------------[ cut here ]------------
WARNING: CPU: 1 PID: 5954 at net/wireless/scan.c:1622 rb_insert_bss+0xf0/0x220 net/wireless/scan.c:1622
Modules linked in:
CPU: 1 UID: 0 PID: 5954 Comm: syz.2.10 Not tainted 6.13.0-rc1-syzkaller-00005-gceb8bf2ceaa7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:rb_insert_bss+0xf0/0x220 net/wireless/scan.c:1622
Code: 28 00 0f 85 f3 00 00 00 31 ff 89 de 48 8b 6d 00 e8 35 21 1c f7 85 db 79 89 e8 ec 1e 1c f7 48 83 c5 10 eb 87 e8 e1 1e 1c f7 90 <0f> 0b 90 e8 d8 1e 1c f7 89 d8 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e
RSP: 0018:ffffc90000a18440 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8a7de633
RDX: ffff888021b59e00 RSI: ffffffff8a7de66f RDI: 0000000000000005
RBP: ffff888029ab81a0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888029a3f820
R13: dffffc0000000000 R14: ffff8880296bd070 R15: ffff8880296bd000
FS: 00007f03dabd26c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c346c4f CR3: 000000007903e000 CR4: 0000000000350ef0
Call Trace:
cfg80211_insert_bss net/wireless/scan.c:1667 [inline]
__cfg80211_bss_update+0xa1f/0x2440 net/wireless/scan.c:2003
cfg80211_inform_single_bss_data+0x7af/0x1de0 net/wireless/scan.c:2330
cfg80211_inform_bss_data+0x205/0x3ba0 net/wireless/scan.c:3189
cfg80211_inform_bss_frame_data+0x272/0x7a0 net/wireless/scan.c:3284
ieee80211_bss_info_update+0x311/0xab0 net/mac80211/scan.c:226
ieee80211_scan_rx+0x474/0xac0 net/mac80211/scan.c:340
__ieee80211_rx_handle_packet net/mac80211/rx.c:5232 [inline]
ieee80211_rx_list+0x1bd7/0x2970 net/mac80211/rx.c:5469
ieee80211_rx_napi+0xdd/0x400 net/mac80211/rx.c:5492
ieee80211_rx include/net/mac80211.h:5163 [inline]
ieee80211_handle_queued_frames+0xd5/0x130 net/mac80211/main.c:441
tasklet_action_common+0x254/0x3f0 kernel/softirq.c:804
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:655
irq_exit_rcu+0x9/0x30 kernel/softirq.c:671
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__seqprop_spinlock_sequence include/linux/seqlock.h:227 [inline]
RIP: 0010:read_seqbegin include/linux/seqlock.h:813 [inline]
RIP: 0010:zone_span_seqbegin include/linux/memory_hotplug.h:103 [inline]
RIP: 0010:page_outside_zone_boundaries mm/page_alloc.c:437 [inline]
RIP: 0010:bad_range+0xcd/0x440 mm/page_alloc.c:456
Code: 89 ef e8 26 9c 88 ff 48 8b 74 24 70 4c 89 ef e8 09 89 88 ff 9c 5a 49 bb 00 00 00 00 00 fc ff df 80 e6 02 58 0f 85 2e 02 00 00 <41> 0f b6 16 41 38 d7 7c 08 84 d2 0f 85 57 02 00 00 8b 93 d0 00 00
RSP: 0018:ffffc90003fc6ff0 EFLAGS: 00000246
RAX: 0000000000000751 RBX: ffff88813fffbc80 RCX: ffffffff81ef171e
RDX: 0000000000000002 RSI: ffffffff8b6cd840 RDI: ffffffff8bd1a5e0
RBP: 0000000000075761 R08: 0000000000000001 R09: fffffbfff2dc999e
R10: ffffffff96e4ccf7 R11: dffffc0000000000 R12: ffffea0001d5d840
R13: ffff88813fffbd58 R14: ffffed1027fff7aa R15: 0000000000000003
rmqueue mm/page_alloc.c:3091 [inline]
get_page_from_freelist+0xfae/0x2f80 mm/page_alloc.c:3471
__alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4751
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
folio_alloc_mpol_noprof+0x36/0xd0 mm/mempolicy.c:2283
shmem_alloc_folio+0x135/0x160 mm/shmem.c:1794
shmem_alloc_and_add_folio+0x48b/0xc00 mm/shmem.c:1833
shmem_get_folio_gfp+0x689/0x1530 mm/shmem.c:2355
shmem_fault+0x200/0xae0 mm/shmem.c:2556
__do_fault+0x10d/0x490 mm/memory.c:4907
do_read_fault mm/memory.c:5322 [inline]
do_fault mm/memory.c:5456 [inline]
do_pte_missing+0xec2/0x3e70 mm/memory.c:3979
handle_pte_fault mm/memory.c:5801 [inline]
__handle_mm_fault+0x103c/0x2a40 mm/memory.c:5944
handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6112
faultin_page mm/gup.c:1187 [inline]
__get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
populate_vma_page_range+0x27f/0x3a0 mm/gup.c:1923
__mm_populate+0x1d6/0x380 mm/gup.c:2026
mm_populate include/linux/mm.h:3386 [inline]
vm_mmap_pgoff+0x293/0x360 mm/util.c:585
ksys_mmap_pgoff+0x7d/0x5c0 mm/mmap.c:542
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
__x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f03d9d7ff19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f03dabd2058 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f03d9f45fa0 RCX: 00007f03d9d7ff19
RDX: b635773f06ebbeee RSI: 0000000000b36000 RDI: 0000000020000000
RBP: 00007f03d9df3986 R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000008031 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f03d9f45fa0 R15: 00007ffde9829758
----------------
Code disassembly (best guess):
0: 89 ef mov %ebp,%edi
2: e8 26 9c 88 ff call 0xff889c2d
7: 48 8b 74 24 70 mov 0x70(%rsp),%rsi
c: 4c 89 ef mov %r13,%rdi
f: e8 09 89 88 ff call 0xff88891d
14: 9c pushf
15: 5a pop %rdx
16: 49 bb 00 00 00 00 00 movabs $0xdffffc0000000000,%r11
1d: fc ff df
20: 80 e6 02 and $0x2,%dh
23: 58 pop %rax
24: 0f 85 2e 02 00 00 jne 0x258
* 2a: 41 0f b6 16 movzbl (%r14),%edx <-- trapping instruction
2e: 41 38 d7 cmp %dl,%r15b
31: 7c 08 jl 0x3b
33: 84 d2 test %dl,%dl
35: 0f 85 57 02 00 00 jne 0x292
3b: 8b .byte 0x8b
3c: 93 xchg %eax,%ebx
3d: d0 00 rolb (%rax)