program: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) syz_mount_image$bfs(&(0x7f0000000000), &(0x7f0000000040)='./file1\x00', 0x8010, &(0x7f0000000080)=ANY=[], 0x1, 0xb0, &(0x7f0000000080)="$eJzszjEuRFEUx+H/HUEUZgMKO7hbEDrN7EGmpFORl7AhO7AGjX52oNBqjnhPXvSKR/J9xcn5Jac4Lx9PJ1kn9ZDUXqqqDsZZVbd399dXN+NsmVwk9b2fXfb9tMfwn63S5v10/dXJ2/nULVO/DsN29z5sd5vj+fZwiWcBAIBfWaX/zM1zej9a7h0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAP+czAAD//2r5IIc=") openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x42, 0x1ff) unlinkat(0xffffffffffffff9c, &(0x7f0000000c40)='./file1\x00', 0x0) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_CONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r4, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r5}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0) syz_80211_inject_frame(&(0x7f0000000040)=@device_b, &(0x7f0000000280)=ANY=[@ANYBLOB="50000000080211000001ffffffffffff0802110000000000000000000000000064000100000602020202020201010b"], 0x48) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f00000021c0)=ANY=[@ANYBLOB="b00000000802110000010802110000000802110000001000000002"], 0x1e) syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000440)=ANY=[@ANYBLOB="10000000080211000001080211000000080211000000200004a000000c0001"], 0x3c) r6 = socket$nl_generic(0x10, 
0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r6, 0x8933, &(0x7f0000000240)={'wlan1\x00', 0x0}) r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000380), 0xffffffffffffffff) sendmsg$NL80211_CMD_TDLS_MGMT(r6, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000580)=ANY=[@ANYBLOB="98000000", @ANYRES16=r8, @ANYBLOB="010000000000000000005200000008000300", @ANYRES32=r7, @ANYBLOB="06004800000000000a000600080280585c8c0000050088000200000058002a003752000062ecb7730deefe2fc8353f157e039fb412740b5db13d0d698b68e55e578af549952f0a2531d2dda999169c51611ebb52f80c2f2f66049bd069ed4da13a2edbae15c15541a3bc8dd32e9216bd6568ffdb0500890000000000"], 0x98}, 0x1, 0x0, 0x0, 0x20000000}, 0x0) [ 73.931037][ T5308] Bluetooth: hci0: command tx timeout [ 74.005441][ T5328] loop0: detected capacity change from 0 to 64 [ 74.023569][ T5328] bfs: Unknown parameter 'x1.DQAf [ 74.023569][ T5328] ;[:AS!;~vjxO^G}%8/O'Y'^YUwW7l\$]t-Sv>lwpg' [ 74.106950][ T5328] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.144102][ T1351] wlan1: No basic rates, using min rate instead [ 74.151172][ T1351] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 74.155152][ T1351] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 74.168392][ T43] wlan1: authenticated [ 74.171884][ T5328] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.176688][ T1351] wlan1: associating to AP 08:02:11:00:00:00 with corrupt probe response [ 74.182876][ T43] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0xa004 status=0 aid=12) [ 74.186936][ T43] wlan1: No basic rates, using min rate instead [ 74.191454][ T5328] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.197183][ T43] wlan1: associated [ 74.203640][ T5328] ------------[ cut here ]------------ [ 74.206603][ T5328] WARNING: CPU: 0 PID: 5328 at net/mac80211/tdls.c:611 ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010 [ 74.212204][ 
T5328] Modules linked in: [ 74.214498][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-13655-gbdc7f8c5adad #0 PREEMPT(full) [ 74.220429][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.225393][ T5328] RIP: 0010:ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010 [ 74.229210][ T5328] Code: fc ff df e9 9f fe ff ff e8 0c 18 c8 f6 90 0f 0b 90 e9 91 fe ff ff e8 fe 17 c8 f6 90 0f 0b 90 e9 83 fe ff ff e8 f0 17 c8 f6 90 <0f> 0b 90 e9 75 fe ff ff e8 e2 17 c8 f6 48 c7 c7 b0 de 7b 8f 4c 89 [ 74.238387][ T5328] RSP: 0018:ffffc9000d427100 EFLAGS: 00010287 [ 74.241510][ T5328] RAX: ffffffff8af84430 RBX: ffff888052f44d80 RCX: 0000000000100000 [ 74.245276][ T5328] RDX: ffffc9000e08a000 RSI: 0000000000000304 RDI: 0000000000000305 [ 74.249420][ T5328] RBP: ffffc9000d427280 R08: 0000000000000000 R09: 000000000000000c [ 74.253672][ T5328] R10: 000000000000000c R11: 0000000000000002 R12: ffff888052f46500 [ 74.257455][ T5328] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff888031320e40 [ 74.261360][ T5328] FS: 00007ff62e2256c0(0000) GS:ffff88808d252000(0000) knlGS:0000000000000000 [ 74.265795][ T5328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 74.268790][ T5328] CR2: 00002000000021c0 CR3: 00000000433b2000 CR4: 0000000000352ef0 [ 74.272597][ T5328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 74.276335][ T5328] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 74.280134][ T5328] Call Trace: [ 74.281691][ T5328] <TASK> [ 74.283088][ T5328] ? ieee80211_tdls_build_mgmt_packet_data+0xe5/0x4010 [ 74.286171][ T5328] ? __pfx_ieee80211_tdls_build_mgmt_packet_data+0x10/0x10 [ 74.289396][ T5328] ? sta_info_get+0x4f/0x2a0 [ 74.291624][ T5328] ieee80211_tdls_prep_mgmt_packet+0x3a4/0x820 [ 74.295173][ T5328] ? ieee80211_tdls_prep_mgmt_packet+0x40/0x820 [ 74.302161][ T5328] ieee80211_tdls_mgmt+0x32e/0x840 [ 74.304551][ T5328] ? 
__pfx___cfg80211_wdev_from_attrs+0x10/0x10 [ 74.307179][ T5328] nl80211_tdls_mgmt+0x4e7/0x770 [ 74.309560][ T5328] genl_family_rcv_msg_doit+0x212/0x300 [ 74.312409][ T5328] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 [ 74.315253][ T5328] ? bpf_lsm_capable+0x9/0x20 [ 74.317422][ T5328] ? security_capable+0x7e/0x2e0 [ 74.319716][ T5328] genl_rcv_msg+0x60e/0x790 [ 74.321872][ T5328] ? __pfx_genl_rcv_msg+0x10/0x10 [ 74.324168][ T5328] ? ref_tracker_free+0x63a/0x7d0 [ 74.326498][ T5328] ? __pfx_nl80211_pre_doit+0x10/0x10 [ 74.328906][ T5328] ? __pfx_nl80211_tdls_mgmt+0x10/0x10 [ 74.331544][ T5328] ? __pfx_nl80211_post_doit+0x10/0x10 [ 74.334120][ T5328] ? __pfx_ref_tracker_free+0x10/0x10 [ 74.336679][ T5328] netlink_rcv_skb+0x205/0x470 [ 74.338947][ T5328] ? __pfx_genl_rcv_msg+0x10/0x10 [ 74.341671][ T5328] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 74.344825][ T5328] ? down_read+0x1ad/0x2e0 [ 74.347220][ T5328] genl_rcv+0x28/0x40 [ 74.349558][ T5328] netlink_unicast+0x758/0x8d0 [ 74.352459][ T5328] netlink_sendmsg+0x805/0xb30 [ 74.354788][ T5328] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.357440][ T5328] ? aa_sock_msg_perm+0x94/0x160 [ 74.361729][ T5328] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 74.364285][ T5328] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.366692][ T5328] __sock_sendmsg+0x21c/0x270 [ 74.368839][ T5328] ____sys_sendmsg+0x505/0x830 [ 74.371396][ T5328] ? __pfx_____sys_sendmsg+0x10/0x10 [ 74.374215][ T5328] ? import_iovec+0x74/0xa0 [ 74.376834][ T5328] ___sys_sendmsg+0x21f/0x2a0 [ 74.379141][ T5328] ? __pfx____sys_sendmsg+0x10/0x10 [ 74.381580][ T5328] ? __fget_files+0x2a/0x420 [ 74.383831][ T5328] ? __fget_files+0x3a0/0x420 [ 74.386225][ T5328] __x64_sys_sendmsg+0x19b/0x260 [ 74.388732][ T5328] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 74.391772][ T5328] ? rcu_is_watching+0x15/0xb0 [ 74.393809][ T5328] ? do_syscall_64+0xbe/0x3b0 [ 74.395934][ T5328] do_syscall_64+0xfa/0x3b0 [ 74.398115][ T5328] ? lockdep_hardirqs_on+0x9c/0x150 [ 74.401169][ T5328] ? 
entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.403842][ T5328] ? clear_bhb_loop+0x60/0xb0 [ 74.406104][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.408920][ T5328] RIP: 0033:0x7ff62d38e929 [ 74.411222][ T5328] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 74.421135][ T5328] RSP: 002b:00007ff62e225038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 74.425283][ T5328] RAX: ffffffffffffffda RBX: 00007ff62d5b5fa0 RCX: 00007ff62d38e929 [ 74.428722][ T5328] RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000005 [ 74.433006][ T5328] RBP: 00007ff62d410b39 R08: 0000000000000000 R09: 0000000000000000 [ 74.437480][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.441268][ T5328] R13: 0000000000000000 R14: 00007ff62d5b5fa0 R15: 00007ffe45074e38 [ 74.444609][ T5328] </TASK> [ 74.446188][ T5328] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 74.449154][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-13655-gbdc7f8c5adad #0 PREEMPT(full) [ 74.455010][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.459784][ T5328] Call Trace: [ 74.461342][ T5328] <TASK> [ 74.462664][ T5328] dump_stack_lvl+0x99/0x250 [ 74.464833][ T5328] ? __asan_memcpy+0x40/0x70 [ 74.467223][ T5328] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.470050][ T5328] ? __pfx__printk+0x10/0x10 [ 74.472363][ T5328] panic+0x2db/0x790 [ 74.474148][ T5328] ? __pfx_panic+0x10/0x10 [ 74.476118][ T5328] ? show_trace_log_lvl+0x4fb/0x550 [ 74.478463][ T5328] __warn+0x31b/0x4b0 [ 74.480286][ T5328] ? ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010 [ 74.484023][ T5328] ? ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010 [ 74.487374][ T5328] report_bug+0x2be/0x4f0 [ 74.489280][ T5328] ? 
ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010 [ 74.492348][ T5328] ? ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010 [ 74.495810][ T5328] ? ieee80211_tdls_build_mgmt_packet_data+0x2e63/0x4010 [ 74.499415][ T5328] handle_bug+0x84/0x160 [ 74.501373][ T5328] exc_invalid_op+0x1a/0x50 [ 74.503434][ T5328] asm_exc_invalid_op+0x1a/0x20 [ 74.505717][ T5328] RIP: 0010:ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010 [ 74.509971][ T5328] Code: fc ff df e9 9f fe ff ff e8 0c 18 c8 f6 90 0f 0b 90 e9 91 fe ff ff e8 fe 17 c8 f6 90 0f 0b 90 e9 83 fe ff ff e8 f0 17 c8 f6 90 <0f> 0b 90 e9 75 fe ff ff e8 e2 17 c8 f6 48 c7 c7 b0 de 7b 8f 4c 89 [ 74.518724][ T5328] RSP: 0018:ffffc9000d427100 EFLAGS: 00010287 [ 74.521255][ T5328] RAX: ffffffff8af84430 RBX: ffff888052f44d80 RCX: 0000000000100000 [ 74.525354][ T5328] RDX: ffffc9000e08a000 RSI: 0000000000000304 RDI: 0000000000000305 [ 74.529591][ T5328] RBP: ffffc9000d427280 R08: 0000000000000000 R09: 000000000000000c [ 74.533102][ T5328] R10: 000000000000000c R11: 0000000000000002 R12: ffff888052f46500 [ 74.536544][ T5328] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff888031320e40 [ 74.540274][ T5328] ? ieee80211_tdls_build_mgmt_packet_data+0x2e60/0x4010 [ 74.543820][ T5328] ? ieee80211_tdls_build_mgmt_packet_data+0xe5/0x4010 [ 74.547341][ T5328] ? __pfx_ieee80211_tdls_build_mgmt_packet_data+0x10/0x10 [ 74.551107][ T5328] ? sta_info_get+0x4f/0x2a0 [ 74.553463][ T5328] ieee80211_tdls_prep_mgmt_packet+0x3a4/0x820 [ 74.556429][ T5328] ? ieee80211_tdls_prep_mgmt_packet+0x40/0x820 [ 74.559822][ T5328] ieee80211_tdls_mgmt+0x32e/0x840 [ 74.562474][ T5328] ? __pfx___cfg80211_wdev_from_attrs+0x10/0x10 [ 74.565362][ T5328] nl80211_tdls_mgmt+0x4e7/0x770 [ 74.567747][ T5328] genl_family_rcv_msg_doit+0x212/0x300 [ 74.570414][ T5328] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 [ 74.573281][ T5328] ? bpf_lsm_capable+0x9/0x20 [ 74.575624][ T5328] ? 
security_capable+0x7e/0x2e0 [ 74.577901][ T5328] genl_rcv_msg+0x60e/0x790 [ 74.580006][ T5328] ? __pfx_genl_rcv_msg+0x10/0x10 [ 74.582184][ T5328] ? ref_tracker_free+0x63a/0x7d0 [ 74.584986][ T5328] ? __pfx_nl80211_pre_doit+0x10/0x10 [ 74.587944][ T5328] ? __pfx_nl80211_tdls_mgmt+0x10/0x10 [ 74.590689][ T5328] ? __pfx_nl80211_post_doit+0x10/0x10 [ 74.592898][ T5328] ? __pfx_ref_tracker_free+0x10/0x10 [ 74.595667][ T5328] netlink_rcv_skb+0x205/0x470 [ 74.597726][ T5328] ? __pfx_genl_rcv_msg+0x10/0x10 [ 74.600169][ T5328] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 74.603237][ T5328] ? down_read+0x1ad/0x2e0 [ 74.605600][ T5328] genl_rcv+0x28/0x40 [ 74.607499][ T5328] netlink_unicast+0x758/0x8d0 [ 74.609768][ T5328] netlink_sendmsg+0x805/0xb30 [ 74.612010][ T5328] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.614529][ T5328] ? aa_sock_msg_perm+0x94/0x160 [ 74.617045][ T5328] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 74.619996][ T5328] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.622615][ T5328] __sock_sendmsg+0x21c/0x270 [ 74.624854][ T5328] ____sys_sendmsg+0x505/0x830 [ 74.627005][ T5328] ? __pfx_____sys_sendmsg+0x10/0x10 [ 74.629292][ T5328] ? import_iovec+0x74/0xa0 [ 74.631544][ T5328] ___sys_sendmsg+0x21f/0x2a0 [ 74.634016][ T5328] ? __pfx____sys_sendmsg+0x10/0x10 [ 74.636795][ T5328] ? __fget_files+0x2a/0x420 [ 74.639099][ T5328] ? __fget_files+0x3a0/0x420 [ 74.641322][ T5328] __x64_sys_sendmsg+0x19b/0x260 [ 74.643657][ T5328] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 74.646300][ T5328] ? rcu_is_watching+0x15/0xb0 [ 74.648922][ T5328] ? do_syscall_64+0xbe/0x3b0 [ 74.651463][ T5328] do_syscall_64+0xfa/0x3b0 [ 74.653626][ T5328] ? lockdep_hardirqs_on+0x9c/0x150 [ 74.656003][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.658699][ T5328] ? 
clear_bhb_loop+0x60/0xb0 [ 74.660812][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.663660][ T5328] RIP: 0033:0x7ff62d38e929 [ 74.666383][ T5328] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 74.677383][ T5328] RSP: 002b:00007ff62e225038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 74.681600][ T5328] RAX: ffffffffffffffda RBX: 00007ff62d5b5fa0 RCX: 00007ff62d38e929 [ 74.686049][ T5328] RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000005 [ 74.689616][ T5328] RBP: 00007ff62d410b39 R08: 0000000000000000 R09: 0000000000000000 [ 74.693210][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.696912][ T5328] R13: 0000000000000000 R14: 00007ff62d5b5fa0 R15: 00007ffe45074e38 [ 74.701116][ T5328] </TASK> [ 74.702973][ T5328] Kernel Offset: disabled [ 74.704895][ T5328] Rebooting in 86400 seconds..