Warning: Permanently added '10.128.10.16' (ED25519) to the list of known hosts.
1970/01/01 00:01:28 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:01:29 parsed 1 programs
[ 93.251100][ T6930] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 104.022927][ T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 104.023944][ T52] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 104.024391][ T52] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 104.025165][ T52] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 104.025623][ T52] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 104.452328][ T7039] chnl_net:caif_netlink_parms(): no params data found
[ 104.499595][ T7039] bridge0: port 1(bridge_slave_0) entered blocking state
[ 104.499700][ T7039] bridge0: port 1(bridge_slave_0) entered disabled state
[ 104.499797][ T7039] bridge_slave_0: entered allmulticast mode
[ 104.500622][ T7039] bridge_slave_0: entered promiscuous mode
[ 104.502158][ T7039] bridge0: port 2(bridge_slave_1) entered blocking state
[ 104.502237][ T7039] bridge0: port 2(bridge_slave_1) entered disabled state
[ 104.502332][ T7039] bridge_slave_1: entered allmulticast mode
[ 104.503597][ T7039] bridge_slave_1: entered promiscuous mode
[ 104.554518][ T7039] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 104.556838][ T7039] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 104.572470][ T7039] team0: Port device team_slave_0 added
[ 104.573996][ T7039] team0: Port device team_slave_1 added
[ 104.588529][ T7039] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 104.588590][ T7039] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 104.588623][ T7039] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 104.590424][ T7039] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 104.590454][ T7039] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 104.590485][ T7039] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 104.626648][ T7039] hsr_slave_0: entered promiscuous mode
[ 104.627200][ T7039] hsr_slave_1: entered promiscuous mode
[ 105.546562][ T7039] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 105.550815][ T7039] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 105.555080][ T7039] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 105.561010][ T7039] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 105.607510][ T7039] 8021q: adding VLAN 0 to HW filter on device bond0
[ 105.618220][ T7039] 8021q: adding VLAN 0 to HW filter on device team0
[ 105.625838][ T2249] bridge0: port 1(bridge_slave_0) entered blocking state
[ 105.625938][ T2249] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 105.632325][ T2685] bridge0: port 2(bridge_slave_1) entered blocking state
[ 105.632404][ T2685] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 105.756483][ T7039] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 105.778268][ T7039] veth0_vlan: entered promiscuous mode
[ 105.781244][ T7039] veth1_vlan: entered promiscuous mode
[ 105.806488][ T7039] veth0_macvtap: entered promiscuous mode
[ 105.808413][ T7039] veth1_macvtap: entered promiscuous mode
[ 105.817853][ T7039] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 105.825370][ T7039] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 105.828846][ T7039] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 105.829283][ T7039] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 105.829316][ T7039] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 105.829347][ T7039] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 106.256849][ T2685] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 106.342888][ T2685] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 106.443513][ T2685] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 106.547694][ T2685] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 107.609280][ T2249] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 107.616155][ T2249] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 107.628754][ T2249] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 107.628834][ T2249] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
1970/01/01 00:01:48 executed programs: 0
[ 108.558269][ T6088] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 108.561113][ T6088] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 108.565778][ T6088] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 108.568594][ T6088] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 108.569978][ T6088] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 108.673732][ T7317] chnl_net:caif_netlink_parms(): no params data found
[ 108.724903][ T7317] bridge0: port 1(bridge_slave_0) entered blocking state
[ 108.727042][ T7317] bridge0: port 1(bridge_slave_0) entered disabled state
[ 108.728951][ T7317] bridge_slave_0: entered allmulticast mode
[ 108.729867][ T7317] bridge_slave_0: entered promiscuous mode
[ 108.731912][ T7317] bridge0: port 2(bridge_slave_1) entered blocking state
[ 108.732669][ T7317] bridge0: port 2(bridge_slave_1) entered disabled state
[ 108.732819][ T7317] bridge_slave_1: entered allmulticast mode
[ 108.733982][ T7317] bridge_slave_1: entered promiscuous mode
[ 108.758142][ T7317] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 108.765042][ T7317] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 108.796756][ T7317] team0: Port device team_slave_0 added
[ 108.800829][ T7317] team0: Port device team_slave_1 added
[ 108.841008][ T7317] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 108.841080][ T7317] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 108.841459][ T7317] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 108.856675][ T7317] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 108.856755][ T7317] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 108.856797][ T7317] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 108.960329][ T2685] bridge_slave_1: left allmulticast mode
[ 108.960391][ T2685] bridge_slave_1: left promiscuous mode
[ 108.960551][ T2685] bridge0: port 2(bridge_slave_1) entered disabled state
[ 108.975687][ T2685] bridge_slave_0: left allmulticast mode
[ 108.975756][ T2685] bridge_slave_0: left promiscuous mode
[ 108.975884][ T2685] bridge0: port 1(bridge_slave_0) entered disabled state
[ 110.404536][ T2685] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 110.445006][ T2685] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 110.504366][ T2685] bond0 (unregistering): Released all slaves
[ 110.514417][ T7317] hsr_slave_0: entered promiscuous mode
[ 110.515039][ T7317] hsr_slave_1: entered promiscuous mode
[ 110.515402][ T7317] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 110.515434][ T7317] Cannot create hsr debugfs directory
[ 110.596632][ T2685] hsr_slave_0: left promiscuous mode
[ 110.598632][ T2685] hsr_slave_1: left promiscuous mode
[ 110.599119][ T2685] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 110.599166][ T2685] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 110.600804][ T2685] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 110.600843][ T2685] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 110.622242][ T6088] Bluetooth: hci0: command tx timeout
[ 110.625873][ T2685] veth1_macvtap: left promiscuous mode
[ 110.626324][ T2685] veth0_macvtap: left promiscuous mode
[ 110.626432][ T2685] veth1_vlan: left promiscuous mode
[ 110.626531][ T2685] veth0_vlan: left promiscuous mode
[ 112.294192][ T2685] team0 (unregistering): Port device team_slave_1 removed
[ 112.453250][ T2685] team0 (unregistering): Port device team_slave_0 removed
[ 112.702519][ T6088] Bluetooth: hci0: command tx timeout
[ 114.782276][ T6088] Bluetooth: hci0: command tx timeout
[ 115.205008][ T7317] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 115.207469][ T7317] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 115.209822][ T7317] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 115.213784][ T7317] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 115.623521][ T7317] 8021q: adding VLAN 0 to HW filter on device bond0
[ 115.633105][ T7317] 8021q: adding VLAN 0 to HW filter on device team0
[ 115.638113][ T4529] bridge0: port 1(bridge_slave_0) entered blocking state
[ 115.638211][ T4529] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 115.662829][ T4529] bridge0: port 2(bridge_slave_1) entered blocking state
[ 115.663361][ T4529] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 115.926455][ T7317] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 116.008727][ T7317] veth0_vlan: entered promiscuous mode
[ 116.014752][ T7317] veth1_vlan: entered promiscuous mode
[ 116.034045][ T7317] veth0_macvtap: entered promiscuous mode
[ 116.037990][ T7317] veth1_macvtap: entered promiscuous mode
[ 116.046718][ T7317] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 116.210885][ T7317] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 116.222560][ T7317] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 116.225188][ T7317] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 116.227964][ T7317] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 116.230687][ T7317] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 116.364394][ T4449] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 116.364468][ T4449] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 116.387593][ T4529] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 116.387650][ T4529] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
1970/01/01 00:01:56 executed programs: 2
[ 116.692398][ T1810] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 116.847645][ T1810] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 116.847735][ T1810] usb 1-1: config 0 interface 0 altsetting 0 bulk endpoint 0x82 has invalid maxpacket 0
[ 116.847774][ T1810] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice= 1.a0
[ 116.847800][ T1810] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 116.851719][ T1810] usb 1-1: config 0 descriptor??
[ 116.861347][ T1810] em28xx 1-1:0.0: New device @ 480 Mbps (eb1a:e303, interface 0, class 0)
[ 116.861431][ T1810] em28xx 1-1:0.0: Video interface 0 found: bulk
[ 116.872129][ T6088] Bluetooth: hci0: command tx timeout
[ 117.123228][ T1810] em28xx 1-1:0.0: unknown em28xx chip ID (0)
[ 117.222333][ T1810] em28xx 1-1:0.0: reading from i2c device at 0xa0 failed (error=-5)
[ 117.222435][ T1810] em28xx 1-1:0.0: board has no eeprom
[ 117.282428][ T1810] em28xx 1-1:0.0: Identified as Kaiomy TVnPC U2 (card=63)
[ 117.282503][ T1810] em28xx 1-1:0.0: analog set to bulk mode.
[ 117.283859][ T11] em28xx 1-1:0.0: Registering V4L2 extension
[ 117.291522][ T1810] usb 1-1: USB disconnect, device number 2
[ 117.298002][ T1810] em28xx 1-1:0.0: Disconnecting em28xx
[ 117.320985][ T11] i2c i2c-1: Invalid 7-bit I2C address 0x00
[ 117.339390][ T11] tuner: 1-0061: Tuner -1 found with type(s) Radio TV.
[ 117.340207][ T11] xc2028 1-0061: creating new instance
[ 117.340255][ T11] xc2028 1-0061: type set to XCeive xc2028/xc3028 tuner
[ 117.340455][ T11] em28xx 1-1:0.0: Config register raw data: 0xffffffed
[ 117.340484][ T11] em28xx 1-1:0.0: AC97 chip type couldn't be determined
[ 117.340506][ T11] em28xx 1-1:0.0: No AC97 audio processor
[ 117.349093][ T11] em28xx 1-1:0.0: Registered radio device as radio2
[ 117.349158][ T11] usb 1-1: Decoder not found
[ 117.349180][ T11] em28xx 1-1:0.0: failed to create media graph
[ 117.349219][ T11] em28xx 1-1:0.0: V4L2 device radio2 deregistered
[ 117.351546][ T11] em28xx 1-1:0.0: V4L2 device video11 deregistered
[ 117.353978][ T11] xc2028 1-0061: destroying instance
[ 117.354722][ T11] em28xx 1-1:0.0: Registering input extension
[ 117.356441][ T1810] em28xx 1-1:0.0: Closing input extension
[ 117.366092][ T1810] em28xx 1-1:0.0: Freeing device
[ 117.378433][ T11] usb 1-1:0.0: Direct firmware load for xc3028-v27.fw faile
** replaying previous printk message **
[ 117.378433][ T11] usb 1-1:0.0: Direct firmware load for xc3028-v27.fw failed with error -2
[ 117.378515][ T11] usb 1-1:0.0: Falling back to sysfs fallback for: xc3028-v27.fw
[ 117.378590][ T11] kobject: kobject_add_internal failed for firmware (error: -2 parent: 1-1:0.0)
[ 117.378669][ T11] firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
[ 117.378762][ T11] ==================================================================
[ 117.378776][ T11] BUG: KASAN: slab-use-after-free in load_firmware_cb+0xbc/0x14f4
[ 117.378799][ T11] Read of size 8 at addr ffff0000ea6e7318 by task kworker/0:1/11
[ 117.378815][ T11]
[ 117.378826][ T11] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.0-rc2-syzkaller-00009-g9aa9b43d689e #0 PREEMPT
[ 117.378840][ T11] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 117.378847][ T11] Workqueue: events request_firmware_work_func
[ 117.378864][ T11] Call trace:
[ 117.378868][ T11] show_stack+0x2c/0x3c (C)
[ 117.378885][ T11] __dump_stack+0x30/0x40
[ 117.378899][ T11] dump_stack_lvl+0xd8/0x12c
[ 117.378912][ T11] print_address_description+0xa8/0x254
[ 117.378926][ T11] print_report+0x68/0x84
[ 117.378938][ T11] kasan_report+0xb0/0x110
[ 117.378949][ T11] __asan_report_load8_noabort+0x20/0x2c
[ 117.378961][ T11] load_firmware_cb+0xbc/0x14f4
[ 117.378973][ T11] request_firmware_work_func+0xe8/0x19c
[ 117.378987][ T11] process_one_work+0x7e8/0x155c
[ 117.379001][ T11] worker_thread+0x958/0xed8
[ 117.379015][ T11] kthread+0x5fc/0x75c
[ 117.379027][ T11] ret_from_fork+0x10/0x20
[ 117.379038][ T11]
[ 117.379135][ T11] Allocated by task 11:
[ 117.379147][ T11] kasan_save_track+0x40/0x78
[ 117.379166][ T11] kasan_save_alloc_info+0x44/0x54
[ 117.379182][ T11] __kasan_kmalloc+0x9c/0xb4
[ 117.379200][ T11] __kmalloc_cache_noprof+0x2a4/0x3fc
[ 117.379215][ T11] tuner_probe+0xc4/0x1690
[ 117.379231][ T11] i2c_device_probe+0x864/0x9d0
[ 117.379248][ T11] really_probe+0x394/0x910
[ 117.379264][ T11] __driver_probe_device+0x180/0x2d4
[ 117.379279][ T11] driver_probe_device+0x78/0x330
[ 117.379294][ T11] __device_attach_driver+0x290/0x4e0
[ 117.379310][ T11] bus_for_each_drv+0x220/0x2b4
[ 117.379362][ T11] __device_attach+0x26c/0x388
[ 117.379377][ T11] device_initial_probe+0x24/0x34
[ 117.379391][ T11] bus_probe_device+0x178/0x240
[ 117.379409][ T11] device_add+0x71c/0xa60
[ 117.379425][ T11] device_register+0x28/0x38
[ 117.379441][ T11] i2c_new_client_device+0x834/0xe9c
[ 117.379457][ T11] v4l2_i2c_new_subdev_board+0xb0/0x224
[ 117.379476][ T11] v4l2_i2c_new_subdev+0x138/0x1c0
[ 117.379494][ T11] em28xx_v4l2_init+0x6f4/0x2918
[ 117.379510][ T11] em28xx_init_extension+0x10c/0x1b4
[ 117.379525][ T11] request_module_async+0x68/0x98
[ 117.379540][ T11] process_one_work+0x7e8/0x155c
[ 117.379557][ T11] worker_thread+0x958/0xed8
[ 117.379575][ T11] kthread+0x5fc/0x75c
[ 117.379591][ T11] ret_from_fork+0x10/0x20
[ 117.379605][ T11]
[ 117.379614][ T11] Freed by task 11:
[ 117.379625][ T11] kasan_save_track+0x40/0x78
[ 117.379642][ T11] kasan_save_free_info+0x58/0x70
[ 117.379658][ T11] __kasan_slab_free+0x68/0x88
[ 117.379676][ T11] kfree+0x17c/0x474
[ 117.379693][ T11] tuner_remove+0x1d8/0x1f4
[ 117.379709][ T11] i2c_device_remove+0x8c/0x1dc
[ 117.379724][ T11] device_release_driver_internal+0x3a8/0x658
[ 117.379740][ T11] device_release_driver+0x28/0x38
[ 117.379755][ T11] bus_remove_device+0x310/0x3b0
[ 117.379772][ T11] device_del+0x47c/0x808
[ 117.379788][ T11] device_unregister+0x2c/0xcc
[ 117.379805][ T11] i2c_unregister_device+0x1a4/0x200
[ 117.379820][ T11] v4l2_i2c_subdev_unregister+0xa8/0xbc
[ 117.379839][ T11] v4l2_device_unregister+0x170/0x248
[ 117.379854][ T11] em28xx_v4l2_init+0x1328/0x2918
[ 117.379869][ T11] em28xx_init_extension+0x10c/0x1b4
[ 117.379884][ T11] request_module_async+0x68/0x98
[ 117.379899][ T11] process_one_work+0x7e8/0x155c
[ 117.379916][ T11] worker_thread+0x958/0xed8
[ 117.379933][ T11] kthread+0x5fc/0x75c
[ 117.379949][ T11] ret_from_fork+0x10/0x20
[ 117.379963][ T11]
[ 117.379972][ T11] The buggy address belongs to the object at ffff0000ea6e7000
[ 117.379972][ T11] which belongs to the cache kmalloc-2k of size 2048
[ 117.379988][ T11] The buggy address is located 792 bytes inside of
[ 117.379988][ T11] freed 2048-byte region [ffff0000ea6e7000, ffff0000ea6e7800)
[ 117.380006][ T11]
[ 117.380015][ T11] The buggy address belongs to the physical page:
[ 117.380027][ T11] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12a6e0
[ 117.380044][ T11] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 117.380064][ T11] flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
[ 117.380082][ T11] page_type: f5(slab)
[ 117.380099][ T11] raw: 05ffc00000000040 ffff0000c0002000 fffffdffc341f000 dead000000000002
[ 117.380115][ T11] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 117.380131][ T11] head: 05ffc00000000040 ffff0000c0002000 fffffdffc341f000 dead000000000002
[ 117.380147][ T11] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 117.380163][ T11] head: 05ffc00000000003 fffffdffc3a9b801 00000000ffffffff 00000000ffffffff
[ 117.380179][ T11] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 117.380191][ T11] page dumped because: kasan: bad access detected
[ 117.380202][ T11]
[ 117.380210][ T11] Memory state around the buggy address:
[ 117.380222][ T11] ffff0000ea6e7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 117.380236][ T11] ffff0000ea6e7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 117.380250][ T11] >ffff0000ea6e7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 117.380261][ T11] ^
[ 117.380273][ T11] ffff0000ea6e7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 117.380287][ T11] ffff0000ea6e7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 117.380299][ T11] ==================================================================
[ 117.380312][ T11] Disabling lock debugging due to kernel taint
[ 117.380339][ T11] Unable to handle kernel paging request at virtual address dfff800000000005
[ 117.380357][ T11] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 117.380375][ T11] Mem abort info:
[ 117.380389][ T11] ESR = 0x0000000096000005
[ 117.380404][ T11] EC = 0x25: DABT (current EL), IL = 32 bits
[ 117.380421][ T11] SET = 0, FnV = 0
[ 117.380436][ T11] EA = 0, S1PTW = 0
[ 117.380452][ T11] FSC = 0x05: level 1 translation fault
[ 117.380467][ T11] Data abort info:
[ 117.380481][ T11] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 117.380497][ T11] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 117.380514][ T11] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 117.380532][ T11] [dfff800000000005] address between user and kernel address ranges
[ 117.380550][ T11] Internal error: Oops: 0000000096000005 [#1] SMP
[ 117.567700][ T11] Modules linked in:
[ 117.568784][ T11] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Tainted: G B 6.16.0-rc2-syzkaller-00009-g9aa9b43d689e #0 PREEMPT
[ 117.572380][ T11] Tainted: [B]=BAD_PAGE
[ 117.573636][ T11] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 117.576389][ T11] Workqueue: events request_firmware_work_func
[ 117.578103][ T11] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 117.580247][ T11] pc : load_firmware_cb+0x22c/0x14f4
[ 117.581744][ T11] lr : load_firmware_cb+0xe0/0x14f4
[ 117.583162][ T11] sp : ffff800097a37880
[ 117.584330][ T11] x29: ffff800097a379d0 x28: 1ffff00011ec629b x27: 0000000000000000
[ 117.586534][ T11] x26: dfff800000000000 x25: ffff700012f46f24 x24: 1fffe0001d4dce63
[ 117.588774][ T11] x23: ffff800097a37920 x22: 0000000000000000 x21: 0000000000000000
[ 117.591080][ T11] x20: 0000000000000000 x19: ffff0000ea6e7318 x18: 00000000ffffffff
[ 117.593368][ T11] x17: 0000000000000000 x16: ffff80008aecb65c x15: 0000000000000001
[ 117.595605][ T11] x14: 1ffff000125d0af8 x13: 0000000000000000 x12: 0000000000000000
[ 117.597785][ T11] x11: ffff7000125d0af9 x10: 0000000000ff0100 x9 : 0000000000000000
[ 117.600014][ T11] x8 : 0000000000000005 x7 : 0000000000000001 x6 : 0000000000000001
[ 117.602271][ T11] x5 : ffff800097a370f8 x4 : ffff80008f727060 x3 : ffff8000803b70c8
[ 117.604488][ T11] x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000028
[ 117.606841][ T11] Call trace:
[ 117.607806][ T11] load_firmware_cb+0x22c/0x14f4 (P)
[ 117.609373][ T11] request_firmware_work_func+0xe8/0x19c
[ 117.610920][ T11] process_one_work+0x7e8/0x155c
[ 117.612266][ T11] worker_thread+0x958/0xed8
[ 117.613486][ T11] kthread+0x5fc/0x75c
[ 117.614641][ T11] ret_from_fork+0x10/0x20
[ 117.615920][ T11] Code: b5fff65b f9403bf6 9100a2c0 d343fc08 (387a6908)
[ 117.617818][ T11] ---[ end trace 0000000000000000 ]---
[ 117.980488][ T11] Kernel panic - not syncing: Oops: Fatal exception
[ 117.982363][ T11] SMP: stopping secondary CPUs
[ 117.983653][ T11] Kernel Offset: disabled
[ 117.984853][ T11] CPU features: 0x2000,000081c0,020004a1,04017203
[ 117.986654][ T11] Memory Limit: none
[ 118.349430][ T11] Rebooting in 86400 seconds..