------------[ cut here ]------------
WARNING: CPU: 1 PID: 4492 at net/mac80211/tx.c:4859 __ieee80211_beacon_update_cntdwn net/mac80211/tx.c:4859 [inline]
WARNING: CPU: 1 PID: 4492 at net/mac80211/tx.c:4859 __ieee80211_beacon_get+0x172c/0x1f80 net/mac80211/tx.c:5083
Modules linked in:
CPU: 1 PID: 4492 Comm: kworker/1:12 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: usb_hub_wq hub_event
RIP: 0010:__ieee80211_beacon_update_cntdwn net/mac80211/tx.c:4859 [inline]
RIP: 0010:__ieee80211_beacon_get+0x172c/0x1f80 net/mac80211/tx.c:5083
Code: f8 0f 0b e9 f1 fa ff ff e8 01 51 3a f8 0f 0b 4c 8b 74 24 08 e9 36 fe ff ff e8 f0 50 3a f8 0f 0b e9 3c ef ff ff e8 e4 50 3a f8 <0f> 0b e9 b8 f2 ff ff e8 98 f2 6b 00 44 89 e1 80 e1 07 80 c1 03 38
RSP: 0018:ffffc90000dd08c0 EFLAGS: 00010246
RAX: ffffffff893d7b2c RBX: ffff8880664a0c80 RCX: ffff8880280cbb80
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000dd0ae8 R08: ffff8880280cbb80 R09: 0000000000000003
R10: 0000000000000007 R11: 0000000000000100 R12: ffff8880781b3800
R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920001ba128
FS: 0000000000000000(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffea3a63f40 CR3: 000000007d3de000 CR4: 00000000003506e0
Call Trace:
 ieee80211_beacon_get_tim+0x48/0x840 net/mac80211/tx.c:5202
 ieee80211_beacon_get include/net/mac80211.h:4983 [inline]
 mac80211_hwsim_beacon_tx+0xf4/0x920 drivers/net/wireless/mac80211_hwsim.c:1812
 __iterate_interfaces+0x243/0x500 net/mac80211/util.c:793
 ieee80211_iterate_active_interfaces_atomic+0xb3/0x140 net/mac80211/util.c:829
 mac80211_hwsim_beacon+0x9b/0x180 drivers/net/wireless/mac80211_hwsim.c:1865
 __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 __hrtimer_run_queues+0x53d/0xc40 kernel/time/hrtimer.c:1749
 hrtimer_run_softirq+0x176/0x240 kernel/time/hrtimer.c:1766
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 common_interrupt+0xb5/0xd0 arch/x86/kernel/irq.c:242
 asm_common_interrupt+0x22/0x40 arch/x86/include/asm/idtentry.h:667
RIP: 0010:arch_atomic_fetch_sub arch/x86/include/asm/atomic.h:190 [inline]
RIP: 0010:atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:168 [inline]
RIP: 0010:__refcount_sub_and_test include/linux/refcount.h:272 [inline]
RIP: 0010:__refcount_dec_and_test include/linux/refcount.h:315 [inline]
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:333 [inline]
RIP: 0010:kcov_put kernel/kcov.c:415 [inline]
RIP: 0010:kcov_remote_stop+0x468/0x4c0 kernel/kcov.c:1029
Code: 05 e8 ec 0c 06 00 48 c7 04 24 00 00 00 00 9c 8f 04 24 f7 04 24 00 02 00 00 75 4e 41 f7 c5 00 02 00 00 74 01 fb b8 ff ff ff ff <f0> 0f c1 03 83 f8 01 75 1e 48 89 df e8 77 00 00 00 48 8b 7b 50 e8
RSP: 0018:ffffc90003a1f8f8 EFLAGS: 00000206
RAX: 00000000ffffffff RBX: ffff8880748dd500 RCX: c98ce84cc42eaf00
RDX: dffffc0000000000 RSI: ffffffff8a0b1c60 RDI: ffffffff8a59e580
RBP: 00000000007ff4b8 R08: dffffc0000000000 R09: fffffbfff1ff7c27
R10: fffffbfff1ff7c27 R11: 1ffffffff1ff7c26 R12: 000000000007e62d
R13: 0000000000000246 R14: ffffc900185c7000 R15: ffffc90013a1a000
 hub_event+0x511d/0x5560 drivers/usb/core/hub.c:5926
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
----------------
Code disassembly (best guess):
   0:   05 e8 ec 0c 06          add    $0x60cece8,%eax
   5:   00 48 c7                add    %cl,-0x39(%rax)
   8:   04 24                   add    $0x24,%al
   a:   00 00                   add    %al,(%rax)
   c:   00 00                   add    %al,(%rax)
   e:   9c                      pushf
   f:   8f 04 24                pop    (%rsp)
  12:   f7 04 24 00 02 00 00    testl  $0x200,(%rsp)
  19:   75 4e                   jne    0x69
  1b:   41 f7 c5 00 02 00 00    test   $0x200,%r13d
  22:   74 01                   je     0x25
  24:   fb                      sti
  25:   b8 ff ff ff ff          mov    $0xffffffff,%eax
* 2a:   f0 0f c1 03             lock xadd %eax,(%rbx)          <-- trapping instruction
  2e:   83 f8 01                cmp    $0x1,%eax
  31:   75 1e                   jne    0x51
  33:   48 89 df                mov    %rbx,%rdi
  36:   e8 77 00 00 00          call   0xb2
  3b:   48 8b 7b 50             mov    0x50(%rbx),%rdi
  3f:   e8                      .byte 0xe8