------------[ cut here ]------------
wlan1: Failed check-sdata-in-driver check, flags: 0x0
WARNING: net/mac80211/driver-ops.c:366 at 0x0, CPU#1: kworker/u8:11/3498
Modules linked in:
CPU: 1 UID: 0 PID: 3498 Comm: kworker/u8:11 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: netns cleanup_net
RIP: 0010:drv_unassign_vif_chanctx+0x4d4/0x7b0 net/mac80211/driver-ops.c:366
Code: 00 48 8d b0 20 01 00 00 49 8d 8d 48 0a 00 00 48 85 c0 48 0f 44 f1 42 0f b6 44 3d 00 84 c0 0f 85 95 01 00 00 41 8b 16 48 89 df <67> 48 0f b9 3a e9 15 fd ff ff e8 cd c6 0b f7 90 0f 0b 90 e9 4e fe
RSP: 0018:ffffc9000ca37200 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffff8f909d70 RCX: ffff8880527d97c8
RDX: 0000000000000000 RSI: ffff8880527d8120 RDI: ffffffff8f909d70
RBP: 1ffff1100a4fb2f7 R08: ffffffff8f802177 R09: 1ffffffff1f0042e
R10: dffffc0000000000 R11: fffffbfff1f0042f R12: ffff8880527daa80
R13: ffff8880527d8d80 R14: ffff8880527d97b8 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881261c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555872f9588 CR3: 0000000058892000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 ieee80211_assign_link_chanctx+0x1ec/0xd70 net/mac80211/chan.c:905
 __ieee80211_link_release_channel+0x33b/0x4a0 net/mac80211/chan.c:1879
 unregister_netdevice_many_notify+0x1cae/0x2310 net/core/dev.c:12305
 unregister_netdevice_many net/core/dev.c:12347 [inline]
 unregister_netdevice_queue+0x317/0x350 net/core/dev.c:12161
 unregister_netdevice include/linux/netdevice.h:3389 [inline]
 _cfg80211_unregister_wdev+0x155/0x570 net/wireless/core.c:1284
 ieee80211_remove_interfaces+0x48a/0x6c0 net/mac80211/iface.c:2394
 ieee80211_unregister_hw+0x5d/0x2c0 net/mac80211/main.c:1681
 mac80211_hwsim_del_radio+0x275/0x460 drivers/net/wireless/virtual/mac80211_hwsim.c:5915
 hwsim_exit_net+0xef4/0xfb0 drivers/net/wireless/virtual/mac80211_hwsim.c:6806
 ops_exit_list net/core/net_namespace.c:199 [inline]
 ops_undo_list+0x49a/0x990 net/core/net_namespace.c:252
 cleanup_net+0x4d8/0x7a0 net/core/net_namespace.c:695
 process_one_work kernel/workqueue.c:3263 [inline]
 process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3346
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
----------------
Code disassembly (best guess):
   0:	00 48 8d             	add    %cl,-0x73(%rax)
   3:	b0 20                	mov    $0x20,%al
   5:	01 00                	add    %eax,(%rax)
   7:	00 49 8d             	add    %cl,-0x73(%rcx)
   a:	8d 48 0a             	lea    0xa(%rax),%ecx
   d:	00 00                	add    %al,(%rax)
   f:	48 85 c0             	test   %rax,%rax
  12:	48 0f 44 f1          	cmove  %rcx,%rsi
  16:	42 0f b6 44 3d 00    	movzbl 0x0(%rbp,%r15,1),%eax
  1c:	84 c0                	test   %al,%al
  1e:	0f 85 95 01 00 00    	jne    0x1b9
  24:	41 8b 16             	mov    (%r14),%edx
  27:	48 89 df             	mov    %rbx,%rdi
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	e9 15 fd ff ff       	jmp    0xfffffd49
  34:	e8 cd c6 0b f7       	call   0xf70bc706
  39:	90                   	nop
  3a:	0f 0b                	ud2
  3c:	90                   	nop
  3d:	e9                   	.byte 0xe9
  3e:	4e                   	rex.WRX
  3f:	fe                   	.byte 0xfe