program: openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='memory.swap.events\x00', 0x275a, 0x0) syz_80211_inject_frame(&(0x7f0000000240)=@device_b, &(0x7f0000000000)=ANY=[@ANYBLOB="80000000080211000001080211000000aa09b799c0d70000000000000000000064000110000602020202020201010b04060200005ba10972060303030303037107"], 0xb5) r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) r2 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r2, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r3, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r4, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r5}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000a00)={0x28, r4, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r5}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}}, 0x0) r6 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r6, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)=[{&(0x7f0000000040)="2e00000010008108040f80ecdb4cb92e0a480e000f000000e8bd6efb250314000e000100240248ff05000500", 0x2c}, {&(0x7f00000019c0)="06bb", 0x2}], 0x2}, 0x0) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r7}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000a00)={0x28, r1, 0x5, 0x70bd29, 0x0, {{}, {@val={0x8, 0x3, r7}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}}, 0x0) [ 85.713387][ T5341] Bluetooth: hci0: command tx timeout [ 85.786462][ T5365] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 85.821361][ T5365] netlink: 'syz.0.0': attribute type 10 has an invalid length. [ 85.846668][ T5365] bond0: (slave wlan1): Enslaving as an active interface with an up link [ 85.871099][ T5365] wlan1: No basic rates, using min rate instead [ 85.878319][ T5365] wlan1: authenticate with aa:09:b7:99:c0:d7 (local address=aa:aa:aa:aa:aa:17) [ 85.884280][ T5365] wlan1: send auth to aa:09:b7:99:c0:d7 (try 1/3) [ 85.888309][ T1095] wlan1: send auth to aa:09:b7:99:c0:d7 (try 2/3) [ 85.896238][ T1095] wlan1: send auth to aa:09:b7:99:c0:d7 (try 3/3) [ 85.908907][ T1095] wlan1: authentication with aa:09:b7:99:c0:d7 timed out [ 85.913665][ T1095] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000029: 0000 [#1] SMP KASAN NOPTI [ 85.919073][ T1095] KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f] [ 85.922824][ T1095] CPU: 0 UID: 0 PID: 1095 Comm: kworker/u4:10 Not tainted 6.16.0-syzkaller-12016-gbec077162bd0 #0 PREEMPT(full) [ 85.927903][ T1095] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.932513][ T1095] Workqueue: events_unbound cfg80211_wiphy_work [ 85.935814][ T1095] RIP: 0010:kasan_byte_accessible+0x12/0x30 [ 85.938512][ T1095] Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e [ 85.946977][ T1095] RSP: 0018:ffffc900027bf3e0 EFLAGS: 00010202 [ 85.950392][ T1095] RAX: dffffc0000000000 RBX: ffffffff819d03fd RCX: 8436497914860900 [ 85.954223][ T1095] RDX: 0000000000000000 RSI: ffffffff819d03fd RDI: 0000000000000029 [ 85.958249][ T1095] RBP: ffffffff82418b3a R08: 0000000000000001 R09: 0000000000000000 [ 85.961565][ T1095] R10: dffffc0000000000 R11: ffffed100a50f132 R12: 0000000000000000 [ 85.965179][ T1095] R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001 [ 85.968459][ T1095] FS: 0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000 [ 85.972014][ T1095] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 85.974863][ T1095] CR2: 00002000000019c0 CR3: 0000000011daa000 CR4: 0000000000352ef0 [ 85.979017][ T1095] Call Trace: [ 85.980870][ T1095] [ 85.982276][ T1095] __kasan_check_byte+0x12/0x40 [ 85.984206][ T1095] lock_acquire+0x8d/0x360 [ 85.986008][ T1095] down_write_nested+0x9d/0x200 [ 85.988084][ T1095] ? __simple_recursive_removal+0x9a/0x510 [ 85.990592][ T1095] ? __pfx_down_write_nested+0x10/0x10 [ 85.993083][ T1095] ? do_raw_spin_unlock+0x4d/0x240 [ 85.995456][ T1095] __simple_recursive_removal+0x9a/0x510 [ 85.998222][ T1095] ? mntput+0x65/0xc0 [ 86.000221][ T1095] ? __pfx_remove_one+0x10/0x10 [ 86.002987][ T1095] debugfs_remove+0x5b/0x70 [ 86.005283][ T1095] ieee80211_sta_debugfs_remove+0x40/0x70 [ 86.007851][ T1095] __sta_info_destroy_part2+0x352/0x450 [ 86.010226][ T1095] sta_info_destroy_addr+0xf5/0x140 [ 86.012874][ T1095] ieee80211_destroy_auth_data+0x12d/0x260 [ 86.016111][ T1095] ieee80211_sta_work+0x11cf/0x3600 [ 86.018872][ T1095] ? __lock_acquire+0xab9/0xd20 [ 86.021137][ T1095] ? __lock_acquire+0xab9/0xd20 [ 86.023341][ T1095] ? __pfx_ieee80211_sta_work+0x10/0x10 [ 86.025774][ T1095] ? do_raw_spin_lock+0x121/0x290 [ 86.028050][ T1095] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 86.030627][ T1095] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.032978][ T1095] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 86.035823][ T1095] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 86.039267][ T1095] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 86.041843][ T1095] ? skb_dequeue+0x10e/0x150 [ 86.043849][ T1095] ? ieee80211_iface_work+0xfc4/0x12d0 [ 86.046281][ T1095] ? ieee80211_iface_work+0x11d6/0x12d0 [ 86.048780][ T1095] ? rcu_is_watching+0x15/0xb0 [ 86.050913][ T1095] cfg80211_wiphy_work+0x2b8/0x470 [ 86.053202][ T1095] ? process_scheduled_works+0x9ef/0x17b0 [ 86.055769][ T1095] process_scheduled_works+0xade/0x17b0 [ 86.058242][ T1095] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.061067][ T1095] worker_thread+0x8a0/0xda0 [ 86.063517][ T1095] kthread+0x70e/0x8a0 [ 86.065629][ T1095] ? __pfx_worker_thread+0x10/0x10 [ 86.067973][ T1095] ? __pfx_kthread+0x10/0x10 [ 86.070092][ T1095] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.072495][ T1095] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.074779][ T1095] ? __pfx_kthread+0x10/0x10 [ 86.076838][ T1095] ret_from_fork+0x3fc/0x770 [ 86.078987][ T1095] ? __pfx_ret_from_fork+0x10/0x10 [ 86.081450][ T1095] ? __pfx_kthread+0x10/0x10 [ 86.083870][ T1095] ret_from_fork_asm+0x1a/0x30 [ 86.086671][ T1095] [ 86.088428][ T1095] Modules linked in: [ 86.091181][ T1095] ---[ end trace 0000000000000000 ]--- [ 86.095164][ T5365] bond0: entered promiscuous mode [ 86.097601][ T5365] bond_slave_0: entered promiscuous mode [ 86.100443][ T5365] bond_slave_1: entered promiscuous mode [ 86.103216][ T5365] mac80211_hwsim hwsim3 wlan1: entered promiscuous mode [ 86.115445][ T1095] RIP: 0010:kasan_byte_accessible+0x12/0x30 [ 86.119816][ T1095] Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e [ 86.130047][ T1095] RSP: 0018:ffffc900027bf3e0 EFLAGS: 00010202 [ 86.133122][ T1095] RAX: dffffc0000000000 RBX: ffffffff819d03fd RCX: 8436497914860900 [ 86.136727][ T1095] RDX: 0000000000000000 RSI: ffffffff819d03fd RDI: 0000000000000029 [ 86.141601][ T1095] RBP: ffffffff82418b3a R08: 0000000000000001 R09: 0000000000000000 [ 86.146879][ T1095] R10: dffffc0000000000 R11: ffffed100a50f132 R12: 0000000000000000 [ 86.150989][ T1095] R13: 0000000000000148 R14: 0000000000000148 R15: 0000000000000001 [ 86.154849][ T1095] FS: 0000000000000000(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000 [ 86.160165][ T1095] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 86.163400][ T1095] CR2: 00007f0ab47f4fc8 CR3: 0000000051418000 CR4: 0000000000352ef0 [ 86.167178][ T1095] Kernel panic - not syncing: Fatal exception [ 86.170285][ T1095] Kernel Offset: disabled [ 86.172268][ T1095] Rebooting in 86400 seconds..