------------[ cut here ]------------
roc->started
WARNING: net/mac80211/offchannel.c:404 at ieee80211_start_next_roc+0x256/0x2d0 net/mac80211/offchannel.c:404, CPU#0: syz.3.20/6470
Modules linked in:
CPU: 0 UID: 0 PID: 6470 Comm: syz.3.20 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:ieee80211_start_next_roc+0x256/0x2d0 net/mac80211/offchannel.c:404
Code: da ff e8 1d b8 06 f7 48 83 c4 10 5b 5d e9 12 8e 91 00 e8 0d b8 06 f7 48 89 df e8 75 5f ff ff e9 36 ff ff ff e8 fb b7 06 f7 90 <0f> 0b 90 e9 28 ff ff ff 48 c7 c7 04 e4 d9 90 e8 56 46 73 f7 e9 d1
RSP: 0018:ffffc90003a972a0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88802c0d0ec0 RCX: ffffffff8b023ca6
RDX: ffff88802e4aa4c0 RSI: ffffffff8b023de5 RDI: ffff88802e4aa4c0
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff88802c0d2950
FS: 00007fa684cf06c0(0000) GS:ffff88812433f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f22945b660 CR3: 000000005ec43000 CR4: 00000000003526f0
Call Trace:
__ieee80211_scan_completed+0x4fd/0xe60 net/mac80211/scan.c:537
ieee80211_scan_cancel+0x1cf/0x990 net/mac80211/scan.c:1328
ieee80211_do_stop+0x1c59/0x25f0 net/mac80211/iface.c:495
ieee80211_runtime_change_iftype net/mac80211/iface.c:2018 [inline]
ieee80211_if_change_type+0x3c6/0x790 net/mac80211/iface.c:2056
ieee80211_change_iface+0xad/0x970 net/mac80211/cfg.c:271
rdev_change_virtual_intf net/wireless/rdev-ops.h:74 [inline]
cfg80211_change_iface+0x53d/0xd90 net/wireless/util.c:1218
nl80211_set_interface+0x875/0xc80 net/wireless/nl80211.c:4694
genl_family_rcv_msg_doit+0x214/0x300 net/netlink/genetlink.c:1114
genl_family_rcv_msg net/netlink/genetlink.c:1194 [inline]
genl_rcv_msg+0x560/0x800 net/netlink/genetlink.c:1209
netlink_rcv_skb+0x159/0x420 net/netlink/af_netlink.c:2550
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1218
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x8b0/0xda0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
__sys_sendto+0x468/0x4b0 net/socket.c:2206
__do_sys_sendto net/socket.c:2213 [inline]
__se_sys_sendto net/socket.c:2209 [inline]
__x64_sys_sendto+0xe0/0x1c0 net/socket.c:2209
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa683f4a84e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007fa684ceee18 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fa684cf06c0 RCX: 00007fa683f4a84e
RDX: 0000000000000024 RSI: 00007fa684cef010 RDI: 0000000000000006
RBP: 0000000000000000 R08: 00007fa684ceee94 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 0000000000000000 R14: 00007fa684cef010 R15: 0000000000000000