------------[ cut here ]------------
WARNING: CPU: 0 PID: 8038 at kernel/kcov.c:871 kcov_remote_start+0x5a2/0x7e0 kernel/kcov.c:871
Modules linked in:
CPU: 0 PID: 8038 Comm: syz.2.590 Not tainted 6.10.0-rc7-syzkaller-00012-g34afb82a3c67 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:kcov_remote_start+0x5a2/0x7e0 kernel/kcov.c:871
Code: 24 00 00 00 00 9c 8f 04 24 f7 04 24 00 02 00 00 0f 85 a6 01 00 00 41 f7 c6 00 02 00 00 0f 84 93 fa ff ff fb e9 8d fa ff ff 90 <0f> 0b 90 e8 66 cd ef 09 89 c0 48 c7 c7 c8 d4 02 00 48 03 3c c5 e0
RSP: 0018:ffffc900000063d0 EFLAGS: 00010002
RAX: 0000000000010303 RBX: ffff888020e55a00 RCX: 0000000000000002
RDX: dffffc0000000000 RSI: ffffffff8bcaccc0 RDI: ffffffff8c1fe980
RBP: 0100000000000004 R08: ffffffff92fa75f7 R09: 1ffffffff25f4ebe
R10: dffffc0000000000 R11: fffffbfff25f4ebf R12: ffffffff8196315e
R13: ffff888074584000 R14: 0000000000000006 R15: ffff8880b942d4c8
FS:  0000000000000000(0000) GS:ffff8880b9400000(0063) knlGS:00000000f5cdbb40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000000c2b3d95 CR3: 00000000714c0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 kcov_remote_start_usb include/linux/kcov.h:55 [inline]
 kcov_remote_start_usb_softirq include/linux/kcov.h:89 [inline]
 __usb_hcd_giveback_urb+0x405/0x6e0 drivers/usb/core/hcd.c:1649
 dummy_timer+0x830/0x45d0 drivers/usb/gadget/udc/dummy_hcd.c:1987
 __run_hrtimer kernel/time/hrtimer.c:1689 [inline]
 __hrtimer_run_queues+0x59b/0xd50 kernel/time/hrtimer.c:1753
 hrtimer_interrupt+0x396/0x990 kernel/time/hrtimer.c:1815
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline]
 __sysvec_apic_timer_interrupt+0x110/0x3f0 arch/x86/kernel/apic/apic.c:1049
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x52/0xc0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:236 [inline]
RIP: 0010:__sanitizer_cov_trace_switch+0x9d/0x120 kernel/kcov.c:341
Code: 00 00 4d 85 d2 0f 84 8b 00 00 00 4c 8b 4c 24 20 65 4c 8b 1c 25 c0 d4 03 00 31 d2 eb 08 48 ff c2 49 39 d2 74 71 4c 8b 74 d6 10 <65> 8b 05 f4 a6 6d 7e a9 00 01 ff 00 74 11 a9 00 01 00 00 74 de 41
RSP: 0018:ffffc90000006b60 EFLAGS: 00000246
RAX: 0000000000000003 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8e1a1400 RDI: 0000000000000001
RBP: ffffffff90c4764a R08: 0000000000000005 R09: ffffffff8141095f
R10: 0000000000000003 R11: ffff888020e55a00 R12: ffffc90000007d38
R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff92000000d8c
 unwind_next_frame+0x196f/0x2a00 arch/x86/kernel/unwind_orc.c:641
 arch_stack_walk+0x151/0x1b0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4438 [inline]
 kmem_cache_free+0x145/0x350 mm/slub.c:4513
 netlink_broadcast_filtered+0x1168/0x1290 net/netlink/af_netlink.c:1546
 nlmsg_multicast_filtered include/net/netlink.h:1125 [inline]
 genlmsg_multicast_netns_filtered include/net/genetlink.h:491 [inline]
 genlmsg_multicast_netns+0x93/0xd0 include/net/genetlink.h:508
 nl80211_send_mlme_event+0x686/0x880 net/wireless/nl80211.c:17884
 cfg80211_rx_unprot_mlme_mgmt+0x404/0x680 net/wireless/nl80211.c:17983
 ieee80211_rx_h_decrypt net/mac80211/rx.c:1990 [inline]
 ieee80211_rx_handlers+0x2b13/0xb820 net/mac80211/rx.c:4187
 ieee80211_invoke_rx_handlers net/mac80211/rx.c:4235 [inline]
 ieee80211_prepare_and_rx_handle+0x31ab/0x6360 net/mac80211/rx.c:5083
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5324 [inline]
 ieee80211_rx_list+0x2cde/0x3780 net/mac80211/rx.c:5459
 ieee80211_rx_napi+0x18a/0x3c0 net/mac80211/rx.c:5482
 ieee80211_rx include/net/mac80211.h:5093 [inline]
 ieee80211_handle_queued_frames+0xe7/0x1e0 net/mac80211/main.c:438
 tasklet_action_common+0x321/0x4d0 kernel/softirq.c:785
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_is_held_type+0x5/0x190 kernel/locking/lockdep.c:5810
Code: 90 90 eb b5 e8 2c fc ff ff 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 04 25 28 00 00 00
RSP: 0018:ffffc9000365f1f8 EFLAGS: 00000282
RAX: 0000000000000002 RBX: 0000000000000001 RCX: ffff888020e55a00
RDX: ffff888020e55a00 RSI: 00000000ffffffff RDI: ffff888071afa498
RBP: ffff888071afa498 R08: ffffffff81cc7ed4 R09: 1ffffd40002facce
R10: dffffc0000000000 R11: fffff940002faccf R12: ffffc9000365f420
R13: 1ffff920006cbe84 R14: ffffea00017d6640 R15: ffff8880252098c0
 lock_is_held include/linux/lockdep.h:231 [inline]
 xa_entry include/linux/xarray.h:1220 [inline]
 xas_reload+0xfd/0x470 include/linux/xarray.h:1605
 next_uptodate_folio+0x202/0xb10 mm/filemap.c:3478
 filemap_map_pages+0x1338/0x1e70 mm/filemap.c:3652
 do_fault_around mm/memory.c:4879 [inline]
 do_read_fault mm/memory.c:4912 [inline]
 do_fault mm/memory.c:5051 [inline]
 do_pte_missing mm/memory.c:3897 [inline]
 handle_pte_fault+0x3b9b/0x7090 mm/memory.c:5381
 __handle_mm_fault mm/memory.c:5524 [inline]
 handle_mm_fault+0x10df/0x1ba0 mm/memory.c:5689
 faultin_page mm/gup.c:1290 [inline]
 __get_user_pages+0x6ef/0x1590 mm/gup.c:1589
 populate_vma_page_range+0x264/0x330 mm/gup.c:2029
 __mm_populate+0x27a/0x460 mm/gup.c:2132
 mm_populate include/linux/mm.h:3469 [inline]
 vm_mmap_pgoff+0x2c3/0x3d0 mm/util.c:578
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0xb4/0x120 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x34/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf73c2579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f5cdb57c EFLAGS: 00000206 ORIG_RAX: 00000000000000c0
RAX: ffffffffffffffda RBX: 0000000020000000 RCX: 0000000000b36000
RDX: 0000000006ebbeee RSI: 0000000000008031 RDI: 00000000ffffffff
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	4d 85 d2             	test   %r10,%r10
   5:	0f 84 8b 00 00 00    	je     0x96
   b:	4c 8b 4c 24 20       	mov    0x20(%rsp),%r9
  10:	65 4c 8b 1c 25 c0 d4 	mov    %gs:0x3d4c0,%r11
  17:	03 00
  19:	31 d2                	xor    %edx,%edx
  1b:	eb 08                	jmp    0x25
  1d:	48 ff c2             	inc    %rdx
  20:	49 39 d2             	cmp    %rdx,%r10
  23:	74 71                	je     0x96
  25:	4c 8b 74 d6 10       	mov    0x10(%rsi,%rdx,8),%r14
* 2a:	65 8b 05 f4 a6 6d 7e 	mov    %gs:0x7e6da6f4(%rip),%eax        # 0x7e6da725 <-- trapping instruction
  31:	a9 00 01 ff 00       	test   $0xff0100,%eax
  36:	74 11                	je     0x49
  38:	a9 00 01 00 00       	test   $0x100,%eax
  3d:	74 de                	je     0x1d
  3f:	41                   	rex.B