Warning: Permanently added '10.128.1.7' (ED25519) to the list of known hosts.
1970/01/01 00:00:53 parsed 1 programs
Setting up swapspace version 1, size = 127995904 bytes
[ 54.598376][ T5048] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 58.586903][ T5065] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.586978][ T5065] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.587028][ T5065] bridge_slave_0: entered allmulticast mode
[ 58.587444][ T5065] bridge_slave_0: entered promiscuous mode
[ 58.588778][ T5065] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.588828][ T5065] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.588872][ T5065] bridge_slave_1: entered allmulticast mode
[ 58.589285][ T5065] bridge_slave_1: entered promiscuous mode
[ 58.602868][ T5065] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 58.603813][ T5065] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 58.611429][ T5065] team0: Port device team_slave_0 added
[ 58.612110][ T5065] team0: Port device team_slave_1 added
[ 58.619649][ T5065] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 58.619670][ T5065] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 58.619693][ T5065] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 58.620175][ T5065] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 58.620187][ T5065] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 58.620205][ T5065] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 58.637975][ T5065] hsr_slave_0: entered promiscuous mode
[ 58.639613][ T5065] hsr_slave_1: entered promiscuous mode
[ 59.046361][ T5065] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 59.049300][ T5065] 8021q: adding VLAN 0 to HW filter on device netdevsim0
[ 59.051025][ T5065] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 59.053243][ T5065] 8021q: adding VLAN 0 to HW filter on device netdevsim1
[ 59.055038][ T5065] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 59.057371][ T5065] 8021q: adding VLAN 0 to HW filter on device netdevsim2
[ 59.059146][ T5065] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 59.061214][ T5065] 8021q: adding VLAN 0 to HW filter on device netdevsim3
[ 59.071109][ T5065] bridge0: port 2(bridge_slave_1) entered blocking state
[ 59.071156][ T5065] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 59.071250][ T5065] bridge0: port 1(bridge_slave_0) entered blocking state
[ 59.071289][ T5065] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 59.092370][ T5065] 8021q: adding VLAN 0 to HW filter on device bond0
[ 59.096844][ T5065] 8021q: adding VLAN 0 to HW filter on device team0
[ 59.100695][ T3024] bridge0: port 1(bridge_slave_0) entered disabled state
[ 59.102032][ T3024] bridge0: port 2(bridge_slave_1) entered disabled state
[ 59.116626][ T3024] bridge0: port 1(bridge_slave_0) entered blocking state
[ 59.116674][ T3024] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 59.117007][ T3024] bridge0: port 2(bridge_slave_1) entered blocking state
[ 59.117025][ T3024] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 59.219956][ T5065] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 59.235207][ T5065] veth0_vlan: entered promiscuous mode
[ 59.241633][ T5065] veth1_vlan: entered promiscuous mode
[ 59.249405][ T5065] veth0_macvtap: entered promiscuous mode
[ 59.252459][ T5065] veth1_macvtap: entered promiscuous mode
[ 59.257139][ T5065] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 59.262840][ T5065] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 59.268423][ T3024] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 59.268641][ T3024] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 59.268659][ T3024] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 59.268677][ T3024] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 59.386774][ T3024] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 59.469611][ T3024] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 59.526795][ T50] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 59.527142][ T50] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 59.527337][ T50] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 59.527638][ T50] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 59.527934][ T50] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 59.546666][ T3024] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 59.619795][ T3024] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 59.847287][ T3083] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 59.847319][ T3083] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 59.857596][ T3083] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 59.857628][ T3083] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
1970/01/01 00:01:00 executed programs: 0
[ 60.354724][ T50] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 60.356260][ T50] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 60.357148][ T50] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 60.357485][ T50] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 60.357704][ T50] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 60.494649][ T5315] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.494694][ T5315] bridge0: port 1(bridge_slave_0) entered disabled state
[ 60.495194][ T5315] bridge_slave_0: entered allmulticast mode
[ 60.495706][ T5315] bridge_slave_0: entered promiscuous mode
[ 60.496511][ T5315] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.496529][ T5315] bridge0: port 2(bridge_slave_1) entered disabled state
[ 60.496587][ T5315] bridge_slave_1: entered allmulticast mode
[ 60.497010][ T5315] bridge_slave_1: entered promiscuous mode
[ 60.507980][ T5315] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 60.509694][ T5315] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 60.517129][ T5315] team0: Port device team_slave_0 added
[ 60.518889][ T5315] team0: Port device team_slave_1 added
[ 60.525765][ T5315] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 60.526088][ T5315] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 60.526355][ T5315] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 60.527457][ T5315] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 60.527465][ T5315] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 60.527478][ T5315] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 60.549694][ T5315] hsr_slave_0: entered promiscuous mode
[ 60.550039][ T5315] hsr_slave_1: entered promiscuous mode
[ 60.550257][ T5315] debugfs: 'hsr0' already exists in 'hsr'
[ 60.550267][ T5315] Cannot create hsr debugfs directory
[ 62.407941][ T4699] Bluetooth: hci0: command tx timeout
[ 63.017870][ T3024] bridge_slave_1: left allmulticast mode
[ 63.017903][ T3024] bridge_slave_1: left promiscuous mode
[ 63.018016][ T3024] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.021655][ T3024] bridge_slave_0: left allmulticast mode
[ 63.021680][ T3024] bridge_slave_0: left promiscuous mode
[ 63.021741][ T3024] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.143298][ T3024] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 63.179071][ T3024] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 63.198676][ T3024] bond0 (unregistering): Released all slaves
[ 63.263726][ T3024] hsr_slave_0: left promiscuous mode
[ 63.264019][ T3024] hsr_slave_1: left promiscuous mode
[ 63.265344][ T3024] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 63.265358][ T3024] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 63.266511][ T3024] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 63.266522][ T3024] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 63.273919][ T3024] veth1_macvtap: left promiscuous mode
[ 63.273955][ T3024] veth0_macvtap: left promiscuous mode
[ 63.273987][ T3024] veth1_vlan: left promiscuous mode
[ 63.274011][ T3024] veth0_vlan: left promiscuous mode
[ 63.368320][ T3024] team0 (unregistering): Port device team_slave_1 removed
[ 63.372276][ T3024] team0 (unregistering): Port device team_slave_0 removed
[ 63.430856][ T4362] 8021q: adding VLAN 0 to HW filter on device eth0
[ 63.677358][ T5315] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 63.678900][ T5315] 8021q: adding VLAN 0 to HW filter on device netdevsim0
[ 63.679315][ T5315] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 63.681056][ T5315] 8021q: adding VLAN 0 to HW filter on device netdevsim1
[ 63.682884][ T5315] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 63.685259][ T5315] 8021q: adding VLAN 0 to HW filter on device netdevsim2
[ 63.686863][ T5315] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 63.691742][ T5315] 8021q: adding VLAN 0 to HW filter on device netdevsim3
[ 63.718858][ T5315] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.724430][ T5315] 8021q: adding VLAN 0 to HW filter on device team0
[ 63.728525][ T3083] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.728575][ T3083] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.729307][ T3083] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.729326][ T3083] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.043013][ T5315] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 64.056181][ T5315] veth0_vlan: entered promiscuous mode
[ 64.062668][ T5315] veth1_vlan: entered promiscuous mode
[ 64.082035][ T5315] veth0_macvtap: entered promiscuous mode
[ 64.083108][ T5315] veth1_macvtap: entered promiscuous mode
[ 64.086287][ T5315] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 64.087623][ T5315] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 64.089742][ T3083] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.089981][ T3083] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.090066][ T3083] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.090122][ T3083] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.113861][ T39] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 64.113883][ T39] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 64.160687][ T39] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 64.160720][ T39] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 64.417911][ T5211] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 64.487857][ T4699] Bluetooth: hci0: command tx timeout
[ 64.488858][ T1574] ieee802154 phy0 wpan0: encryption failed: -22
[ 64.488894][ T1574] ieee802154 phy1 wpan1: encryption failed: -22
[ 64.490356][ T24] cfg80211: failed to load regulatory.db
[ 64.569559][ T5211] usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x82 has invalid wMaxPacketSize 0
[ 64.571119][ T5211] usb 1-1: New USB device found, idVendor=eb1a, idProduct=e303, bcdDevice=fc.a0
[ 64.571132][ T5211] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 64.571141][ T5211] usb 1-1: Product: syz
[ 64.571147][ T5211] usb 1-1: Manufacturer: syz
[ 64.571153][ T5211] usb 1-1: SerialNumber: syz
[ 64.573393][ T5211] usb 1-1: config 0 descriptor??
[ 64.577124][ T5211] em28xx 1-1:0.0: New device syz syz @ 480 Mbps (eb1a:e303, interface 0, class 0)
[ 64.577140][ T5211] em28xx 1-1:0.0: Video interface 0 found:
[ 64.838337][ T5211] em28xx 1-1:0.0: unknown em28xx chip ID (0)
[ 64.934666][ T5211] em28xx 1-1:0.0: reading from i2c device at 0xa0 failed (error=-5)
[ 64.934699][ T5211] em28xx 1-1:0.0: board has no eeprom
[ 64.987792][ T5211] em28xx 1-1:0.0: Identified as Kaiomy TVnPC U2 (card=63)
[ 64.987821][ T5211] em28xx 1-1:0.0: analog set to bulk mode.
[ 64.990893][ T24] em28xx 1-1:0.0: Registering V4L2 extension
[ 64.992012][ T5211] usb 1-1: USB disconnect, device number 2
[ 64.992696][ T5211] em28xx 1-1:0.0: Disconnecting em28xx
[ 65.006878][ T24] i2c i2c-1: Invalid 7-bit I2C address 0x00
[ 65.015845][ T24] tuner: 1-0061: Tuner -1 found with type(s) Radio TV.
[ 65.016339][ T24] xc2028 1-0061: creating new instance
[ 65.016349][ T24] xc2028 1-0061: type set to XCeive xc2028/xc3028 tuner
[ 65.016467][ T24] em28xx 1-1:0.0: Config register raw data: 0xffffffed
[ 65.016475][ T24] em28xx 1-1:0.0: AC97 chip type couldn't be determined
[ 65.016481][ T24] em28xx 1-1:0.0: No AC97 audio processor
[ 65.019634][ T24] em28xx 1-1:0.0: Registered radio device as radio2
[ 65.019657][ T24] usb 1-1: Decoder not found
[ 65.019663][ T24] em28xx 1-1:0.0: failed to create media graph
[ 65.019680][ T24] em28xx 1-1:0.0: V4L2 device radio2 deregistered
[ 65.020756][ T24] em28xx 1-1:0.0: V4L2 device video11 deregistered
[ 65.021787][ T24] xc2028 1-0061: destroying instance
[ 65.022678][ T24] em28xx 1-1:0.0: Registering input extension
[ 65.022921][ T5211] em28xx 1-1:0.0: Closing input extension
[ 65.029960][ T5211] em28xx 1-1:0.0: Freeing device
[ 65.035507][ T24] usb 1-1:0.0: Direct firmware l
** replaying previous printk message **
[ 65.035507][ T24] usb 1-1:0.0: Direct firmware load for xc3028-v27.fw failed with error -2
[ 65.035548][ T24] usb 1-1:0.0: Falling back to sysfs fallback for: xc3028-v27.fw
[ 65.035591][ T24] kobject: kobject_add_internal failed for firmware (error: -2 parent: 1-1:0.0)
[ 65.035609][ T24] firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
[ 65.035639][ T24] ==================================================================
[ 65.035643][ T24] BUG: KASAN: slab-use-after-free in load_firmware_cb+0xa0/0x14b8
[ 65.035658][ T24] Read of size 8 at addr ffff0000ddab4318 by task kworker/1:0/24
[ 65.035664][ T24]
[ 65.035669][ T24] CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0 Not tainted syzkaller #0 PREEMPT
[ 65.035677][ T24] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 65.035681][ T24] Workqueue: events request_firmware_work_func
[ 65.035693][ T24] Call trace:
[ 65.035695][ T24] show_stack+0x2c/0x3c (C)
[ 65.035707][ T24] __dump_stack+0x30/0x40
[ 65.035715][ T24] dump_stack_lvl+0xd8/0x12c
[ 65.035724][ T24] print_address_description+0xb0/0x238
[ 65.035734][ T24] print_report+0x68/0x84
[ 65.035743][ T24] kasan_report+0x8c/0xc4
[ 65.035752][ T24] __asan_report_load8_noabort+0x20/0x2c
[ 65.035761][ T24] load_firmware_cb+0xa0/0x14b8
[ 65.035769][ T24] request_firmware_work_func+0xe8/0x19c
[ 65.035777][ T24] process_scheduled_works+0x79c/0x1098
[ 65.035786][ T24] worker_thread+0x754/0xba0
[ 65.035793][ T24] kthread+0x2f8/0x3c8
[ 65.035803][ T24] ret_from_fork+0x10/0x20
[ 65.035812][ T24]
[ 65.035814][ T24] Allocated by task 24:
[ 65.035818][ T24] kasan_save_track+0x40/0x78
[ 65.035824][ T24] kasan_save_alloc_info+0x44/0x54
[ 65.035832][ T24] __kasan_kmalloc+0x9c/0xb4
[ 65.035838][ T24] __kmalloc_cache_noprof+0x2d4/0x624
[ 65.035845][ T24] tuner_probe+0xc8/0x12e4
[ 65.035851][ T24] i2c_device_probe+0x72c/0xa10
[ 65.035859][ T24] really_probe+0x2a8/0x7e8
[ 65.035866][ T24] __driver_probe_device+0x1e0/0x33c
[ 65.035873][ T24] driver_probe_device+0x6c/0x19c
[ 65.035880][ T24] __device_attach_driver+0x194/0x2f4
[ 65.035887][ T24] bus_for_each_drv+0x144/0x1dc
[ 65.035893][ T24] __device_attach+0x250/0x394
[ 65.035899][ T24] device_initial_probe+0x90/0xcc
[ 65.035906][ T24] bus_probe_device+0x58/0x120
[ 65.035911][ T24] device_add+0x6c4/0x9e4
[ 65.035919][ T24] device_register+0x28/0x38
[ 65.035926][ T24] i2c_new_client_device+0x598/0xac8
[ 65.035933][ T24] v4l2_i2c_new_subdev_board+0xa8/0x214
[ 65.035939][ T24] v4l2_i2c_new_subdev+0x144/0x1d4
[ 65.035944][ T24] em28xx_v4l2_init+0x6b8/0x24fc
[ 65.035951][ T24] em28xx_init_extension+0x10c/0x1b4
[ 65.035957][ T24] request_module_async+0x68/0x98
[ 65.035963][ T24] process_scheduled_works+0x79c/0x1098
[ 65.035969][ T24] worker_thread+0x754/0xba0
[ 65.035975][ T24] kthread+0x2f8/0x3c8
[ 65.035983][ T24] ret_from_fork+0x10/0x20
[ 65.035991][ T24]
[ 65.035992][ T24] Freed by task 24:
[ 65.035995][ T24] kasan_save_track+0x40/0x78
[ 65.036001][ T24] kasan_save_free_info+0x58/0x70
[ 65.036009][ T24] __kasan_slab_free+0x74/0xa4
[ 65.036015][ T24] kfree+0x188/0x690
[ 65.036020][ T24] tuner_remove+0x140/0x15c
[ 65.036026][ T24] i2c_device_remove+0x8c/0x1f0
[ 65.036032][ T24] device_remove+0xc4/0x134
[ 65.036039][ T24] device_release_driver_internal+0x124/0x208
[ 65.036046][ T24] device_release_driver+0x28/0x38
[ 65.036053][ T24] bus_remove_device+0x2d0/0x3f8
[ 65.036059][ T24] device_del+0x3f0/0x710
[ 65.036066][ T24] device_unregister+0x2c/0xf0
[ 65.036074][ T24] i2c_unregister_device+0x1ac/0x204
[ 65.036081][ T24] v4l2_i2c_subdev_unregister+0x68/0x78
[ 65.036087][ T24] v4l2_device_unregister+0x184/0x228
[ 65.036092][ T24] em28xx_v4l2_init+0xfc8/0x24fc
[ 65.036098][ T24] em28xx_init_extension+0x10c/0x1b4
[ 65.036104][ T24] request_module_async+0x68/0x98
[ 65.036110][ T24] process_scheduled_works+0x79c/0x1098
[ 65.036116][ T24] worker_thread+0x754/0xba0
[ 65.036122][ T24] kthread+0x2f8/0x3c8
[ 65.036130][ T24] ret_from_fork+0x10/0x20
[ 65.036138][ T24]
[ 65.036139][ T24] The buggy address belongs to the object at ffff0000ddab4000
[ 65.036139][ T24] which belongs to the cache kmalloc-2k of size 2048
[ 65.036145][ T24] The buggy address is located 792 bytes inside of
[ 65.036145][ T24] freed 2048-byte region [ffff0000ddab4000, ffff0000ddab4800)
[ 65.036152][ T24]
[ 65.036154][ T24] The buggy address belongs to the physical page:
[ 65.036158][ T24] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11dab0
[ 65.036164][ T24] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 65.036170][ T24] flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
[ 65.036178][ T24] page_type: f5(slab)
[ 65.036184][ T24] raw: 05ffc00000000040 ffff0000c0002000 dead000000000100 dead000000000122
[ 65.036190][ T24] raw: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000
[ 65.036196][ T24] head: 05ffc00000000040 ffff0000c0002000 dead000000000100 dead000000000122
[ 65.036201][ T24] head: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000
[ 65.036207][ T24] head: 05ffc00000000003 fffffdffc376ac01 00000000ffffffff 00000000ffffffff
[ 65.036212][ T24] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 65.036221][ T24] page dumped because: kasan: bad access detected
[ 65.036224][ T24]
[ 65.036225][ T24] Memory state around the buggy address:
[ 65.036229][ T24] ffff0000ddab4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.036233][ T24] ffff0000ddab4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.036237][ T24] >ffff0000ddab4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.036240][ T24] ^
[ 65.036244][ T24] ffff0000ddab4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.036248][ T24] ffff0000ddab4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.036251][ T24] ==================================================================
[ 65.036255][ T24] Disabling lock debugging due to kernel taint
[ 65.036265][ T24] Unable to handle kernel paging request at virtual address dfff800000000005
[ 65.036270][ T24] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 65.036274][ T24] Mem abort info:
[ 65.036277][ T24] ESR = 0x0000000096000005
[ 65.036280][ T24] EC = 0x25: DABT (current EL), IL = 32 bits
[ 65.036285][ T24] SET = 0, FnV = 0
[ 65.036288][ T24] EA = 0, S1PTW = 0
[ 65.036292][ T24] FSC = 0x05: level 1 translation fault
[ 65.036296][ T24] Data abort info:
[ 65.036298][ T24] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 65.036302][ T24] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 65.036307][ T24] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 65.036312][ T24] [dfff800000000005] address between user and kernel address ranges
[ 65.036318][ T24] Internal error: Oops: 0000000096000005 [#1] SMP
[ 65.143659][ T24] Modules linked in:
[ 65.144287][ T24] CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0 Tainted: G B syzkaller #0 PREEMPT
[ 65.145843][ T24] Tainted: [B]=BAD_PAGE
[ 65.146508][ T24] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 65.147963][ T24] Workqueue: events request_firmware_work_func
[ 65.148836][ T24] pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
[ 65.149938][ T24] pc : load_firmware_cb+0x214/0x14b8
[ 65.150703][ T24] lr : load_firmware_cb+0xc4/0x14b8
[ 65.151462][ T24] sp : ffff80008eae7900
[ 65.152037][ T24] x29: ffff80008eae7a50 x28: ffff80008eae79a0 x27: 0000000000000000
[ 65.153118][ T24] x26: dfff800000000000 x25: ffff700011d5cf34 x24: dfff800000000000
[ 65.154259][ T24] x23: 1fffe0001bb56863 x22: 0000000000000000 x21: 0000000000000000
[ 65.155489][ T24] x20: 0000000000000000 x19: ffff0000ddab4318 x18: 00000000ffffffff
[ 65.156841][ T24] x17: 3d3d3d3d3d3d3d3d x16: 3d3d3d3d3d3d3d3d x15: 3d3d3d3d3d3d3d3d
[ 65.158240][ T24] x14: 3d3d3d3d3d3d3d3d x13: 0000000000000001 x12: 0000000000000000
[ 65.159580][ T24] x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000
[ 65.160896][ T24] x8 : 0000000000000005 x7 : 0000000000000000 x6 : ffff80008047caa0
[ 65.162136][ T24] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800083879d24
[ 65.163353][ T24] x2 : 0000000000000000 x1 : ffff0000c1b2d700 x0 : 0000000000000028
[ 65.164617][ T24] Call trace:
[ 65.165189][ T24] load_firmware_cb+0x214/0x14b8 (P)
[ 65.166016][ T24] request_firmware_work_func+0xe8/0x19c
[ 65.166896][ T24] process_scheduled_works+0x79c/0x1098
[ 65.167768][ T24] worker_thread+0x754/0xba0
[ 65.168526][ T24] kthread+0x2f8/0x3c8
[ 65.169196][ T24] ret_from_fork+0x10/0x20
[ 65.170007][ T24] Code: b5fff63b f9403bf6 9100a2c0 d343fc08 (387a6908)
[ 65.171153][ T24] ---[ end trace 0000000000000000 ]---
[ 65.423925][ T24] Kernel panic - not syncing: Oops: Fatal exception
[ 65.424807][ T24] SMP: stopping secondary CPUs
[ 65.425573][ T24] Kernel Offset: disabled
[ 65.426167][ T24] CPU features: 0x08000000,003c0008,27020501,5427fea7
[ 65.427175][ T24] Memory Limit: none
[ 65.659434][ T24] Rebooting in 86400 seconds..