Warning: Permanently added '10.128.1.252' (ED25519) to the list of known hosts.
1970/01/01 00:01:35 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:01:36 parsed 1 programs
[ 99.882120][ T6921] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 101.848390][ T6083] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 101.851805][ T6083] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 101.854832][ T6083] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 101.858353][ T6083] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 101.860740][ T6083] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 102.050570][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 102.050653][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 102.091023][ T546] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 102.091083][ T546] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 102.871109][ T7032] chnl_net:caif_netlink_parms(): no params data found
[ 102.910090][ T7032] bridge0: port 1(bridge_slave_0) entered blocking state
[ 102.910202][ T7032] bridge0: port 1(bridge_slave_0) entered disabled state
[ 102.910629][ T7032] bridge_slave_0: entered allmulticast mode
[ 102.911471][ T7032] bridge_slave_0: entered promiscuous mode
[ 103.060148][ T7032] bridge0: port 2(bridge_slave_1) entered blocking state
[ 103.060230][ T7032] bridge0: port 2(bridge_slave_1) entered disabled state
[ 103.060384][ T7032] bridge_slave_1: entered allmulticast mode
[ 103.061214][ T7032] bridge_slave_1: entered promiscuous mode
[ 103.078627][ T7032] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 103.080245][ T7032] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 103.095001][ T7032] team0: Port device team_slave_0 added
[ 103.097876][ T7032] team0: Port device team_slave_1 added
[ 103.158775][ T7032] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 103.160791][ T7032] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 103.160857][ T7032] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 103.162058][ T7032] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 103.162085][ T7032] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 103.162116][ T7032] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 103.192535][ T7032] hsr_slave_0: entered promiscuous mode
[ 103.194056][ T7032] hsr_slave_1: entered promiscuous mode
[ 104.187400][ T7032] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 104.191076][ T7032] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 104.197708][ T7032] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 104.207711][ T7032] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 104.251786][ T7032] 8021q: adding VLAN 0 to HW filter on device bond0
[ 104.260295][ T7032] 8021q: adding VLAN 0 to HW filter on device team0
[ 104.266384][ T546] bridge0: port 1(bridge_slave_0) entered blocking state
[ 104.266464][ T546] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 104.280525][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 104.280606][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 104.385747][ T7032] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 104.402532][ T7032] veth0_vlan: entered promiscuous mode
[ 104.410498][ T7032] veth1_vlan: entered promiscuous mode
[ 104.429164][ T7032] veth0_macvtap: entered promiscuous mode
[ 104.430955][ T7032] veth1_macvtap: entered promiscuous mode
[ 104.440999][ T7032] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 104.445287][ T7032] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 104.449498][ T7032] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 104.449896][ T7032] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 104.449929][ T7032] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 104.449959][ T7032] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 104.816848][ T14] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 104.926730][ T14] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 104.984228][ T14] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 105.086573][ T14] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
1970/01/01 00:01:46 executed programs: 0
[ 106.667178][ T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 106.668063][ T52] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 106.668482][ T52] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 106.669232][ T52] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 106.669721][ T52] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 106.777797][ T7275] chnl_net:caif_netlink_parms(): no params data found
[ 106.826811][ T7275] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.829039][ T7275] bridge0: port 1(bridge_slave_0) entered disabled state
[ 106.831316][ T7275] bridge_slave_0: entered allmulticast mode
[ 106.836028][ T7275] bridge_slave_0: entered promiscuous mode
[ 106.839431][ T7275] bridge0: port 2(bridge_slave_1) entered blocking state
[ 106.841564][ T7275] bridge0: port 2(bridge_slave_1) entered disabled state
[ 106.844841][ T7275] bridge_slave_1: entered allmulticast mode
[ 106.847639][ T7275] bridge_slave_1: entered promiscuous mode
[ 106.870850][ T7275] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 106.877563][ T7275] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 106.899114][ T7275] team0: Port device team_slave_0 added
[ 106.902602][ T7275] team0: Port device team_slave_1 added
[ 106.921172][ T7275] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 106.921224][ T7275] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 106.921275][ T7275] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 106.922442][ T7275] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 106.922468][ T7275] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 106.922500][ T7275] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 106.958098][ T7275] hsr_slave_0: entered promiscuous mode
[ 106.958726][ T7275] hsr_slave_1: entered promiscuous mode
[ 106.959093][ T7275] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 106.959122][ T7275] Cannot create hsr debugfs directory
[ 108.208341][ T14] bridge_slave_1: left allmulticast mode
[ 108.208425][ T14] bridge_slave_1: left promiscuous mode
[ 108.208548][ T14] bridge0: port 2(bridge_slave_1) entered disabled state
[ 108.214808][ T14] bridge_slave_0: left allmulticast mode
[ 108.214866][ T14] bridge_slave_0: left promiscuous mode
[ 108.218242][ T14] bridge0: port 1(bridge_slave_0) entered disabled state
[ 108.682994][ T6083] Bluetooth: hci0: command tx timeout
[ 109.785424][ T14] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 109.825505][ T14] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 109.894690][ T14] bond0 (unregistering): Released all slaves
[ 109.980726][ T14] hsr_slave_0: left promiscuous mode
[ 109.982525][ T14] hsr_slave_1: left promiscuous mode
[ 109.983047][ T14] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 109.983090][ T14] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 109.984823][ T14] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 109.984860][ T14] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 109.998340][ T14] veth1_macvtap: left promiscuous mode
[ 109.998447][ T14] veth0_macvtap: left promiscuous mode
[ 109.998543][ T14] veth1_vlan: left promiscuous mode
[ 109.999055][ T14] veth0_vlan: left promiscuous mode
[ 110.762894][ T6083] Bluetooth: hci0: command tx timeout
[ 111.825438][ T14] team0 (unregistering): Port device team_slave_1 removed
[ 112.044546][ T14] team0 (unregistering): Port device team_slave_0 removed
[ 112.842878][ T6083] Bluetooth: hci0: command tx timeout
[ 114.608438][ T7275] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 114.612568][ T7275] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 114.618599][ T7275] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 114.622557][ T7275] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 114.717178][ T7275] 8021q: adding VLAN 0 to HW filter on device bond0
[ 114.726523][ T7275] 8021q: adding VLAN 0 to HW filter on device team0
[ 114.731702][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 114.731781][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 114.742292][ T42] bridge0: port 2(bridge_slave_1) entered blocking state
[ 114.742378][ T42] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 114.926336][ T6083] Bluetooth: hci0: command tx timeout
[ 115.113918][ T7275] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 115.140508][ T7275] veth0_vlan: entered promiscuous mode
[ 115.178215][ T7275] veth1_vlan: entered promiscuous mode
[ 115.200181][ T7275] veth0_macvtap: entered promiscuous mode
[ 115.202068][ T7275] veth1_macvtap: entered promiscuous mode
[ 115.297363][ T7275] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 115.299237][ T7275] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 115.300680][ T7275] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 115.300723][ T7275] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 115.300754][ T7275] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 115.300785][ T7275] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 115.556131][ T1645] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 115.556198][ T1645] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 115.578470][ T1645] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 115.578533][ T1645] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
1970/01/01 00:01:55 executed programs: 2
[ 115.903159][ T6540] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 116.055522][ T6540] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 116.055608][ T6540] usb 1-1: config 0 interface 0 altsetting 0 bulk endpoint 0x82 has invalid maxpacket 0
[ 116.058227][ T6540] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=fc.a0
[ 116.058276][ T6540] usb 1-1: New USB device strings: Mfr=214, Product=33, SerialNumber=3
[ 116.058302][ T6540] usb 1-1: Product: syz
[ 116.058324][ T6540] usb 1-1: Manufacturer: syz
[ 116.058345][ T6540] usb 1-1: SerialNumber: syz
[ 116.065548][ T6540] usb 1-1: config 0 descriptor??
[ 116.070397][ T6540] em28xx 1-1:0.0: New device syz syz @ 480 Mbps (eb1a:e303, interface 0, class 0)
[ 116.070457][ T6540] em28xx 1-1:0.0: Video interface 0 found: bulk
[ 116.333161][ T6540] em28xx 1-1:0.0: unknown em28xx chip ID (0)
[ 116.435712][ T6540] em28xx 1-1:0.0: reading from i2c device at 0xa0 failed (error=-5)
[ 116.435885][ T6540] em28xx 1-1:0.0: board has no eeprom
[ 116.493114][ T6540] em28xx 1-1:0.0: Identified as Kaiomy TVnPC U2 (card=63)
[ 116.493273][ T6540] em28xx 1-1:0.0: analog set to bulk mode.
[ 116.503080][ T26] em28xx 1-1:0.0: Registering V4L2 extension
[ 116.509786][ T6540] usb 1-1: USB disconnect, device number 2
[ 116.511117][ T6540] em28xx 1-1:0.0: Disconnecting em28xx
[ 116.539760][ T26] i2c i2c-1: Invalid 7-bit I2C address 0x00
[ 116.559578][ T26] tuner: 1-0061: Tuner -1 found with type(s) Radio TV.
[ 116.560835][ T26] xc2028 1-0061: creating new instance
[ 116.560892][ T26] xc2028 1-0061: type set to XCeive xc2028/xc3028 tuner
[ 116.561109][ T26] em28xx 1-1:0.0: Config register raw data: 0xffffffed
[ 116.561140][ T26] em28xx 1-1:0.0: AC97 chip type couldn't be determined
[ 116.561162][ T26] em28xx 1-1:0.0: No AC97 audio processor
[ 116.566595][ T26] em28xx 1-1:0.0: Registered radio device as radio2
[ 116.566646][ T26] usb 1-1: Decoder not found
[ 116.566667][ T26] em28xx 1-1:0.0: failed to create media graph
[ 116.566704][ T26] em28xx 1-1:0.0: V4L2 device radio2 deregistered
[ 116.567620][ T26] em28xx 1-1:0.0: V4L2 device video11 deregistered
[ 116.570342][ T26] xc2028 1-0061: destroying instance
[ 116.570993][ T26] em28xx 1-1:0.0: Registering input extension
[ 116.571292][ T6540] em28xx 1-1:0.0: Closing input extension
[ 116.577740][ T6540] em28xx 1-1:0.0: Freeing device
[ 116.591407][ T24] usb 1-1:0.0: Direct firmware load for xc3028-v27.fw failed with error -2
[ 116.591479][ T24] usb 1-1:0.0: Falling back to sysfs fallback for: xc3028-v27.fw
[ 116.591704][ T24] kobject: kobject_add_internal failed for firmware (error: -2 parent: 1-1:0.0)
[ 116.591785][ T24] firmware xc3028-v27.fw: f ** replaying previous printk message **
[ 116.591785][ T24] firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
[ 116.591879][ T24] ==================================================================
[ 116.591892][ T24] BUG: KASAN: slab-use-after-free in load_firmware_cb+0xbc/0x14f4
[ 116.591917][ T24] Read of size 8 at addr ffff0000c78bd318 by task kworker/1:0/24
[ 116.591933][ T24]
[ 116.591943][ T24] CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0 Not tainted 6.16.0-rc2-syzkaller-00009-g9aa9b43d689e #0 PREEMPT
[ 116.591957][ T24] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 116.591965][ T24] Workqueue: events request_firmware_work_func
[ 116.591982][ T24] Call trace:
[ 116.591986][ T24] show_stack+0x2c/0x3c (C)
[ 116.592002][ T24] __dump_stack+0x30/0x40
[ 116.592016][ T24] dump_stack_lvl+0xd8/0x12c
[ 116.592029][ T24] print_address_description+0xa8/0x254
[ 116.592043][ T24] print_report+0x68/0x84
[ 116.592055][ T24] kasan_report+0xb0/0x110
[ 116.592067][ T24] __asan_report_load8_noabort+0x20/0x2c
[ 116.592079][ T24] load_firmware_cb+0xbc/0x14f4
[ 116.592092][ T24] request_firmware_work_func+0xe8/0x19c
[ 116.592107][ T24] process_one_work+0x7e8/0x155c
[ 116.592121][ T24] worker_thread+0x958/0xed8
[ 116.592146][ T24] kthread+0x5fc/0x75c
[ 116.592157][ T24] ret_from_fork+0x10/0x20
[ 116.592169][ T24]
[ 116.592266][ T24] Allocated by task 26:
[ 116.592278][ T24] kasan_save_track+0x40/0x78
[ 116.592297][ T24] kasan_save_alloc_info+0x44/0x54
[ 116.592312][ T24] __kasan_kmalloc+0x9c/0xb4
[ 116.592330][ T24] __kmalloc_cache_noprof+0x2a4/0x3fc
[ 116.592345][ T24] tuner_probe+0xc4/0x1690
[ 116.592362][ T24] i2c_device_probe+0x864/0x9d0
[ 116.592385][ T24] really_probe+0x394/0x910
[ 116.592401][ T24] __driver_probe_device+0x180/0x2d4
[ 116.592417][ T24] driver_probe_device+0x78/0x330
[ 116.592432][ T24] __device_attach_driver+0x290/0x4e0
[ 116.592447][ T24] bus_for_each_drv+0x220/0x2b4
[ 116.592470][ T24] __device_attach+0x26c/0x388
[ 116.592485][ T24] device_initial_probe+0x24/0x34
[ 116.592499][ T24] bus_probe_device+0x178/0x240
[ 116.592517][ T24] device_add+0x71c/0xa60
[ 116.592533][ T24] device_register+0x28/0x38
[ 116.592549][ T24] i2c_new_client_device+0x834/0xe9c
[ 116.592565][ T24] v4l2_i2c_new_subdev_board+0xb0/0x224
[ 116.592584][ T24] v4l2_i2c_new_subdev+0x138/0x1c0
[ 116.592602][ T24] em28xx_v4l2_init+0x6f4/0x2918
[ 116.592618][ T24] em28xx_init_extension+0x10c/0x1b4
[ 116.592633][ T24] request_module_async+0x68/0x98
[ 116.592648][ T24] process_one_work+0x7e8/0x155c
[ 116.592665][ T24] worker_thread+0x958/0xed8
[ 116.592682][ T24] kthread+0x5fc/0x75c
[ 116.592702][ T24] ret_from_fork+0x10/0x20
[ 116.592717][ T24]
[ 116.592725][ T24] Freed by task 26:
[ 116.592737][ T24] kasan_save_track+0x40/0x78
[ 116.592754][ T24] kasan_save_free_info+0x58/0x70
[ 116.592770][ T24] __kasan_slab_free+0x68/0x88
[ 116.592788][ T24] kfree+0x17c/0x474
[ 116.592805][ T24] tuner_remove+0x1d8/0x1f4
[ 116.592821][ T24] i2c_device_remove+0x8c/0x1dc
[ 116.592836][ T24] device_release_driver_internal+0x3a8/0x658
[ 116.592852][ T24] device_release_driver+0x28/0x38
[ 116.592867][ T24] bus_remove_device+0x310/0x3b0
[ 116.592884][ T24] device_del+0x47c/0x808
[ 116.592901][ T24] device_unregister+0x2c/0xcc
[ 116.592917][ T24] i2c_unregister_device+0x1a4/0x200
[ 116.592932][ T24] v4l2_i2c_subdev_unregister+0xa8/0xbc
[ 116.592951][ T24] v4l2_device_unregister+0x170/0x248
[ 116.592966][ T24] em28xx_v4l2_init+0x1328/0x2918
[ 116.592981][ T24] em28xx_init_extension+0x10c/0x1b4
[ 116.592996][ T24] request_module_async+0x68/0x98
[ 116.593010][ T24] process_one_work+0x7e8/0x155c
[ 116.593028][ T24] worker_thread+0x958/0xed8
[ 116.593045][ T24] kthread+0x5fc/0x75c
[ 116.593061][ T24] ret_from_fork+0x10/0x20
[ 116.593075][ T24]
[ 116.593084][ T24] The buggy address belongs to the object at ffff0000c78bd000
[ 116.593084][ T24] which belongs to the cache kmalloc-2k of size 2048
[ 116.593099][ T24] The buggy address is located 792 bytes inside of
[ 116.593099][ T24] freed 2048-byte region [ffff0000c78bd000, ffff0000c78bd800)
[ 116.593118][ T24]
[ 116.593127][ T24] The buggy address belongs to the physical page:
[ 116.593138][ T24] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1078b8
[ 116.593155][ T24] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 116.593171][ T24] flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
[ 116.593189][ T24] page_type: f5(slab)
[ 116.593205][ T24] raw: 05ffc00000000040 ffff0000c0002000 dead000000000122 0000000000000000
[ 116.593221][ T24] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 116.593237][ T24] head: 05ffc00000000040 ffff0000c0002000 dead000000000122 0000000000000000
[ 116.593259][ T24] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 116.593275][ T24] head: 05ffc00000000003 fffffdffc31e2e01 00000000ffffffff 00000000ffffffff
[ 116.593291][ T24] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 116.593303][ T24] page dumped because: kasan: bad access detected
[ 116.593314][ T24]
[ 116.593323][ T24] Memory state around the buggy address:
[ 116.593335][ T24]  ffff0000c78bd200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 116.593348][ T24]  ffff0000c78bd280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 116.593362][ T24] >ffff0000c78bd300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 116.593374][ T24]                             ^
[ 116.593414][ T24]  ffff0000c78bd380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 116.593427][ T24]  ffff0000c78bd400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 116.593439][ T24] ==================================================================
[ 116.599967][ T24] Disabling lock debugging due to kernel taint
[ 116.600001][ T24] Unable to handle kernel paging request at virtual address dfff800000000005
[ 116.600020][ T24] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 116.600037][ T24] Mem abort info:
[ 116.600051][ T24] ESR = 0x0000000096000005
[ 116.600066][ T24] EC = 0x25: DABT (current EL), IL = 32 bits
[ 116.600083][ T24] SET = 0, FnV = 0
[ 116.600098][ T24] EA = 0, S1PTW = 0
[ 116.600113][ T24] FSC = 0x05: level 1 translation fault
[ 116.600129][ T24] Data abort info:
[ 116.600142][ T24] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 116.600158][ T24] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 116.600175][ T24] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 116.600193][ T24] [dfff800000000005] address between user and kernel address ranges
[ 116.600211][ T24] Internal error: Oops: 0000000096000005 [#1] SMP
[ 116.782503][ T24] Modules linked in:
[ 116.783631][ T24] CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0 Tainted: G B 6.16.0-rc2-syzkaller-00009-g9aa9b43d689e #0 PREEMPT
[ 116.787431][ T24] Tainted: [B]=BAD_PAGE
[ 116.788728][ T24] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 116.791719][ T24] Workqueue: events request_firmware_work_func
[ 116.793581][ T24] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 116.795792][ T24] pc : load_firmware_cb+0x22c/0x14f4
[ 116.797330][ T24] lr : load_firmware_cb+0xe0/0x14f4
[ 116.798832][ T24] sp : ffff800097b17880
[ 116.800106][ T24] x29: ffff800097b179d0 x28: 1ffff00011ec629b x27: 0000000000000000
[ 116.802662][ T24] x26: dfff800000000000 x25: ffff700012f62f24 x24: 1fffe00018f17a63
[ 116.804935][ T24] x23: ffff800097b17920 x22: 0000000000000000 x21: 0000000000000000
[ 116.807356][ T24] x20: 0000000000000000 x19: ffff0000c78bd318 x18: 1fffe000337e1476
[ 116.809697][ T24] x17: 0000000000000000 x16: ffff80008ae33808 x15: 0000000000000001
[ 116.811992][ T24] x14: 1ffff000125d0af8 x13: 0000000000000000 x12: 0000000000000000
[ 116.814311][ T24] x11: ffff7000125d0af9 x10: 0000000000ff0100 x9 : 0000000000000000
[ 116.816622][ T24] x8 : 0000000000000005 x7 : 0000000000000001 x6 : 0000000000000001
[ 116.818875][ T24] x5 : ffff800097b170f8 x4 : ffff80008f727060 x3 : ffff8000803b70c8
[ 116.821162][ T24] x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000028
[ 116.823474][ T24] Call trace:
[ 116.824501][ T24] load_firmware_cb+0x22c/0x14f4 (P)
[ 116.826060][ T24] request_firmware_work_func+0xe8/0x19c
[ 116.827707][ T24] process_one_work+0x7e8/0x155c
[ 116.829121][ T24] worker_thread+0x958/0xed8
[ 116.830457][ T24] kthread+0x5fc/0x75c
[ 116.831639][ T24] ret_from_fork+0x10/0x20
[ 116.832925][ T24] Code: b5fff65b f9403bf6 9100a2c0 d343fc08 (387a6908)
[ 116.834932][ T24] ---[ end trace 0000000000000000 ]---
[ 117.209728][ T24] Kernel panic - not syncing: Oops: Fatal exception
[ 117.211540][ T24] SMP: stopping secondary CPUs
[ 117.212919][ T24] Kernel Offset: disabled
[ 117.214128][ T24] CPU features: 0x2000,000081c0,020004a1,04017203
[ 117.215912][ T24] Memory Limit: none
[ 117.580120][ T24] Rebooting in 86400 seconds..