I don't really know any of this here, but ...

+ ret = rtw89_hw_scan_offload(rtwdev, vif, false); + if (ret) + rtw89_hw_scan_complete(rtwdev, vif, true);

seems strange? You have to say that it was completed here, in the good case, so maybe that was meant to be !ret?

It _looks_ like the crash is a use-after-free (the wiphy pointer in a scan request cannot become NULL in normal flows), so maybe try with KASAN rather than waiting for the crash. According to the logs, it doesn't happen every time even for the reporter.

There possibly seems to be some issue between cfg80211 and mac80211 in this code, we see the WARN_ON() in cfg80211_netdev_notifier_call() in the NETDEV_DOWN case, which calls ___cfg80211_scan_done() which frees the scan request. But shortly after the HW crashes, and we have "ieee80211_restart_work called with hardware scan in progress", mac80211 wants to cancel the HW scan but the HW is dead ("wlo1: Failed check-sdata-in-driver check, flags: 0x0"), and we see again "phy0: resume with hardware scan still in progress" ... but this time once tasks are restarted it crashes ...

So I think KASAN, possibly rtw debugs, and perhaps something like https://p.sipsolutions.net/602684f34abfcf7c.txt will help debug it (yes it adds a leak)

johannes
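
Review bot: at `if (ret)`, rtw89_hw_scan_complete() is reached only when rtw89_hw_scan_offload() returns non-zero, and the visible lines neither handle the ret == 0 path nor propagate or log ret. Either add a comment stating who completes the scan when the offload call succeeds, or, if completion was intended for the success case, invert the condition. In both cases report ret so that a failed offload call is visible to the caller or in the log.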