program: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000280)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x8}]}, 0x24}}, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_CONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r4, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r5}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2, 0x1}]}, @void, @void, @void, @void, @void, @void}, 0x2f) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000400)=@mgmt_frame=@auth={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x1}}, 0x0, 0x2, 0x0, @void}, 0x1e) syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000500)=@mgmt_frame=@assoc_resp={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x2}}, 0x1, 0x0, @default, @val, @void}, 0x20) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000540)=ANY=[@ANYBLOB="8000000008021100000108021100000108021100000000000000000000660000006400010005037c200925030002042d1a080007"], 0x52) syz_mount_image$vfat(&(0x7f0000000240), &(0x7f0000000280)='./file0\x00', 0x0, &(0x7f0000000140)={[{@fat=@nfs}, {@shortname_mixed}, {@uni_xlate}, {@rodir}, {@rodir}, {@shortname_winnt}, {@shortname_winnt}, {@uni_xlate}, {@iocharset={'iocharset', 0x3d, 'cp737'}}, {@utf8no}]}, 0x1, 0x22f, &(0x7f0000000b00)="$eJzs2k+LW1UYB+D3jpWOKdNE/FNaEA+6UDeXJmsXHaQFMaBoI1RBeuskGnJNhtwwEBE7K936EVyLS3eCdOlmNn4CF93NZpZdiFemqXamRrGUNqLPs8kL7/nlnsO5HM7i7r/61SejQZUPilmsZVmsXYjduJVFK9bid7vxyktXfnzunSvvvbHZ7V58O6VLm5fbnZTS6ed/eP+zb1+4MTv17nenvz8Ze60P9g86N/ee3Tu7/+vlj4dVGlZpPJmlIl2bTGbFtbKftobVKE/prfUoqn4ajqv+9Fh/UE62t+epGG9tNLan/apKxXieRv15mk3SbDpPxUfFcJzyPE8bjeBB9L65VddxUD9+Neq6fuLrOHUjNn6OZmRPpuypC9kzV7Mzu9nZg7purnqqPBT2///tyKG+HlF+udPb6S1+F/3NQQyjjH6cj2b8EoevyR2L+tLr3Yvn022t+KK8fid/faf32PF8O5rRWp5vL/LpeP5kNI7mO9GMp5fnO0vz6/Hyi0fyeTTjpw9jEmVsxWH2bv7zdkqvvdm9J3/u9jgAgP+aPP1h6f0tz/+qv8jfx/3wnvvViTh3YrVrJ6KafzoqyrI/fehF4xE+S6FQ/OPi8Bz+U2vVJxOPwt1NX/VMAAAAAAAAAAAAuB8P9vHgzTOLf/n7wateIwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8O/2WwAAAP//oHHQCw==") r6 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r6, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0) r7 = socket$nl_generic(0x10, 0x3, 0x10) bpf$MAP_CREATE(0x300000000000000, &(0x7f0000000100)=@base={0x17, 0x4, 0x41, 0x0, 0x1, 0x1, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x2, 0x6}, 0x50) r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r7, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r7, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r8, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r9}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r7, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000a00)={0x28, r8, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r9}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}}, 0x0) r10 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r10, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)=[{&(0x7f0000000040)="2e00000010008108040f80ecdb4cb92e0a480e000f000000e8bd6efb250314000e000100240248ff05000500", 0x2c}, {&(0x7f00000019c0)="06bb", 0x2}], 0x2}, 0x0) lstat(&(0x7f0000000000)='./file0\x00', &(0x7f00000000c0)) syz_mount_image$msdos(&(0x7f0000000800), &(0x7f0000000840)='.\x00', 0x104821, &(0x7f00000002c0)=ANY=[], 0x0, 0x0, &(0x7f00000007c0)) open_by_handle_at(0xffffffffffffff9c, &(0x7f00000000c0)=ANY=[@ANYBLOB="2000000002"], 0x0) [ 74.597561][ T4706] Bluetooth: hci0: command tx timeout [ 74.675953][ T5357] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.710478][ T55] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 74.714542][ T55] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 74.737646][ T53] wlan1: authenticated [ 74.739922][ T5357] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.746489][ T53] wlan1: associate with 08:02:11:00:00:00 (try 1/3) [ 74.751473][ T5357] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.756544][ T53] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0x1 status=0 aid=1) [ 74.760441][ T53] wlan1: associated [ 74.764873][ T5357] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.774729][ T5357] loop0: detected capacity change from 0 to 128 [ 74.796265][ T5357] netlink: 'syz.0.0': attribute type 10 has an invalid length. [ 74.804436][ T5357] wlan1: deauthenticating from 08:02:11:00:00:00 by local choice (Reason: 3=DEAUTH_LEAVING) [ 74.839716][ T5357] bond0: (slave wlan1): Enslaving as an active interface with an up link [ 74.855196][ T5357] wlan1: authenticate with 08:02:11:00:00:00 (local address=aa:aa:aa:aa:aa:17) [ 74.860668][ T5357] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 74.881315][ T5357] bond0: entered promiscuous mode [ 74.883631][ T5357] bond_slave_0: entered promiscuous mode [ 74.888382][ T5357] bond_slave_1: entered promiscuous mode [ 74.891153][ T5357] mac80211_hwsim hwsim3 wlan1: entered promiscuous mode [ 74.965753][ T31] wlan1: send auth to 08:02:11:00:00:00 (try 2/3) [ 75.076647][ T31] wlan1: send auth to 08:02:11:00:00:00 (try 3/3) [ 75.188028][ T1044] wlan1: authentication with 08:02:11:00:00:00 timed out [ 75.191867][ T1044] ================================================================== [ 75.195469][ T1044] BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 [ 75.198822][ T1044] Read of size 1 at addr ffff888052154248 by task kworker/u4:8/1044 [ 75.202280][ T1044] [ 75.203398][ T1044] CPU: 0 UID: 0 PID: 1044 Comm: kworker/u4:8 Not tainted 6.16.0-syzkaller-12288-g2b38afce25c4 #0 PREEMPT(full) [ 75.203414][ T1044] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.203422][ T1044] Workqueue: events_unbound cfg80211_wiphy_work [ 75.203485][ T1044] Call Trace: [ 75.203493][ T1044] [ 75.203498][ T1044] dump_stack_lvl+0x189/0x250 [ 75.203513][ T1044] ? __virt_addr_valid+0x1c8/0x5c0 [ 75.203527][ T1044] ? rcu_is_watching+0x15/0xb0 [ 75.203575][ T1044] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.203588][ T1044] ? rcu_is_watching+0x15/0xb0 [ 75.203597][ T1044] ? lock_release+0x4b/0x3e0 [ 75.203612][ T1044] ? _raw_spin_lock_irqsave+0xb3/0xf0 [ 75.203627][ T1044] ? __virt_addr_valid+0x1c8/0x5c0 [ 75.203639][ T1044] ? __virt_addr_valid+0x4a5/0x5c0 [ 75.203652][ T1044] print_report+0xca/0x240 [ 75.203662][ T1044] ? _raw_spin_lock+0x2e/0x40 [ 75.203672][ T1044] kasan_report+0x118/0x150 [ 75.203687][ T1044] ? _raw_spin_lock+0x2e/0x40 [ 75.203699][ T1044] ? lockref_get+0x15/0x60 [ 75.203713][ T1044] __kasan_check_byte+0x2a/0x40 [ 75.203724][ T1044] lock_acquire+0x8d/0x360 [ 75.203740][ T1044] ? do_raw_spin_lock+0x121/0x290 [ 75.203755][ T1044] _raw_spin_lock+0x2e/0x40 [ 75.203766][ T1044] ? lockref_get+0x15/0x60 [ 75.203779][ T1044] lockref_get+0x15/0x60 [ 75.203789][ T1044] __simple_recursive_removal+0x33/0x510 [ 75.203800][ T1044] ? mntput+0x65/0xc0 [ 75.203811][ T1044] ? __pfx_remove_one+0x10/0x10 [ 75.203826][ T1044] debugfs_remove+0x5b/0x70 [ 75.203838][ T1044] ieee80211_sta_debugfs_remove+0x40/0x70 [ 75.203854][ T1044] __sta_info_destroy_part2+0x352/0x450 [ 75.203872][ T1044] sta_info_destroy_addr+0xf5/0x140 [ 75.203885][ T1044] ieee80211_destroy_auth_data+0x12d/0x260 [ 75.203903][ T1044] ieee80211_sta_work+0x11cf/0x3600 [ 75.203918][ T1044] ? trace_pelt_se_tp+0x39/0x130 [ 75.203932][ T1044] ? __lock_acquire+0xab9/0xd20 [ 75.203948][ T1044] ? __lock_acquire+0xab9/0xd20 [ 75.203962][ T1044] ? __pfx_ieee80211_sta_work+0x10/0x10 [ 75.203978][ T1044] ? do_raw_spin_lock+0x121/0x290 [ 75.203993][ T1044] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 75.204003][ T1044] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.204016][ T1044] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 75.204027][ T1044] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 75.204039][ T1044] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 75.204053][ T1044] ? skb_dequeue+0x10e/0x150 [ 75.204064][ T1044] ? ieee80211_iface_work+0xfc4/0x12d0 [ 75.204078][ T1044] ? ieee80211_iface_work+0x11d6/0x12d0 [ 75.204088][ T1044] ? rcu_is_watching+0x15/0xb0 [ 75.204095][ T1044] cfg80211_wiphy_work+0x2b8/0x470 [ 75.204105][ T1044] ? process_scheduled_works+0x9ef/0x17b0 [ 75.204112][ T1044] process_scheduled_works+0xade/0x17b0 [ 75.204123][ T1044] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.204136][ T1044] worker_thread+0x8a0/0xda0 [ 75.204151][ T1044] kthread+0x70e/0x8a0 [ 75.204165][ T1044] ? __pfx_worker_thread+0x10/0x10 [ 75.204174][ T1044] ? __pfx_kthread+0x10/0x10 [ 75.204186][ T1044] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.204197][ T1044] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.204208][ T1044] ? __pfx_kthread+0x10/0x10 [ 75.204219][ T1044] ret_from_fork+0x3f9/0x770 [ 75.204230][ T1044] ? __pfx_ret_from_fork+0x10/0x10 [ 75.204241][ T1044] ? __pfx_kthread+0x10/0x10 [ 75.204254][ T1044] ret_from_fork_asm+0x1a/0x30 [ 75.204272][ T1044] [ 75.204277][ T1044] [ 75.353771][ T1044] Allocated by task 5357: [ 75.355815][ T1044] kasan_save_track+0x3e/0x80 [ 75.358467][ T1044] __kasan_slab_alloc+0x6c/0x80 [ 75.360667][ T1044] kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 [ 75.363146][ T1044] __d_alloc+0x36/0x7a0 [ 75.364945][ T1044] d_alloc_parallel+0xe5/0x15e0 [ 75.367047][ T1044] __lookup_slow+0x116/0x3d0 [ 75.369091][ T1044] simple_start_creating+0xfd/0x1e0 [ 75.371355][ T1044] start_creating+0x10f/0x180 [ 75.373444][ T1044] debugfs_create_dir+0x28/0x420 [ 75.375698][ T1044] ieee80211_sta_debugfs_add+0x12c/0x850 [ 75.378333][ T1044] sta_info_insert_rcu+0xfac/0x1940 [ 75.380637][ T1044] sta_info_insert+0x16/0xc0 [ 75.382689][ T1044] ieee80211_prep_connection+0xfce/0x13f0 [ 75.385205][ T1044] ieee80211_mgd_auth+0xee3/0x1770 [ 75.387539][ T1044] cfg80211_mlme_auth+0x632/0x9c0 [ 75.389803][ T1044] cfg80211_conn_do_work+0x501/0xd10 [ 75.392153][ T1044] cfg80211_connect+0x1862/0x21a0 [ 75.394445][ T1044] nl80211_connect+0x17bc/0x1cd0 [ 75.396645][ T1044] genl_family_rcv_msg_doit+0x215/0x300 [ 75.399073][ T1044] genl_rcv_msg+0x60e/0x790 [ 75.401132][ T1044] netlink_rcv_skb+0x205/0x470 [ 75.403382][ T1044] genl_rcv+0x28/0x40 [ 75.405368][ T1044] netlink_unicast+0x82c/0x9e0 [ 75.407544][ T1044] netlink_sendmsg+0x805/0xb30 [ 75.409735][ T1044] __sock_sendmsg+0x21c/0x270 [ 75.411914][ T1044] ____sys_sendmsg+0x505/0x830 [ 75.414030][ T1044] ___sys_sendmsg+0x21f/0x2a0 [ 75.416182][ T1044] __x64_sys_sendmsg+0x19b/0x260 [ 75.418418][ T1044] do_syscall_64+0xfa/0x3b0 [ 75.420613][ T1044] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.423544][ T1044] [ 75.424719][ T1044] Freed by task 15: [ 75.426527][ T1044] kasan_save_track+0x3e/0x80 [ 75.428615][ T1044] kasan_save_free_info+0x46/0x50 [ 75.430836][ T1044] __kasan_slab_free+0x5b/0x80 [ 75.433020][ T1044] kmem_cache_free+0x18f/0x400 [ 75.435185][ T1044] rcu_core+0xca8/0x1770 [ 75.437042][ T1044] handle_softirqs+0x283/0x870 [ 75.439183][ T1044] run_ksoftirqd+0x9b/0x100 [ 75.441114][ T1044] smpboot_thread_fn+0x53f/0xa60 [ 75.443290][ T1044] kthread+0x70e/0x8a0 [ 75.445081][ T1044] ret_from_fork+0x3f9/0x770 [ 75.447082][ T1044] ret_from_fork_asm+0x1a/0x30 [ 75.449192][ T1044] [ 75.450297][ T1044] Last potentially related work creation: [ 75.452721][ T1044] kasan_save_stack+0x3e/0x60 [ 75.454787][ T1044] kasan_record_aux_stack+0xbd/0xd0 [ 75.457019][ T1044] call_rcu+0x157/0x9c0 [ 75.458843][ T1044] __dentry_kill+0x4d2/0x660 [ 75.460860][ T1044] dput+0x19f/0x2b0 [ 75.462551][ T1044] find_next_child+0x1e5/0x250 [ 75.464657][ T1044] __simple_recursive_removal+0x10b/0x510 [ 75.467167][ T1044] debugfs_remove+0x5b/0x70 [ 75.469139][ T1044] ieee80211_debugfs_recreate_netdev+0xbf/0x1460 [ 75.471968][ T1044] drv_remove_interface+0x1fa/0x590 [ 75.474151][ T1044] ieee80211_change_mac+0x912/0x12d0 [ 75.476479][ T1044] netif_set_mac_address+0x2f9/0x4c0 [ 75.478793][ T1044] dev_set_mac_address+0x12b/0x260 [ 75.481054][ T1044] bond_set_mac_address+0x26c/0x7b0 [ 75.483282][ T1044] netif_set_mac_address+0x2f9/0x4c0 [ 75.485535][ T1044] do_setlink+0x88c/0x41c0 [ 75.487417][ T1044] rtnl_newlink+0x160b/0x1c70 [ 75.489407][ T1044] rtnetlink_rcv_msg+0x7cc/0xb70 [ 75.491578][ T1044] netlink_rcv_skb+0x205/0x470 [ 75.493615][ T1044] netlink_unicast+0x82c/0x9e0 [ 75.495710][ T1044] netlink_sendmsg+0x805/0xb30 [ 75.497731][ T1044] __sock_sendmsg+0x21c/0x270 [ 75.499824][ T1044] ____sys_sendmsg+0x505/0x830 [ 75.501912][ T1044] ___sys_sendmsg+0x21f/0x2a0 [ 75.504030][ T1044] __x64_sys_sendmsg+0x19b/0x260 [ 75.506270][ T1044] do_syscall_64+0xfa/0x3b0 [ 75.508293][ T1044] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.510899][ T1044] [ 75.511993][ T1044] The buggy address belongs to the object at ffff888052154178 [ 75.511993][ T1044] which belongs to the cache dentry of size 312 [ 75.518049][ T1044] The buggy address is located 208 bytes inside of [ 75.518049][ T1044] freed 312-byte region [ffff888052154178, ffff8880521542b0) [ 75.524011][ T1044] [ 75.525135][ T1044] The buggy address belongs to the physical page: [ 75.528092][ T1044] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x52154 [ 75.532005][ T1044] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 75.535901][ T1044] memcg:ffff8880369ed201 [ 75.537778][ T1044] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 75.541230][ T1044] page_type: f5(slab) [ 75.543261][ T1044] raw: 04fff00000000040 ffff88801b6cc780 dead000000000122 0000000000000000 [ 75.547455][ T1044] raw: 0000000000000000 0000000000150015 00000000f5000000 ffff8880369ed201 [ 75.551195][ T1044] head: 04fff00000000040 ffff88801b6cc780 dead000000000122 0000000000000000 [ 75.555058][ T1044] head: 0000000000000000 0000000000150015 00000000f5000000 ffff8880369ed201 [ 75.558833][ T1044] head: 04fff00000000001 ffffea0001485501 00000000ffffffff 00000000ffffffff [ 75.562561][ T1044] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 75.566371][ T1044] page dumped because: kasan: bad access detected [ 75.569136][ T1044] page_owner tracks the page as allocated [ 75.571664][ T1044] page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5357, tgid 5356 (syz.0.0), ts 74852320885, free_ts 0 [ 75.581266][ T1044] post_alloc_hook+0x240/0x2a0 [ 75.583361][ T1044] get_page_from_freelist+0x21e4/0x22c0 [ 75.585760][ T1044] __alloc_frozen_pages_noprof+0x181/0x370 [ 75.588294][ T1044] alloc_pages_mpol+0x232/0x4a0 [ 75.590419][ T1044] allocate_slab+0x8a/0x370 [ 75.592344][ T1044] ___slab_alloc+0xbeb/0x1410 [ 75.594375][ T1044] kmem_cache_alloc_lru_noprof+0x288/0x3d0 [ 75.596898][ T1044] __d_alloc+0x36/0x7a0 [ 75.598832][ T1044] d_alloc_parallel+0xe5/0x15e0 [ 75.601036][ T1044] __lookup_slow+0x116/0x3d0 [ 75.603222][ T1044] simple_start_creating+0xfd/0x1e0 [ 75.605589][ T1044] start_creating+0x10f/0x180 [ 75.607691][ T1044] __debugfs_create_file+0x79/0x4f0 [ 75.609997][ T1044] debugfs_create_file_unsafe+0x3a/0x50 [ 75.612493][ T1044] ieee80211_debugfs_recreate_netdev+0x1260/0x1460 [ 75.615448][ T1044] ieee80211_if_change_type+0x53a/0x990 [ 75.617897][ T1044] page_owner free stack trace missing [ 75.620368][ T1044] [ 75.621428][ T1044] Memory state around the buggy address: [ 75.623908][ T1044] ffff888052154100: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa [ 75.627356][ T1044] ffff888052154180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.630895][ T1044] >ffff888052154200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.634466][ T1044] ^ [ 75.637323][ T1044] ffff888052154280: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb [ 75.640812][ T1044] ffff888052154300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.644279][ T1044] ================================================================== [ 75.648306][ T1044] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.651545][ T1044] CPU: 0 UID: 0 PID: 1044 Comm: kworker/u4:8 Not tainted 6.16.0-syzkaller-12288-g2b38afce25c4 #0 PREEMPT(full) [ 75.656653][ T1044] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.661078][ T1044] Workqueue: events_unbound cfg80211_wiphy_work [ 75.663590][ T1044] Call Trace: [ 75.665120][ T1044] [ 75.666483][ T1044] dump_stack_lvl+0x99/0x250 [ 75.668587][ T1044] ? __asan_memcpy+0x40/0x70 [ 75.670582][ T1044] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.672975][ T1044] ? __pfx__printk+0x10/0x10 [ 75.675085][ T1044] vpanic+0x281/0x750 [ 75.676889][ T1044] ? __pfx_vpanic+0x10/0x10 [ 75.678926][ T1044] ? irqentry_exit+0x74/0x90 [ 75.680978][ T1044] panic+0xb9/0xc0 [ 75.682545][ T1044] ? __pfx_panic+0x10/0x10 [ 75.684357][ T1044] ? _raw_spin_unlock_irqrestore+0xa8/0x110 [ 75.686796][ T1044] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 75.689173][ T1044] ? is_module_address+0x17/0xf0 [ 75.691227][ T1044] ? _raw_spin_lock+0x2e/0x40 [ 75.693166][ T1044] check_panic_on_warn+0x89/0xb0 [ 75.695220][ T1044] ? _raw_spin_lock+0x2e/0x40 [ 75.697348][ T1044] end_report+0x78/0x160 [ 75.699260][ T1044] kasan_report+0x129/0x150 [ 75.701313][ T1044] ? _raw_spin_lock+0x2e/0x40 [ 75.703439][ T1044] ? lockref_get+0x15/0x60 [ 75.705592][ T1044] __kasan_check_byte+0x2a/0x40 [ 75.708002][ T1044] lock_acquire+0x8d/0x360 [ 75.710185][ T1044] ? do_raw_spin_lock+0x121/0x290 [ 75.712410][ T1044] _raw_spin_lock+0x2e/0x40 [ 75.714295][ T1044] ? lockref_get+0x15/0x60 [ 75.716075][ T1044] lockref_get+0x15/0x60 [ 75.717771][ T1044] __simple_recursive_removal+0x33/0x510 [ 75.720006][ T1044] ? mntput+0x65/0xc0 [ 75.721625][ T1044] ? __pfx_remove_one+0x10/0x10 [ 75.723646][ T1044] debugfs_remove+0x5b/0x70 [ 75.725481][ T1044] ieee80211_sta_debugfs_remove+0x40/0x70 [ 75.727840][ T1044] __sta_info_destroy_part2+0x352/0x450 [ 75.730305][ T1044] sta_info_destroy_addr+0xf5/0x140 [ 75.732611][ T1044] ieee80211_destroy_auth_data+0x12d/0x260 [ 75.735269][ T1044] ieee80211_sta_work+0x11cf/0x3600 [ 75.737534][ T1044] ? trace_pelt_se_tp+0x39/0x130 [ 75.739721][ T1044] ? __lock_acquire+0xab9/0xd20 [ 75.741817][ T1044] ? __lock_acquire+0xab9/0xd20 [ 75.743858][ T1044] ? __pfx_ieee80211_sta_work+0x10/0x10 [ 75.746334][ T1044] ? do_raw_spin_lock+0x121/0x290 [ 75.748713][ T1044] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 75.751185][ T1044] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.753459][ T1044] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 75.756402][ T1044] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 75.759205][ T1044] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 75.761627][ T1044] ? skb_dequeue+0x10e/0x150 [ 75.763637][ T1044] ? ieee80211_iface_work+0xfc4/0x12d0 [ 75.766290][ T1044] ? ieee80211_iface_work+0x11d6/0x12d0 [ 75.768853][ T1044] ? rcu_is_watching+0x15/0xb0 [ 75.771035][ T1044] cfg80211_wiphy_work+0x2b8/0x470 [ 75.773161][ T1044] ? process_scheduled_works+0x9ef/0x17b0 [ 75.775716][ T1044] process_scheduled_works+0xade/0x17b0 [ 75.778166][ T1044] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.780718][ T1044] worker_thread+0x8a0/0xda0 [ 75.782680][ T1044] kthread+0x70e/0x8a0 [ 75.784483][ T1044] ? __pfx_worker_thread+0x10/0x10 [ 75.786706][ T1044] ? __pfx_kthread+0x10/0x10 [ 75.788779][ T1044] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.791041][ T1044] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.793262][ T1044] ? __pfx_kthread+0x10/0x10 [ 75.795308][ T1044] ret_from_fork+0x3f9/0x770 [ 75.797391][ T1044] ? __pfx_ret_from_fork+0x10/0x10 [ 75.799600][ T1044] ? __pfx_kthread+0x10/0x10 [ 75.801435][ T1044] ret_from_fork_asm+0x1a/0x30 [ 75.803441][ T1044] [ 75.805118][ T1044] Kernel Offset: disabled [ 75.807006][ T1044] Rebooting in 86400 seconds..