program:
# Triage notes (reviewer annotations; every call and argument below is unchanged).
#
# The kernel log that follows this program is a lockdep "possible circular
# locking dependency" report with two edges:
#   - l2cap_conn_del() holds conn->lock (taken at l2cap_conn_del+0x7b) and then
#     reaches __cancel_work_sync() -> __flush_work() on conn->info_timer;
#   - the info_timer work handler, l2cap_info_timeout(), takes conn->lock itself.
# If the timer work is already running and blocked on conn->lock while teardown
# waits for it to finish, neither side can make progress.
# This is lockdep's prediction, not an observed hang: the log keeps running
# after the splat.
#
# Only the Bluetooth calls appear in the reported chain. The xfrm and nl80211
# calls show up nowhere in either stack and are most likely fuzzer noise.
# Confirm by minimising the reproducer before relying on that.

# L2CAP socket plus connect to a fixed peer address.
# Presumably this creates the l2cap_conn that is torn down later; confirm against the L2CAP connect path.
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)

# HIDP control socket. HIDPCONNADD is given r0 twice, so one L2CAP socket is used for both socket fields.
# The 0x4c4a / 0x9 / 'syz1' values match the "hid-generic 0005:4C4A:0009 ... [syz1]" lines in the log.
r1 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r1, 0x400448c8, &(0x7f0000000280)={r0, r0, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x4c4a, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'})

# Generic netlink socket; not used again on this line.
r2 = socket$nl_generic(0x10, 0x3, 0x10)

# Raw HCI socket.
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# NOTE(review): the call variant is named HCIINQUIRY, but the request value is 0x400448ca.
# That is the HCI device-down request (HCIDEVDOWN), not an inquiry.
# It matches the log: RSI is 00000000400448ca and the trace runs
# sock_ioctl -> hci_dev_close -> hci_dev_close_sync -> hci_conn_hash_flush -> l2cap_conn_del.
# When triaging, read the command value rather than the syzkaller variant name.
# The argument 0x0 presumably selects hci0, the only controller named in the log.
ioctl$HCIINQUIRY(r3, 0x400448ca, 0x0)
# Bind the HCI socket with dev 0x0 and channel 0x1.
bind$bt_hci(r3, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
# Feed one ACL data packet to the virtual HCI controller.
syz_emit_vhci(&(0x7f0000000080)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x1, 0x0, 0x4}}, 0x9)

# XFRM netlink allocspi request; no xfrm frame appears in the lockdep report.
r4 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r4, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000a80)=@allocspi={0x124, 0x16, 0x1, 0x0, 0x0, {{{@in=@dev, @in6=@dev}, {@in=@remote, 0x0, 0x32}, @in6=@empty}, 0x0, 0xa0b1}, [@user_kmaddress={0x2c, 0x1c, {@in, @in6=@rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'}}]}, 0x124}}, 0x0)

# nl80211 setup on wlan1: set the interface type to 0x2, then connect to the default AP SSID.
# The "wlan1: authenticate ... timed out" lines in the log come from this part.
# NOTE(review): r8 and r11 are used below, but no assignment to them is visible.
# The output-resource markers on the two SIOCGIFINDEX calls were probably lost when the page was extracted.
# Take the program from the original report before replaying it.
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
r7 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r6, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r6, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r7, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
r9 = socket$nl_generic(0x10, 0x3, 0x10)
r10 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r9, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0})
sendmsg$NL80211_CMD_CONNECT(r9, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r10, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r11}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @random=0x401, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x4, 0x1}]}, @void, @void, @void, @void, @void, @void}, 0x2f) sendmsg$NL80211_CMD_SET_TX_BITRATE_MASK(r2, &(0x7f0000000180)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000140)={&(0x7f0000000bc0)={0x73c, r10, 0x1, 0x70bd27, 0x25dfdbfd, {{}, {@void, @val={0xc, 0x99, {0xb, 0x2f}}}}, [@NL80211_ATTR_TX_RATES={0x2e8, 0x5a, 0x0, 0x1, [@NL80211_BAND_6GHZ={0x64, 0x3, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_HT={0x27, 0x2, [{0x2, 0x1}, {0x6, 0x3}, {0x7, 0x3}, {0x0, 0x2}, {0x0, 0x9}, {0x1, 0x5}, {0x3, 0x7}, {0x6, 0x2}, {0x1, 0x1}, {0x6, 0x3}, {0x1, 0x7}, {0x7}, {0x6, 0x9}, {0x4, 0x4}, {0x0, 0x2}, {0x6, 0x2}, {0x0, 0x5}, {0x4, 0x1}, {0x2, 0x4}, {0x5, 0x7}, {0x4, 0x8}, {0x5, 0x7}, {0x1, 0x5}, {0x0, 0x1}, {0x0, 0x2}, {0x3, 0x2}, {0x3, 0x1}, {0x6, 0x2}, {0x4, 0x4}, {0x0, 0x2}, {0x2, 0x2}, {0x3, 0x4}, {0x1, 0x8}, {0x2, 0x7}, {0x2, 0x8}]}, @NL80211_TXRATE_HT={0x1d, 0x2, [{0x1, 0x5}, {0x2, 0x3}, {0x5, 0x9}, {0x1, 0x3}, {0x1, 0x7}, {0x3, 0x3}, {0x1}, {0x3, 0x3}, {0x7, 0x9}, {0x7, 0x5}, {0x0, 0x1}, {0x5, 0x1}, {0x4, 0x6}, {0x5}, {0x0, 0x8}, {0x0, 0x5}, {0x6, 0x6}, {0x0, 0x1}, {0x5, 0x6}, {0x4, 0x2}, {0x5, 0x5}, {0x0, 0x2}, {0x3, 0x3}, {0x6}, {0x0, 0xa}]}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_HE_LTF={0x5}]}, @NL80211_BAND_2GHZ={0x6c, 0x0, 0x0, 0x1, [@NL80211_TXRATE_GI={0x5, 0x4, 0x1}, @NL80211_TXRATE_HT={0x4c, 0x2, [{0x6, 0x5}, {0x0, 0x1}, {0x3, 0x2}, {0x3, 0x2}, {0x5, 0xa}, {0x5, 0x9}, {0x6, 0x8}, {0x5, 0x7}, {0x2, 0x2}, {0x3, 0x5}, {0x2, 0x3}, {0x0, 0x4}, {0x0, 0x6}, {0x3, 0x4}, {0x2, 0x3}, {0x2, 0x5}, {0x7, 0x3}, {0x1, 0x8}, {0x4, 0x1}, {0x7, 0x2}, {0x3, 0x6}, {0x1, 0x9}, {0x5, 0x9}, {0x4, 0xa}, {0x0, 0x7}, {0x6, 0x3}, {0x3}, {0x0, 0x6}, {0x5}, {0x0, 0xa}, {0x4, 0x6}, {0x7, 0x6}, {0x2, 0xa}, {0x0, 0x6}, {0x3, 
0x1}, {0x7, 0x8}, {0x1, 0x6}, {0x6, 0x4}, {0x5, 0x7}, {0x1, 0x1}, {0x6, 0x2}, {0x4, 0x2}, {0x3, 0x8}, {0x3, 0x5}, {0x2, 0x4}, {0x1, 0x6}, {0x0, 0x7}, {0x5, 0x2}, {0x2, 0xa}, {0x2, 0x6}, {0x6, 0x9}, {0x5, 0x5}, {0x2, 0x1}, {}, {0x2, 0x6}, {0x3, 0x4}, {0x5, 0xa}, {0x7, 0x2}, {0x1, 0x6}, {0x7, 0x3}, {0x7, 0x1}, {0x7, 0x3}, {0x7, 0x9}, {0x0, 0x8}, {0x4}, {0x2, 0xa}, {}, {0x4, 0x6}, {0x4, 0x5}, {0x1, 0xa}, {0x7, 0x3}, {0x5, 0x8}]}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0xb, 0x4, 0x4, 0x6, 0x80, 0x1, 0x6, 0xfff]}}]}, @NL80211_BAND_6GHZ={0x20, 0x3, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x78e9, 0x100, 0x100, 0x3, 0x640, 0x1, 0x1ff, 0xc]}}]}, @NL80211_BAND_60GHZ={0x98, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_HT={0x50, 0x2, [{0x3, 0x4}, {0x1, 0x3}, {0x1, 0x8}, {0x2}, {0x5, 0x6}, {0x3, 0x9}, {0x3, 0x3}, {0x1, 0x9}, {0x2, 0x9}, {0x1, 0x4}, {0x2}, {0x5, 0x8}, {0x3, 0x3}, {0x3, 0xa}, {0x1, 0xa}, {0x6, 0xa}, {0x7, 0x7}, {0x7, 0x4}, {0x5, 0x8}, {0x0, 0x5}, {0x0, 0x3}, {0x7, 0x4}, {0x4, 0x4}, {0x4, 0x5}, {0x1}, {0x7, 0x2}, {0x2, 0xa}, {0x5, 0x1}, {0x5, 0x4}, {0x6, 0x4}, {}, {0x4, 0x5}, {0x1, 0x9}, {0x1, 0x5}, {0x2, 0x7}, {0x5, 0x5}, {0x5, 0x1}, {0x6, 0x1}, {0x4, 0x6}, {0x5, 0x2}, {0x2, 0x2}, {0x4, 0x6}, {0x3, 0x3}, {0x0, 0x5}, {0x5, 0x9}, {0x1, 0x2}, {0x5}, {0x0, 0x7}, {0x4, 0x2}, {0x2, 0x1}, {0x1, 0x1}, {0x0, 0x9}, {0x1, 0x8}, {}, {0x3, 0x3}, {0x6, 0x5}, {0x7, 0x4}, {0x7, 0xa}, {0x7, 0x1}, {0x1, 0x4}, {0x4, 0x2}, {0x6, 0x7}, {0x0, 0x9}, {0x1, 0x7}, {0x6, 0x6}, {0x5, 0xa}, {0x2, 0x6}, {0x0, 0x3}, {0x0, 0x1}, {0x1}, {0x3, 0x8}, {0x6, 0x2}, {0x6, 0x8}, {0x0, 0x3}, {0x7, 0xa}, {0x6, 0x2}]}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_HT={0x9, 0x2, [{0x0, 0xa}, {0x3, 0x3}, {0x1, 0xa}, {0x1, 0x3}, {0x5, 0x2}]}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_GI={0x5, 0x4, 0x2}]}, 
@NL80211_BAND_2GHZ={0x30, 0x0, 0x0, 0x1, [@NL80211_TXRATE_GI={0x5}, @NL80211_TXRATE_LEGACY={0x19, 0x1, [0x3, 0x3, 0x24, 0x0, 0x2, 0x30, 0x5, 0x12, 0x18, 0x18, 0x4, 0x24, 0x12, 0xc, 0x4, 0x2d, 0x36, 0x0, 0x3, 0x9, 0x2]}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}]}, @NL80211_BAND_60GHZ={0x44, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_HT={0x27, 0x2, [{0x3, 0x7}, {0x0, 0x2}, {0x2, 0x8}, {0x6, 0x1}, {0x4, 0x3}, {0x0, 0x3}, {0x0, 0xa}, {0x5, 0x9}, {0x7, 0x7}, {0x0, 0x8}, {0x0, 0x1}, {0x5, 0x4}, {0x2, 0x9}, {0x2}, {0x1, 0x6}, {0x4, 0x5}, {0x1, 0x5}, {0x3, 0x4}, {0x7, 0xa}, {0x1}, {0x6, 0x9}, {0x5, 0x7}, {0x7, 0x4}, {0x4, 0x6}, {0x4}, {}, {0x2, 0x8}, {0x7, 0x5}, {0x7, 0x4}, {0x1, 0x3}, {0x2, 0x3}, {0x7, 0x3}, {0x0, 0x4}, {0x0, 0x3}, {0x0, 0x3}]}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}]}, @NL80211_BAND_6GHZ={0x50, 0x3, 0x0, 0x1, [@NL80211_TXRATE_VHT={0x14, 0x3, {[0x375b, 0x8, 0xb5ea, 0x4, 0x8, 0x9, 0x2, 0x49de]}}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x6, 0x4, 0x40, 0xd5, 0x4, 0x401, 0x3, 0x8]}}, @NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_LEGACY={0x9, 0x1, [0x4, 0x18, 0x16, 0x36, 0x5]}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x1}]}, @NL80211_BAND_60GHZ={0x48, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_LEGACY={0x1d, 0x1, [0x2, 0x6, 0x12, 0x60, 0x3, 0x1b, 0x9, 0x24, 0x3, 0x3, 0x1e, 0x16, 0xb, 0x30, 0x36, 0x1, 0x36, 0x2, 0x18, 0x5, 0x5, 0x30, 0x1, 0x5, 0x30]}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x1ff, 0xfffe, 0xa9b, 0x6, 0x8, 0x8, 0xfffd]}}]}, @NL80211_BAND_5GHZ={0x50, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x2, 0x5, 0x0, 0xfffe, 0x9, 0x0, 0x0, 0x1]}}, @NL80211_TXRATE_HT={0x20, 0x2, [{0x1, 0x9}, {0x4}, {0x6, 0x4}, {0x1, 0x5}, {0x7, 0x8}, {0x2, 0x5}, {0x3, 0xa}, {0x4, 0x6}, {0x6, 0x7}, {0x4, 0x2}, {0x2, 0x1}, {0x1, 0x1}, {0x5, 0x1}, {}, {0x1, 0x5}, {0x3, 0x3}, {0x7, 0x5}, 
{0x5, 0xa}, {0x4, 0xa}, {0x1, 0x7}, {0x4, 0x7}, {0x2, 0x5}, {0x4, 0x5}, {0x0, 0x2}, {0x4, 0x4}, {0x7, 0x7}, {0x7, 0xa}, {0x0, 0x5}]}, @NL80211_TXRATE_HT={0x5, 0x2, [{0x7, 0x1}]}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}]}]}, @NL80211_ATTR_TX_RATES={0x22c, 0x5a, 0x0, 0x1, [@NL80211_BAND_6GHZ={0x98, 0x3, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x1}, @NL80211_TXRATE_LEGACY={0x24, 0x1, [0x18, 0x1b, 0x30, 0x13, 0x5, 0x9, 0x4, 0x12, 0x4, 0x16, 0x1b, 0x16, 0x12, 0x5, 0x5, 0x5, 0x18, 0x6c, 0x6e2de499a0479014, 0xc, 0x5, 0x6, 0x43, 0x30, 0x5, 0x12, 0xc, 0xc, 0x18, 0x6, 0x1, 0x2]}, @NL80211_TXRATE_HT={0x49, 0x2, [{0x0, 0x3}, {0x3}, {0x5, 0x7}, {0x5, 0x1}, {0x4}, {0x3, 0x9}, {0x2, 0x9}, {0x1, 0x3}, {0x4, 0x1}, {0x1, 0x4}, {0x0, 0x4}, {0x3, 0xa}, {0x5, 0x4}, {0x6}, {0x7, 0x6}, {0x1, 0x1}, {0x5, 0x5}, {0x3, 0x5}, {0x0, 0x8}, {0x3, 0x3}, {0x4, 0x1}, {0x7, 0xa}, {0x1, 0x2}, {0x1, 0x3}, {0x3, 0x2}, {0x3, 0x3}, {0x7, 0x4}, {0x0, 0x1}, {0x4, 0x8}, {0x2, 0x4}, {0x0, 0x6}, {0x0, 0x5}, {0x0, 0x6}, {0x6, 0x7}, {0x6, 0x3}, {0x2}, {0x5, 0x7}, {0x3, 0x3}, {0x0, 0x2}, {0x1, 0x5}, {0x0, 0x2}, {0x0, 0x3}, {0x1, 0x5}, {0x0, 0x2}, {0x5, 0x7}, {0x6, 0x9}, {0x5, 0x7}, {0x7, 0x7}, {0x4, 0x3}, {0x5, 0x6}, {0x0, 0x3}, {0x0, 0x9}, {0x1, 0x9}, {}, {0x5, 0x2}, {0x7, 0x1}, {0x7, 0x2}, {0x3, 0x3}, {0x0, 0x8}, {0x1, 0x9}, {0x5, 0x6}, {0x0, 0x3}, {0x7, 0x6}, {0x2, 0x2}, {0x1, 0x7}, {0x7, 0x4}, {0x4, 0x2}, {0x4, 0x6}, {0x5, 0xa}]}, @NL80211_TXRATE_GI={0x5}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x2, 0x400, 0x4, 0xd, 0x0, 0xc, 0x1f]}}]}, @NL80211_BAND_5GHZ={0x84, 0x1, 0x0, 0x1, [@NL80211_TXRATE_LEGACY={0x9, 0x1, [0x16, 0x2323fb5aa2b225ad, 0x1b, 0x1, 0x5]}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x9, 0xd8, 0x101, 0x1, 0xc2, 0xd, 0x3, 0x7]}}, @NL80211_TXRATE_LEGACY={0x20, 0x1, [0x30, 0xc, 0xc, 0x12, 0x24, 0x48, 0x16, 0xe7, 0x9, 0xb, 0x6c, 0x2, 0x6c, 0xd, 0x24, 0x30, 0x6, 0x60, 0xb, 0x24, 0x36, 0x60, 0xc, 0x3, 0x36, 0x30, 0x48, 0x57]}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x1, 0x0, 
0x800, 0xfff7, 0x3, 0x81, 0x0, 0xfffb]}}, @NL80211_TXRATE_HT={0x19, 0x2, [{0x0, 0x9}, {0x2, 0x2}, {0x3, 0x5}, {0x7, 0x6}, {0x1}, {0x7, 0x3}, {0x7, 0x9}, {0x1, 0x5}, {0x1, 0x9}, {0x3, 0x5}, {0x2}, {0x2, 0x1}, {0x2, 0x3}, {0x4, 0x5}, {0x6, 0xa}, {0x0, 0x6}, {0x1, 0x4}, {0x1, 0x5}, {0x3}, {0x7, 0x6}, {0x2, 0x8}]}, @NL80211_TXRATE_HE_LTF={0x5}]}, @NL80211_BAND_5GHZ={0x20, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE={0x14, 0x5, {[0xe, 0x401, 0x100, 0xa, 0x6, 0xc, 0x9, 0x965]}}, @NL80211_TXRATE_GI={0x5}]}, @NL80211_BAND_2GHZ={0xd0, 0x0, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_HT={0x48, 0x2, [{0x2, 0x4}, {0x1, 0x7}, {0x7, 0x9}, {0x1, 0x2}, {0x1, 0x5}, {0x6, 0x7}, {0x0, 0x3}, {0x0, 0x1}, {0x1, 0x7}, {0x6, 0x6}, {0x3, 0x3}, {0x4, 0x5}, {0x4, 0x1}, {0x6}, {0x1, 0x6}, {0x7, 0x9}, {0x3, 0xa}, {0x5, 0x9}, {0x3, 0x8}, {0x4, 0x4}, {0x6, 0x3}, {0x6, 0x6}, {0x5}, {0x1, 0x7}, {0x4, 0xa}, {0x1, 0x7}, {0x6, 0x9}, {0x6, 0x4}, {0x0, 0x6}, {0x3, 0x9}, {0x6, 0x1}, {0x3, 0xa}, {0x0, 0x9}, {0x5, 0x4}, {0x3, 0xa}, {0x4, 0x3}, {0x1, 0x9}, {0x7, 0x8}, {0x2, 0x2}, {0x2, 0xa}, {0x7, 0x9}, {0x1, 0x5}, {0x2, 0x9}, {0x7}, {0x1, 0x4}, {0x7, 0x8}, {0x5, 0x3}, {0x4}, {0x1, 0x3}, {0x0, 0x8}, {0x4, 0x6}, {0x3, 0x9}, {0x7, 0x7}, {0x2}, {0x0, 0x1}, {0x5, 0x6}, {0x0, 0x1}, {0x2, 0x8}, {0x0, 0x1}, {0x4, 0x5}, {0x3, 0x4}, {0x0, 0x3}, {0x1, 0x2}, {0x5, 0x7}, {0x0, 0x5}, {0x7, 0x9}, {0x5, 0x6}, {0x2, 0x1}]}, @NL80211_TXRATE_LEGACY={0x15, 0x1, [0x24, 0x36, 0x6c, 0xc, 0x36, 0x3, 0x2, 0x3, 0x1b, 0x0, 0x30, 0x6, 0x1, 0x5, 0x0, 0x6, 0x48]}, @NL80211_TXRATE_HT={0x49, 0x2, [{0x0, 0x2}, {0x1, 0x4}, {0x4, 0x5}, {0x2, 0x5}, {0x0, 0x1}, {0x4}, {0x5, 0x5}, {0x4, 0x3}, {}, {0x2, 0x4}, {0x6}, {0x5, 0x9}, {0x2, 0x5}, {0x6, 0x8}, {0x7, 0x4}, {0x7, 0x9}, {0x7, 0xa}, {0x0, 0x1}, {0x3, 0x5}, {0x4, 0xa}, {0x4, 0x2}, {0x7, 0x3}, {0x3, 0x7}, {0x4, 0x5}, {0x0, 0x9}, {0x2, 0x5}, {0x3, 0xa}, {0x0, 0x3}, {0x1, 0x8}, {0x2, 0x5}, {0x7, 0x2}, {0x1, 0x3}, {0x1, 0x4}, {0x4, 0x1}, {0x0, 0x8}, 
{0x5, 0x4}, {0x2, 0x3}, {0x7, 0x5}, {0x4, 0x4}, {0x6, 0x1}, {0x0, 0x9}, {0x6, 0x7}, {0x2, 0x8}, {0x5, 0x1}, {0x5, 0x7}, {0x7, 0xa}, {0x4, 0x4}, {0x5}, {0x6, 0xa}, {0x2, 0xa}, {0x6, 0x8}, {0x7, 0x3}, {0x3, 0x9}, {0x4, 0x7}, {0x1, 0x1}, {0x0, 0x8}, {0x6, 0x7}, {0x4, 0x8}, {0x1, 0x4}, {0x1, 0x6}, {0x4, 0x2}, {0x2, 0x9}, {0x5, 0x4}, {0x4, 0x6}, {0x2, 0x6}, {0x1, 0x8}, {0x6, 0x8}, {0x5, 0x4}, {0x6, 0x5}]}, @NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}, @NL80211_TXRATE_HT={0x5, 0x2, [{0x6, 0x8}]}]}, @NL80211_BAND_5GHZ={0x1c, 0x1, 0x0, 0x1, [@NL80211_TXRATE_GI={0x5, 0x4, 0x2}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x1}, @NL80211_TXRATE_HE_LTF={0x5}]}]}, @NL80211_ATTR_TX_RATES={0x208, 0x5a, 0x0, 0x1, [@NL80211_BAND_5GHZ={0xec, 0x1, 0x0, 0x1, [@NL80211_TXRATE_LEGACY={0xe, 0x1, [0x12, 0x60, 0x36, 0x3, 0xf, 0x6, 0x48, 0x36, 0x16, 0xb]}, @NL80211_TXRATE_HE_LTF={0x5}, @NL80211_TXRATE_HT={0x40, 0x2, [{0x4, 0xa}, {0x4, 0x4}, {0x4, 0x9}, {0x1}, {0x2, 0x9}, {0x7, 0x3}, {0x3, 0xa}, {0x0, 0x8}, {0x3, 0x3}, {0x5, 0x1}, {0x1, 0x5}, {0x7, 0x7}, {0x0, 0x3}, {0x2, 0x5}, {0x6, 0x8}, {0x6, 0x1}, {0x4, 0x3}, {0x1, 0x3}, {0x6, 0x5}, {0x6, 0x9}, {0x3, 0x3}, {0x1}, {0x1, 0x3}, {0x4, 0xa}, {0x5, 0x6}, {0x4, 0x5}, {0x3, 0x7}, {0x1, 0x1}, {0x0, 0x4}, {0x5}, {}, {0x6, 0xa}, {0x3, 0x4}, {0x0, 0x8}, {0x7, 0x9}, {0x0, 0x6}, {0x6, 0x9}, {0x7, 0x8}, {0x7, 0x8}, {0x1, 0x8}, {0x6, 0xc}, {0x0, 0x5}, {0x7, 0x7}, {0x4, 0x1}, {0x5, 0x7}, {0x5}, {0x4, 0x9}, {0x6, 0x5}, {0x7, 0x1}, {0x7, 0x1}, {0x1, 0x4}, {0x3}, {0x3, 0x8}, {0x7, 0x6}, {0x7}, {0x1, 0x7}, {0x2, 0x6}, {0x6, 0xa}, {0x6, 0x1}, {0x6, 0x6}]}, @NL80211_TXRATE_HT={0x2a, 0x2, [{0x0, 0x5}, {}, {0x0, 0x3}, {0x0, 0x2}, {0x3, 0x2}, {0x0, 0x5}, {0x0, 0x2}, {0x5, 0x4}, {0x3, 0x7}, {0x7, 0x2}, {0x7, 0x6}, {0x2, 0x8}, {0x0, 0x4}, {0x0, 0x2}, {0x6, 0x7}, {0x2, 0x5}, {0x7, 0x5}, {0x5, 0x2}, {0x7, 0xa}, {0x7, 0x1}, {0x3, 0x7}, {0x0, 0x9}, {0x1}, {0x2, 0x9}, {0x7, 0x5}, {}, {0x2, 0x6}, {0x4, 0x1}, {0x3, 0x7}, {0x1, 0x2}, {0x4}, {0x4, 0x3}, {0x5, 0x5}, {0x0, 0x6}, {0x5, 0x9}, 
{0x1, 0x4}, {0x4, 0x7}, {0x5, 0xa}]}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x5, 0x5, 0x7fff, 0x5, 0x2, 0x8, 0x204, 0x3]}}, @NL80211_TXRATE_HE={0x14, 0x5, {[0x2, 0x4, 0xf, 0x7, 0x1000, 0x60, 0x5, 0xfff8]}}, @NL80211_TXRATE_LEGACY={0x1e, 0x1, [0x6, 0x30, 0x30, 0x30, 0x3, 0xb, 0x4, 0x6, 0x0, 0x6, 0x18, 0x18, 0x2, 0x1b, 0x36, 0x12, 0x6, 0x5, 0x1b, 0x16, 0x3, 0x4, 0x12, 0x36, 0x30, 0x24]}, @NL80211_TXRATE_LEGACY={0x1b, 0x1, [0x9, 0xf, 0x4, 0x1, 0xc, 0x18, 0x18, 0x5, 0xc, 0x48, 0x16, 0x16, 0x2, 0x1, 0x48, 0x6, 0x4, 0x48, 0x9, 0x5, 0x5, 0x16, 0x1]}]}, @NL80211_BAND_60GHZ={0x4c, 0x2, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5}, @NL80211_TXRATE_HT={0x3e, 0x2, [{0x4, 0x4}, {0x5, 0x5}, {0x4, 0x6}, {0x1, 0x3}, {0x2}, {0x0, 0x6}, {0x0, 0x3}, {0x0, 0x3}, {0x5, 0x7}, {0x1, 0x3}, {0x0, 0x1}, {0x4}, {0x3, 0x6}, {0x7, 0x1}, {0x5, 0x5}, {0x0, 0x4}, {0x6}, {0x3, 0xa}, {0x7, 0x6}, {0x6, 0x9}, {0x3, 0x9}, {0x7, 0x2}, {0x5, 0xa}, {0x5, 0x3}, {0x2, 0xa}, {0x6, 0x2}, {0x0, 0x8}, {0x1, 0x5}, {0x4, 0x4}, {0x5, 0x8}, {0x6, 0x6}, {0x5}, {0x7, 0x6}, {0x0, 0x6}, {0x1, 0x1}, {0x5, 0x5}, {0x7, 0xa}, {0x4, 0x3}, {0x2, 0x3}, {0x5, 0x1}, {0x7, 0x8}, {0x1, 0x8}, {0x1, 0x8}, {0x2}, {0x4, 0x5}, {0x1, 0x8}, {0x7, 0x9}, {0x5, 0x2}, {0x4, 0x6}, {0x0, 0x5}, {0x1, 0xa}, {0x5, 0xa}, {0x2, 0x1}, {0x6, 0x9}, {0x0, 0xa}, {0x4, 0x1}, {}, {0x6, 0x9}]}]}, @NL80211_BAND_2GHZ={0x60, 0x0, 0x0, 0x1, [@NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_LEGACY={0x11, 0x1, [0x36, 0x6, 0x5e, 0x2, 0x6, 0xb, 0x4b, 0x12, 0x2, 0xb, 0x24, 0x1, 0x48]}, @NL80211_TXRATE_HT={0x3e, 0x2, [{0x3}, {0x3, 0x8}, {0x7, 0x5}, {0x2, 0x8}, {0x4, 0xa}, {0x3}, {0x5, 0x9}, {0x6, 0x4}, {0x3}, {0x1, 0x6}, {0x1, 0x1}, {0x3, 0x6}, {0x1, 0x9}, {0x4, 0xa}, {0x4, 0x1}, {0x0, 0x9}, {0x3, 0x1}, {0x3, 0x9}, {0x2}, {0x0, 0x2}, {0x7, 0x9}, {}, {0x2, 0x6}, {0x3}, {0x2, 0x1}, {0x4, 0x9}, {0x6, 0x7}, {0x6, 0x6}, {0x1, 0x5}, {0x3, 0x6}, {0x3, 0x2}, {0x1, 0x8}, {0x0, 0x2}, {0x3, 0x8}, {0x2, 0x6}, {0x3}, {0x0, 0x9}, {0x4, 0x3}, {0x0, 0x3}, {0x6, 0x2}, {0x4, 0xa}, {0x6, 
0x5}, {0x5, 0x9}, {0x3, 0x5}, {0x0, 0xa}, {0x7, 0x4}, {0x4, 0x2}, {0x6, 0x2}, {0x0, 0x2}, {0x1, 0x6}, {0x3, 0x9}, {0x6, 0x3}, {0x0, 0x2}, {0x2, 0x4}, {0x4}, {0x3, 0x3}, {0x0, 0x3}, {0x0, 0x4}]}]}, @NL80211_BAND_5GHZ={0xc, 0x1, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x2}]}, @NL80211_BAND_2GHZ={0x54, 0x0, 0x0, 0x1, [@NL80211_TXRATE_VHT={0x14, 0x3, {[0xb0, 0x2, 0x0, 0x101, 0x400, 0x9c, 0x5, 0x1]}}, @NL80211_TXRATE_HE_GI={0x5, 0x6, 0x2}, @NL80211_TXRATE_VHT={0x14, 0x3, {[0x9, 0x101, 0x0, 0x1, 0x8, 0x9557, 0x4, 0x6]}}, @NL80211_TXRATE_LEGACY={0x1d, 0x1, [0x30, 0x1, 0x36, 0x6, 0x0, 0x18, 0x24, 0x36, 0xc, 0x1, 0x1b, 0x1b, 0x24, 0x16, 0x1b, 0x1b, 0x2, 0x16, 0x5, 0x48, 0x36, 0x12, 0x5a, 0x76, 0x4]}]}, @NL80211_BAND_6GHZ={0xc, 0x3, 0x0, 0x1, [@NL80211_TXRATE_HE_LTF={0x5, 0x7, 0x1}]}]}]}, 0x73c}, 0x1, 0x0, 0x0, 0x58810}, 0x4044008) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) sendmsg$NL80211_CMD_DEAUTHENTICATE(r2, &(0x7f0000000300)={0x0, 0xffffffffffffff02, &(0x7f00000002c0)={&(0x7f0000000000)=ANY=[@ANYBLOB='0\x00\x00\x00', @ANYRES16=r5, @ANYBLOB="01000055f2000000000000000000000000009816e7f49a4f7630a67528dec6890bdc083ae96378bdbe003ebdd22313c3931cde894771e34f77d8773f54d44c4746dbd8ed50c155894aa1dc20431ad6736ed30211a6565f1341c79923545762", @ANYRES32=r8, @ANYBLOB="06003600160000000a0006000802110000000000"], 0x30}, 0x1, 0x0, 0x0, 0x40}, 0x80) [ 73.358498][ T5300] Bluetooth: hci0: command tx timeout [ 73.507470][ T5318] hid-generic 0005:4C4A:0009.0002: unknown main item tag 0x0 [ 73.529364][ T5318] hid-generic 0005:4C4A:0009.0002: hidraw1: BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa [ 73.585170][ T5320] [ 73.586262][ T5320] ====================================================== [ 73.589148][ T5320] WARNING: possible circular locking dependency detected [ 73.592458][ T5320] syzkaller #0 Not tainted [ 73.595071][ T5320] ------------------------------------------------------ [ 73.598358][ T5320] syz.0.0/5320 is trying to acquire lock: [ 73.601134][ T5320] 
ffff888034c59840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50 [ 73.606279][ T5320] [ 73.606279][ T5320] but task is already holding lock: [ 73.609760][ T5320] ffff888034c59af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0 [ 73.613949][ T5320] [ 73.613949][ T5320] which lock already depends on the new lock. [ 73.613949][ T5320] [ 73.618602][ T5320] [ 73.618602][ T5320] the existing dependency chain (in reverse order) is: [ 73.622725][ T5320] [ 73.622725][ T5320] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 73.626209][ T5320] __mutex_lock+0x19f/0x1300 [ 73.628658][ T5320] l2cap_info_timeout+0x60/0xa0 [ 73.631066][ T5320] process_scheduled_works+0xb6e/0x18c0 [ 73.633650][ T5320] worker_thread+0xa53/0xfc0 [ 73.635890][ T5320] kthread+0x388/0x470 [ 73.638307][ T5320] ret_from_fork+0x51e/0xb90 [ 73.640727][ T5320] ret_from_fork_asm+0x1a/0x30 [ 73.643140][ T5320] [ 73.643140][ T5320] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 73.648642][ T5320] __lock_acquire+0x15a5/0x2cf0 [ 73.651496][ T5320] lock_acquire+0xf0/0x2e0 [ 73.653797][ T5320] __flush_work+0x700/0xc50 [ 73.656082][ T5320] __cancel_work_sync+0xbe/0x110 [ 73.658442][ T5320] l2cap_conn_del+0x40f/0x5c0 [ 73.661235][ T5320] hci_conn_hash_flush+0x10d/0x260 [ 73.664890][ T5320] hci_dev_close_sync+0x821/0x10e0 [ 73.667987][ T5320] hci_dev_close+0x108/0x260 [ 73.670178][ T5320] sock_do_ioctl+0x101/0x320 [ 73.672531][ T5320] sock_ioctl+0x5c6/0x7f0 [ 73.675031][ T5320] __se_sys_ioctl+0xfc/0x170 [ 73.678008][ T5320] do_syscall_64+0x14d/0xf80 [ 73.680693][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.683611][ T5320] [ 73.683611][ T5320] other info that might help us debug this: [ 73.683611][ T5320] [ 73.688645][ T5320] Possible unsafe locking scenario: [ 73.688645][ T5320] [ 73.692467][ T5320] CPU0 CPU1 [ 73.695048][ T5320] ---- ---- [ 73.699648][ T5320] lock(&conn->lock#2); [ 73.702062][ T5320] 
lock((work_completion)(&(&conn->info_timer)->work)); [ 73.706134][ T5320] lock(&conn->lock#2); [ 73.708947][ T5320] lock((work_completion)(&(&conn->info_timer)->work)); [ 73.712479][ T5320] [ 73.712479][ T5320] *** DEADLOCK *** [ 73.712479][ T5320] [ 73.716784][ T5320] 5 locks held by syz.0.0/5320: [ 73.718774][ T5320] #0: ffff8880427e0ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260 [ 73.722637][ T5320] #1: ffff8880427e00c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0 [ 73.726824][ T5320] #2: ffffffff8fd5d068 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 [ 73.731615][ T5320] #3: ffff888034c59af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0 [ 73.735691][ T5320] #4: ffffffff8e75e520 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50 [ 73.740026][ T5320] [ 73.740026][ T5320] stack backtrace: [ 73.743098][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 73.743123][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 73.743136][ T5320] Call Trace: [ 73.743176][ T5320] [ 73.743185][ T5320] dump_stack_lvl+0xe8/0x150 [ 73.743213][ T5320] print_circular_bug+0x2e1/0x300 [ 73.743238][ T5320] check_noncircular+0x12e/0x150 [ 73.743258][ T5320] __lock_acquire+0x15a5/0x2cf0 [ 73.743307][ T5320] ? do_raw_spin_lock+0x12b/0x2f0 [ 73.743324][ T5320] ? do_raw_spin_unlock+0x4d/0x210 [ 73.743335][ T5320] lock_acquire+0xf0/0x2e0 [ 73.743347][ T5320] ? __flush_work+0x100/0xc50 [ 73.743364][ T5320] ? __flush_work+0x100/0xc50 [ 73.743377][ T5320] __flush_work+0x700/0xc50 [ 73.743390][ T5320] ? __flush_work+0x100/0xc50 [ 73.743402][ T5320] ? __flush_work+0x100/0xc50 [ 73.743416][ T5320] ? __pfx___flush_work+0x10/0x10 [ 73.743430][ T5320] ? __pfx_wq_barrier_func+0x10/0x10 [ 73.743444][ T5320] ? 
__cancel_work_sync+0x5c/0x110 [ 73.743459][ T5320] __cancel_work_sync+0xbe/0x110 [ 73.743473][ T5320] l2cap_conn_del+0x40f/0x5c0 [ 73.743512][ T5320] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 73.743530][ T5320] hci_conn_hash_flush+0x10d/0x260 [ 73.743550][ T5320] hci_dev_close_sync+0x821/0x10e0 [ 73.743566][ T5320] ? __pfx_hci_dev_close_sync+0x10/0x10 [ 73.743578][ T5320] ? lockdep_hardirqs_on+0x7a/0x110 [ 73.743590][ T5320] ? enable_work+0x1fd/0x230 [ 73.743611][ T5320] hci_dev_close+0x108/0x260 [ 73.743627][ T5320] sock_do_ioctl+0x101/0x320 [ 73.743642][ T5320] ? __pfx_sock_do_ioctl+0x10/0x10 [ 73.743655][ T5320] ? do_futex+0x333/0x420 [ 73.743674][ T5320] sock_ioctl+0x5c6/0x7f0 [ 73.743691][ T5320] ? __pfx_sock_ioctl+0x10/0x10 [ 73.743707][ T5320] ? __fget_files+0x2a/0x420 [ 73.743721][ T5320] ? __fget_files+0x3a0/0x420 [ 73.743733][ T5320] ? __fget_files+0x2a/0x420 [ 73.743749][ T5320] ? bpf_lsm_file_ioctl+0x9/0x20 [ 73.743761][ T5320] ? __pfx_sock_ioctl+0x10/0x10 [ 73.743774][ T5320] __se_sys_ioctl+0xfc/0x170 [ 73.743787][ T5320] do_syscall_64+0x14d/0xf80 [ 73.743799][ T5320] ? trace_irq_disable+0x3b/0x150 [ 73.743820][ T5320] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.743837][ T5320] ? 
clear_bhb_loop+0x40/0x90 [ 73.743853][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.743865][ T5320] RIP: 0033:0x7fabb7d9c799 [ 73.743913][ T5320] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 73.743925][ T5320] RSP: 002b:00007fabb8c03fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 73.743941][ T5320] RAX: ffffffffffffffda RBX: 00007fabb8015fa0 RCX: 00007fabb7d9c799 [ 73.743951][ T5320] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000007 [ 73.743959][ T5320] RBP: 00007fabb7e32c99 R08: 0000000000000000 R09: 0000000000000000 [ 73.743967][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 73.743977][ T5320] R13: 00007fabb8016038 R14: 00007fabb8015fa0 R15: 00007fff612ea768 [ 73.743991][ T5320] [ 73.973267][ T5325] fido_id[5325]: Failed to open report descriptor at '/sys/devices/virtual/bluetooth/hci0/hci0:200/report_descriptor': No such file or directory [ 74.095781][ T5328] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 74.127051][ T1350] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 74.131194][ T1350] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 74.235832][ T1039] wlan1: send auth to 08:02:11:00:00:00 (try 2/3) [ 74.346429][ T1039] wlan1: send auth to 08:02:11:00:00:00 (try 3/3) [ 74.455937][ T1039] wlan1: authentication with 08:02:11:00:00:00 timed out [ 75.406041][ T45] Bluetooth: hci0: command tx timeout [ 76.207118][ T1314] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.210117][ T1314] ieee802154 phy1 wpan1: encryption failed: -22 [ 77.486670][ T45] Bluetooth: hci0: command tx timeout [ 79.566315][ T45] Bluetooth: hci0: command tx timeout