program:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000240), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan1\x00', <r2=>0x0})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
r6 = socket$qrtr(0x2a, 0x2, 0x0)
ioctl$sock_inet_SIOCSIFFLAGS(r6, 0x8914, &(0x7f0000000000)={'wlan1\x00'})
r7 = socket$nl_generic(0x10, 0x3, 0x10)
r8 = socket$nl_generic(0x10, 0x3, 0x10)
r9 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r7, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r10=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r8, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)={0x24, r9, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r10}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x7}]}, 0x24}}, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r11=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000001c0)={0x28, r5, 0x5, 0x3, 0x0, {{}, {@val={0x8, 0x3, r11}, @void}}, [@NL80211_ATTR_MESH_ID={0xa}]}, 0x28}}, 0x0)
r12 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r12, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0)
r13 = socket$nl_generic(0x10, 0x3, 0x10)
r14 = syz_genetlink_get_family_id$nl80211(&(0x7f00000014c0), 0xffffffffffffffff)
r15 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r15, 0x8933, &(0x7f0000000180)={'wlan1\x00', <r16=>0x0})
sendmsg$NL80211_CMD_CHANNEL_SWITCH(r13, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000002c0)={0x2c, r14, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r16}, @void}}, [@chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8, 0x26, @random=0x98f}], @NL80211_ATTR_CH_SWITCH_COUNT={0x8}]}, 0x2c}}, 0x0)
ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8b04, 0x0)
sendmsg$NL80211_CMD_REGISTER_FRAME(r3, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000040)={0x28, r1, 0x1, 0x3, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_FRAME_MATCH={0x4}, @NL80211_ATTR_FRAME_TYPE={0x6, 0x65, 0x40}]}, 0x28}}, 0x0)
r17 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r17, &(0x7f0000000600)={0x0, 0x4, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0)

[  267.925841][ T4677] Bluetooth: hci0: command tx timeout
[  268.000186][ T5373] netlink: 'syz.0.0': attribute type 10 has an invalid length.
[  268.013864][ T5373] bond0: (slave wlan1): Enslaving as an active interface with an up link
[  268.031331][ T5373] netlink: 'syz.0.0': attribute type 10 has an invalid length.
[  268.036930][ T3381] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] SMP KASAN NOPTI
[  268.042328][ T3381] KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
[  268.045963][ T3381] CPU: 0 UID: 0 PID: 3381 Comm: kworker/u4:19 Not tainted syzkaller #0 PREEMPT(full) 
[  268.050113][ T3381] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[  268.054644][ T3381] Workqueue: events_unbound cfg80211_wiphy_work
[  268.057522][ T3381] RIP: 0010:ieee80211_put_srates_elem+0x42/0x640
[  268.060438][ T3381] Code: 18 89 54 24 28 48 89 f3 49 89 fe 49 bc 00 00 00 00 00 fc ff df e8 ae 3f e3 f6 48 89 5c 24 38 4c 8d 6b 18 4d 89 ef 49 c1 ef 03 <43> 0f b6 04 27 84 c0 0f 85 19 05 00 00 41 8b 5d 00 31 ff 89 de e8
[  268.068427][ T3381] RSP: 0018:ffffc9000ec977b8 EFLAGS: 00010206
[  268.070944][ T3381] RAX: ffffffff8addc7b2 RBX: 0000000000000000 RCX: ffff888000ec24c0
[  268.074254][ T3381] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88803ff17780
[  268.077631][ T3381] RBP: 0000000000000001 R08: 0000000000000001 R09: ffffffff8df41aa0
[  268.081117][ T3381] R10: dffffc0000000000 R11: ffffed1006e513b3 R12: dffffc0000000000
[  268.084612][ T3381] R13: 0000000000000018 R14: ffff88803ff17780 R15: 0000000000000003
[  268.088146][ T3381] FS:  0000000000000000(0000) GS:ffff88808d414000(0000) knlGS:0000000000000000
[  268.092055][ T3381] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  268.094973][ T3381] CR2: 00002000000014c0 CR3: 000000001b2dc000 CR4: 0000000000352ef0
[  268.098511][ T3381] Call Trace:
[  268.100053][ T3381]  <TASK>
[  268.101453][ T3381]  ieee80211_mesh_build_beacon+0xa83/0x1b50
[  268.104096][ T3381]  ? ieee80211_mesh_build_beacon+0x292/0x1b50
[  268.106754][ T3381]  ieee80211_mesh_rebuild_beacon+0xc7/0x170
[  268.109446][ T3381]  ieee80211_mesh_finish_csa+0x131/0x210
[  268.111977][ T3381]  ieee80211_csa_finalize+0x633/0x1150
[  268.114450][ T3381]  ? __pfx_ieee80211_csa_finalize+0x10/0x10
[  268.117009][ T3381]  ? ieee80211_csa_finalize_work+0x176/0x1e0
[  268.119702][ T3381]  cfg80211_wiphy_work+0x2ab/0x450
[  268.121952][ T3381]  ? process_scheduled_works+0x9ef/0x1770
[  268.124411][ T3381]  process_scheduled_works+0xad1/0x1770
[  268.126863][ T3381]  ? __pfx_process_scheduled_works+0x10/0x10
[  268.129593][ T3381]  ? do_raw_spin_lock+0x121/0x290
[  268.131847][ T3381]  worker_thread+0x8a0/0xda0
[  268.133969][ T3381]  ? __kthread_parkme+0x7b/0x200
[  268.136212][ T3381]  kthread+0x711/0x8a0
[  268.138797][ T3381]  ? __pfx_worker_thread+0x10/0x10
[  268.141170][ T3381]  ? __pfx_kthread+0x10/0x10
[  268.143102][ T3381]  ? _raw_spin_unlock_irq+0x23/0x50
[  268.145470][ T3381]  ? __pfx_kthread+0x10/0x10
[  268.147397][ T3381]  ret_from_fork+0x510/0xa50
[  268.149408][ T3381]  ? __pfx_ret_from_fork+0x10/0x10
[  268.151566][ T3381]  ? __switch_to+0xc9e/0x1480
[  268.153493][ T3381]  ? __pfx_kthread+0x10/0x10
[  268.155457][ T3381]  ret_from_fork_asm+0x1a/0x30
[  268.157161][ T3381]  </TASK>
[  268.158302][ T3381] Modules linked in:
[  268.161518][ T3381] ---[ end trace 0000000000000000 ]---
[  268.171316][ T3381] RIP: 0010:ieee80211_put_srates_elem+0x42/0x640
[  268.174043][ T3381] Code: 18 89 54 24 28 48 89 f3 49 89 fe 49 bc 00 00 00 00 00 fc ff df e8 ae 3f e3 f6 48 89 5c 24 38 4c 8d 6b 18 4d 89 ef 49 c1 ef 03 <43> 0f b6 04 27 84 c0 0f 85 19 05 00 00 41 8b 5d 00 31 ff 89 de e8
[  268.183045][ T3381] RSP: 0018:ffffc9000ec977b8 EFLAGS: 00010206
[  268.186582][ T3381] RAX: ffffffff8addc7b2 RBX: 0000000000000000 RCX: ffff888000ec24c0
[  268.190517][ T3381] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88803ff17780
[  268.193877][ T3381] RBP: 0000000000000001 R08: 0000000000000001 R09: ffffffff8df41aa0
[  268.197224][ T3381] R10: dffffc0000000000 R11: ffffed1006e513b3 R12: dffffc0000000000
[  268.200808][ T3381] R13: 0000000000000018 R14: ffff88803ff17780 R15: 0000000000000003
[  268.203700][ T3381] FS:  0000000000000000(0000) GS:ffff88808d414000(0000) knlGS:0000000000000000
[  268.207111][ T3381] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  268.210527][ T3381] CR2: 00002000000014c0 CR3: 000000001b2dc000 CR4: 0000000000352ef0
[  268.214110][ T3381] Kernel panic - not syncing: Fatal exception
[  268.217058][ T3381] Kernel Offset: disabled
[  268.218912][ T3381] Rebooting in 86400 seconds..