program:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000003b40), r0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
r4 = socket$qrtr(0x2a, 0x2, 0x0)
ioctl$sock_inet_SIOCSIFFLAGS(r4, 0x8914, &(0x7f0000000000)={'wlan1\x00'})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
r7 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r8=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r6, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)={0x24, r7, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x7}]}, 0x24}}, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r9=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000001c0)={0x28, r3, 0x5, 0x3, 0x0, {{}, {@val={0x8, 0x3, r9}, @void}}, [@NL80211_ATTR_MESH_ID={0xa}]}, 0x28}}, 0x0)
r10 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r10, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000003b80)={'wlan1\x00', <r11=>0x0})
sendmsg$NL80211_CMD_CHANNEL_SWITCH(r0, &(0x7f0000004180)={0x0, 0x0, &(0x7f0000004140)={&(0x7f0000000000)={0x2c, r1, 0x1, 0x70bd29, 0x25dfdbfc, {{}, {@val={0x8, 0x3, r11}, @void}}, [@chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}], @NL80211_ATTR_CH_SWITCH_COUNT={0x8, 0xb7, 0xe}]}, 0x2c}}, 0x0) (fail_nth: 10)

[ 68.868158][ T5301] Bluetooth: hci0: command tx timeout
[ 68.936933][ T5322] netlink: 'syz.0.0': attribute type 10 has an invalid length.
[ 68.952301][ T5322] bond0: (slave wlan1): Enslaving as an active interface with an up link
[ 68.965186][ T5322] FAULT_INJECTION: forcing a failure.
[ 68.965186][ T5322] name failslab, interval 1, probability 0, space 0, times 1
[ 68.971853][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 68.971873][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.971879][ T5322] Call Trace:
[ 68.971884][ T5322] <TASK>
[ 68.971890][ T5322] dump_stack_lvl+0x189/0x250
[ 68.972006][ T5322] ? __pfx____ratelimit+0x10/0x10
[ 68.972051][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.972065][ T5322] ? __pfx__printk+0x10/0x10
[ 68.972077][ T5322] ? __pfx___might_resched+0x10/0x10
[ 68.972090][ T5322] ? fs_reclaim_acquire+0x7d/0x100
[ 68.972108][ T5322] should_fail_ex+0x414/0x560
[ 68.972155][ T5322] should_failslab+0xa8/0x100
[ 68.972173][ T5322] __kmalloc_noprof+0xcb/0x7f0
[ 68.972185][ T5322] ? ieee80211_ie_len_eht_cap+0x4fc/0x750
[ 68.972196][ T5322] ? ieee80211_mesh_build_beacon+0xc3/0x1b50
[ 68.972213][ T5322] ieee80211_mesh_build_beacon+0xc3/0x1b50
[ 68.972231][ T5322] ieee80211_mesh_rebuild_beacon+0xc7/0x170
[ 68.972247][ T5322] ieee80211_mesh_csa_beacon+0x140/0x2c0
[ 68.972262][ T5322] ieee80211_set_csa_beacon+0x3cc/0x9a0
[ 68.972277][ T5322] ? drv_pre_channel_switch+0x38c/0x690
[ 68.972291][ T5322] ieee80211_channel_switch+0x8ef/0xcb0
[ 68.972308][ T5322] ? __pfx_ieee80211_channel_switch+0x10/0x10
[ 68.972318][ T5322] ? cfg80211_chandef_dfs_required+0xcee/0xe70
[ 68.972351][ T5322] ? rcu_is_watching+0x15/0xb0
[ 68.972367][ T5322] rdev_channel_switch+0x108/0x290
[ 68.972379][ T5322] nl80211_channel_switch+0xac9/0xd70
[ 68.972390][ T5322] ? __rtnl_unlock+0x68/0xf0
[ 68.972403][ T5322] ? __mutex_unlock_slowpath+0x1a1/0x740
[ 68.972421][ T5322] ? __pfx_nl80211_channel_switch+0x10/0x10
[ 68.972433][ T5322] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 68.972447][ T5322] ? rcu_is_watching+0x15/0xb0
[ 68.972483][ T5322] ? __nla_parse+0x40/0x60
[ 68.972501][ T5322] ? nl80211_pre_doit+0x4f1/0x930
[ 68.972518][ T5322] genl_family_rcv_msg_doit+0x215/0x300
[ 68.972536][ T5322] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
[ 68.972555][ T5322] ? bpf_lsm_capable+0x9/0x20
[ 68.972567][ T5322] ? security_capable+0x7e/0x2e0
[ 68.972584][ T5322] genl_rcv_msg+0x60e/0x790
[ 68.972600][ T5322] ? __pfx_genl_rcv_msg+0x10/0x10
[ 68.972610][ T5322] ? __pfx_nl80211_pre_doit+0x10/0x10
[ 68.972620][ T5322] ? __pfx_nl80211_channel_switch+0x10/0x10
[ 68.972629][ T5322] ? __pfx_nl80211_post_doit+0x10/0x10
[ 68.972641][ T5322] ? __asan_memcpy+0x40/0x70
[ 68.972654][ T5322] ? __pfx_ref_tracker_free+0x10/0x10
[ 68.972673][ T5322] netlink_rcv_skb+0x208/0x470
[ 68.972693][ T5322] ? __lock_acquire+0xab9/0xd20
[ 68.972705][ T5322] ? __pfx_genl_rcv_msg+0x10/0x10
[ 68.972718][ T5322] ? __pfx_netlink_rcv_skb+0x10/0x10
[ 68.972743][ T5322] ? down_read+0x1ad/0x2e0
[ 68.972755][ T5322] genl_rcv+0x28/0x40
[ 68.972766][ T5322] netlink_unicast+0x82f/0x9e0
[ 68.972785][ T5322] ? __pfx_netlink_unicast+0x10/0x10
[ 68.972800][ T5322] ? netlink_sendmsg+0x642/0xb30
[ 68.972814][ T5322] ? skb_put+0x11b/0x210
[ 68.972832][ T5322] netlink_sendmsg+0x805/0xb30
[ 68.972853][ T5322] ? __pfx_netlink_sendmsg+0x10/0x10
[ 68.972870][ T5322] ? aa_sock_msg_perm+0xf1/0x1d0
[ 68.972885][ T5322] ? bpf_lsm_socket_sendmsg+0x9/0x20
[ 68.972900][ T5322] ? __pfx_netlink_sendmsg+0x10/0x10
[ 68.972917][ T5322] __sock_sendmsg+0x21c/0x270
[ 68.972932][ T5322] ____sys_sendmsg+0x505/0x830
[ 68.972951][ T5322] ? __pfx_____sys_sendmsg+0x10/0x10
[ 68.972999][ T5322] ? import_iovec+0x74/0xa0
[ 68.973016][ T5322] ___sys_sendmsg+0x21f/0x2a0
[ 68.973034][ T5322] ? __pfx____sys_sendmsg+0x10/0x10
[ 68.973062][ T5322] ? __fget_files+0x2a/0x420
[ 68.973077][ T5322] ? __fget_files+0x3a0/0x420
[ 68.973097][ T5322] __x64_sys_sendmsg+0x19b/0x260
[ 68.973116][ T5322] ? __pfx___x64_sys_sendmsg+0x10/0x10
[ 68.973137][ T5322] ? __pfx_ksys_write+0x10/0x10
[ 68.973153][ T5322] ? do_syscall_64+0xbe/0xfa0
[ 68.973170][ T5322] do_syscall_64+0xfa/0xfa0
[ 68.973183][ T5322] ? lockdep_hardirqs_on+0x9c/0x150
[ 68.973197][ T5322] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.973208][ T5322] ? clear_bhb_loop+0x60/0xb0
[ 68.973221][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.973231][ T5322] RIP: 0033:0x7f1350f8f6c9
[ 68.973242][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 68.973251][ T5322] RSP: 002b:00007f1351ec9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 68.973264][ T5322] RAX: ffffffffffffffda RBX: 00007f13511e5fa0 RCX: 00007f1350f8f6c9
[ 68.973272][ T5322] RDX: 0000000000000000 RSI: 0000200000004180 RDI: 0000000000000003
[ 68.973278][ T5322] RBP: 00007f1351ec9090 R08: 0000000000000000 R09: 0000000000000000
[ 68.973284][ T5322] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[ 68.973290][ T5322] R13: 00007f13511e6038 R14: 00007f13511e5fa0 R15: 00007fffac855f08
[ 68.973310][ T5322] </TASK>
[ 68.973380][ T5322]
[ 69.182923][ T5322] =============================
[ 69.184841][ T5322] WARNING: suspicious RCU usage
[ 69.186753][ T5322] syzkaller #0 Not tainted
[ 69.188667][ T5322] -----------------------------
[ 69.190573][ T5322] net/mac80211/mesh.c:1571 suspicious rcu_dereference_check() usage!
[ 69.193760][ T5322]
[ 69.193760][ T5322] other info that might help us debug this:
[ 69.193760][ T5322]
[ 69.197994][ T5322]
[ 69.197994][ T5322] rcu_scheduler_active = 2, debug_locks = 1
[ 69.201449][ T5322] 2 locks held by syz.0.0/5322:
[ 69.203800][ T5322] #0: ffffffff8f333750 (cb_lock){++++}-{4:4}, at: genl_rcv+0x19/0x40
[ 69.207624][ T5322] #1: ffff888034550788 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: nl80211_pre_doit+0x281/0x930
[ 69.211913][ T5322]
[ 69.211913][ T5322] stack backtrace:
[ 69.214324][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 69.214335][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 69.214340][ T5322] Call Trace:
[ 69.214346][ T5322] <TASK>
[ 69.214350][ T5322] dump_stack_lvl+0x189/0x250
[ 69.214365][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.214374][ T5322] ? __pfx__printk+0x10/0x10
[ 69.214383][ T5322] ? print_lock_name+0xde/0x100
[ 69.214392][ T5322] lockdep_rcu_suspicious+0x140/0x1d0
[ 69.214406][ T5322] ieee80211_mesh_csa_beacon+0x280/0x2c0
[ 69.214422][ T5322] ieee80211_set_csa_beacon+0x3cc/0x9a0
[ 69.214437][ T5322] ? drv_pre_channel_switch+0x38c/0x690
[ 69.214451][ T5322] ieee80211_channel_switch+0x8ef/0xcb0
[ 69.214471][ T5322] ? __pfx_ieee80211_channel_switch+0x10/0x10
[ 69.214482][ T5322] ? cfg80211_chandef_dfs_required+0xcee/0xe70
[ 69.214502][ T5322] ? rcu_is_watching+0x15/0xb0
[ 69.214513][ T5322] rdev_channel_switch+0x108/0x290
[ 69.214525][ T5322] nl80211_channel_switch+0xac9/0xd70
[ 69.214537][ T5322] ? __rtnl_unlock+0x68/0xf0
[ 69.214551][ T5322] ? __mutex_unlock_slowpath+0x1a1/0x740
[ 69.214568][ T5322] ? __pfx_nl80211_channel_switch+0x10/0x10
[ 69.214579][ T5322] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 69.214593][ T5322] ? rcu_is_watching+0x15/0xb0
[ 69.214626][ T5322] ? __nla_parse+0x40/0x60
[ 69.214645][ T5322] ? nl80211_pre_doit+0x4f1/0x930
[ 69.214660][ T5322] genl_family_rcv_msg_doit+0x215/0x300
[ 69.214679][ T5322] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
[ 69.214698][ T5322] ? bpf_lsm_capable+0x9/0x20
[ 69.214709][ T5322] ? security_capable+0x7e/0x2e0
[ 69.214726][ T5322] genl_rcv_msg+0x60e/0x790
[ 69.214743][ T5322] ? __pfx_genl_rcv_msg+0x10/0x10
[ 69.214754][ T5322] ? __pfx_nl80211_pre_doit+0x10/0x10
[ 69.214764][ T5322] ? __pfx_nl80211_channel_switch+0x10/0x10
[ 69.214774][ T5322] ? __pfx_nl80211_post_doit+0x10/0x10
[ 69.214784][ T5322] ? __asan_memcpy+0x40/0x70
[ 69.214793][ T5322] ? __pfx_ref_tracker_free+0x10/0x10
[ 69.214805][ T5322] netlink_rcv_skb+0x208/0x470
[ 69.214814][ T5322] ? __lock_acquire+0xab9/0xd20
[ 69.214821][ T5322] ? __pfx_genl_rcv_msg+0x10/0x10
[ 69.214832][ T5322] ? __pfx_netlink_rcv_skb+0x10/0x10
[ 69.214857][ T5322] ? down_read+0x1ad/0x2e0
[ 69.214869][ T5322] genl_rcv+0x28/0x40
[ 69.214880][ T5322] netlink_unicast+0x82f/0x9e0
[ 69.214897][ T5322] ? __pfx_netlink_unicast+0x10/0x10
[ 69.214913][ T5322] ? netlink_sendmsg+0x642/0xb30
[ 69.214927][ T5322] ? skb_put+0x11b/0x210
[ 69.214945][ T5322] netlink_sendmsg+0x805/0xb30
[ 69.214969][ T5322] ? __pfx_netlink_sendmsg+0x10/0x10
[ 69.214979][ T5322] ? aa_sock_msg_perm+0xf1/0x1d0
[ 69.214989][ T5322] ? bpf_lsm_socket_sendmsg+0x9/0x20
[ 69.214998][ T5322] ? __pfx_netlink_sendmsg+0x10/0x10
[ 69.215008][ T5322] __sock_sendmsg+0x21c/0x270
[ 69.215018][ T5322] ____sys_sendmsg+0x505/0x830
[ 69.215030][ T5322] ? __pfx_____sys_sendmsg+0x10/0x10
[ 69.215045][ T5322] ? import_iovec+0x74/0xa0
[ 69.215058][ T5322] ___sys_sendmsg+0x21f/0x2a0
[ 69.215075][ T5322] ? __pfx____sys_sendmsg+0x10/0x10
[ 69.215111][ T5322] ? __fget_files+0x2a/0x420
[ 69.215125][ T5322] ? __fget_files+0x3a0/0x420
[ 69.215146][ T5322] __x64_sys_sendmsg+0x19b/0x260
[ 69.215162][ T5322] ? __pfx___x64_sys_sendmsg+0x10/0x10
[ 69.215184][ T5322] ? __pfx_ksys_write+0x10/0x10
[ 69.215201][ T5322] ? do_syscall_64+0xbe/0xfa0
[ 69.215217][ T5322] do_syscall_64+0xfa/0xfa0
[ 69.215231][ T5322] ? lockdep_hardirqs_on+0x9c/0x150
[ 69.215245][ T5322] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.215255][ T5322] ? clear_bhb_loop+0x60/0xb0
[ 69.215269][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.215280][ T5322] RIP: 0033:0x7f1350f8f6c9
[ 69.215301][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 69.215311][ T5322] RSP: 002b:00007f1351ec9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 69.215323][ T5322] RAX: ffffffffffffffda RBX: 00007f13511e5fa0 RCX: 00007f1350f8f6c9
[ 69.215331][ T5322] RDX: 0000000000000000 RSI: 0000200000004180 RDI: 0000000000000003
[ 69.215338][ T5322] RBP: 00007f1351ec9090 R08: 0000000000000000 R09: 0000000000000000
[ 69.215344][ T5322] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[ 69.215351][ T5322] R13: 00007f13511e6038 R14: 00007f13511e5fa0 R15: 00007fffac855f08
[ 69.215365][ T5322] </TASK>