------------[ cut here ]------------
WARNING: CPU: 0 PID: 13529 at net/mac80211/tx.c:5031 __ieee80211_beacon_update_cntdwn net/mac80211/tx.c:5031 [inline]
WARNING: CPU: 0 PID: 13529 at net/mac80211/tx.c:5031 __ieee80211_beacon_get+0x1233/0x1600 net/mac80211/tx.c:5442
Modules linked in:
CPU: 0 PID: 13529 Comm: syz.1.1648 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
RIP: 0010:__ieee80211_beacon_update_cntdwn net/mac80211/tx.c:5031 [inline]
RIP: 0010:__ieee80211_beacon_get+0x1233/0x1600 net/mac80211/tx.c:5442
Code: 24 4c 89 e7 e8 8e b0 c0 f7 45 31 f6 4c 8b bc 24 a0 00 00 00 e9 7a fe ff ff e8 39 ef 82 f7 0f 0b e9 f6 f7 ff ff e8 2d ef 82 f7 <0f> 0b e9 48 fb ff ff e8 21 ef 82 f7 48 c7 c7 80 7c 64 8e 4c 89 e6
RSP: 0018:ffffc90000007a18 EFLAGS: 00010246
RAX: ffffffff8a0432a3 RBX: ffffffff8a0420a6 RCX: ffff8880287b9e00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff8880287b9e00 R09: 0000000000000003
R10: 0000000000000007 R11: 0000000000000100 R12: ffff88805e91a3c0
R13: dffffc0000000000 R14: ffff88805e91a8b0 R15: ffff88802e92a424
FS:  00005555878f9500(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fad3e5e9f00 CR3: 00000000216d6000 CR4: 00000000003506f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000080083
DR3: ffffffffefffff16 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 ieee80211_beacon_get_tim+0xbf/0x580 net/mac80211/tx.c:5569
 ieee80211_beacon_get include/net/mac80211.h:5440 [inline]
 mac80211_hwsim_beacon_tx+0x3c7/0x780 drivers/net/wireless/virtual/mac80211_hwsim.c:2265
 __iterate_interfaces+0x243/0x500 net/mac80211/util.c:766
 ieee80211_iterate_active_interfaces_atomic+0xdb/0x180 net/mac80211/util.c:802
 mac80211_hwsim_beacon+0xbb/0x1b0 drivers/net/wireless/virtual/mac80211_hwsim.c:2295
 __run_hrtimer kernel/time/hrtimer.c:1750 [inline]
 __hrtimer_run_queues+0x520/0xc40 kernel/time/hrtimer.c:1814
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1831
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:raw_spin_rq_unlock_irq+0x13/0x90 kernel/sched/sched.h:1392
Code: 5d 41 5e 41 5f 5d c3 e8 6b 45 27 09 66 2e 0f 1f 84 00 00 00 00 00 90 41 57 41 56 53 eb 11 e8 e4 ee 30 09 e8 cf b4 2e 00 fb 5b <41> 5e 41 5f c3 49 be 00 00 00 00 00 fc ff df 49 89 ff 48 8d 9f 58
RSP: 0018:ffffc900036c7868 EFLAGS: 00000286
RAX: d2a9bd5eeb941c00 RBX: ffff8880b8e3cd48 RCX: d2a9bd5eeb941c00
RDX: dffffc0000000000 RSI: ffffffff8acac9e0 RDI: ffffffff8b1c8de0
RBP: ffffc900036c7a90 R08: ffffffff8e8b0c2f R09: 1ffffffff1d16185
R10: dffffc0000000000 R11: fffffbfff1d16186 R12: dffffc0000000000
R13: ffff8880287b9e00 R14: dffffc0000000000 R15: ffff8880b8e3cd48
 __schedule+0x179f/0x45a0 kernel/sched/core.c:6704
 preempt_schedule_common+0x82/0xc0 kernel/sched/core.c:6867
 preempt_schedule+0xc0/0xd0 kernel/sched/core.c:6891
 preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk_64.S:45
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
 _raw_spin_unlock_irqrestore+0x111/0x120 kernel/locking/spinlock.c:194
 hrtimer_start_expires include/linux/hrtimer.h:435 [inline]
 hrtimer_sleeper_start_expires kernel/time/hrtimer.c:2012 [inline]
 do_nanosleep+0x17f/0x600 kernel/time/hrtimer.c:2088
 hrtimer_nanosleep+0x175/0x370 kernel/time/hrtimer.c:2139
 __do_sys_clock_nanosleep kernel/time/posix-timers.c:1397 [inline]
 __se_sys_clock_nanosleep+0x30f/0x3a0 kernel/time/posix-timers.c:1374
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fad3e55d04e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007ffe8952f1b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 00005555878f9500 RCX: 00007fad3e55d04e
RDX: 00007ffe8952f210 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fad3e817da0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000c1650
R13: 00007fad3e81609c R14: 00000000000c15de R15: 00007fad3e816090
 </TASK>
----------------
Code disassembly (best guess):
   0:	5d                   	pop    %rbp
   1:	41 5e                	pop    %r14
   3:	41 5f                	pop    %r15
   5:	5d                   	pop    %rbp
   6:	c3                   	ret
   7:	e8 6b 45 27 09       	call   0x9274577
   c:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  13:	00 00 00
  16:	90                   	nop
  17:	41 57                	push   %r15
  19:	41 56                	push   %r14
  1b:	53                   	push   %rbx
  1c:	eb 11                	jmp    0x2f
  1e:	e8 e4 ee 30 09       	call   0x930ef07
  23:	e8 cf b4 2e 00       	call   0x2eb4f7
  28:	fb                   	sti
  29:	5b                   	pop    %rbx
* 2a:	41 5e                	pop    %r14 <-- trapping instruction
  2c:	41 5f                	pop    %r15
  2e:	c3                   	ret
  2f:	49 be 00 00 00 00 00 	movabs $0xdffffc0000000000,%r14
  36:	fc ff df
  39:	49 89 ff             	mov    %rdi,%r15
  3c:	48                   	rex.W
  3d:	8d                   	.byte 0x8d
  3e:	9f                   	lahf
  3f:	58                   	pop    %rax