Warning: Permanently added '10.128.0.17' (ED25519) to the list of known hosts.
1970/01/01 00:00:57 parsed 1 programs
[ 58.599281][ T6885] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 62.764417][ T53] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 62.766210][ T53] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 62.767127][ T53] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 62.767454][ T53] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 62.767636][ T53] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 63.473294][ T14] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 63.473325][ T14] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 63.479394][ T14] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 63.479426][ T14] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 63.997123][ T6955] chnl_net:caif_netlink_parms(): no params data found
[ 64.016425][ T6955] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.016464][ T6955] bridge0: port 1(bridge_slave_0) entered disabled state
[ 64.016520][ T6955] bridge_slave_0: entered allmulticast mode
[ 64.016957][ T6955] bridge_slave_0: entered promiscuous mode
[ 64.017530][ T6955] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.017546][ T6955] bridge0: port 2(bridge_slave_1) entered disabled state
[ 64.017589][ T6955] bridge_slave_1: entered allmulticast mode
[ 64.017953][ T6955] bridge_slave_1: entered promiscuous mode
[ 64.029308][ T6955] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 64.030743][ T6955] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 64.037604][ T6955] team0: Port device team_slave_0 added
[ 64.038606][ T6955] team0: Port device team_slave_1 added
[ 64.075455][ T6955] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 64.075480][ T6955] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 64.075494][ T6955] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 64.076006][ T6955] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 64.076013][ T6955] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 64.076026][ T6955] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 64.091216][ T6955] hsr_slave_0: entered promiscuous mode
[ 64.091508][ T6955] hsr_slave_1: entered promiscuous mode
[ 64.502456][ T24] cfg80211: failed to load regulatory.db
[ 64.504883][ T2454] ieee802154 phy0 wpan0: encryption failed: -22
[ 64.505076][ T2454] ieee802154 phy1 wpan1: encryption failed: -22
[ 64.524714][ T6955] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 64.528738][ T6955] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 64.532710][ T6955] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 64.535457][ T6955] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 64.601021][ T6955] 8021q: adding VLAN 0 to HW filter on device bond0
[ 64.604878][ T6955] 8021q: adding VLAN 0 to HW filter on device team0
[ 64.610757][ T968] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.610808][ T968] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.617582][ T266] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.617629][ T266] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.675463][ T6955] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 64.685699][ T6955] veth0_vlan: entered promiscuous mode
[ 64.689227][ T6955] veth1_vlan: entered promiscuous mode
[ 64.704016][ T6955] veth0_macvtap: entered promiscuous mode
[ 64.706443][ T6955] veth1_macvtap: entered promiscuous mode
[ 64.718522][ T6955] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 64.723459][ T6955] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 64.729712][ T968] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.729786][ T968] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.730657][ T968] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.730705][ T968] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.914818][ T266] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 64.973982][ T266] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 65.022059][ T266] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
1970/01/01 00:01:05 executed programs: 0
[ 65.073730][ T266] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 65.093724][ T6153] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 65.095158][ T6153] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 65.096450][ T6153] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 65.098146][ T6153] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 65.098827][ T6153] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 65.153785][ T7076] chnl_net:caif_netlink_parms(): no params data found
[ 65.177072][ T7076] bridge0: port 1(bridge_slave_0) entered blocking state
[ 65.178443][ T7076] bridge0: port 1(bridge_slave_0) entered disabled state
[ 65.179735][ T7076] bridge_slave_0: entered allmulticast mode
[ 65.181725][ T7076] bridge_slave_0: entered promiscuous mode
[ 65.183588][ T7076] bridge0: port 2(bridge_slave_1) entered blocking state
[ 65.184831][ T7076] bridge0: port 2(bridge_slave_1) entered disabled state
[ 65.186148][ T7076] bridge_slave_1: entered allmulticast mode
[ 65.187557][ T7076] bridge_slave_1: entered promiscuous mode
[ 65.199839][ T7076] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 65.203039][ T7076] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 65.213283][ T7076] team0: Port device team_slave_0 added
[ 65.215088][ T7076] team0: Port device team_slave_1 added
[ 65.223077][ T7076] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 65.224155][ T7076] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 65.227915][ T7076] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 65.230282][ T7076] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 65.231438][ T7076] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 65.235258][ T7076] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 65.250029][ T7076] hsr_slave_0: entered promiscuous mode
[ 65.251445][ T7076] hsr_slave_1: entered promiscuous mode
[ 65.252630][ T7076] debugfs: 'hsr0' already exists in 'hsr'
[ 65.253597][ T7076] Cannot create hsr debugfs directory
[ 67.140447][ T6153] Bluetooth: hci0: command tx timeout
[ 68.289186][ T266] bridge_slave_1: left allmulticast mode
[ 68.291660][ T266] bridge_slave_1: left promiscuous mode
[ 68.292802][ T266] bridge0: port 2(bridge_slave_1) entered disabled state
[ 68.295490][ T266] bridge_slave_0: left allmulticast mode
[ 68.295513][ T266] bridge_slave_0: left promiscuous mode
[ 68.295600][ T266] bridge0: port 1(bridge_slave_0) entered disabled state
[ 68.463840][ T266] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 68.501313][ T266] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 68.550994][ T266] bond0 (unregistering): Released all slaves
[ 68.625608][ T266] hsr_slave_0: left promiscuous mode
[ 68.626780][ T266] hsr_slave_1: left promiscuous mode
[ 68.627308][ T266] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 68.627320][ T266] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 68.631777][ T266] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 68.631811][ T266] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 68.638875][ T266] veth1_macvtap: left promiscuous mode
[ 68.639912][ T266] veth0_macvtap: left promiscuous mode
[ 68.641153][ T266] veth1_vlan: left promiscuous mode
[ 68.642167][ T266] veth0_vlan: left promiscuous mode
[ 68.758733][ T266] team0 (unregistering): Port device team_slave_1 removed
[ 68.765123][ T266] team0 (unregistering): Port device team_slave_0 removed
[ 69.112920][ T7076] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 69.115513][ T7076] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 69.121640][ T7076] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 69.124212][ T7076] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 69.163255][ T7076] 8021q: adding VLAN 0 to HW filter on device bond0
[ 69.167796][ T7076] 8021q: adding VLAN 0 to HW filter on device team0
[ 69.171100][ T14] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.171156][ T14] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.174861][ T968] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.174922][ T968] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.220307][ T6153] Bluetooth: hci0: command tx timeout
[ 69.253033][ T7076] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 69.264500][ T7076] veth0_vlan: entered promiscuous mode
[ 69.265974][ T7076] veth1_vlan: entered promiscuous mode
[ 69.274052][ T7076] veth0_macvtap: entered promiscuous mode
[ 69.275019][ T7076] veth1_macvtap: entered promiscuous mode
[ 69.278448][ T7076] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 69.279350][ T7076] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 69.281259][ T14] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.281322][ T14] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.281448][ T14] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.281508][ T14] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.305041][ T968] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 69.306397][ T968] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 69.313668][ T41] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 69.313704][ T41] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 69.590400][ T6564] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 69.771823][ T6564] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 69.774716][ T6564] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=fc.a0
[ 69.774745][ T6564] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 69.774757][ T6564] usb 1-1: Product: syz
[ 69.774765][ T6564] usb 1-1: Manufacturer: syz
[ 69.774771][ T6564] usb 1-1: SerialNumber: syz
[ 69.776700][ T6564] usb 1-1: config 0 descriptor??
[ 69.782320][ T6564] em28xx 1-1:0.0: New device syz syz @ 480 Mbps (eb1a:e303, interface 0, class 0)
[ 69.782353][ T6564] em28xx 1-1:0.0: Video interface 0 found:
[ 70.040298][ T6564] em28xx 1-1:0.0: unknown em28xx chip ID (0)
[ 70.138440][ T6564] em28xx 1-1:0.0: reading from i2c device at 0xa0 failed (error=-5)
[ 70.138477][ T6564] em28xx 1-1:0.0: board has no eeprom
[ 70.190162][ T6564] em28xx 1-1:0.0: Identified as Kaiomy TVnPC U2 (card=63)
[ 70.190198][ T6564] em28xx 1-1:0.0: analog set to bulk mode.
[ 70.191544][ T6571] em28xx 1-1:0.0: Registering V4L2 extension
[ 70.195422][ T6564] usb 1-1: USB disconnect, device number 2
[ 70.196069][ T6564] em28xx 1-1:0.0: Disconnecting em28xx
[ 70.209927][ T6571] i2c i2c-1: Invalid 7-bit I2C address 0x00
[ 70.218442][ T6571] tuner: 1-0061: Tuner -1 found with type(s) Radio TV.
[ 70.218918][ T6571] xc2028 1-0061: creating new instance
[ 70.218928][ T6571] xc2028 1-0061: type set to XCeive xc2028/xc3028 tuner
[ 70.219045][ T6571] em28xx 1-1:0.0: Config register raw data: 0xffffffed
[ 70.219052][ T6571] em28xx 1-1:0.0: AC97 chip type couldn't be determined
[ 70.219057][ T6571] em28xx 1-1:0.0: No AC97 audio processor
[ 70.221618][ T6571] em28xx 1-1:0.0: Registered radio device as radio2
[ 70.221641][ T6571] usb 1-1: Decoder not found
[ 70.221648][ T6571] em28xx 1-1:0.0: failed to create media graph
[ 70.221663][ T6571] em28xx 1-1:0.0: V4L2 device radio2 deregistered
[ 70.222600][ T6571] em28xx 1-1:0.0: V4L2 device video11 deregistered
[ 70.223312][ T6571] xc2028 1-0061: destroying instance
[ 70.223715][ T6571] em28xx 1-1:0.0: Registering input extension
[ 70.224777][ T6564] em28xx 1-1:0.0: Closing input extension
[ 70.227919][ T6564] em28xx 1-1:0.0: Freeing device
[ 70.233823][ T6571] usb 1-1:0.0: Direct firmwar
** replaying previous printk message **
[ 70.233823][ T6571] usb 1-1:0.0: Direct firmware load for xc3028-v27.fw failed with error -2
[ 70.233858][ T6571] usb 1-1:0.0: Falling back to sysfs fallback for: xc3028-v27.fw
[ 70.233906][ T6571] kobject: kobject_add_internal failed for firmware (error: -2 parent: 1-1:0.0)
[ 70.233923][ T6571] firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
[ 70.233957][ T6571] ==================================================================
[ 70.233961][ T6571] BUG: KASAN: slab-use-after-free in load_firmware_cb+0xbc/0x14f4
[ 70.233977][ T6571] Read of size 8 at addr ffff0000c8900318 by task kworker/1:4/6571
[ 70.233983][ T6571]
[ 70.233987][ T6571] CPU: 1 UID: 0 PID: 6571 Comm: kworker/1:4 Not tainted syzkaller #0 PREEMPT
[ 70.233993][ T6571] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
[ 70.233997][ T6571] Workqueue: events request_firmware_work_func
[ 70.234010][ T6571] Call trace:
[ 70.234012][ T6571] show_stack+0x2c/0x3c (C)
[ 70.234021][ T6571] __dump_stack+0x30/0x40
[ 70.234027][ T6571] dump_stack_lvl+0xd8/0x12c
[ 70.234032][ T6571] print_address_description+0xa8/0x238
[ 70.234042][ T6571] print_report+0x68/0x84
[ 70.234048][ T6571] kasan_report+0xb0/0x110
[ 70.234054][ T6571] __asan_report_load8_noabort+0x20/0x2c
[ 70.234061][ T6571] load_firmware_cb+0xbc/0x14f4
[ 70.234067][ T6571] request_firmware_work_func+0xe8/0x19c
[ 70.234073][ T6571] process_one_work+0x7e8/0x155c
[ 70.234079][ T6571] worker_thread+0x958/0xed8
[ 70.234084][ T6571] kthread+0x5fc/0x75c
[ 70.234091][ T6571] ret_from_fork+0x10/0x20
[ 70.234096][ T6571]
[ 70.234098][ T6571] Allocated by task 6571:
[ 70.234101][ T6571] kasan_save_track+0x40/0x78
[ 70.234105][ T6571] kasan_save_alloc_info+0x44/0x54
[ 70.234110][ T6571] __kasan_kmalloc+0x9c/0xb4
[ 70.234114][ T6571] __kmalloc_cache_noprof+0x3a4/0x65c
[ 70.234118][ T6571] tuner_probe+0xc4/0x1690
[ 70.234124][ T6571] i2c_device_probe+0x868/0x9c8
[ 70.234129][ T6571] really_probe+0x3b4/0x944
[ 70.234135][ T6571] __driver_probe_device+0x180/0x2d4
[ 70.234141][ T6571] driver_probe_device+0x78/0x330
[ 70.234147][ T6571] __device_attach_driver+0x290/0x4e0
[ 70.234152][ T6571] bus_for_each_drv+0x220/0x2b4
[ 70.234157][ T6571] __device_attach+0x26c/0x388
[ 70.234163][ T6571] device_initial_probe+0x24/0x34
[ 70.234168][ T6571] bus_probe_device+0x178/0x240
[ 70.234173][ T6571] device_add+0x71c/0xa60
[ 70.234177][ T6571] device_register+0x28/0x38
[ 70.234181][ T6571] i2c_new_client_device+0x834/0xe9c
[ 70.234186][ T6571] v4l2_i2c_new_subdev_board+0xb0/0x224
[ 70.234192][ T6571] v4l2_i2c_new_subdev+0x138/0x1c0
[ 70.234196][ T6571] em28xx_v4l2_init+0x6f4/0x2918
[ 70.234203][ T6571] em28xx_init_extension+0x10c/0x1b4
[ 70.234208][ T6571] request_module_async+0x68/0x98
[ 70.234214][ T6571] process_one_work+0x7e8/0x155c
[ 70.234218][ T6571] worker_thread+0x958/0xed8
[ 70.234222][ T6571] kthread+0x5fc/0x75c
[ 70.234227][ T6571] ret_from_fork+0x10/0x20
[ 70.234231][ T6571]
[ 70.234233][ T6571] Freed by task 6571:
[ 70.234235][ T6571] kasan_save_track+0x40/0x78
[ 70.234239][ T6571] __kasan_save_free_info+0x58/0x70
[ 70.234244][ T6571] __kasan_slab_free+0x74/0xa4
[ 70.234247][ T6571] kfree+0x184/0x600
[ 70.234251][ T6571] tuner_remove+0x1d8/0x1f4
[ 70.234256][ T6571] i2c_device_remove+0x8c/0x1d0
[ 70.234261][ T6571] device_release_driver_internal+0x3a8/0x68c
[ 70.234266][ T6571] device_release_driver+0x28/0x38
[ 70.234272][ T6571] bus_remove_device+0x310/0x3b0
[ 70.234277][ T6571] device_del+0x47c/0x808
[ 70.234281][ T6571] device_unregister+0x2c/0xcc
[ 70.234285][ T6571] i2c_unregister_device+0x1ac/0x208
[ 70.234291][ T6571] v4l2_i2c_subdev_unregister+0x68/0x78
[ 70.234295][ T6571] v4l2_device_unregister+0x170/0x248
[ 70.234300][ T6571] em28xx_v4l2_init+0x1328/0x2918
[ 70.234305][ T6571] em28xx_init_extension+0x10c/0x1b4
[ 70.234310][ T6571] request_module_async+0x68/0x98
[ 70.234316][ T6571] process_one_work+0x7e8/0x155c
[ 70.234320][ T6571] worker_thread+0x958/0xed8
[ 70.234324][ T6571] kthread+0x5fc/0x75c
[ 70.234329][ T6571] ret_from_fork+0x10/0x20
[ 70.234333][ T6571]
[ 70.234334][ T6571] The buggy address belongs to the object at ffff0000c8900000
[ 70.234334][ T6571] which belongs to the cache kmalloc-2k of size 2048
[ 70.234339][ T6571] The buggy address is located 792 bytes inside of
[ 70.234339][ T6571] freed 2048-byte region [ffff0000c8900000, ffff0000c8900800)
[ 70.234344][ T6571]
[ 70.234346][ T6571] The buggy address belongs to the physical page:
[ 70.234350][ T6571] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108900
[ 70.234355][ T6571] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 70.234360][ T6571] anon flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
[ 70.234366][ T6571] page_type: f5(slab)
[ 70.234372][ T6571] raw: 05ffc00000000040 ffff0000c0002000 0000000000000000 dead000000000001
[ 70.234376][ T6571] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 70.234380][ T6571] head: 05ffc00000000040 ffff0000c0002000 0000000000000000 dead000000000001
[ 70.234384][ T6571] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 70.234388][ T6571] head: 05ffc00000000003 fffffdffc3224001 00000000ffffffff 00000000ffffffff
[ 70.234392][ T6571] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 70.234394][ T6571] page dumped because: kasan: bad access detected
[ 70.234396][ T6571]
[ 70.234397][ T6571] Memory state around the buggy address:
[ 70.234400][ T6571] ffff0000c8900200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.234403][ T6571] ffff0000c8900280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.234406][ T6571] >ffff0000c8900300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.234409][ T6571] ^
[ 70.234411][ T6571] ffff0000c8900380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.234414][ T6571] ffff0000c8900400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.234416][ T6571] ==================================================================
[ 70.234420][ T6571] Disabling lock debugging due to kernel taint
[ 70.234430][ T6571] Unable to handle kernel paging request at virtual address dfff800000000005
[ 70.234434][ T6571] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 70.234438][ T6571] Mem abort info:
[ 70.234440][ T6571] ESR = 0x0000000096000005
[ 70.234443][ T6571] EC = 0x25: DABT (current EL), IL = 32 bits
[ 70.234446][ T6571] SET = 0, FnV = 0
[ 70.234449][ T6571] EA = 0, S1PTW = 0
[ 70.234452][ T6571] FSC = 0x05: level 1 translation fault
[ 70.234455][ T6571] Data abort info:
[ 70.234457][ T6571] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 70.234460][ T6571] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 70.234463][ T6571] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 70.234467][ T6571] [dfff800000000005] address between user and kernel address ranges
[ 70.234472][ T6571] Internal error: Oops: 0000000096000005 [#1] SMP
[ 70.328363][ T6571] Modules linked in:
[ 70.328958][ T6571] CPU: 1 UID: 0 PID: 6571 Comm: kworker/1:4 Tainted: G B syzkaller #0 PREEMPT
[ 70.330485][ T6571] Tainted: [B]=BAD_PAGE
[ 70.331092][ T6571] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
[ 70.332576][ T6571] Workqueue: events request_firmware_work_func
[ 70.333485][ T6571] pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
[ 70.334645][ T6571] pc : load_firmware_cb+0x22c/0x14f4
[ 70.335387][ T6571] lr : load_firmware_cb+0xe0/0x14f4
[ 70.336146][ T6571] sp : ffff8000a10b78a0
[ 70.336735][ T6571] x29: ffff8000a10b79f0 x28: 1ffff00011eb0278 x27: 0000000000000000
[ 70.337871][ T6571] x26: dfff800000000000 x25: ffff700014216f28 x24: 1fffe00019120063
[ 70.339020][ T6571] x23: ffff8000a10b7940 x22: 0000000000000000 x21: 0000000000000000
[ 70.340158][ T6571] x20: 0000000000000000 x19: ffff0000c8900318 x18: 00000000ffffffff
[ 70.341269][ T6571] x17: 3d3d3d3d3d3d3d3d x16: ffff800082debe40 x15: 0000000000000001
[ 70.342399][ T6571] x14: 1ffff000125cd314 x13: 0000000000000000 x12: 0000000000000000
[ 70.343529][ T6571] x11: ffff7000125cd315 x10: 0000000000ff0100 x9 : 0000000000000000
[ 70.344641][ T6571] x8 : 0000000000000005 x7 : 0000000000000001 x6 : ffff8000805653c0
[ 70.345746][ T6571] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000803c084c
[ 70.346871][ T6571] x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000028
[ 70.347977][ T6571] Call trace:
[ 70.348420][ T6571] load_firmware_cb+0x22c/0x14f4 (P)
[ 70.349129][ T6571] request_firmware_work_func+0xe8/0x19c
[ 70.349879][ T6571] process_one_work+0x7e8/0x155c
[ 70.350542][ T6571] worker_thread+0x958/0xed8
[ 70.351172][ T6571] kthread+0x5fc/0x75c
[ 70.351717][ T6571] ret_from_fork+0x10/0x20
[ 70.352316][ T6571] Code: b5fff65b f9403bf6 9100a2c0 d343fc08 (387a6908)
[ 70.353242][ T6571] ---[ end trace 0000000000000000 ]---
[ 70.540709][ T6571] Kernel panic - not syncing: Oops: Fatal exception
[ 70.541555][ T6571] SMP: stopping secondary CPUs
[ 70.542303][ T6571] Kernel Offset: disabled
[ 70.542981][ T6571] CPU features: 0x100000,0001e000,42702281,5427fea7
[ 70.544009][ T6571] Memory Limit: none
[ 70.731596][ T6571] Rebooting in 86400 seconds..