------------[ cut here ]------------
WARNING: CPU: 0 PID: 2405 at kernel/kcov.c:871 kcov_remote_start+0x5a2/0x7e0 kernel/kcov.c:871
Modules linked in:
CPU: 0 PID: 2405 Comm: kworker/u8:6 Not tainted 6.10.0-rc7-syzkaller-00012-g34afb82a3c67 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:kcov_remote_start+0x5a2/0x7e0 kernel/kcov.c:871
Code: 24 00 00 00 00 9c 8f 04 24 f7 04 24 00 02 00 00 0f 85 a6 01 00 00 41 f7 c6 00 02 00 00 0f 84 93 fa ff ff fb e9 8d fa ff ff 90 <0f> 0b 90 e8 66 cd ef 09 89 c0 48 c7 c7 c8 d4 02 00 48 03 3c c5 e0
RSP: 0018:ffffc900000072b0 EFLAGS: 00010002
RAX: 0000000080010101 RBX: ffff8880294e0000 RCX: 0000000000000002
RDX: dffffc0000000000 RSI: ffffffff8bcaccc0 RDI: ffffffff8c1fe980
RBP: 0100000000000002 R08: ffffffff92fa75f7 R09: 1ffffffff25f4ebe
R10: dffffc0000000000 R11: fffffbfff25f4ebf R12: ffffffff8196315e
R13: ffff88802c695200 R14: 0000000000000006 R15: ffff8880b942d4c8
FS:  0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555691808 CR3: 000000006fe36000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 kcov_remote_start_usb include/linux/kcov.h:55 [inline]
 kcov_remote_start_usb_softirq include/linux/kcov.h:89 [inline]
 __usb_hcd_giveback_urb+0x405/0x6e0 drivers/usb/core/hcd.c:1649
 dummy_timer+0x830/0x45d0 drivers/usb/gadget/udc/dummy_hcd.c:1987
 __run_hrtimer kernel/time/hrtimer.c:1689 [inline]
 __hrtimer_run_queues+0x59d/0xd50 kernel/time/hrtimer.c:1753
 hrtimer_interrupt+0x396/0x990 kernel/time/hrtimer.c:1815
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline]
 __sysvec_apic_timer_interrupt+0x112/0x3f0 arch/x86/kernel/apic/apic.c:1049
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x52/0xc0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:ieee80211_rx_monitor net/mac80211/rx.c:821 [inline]
RIP: 0010:ieee80211_rx_list+0xabe/0x3780 net/mac80211/rx.c:5450
Code: 44 89 f7 89 de e8 a2 8d 99 f6 41 39 de 0f 86 55 23 00 00 e8 d4 8b 99 f6 b8 04 00 00 00 48 89 84 24 88 00 00 00 48 8b 44 24 50 <44> 8d 68 02 31 ff 44 89 ee e8 f4 8f 99 f6 45 85 ed 0f 88 74 1f 00
RSP: 0018:ffffc90000007a40 EFLAGS: 00000283
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc90002131000 RSI: 0000000000000003 RDI: 0000000000000004
RBP: ffffc90000007c90 R08: ffffffff8afc9b85 R09: 1ffff1100ddde1cf
R10: dffffc0000000000 R11: ffffed100ddde1d0 R12: dffffc0000000000
R13: ffff888063848780 R14: 0000000000020000 R15: ffff88806eef30b0
 ieee80211_rx_napi+0x18a/0x3c0 net/mac80211/rx.c:5482
 ieee80211_rx include/net/mac80211.h:5093 [inline]
 ieee80211_handle_queued_frames+0xe7/0x1e0 net/mac80211/main.c:438
 tasklet_action_common+0x323/0x4d0 kernel/softirq.c:785
 handle_softirqs+0x2c6/0x970 kernel/softirq.c:554
 do_softirq+0x11b/0x1e0 kernel/softirq.c:455
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
 ieee80211_tx_skb_tid_band net/mac80211/ieee80211_i.h:2268 [inline]
 ieee80211_handle_roc_started+0x267/0x440 net/mac80211/offchannel.c:248
 _ieee80211_start_next_roc+0x7a1/0xb00 net/mac80211/offchannel.c:381
 cfg80211_wiphy_work+0x223/0x260 net/wireless/core.c:437
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2e/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
----------------
Code disassembly (best guess):
   0:	44 89 f7             	mov    %r14d,%edi
   3:	89 de                	mov    %ebx,%esi
   5:	e8 a2 8d 99 f6       	call   0xf6998dac
   a:	41 39 de             	cmp    %ebx,%r14d
   d:	0f 86 55 23 00 00    	jbe    0x2368
  13:	e8 d4 8b 99 f6       	call   0xf6998bec
  18:	b8 04 00 00 00       	mov    $0x4,%eax
  1d:	48 89 84 24 88 00 00 	mov    %rax,0x88(%rsp)
  24:	00
  25:	48 8b 44 24 50       	mov    0x50(%rsp),%rax
* 2a:	44 8d 68 02          	lea    0x2(%rax),%r13d <-- trapping instruction
  2e:	31 ff                	xor    %edi,%edi
  30:	44 89 ee             	mov    %r13d,%esi
  33:	e8 f4 8f 99 f6       	call   0xf699902c
  38:	45 85 ed             	test   %r13d,%r13d
  3b:	0f                   	.byte 0xf
  3c:	88 74 1f 00          	mov    %dh,0x0(%rdi,%rbx,1)