kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8059 Comm: syz-executor.2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
RIP: 0010:mac80211_hwsim_tx_frame_nl+0x403/0x1230 drivers/net/wireless/mac80211_hwsim.c:1114
Code: 48 c1 ea 03 80 3c 02 00 0f 85 7e 0d 00 00 4c 8b ab 88 12 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7d 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 09 84 d2 74 05 e8
RSP: 0018:ffff8880525769e8 EFLAGS: 00010247
RAX: dffffc0000000000 RBX: ffff8880948cbde0 RCX: ffffc90008418000
RDX: 0000000000000000 RSI: ffffffff84a67685 RDI: 0000000000000004
RBP: ffff8880ab230700 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000000 R12: ffff888052576a70
R13: 0000000000000000 R14: ffff8880ab230980 R15: ffff8880948ca4c0
FS:  00007fa891208700(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bec87a3398 CR3: 000000008ba6e000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 mac80211_hwsim_tx+0x851/0x12f0 drivers/net/wireless/mac80211_hwsim.c:1448
 drv_tx net/mac80211/driver-ops.h:36 [inline]
 ieee80211_tx_frags+0x570/0x9d0 net/mac80211/tx.c:1661
 __ieee80211_tx+0x1b1/0x5f0 net/mac80211/tx.c:1723
 ieee80211_tx+0x355/0x3e0 net/mac80211/tx.c:1909
 ieee80211_xmit+0x380/0x480 net/mac80211/tx.c:2003
 __ieee80211_subif_start_xmit+0x51b/0x970 net/mac80211/tx.c:3728
 ieee80211_subif_start_xmit+0xeb/0xf10 net/mac80211/tx.c:3864
 __netdev_start_xmit include/linux/netdevice.h:4349 [inline]
 netdev_start_xmit include/linux/netdevice.h:4363 [inline]
 xmit_one net/core/dev.c:3256 [inline]
 dev_hard_start_xmit+0x1a8/0x920 net/core/dev.c:3272
 sch_direct_xmit+0x2d6/0xf70 net/sched/sch_generic.c:332
 qdisc_restart net/sched/sch_generic.c:395 [inline]
 __qdisc_run+0x4d0/0x1640 net/sched/sch_generic.c:403
 qdisc_run include/net/pkt_sched.h:120 [inline]
 __dev_xmit_skb net/core/dev.c:3451 [inline]
 __dev_queue_xmit+0x2102/0x2e00 net/core/dev.c:3807
 neigh_resolve_output+0x55a/0x910 net/core/neighbour.c:1374
 neigh_output include/net/neighbour.h:501 [inline]
 ip_finish_output2+0xd76/0x15a0 net/ipv4/ip_output.c:230
 ip_finish_output+0xae9/0x10b0 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x203/0x5f0 net/ipv4/ip_output.c:406
 dst_output include/net/dst.h:455 [inline]
 ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
 ip_send_skb+0x3e/0xe0 net/ipv4/ip_output.c:1452
 udp_send_skb+0x6a4/0x1170 net/ipv4/udp.c:848
 udp_sendmsg+0x1cb4/0x2550 net/ipv4/udp.c:1135
 inet_sendmsg+0x132/0x5a0 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 ___sys_sendmsg+0x3b3/0x8e0 net/socket.c:2227
 __sys_sendmmsg+0x195/0x470 net/socket.c:2322
 __do_sys_sendmmsg net/socket.c:2351 [inline]
 __se_sys_sendmmsg net/socket.c:2348 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2348
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fa892893409
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa891208168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fa8929a5f80 RCX: 00007fa892893409
RDX: 040000000000007c RSI: 0000000020007fc0 RDI: 0000000000000005
RBP: 00007fa8928ee367 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff62e6c43f R14: 00007fa891208300 R15: 0000000000022000
Modules linked in:
---[ end trace dee40f00700f4e7b ]---
RIP: 0010:mac80211_hwsim_tx_frame_nl+0x403/0x1230 drivers/net/wireless/mac80211_hwsim.c:1114
Code: 48 c1 ea 03 80 3c 02 00 0f 85 7e 0d 00 00 4c 8b ab 88 12 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7d 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 09 84 d2 74 05 e8
RSP: 0018:ffff8880525769e8 EFLAGS: 00010247
RAX: dffffc0000000000 RBX: ffff8880948cbde0 RCX: ffffc90008418000
RDX: 0000000000000000 RSI: ffffffff84a67685 RDI: 0000000000000004
RBP: ffff8880ab230700 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000000 R12: ffff888052576a70
R13: 0000000000000000 R14: ffff8880ab230980 R15: ffff8880948ca4c0
FS:  00007fa891208700(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bec87a3398 CR3: 000000008ba6e000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   8:	0f 85 7e 0d 00 00    	jne    0xd8c
   e:	4c 8b ab 88 12 00 00 	mov    0x1288(%rbx),%r13
  15:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1c:	fc ff df
  1f:	49 8d 7d 04          	lea    0x4(%r13),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx <-- trapping instruction
  2e:	48 89 f8             	mov    %rdi,%rax
  31:	83 e0 07             	and    $0x7,%eax
  34:	83 c0 01             	add    $0x1,%eax
  37:	38 d0                	cmp    %dl,%al
  39:	7c 09                	jl     0x44
  3b:	84 d2                	test   %dl,%dl
  3d:	74 05                	je     0x44
  3f:	e8                   	.byte 0xe8