syzbot

wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 15532 Comm: syz-executor003 Not tainted 4.19.170-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ieee80211_multicast_to_unicast net/mac80211/tx.c:3752 [inline]
RIP: 0010:ieee80211_subif_start_xmit+0x24b/0xef0 net/mac80211/tx.c:3836
Code: 03 80 3c 02 00 0f 85 3c 0c 00 00 49 8b 9f 80 14 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb d8 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e 19 0c 00 00 0f b6 9b d8 01 00 00 31
RSP: 0018:ffff8880ba007390 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87a0705a
RDX: 000000000000003b RSI: ffffffff87a070ea RDI: 00000000000001d8
RBP: ffff8880a1a5c580 R08: 0000000000000000 R09: 0000000000000004
R10: 0000000000000005 R11: 0000000000000000 R12: ffffffff89671720
R13: ffff8880a9f59382 R14: ffff8880ab4bc5d0 R15: ffff8880ab4bc500
FS:  000000000095e880(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000046da00 CR3: 00000000a9176000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __netdev_start_xmit include/linux/netdevice.h:4333 [inline]
 netdev_start_xmit include/linux/netdevice.h:4347 [inline]
 xmit_one net/core/dev.c:3256 [inline]
 dev_hard_start_xmit+0x1a8/0x920 net/core/dev.c:3272
 sch_direct_xmit+0x2d6/0xf50 net/sched/sch_generic.c:332
 qdisc_restart net/sched/sch_generic.c:395 [inline]
 __qdisc_run+0x4d0/0x1640 net/sched/sch_generic.c:403
 qdisc_run include/net/pkt_sched.h:120 [inline]
 __dev_xmit_skb net/core/dev.c:3451 [inline]
 __dev_queue_xmit+0x2102/0x2e00 net/core/dev.c:3807
 neigh_hh_output include/net/neighbour.h:491 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip6_finish_output2+0xde7/0x2290 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x795/0xe50 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x205/0x770 net/ipv6/ip6_output.c:209
 dst_output include/net/dst.h:455 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 mld_sendpack+0x674/0x1060 net/ipv6/mcast.c:1684
 mld_send_cr net/ipv6/mcast.c:1980 [inline]
 mld_ifc_timer_expire+0x616/0xdf0 net/ipv6/mcast.c:2479
 call_timer_fn+0x177/0x700 kernel/time/timer.c:1338
 expire_timers+0x243/0x4e0 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1696 [inline]
 run_timer_softirq+0x21c/0x670 kernel/time/timer.c:1709
 __do_softirq+0x26c/0x9a0 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x215/0x260 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:545 [inline]
 smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
 </IRQ>
RIP: 0010:__list_del_entry_valid+0xb3/0xf0 lib/list_debug.c:54
Code: 14 24 48 39 ea 0f 85 77 bc 83 04 49 8d 7d 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 22 49 8b 55 08 <48> 39 ea 0f 85 88 bc 83 04 5d b8 01 00 00 00 41 5c 41 5d c3 e8 94
RSP: 0018:ffff888093b17470 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: ffff88808792e6d8 RCX: ffffffff814bc27b
RDX: ffff88808792e6d8 RSI: 0000000000000004 RDI: ffff88808792eb10
RBP: ffff88808792e6d8 R08: 0000000000000001 R09: ffffed10476729b0
R10: ffff88823b394d83 R11: 0000000000000000 R12: ffff88823b394db8
R13: ffff88808792eb08 R14: ffffffff889f9fa0 R15: ffff88808792e558
 __list_del_entry include/linux/list.h:117 [inline]
 list_del_init include/linux/list.h:159 [inline]
 inode_sb_list_del fs/inode.c:454 [inline]
 evict+0x181/0x760 fs/inode.c:548
 iput_final fs/inode.c:1555 [inline]
 iput+0x4f1/0x860 fs/inode.c:1581
 dentry_unlink_inode+0x265/0x320 fs/dcache.c:374
 d_delete+0x210/0x280 fs/dcache.c:2372
 __debugfs_remove_file fs/debugfs/inode.c:628 [inline]
 __debugfs_remove.part.0+0x10b/0x1b0 fs/debugfs/inode.c:658
 __debugfs_remove include/linux/dcache.h:322 [inline]
 debugfs_remove_recursive fs/debugfs/inode.c:740 [inline]
 debugfs_remove_recursive+0x1ba/0x4c0 fs/debugfs/inode.c:709
 ieee80211_debugfs_remove_netdev+0x43/0xc0 net/mac80211/debugfs_netdev.c:836
 ieee80211_teardown_sdata+0x48/0x2b0 net/mac80211/iface.c:1119
 ieee80211_runtime_change_iftype net/mac80211/iface.c:1547 [inline]
 ieee80211_if_change_type+0x2a7/0x5f0 net/mac80211/iface.c:1579
 ieee80211_change_iface+0x26/0x220 net/mac80211/cfg.c:157
 rdev_change_virtual_intf net/wireless/rdev-ops.h:69 [inline]
 cfg80211_change_iface+0x2e1/0x1530 net/wireless/util.c:936
 nl80211_set_interface+0x661/0x830 net/wireless/nl80211.c:3205
 genl_family_rcv_msg+0x642/0xc40 net/netlink/genetlink.c:602
 genl_rcv_msg+0xbf/0x160 net/netlink/genetlink.c:627
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:638
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x6bb/0xc40 net/netlink/af_netlink.c:1909
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:632
 __sys_sendto+0x21a/0x320 net/socket.c:1787
 __do_sys_sendto net/socket.c:1799 [inline]
 __se_sys_sendto net/socket.c:1795 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1795
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x401ea3
Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 83 3d 6d 88 2d 00 00 75 17 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 f1 0b 00 00 c3 48 83 ec 08 e8 57 01 00 00
RSP: 002b:00007fff2808c648 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fff2808c700 RCX: 0000000000401ea3
RDX: 0000000000000024 RSI: 00007fff2808c750 RDI: 0000000000000006
RBP: 0000000000000000 R08: 00007fff2808c650 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fff2808c750 R15: 0000000000000006
Modules linked in:
---[ end trace 6ce1d1fa970cd998 ]---
RIP: 0010:ieee80211_multicast_to_unicast net/mac80211/tx.c:3752 [inline]
RIP: 0010:ieee80211_subif_start_xmit+0x24b/0xef0 net/mac80211/tx.c:3836
Code: 03 80 3c 02 00 0f 85 3c 0c 00 00 49 8b 9f 80 14 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb d8 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e 19 0c 00 00 0f b6 9b d8 01 00 00 31
RSP: 0018:ffff8880ba007390 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87a0705a
RDX: 000000000000003b RSI: ffffffff87a070ea RDI: 00000000000001d8
RBP: ffff8880a1a5c580 R08: 0000000000000000 R09: 0000000000000004
R10: 0000000000000005 R11: 0000000000000000 R12: ffffffff89671720
R13: ffff8880a9f59382 R14: ffff8880ab4bc5d0 R15: ffff8880ab4bc500
FS:  000000000095e880(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000046da00 CR3: 00000000a9176000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400