------------[ cut here ]------------
WARNING: CPU: 0 PID: 4297 at net/mac80211/tx.c:4851 __ieee80211_beacon_get+0x183d/0x2080 net/mac80211/tx.c:5075
Modules linked in:
CPU: 0 PID: 4297 Comm: syz-executor214 Not tainted 5.15.179-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:__ieee80211_beacon_update_cntdwn net/mac80211/tx.c:4851 [inline]
RIP: 0010:__ieee80211_beacon_get+0x183d/0x2080 net/mac80211/tx.c:5075
Code: ff e8 17 a0 a9 f7 0f 0b e9 4b fa ff ff e8 0b a0 a9 f7 0f 0b e9 3b fe ff ff e8 ff 9f a9 f7 0f 0b e9 06 ee ff ff e8 f3 9f a9 f7 <0f> 0b e9 91 f0 ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 2d ea
RSP: 0018:ffffc90000007840 EFLAGS: 00010246
RAX: ffffffff89d6fccd RBX: 0000000000000000 RCX: ffff888029ae0000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000007a70 R08: ffffffff89d6ed58 R09: ffffffff89d6e72b
R10: 0000000000000003 R11: ffff888029ae0000 R12: dffffc0000000000
R13: ffff888072890c80 R14: ffff888072892298 R15: 1ffff92000000f18
FS:  000055558a74f380(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000400000858000 CR3: 000000001f25d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 ieee80211_beacon_get_tim+0xb7/0x950 net/mac80211/tx.c:5194
 ieee80211_beacon_get include/net/mac80211.h:4981 [inline]
 mac80211_hwsim_beacon_tx+0xe2/0x8a0 drivers/net/wireless/mac80211_hwsim.c:1812
 __iterate_interfaces+0x21e/0x4b0 net/mac80211/util.c:793
 ieee80211_iterate_active_interfaces_atomic+0xaf/0x140 net/mac80211/util.c:829
 mac80211_hwsim_beacon+0xa7/0x180 drivers/net/wireless/mac80211_hwsim.c:1865
 __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
 __hrtimer_run_queues+0x598/0xcf0 kernel/time/hrtimer.c:1752
 hrtimer_run_softirq+0x196/0x2c0 kernel/time/hrtimer.c:1769
 handle_softirqs+0x3a7/0x930 kernel/softirq.c:558
 __do_softirq kernel/softirq.c:592 [inline]
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x157/0x240 kernel/softirq.c:641
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:653
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:135 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x26d/0x290 mm/kasan/generic.c:189
Code: 29 06 4c 89 cd 4d 85 c9 0f 84 5a ff ff ff 4c 8d 4c 3e ff 4c 89 cb 48 c1 eb 03 4c 01 c3 48 39 dd 75 11 41 83 e1 07 48 0f be 2b <49> 39 e9 0f 8c 35 ff ff ff 0f b6 d2 e8 42 f3 ff ff 34 01 e9 26 ff
RSP: 0018:ffffc900031af498 EFLAGS: 00000206
RAX: 0000000000000001 RBX: fffffbfff2d5cfe0 RCX: ffffffff81acbd64
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff96ae7f00
RBP: 0000000000000004 R08: dffffc0000000000 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff8880b8e35510
R13: 000000000000000d R14: fffffbfff2d5cfe1 R15: ffffea0001b3a208
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
 lru_cache_disabled include/linux/swap.h:355 [inline]
 pagevec_add_and_need_flush mm/swap.c:223 [inline]
 lru_cache_add+0x524/0x7e0 mm/swap.c:452
 wp_page_copy+0xec3/0x2070 mm/memory.c:3117
 handle_pte_fault mm/memory.c:4668 [inline]
 __handle_mm_fault mm/memory.c:4785 [inline]
 handle_mm_fault+0x2a3d/0x5960 mm/memory.c:4883
 do_user_addr_fault arch/x86/mm/fault.c:1357 [inline]
 handle_page_fault arch/x86/mm/fault.c:1445 [inline]
 exc_page_fault+0x271/0x700 arch/x86/mm/fault.c:1501
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:606
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x40 arch/x86/lib/copy_user_64.S:206
Code: 89 d1 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 31 c0 0f 01 ca c3 0f 1f 80 00 00 00 00 0f 01 cb 83 fa 40 0f 82 70 ff ff ff 89 d1 <f3> a4 31 c0 0f 01 ca c3 66 2e 0f 1f 84 00 00 00 00 00 89 d1 83 f8
RSP: 0018:ffffc900031afa70 EFLAGS: 00050206
RAX: ffffffff84124601 RBX: 0000400000858e80 RCX: 0000000000000e80
RDX: 0000000000001000 RSI: ffff88800f78b180 RDI: 0000400000858000
RBP: ffffc900031afcd0 R08: dffffc0000000000 R09: ffffed1001ef1800
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000400000857e80
R13: 0000000000001000 R14: ffff88800f78b000 R15: 00007ffffffff000
 copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:58 [inline]
 copyout lib/iov_iter.c:157 [inline]
 copy_page_to_iter_iovec lib/iov_iter.c:228 [inline]
 __copy_page_to_iter lib/iov_iter.c:861 [inline]
 copy_page_to_iter+0x49a/0x10d0 lib/iov_iter.c:889
 process_vm_rw_pages mm/process_vm_access.c:45 [inline]
 process_vm_rw_single_vec mm/process_vm_access.c:117 [inline]
 process_vm_rw_core mm/process_vm_access.c:215 [inline]
 process_vm_rw+0x886/0xcc0 mm/process_vm_access.c:283
 __do_sys_process_vm_readv mm/process_vm_access.c:295 [inline]
 __se_sys_process_vm_readv mm/process_vm_access.c:291 [inline]
 __x64_sys_process_vm_readv+0xdc/0xf0 mm/process_vm_access.c:291
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f49b8c4ceb9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc6bba6ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000136
RAX: ffffffffffffffda RBX: 0000000000011b2e RCX: 00007f49b8c4ceb9
RDX: 0000000000000002 RSI: 0000400000008400 RDI: 000000000000001b
RBP: 0000000000000000 R08: 0000000000000286 R09: 0000000000000000
R10: 0000400000008640 R11: 0000000000000246 R12: 00007ffc6bba6edc
R13: 00007ffc6bba6f10 R14: 00007ffc6bba6ef0 R15: 0000000000000019
 </TASK>
----------------
Code disassembly (best guess):
   0:	29 06                	sub    %eax,(%rsi)
   2:	4c 89 cd             	mov    %r9,%rbp
   5:	4d 85 c9             	test   %r9,%r9
   8:	0f 84 5a ff ff ff    	je     0xffffff68
   e:	4c 8d 4c 3e ff       	lea    -0x1(%rsi,%rdi,1),%r9
  13:	4c 89 cb             	mov    %r9,%rbx
  16:	48 c1 eb 03          	shr    $0x3,%rbx
  1a:	4c 01 c3             	add    %r8,%rbx
  1d:	48 39 dd             	cmp    %rbx,%rbp
  20:	75 11                	jne    0x33
  22:	41 83 e1 07          	and    $0x7,%r9d
  26:	48 0f be 2b          	movsbq (%rbx),%rbp
* 2a:	49 39 e9             	cmp    %rbp,%r9 <-- trapping instruction
  2d:	0f 8c 35 ff ff ff    	jl     0xffffff68
  33:	0f b6 d2             	movzbl %dl,%edx
  36:	e8 42 f3 ff ff       	call   0xfffff37d
  3b:	34 01                	xor    $0x1,%al
  3d:	e9                   	.byte 0xe9
  3e:	26                   	es
  3f:	ff                   	.byte 0xff