------------[ cut here ]------------ wlan1: Failed check-sdata-in-driver check, flags: 0x0 WARNING: net/mac80211/driver-ops.c:366 at 0x0, CPU#1: syz.1.1507/11699 Modules linked in: CPU: 1 UID: 0 PID: 11699 Comm: syz.1.1507 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:drv_unassign_vif_chanctx+0x4d4/0x7b0 net/mac80211/driver-ops.c:366 Code: 00 48 8d b0 20 01 00 00 49 8d 8d c8 0a 00 00 48 85 c0 48 0f 44 f1 42 0f b6 44 3d 00 84 c0 0f 85 95 01 00 00 41 8b 16 48 89 df <67> 48 0f b9 3a e9 15 fd ff ff e8 6d e6 90 f7 90 0f 0b 90 e9 4e fe RSP: 0018:ffffc900055c72f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffffff8ee8b8a0 RCX: ffff88802fe219c8 RDX: 0000000000000000 RSI: ffff88802fe20120 RDI: ffffffff8ee8b8a0 RBP: 1ffff11005fc4337 R08: 0000000000000000 R09: 0000000000000000 R10: dffffc0000000000 R11: fffffbfff1db2a2f R12: ffff88802fe23090 R13: ffff88802fe20f00 R14: ffff88802fe219b8 R15: dffffc0000000000 FS: 00007f08b28fc6c0(0000) GS:ffff888126e81000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2f816ffc CR3: 00000000623d4000 CR4: 00000000003526f0 Call Trace: ieee80211_assign_link_chanctx+0x1ec/0xd70 net/mac80211/chan.c:905 __ieee80211_link_release_channel+0x33b/0x4a0 net/mac80211/chan.c:1879 ieee80211_if_change_type+0x13c/0x940 net/mac80211/iface.c:2015 ieee80211_change_iface+0xd5/0x510 net/mac80211/cfg.c:254 rdev_change_virtual_intf net/wireless/rdev-ops.h:74 [inline] cfg80211_change_iface+0x786/0xed0 net/wireless/util.c:1238 nl80211_set_interface+0x764/0xa80 net/wireless/nl80211.c:4632 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:733 __sys_sendto+0x3c7/0x520 net/socket.c:2222 __do_sys_sendto net/socket.c:2229 [inline] __se_sys_sendto net/socket.c:2225 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2225 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f08b46e15dc Code: 2a 5f 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 70 5f 02 00 48 8b RSP: 002b:00007f08b28fae20 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f08b28fafa0 RCX: 00007f08b46e15dc RDX: 0000000000000024 RSI: 00007f08b28faff0 RDI: 0000000000000008 RBP: 0000000000000000 R08: 00007f08b28fae74 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000008 R13: 0000000000000000 R14: 00007f08b28faff0 R15: 0000000000000000 ---------------- Code disassembly (best guess), 1 bytes skipped: 0: 48 8d b0 20 01 00 00 lea 0x120(%rax),%rsi 7: 49 8d 8d c8 0a 00 00 lea 0xac8(%r13),%rcx e: 48 85 c0 test %rax,%rax 11: 48 0f 44 f1 cmove %rcx,%rsi 15: 42 0f b6 44 3d 00 movzbl 0x0(%rbp,%r15,1),%eax 1b: 84 c0 test %al,%al 1d: 0f 85 95 01 00 00 jne 0x1b8 23: 41 8b 16 mov (%r14),%edx 26: 48 89 df mov %rbx,%rdi * 29: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction 2e: e9 15 fd ff ff jmp 0xfffffd48 33: e8 6d e6 90 f7 call 0xf790e6a5 38: 90 nop 39: 0f 0b ud2 3b: 90 nop 3c: e9 .byte 0xe9 3d: 4e rex.WRX 3e: fe .byte 0xfe