WARNING in __ieee80211_beacon

WARNING in __ieee80211_beacon_get (3)
Status: upstream: reported on 2021/10/16 16:09
Reported-by: syzbot+d5924d5cffddfccab68e@syzkaller.appspotmail.com
First crash: 50d, last: 50d

similar bugs (4):
Kernel	Title	Repro	Cause bisect	Count	Last	Reported	Patched	Status
upstream	WARNING in __ieee80211_beacon_get	C	done	295	13h37m	426d	0/22	upstream: reported C repro on 2020/10/05 08:38
linux-4.19	WARNING in __ieee80211_beacon_get			2	337d	341d	0/1	auto-closed as invalid on 2021/05/02 15:33
linux-4.14	WARNING in __ieee80211_beacon_get			1	409d	409d	0/1	auto-closed as invalid on 2021/02/20 01:09
linux-4.19	WARNING in __ieee80211_beacon_get (2)			4	184d	211d	0/1	auto-closed as invalid on 2021/10/02 04:19

Sample crash report:

WARNING: CPU: 1 PID: 4953 at net/mac80211/tx.c:4154 __ieee80211_csa_update_counter net/mac80211/tx.c:4154 [inline]
WARNING: CPU: 1 PID: 4953 at net/mac80211/tx.c:4154 __ieee80211_csa_update_counter net/mac80211/tx.c:4149 [inline]
WARNING: CPU: 1 PID: 4953 at net/mac80211/tx.c:4154 __ieee80211_beacon_get+0x1678/0x1a30 net/mac80211/tx.c:4347
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 4953 Comm: syz-executor.2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 panic+0x26a/0x50e kernel/panic.c:186
 __warn.cold+0x20/0x5a kernel/panic.c:541
 report_bug+0x262/0x2b0 lib/bug.c:183
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 fixup_bug arch/x86/kernel/traps.c:173 [inline]
 do_error_trap+0x1d7/0x310 arch/x86/kernel/traps.c:296
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1038
RIP: 0010:__ieee80211_csa_update_counter net/mac80211/tx.c:4154 [inline]
RIP: 0010:__ieee80211_csa_update_counter net/mac80211/tx.c:4149 [inline]
RIP: 0010:__ieee80211_beacon_get+0x1678/0x1a30 net/mac80211/tx.c:4347
Code: 85 70 03 00 00 41 0f b6 45 24 31 ff 44 8d 60 ff 45 88 65 24 44 89 e6 e8 e6 9f bf f9 45 84 e4 0f 85 4f f5 ff ff e8 a8 9e bf f9 <0f> 0b e9 43 f5 ff ff e8 9c 9e bf f9 e8 c7 c6 ad f9 31 ff 41 89 c4
RSP: 0018:ffff8880ba107c18 EFLAGS: 00010206
RAX: ffff8880a8548080 RBX: ffff88803c0e1c78 RCX: ffffffff87a2e6ba
RDX: 0000000000000100 RSI: ffffffff87a2e6c8 RDI: 0000000000000001
RBP: ffff88803c059b40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880af808440 R14: 0000000000000000 R15: ffff8880ba107d60
 ieee80211_beacon_get_tim+0x88/0x890 net/mac80211/tx.c:4463
 ieee80211_beacon_get include/net/mac80211.h:4484 [inline]
 mac80211_hwsim_beacon_tx+0xff/0x680 drivers/net/wireless/mac80211_hwsim.c:1577
 __iterate_interfaces+0x2e1/0x4a0 net/mac80211/util.c:614
 ieee80211_iterate_active_interfaces_atomic+0x8d/0x170 net/mac80211/util.c:650
 mac80211_hwsim_beacon+0xc9/0x190 drivers/net/wireless/mac80211_hwsim.c:1615
 __tasklet_hrtimer_trampoline+0x29/0xa0 kernel/softirq.c:601
 tasklet_action_common.constprop.0+0x265/0x360 kernel/softirq.c:522
 __do_softirq+0x265/0x980 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x215/0x260 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1098
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
 </IRQ>
RIP: 0010:deref_stack_reg+0x4d/0x1d0 arch/x86/kernel/unwind_orc.c:330
Code: 08 b3 8a b5 41 48 8d 5c 24 08 48 c7 44 24 10 35 af b6 89 48 c1 eb 03 48 c7 44 24 18 20 7f 29 81 48 8d 14 03 c7 02 f1 f1 f1 f1 <c7> 42 04 00 f3 f3 f3 48 89 fa 65 48 8b 0c 25 28 00 00 00 48 89 4c
RSP: 0018:ffff8880b5397398 EFLAGS: 00000a06 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: 1ffff11016a72e74 RCX: ffff8880b5397f28
RDX: ffffed1016a72e74 RSI: ffff8880b5397f50 RDI: ffff8880b5397560
RBP: ffff8880b5397f50 R08: ffffffff8b8cd908 R09: ffffffff8b8cd904
R10: ffff8880b53975bf R11: 0000000000074071 R12: ffff8880b5397560
R13: ffff8880b53975a8 R14: ffff8880b5397560 R15: ffffffff8b8cd904
 unwind_next_frame+0x9fc/0x1400 arch/x86/kernel/unwind_orc.c:502
 __save_stack_trace+0x9f/0x190 arch/x86/kernel/stacktrace.c:44
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:553
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc mm/slab.c:3397 [inline]
 kmem_cache_alloc+0x110/0x370 mm/slab.c:3557
 f2fs_kmem_cache_alloc fs/f2fs/f2fs.h:2090 [inline]
 add_free_nid.isra.0+0xa1/0x700 fs/f2fs/node.c:2087
 scan_nat_page fs/f2fs/node.c:2186 [inline]
 __f2fs_build_free_nids+0x421/0x1020 fs/f2fs/node.c:2289
 f2fs_build_free_nids fs/f2fs/node.c:2328 [inline]
 f2fs_build_node_manager+0x24c5/0x31d0 fs/f2fs/node.c:3055
 f2fs_fill_super+0x31fd/0x7050 fs/f2fs/super.c:3022
 mount_bdev+0x2fc/0x3b0 fs/super.c:1158
 mount_fs+0xa3/0x310 fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2492 [inline]
 do_mount+0x115c/0x2f50 fs/namespace.c:2822
 ksys_mount+0xcf/0x130 fs/namespace.c:3038
 __do_sys_mount fs/namespace.c:3052 [inline]
 __se_sys_mount fs/namespace.c:3049 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3049
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f36c61f1f6a
Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f36c3765fa8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f36c61f1f6a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f36c3766000
RBP: 00007f36c3766040 R08: 00007f36c3766040 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f36c3766000 R15: 0000000020014900
Kernel Offset: disabled
Rebooting in 86400 seconds..
----------------
Code disassembly (best guess):
   0:	08 b3 8a b5 41 48    	or     %dh,0x4841b58a(%rbx)
   6:	8d 5c 24 08          	lea    0x8(%rsp),%ebx
   a:	48 c7 44 24 10 35 af 	movq   $0xffffffff89b6af35,0x10(%rsp)
  11:	b6 89
  13:	48 c1 eb 03          	shr    $0x3,%rbx
  17:	48 c7 44 24 18 20 7f 	movq   $0xffffffff81297f20,0x18(%rsp)
  1e:	29 81
  20:	48 8d 14 03          	lea    (%rbx,%rax,1),%rdx
  24:	c7 02 f1 f1 f1 f1    	movl   $0xf1f1f1f1,(%rdx)
* 2a:	c7 42 04 00 f3 f3 f3 	movl   $0xf3f3f300,0x4(%rdx) <-- trapping instruction
  31:	48 89 fa             	mov    %rdi,%rdx
  34:	65 48 8b 0c 25 28 00 	mov    %gs:0x28,%rcx
  3b:	00 00
  3d:	48                   	rex.W
  3e:	89                   	.byte 0x89
  3f:	4c                   	rex.WR

Crashes (1):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci2-linux-4-19	2021/10/16 16:08	linux-4.19.y	3f8a27f9e27b	0c5d9412	.config	log	report			info	WARNING in __ieee80211_beacon_get