][ T3909] ---[ end trace 0000000000000000 ]---
[ 124.873527][ T3909] Kernel panic - not syncing: Oops: Fatal exception
[ 124.875358][ T3909] SMP: stopping secondary CPUs
[ 124.876665][ T3909] Kernel Offset: disabled
[ 124.877860][ T3909] CPU features: 0x2000,000081c0,020004a1,04017203
[ 124.879599][ T3909] Memory Limit: none
[ 125.238036][ T3909] Rebooting in 86400 seconds..