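program:
# syzkaller reproducer for the KASAN slab-use-after-free reported below
# (6.16.0-rc2-syzkaller, _raw_spin_lock <- lockref_get <- simple_recursive_removal
# <- debugfs_remove <- ieee80211_sta_debugfs_remove <- __sta_info_destroy_part2).
#
# Extraction had stripped the syzlang resource-output markers (they look like
# HTML tags), leaving r3, r6 and r10 referenced but never defined. They are
# restored on the three SIOCGIFINDEX ioctls, the only calls that sit between
# r2/r4, r5/r7 and r9/r11 in the sequential numbering. Calls are reflowed one
# per line, which is the native syz program layout; no call or value changed.
#
# Lifecycle of the freed object, as established by the KASAN report:
#  - allocated by task 5341 (this program): debugfs dentry from
#    ieee80211_sta_debugfs_add <- sta_info_insert <- ieee80211_prep_connection
#    <- ieee80211_mgd_auth <- cfg80211_connect <- nl80211_connect, i.e. one of
#    the NL80211_CMD_CONNECT calls below;
#  - freed via call_rcu from __dentry_kill <- debugfs_remove <-
#    ieee80211_debugfs_recreate_netdev <- drv_remove_interface <-
#    ieee80211_change_mac <- bond_set_mac_address <- rtnl_newlink. That MAC
#    change is NOT issued by this program; the "bond0: (slave wlan1): Enslaving"
#    line suggests it comes from the fuzzer's per-namespace netdev setup
#    running concurrently -- presumably, to be confirmed when reproducing;
#  - used after free by kworker (cfg80211_wiphy_work) when the authentication
#    times out after 3 tries and ieee80211_destroy_auth_data tears down the STA,
#    whose debugfs dir dentry was already dropped with the netdev debugfs dir.
# All nl80211/rtnetlink operations involved need CAP_NET_ADMIN over the
# netns; whether an unprivileged user namespace suffices is not shown here.

sendmmsg$inet(0xffffffffffffffff, &(0x7f0000000cc0)=[{{0x0, 0x0, 0x0, 0x0, &(0x7f0000000200)=[@ip_tos_int={{0x14, 0x0, 0x1, 0x4}}], 0x18}}], 0x1, 0x0)
r0 = socket$inet_tcp(0x2, 0x1, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
# r3 = ifindex of wlan1 (marker restored, see header)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r3=>0x0})
# NL80211_ATTR_IFTYPE=2 -> NL80211_IFTYPE_STATION
sendmsg$NL80211_CMD_SET_INTERFACE(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r2, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
# r6 = ifindex of wlan1 (marker restored, see header)
ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8933, &(0x7f00000002c0)={'wlan1\x00', <r6=>0x0})
# First CONNECT: starts MLME auth, allocates the STA and its debugfs dir.
sendmsg$NL80211_CMD_CONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r5, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r6}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f0000000040)=@device_b, &(0x7f0000000280)=ANY=[@ANYBLOB="50000000080211000001ffffffffffff0802110000000000000000000000000064000100000602020202020201010b"], 0x48)
# 0x2faf080 ns = 50 ms pause; gives the auth state machine time to advance.
nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0)
r7 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r7, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0)
r8 = socket$nl_generic(0x10, 0x3, 0x10)
r9 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
# r10 = ifindex of wlan1 (marker restored, see header)
ioctl$sock_SIOCGIFINDEX_80211(r8, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r10=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r8, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r9, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r10}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
# Second CONNECT: the log shows the first auth aborted ("by local choice")
# and a new auth started with the bond-assigned local address aa:aa:aa:aa:aa:17.
sendmsg$NL80211_CMD_CONNECT(r8, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000a00)={0x28, r9, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r10}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}}, 0x0)
r11 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r11, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)=[{&(0x7f0000000040)="2e00000010008108040f80ecdb4cb92e0a480e000f000000e8bd6efb250314000e000100240248ff05000500", 0x2c}, {&(0x7f00000019c0)="06bb", 0x2}], 0x2}, 0x0)
# Injected auth response and raw mgmt frames; none of them completes the
# authentication (log: "send auth ... (try 1/3)".."(try 3/3)", then timeout).
syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000400)=@mgmt_frame=@auth={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x1}}, 0x0, 0x2, 0x0, @void}, 0x1e)
syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000440)=ANY=[@ANYBLOB="10000000080211000001080211000000080211000000200004a000000c0001"], 0x3c)
r12 = socket$nl_generic(0x10, 0x3, 0x10)
r13 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000380), 0xffffffffffffffff)
# NL80211_ATTR_MAC with len 0xa is what triggers
# "attribute type 10 has an invalid length" in the log; the command is rejected.
sendmsg$NL80211_CMD_TDLS_MGMT(r12, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000440)={&(0x7f0000000740)={0x44, r13, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_STATUS_CODE={0x6, 0x48, 0x52}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_IE={0x4}, @NL80211_ATTR_TDLS_DIALOG_TOKEN={0x5, 0x89, 0x3}, @NL80211_ATTR_TDLS_ACTION={0x5, 0x88, 0x3}]}, 0x44}}, 0x0)
# Injected A-MSDU data frame (4 sub-frames, random payloads); not on the
# reported stacks, likely fuzzer noise kept by minimisation.
syz_80211_inject_frame(&(0x7f0000000000)=@device_b, &(0x7f00000007c0)=@data_frame={@msdu=@type00={{0x0, 0x2, 0x8, 0x0, 0x0, 0x1, 0x1, 0x0, 0x0, 0x0, 0x1}, {0xf}, @device_a, @device_b, @initial, {0x1, 0x9a}, "", @value={0x0, 0x0, 0x2}, @value=@ver_80211n={0x0, 0x3, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x1}}, @a_msdu=[{@device_b, @device_b, 0x91, "eaf8fb0a08af54cf9d8c60be270baefbfd8e14a97546d21b7e7206646171569ca94f110a753fc7a6d850b4904a1b5e71b55202127f43f1b867e88f7e61633e81936b3bb0d2ec28300bb0584f8c3d531efa5108f7f670925668755f0b5cc8a76a37a4043f5aa0d6589019881bd88d057ce4a1260532659686e8d56c8610f61cc83b1816720c8a3cd75dce682ce3ab506166"}, {@device_b, @broadcast, 0xc4, "dae2b989560071dcd7033ddaf47c13bda7f66ec1b5e87b96a50df6c80b840082ad20bb310a211b4f9885e15dd5c2de03ddf4f84906aac52977ad2889cc8517901e004c973dcbdbfaf6cc53e857060af6fdd8684ee2cf85c50ff0e87baa48704cbd03fcfe896775ed391bda65cdbd8d44b54644ea272eaeb600769910b896de16729cf0286f08bbd44203d5cdab38e2735827d7e211cb657fda4b35b05fd46080f3d833ad64b8ccb5dd02fe7e16e2969bde9fed6c8cd5783bc11de46324d39bf46fec4557"}, {@device_b, @device_b, 0xa9, "f959dfd93ee4e30abb27b5d6db51f9d806c80076271126fb9a044a364e577686b4d2d71bee20438d60eeacece7740e7e74519598a6ea5710975e93a3ca6f3cdb04ba5aa9353ca93740e1b37af16c31e7ec991585f09b3b88146da2dad7d3e9c01fcd3b8cd19c7d6e8640c4b24f74361ff68e7c22e77056a127d531484ad310509e03b1f9f2669ae8647b7b377993d3481507e8f7e62e0766a6a0a8ea3c3caa0a5294e0fbb573e5b67f"}, {@device_b, @device_a, 0x27, "981a8705fbb9e04b9b2cd7160ac4aefe99abdcc7b74c320052d0934fb15e8ddb18ed6f3e04f0c9"}]}, 0x282)
r14 = socket$nl_generic(0x10, 0x3, 0x10)
# Note: despite the $SIOCBRDELBR name, 0x89a2/0x89a3 are the SIOCBRADDIF /
# SIOCBRDELIF request numbers (the fuzzer mutated the cmd); matches the
# bridge0 port 3(gretap0) add/remove lines in the log. Not on the UAF path.
ioctl$sock_SIOCBRDELBR(r14, 0x89a2, &(0x7f0000000200)='bridge0\x00')
ioctl$sock_SIOCBRDELBR(r0, 0x89a3, &(0x7f0000000200)='bridge0\x00')
[ 160.745047][ T1317] ieee802154 phy0 wpan0: encryption failed: -22 [ 160.748422][ T1317] ieee802154 phy1 wpan1: encryption failed: -22 [ 160.752757][ T5320] Bluetooth: hci0: command tx timeout [ 160.998913][ T5341] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 161.026978][ T55] wlan1: No basic rates, using min rate instead [ 161.031536][ T55] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 161.036208][ T55] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 161.057919][ T5341] netlink: 'syz.0.0': attribute type 10 has an invalid length. 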
[ 161.061531][ T5341] wlan1: aborting authentication with 08:02:11:00:00:00 by local choice (Reason: 3=DEAUTH_LEAVING) [ 161.081991][ T5341] bond0: (slave wlan1): Enslaving as an active interface with an up link [ 161.090082][ T5341] wlan1: No basic rates, using min rate instead [ 161.098535][ T5341] wlan1: authenticate with 08:02:11:00:00:00 (local address=aa:aa:aa:aa:aa:17) [ 161.104565][ T5341] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 161.118877][ T5341] bond0: entered promiscuous mode [ 161.120991][ T5341] bond_slave_0: entered promiscuous mode [ 161.123425][ T5341] bond_slave_1: entered promiscuous mode [ 161.126622][ T5341] mac80211_hwsim hwsim3 wlan1: entered promiscuous mode [ 161.136836][ T5341] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 161.142788][ T5341] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 161.151355][ T5341] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 161.159134][ T5341] bridge0: port 3(gretap0) entered blocking state [ 161.162487][ T5341] bridge0: port 3(gretap0) entered disabled state [ 161.165837][ T5341] gretap0: entered allmulticast mode [ 161.169994][ T5341] gretap0: entered promiscuous mode [ 161.173368][ T5341] bridge0: port 3(gretap0) entered blocking state [ 161.177114][ T5341] bridge0: port 3(gretap0) entered forwarding state [ 161.183367][ T5341] gretap0: left allmulticast mode [ 161.186836][ T5341] gretap0: left promiscuous mode [ 161.189999][ T5341] bridge0: port 3(gretap0) entered disabled state [ 161.214246][ T12] wlan1: send auth to 08:02:11:00:00:00 (try 2/3) [ 161.324210][ T13] wlan1: send auth to 08:02:11:00:00:00 (try 3/3) [ 161.433774][ T1037] wlan1: authentication with 08:02:11:00:00:00 timed out [ 161.438316][ T1037] ================================================================== [ 161.443044][ T1037] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 [ 161.446503][ 
T1037] Read of size 1 at addr ffff88804cccaf80 by task kworker/u4:7/1037 [ 161.449915][ T1037] [ 161.450990][ T1037] CPU: 0 UID: 0 PID: 1037 Comm: kworker/u4:7 Not tainted 6.16.0-rc2-syzkaller-00162-g41687a5c6f8b #0 PREEMPT(full) [ 161.451006][ T1037] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 161.451013][ T1037] Workqueue: events_unbound cfg80211_wiphy_work [ 161.451069][ T1037] Call Trace: [ 161.451075][ T1037] [ 161.451081][ T1037] dump_stack_lvl+0x189/0x250 [ 161.451098][ T1037] ? rcu_is_watching+0x15/0xb0 [ 161.451112][ T1037] ? __kasan_check_byte+0x12/0x40 [ 161.451150][ T1037] ? __pfx_dump_stack_lvl+0x10/0x10 [ 161.451163][ T1037] ? rcu_is_watching+0x15/0xb0 [ 161.451177][ T1037] ? lock_release+0x4b/0x3e0 [ 161.451191][ T1037] ? _raw_spin_lock_irqsave+0xb3/0xf0 [ 161.451206][ T1037] ? __virt_addr_valid+0x1c8/0x5c0 [ 161.451218][ T1037] ? __virt_addr_valid+0x4a5/0x5c0 [ 161.451228][ T1037] print_report+0xd2/0x2b0 [ 161.451241][ T1037] ? _raw_spin_lock+0x2e/0x40 [ 161.451251][ T1037] kasan_report+0x118/0x150 [ 161.451260][ T1037] ? _raw_spin_lock+0x2e/0x40 [ 161.451273][ T1037] ? lockref_get+0x15/0x60 [ 161.451288][ T1037] __kasan_check_byte+0x2a/0x40 [ 161.451297][ T1037] lock_acquire+0x8d/0x360 [ 161.451311][ T1037] ? do_raw_spin_lock+0x121/0x290 [ 161.451323][ T1037] _raw_spin_lock+0x2e/0x40 [ 161.451335][ T1037] ? lockref_get+0x15/0x60 [ 161.451346][ T1037] lockref_get+0x15/0x60 [ 161.451358][ T1037] simple_recursive_removal+0x35/0x690 [ 161.451374][ T1037] ? mntput+0x65/0xc0 [ 161.451404][ T1037] ? __pfx_remove_one+0x10/0x10 [ 161.451416][ T1037] debugfs_remove+0x5b/0x70 [ 161.451425][ T1037] ieee80211_sta_debugfs_remove+0x40/0x70 [ 161.451448][ T1037] __sta_info_destroy_part2+0x352/0x450 [ 161.451461][ T1037] sta_info_destroy_addr+0xf5/0x140 [ 161.451471][ T1037] ieee80211_destroy_auth_data+0x12d/0x260 [ 161.451484][ T1037] ieee80211_sta_work+0x11cf/0x3600 [ 161.451494][ T1037] ? 
__lock_acquire+0xab9/0xd20 [ 161.451511][ T1037] ? __lock_acquire+0xab9/0xd20 [ 161.451530][ T1037] ? __lock_acquire+0xab9/0xd20 [ 161.451542][ T1037] ? __pfx_ieee80211_sta_work+0x10/0x10 [ 161.451554][ T1037] ? do_raw_spin_lock+0x121/0x290 [ 161.451566][ T1037] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 161.451579][ T1037] ? lockdep_hardirqs_on+0x9c/0x150 [ 161.451594][ T1037] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 161.451606][ T1037] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 161.451619][ T1037] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 161.451631][ T1037] ? skb_dequeue+0x10e/0x150 [ 161.451641][ T1037] ? ieee80211_iface_work+0xcdb/0xfe0 [ 161.451657][ T1037] ? ieee80211_iface_work+0xeef/0xfe0 [ 161.451670][ T1037] ? rcu_is_watching+0x15/0xb0 [ 161.451685][ T1037] cfg80211_wiphy_work+0x2dc/0x460 [ 161.451696][ T1037] ? process_scheduled_works+0x9ef/0x17b0 [ 161.451711][ T1037] process_scheduled_works+0xae1/0x17b0 [ 161.451731][ T1037] ? __pfx_process_scheduled_works+0x10/0x10 [ 161.451748][ T1037] worker_thread+0x8a0/0xda0 [ 161.451762][ T1037] kthread+0x70e/0x8a0 [ 161.451774][ T1037] ? __pfx_worker_thread+0x10/0x10 [ 161.451788][ T1037] ? __pfx_kthread+0x10/0x10 [ 161.451798][ T1037] ? _raw_spin_unlock_irq+0x23/0x50 [ 161.451811][ T1037] ? lockdep_hardirqs_on+0x9c/0x150 [ 161.451823][ T1037] ? __pfx_kthread+0x10/0x10 [ 161.451833][ T1037] ret_from_fork+0x3f9/0x770 [ 161.451849][ T1037] ? __pfx_ret_from_fork+0x10/0x10 [ 161.451863][ T1037] ? 
__pfx_kthread+0x10/0x10 [ 161.451873][ T1037] ret_from_fork_asm+0x1a/0x30 [ 161.451888][ T1037] [ 161.451892][ T1037] [ 161.580846][ T1037] Allocated by task 5341: [ 161.582641][ T1037] kasan_save_track+0x3e/0x80 [ 161.584491][ T1037] __kasan_slab_alloc+0x6c/0x80 [ 161.586516][ T1037] kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 [ 161.588889][ T1037] __d_alloc+0x31/0x6f0 [ 161.590629][ T1037] d_alloc_parallel+0xe0/0x14e0 [ 161.592320][ T1037] __lookup_slow+0x116/0x3d0 [ 161.593979][ T1037] start_creating+0x22e/0x3c0 [ 161.595632][ T1037] debugfs_create_dir+0x28/0x420 [ 161.597719][ T1037] ieee80211_sta_debugfs_add+0x12c/0x850 [ 161.600301][ T1037] sta_info_insert_rcu+0xfac/0x1940 [ 161.602630][ T1037] sta_info_insert+0x16/0xc0 [ 161.604673][ T1037] ieee80211_prep_connection+0x10cd/0x1600 [ 161.607017][ T1037] ieee80211_mgd_auth+0xee3/0x1770 [ 161.608864][ T1037] cfg80211_mlme_auth+0x62f/0x9c0 [ 161.610643][ T1037] cfg80211_conn_do_work+0x501/0xd10 [ 161.612769][ T1037] cfg80211_connect+0x1862/0x21a0 [ 161.614995][ T1037] nl80211_connect+0x17bc/0x1cd0 [ 161.617261][ T1037] genl_family_rcv_msg_doit+0x212/0x300 [ 161.619660][ T1037] genl_rcv_msg+0x60e/0x790 [ 161.621722][ T1037] netlink_rcv_skb+0x205/0x470 [ 161.623889][ T1037] genl_rcv+0x28/0x40 [ 161.625681][ T1037] netlink_unicast+0x758/0x8d0 [ 161.627863][ T1037] netlink_sendmsg+0x805/0xb30 [ 161.630062][ T1037] __sock_sendmsg+0x219/0x270 [ 161.632058][ T1037] ____sys_sendmsg+0x505/0x830 [ 161.633920][ T1037] ___sys_sendmsg+0x21f/0x2a0 [ 161.635746][ T1037] __x64_sys_sendmsg+0x19b/0x260 [ 161.637872][ T1037] do_syscall_64+0xfa/0x3b0 [ 161.639633][ T1037] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 161.641992][ T1037] [ 161.642877][ T1037] Freed by task 15: [ 161.644516][ T1037] kasan_save_track+0x3e/0x80 [ 161.646959][ T1037] kasan_save_free_info+0x46/0x50 [ 161.649205][ T1037] __kasan_slab_free+0x62/0x70 [ 161.651329][ T1037] kmem_cache_free+0x18f/0x400 [ 161.653451][ T1037] rcu_core+0xca5/0x1710 [ 161.655036][ T1037] 
handle_softirqs+0x286/0x870 [ 161.657031][ T1037] run_ksoftirqd+0x9b/0x100 [ 161.659025][ T1037] smpboot_thread_fn+0x53f/0xa60 [ 161.661217][ T1037] kthread+0x70e/0x8a0 [ 161.663066][ T1037] ret_from_fork+0x3f9/0x770 [ 161.665173][ T1037] ret_from_fork_asm+0x1a/0x30 [ 161.667361][ T1037] [ 161.668637][ T1037] Last potentially related work creation: [ 161.671695][ T1037] kasan_save_stack+0x3e/0x60 [ 161.674204][ T1037] kasan_record_aux_stack+0xbd/0xd0 [ 161.677096][ T1037] call_rcu+0x142/0x990 [ 161.679287][ T1037] __dentry_kill+0x4d2/0x660 [ 161.681621][ T1037] dput+0x19f/0x2b0 [ 161.683619][ T1037] find_next_child+0x1e5/0x250 [ 161.685954][ T1037] simple_recursive_removal+0xf4/0x690 [ 161.688423][ T1037] debugfs_remove+0x5b/0x70 [ 161.690442][ T1037] ieee80211_debugfs_recreate_netdev+0xbf/0x1460 [ 161.693866][ T1037] drv_remove_interface+0x1fa/0x590 [ 161.696221][ T1037] ieee80211_change_mac+0x912/0x12c0 [ 161.698844][ T1037] netif_set_mac_address+0x2f9/0x4c0 [ 161.701575][ T1037] dev_set_mac_address+0x12b/0x260 [ 161.704044][ T1037] bond_set_mac_address+0x26c/0x7b0 [ 161.706507][ T1037] netif_set_mac_address+0x2f9/0x4c0 [ 161.708917][ T1037] do_setlink+0x88c/0x41c0 [ 161.710886][ T1037] rtnl_newlink+0x160b/0x1c70 [ 161.712969][ T1037] rtnetlink_rcv_msg+0x7cf/0xb70 [ 161.715154][ T1037] netlink_rcv_skb+0x205/0x470 [ 161.717380][ T1037] netlink_unicast+0x758/0x8d0 [ 161.719480][ T1037] netlink_sendmsg+0x805/0xb30 [ 161.721758][ T1037] __sock_sendmsg+0x219/0x270 [ 161.724003][ T1037] ____sys_sendmsg+0x505/0x830 [ 161.726272][ T1037] ___sys_sendmsg+0x21f/0x2a0 [ 161.728440][ T1037] __x64_sys_sendmsg+0x19b/0x260 [ 161.730709][ T1037] do_syscall_64+0xfa/0x3b0 [ 161.732707][ T1037] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 161.735363][ T1037] [ 161.736484][ T1037] The buggy address belongs to the object at ffff88804cccaeb0 [ 161.736484][ T1037] which belongs to the cache dentry of size 312 [ 161.742531][ T1037] The buggy address is located 208 bytes inside of [ 
161.742531][ T1037] freed 312-byte region [ffff88804cccaeb0, ffff88804cccafe8) [ 161.748746][ T1037] [ 161.749982][ T1037] The buggy address belongs to the physical page: [ 161.752945][ T1037] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ccca [ 161.756491][ T1037] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 161.759759][ T1037] memcg:ffff888036582901 [ 161.761648][ T1037] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 161.764939][ T1037] page_type: f5(slab) [ 161.766843][ T1037] raw: 04fff00000000040 ffff888030413780 dead000000000122 0000000000000000 [ 161.770505][ T1037] raw: 0000000000000000 0000000000150015 00000000f5000000 ffff888036582901 [ 161.773742][ T1037] head: 04fff00000000040 ffff888030413780 dead000000000122 0000000000000000 [ 161.777456][ T1037] head: 0000000000000000 0000000000150015 00000000f5000000 ffff888036582901 [ 161.781374][ T1037] head: 04fff00000000001 ffffea0001333281 00000000ffffffff 00000000ffffffff [ 161.785042][ T1037] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 161.788683][ T1037] page dumped because: kasan: bad access detected [ 161.791481][ T1037] page_owner tracks the page as allocated [ 161.793992][ T1037] page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5341, tgid 5340 (syz.0.0), ts 161075180657, free_ts 0 [ 161.804215][ T1037] post_alloc_hook+0x240/0x2a0 [ 161.806266][ T1037] get_page_from_freelist+0x21e4/0x22c0 [ 161.808609][ T1037] __alloc_frozen_pages_noprof+0x181/0x370 [ 161.811198][ T1037] alloc_pages_mpol+0x232/0x4a0 [ 161.813318][ T1037] allocate_slab+0x8a/0x3b0 [ 161.815305][ T1037] ___slab_alloc+0xbfc/0x1480 [ 161.817428][ T1037] kmem_cache_alloc_lru_noprof+0x288/0x3d0 [ 161.819875][ T1037] __d_alloc+0x31/0x6f0 [ 161.821510][ T1037] d_alloc_parallel+0xe0/0x14e0 [ 161.823438][ T1037] 
__lookup_slow+0x116/0x3d0 [ 161.825405][ T1037] start_creating+0x22e/0x3c0 [ 161.827337][ T1037] __debugfs_create_file+0x79/0x4f0 [ 161.829585][ T1037] debugfs_create_file_short+0x3f/0x60 [ 161.831635][ T1037] ieee80211_debugfs_recreate_netdev+0xc3f/0x1460 [ 161.834308][ T1037] drv_remove_interface+0x1fa/0x590 [ 161.836656][ T1037] ieee80211_do_stop+0x15cb/0x1fa0 [ 161.838838][ T1037] page_owner free stack trace missing [ 161.840915][ T1037] [ 161.841831][ T1037] Memory state around the buggy address: [ 161.844026][ T1037] ffff88804cccae80: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb [ 161.847478][ T1037] ffff88804cccaf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 161.851123][ T1037] >ffff88804cccaf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc [ 161.854866][ T1037] ^ [ 161.857026][ T1037] ffff88804cccb000: fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb [ 161.860838][ T1037] ffff88804cccb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 161.864032][ T1037] ================================================================== [ 161.868015][ T1037] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 161.870698][ T1037] CPU: 0 UID: 0 PID: 1037 Comm: kworker/u4:7 Not tainted 6.16.0-rc2-syzkaller-00162-g41687a5c6f8b #0 PREEMPT(full) [ 161.875643][ T1037] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 161.879940][ T1037] Workqueue: events_unbound cfg80211_wiphy_work [ 161.882501][ T1037] Call Trace: [ 161.883987][ T1037] [ 161.885312][ T1037] dump_stack_lvl+0x99/0x250 [ 161.887364][ T1037] ? __asan_memcpy+0x40/0x70 [ 161.889356][ T1037] ? __pfx_dump_stack_lvl+0x10/0x10 [ 161.891654][ T1037] ? __pfx__printk+0x10/0x10 [ 161.893768][ T1037] panic+0x2db/0x790 [ 161.895418][ T1037] ? lockdep_hardirqs_on+0x9c/0x150 [ 161.897982][ T1037] ? __pfx_panic+0x10/0x10 [ 161.899923][ T1037] ? _raw_spin_unlock_irqrestore+0xa8/0x110 [ 161.902376][ T1037] ? 
_raw_spin_unlock_irqrestore+0xad/0x110 [ 161.904747][ T1037] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 161.907619][ T1037] ? _raw_spin_lock+0x2e/0x40 [ 161.909588][ T1037] check_panic_on_warn+0x89/0xb0 [ 161.911466][ T1037] ? _raw_spin_lock+0x2e/0x40 [ 161.913310][ T1037] end_report+0x78/0x160 [ 161.915144][ T1037] kasan_report+0x129/0x150 [ 161.916742][ T1037] ? _raw_spin_lock+0x2e/0x40 [ 161.918751][ T1037] ? lockref_get+0x15/0x60 [ 161.920328][ T1037] __kasan_check_byte+0x2a/0x40 [ 161.922183][ T1037] lock_acquire+0x8d/0x360 [ 161.924029][ T1037] ? do_raw_spin_lock+0x121/0x290 [ 161.926098][ T1037] _raw_spin_lock+0x2e/0x40 [ 161.928071][ T1037] ? lockref_get+0x15/0x60 [ 161.929962][ T1037] lockref_get+0x15/0x60 [ 161.931767][ T1037] simple_recursive_removal+0x35/0x690 [ 161.934006][ T1037] ? mntput+0x65/0xc0 [ 161.935760][ T1037] ? __pfx_remove_one+0x10/0x10 [ 161.937811][ T1037] debugfs_remove+0x5b/0x70 [ 161.939626][ T1037] ieee80211_sta_debugfs_remove+0x40/0x70 [ 161.941891][ T1037] __sta_info_destroy_part2+0x352/0x450 [ 161.944092][ T1037] sta_info_destroy_addr+0xf5/0x140 [ 161.946352][ T1037] ieee80211_destroy_auth_data+0x12d/0x260 [ 161.948807][ T1037] ieee80211_sta_work+0x11cf/0x3600 [ 161.951195][ T1037] ? __lock_acquire+0xab9/0xd20 [ 161.953373][ T1037] ? __lock_acquire+0xab9/0xd20 [ 161.955547][ T1037] ? __lock_acquire+0xab9/0xd20 [ 161.957642][ T1037] ? __pfx_ieee80211_sta_work+0x10/0x10 [ 161.959823][ T1037] ? do_raw_spin_lock+0x121/0x290 [ 161.961966][ T1037] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 161.964630][ T1037] ? lockdep_hardirqs_on+0x9c/0x150 [ 161.967615][ T1037] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 161.970269][ T1037] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 161.973110][ T1037] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 161.975558][ T1037] ? skb_dequeue+0x10e/0x150 [ 161.977737][ T1037] ? ieee80211_iface_work+0xcdb/0xfe0 [ 161.980126][ T1037] ? ieee80211_iface_work+0xeef/0xfe0 [ 161.982423][ T1037] ? 
rcu_is_watching+0x15/0xb0 [ 161.984537][ T1037] cfg80211_wiphy_work+0x2dc/0x460 [ 161.986820][ T1037] ? process_scheduled_works+0x9ef/0x17b0 [ 161.989313][ T1037] process_scheduled_works+0xae1/0x17b0 [ 161.991812][ T1037] ? __pfx_process_scheduled_works+0x10/0x10 [ 161.994419][ T1037] worker_thread+0x8a0/0xda0 [ 161.996541][ T1037] kthread+0x70e/0x8a0 [ 161.998482][ T1037] ? __pfx_worker_thread+0x10/0x10 [ 162.000927][ T1037] ? __pfx_kthread+0x10/0x10 [ 162.003243][ T1037] ? _raw_spin_unlock_irq+0x23/0x50 [ 162.005816][ T1037] ? lockdep_hardirqs_on+0x9c/0x150 [ 162.008151][ T1037] ? __pfx_kthread+0x10/0x10 [ 162.010235][ T1037] ret_from_fork+0x3f9/0x770 [ 162.012200][ T1037] ? __pfx_ret_from_fork+0x10/0x10 [ 162.014365][ T1037] ? __pfx_kthread+0x10/0x10 [ 162.016502][ T1037] ret_from_fork_asm+0x1a/0x30 [ 162.018626][ T1037] [ 162.020398][ T1037] Kernel Offset: disabled [ 162.022106][ T1037] Rebooting in 86400 seconds..