bisecting fixing commit since 4143d798313fffa39f05bf24dd560ace42225c26
building syzkaller on c104d4a3bfc1f83e7ed33b4dca70e099402ce39f
testing commit 4143d798313fffa39f05bf24dd560ace42225c26
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: cd4cdc3389c2360a82d42533218a7b37bffae0a0e79a0809134388ca70317b44
run #0: crashed: WARNING in ieee80211_free_ack_frame
run #1: crashed: WARNING in ieee80211_free_ack_frame
run #2: crashed: WARNING in ieee80211_free_ack_frame
run #3: crashed: WARNING in ieee80211_free_ack_frame
run #4: crashed: WARNING in ieee80211_free_ack_frame
run #5: crashed: WARNING in ieee80211_free_ack_frame
run #6: crashed: WARNING in ieee80211_free_ack_frame
run #7: crashed: WARNING in ieee80211_free_ack_frame
run #8: crashed: WARNING in ieee80211_free_ack_frame
run #9: crashed: WARNING in ieee80211_free_ack_frame
run #10: crashed: WARNING in ieee80211_free_ack_frame
run #11: crashed: WARNING in ieee80211_free_ack_frame
run #12: crashed: WARNING in ieee80211_free_ack_frame
run #13: crashed: WARNING in ieee80211_free_ack_frame
run #14: crashed: WARNING in ieee80211_free_ack_frame
run #15: crashed: WARNING in ieee80211_free_ack_frame
run #16: crashed: WARNING in ieee80211_free_ack_frame
run #17: crashed: WARNING in ieee80211_free_ack_frame
run #18: crashed: WARNING in ieee80211_free_ack_frame
run #19: OK
testing current HEAD a89b48fe9308d976d9dcb2112e264d647f7efce4
testing commit a89b48fe9308d976d9dcb2112e264d647f7efce4
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 0186fd136adc2bb42d33db9fbcf2cd50c790f81b86f6f8194acfde814c12d72e
run #0: crashed: WARNING in ieee80211_free_ack_frame
run #1: crashed: WARNING in ieee80211_free_ack_frame
run #2: crashed: WARNING in ieee80211_free_ack_frame
run #3: crashed: WARNING in ieee80211_free_ack_frame
run #4: crashed: WARNING in ieee80211_free_ack_frame
run #5: crashed: WARNING in ieee80211_free_ack_frame
run #6: crashed: WARNING in ieee80211_free_ack_frame
run #7: crashed: WARNING in ieee80211_free_ack_frame
run #8: crashed: WARNING in ieee80211_free_ack_frame
run #9: OK
revisions tested: 2, total time: 34m35.802214066s (build: 16m30.06263493s, test: 17m33.443908599s)
the crash still happens on HEAD
commit msg: Linux 4.19.199
crash: WARNING in ieee80211_free_ack_frame
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
------------[ cut here ]------------
Have pending ack frames!
WARNING: CPU: 1 PID: 9224 at net/mac80211/main.c:1279 ieee80211_free_ack_frame+0x34/0x40 net/mac80211/main.c:1279
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 9224 Comm: kworker/u4:5 Not tainted 4.19.199-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x226 lib/dump_stack.c:118
 panic+0x1cd/0x375 kernel/panic.c:186
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
 __warn.cold.7+0x1b/0x36 kernel/panic.c:541
 report_bug+0x1a1/0x200 lib/bug.c:183
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 fixup_bug arch/x86/kernel/traps.c:173 [inline]
 do_error_trap+0x200/0x350 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1038
RIP: 0010:ieee80211_free_ack_frame+0x34/0x40 net/mac80211/main.c:1279
Code: 07 c9 77 03 00 74 0c 48 89 f7 e8 e7 b8 e9 fe 31 c0 c9 c3 48 c7 c7 e0 6d f6 88 48 89 75 f8 c6 05 e7 c8 77 03 01 e8 8d 23 58 00 <0f> 0b 48 8b 75 f8 eb d5 0f 1f 40 00 55 be 04 00 00 00 48 89 e5 41
RSP: 0018:ffff8880a4d0f970 EFLAGS: 00010286
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffffffff88502140 RDI: ffffffff8bada720
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
RBP: ffff8880a4d0f978 R08: ffffed1017464e99 R09: ffffed1017464e98
R10: ffffed1017464e98 R11: ffff8880ba3274c7 R12: 0000000000000000
R13: ffff88808df30170 R14: ffffffff87298f20 R15: ffff8880a4d0fa38
 idr_for_each+0x114/0x250 lib/idr.c:211
 ieee80211_free_hw+0x77/0x130 net/mac80211/main.c:1294
 mac80211_hwsim_del_radio+0x2a7/0x360 drivers/net/wireless/mac80211_hwsim.c:2998
 hwsim_exit_net+0x869/0x1200 drivers/net/wireless/mac80211_hwsim.c:3666
 ops_exit_list.isra.0+0x8b/0x120 net/core/net_namespace.c:153
 cleanup_net+0x368/0x850 net/core/net_namespace.c:553
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
Kernel Offset: disabled
Rebooting in 86400 seconds..