BCM4360 crashes when connecting to an AP inside QEMU VM on Kernel > 5.15

[Lunks]

When using QEMU to run macOS on a Linux Kernel newer than 5.15, the VM crashes as soon as you connect to an access point. This happens on any macOS version, as far as we know. I've tested from Monterey to Sonoma. I need help either fixing or understanding the issue. Here's the crash log from macOS when it boots back up:

 

panic(cpu 14 caller 0xffffff801e9b4243): Kernel trap at 0xffffff8020911fa8, type 14=page fault, registers:
CR0: 0x000000008001003b, CR2: 0x0000000000000160, CR3: 0x0000000022f82000, CR4: 0x00000000001406e0
RAX: 0x00000000fffffff2, RBX: 0xffffff9f60eb2800, RCX: 0x0000000000008149, RDX: 0xffffffaa93cbf34c
RSP: 0xffffffaa93cbf310, RBP: 0xffffffaa93cbf310, RSI: 0xffffffaa93cbf687, RDI: 0x0000000000000000
R8:  0xffffffaa93cbf2d8, R9:  0x0000000000000009, R10: 0x0000000000000002, R11: 0x000000000000000b
R12: 0xffffff9a9405b000, R13: 0xffffff9a94597800, R14: 0xffffff9f60e91800, R15: 0xffffffaa93cbf687
RFL: 0x0000000000010246, RIP: 0xffffff8020911fa8, CS:  0x0000000000000008, SS:  0x0000000000000010
Fault CR2: 0x0000000000000160, Error code: 0x0000000000000000, Fault CPU: 0xe VMM, PL: 0, VF: 1

Panicked task 0xffffff95c7b20698: 284 threads: pid 0: kernel_task
Backtrace (CPU 14), panicked thread: 0xffffff90fba8f0c8, Frame : Return Address
0xffffffaa93cbecf0 : 0xffffff801e86fc7d mach_kernel : _handle_debugger_trap + 0x4ad
0xffffffaa93cbed40 : 0xffffff801e9c4294 mach_kernel : _kdp_i386_trap + 0x114
0xffffffaa93cbed80 : 0xffffff801e9b3da7 mach_kernel : _kernel_trap + 0x3b7
0xffffffaa93cbedd0 : 0xffffff801e810971 mach_kernel : _return_from_trap + 0xc1
0xffffffaa93cbedf0 : 0xffffff801e86ff5d mach_kernel : _DebuggerTrapWithState + 0x5d
0xffffffaa93cbeee0 : 0xffffff801e86f607 mach_kernel : _panic_trap_to_debugger + 0x1a7
0xffffffaa93cbef40 : 0xffffff801efdad7b mach_kernel : _panic + 0x84
0xffffffaa93cbf030 : 0xffffff801e9b4243 mach_kernel : _sync_iss_to_iks + 0x2c3
0xffffffaa93cbf1b0 : 0xffffff801e9b3f2d mach_kernel : _kernel_trap + 0x53d
0xffffffaa93cbf200 : 0xffffff801e810971 mach_kernel : _return_from_trap + 0xc1
0xffffffaa93cbf220 : 0xffffff8020911fa8 com.apple.driver.AirPort.BrcmNIC : _wlc_wowl_get_replay_counter + 0xe
0xffffffaa93cbf310 : 0xffffff80206cd02e com.apple.driver.AirPort.BrcmNIC : _wlc_ol_armtx + 0x32b
0xffffffaa93cbf6e0 : 0xffffff802077686c com.apple.driver.AirPort.BrcmNIC : _wlc_doiovar + 0x6831
0xffffffaa93cbf8a0 : 0xffffff802077c9bc com.apple.driver.AirPort.BrcmNIC : _wlc_iovar_op + 0x3bf
0xffffffaa93cbf950 : 0xffffff80207a2267 com.apple.driver.AirPort.BrcmNIC : __wlc_ioctl + 0x20e1
0xffffffaa93cbfb00 : 0xffffff802077dcaa com.apple.driver.AirPort.BrcmNIC : _wlc_ioctl + 0x6d
0xffffffaa93cbfb50 : 0xffffff802068e3d9 com.apple.driver.AirPort.BrcmNIC : __ZN15AirPort_BrcmNIC7wlIoctlEjPvmbP8OSObject + 0x45
0xffffffaa93cbfb80 : 0xffffff802069c7d4 com.apple.driver.AirPort.BrcmNIC : __ZN15AirPort_BrcmNIC12SetCryptoKeyEPhiiS0_bP10ether_addr + 0x216
0xffffffaa93cbfca0 : 0xffffff802069a488 com.apple.driver.AirPort.BrcmNIC : __ZN15AirPort_BrcmNIC13setCIPHER_KEYEP8OSObjectP14apple80211_key + 0x430
0xffffffaa93cbfd40 : 0xffffff80206af813 com.apple.driver.AirPort.BrcmNIC : __ZN15AirPort_BrcmNIC17apple80211RequestEjiP16IO80211InterfacePv + 0x16d
0xffffffaa93cbfda0 : 0xffffff80205c42ec com.apple.iokit.IO80211FamilyLegacy : __ZN13RSNSupplicant10installPTKEP16RSNAuthenticator + 0x19e
0xffffffaa93cbfde0 : 0xffffff80205c497d com.apple.iokit.IO80211FamilyLegacy : __ZN13RSNSupplicant9ptkThreadEP16RSNAuthenticator + 0x19f
0xffffffaa93cbfe30 : 0xffffff80205c4a3d com.apple.iokit.IO80211FamilyLegacy : __ZN13RSNSupplicant14ptkThreadGatedEP8OSObjectPvS2_S2_S2_ + 0xf
0xffffffaa93cbfe40 : 0xffffff801ef14848 mach_kernel : __ZN13IOCommandGate9runActionEPFiP8OSObjectPvS2_S2_S2_ES2_S2_S2_S2_ + 0xa8
0xffffffaa93cbfea0 : 0xffffff801e8c5e28 mach_kernel : _thread_call_delayed_timer + 0x508
0xffffffaa93cbfee0 : 0xffffff801e8c6eb8 mach_kernel : _thread_call_delayed_timer + 0x1598
0xffffffaa93cbffa0 : 0xffffff801e81019e mach_kernel : _call_continuation + 0x2e
      Kernel Extensions in backtrace:
         com.apple.iokit.IO80211FamilyLegacy(1200.12.2b1)[0B8E8CC4-6295-3650-8869-A599C3D614FF]@0xffffff80204f4000->0xffffff802063afff
            dependency: com.apple.driver.AppleMobileFileIntegrity(1.0.5)[8922A76A-AF7C-3A2B-AA5C-D1A1895B9028]@0xffffff801fe05000->0xffffff801fe38fff
            dependency: com.apple.driver.corecapture(1.0.4)[9E59BABB-614E-3F00-AAF5-99AD06E2DA50]@0xffffff8021ab4000->0xffffff8021ad6fff
            dependency: com.apple.iokit.CoreAnalyticsFamily(1)[E4FBE84B-1C41-39A0-9371-312F65D85A60]@0xffffff8020172000->0xffffff802017bfff
            dependency: com.apple.iokit.IONetworkingFamily(3.4)[9464DB11-7BAB-372E-BE42-312E2C708040]@0xffffff8021054000->0xffffff802106afff
            dependency: com.apple.iokit.IOSkywalkFamily(1.0)[035A9AD9-6CDE-362F-8DEC-B664BC6431EC]@0xffffff80213a1000->0xffffff80213cdfff
            dependency: com.apple.kec.corecrypto(12.0)[764FC967-3B8C-36C9-9BF3-4740683645A5]@0xffffff8021ae5000->0xffffff8021b5efff
         com.apple.driver.AirPort.BrcmNIC(1400.1.1)[CCF037CD-C95E-393C-BC6C-AE39F608E663]@0xffffff8020656000->0xffffff8020baefff
            dependency: com.apple.driver.corecapture(1.0.4)[9E59BABB-614E-3F00-AAF5-99AD06E2DA50]@0xffffff8021ab4000->0xffffff8021ad6fff
            dependency: com.apple.driver.mDNSOffloadUserClient(1.0.1b8)[BA6FE987-65DB-34CE-AAA0-CEBB09C55B21]@0xffffff80212ae000->0xffffff80212b2fff
            dependency: com.apple.iokit.IO80211FamilyLegacy(1200.12.2b1)[0B8E8CC4-6295-3650-8869-A599C3D614FF]@0xffffff80204f4000->0xffffff802063afff
            dependency: com.apple.iokit.IONetworkingFamily(3.4)[9464DB11-7BAB-372E-BE42-312E2C708040]@0xffffff8021054000->0xffffff802106afff
            dependency: com.apple.iokit.IOPCIFamily(2.9)[A4741D9F-2EAF-36E6-9023-084BA29EE1FE]@0xffffff80212b5000->0xffffff80212e6fff
            dependency: com.apple.iokit.IOSkywalkFamily(1.0)[035A9AD9-6CDE-362F-8DEC-B664BC6431EC]@0xffffff80213a1000->0xffffff80213cdfff

Process name corresponding to current thread (0xffffff90fba8f0c8): kernel_task
Boot args: agdpmod=pikera keepsyms=1 debug=0x100 

Mac OS version:
22G630

Kernel version:
Darwin Kernel Version 22.6.0: Mon Feb 19 19:48:53 PST 2024; root:xnu-8796.141.3.704.6~1/RELEASE_X86_64
Kernel UUID: 8FA1B0A8-5DC1-3601-9D60-FC75DBA31F21
roots installed: 0
KernelCache slide: 0x000000001e400000
KernelCache base:  0xffffff801e600000
Kernel slide:      0x000000001e4dc000
Kernel text base:  0xffffff801e6dc000
__HIB  text base: 0xffffff801e500000
System model name: MacPro7,1 (Mac-27AD2F918AE68F61)
System shutdown begun: NO
Panic diags file available: NO (0xe00002bc)
Hibernation exit count: 0

System uptime in nanoseconds: 139409611943
Last Sleep:           absolute           base_tsc          base_nano
  Uptime  : 0x000000207575dee1
  Sleep   : 0x0000000000000000 0x0000000000000000 0x0000000000000000
  Wake    : 0x0000000000000000 0x00000013b6086a6a 0x0000000000000000
Compressor Info: 0% of compressed pages limit (OK) and 0% of segments limit (OK) with 0 swapfiles and OK swap space
Zone info:
  Zone map: 0xffffff8a9342c000 - 0xffffffaa9342c000
  . PGZ   : 0xffffff8a9342c000 - 0xffffff8a9542d000
  . VM    : 0xffffff8a9542d000 - 0xffffff8f61c2c000
  . RO    : 0xffffff8f61c2c000 - 0xffffff90fb42c000
  . GEN0  : 0xffffff90fb42c000 - 0xffffff95c7c2c000
  . GEN1  : 0xffffff95c7c2c000 - 0xffffff9a9442c000
  . GEN2  : 0xffffff9a9442c000 - 0xffffff9f60c2c000
  . GEN3  : 0xffffff9f60c2c000 - 0xffffffa42d42c000
  . DATA  : 0xffffffa42d42c000 - 0xffffffaa9342c000
  Metadata: 0xffffffefd4444000 - 0xffffffeff4444000
  Bitmaps : 0xffffffeff4444000 - 0xffffffeff7444000
  Extra   : 0 - 0

last started kext at 16846606244: @filesystems.smbfs	5.0 (addr 0xffffff7fb4a73000, size 532480)
loaded kexts:
as.vit9696.VirtualSMC	1.3.2
as.vit9696.RestrictEvents	1.1.2
as.vit9696.WhateverGreen	1.6.6
com.khronokernel.FeatureUnlock	1.1.5
as.vit9696.Lilu	1.6.7
@filesystems.smbfs	5.0
>!ATopCaseHIDEventDriver	6440.7
>AudioAUUC	1.70
>!AUpstreamUserClient	3.6.9
>!AMCCSControl	1.16
>!APlatformEnabler	2.7.0d0
>X86PlatformShim	1.0.0
>AGPM	131
@kext.AMDRadeonX6000	4.1.4
@filesystems.autofs	3.0
@kext.AMDRadeonServiceManager	4.1.4
>!AGraphicsDevicePolicy	7.1.19
@AGDCPluginDisplayMetrics	7.1.19
>!AGFXHDA	240.1
>pmtelemetry	1
@filesystems.nfs	1
|IOUserEthernet	1.0.1
>usb.!UUserHCI	1
>!AHV	1
>!ADiskImages2	198.100.13
>!AFIVRDriver	4.1.0
@UVCService	1
>!A!IMCEReporter	115
>ACPI_SMC_PlatformPlugin	1.0.0
>!A!ISlowAdaptiveClocking	4.0.0
>AirPort.BrcmNIC	1400.1.1
>!AAHCIPort	378
>!AFileSystemDriver	3.0.1
@filesystems.tmpfs	1
@filesystems.lifs	1
@filesystems.apfs	2142.140.9
@filesystems.hfs.kext	627.100.6
@BootCache	40
@!AFSCompression.!AFSCompressionTypeZlib	1.0.0
@!AFSCompression.!AFSCompressionTypeDataless	1.0.0d1
>!AACPIButtons	6.1
@private.KextAudit	1.0
>!AHPET	1.8
>!ARTC	2.0.1
>!ASMBIOS	2.1
>!AAPIC	1.7
$!AUserConsent	1
@!ASystemPolicy	2.0.0
@nke.applicationfirewall	404
|IOKitRegistryCompatibility	1
|EndpointSecurity	1
@Dont_Steal_Mac_OS_X	7.0.0
@kec.Compression	1
@kec.!AEncryptedArchive	1
>!AActuatorDriver	644

 

Any help or tips are appreciated. The procedure is easily reproducible, so it's easy to try different things on request.

Edited April 30 by Lunks