program: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000600)=ANY=[@ANYBLOB="5000000008021100000108021100000050505050505000000000000000000000000401000006020202020202010804"], 0x36) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = socket$nl_generic(0x10, 0x3, 0x10) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r3, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r2, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000280)={0x28, r3, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_SSID={0xc, 0x34, @random="f001f090bfd2066d"}]}, 0x28}}, 0x0) r5 = socket$nl_generic(0x10, 0x3, 0x10) r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_CONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x28, r6, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r7}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}, 0x1, 0x0, 0x0, 0x20008841}, 0x0) r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) r9 = socket$nl_generic(0x10, 0x3, 0x10) r10 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r9, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r9, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r10, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r11}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_ASSOCIATE(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000380)={0x3c, r8, 0x1, 0x70bd2b, 0x25dfdbfe, {{}, {@val={0x8, 0x3, r11}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8, 0x26, @random=0x96c}], @NL80211_ATTR_MAC={0xa}]}, 0x3c}, 0x1, 0x0, 0x0, 0x4000815}, 0x850) r12 = syz_open_dev$vbi(&(0x7f0000000080), 0x1, 0x2) ioctl$VIDIOC_S_OUTPUT(r12, 0xc004562f, &(0x7f00000000c0)=0x1) ioctl$VIDIOC_S_DV_TIMINGS(r12, 0xc0845657, &(0x7f0000000380)={0x0, @bt={0x12, 0x7c5, 0x1, 0x3, 0xd59f80, 0x4, 0x5, 0x7, 0x8, 0x5, 0x6, 0xe72, 0x7, 0x8, 0x2e, 0x8, {0xffff945a, 0x1}, 0x3, 0xed}}) r13 = syz_open_dev$vim2m(&(0x7f0000001080), 0x8, 0x2) ioctl$vim2m_VIDIOC_REQBUFS(r13, 0xc0145608, &(0x7f00000000c0)={0x1, 0x2, 0x1}) ioctl$vim2m_VIDIOC_QBUF(r13, 0xc058560f, &(0x7f00000002c0)=@multiplanar_mmap={0x0, 0x2, 0x0, 0x0, 0x0, {}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, "fafc00"}, 0x0, 0x1, {0x0}}) sendmsg$IPCTNL_MSG_CT_NEW(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000740)={0x60, 0x0, 0x1, 0x401, 0x0, 0x0, {0xa, 0x0, 0x8000}, [@CTA_TUPLE_ORIG={0x4}, @CTA_TUPLE_REPLY={0x3c, 0x2, 0x0, 0x1, [@CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @local}, {0x14, 0x4, @local}}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}]}, @CTA_TIMEOUT={0x8, 0x7, 0x1, 0x0, 0x8}, @CTA_NAT_SRC={0x4}]}, 0x60}}, 0x0) r14 = socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$IP_VS_SO_SET_STARTDAEMON(r14, 0x0, 0x48b, &(0x7f00000001c0)={0x1, 'veth0_to_bridge\x00'}, 0x18) getsockopt$IP_VS_SO_GET_DAEMON(r14, 0x0, 0x487, &(0x7f0000000040), &(0x7f00000000c0)=0x30) sendmsg$NFQNL_MSG_CONFIG(r0, &(0x7f0000000340)={&(0x7f0000000000), 0xc, &(0x7f0000000200)={&(0x7f0000000280)={0x58, 0x2, 0x3, 0x101, 0x0, 0x0, {0x5, 0x0, 0x8}, [@NFQA_CFG_PARAMS={0x9, 0x2, {0x7, 0x1}}, @NFQA_CFG_PARAMS={0x9, 0x2, {0x73f3, 0x2}}, @NFQA_CFG_PARAMS={0x9, 0x2, {0x4}}, @NFQA_CFG_QUEUE_MAXLEN={0x8, 0x3, 0x1, 0x0, 0x3}, @NFQA_CFG_QUEUE_MAXLEN={0x8, 0x3, 0x1, 0x0, 0x800}, @NFQA_CFG_CMD={0x8, 0x1, {0x2, 0x0, 0x8}}, @NFQA_CFG_QUEUE_MAXLEN={0x8, 0x3, 0x1, 0x0, 0x8}]}, 0x58}, 0x1, 0x0, 0x0, 0x880}, 0xc000) sendmsg$IPCTNL_MSG_CT_NEW(r0, &(0x7f0000000080)={0x0, 0x2f, &(0x7f00000003c0)={&(0x7f00000004c0)={0xac, 0x0, 0x1, 0x401, 0x0, 0x8000000, {0xa}, [@CTA_TUPLE_ORIG={0x3c, 0x1, 0x0, 0x1, [@CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @empty}, {0x14, 0x4, @mcast1}}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}]}, @CTA_TUPLE_REPLY={0x3c, 0x2, 0x0, 0x1, [@CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @local}, {0x14, 0x4, @local}}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}]}, @CTA_TIMEOUT={0x8}, @CTA_NAT_SRC={0x18, 0x6, 0x0, 0x1, [@CTA_NAT_V6_MINIP={0x14, 0x4, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'}]}]}, 0xac}}, 0x0) [ 78.611018][ T4674] Bluetooth: hci0: command tx timeout [ 78.615157][ T1311] ieee802154 phy0 wpan0: encryption failed: -22 [ 78.617684][ T1311] ieee802154 phy1 wpan1: encryption failed: -22 [ 78.748976][ T5333] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 78.775888][ T5333] wlan1: No basic rates, using min rate instead [ 78.781847][ T1033] wlan1: associate with 50:50:50:50:50:50 (try 1/3) [ 78.784878][ T1033] wlan1: associate with 50:50:50:50:50:50 (try 2/3) [ 78.787588][ T1033] wlan1: associate with 50:50:50:50:50:50 (try 3/3) [ 78.793501][ T1033] wlan1: association with 50:50:50:50:50:50 timed out [ 78.799083][ T5325] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI [ 78.804766][ T5325] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 78.809781][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: kworker/0:4 Not tainted 6.15.0-rc1-syzkaller #0 PREEMPT(full) [ 78.814770][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 78.819845][ T5325] Workqueue: events cfg80211_conn_work [ 78.822198][ T5325] RIP: 0010:cfg80211_mlme_deauth+0x35a/0x940 [ 78.825083][ T5325] Code: 8d 9c 24 b0 00 00 00 48 89 d8 48 c1 e8 03 42 0f b6 04 28 84 c0 4c 8b 7c 24 28 0f 85 25 03 00 00 44 8b 23 4c 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 2b 03 00 00 45 8b 37 48 8b 44 24 20 48 [ 78.834653][ T5325] RSP: 0018:ffffc9000d27f180 EFLAGS: 00010246 [ 78.837145][ T5325] RAX: 0000000000000000 RBX: ffff8880531fce40 RCX: ffff88800029c880 [ 78.840160][ T5325] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 78.843160][ T5325] RBP: ffffc9000d27f268 R08: ffffffff8b8395d8 R09: 0000000000000003 [ 78.846202][ T5325] R10: 0000000000000009 R11: ffff88800029c880 R12: 0000000000000000 [ 78.849297][ T5325] R13: dffffc0000000000 R14: 0000000000000003 R15: 0000000000000000 [ 78.852390][ T5325] FS: 0000000000000000(0000) GS:ffff88808c596000(0000) knlGS:0000000000000000 [ 78.855812][ T5325] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.858355][ T5325] CR2: 00007f105737d538 CR3: 0000000011c94000 CR4: 0000000000352ef0 [ 78.861272][ T5325] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 78.864284][ T5325] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 78.867454][ T5325] Call Trace: [ 78.868788][ T5325] [ 78.870105][ T5325] ? __pfx_cfg80211_mlme_deauth+0x10/0x10 [ 78.872487][ T5325] cfg80211_conn_do_work+0x369/0xed0 [ 78.874673][ T5325] ? __pfx_cfg80211_conn_do_work+0x10/0x10 [ 78.877053][ T5325] ? __schedule+0x1ba6/0x5240 [ 78.878959][ T5325] ? unwind_next_frame+0xb8/0x23b0 [ 78.880866][ T5325] ? ret_from_fork_asm+0x1a/0x30 [ 78.882695][ T5325] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 78.884941][ T5325] cfg80211_conn_work+0x2c2/0x530 [ 78.886798][ T5325] ? __pfx_cfg80211_conn_work+0x10/0x10 [ 78.888989][ T5325] ? stack_trace_save+0x11a/0x1d0 [ 78.890969][ T5325] ? __pfx_stack_trace_save+0x10/0x10 [ 78.893200][ T5325] ? check_noncircular+0xee/0x160 [ 78.895229][ T5325] ? lockdep_unlock+0x8d/0x120 [ 78.897152][ T5325] ? validate_chain+0x8a7/0x24e0 [ 78.899058][ T5325] ? __lock_acquire+0xad5/0xd80 [ 78.900837][ T5325] ? lockdep_hardirqs_on+0x9d/0x150 [ 78.902708][ T5325] ? process_scheduled_works+0x9cb/0x18e0 [ 78.904772][ T5325] process_scheduled_works+0xac3/0x18e0 [ 78.906780][ T5325] ? __pfx_process_scheduled_works+0x10/0x10 [ 78.909233][ T5325] ? assign_work+0x367/0x3d0 [ 78.911146][ T5325] worker_thread+0x870/0xd50 [ 78.913059][ T5325] ? __kthread_parkme+0x1a8/0x200 [ 78.915154][ T5325] ? __pfx_worker_thread+0x10/0x10 [ 78.917216][ T5325] kthread+0x7b7/0x940 [ 78.918839][ T5325] ? __pfx_worker_thread+0x10/0x10 [ 78.920901][ T5325] ? __pfx_kthread+0x10/0x10 [ 78.922749][ T5325] ? __pfx_kthread+0x10/0x10 [ 78.924580][ T5325] ? __pfx_kthread+0x10/0x10 [ 78.926376][ T5325] ? __pfx_kthread+0x10/0x10 [ 78.928190][ T5325] ? _raw_spin_unlock_irq+0x23/0x50 [ 78.930301][ T5325] ? lockdep_hardirqs_on+0x9d/0x150 [ 78.932363][ T5325] ? __pfx_kthread+0x10/0x10 [ 78.934174][ T5325] ret_from_fork+0x4b/0x80 [ 78.935920][ T5325] ? __pfx_kthread+0x10/0x10 [ 78.937709][ T5325] ret_from_fork_asm+0x1a/0x30 [ 78.939638][ T5325] [ 78.940865][ T5325] Modules linked in: [ 78.943230][ T5325] ---[ end trace 0000000000000000 ]--- [ 78.948090][ T5334] use of bytesused == 0 is deprecated and will be removed in the future, [ 78.951547][ T5334] use the actual size instead. [ 78.961384][ T5335] IPVS: sync thread started: state = MASTER, mcast_ifn = veth0_to_bridge, syncid = 0, id = 0 [ 78.966425][ T5325] RIP: 0010:cfg80211_mlme_deauth+0x35a/0x940 [ 78.968848][ T5325] Code: 8d 9c 24 b0 00 00 00 48 89 d8 48 c1 e8 03 42 0f b6 04 28 84 c0 4c 8b 7c 24 28 0f 85 25 03 00 00 44 8b 23 4c 89 f8 48 c1 e8 03 <42> 0f b6 04 28 84 c0 0f 85 2b 03 00 00 45 8b 37 48 8b 44 24 20 48 [ 78.977223][ T5325] RSP: 0018:ffffc9000d27f180 EFLAGS: 00010246 [ 78.979829][ T5325] RAX: 0000000000000000 RBX: ffff8880531fce40 RCX: ffff88800029c880 [ 78.983929][ T5325] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 78.987072][ T5325] RBP: ffffc9000d27f268 R08: ffffffff8b8395d8 R09: 0000000000000003 [ 78.990661][ T5325] R10: 0000000000000009 R11: ffff88800029c880 R12: 0000000000000000 [ 78.993766][ T5325] R13: dffffc0000000000 R14: 0000000000000003 R15: 0000000000000000 [ 78.996866][ T5325] FS: 0000000000000000(0000) GS:ffff88808c596000(0000) knlGS:0000000000000000 [ 79.001046][ T5325] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 79.003727][ T5325] CR2: 0000200000001080 CR3: 0000000011c94000 CR4: 0000000000352ef0 [ 79.006839][ T5325] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 79.009943][ T5325] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 79.013923][ T5325] Kernel panic - not syncing: Fatal exception [ 79.016572][ T5325] Kernel Offset: disabled [ 79.018221][ T5325] Rebooting in 86400 seconds..