program: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f000000a280)={0x0, 0x0, &(0x7f00000000c0)={0x0, 0x1c}, 0x1, 0x0, 0x0, 0x20051840}, 0x4000840) r1 = socket(0x840000000002, 0x3, 0x100) connect$inet(r1, &(0x7f0000000000)={0x2, 0x0, @remote}, 0x10) sendmmsg$inet(r1, &(0x7f0000005240), 0x264e33, 0x0) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r2, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r2, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}, 0x1, 0x0, 0x0, 0x800}, 0x0) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x12}]}, @void, @void, @void, @void, @void, @void}, 0x2f) r4 = socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) sendmsg$NL80211_CMD_START_AP(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000280)=ANY=[@ANYBLOB='00'], 0x30}, 0x1, 0x0, 0x0, 0x18004}, 0x0) r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000100), 0xffffffffffffffff) r7 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$NL80211_CMD_SET_REG(r7, &(0x7f0000000500)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000240)=ANY=[@ANYBLOB='D\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="010000000000800000001a000000280022800414008004000080040000808341f1680200008014000080040000800400008004000080060021"], 0x44}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYRES16=r5, @ANYBLOB="0500ffffffff020000001f00"], 0x28}}, 0x0) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000400)=@mgmt_frame=@auth={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x1}}, 0x0, 0x2, 0x0, @void}, 0x1e) syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000500)=@mgmt_frame=@assoc_resp={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x2}}, 0x4584, 0x0, @default, @val, @void}, 0x20) r8 = socket$nl_generic(0x10, 0x3, 0x10) r9 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000440), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r8, 0x8933, &(0x7f0000000000)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_DISASSOCIATE(r8, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={&(0x7f0000000600)={0x30, r9, 0x1, 0x70bd2b, 0x25dfdbff, {{}, {@val={0x8, 0x3, r10}, @void}}, [@NL80211_ATTR_MAC={0xa, 0x6, @from_mac}, @NL80211_ATTR_REASON_CODE={0x6, 0x36, 0x2d}]}, 0x30}, 0x1, 0x0, 0x0, 0x40}, 0x80) [ 85.073742][ T5313] Bluetooth: hci0: command tx timeout [ 85.198437][ T5333] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 85.218714][ T5333] netlink: 20 bytes leftover after parsing attributes in process `syz.0.0'. [ 85.235645][ T5329] wlan1: No basic rates, using min rate instead [ 85.238977][ T5329] ------------[ cut here ]------------ [ 85.241262][ T5329] WARNING: CPU: 0 PID: 5329 at net/mac80211/mlme.c:1124 ieee80211_prep_channel+0x490c/0x60f0 [ 85.245786][ T5329] Modules linked in: [ 85.247618][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: kworker/0:5 Not tainted 6.15.0-syzkaller-11061-g7f9039c524a3 #0 PREEMPT(full) [ 85.252264][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.256774][ T5329] Workqueue: events cfg80211_conn_work [ 85.259094][ T5329] RIP: 0010:ieee80211_prep_channel+0x490c/0x60f0 [ 85.261809][ T5329] Code: c6 05 46 c6 96 04 01 48 c7 c7 97 ff ad 8c be e8 03 00 00 48 c7 c2 00 01 ae 8c e8 ff 58 aa f6 e9 17 ba ff ff e8 65 57 cc f6 90 <0f> 0b 90 48 8b 7c 24 48 e8 17 e0 24 f7 48 c7 44 24 48 ea ff ff ff [ 85.269779][ T5329] RSP: 0018:ffffc9000fddeb60 EFLAGS: 00010293 [ 85.272342][ T5329] RAX: ffffffff8af4037b RBX: 0000000000000000 RCX: ffff88800031a440 [ 85.275816][ T5329] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 85.279168][ T5329] RBP: ffffc9000fddef08 R08: ffff88800031a440 R09: 000000000000000e [ 85.282378][ T5329] R10: 000000000000000d R11: 0000000000000000 R12: ffffc9000fddee10 [ 85.285831][ T5329] R13: dffffc0000000000 R14: 1ffff1100a5d9ceb R15: ffffc9000fddee10 [ 85.289112][ T5329] FS: 0000000000000000(0000) GS:ffff88808d25e000(0000) knlGS:0000000000000000 [ 85.293087][ T5329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 85.295845][ T5329] CR2: 0000200000009038 CR3: 0000000043b5e000 CR4: 0000000000352ef0 [ 85.299091][ T5329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 85.302328][ T5329] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 85.305679][ T5329] Call Trace: [ 85.307123][ T5329] [ 85.308396][ T5329] ? ieee80211_prep_channel+0x202/0x60f0 [ 85.310743][ T5329] ? __pfx_ieee80211_prep_channel+0x10/0x10 [ 85.313566][ T5329] ? __pfx_rcu_preempt_deferred_qs_irqrestore+0x10/0x10 [ 85.316571][ T5329] ieee80211_prep_connection+0xeb9/0x1600 [ 85.319064][ T5329] ieee80211_mgd_auth+0xee3/0x1770 [ 85.321310][ T5329] ? __lock_acquire+0xab9/0xd20 [ 85.323572][ T5329] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.325808][ T5329] ? __pfx_ieee80211_mgd_auth+0x10/0x10 [ 85.328211][ T5329] ? rcu_is_watching+0x15/0xb0 [ 85.330303][ T5329] cfg80211_mlme_auth+0x62f/0x9c0 [ 85.332509][ T5329] cfg80211_conn_do_work+0x501/0xd10 [ 85.335008][ T5329] ? __pfx_cfg80211_conn_do_work+0x10/0x10 [ 85.337582][ T5329] ? trace_sched_exit_tp+0x38/0x120 [ 85.339931][ T5329] ? __schedule+0x1713/0x4d00 [ 85.342126][ T5329] ? cfg80211_conn_work+0x298/0x440 [ 85.344526][ T5329] cfg80211_conn_work+0x2c0/0x440 [ 85.346778][ T5329] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 85.349460][ T5329] ? __pfx_cfg80211_conn_work+0x10/0x10 [ 85.351890][ T5329] ? stack_trace_save+0x9c/0xe0 [ 85.354142][ T5329] ? __pfx_stack_trace_save+0x10/0x10 [ 85.356575][ T5329] ? check_path+0x21/0x40 [ 85.358491][ T5329] ? lockdep_unlock+0x89/0x120 [ 85.360654][ T5329] ? validate_chain+0x897/0x2140 [ 85.363009][ T5329] ? __lock_acquire+0xab9/0xd20 [ 85.365119][ T5329] ? process_scheduled_works+0x9ef/0x17b0 [ 85.367748][ T5329] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.369979][ T5329] ? process_scheduled_works+0x9ef/0x17b0 [ 85.372418][ T5329] ? process_scheduled_works+0x9ef/0x17b0 [ 85.375070][ T5329] process_scheduled_works+0xade/0x17b0 [ 85.377506][ T5329] ? __pfx_process_scheduled_works+0x10/0x10 [ 85.380133][ T5329] worker_thread+0x8a0/0xda0 [ 85.382199][ T5329] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 85.385111][ T5329] ? __kthread_parkme+0x7b/0x200 [ 85.387375][ T5329] kthread+0x711/0x8a0 [ 85.389164][ T5329] ? __pfx_worker_thread+0x10/0x10 [ 85.391453][ T5329] ? __pfx_kthread+0x10/0x10 [ 85.393684][ T5329] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.395995][ T5329] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.398164][ T5329] ? __pfx_kthread+0x10/0x10 [ 85.400052][ T5329] ret_from_fork+0x3f9/0x770 [ 85.401957][ T5329] ? __pfx_ret_from_fork+0x10/0x10 [ 85.404142][ T5329] ? __pfx_kthread+0x10/0x10 [ 85.406109][ T5329] ret_from_fork_asm+0x1a/0x30 [ 85.408200][ T5329] [ 85.409561][ T5329] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 85.412662][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: kworker/0:5 Not tainted 6.15.0-syzkaller-11061-g7f9039c524a3 #0 PREEMPT(full) [ 85.417619][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.422245][ T5329] Workqueue: events cfg80211_conn_work [ 85.424465][ T5329] Call Trace: [ 85.425807][ T5329] [ 85.426932][ T5329] dump_stack_lvl+0x99/0x250 [ 85.428870][ T5329] ? __asan_memcpy+0x40/0x70 [ 85.431012][ T5329] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.433227][ T5329] ? __pfx__printk+0x10/0x10 [ 85.435243][ T5329] panic+0x2db/0x790 [ 85.436901][ T5329] ? __pfx_panic+0x10/0x10 [ 85.438749][ T5329] ? show_trace_log_lvl+0x4fb/0x550 [ 85.440901][ T5329] ? ret_from_fork_asm+0x1a/0x30 [ 85.443212][ T5329] __warn+0x31b/0x4b0 [ 85.445093][ T5329] ? ieee80211_prep_channel+0x490c/0x60f0 [ 85.447721][ T5329] ? ieee80211_prep_channel+0x490c/0x60f0 [ 85.449941][ T5329] report_bug+0x2be/0x4f0 [ 85.451902][ T5329] ? ieee80211_prep_channel+0x490c/0x60f0 [ 85.454191][ T5329] ? ieee80211_prep_channel+0x490c/0x60f0 [ 85.456462][ T5329] ? ieee80211_prep_channel+0x490e/0x60f0 [ 85.459023][ T5329] handle_bug+0x84/0x160 [ 85.460931][ T5329] exc_invalid_op+0x1a/0x50 [ 85.462902][ T5329] asm_exc_invalid_op+0x1a/0x20 [ 85.465099][ T5329] RIP: 0010:ieee80211_prep_channel+0x490c/0x60f0 [ 85.467957][ T5329] Code: c6 05 46 c6 96 04 01 48 c7 c7 97 ff ad 8c be e8 03 00 00 48 c7 c2 00 01 ae 8c e8 ff 58 aa f6 e9 17 ba ff ff e8 65 57 cc f6 90 <0f> 0b 90 48 8b 7c 24 48 e8 17 e0 24 f7 48 c7 44 24 48 ea ff ff ff [ 85.476147][ T5329] RSP: 0018:ffffc9000fddeb60 EFLAGS: 00010293 [ 85.478666][ T5329] RAX: ffffffff8af4037b RBX: 0000000000000000 RCX: ffff88800031a440 [ 85.481919][ T5329] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 85.485127][ T5329] RBP: ffffc9000fddef08 R08: ffff88800031a440 R09: 000000000000000e [ 85.488450][ T5329] R10: 000000000000000d R11: 0000000000000000 R12: ffffc9000fddee10 [ 85.491965][ T5329] R13: dffffc0000000000 R14: 1ffff1100a5d9ceb R15: ffffc9000fddee10 [ 85.495529][ T5329] ? ieee80211_prep_channel+0x490b/0x60f0 [ 85.497861][ T5329] ? ieee80211_prep_channel+0x202/0x60f0 [ 85.500175][ T5329] ? __pfx_ieee80211_prep_channel+0x10/0x10 [ 85.502610][ T5329] ? __pfx_rcu_preempt_deferred_qs_irqrestore+0x10/0x10 [ 85.505421][ T5329] ieee80211_prep_connection+0xeb9/0x1600 [ 85.507743][ T5329] ieee80211_mgd_auth+0xee3/0x1770 [ 85.509802][ T5329] ? __lock_acquire+0xab9/0xd20 [ 85.511712][ T5329] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.513728][ T5329] ? __pfx_ieee80211_mgd_auth+0x10/0x10 [ 85.515949][ T5329] ? rcu_is_watching+0x15/0xb0 [ 85.517954][ T5329] cfg80211_mlme_auth+0x62f/0x9c0 [ 85.519789][ T5329] cfg80211_conn_do_work+0x501/0xd10 [ 85.521658][ T5329] ? __pfx_cfg80211_conn_do_work+0x10/0x10 [ 85.523738][ T5329] ? trace_sched_exit_tp+0x38/0x120 [ 85.525600][ T5329] ? __schedule+0x1713/0x4d00 [ 85.527355][ T5329] ? cfg80211_conn_work+0x298/0x440 [ 85.529203][ T5329] cfg80211_conn_work+0x2c0/0x440 [ 85.531015][ T5329] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 85.533630][ T5329] ? __pfx_cfg80211_conn_work+0x10/0x10 [ 85.535692][ T5329] ? stack_trace_save+0x9c/0xe0 [ 85.537647][ T5329] ? __pfx_stack_trace_save+0x10/0x10 [ 85.539914][ T5329] ? check_path+0x21/0x40 [ 85.541735][ T5329] ? lockdep_unlock+0x89/0x120 [ 85.543897][ T5329] ? validate_chain+0x897/0x2140 [ 85.546019][ T5329] ? __lock_acquire+0xab9/0xd20 [ 85.548017][ T5329] ? process_scheduled_works+0x9ef/0x17b0 [ 85.550322][ T5329] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.552362][ T5329] ? process_scheduled_works+0x9ef/0x17b0 [ 85.554570][ T5329] ? process_scheduled_works+0x9ef/0x17b0 [ 85.556858][ T5329] process_scheduled_works+0xade/0x17b0 [ 85.559154][ T5329] ? __pfx_process_scheduled_works+0x10/0x10 [ 85.561591][ T5329] worker_thread+0x8a0/0xda0 [ 85.563213][ T5329] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 85.565426][ T5329] ? __kthread_parkme+0x7b/0x200 [ 85.567221][ T5329] kthread+0x711/0x8a0 [ 85.568686][ T5329] ? __pfx_worker_thread+0x10/0x10 [ 85.570742][ T5329] ? __pfx_kthread+0x10/0x10 [ 85.572845][ T5329] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.574851][ T5329] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.576749][ T5329] ? __pfx_kthread+0x10/0x10 [ 85.578429][ T5329] ret_from_fork+0x3f9/0x770 [ 85.580151][ T5329] ? __pfx_ret_from_fork+0x10/0x10 [ 85.582372][ T5329] ? __pfx_kthread+0x10/0x10 [ 85.584408][ T5329] ret_from_fork_asm+0x1a/0x30 [ 85.586544][ T5329] [ 85.588313][ T5329] Kernel Offset: disabled [ 85.590284][ T5329] Rebooting in 86400 seconds..