[ 47.044447][ T12] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 47.045539][ T12] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 47.047239][ T12] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 47.047264][ T12] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 47.053740][ T12] veth1_macvtap: left promiscuous mode
[ 47.053964][ T12] veth0_macvtap: left promiscuous mode
[ 47.054013][ T12] veth1_vlan: left promiscuous mode
[ 47.054049][ T12] veth0_vlan: left promiscuous mode
[ 47.172631][ T12] team0 (unregistering): Port device team_slave_1 removed
[ 47.178831][ T12] team0 (unregistering): Port device team_slave_0 removed
Warning: Permanently added '10.128.1.105' (ED25519) to the list of known hosts.
1970/01/01 00:01:02 parsed 1 programs
[ 63.645458][ T6853] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 64.488077][ T2415] ieee802154 phy0 wpan0: encryption failed: -22
[ 64.488130][ T2415] ieee802154 phy1 wpan1: encryption failed: -22
[ 64.489040][ T26] cfg80211: failed to load regulatory.db
[ 69.030206][ T6602] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 69.031730][ T6602] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 69.033045][ T6602] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 69.035045][ T6602] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 69.036721][ T6602] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 69.275759][ T6900] chnl_net:caif_netlink_parms(): no params data found
[ 69.341047][ T6900] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.341124][ T6900] bridge0: port 1(bridge_slave_0) entered disabled state
[ 69.341173][ T6900] bridge_slave_0: entered allmulticast mode
[ 69.341580][ T6900] bridge_slave_0: entered promiscuous mode
[ 69.342299][ T6900] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.342336][ T6900] bridge0: port 2(bridge_slave_1) entered disabled state
[ 69.342375][ T6900] bridge_slave_1: entered allmulticast mode
[ 69.342759][ T6900] bridge_slave_1: entered promiscuous mode
[ 69.355497][ T6900] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 69.356390][ T6900] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 69.365603][ T6900] team0: Port device team_slave_0 added
[ 69.366285][ T6900] team0: Port device team_slave_1 added
[ 69.374142][ T6900] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 69.374166][ T6900] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 69.374181][ T6900] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 69.374721][ T6900] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 69.374727][ T6900] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 69.374739][ T6900] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 69.393253][ T6900] hsr_slave_0: entered promiscuous mode
[ 69.394635][ T6900] hsr_slave_1: entered promiscuous mode
[ 69.716028][ T6900] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 69.719671][ T6900] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 69.730193][ T6900] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 69.734338][ T6900] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 69.794599][ T6900] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.794647][ T6900] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.794716][ T6900] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.794739][ T6900] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.810643][ T6900] 8021q: adding VLAN 0 to HW filter on device bond0
[ 69.822372][ T6900] 8021q: adding VLAN 0 to HW filter on device team0
[ 69.845609][ T6900] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 69.845647][ T6900] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 69.921134][ T6900] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 69.938447][ T6900] veth0_vlan: entered promiscuous mode
[ 69.942888][ T6900] veth1_vlan: entered promiscuous mode
[ 69.951515][ T6900] veth0_macvtap: entered promiscuous mode
[ 69.953731][ T6900] veth1_macvtap: entered promiscuous mode
[ 69.958923][ T6900] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 69.962335][ T6900] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 69.965967][ T717] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.972638][ T717] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.974525][ T717] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.982959][ T717] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 70.148858][ T717] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 70.219289][ T717] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 70.285708][ T717] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 70.354432][ T717] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 70.416241][ T14] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 70.416270][ T14] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 70.423206][ T2011] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 70.423235][ T2011] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
1970/01/01 00:01:10 executed programs: 0
[ 70.680094][ T6602] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 70.681880][ T6602] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 70.683665][ T6602] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 70.688112][ T6602] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 70.689922][ T6602] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 70.748416][ T7083] chnl_net:caif_netlink_parms(): no params data found
[ 70.772938][ T7083] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.774253][ T7083] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.776001][ T7083] bridge_slave_0: entered allmulticast mode
[ 70.778650][ T7083] bridge_slave_0: entered promiscuous mode
[ 70.780768][ T7083] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.782245][ T7083] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.783919][ T7083] bridge_slave_1: entered allmulticast mode
[ 70.785515][ T7083] bridge_slave_1: entered promiscuous mode
[ 70.795476][ T7083] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 70.796368][ T7083] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 70.806549][ T7083] team0: Port device team_slave_0 added
[ 70.809299][ T7083] team0: Port device team_slave_1 added
[ 70.816821][ T7083] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 70.818658][ T7083] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 70.823819][ T7083] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 70.826467][ T7083] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 70.828006][ T7083] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 70.832166][ T7083] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 70.845286][ T7083] hsr_slave_0: entered promiscuous mode
[ 70.846651][ T7083] hsr_slave_1: entered promiscuous mode
[ 70.848178][ T7083] debugfs: 'hsr0' already exists in 'hsr'
[ 70.849214][ T7083] Cannot create hsr debugfs directory
[ 72.726879][ T6602] Bluetooth: hci0: command tx timeout
[ 73.290648][ T717] bridge_slave_1: left allmulticast mode
[ 73.293122][ T717] bridge_slave_1: left promiscuous mode
[ 73.293235][ T717] bridge0: port 2(bridge_slave_1) entered disabled state
[ 73.298081][ T717] bridge_slave_0: left allmulticast mode
[ 73.298109][ T717] bridge_slave_0: left promiscuous mode
[ 73.298178][ T717] bridge0: port 1(bridge_slave_0) entered disabled state
[ 73.430852][ T717] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 73.478668][ T717] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 73.527985][ T717] bond0 (unregistering): Released all slaves
[ 73.613942][ T717] hsr_slave_0: left promiscuous mode
[ 73.615246][ T717] hsr_slave_1: left promiscuous mode
[ 73.616643][ T717] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 73.619092][ T717] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 73.620751][ T717] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 73.622129][ T717] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 73.628054][ T717] veth1_macvtap: left promiscuous mode
[ 73.629302][ T717] veth0_macvtap: left promiscuous mode
[ 73.629388][ T717] veth1_vlan: left promiscuous mode
[ 73.631304][ T717] veth0_vlan: left promiscuous mode
[ 73.749507][ T717] team0 (unregistering): Port device team_slave_1 removed
[ 73.755738][ T717] team0 (unregistering): Port device team_slave_0 removed
[ 74.081751][ T7083] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 74.085922][ T7083] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 74.090317][ T7083] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 74.094161][ T7083] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 74.122991][ T7083] 8021q: adding VLAN 0 to HW filter on device bond0
[ 74.126314][ T7083] 8021q: adding VLAN 0 to HW filter on device team0
[ 74.128420][ T14] bridge0: port 1(bridge_slave_0) entered blocking state
[ 74.128442][ T14] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 74.131852][ T2011] bridge0: port 2(bridge_slave_1) entered blocking state
[ 74.131903][ T2011] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 74.142265][ T7083] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 74.144528][ T7083] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 74.257702][ T7083] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 74.273102][ T7083] veth0_vlan: entered promiscuous mode
[ 74.274720][ T7083] veth1_vlan: entered promiscuous mode
[ 74.280852][ T7083] veth0_macvtap: entered promiscuous mode
[ 74.282427][ T7083] veth1_macvtap: entered promiscuous mode
[ 74.285716][ T7083] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 74.286546][ T7083] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 74.291213][ T14] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 74.291306][ T14] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 74.291536][ T14] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 74.291547][ T14] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 74.324307][ T717] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 74.324339][ T717] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 74.335009][ T717] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 74.335035][ T717] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 74.607647][ T6596] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 74.758509][ T6596] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 74.758535][ T6596] usb 1-1: config 0 interface 0 altsetting 0 bulk endpoint 0x82 has invalid maxpacket 0
[ 74.758552][ T6596] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice= 1.a0
[ 74.758561][ T6596] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 74.760205][ T6596] usb 1-1: config 0 descriptor??
[ 74.765511][ T6596] em28xx 1-1:0.0: New device @ 480 Mbps (eb1a:e303, interface 0, class 0)
[ 74.766562][ T6596] em28xx 1-1:0.0: Video interface 0 found: bulk
[ 74.807299][ T6602] Bluetooth: hci0: command tx timeout
[ 75.017072][ T6596] em28xx 1-1:0.0: unknown em28xx chip ID (0)
[ 75.113877][ T6596] em28xx 1-1:0.0: reading from i2c device at 0xa0 failed (error=-5)
[ 75.113919][ T6596] em28xx 1-1:0.0: board has no eeprom
[ 75.166911][ T6596] em28xx 1-1:0.0: Identified as Kaiomy TVnPC U2 (card=63)
[ 75.166944][ T6596] em28xx 1-1:0.0: analog set to bulk mode.
[ 75.170363][ T6596] usb 1-1: USB disconnect, device number 2
[ 75.171877][ T10] em28xx 1-1:0.0: Registering V4L2 extension
[ 75.177915][ T6596] em28xx 1-1:0.0: Disconnecting em28xx
[ 75.187959][ T10] i2c i2c-1: Invalid 7-bit I2C address 0x00
[ 75.196040][ T10] tuner: 1-0061: Tuner -1 found with type(s) Radio TV.
[ 75.197149][ T10] xc2028 1-0061: creating new instance
[ 75.197158][ T10] xc2028 1-0061: type set to XCeive xc2028/xc3028 tuner
[ 75.197283][ T10] em28xx 1-1:0.0: Config register raw data: 0xffffffed
[ 75.197290][ T10] em28xx 1-1:0.0: AC97 chip type couldn't be determined
[ 75.197295][ T10] em28xx 1-1:0.0: No AC97 audio processor
[ 75.198467][ T10] em28xx 1-1:0.0: Registered radio device as radio2
[ 75.198484][ T10] usb 1-1: Decoder not found
[ 75.198489][ T10] em28xx 1-1:0.0: failed to create media graph
[ 75.198502][ T10] em28xx 1-1:0.0: V4L2 device radio2 deregistered
[ 75.199183][ ** replaying previous printk message **
[ 75.199183][ T10] em28xx 1-1:0.0: V4L2 device video11 deregistered
[ 75.199901][ T10] xc2028 1-0061: destroying instance
[ 75.200235][ T10] em28xx 1-1:0.0: Registering input extension
[ 75.200442][ T6596] em28xx 1-1:0.0: Closing input extension
[ 75.202621][ T6596] em28xx 1-1:0.0: Freeing device
[ 75.206321][ T10] usb 1-1:0.0: Direct firmware load for xc3028-v27.fw failed with error -2
[ 75.206334][ T10] usb 1-1:0.0: Falling back to sysfs fallback for: xc3028-v27.fw
[ 75.206376][ T10] kobject: kobject_add_internal failed for firmware (error: -2 parent: 1-1:0.0)
[ 75.206394][ T10] firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
[ 75.206425][ T10] ==================================================================
[ 75.206430][ T10] BUG: KASAN: slab-use-after-free in load_firmware_cb+0xbc/0x14f4
[ 75.206445][ T10] Read of size 8 at addr ffff0000d8f2d318 by task kworker/0:1/10
[ 75.206452][ T10]
[ 75.206456][ T10] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted syzkaller #0 PREEMPT
[ 75.206463][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
[ 75.206467][ T10] Workqueue: events request_firmware_work_func
[ 75.206479][ T10] Call trace:
[ 75.206481][ T10] show_stack+0x2c/0x3c (C)
[ 75.206489][ T10] __dump_stack+0x30/0x40
[ 75.206495][ T10] dump_stack_lvl+0xd8/0x12c
[ 75.206500][ T10] print_address_description+0xa8/0x238
[ 75.206507][ T10] print_report+0x68/0x84
[ 75.206513][ T10] kasan_report+0xb0/0x110
[ 75.206521][ T10] __asan_report_load8_noabort+0x20/0x2c
[ 75.206526][ T10] load_firmware_cb+0xbc/0x14f4
[ 75.206531][ T10] request_firmware_work_func+0xe8/0x19c
[ 75.206537][ T10] process_one_work+0x7e8/0x155c
[ 75.206543][ T10] worker_thread+0x958/0xed8
[ 75.206548][ T10] kthread+0x5fc/0x75c
[ 75.206555][ T10] ret_from_fork+0x10/0x20
[ 75.206560][ T10]
[ 75.206562][ T10] Allocated by task 10:
[ 75.206565][ T10] kasan_save_track+0x40/0x78
[ 75.206572][ T10] kasan_save_alloc_info+0x44/0x54
[ 75.206576][ T10] __kasan_kmalloc+0x9c/0xb4
[ 75.206581][ T10] __kmalloc_cache_noprof+0x2a4/0x3fc
[ 75.206588][ T10] tuner_probe+0xc4/0x1690
[ 75.206592][ T10] i2c_device_probe+0x82c/0x9a0
[ 75.206598][ T10] really_probe+0x3b4/0x944
[ 75.206605][ T10] __driver_probe_device+0x180/0x2d4
[ 75.206610][ T10] driver_probe_device+0x78/0x330
[ 75.206616][ T10] __device_attach_driver+0x290/0x4e0
[ 75.206622][ T10] bus_for_each_drv+0x220/0x2b4
[ 75.206627][ T10] __device_attach+0x26c/0x388
[ 75.206633][ T10] device_initial_probe+0x24/0x34
[ 75.206638][ T10] bus_probe_device+0x178/0x240
[ 75.206643][ T10] device_add+0x71c/0xa60
[ 75.206648][ T10] device_register+0x28/0x38
[ 75.206651][ T10] i2c_new_client_device+0x834/0xe9c
[ 75.206657][ T10] v4l2_i2c_new_subdev_board+0xb0/0x224
[ 75.206663][ T10] v4l2_i2c_new_subdev+0x138/0x1c0
[ 75.206668][ T10] em28xx_v4l2_init+0x6f4/0x2918
[ 75.206675][ T10] em28xx_init_extension+0x10c/0x1b4
[ 75.206680][ T10] request_module_async+0x68/0x98
[ 75.206685][ T10] process_one_work+0x7e8/0x155c
[ 75.206689][ T10] worker_thread+0x958/0xed8
[ 75.206693][ T10] kthread+0x5fc/0x75c
[ 75.206699][ T10] ret_from_fork+0x10/0x20
[ 75.206703][ T10]
[ 75.206705][ T10] Freed by task 10:
[ 75.206708][ T10] kasan_save_track+0x40/0x78
[ 75.206713][ T10] kasan_save_free_info+0x58/0x70
[ 75.206717][ T10] __kasan_slab_free+0x74/0x98
[ 75.206722][ T10] kfree+0x17c/0x474
[ 75.206728][ T10] tuner_remove+0x1d8/0x1f4
[ 75.206731][ T10] i2c_device_remove+0x8c/0x1dc
[ 75.206737][ T10] device_release_driver_internal+0x3a8/0x68c
[ 75.206743][ T10] device_release_driver+0x28/0x38
[ 75.206749][ T10] bus_remove_device+0x310/0x3b0
[ 75.206754][ T10] device_del+0x47c/0x808
[ 75.206758][ T10] device_unregister+0x2c/0xcc
[ 75.206762][ T10] i2c_unregister_device+0x1ac/0x208
[ 75.206768][ T10] v4l2_i2c_subdev_unregister+0x68/0x78
[ 75.206774][ T10] v4l2_device_unregister+0x170/0x248
[ 75.206779][ T10] em28xx_v4l2_init+0x1328/0x2918
[ 75.206784][ T10] em28xx_init_extension+0x10c/0x1b4
[ 75.206790][ T10] request_module_async+0x68/0x98
[ 75.206795][ T10] process_one_work+0x7e8/0x155c
[ 75.206799][ T10] worker_thread+0x958/0xed8
[ 75.206803][ T10] kthread+0x5fc/0x75c
[ 75.206808][ T10] ret_from_fork+0x10/0x20
[ 75.206813][ T10]
[ 75.206814][ T10] The buggy address belongs to the object at ffff0000d8f2d000
[ 75.206814][ T10] which belongs to the cache kmalloc-2k of size 2048
[ 75.206819][ T10] The buggy address is located 792 bytes inside of
[ 75.206819][ T10] freed 2048-byte region [ffff0000d8f2d000, ffff0000d8f2d800)
[ 75.206824][ T10]
[ 75.206831][ T10] The buggy address belongs to the physical page:
[ 75.206835][ T10] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118f28
[ 75.206841][ T10] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 75.206845][ T10] anon flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
[ 75.206852][ T10] page_type: f5(slab)
[ 75.206857][ T10] raw: 05ffc00000000040 ffff0000c0002000 0000000000000000 dead000000000001
[ 75.206862][ T10] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 75.206866][ T10] head: 05ffc00000000040 ffff0000c0002000 0000000000000000 dead000000000001
[ 75.206870][ T10] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 75.206874][ T10] head: 05ffc00000000003 fffffdffc363ca01 00000000ffffffff 00000000ffffffff
[ 75.206878][ T10] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 75.206880][ T10] page dumped because: kasan: bad access detected
[ 75.206883][ T10]
[ 75.206884][ T10] Memory state around the buggy address:
[ 75.206887][ T10] ffff0000d8f2d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.206890][ T10] ffff0000d8f2d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.206894][ T10] >ffff0000d8f2d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.206896][ T10] ^
[ 75.206899][ T10] ffff0000d8f2d380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.206902][ T10] ffff0000d8f2d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.206905][ T10] ==================================================================
[ 75.206992][ T10] Disabling lock debugging due to kernel taint
[ 75.207004][ T10] Unable to handle kernel paging request at virtual address dfff800000000005
[ 75.207011][ T10] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 75.207015][ T10] Mem abort info:
[ 75.207018][ T10] ESR = 0x0000000096000005
[ 75.207021][ T10] EC = 0x25: DABT (current EL), IL = 32 bits
[ 75.207025][ T10] SET = 0, FnV = 0
[ 75.207028][ T10] EA = 0, S1PTW = 0
[ 75.207031][ T10] FSC = 0x05: level 1 translation fault
[ 75.207034][ T10] Data abort info:
[ 75.207036][ T10] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 75.207039][ T10] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 75.207043][ T10] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 75.207047][ T10] [dfff800000000005] address between user and kernel address ranges
[ 75.207052][ T10] Internal error: Oops: 0000000096000005 [#1] SMP
[ 75.312014][ T10] Modules linked in:
[ 75.312628][ T10] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G B syzkaller #0 PREEMPT
[ 75.314261][ T10] Tainted: [B]=BAD_PAGE
[ 75.314855][ T10] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
[ 75.316357][ T10] Workqueue: events request_firmware_work_func
[ 75.317274][ T10] pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
[ 75.318404][ T10] pc : load_firmware_cb+0x22c/0x14f4
[ 75.319203][ T10] lr : load_firmware_cb+0xe0/0x14f4
[ 75.319967][ T10] sp : ffff800097c17880
[ 75.320577][ T10] x29: ffff800097c179d0 x28: 1ffff00011efc299 x27: 0000000000000000
[ 75.321758][ T10] x26: dfff800000000000 x25: ffff700012f82f24 x24: 1fffe0001b1e5a63
[ 75.322921][ T10] x23: ffff800097c17920 x22: 0000000000000000 x21: 0000000000000000
[ 75.324080][ T10] x20: 0000000000000000 x19: ffff0000d8f2d318 x18: 00000000ffffffff
[ 75.325311][ T10] x17: 3d3d3d3d3d3d3d3d x16: ffff80008b00ff28 x15: 0000000000000001
[ 75.326502][ T10] x14: 1ffff000126110fc x13: 0000000000000000 x12: 0000000000000000
[ 75.327724][ T10] x11: ffff7000126110fd x10: 0000000000ff0100 x9 : 0000000000000000
[ 75.328934][ T10] x8 : 0000000000000005 x7 : 0000000000000001 x6 : ffff800080563d2c
[ 75.330095][ T10] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000803c0884
[ 75.331448][ T10] x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000028
[ 75.332776][ T10] Call trace:
[ 75.333279][ T10] load_firmware_cb+0x22c/0x14f4 (P)
[ 75.334047][ T10] request_firmware_work_func+0xe8/0x19c
[ 75.335015][ T10] process_one_work+0x7e8/0x155c
[ 75.335785][ T10] worker_thread+0x958/0xed8
[ 75.336485][ T10] kthread+0x5fc/0x75c
[ 75.337067][ T10] ret_from_fork+0x10/0x20
[ 75.337718][ T10] Code: b5fff65b f9403bf6 9100a2c0 d343fc08 (387a6908)
[ 75.338710][ T10] ---[ end trace 0000000000000000 ]---
[ 75.593151][ T10] Kernel panic - not syncing: Oops: Fatal exception
[ 75.594035][ T10] SMP: stopping secondary CPUs
[ 75.594899][ T10] Kernel Offset: disabled
[ 75.595592][ T10] CPU features: 0x080000,0000f000,21381141,5427fea7
[ 75.596651][ T10] Memory Limit: none
[ 75.846183][ T10] Rebooting in 86400 seconds..