program: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000000)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x20}}, 0x0, @random=0x4, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2, 0x1}]}, @void, @void, @void, @void, @void, @val={0x71, 0x7, {0x1, 0x1, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xf3}}}, 0x38) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000400)=@mgmt_frame=@auth={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x1}}, 0x0, 0x2, 0x0, @void}, 0x1e) r3 = socket$inet6_tcp(0xa, 0x1, 0x0) r4 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r4, &(0x7f0000000500)={0xa, 0x2, 0x0, @empty}, 0x1c) listen(r4, 0x0) shutdown(r3, 0x1) setsockopt$inet6_tcp_int(r3, 0x6, 0x2000000000000022, &(0x7f0000000040)=0x1, 0x4) sendto$inet6(r3, &(0x7f0000000200)="ae", 0x1, 0x20004002, &(0x7f0000b63fe4)={0xa, 0x2}, 0x1c) syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000500)=@mgmt_frame=@assoc_resp={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x2}}, 0x1, 0x0, @default, @val, @void}, 0x20) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f00000008c0)=@mgmt_frame=@beacon={{{}, {}, @device_b, @device_b, @from_mac}, 0x0, @default, 0x1, @void, @void, @void, @void, @void, @val={0x5, 0x3, {0x7c, 0x20, 0x8}}, @val={0x25, 0x3, {0x0, 0x2, 0x4}}, @val={0x2a, 0x1, {0x1, 0x1}}, @val={0x3c, 0x4, {0x0, 0x3d, 0xab, 0x5}}, @val={0x2d, 0x1a, {0x8, 0x3, 0x1, 0x0, {0x5, 0x9, 0x0, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x6, 0x4, 0x5}}, @void, @void, @val={0x76, 0x6, {0x0, 0x9, 0x3d, 0x1}}}, 0x5b) syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000340)=ANY=[@ANYBLOB="12013f00000000407f04ffff0000000000010902"], 0x0) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f00000005c0)=ANY=[@ANYBLOB="800000000802110000010802110000010802110000000000000000000000000064ff0000000602020202020205037c003dab080007718e0000040400000005710700030000000221760600093d000100"/92], 0x6c) [ 85.067010][ T4683] Bluetooth: hci0: command tx timeout [ 85.217652][ T5344] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 85.251165][ T5342] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 85.255552][ T5342] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 85.285286][ T120] wlan1: authenticated [ 85.288008][ T5344] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 85.297398][ T120] wlan1: associate with 08:02:11:00:00:00 (try 1/3) [ 85.310794][ T120] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0x1 status=0 aid=1) [ 85.314762][ T5344] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 85.320338][ T120] wlan1: associated [ 85.323964][ T120] wlan1: cannot understand ECSA IE operating class, 61, ignoring [ 85.327852][ T5344] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 85.576082][ T5342] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 85.729838][ T5342] usb 5-1: config 0 has no interfaces? [ 85.732403][ T5342] usb 5-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00 [ 85.737697][ T5342] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 85.755273][ T5342] usb 5-1: config 0 descriptor?? [ 85.963621][ T120] ------------[ cut here ]------------ [ 85.966293][ T120] WARNING: net/wireless/scan.c:1666 at cfg80211_rehash_bss+0x1e6/0x540, CPU#0: kworker/u4:6/120 [ 85.971720][ T120] Modules linked in: [ 85.973945][ T120] CPU: 0 UID: 0 PID: 120 Comm: kworker/u4:6 Not tainted syzkaller #0 PREEMPT(full) [ 85.978200][ T120] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.983133][ T120] Workqueue: events_unbound cfg80211_wiphy_work [ 85.986303][ T120] RIP: 0010:cfg80211_rehash_bss+0x1e6/0x540 [ 85.989297][ T120] Code: e8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 33 03 00 00 ff 45 00 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d e9 7c e5 ae 00 cc 90 <0f> 0b 90 4c 8b 2c 24 4c 89 ef e8 0b bc f8 f9 84 c0 74 78 e8 02 86 [ 85.998088][ T120] RSP: 0018:ffffc900019beee0 EFLAGS: 00010246 [ 86.000941][ T120] RAX: ffffffff8a9ca3e5 RBX: 0000000000000000 RCX: 0000000000000002 [ 86.004688][ T120] RDX: ffff88800018c980 RSI: 0000000000000000 RDI: 0000000000000000 [ 86.008973][ T120] RBP: ffff88803319fc68 R08: 0000000000000000 R09: 0000000000000002 [ 86.013262][ T120] R10: 0000000000000002 R11: 0000000000000002 R12: ffff8880331c81a0 [ 86.017541][ T120] R13: ffff888041668030 R14: dffffc0000000000 R15: ffff888011b33020 [ 86.022613][ T120] FS: 0000000000000000(0000) GS:ffff88808d6b5000(0000) knlGS:0000000000000000 [ 86.027015][ T120] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 86.029981][ T120] CR2: 00005626b23cf048 CR3: 000000003f65b000 CR4: 0000000000352ef0 [ 86.033585][ T120] Call Trace: [ 86.035641][ T120] [ 86.037534][ T120] cfg80211_update_assoc_bss_entry+0x3fa/0x6a0 [ 86.040565][ T120] cfg80211_ch_switch_notify+0x3c1/0x770 [ 86.043120][ T120] ieee80211_sta_process_chanswitch+0xac2/0x2830 [ 86.046159][ T120] ? __pfx_ieee80211_sta_process_chanswitch+0x10/0x10 [ 86.049619][ T120] ? lockdep_hardirqs_on+0x98/0x140 [ 86.052052][ T120] ieee80211_rx_mgmt_beacon+0x1d04/0x3180 [ 86.054645][ T120] ? __pfx_ieee80211_rx_mgmt_beacon+0x10/0x10 [ 86.057480][ T120] ? unwind_next_frame+0xa5/0x2390 [ 86.060201][ T120] ieee80211_sta_rx_queued_mgmt+0x4ed/0x44b0 [ 86.063211][ T120] ? unwind_next_frame+0xa5/0x2390 [ 86.065843][ T120] ? unwind_next_frame+0xa5/0x2390 [ 86.067975][ T120] ? __pfx_ieee80211_sta_rx_queued_mgmt+0x10/0x10 [ 86.070666][ T120] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 86.073332][ T120] ? arch_stack_walk+0x11c/0x150 [ 86.075391][ T120] ? __lock_acquire+0x6b6/0x2cf0 [ 86.077889][ T120] ? __lock_acquire+0x6b6/0x2cf0 [ 86.080575][ T120] ? __lock_acquire+0x6b6/0x2cf0 [ 86.083252][ T120] ? __lock_acquire+0x6b6/0x2cf0 [ 86.085657][ T120] ? __lock_acquire+0x6b6/0x2cf0 [ 86.087955][ T120] ? do_raw_spin_lock+0x121/0x290 [ 86.090510][ T120] ? kcov_remote_start+0x4d3/0x7d0 [ 86.092888][ T120] ieee80211_iface_work+0x652/0x12d0 [ 86.095259][ T120] cfg80211_wiphy_work+0x2ab/0x450 [ 86.097498][ T120] ? process_scheduled_works+0x9ef/0x1770 [ 86.100002][ T120] process_scheduled_works+0xad1/0x1770 [ 86.102644][ T120] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.105713][ T120] worker_thread+0x8a0/0xda0 [ 86.108070][ T120] kthread+0x711/0x8a0 [ 86.109921][ T120] ? __pfx_worker_thread+0x10/0x10 [ 86.112237][ T120] ? __pfx_kthread+0x10/0x10 [ 86.114303][ T120] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.116737][ T120] ? lockdep_hardirqs_on+0x98/0x140 [ 86.119012][ T120] ? __pfx_kthread+0x10/0x10 [ 86.121145][ T120] ret_from_fork+0x599/0xb30 [ 86.123403][ T120] ? __pfx_ret_from_fork+0x10/0x10 [ 86.125683][ T120] ? __pfx_kthread+0x10/0x10 [ 86.127858][ T120] ret_from_fork_asm+0x1a/0x30 [ 86.130072][ T120] [ 86.131524][ T120] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 86.134809][ T120] CPU: 0 UID: 0 PID: 120 Comm: kworker/u4:6 Not tainted syzkaller #0 PREEMPT(full) [ 86.139336][ T120] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.143983][ T120] Workqueue: events_unbound cfg80211_wiphy_work [ 86.146669][ T120] Call Trace: [ 86.148128][ T120] [ 86.149398][ T120] dump_stack_lvl+0x99/0x250 [ 86.151364][ T120] ? __asan_memcpy+0x40/0x70 [ 86.153445][ T120] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.155650][ T120] ? __pfx__printk+0x10/0x10 [ 86.157553][ T120] vpanic+0x237/0x6d0 [ 86.159306][ T120] ? __pfx_vpanic+0x10/0x10 [ 86.161247][ T120] ? is_bpf_text_address+0x292/0x2b0 [ 86.163550][ T120] ? is_bpf_text_address+0x26/0x2b0 [ 86.165720][ T120] panic+0xb9/0xc0 [ 86.167462][ T120] ? __pfx_panic+0x10/0x10 [ 86.169381][ T120] ? ret_from_fork_asm+0x1a/0x30 [ 86.171537][ T120] __warn+0x317/0x4b0 [ 86.173338][ T120] ? cfg80211_rehash_bss+0x1e6/0x540 [ 86.175639][ T120] ? cfg80211_rehash_bss+0x1e6/0x540 [ 86.177897][ T120] __report_bug+0x288/0x500 [ 86.179863][ T120] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 86.182167][ T120] ? cfg80211_rehash_bss+0x1e6/0x540 [ 86.184446][ T120] ? __pfx___report_bug+0x10/0x10 [ 86.186596][ T120] ? __lock_acquire+0x6b6/0x2cf0 [ 86.188831][ T120] ? cfg80211_rehash_bss+0x1e6/0x540 [ 86.191161][ T120] report_bug+0x16a/0x220 [ 86.193114][ T120] ? cfg80211_rehash_bss+0x1e6/0x540 [ 86.195521][ T120] ? cfg80211_rehash_bss+0x1e8/0x540 [ 86.197845][ T120] handle_bug+0x98/0x200 [ 86.199745][ T120] exc_invalid_op+0x1a/0x50 [ 86.201776][ T120] asm_exc_invalid_op+0x1a/0x20 [ 86.204060][ T120] RIP: 0010:cfg80211_rehash_bss+0x1e6/0x540 [ 86.207035][ T120] Code: e8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 33 03 00 00 ff 45 00 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d e9 7c e5 ae 00 cc 90 <0f> 0b 90 4c 8b 2c 24 4c 89 ef e8 0b bc f8 f9 84 c0 74 78 e8 02 86 [ 86.215993][ T120] RSP: 0018:ffffc900019beee0 EFLAGS: 00010246 [ 86.218885][ T120] RAX: ffffffff8a9ca3e5 RBX: 0000000000000000 RCX: 0000000000000002 [ 86.222995][ T120] RDX: ffff88800018c980 RSI: 0000000000000000 RDI: 0000000000000000 [ 86.226879][ T120] RBP: ffff88803319fc68 R08: 0000000000000000 R09: 0000000000000002 [ 86.230354][ T120] R10: 0000000000000002 R11: 0000000000000002 R12: ffff8880331c81a0 [ 86.233767][ T120] R13: ffff888041668030 R14: dffffc0000000000 R15: ffff888011b33020 [ 86.237295][ T120] ? cfg80211_rehash_bss+0xe5/0x540 [ 86.240031][ T120] cfg80211_update_assoc_bss_entry+0x3fa/0x6a0 [ 86.242878][ T120] cfg80211_ch_switch_notify+0x3c1/0x770 [ 86.245234][ T120] ieee80211_sta_process_chanswitch+0xac2/0x2830 [ 86.247904][ T120] ? __pfx_ieee80211_sta_process_chanswitch+0x10/0x10 [ 86.250824][ T120] ? lockdep_hardirqs_on+0x98/0x140 [ 86.253154][ T120] ieee80211_rx_mgmt_beacon+0x1d04/0x3180 [ 86.255563][ T120] ? __pfx_ieee80211_rx_mgmt_beacon+0x10/0x10 [ 86.257904][ T120] ? unwind_next_frame+0xa5/0x2390 [ 86.260051][ T120] ieee80211_sta_rx_queued_mgmt+0x4ed/0x44b0 [ 86.262810][ T120] ? unwind_next_frame+0xa5/0x2390 [ 86.265302][ T120] ? unwind_next_frame+0xa5/0x2390 [ 86.267658][ T120] ? __pfx_ieee80211_sta_rx_queued_mgmt+0x10/0x10 [ 86.270368][ T120] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 86.273125][ T120] ? arch_stack_walk+0x11c/0x150 [ 86.275522][ T120] ? __lock_acquire+0x6b6/0x2cf0 [ 86.277995][ T120] ? __lock_acquire+0x6b6/0x2cf0 [ 86.280583][ T120] ? __lock_acquire+0x6b6/0x2cf0 [ 86.282641][ T120] ? __lock_acquire+0x6b6/0x2cf0 [ 86.284706][ T120] ? __lock_acquire+0x6b6/0x2cf0 [ 86.286906][ T120] ? do_raw_spin_lock+0x121/0x290 [ 86.289127][ T120] ? kcov_remote_start+0x4d3/0x7d0 [ 86.291540][ T120] ieee80211_iface_work+0x652/0x12d0 [ 86.294647][ T120] cfg80211_wiphy_work+0x2ab/0x450 [ 86.297179][ T120] ? process_scheduled_works+0x9ef/0x1770 [ 86.299952][ T120] process_scheduled_works+0xad1/0x1770 [ 86.302373][ T120] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.305087][ T120] worker_thread+0x8a0/0xda0 [ 86.307238][ T120] kthread+0x711/0x8a0 [ 86.309594][ T120] ? __pfx_worker_thread+0x10/0x10 [ 86.312310][ T120] ? __pfx_kthread+0x10/0x10 [ 86.314701][ T120] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.317095][ T120] ? lockdep_hardirqs_on+0x98/0x140 [ 86.319666][ T120] ? __pfx_kthread+0x10/0x10 [ 86.322449][ T120] ret_from_fork+0x599/0xb30 [ 86.325468][ T120] ? __pfx_ret_from_fork+0x10/0x10 [ 86.328346][ T120] ? __pfx_kthread+0x10/0x10 [ 86.330473][ T120] ret_from_fork_asm+0x1a/0x30 [ 86.332636][ T120] [ 86.334400][ T120] Kernel Offset: disabled [ 86.336341][ T120] Rebooting in 86400 seconds..