program: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = socket$nl_generic(0x10, 0x3, 0x10) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) r5 = socket$nl_generic(0x10, 0x3, 0x10) syz_open_dev$sg(&(0x7f0000000440), 0x0, 0x82600) r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r5, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r6, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r7}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r6, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r7}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}, 0x1, 0x0, 0x0, 0x800}, 0x0) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x12}]}, @void, @void, @void, @void, @void, @void}, 0x2f) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000400)=@mgmt_frame=@auth={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x1}}, 0x0, 0x2, 0x0, @void}, 0x1e) syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000500)=@mgmt_frame=@assoc_resp={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x2}}, 0x4584, 0x0, @default, @val, @void}, 0x20) sendmsg$NL80211_CMD_TRIGGER_SCAN(r2, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x1c, r3, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}}, 0x1c}}, 0x0) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, 
&(0x7f0000000000)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @random=0xb, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val, @void, @void, @void, @val={0x2d, 0x1a, {0x300, 0x0, 0x0, 0x0, {0x5, 0x6, 0x0, 0x7, 0x0, 0x1, 0x0, 0x3, 0x1}, 0x8, 0x7, 0x5}}, @void, @void}, 0x4a) syz_80211_inject_frame(&(0x7f0000000280), &(0x7f0000000380)=@ctrl_frame=@pspoll={{}, @random=0x7ff, @from_mac=@device_b}, 0x10) r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000c00), 0xffffffffffffffff) r9 = socket$nl_generic(0x10, 0x3, 0x10) r10 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r9, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r9, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r10, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r11}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) r12 = socket$nl_generic(0x10, 0x3, 0x10) r13 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r12, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_TDLS_OPER(r12, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000001c0)={0x30, r13, 0xfd39e943ccf1163b, 0x70bd25, 0x25dfdbfd, {{}, {@val={0x8, 0x3, r14}, @void}}, [@NL80211_ATTR_TDLS_OPERATION={0x5, 0x8a, 0x4}, @NL80211_ATTR_MAC={0xa}]}, 0x30}, 0x1, 0x0, 0x0, 0x20000010}, 0x50) ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000008c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_ABORT_SCAN(r0, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000300)={0x1c, r8, 0xd9b2794f6a139537, 0x0, 0x0, {{}, {@val={0x8, 0x3, r15}, @void}}}, 0x1c}}, 0x0) [ 80.618158][ T1310] ieee802154 phy0 wpan0: encryption failed: -22 [ 80.620511][ T1310] ieee802154 phy1 wpan1: encryption failed: -22 [ 80.623754][ T5304] Bluetooth: hci0: command tx timeout [ 80.747895][ T5320] mac80211_hwsim: wmediumd released netlink socket, switching to perfect 
channel medium [ 80.779180][ T8] wlan1: No basic rates, using min rate instead [ 80.783544][ T8] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 80.787965][ T8] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 80.803427][ T31] wlan1: authenticated [ 80.805700][ T5320] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 80.811954][ T31] wlan1: associate with 08:02:11:00:00:00 (try 1/3) [ 80.817096][ T3971] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0x4584 status=0 aid=1) [ 80.820038][ T3971] wlan1: No basic rates, using min rate instead [ 80.823528][ T5320] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 80.830131][ T3971] wlan1: associated [ 80.837635][ T5320] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 80.842266][ T5320] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 80.855664][ T3971] ------------[ cut here ]------------ [ 80.858364][ T3971] WARNING: CPU: 0 PID: 3971 at net/mac80211/mlme.c:4106 ieee80211_mgd_probe_ap_send+0x4e3/0x5c0 [ 80.862636][ T3971] Modules linked in: [ 80.864068][ T3971] CPU: 0 UID: 0 PID: 3971 Comm: kworker/u4:11 Not tainted 6.14.0-rc4-syzkaller-00212-g276f98efb64a #0 [ 80.868595][ T3971] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 80.873244][ T3971] Workqueue: events_unbound cfg80211_wiphy_work [ 80.875680][ T3971] RIP: 0010:ieee80211_mgd_probe_ap_send+0x4e3/0x5c0 [ 80.878595][ T3971] Code: 5d 41 5e 41 5f 5d e9 fc d1 1d f6 e8 97 4a 31 f6 90 0f 0b 90 eb b6 e8 8c 4a 31 f6 90 0f 0b 90 e9 fc fb ff ff e8 7e 4a 31 f6 90 <0f> 0b 90 e9 bf fc ff ff e8 70 4a 31 f6 90 0f 0b 90 e9 30 ff ff ff [ 80.886748][ T3971] RSP: 0018:ffffc9000f907a80 EFLAGS: 00010293 [ 80.889087][ T3971] RAX: ffffffff8b9074c2 RBX: 0000000000000001 RCX: ffff888040704880 [ 80.892165][ T3971] RDX: 0000000000000000 RSI: 
ffffffff8c2ab700 RDI: ffffffff8c80f060 [ 80.895170][ T3971] RBP: 1ffff1100a60db8e R08: ffffffff903cef77 R09: 1ffffffff2079dee [ 80.898496][ T3971] R10: dffffc0000000000 R11: fffffbfff2079def R12: ffff88805306ea22 [ 80.901582][ T3971] R13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88805306cd80 [ 80.904822][ T3971] FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 80.908309][ T3971] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 80.911395][ T3971] CR2: 00007fc3e86d7d60 CR3: 0000000043cba000 CR4: 0000000000352ef0 [ 80.915558][ T3971] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 80.919323][ T3971] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 80.922540][ T3971] Call Trace: [ 80.923981][ T3971] [ 80.925210][ T3971] ? __warn+0x165/0x4d0 [ 80.927132][ T3971] ? ieee80211_mgd_probe_ap_send+0x4e3/0x5c0 [ 80.929705][ T3971] ? report_bug+0x2b3/0x500 [ 80.932185][ T3971] ? ieee80211_mgd_probe_ap_send+0x4e3/0x5c0 [ 80.935238][ T3971] ? handle_bug+0x60/0x90 [ 80.937524][ T3971] ? exc_invalid_op+0x1a/0x50 [ 80.939343][ T3971] ? asm_exc_invalid_op+0x1a/0x20 [ 80.941370][ T3971] ? ieee80211_mgd_probe_ap_send+0x4e2/0x5c0 [ 80.943495][ T3971] ? ieee80211_mgd_probe_ap_send+0x4e3/0x5c0 [ 80.945730][ T3971] ? ieee80211_mgd_probe_ap+0x2ed/0x420 [ 80.948221][ T3971] cfg80211_wiphy_work+0x2f0/0x490 [ 80.950903][ T3971] ? process_scheduled_works+0x9c6/0x18e0 [ 80.953533][ T3971] process_scheduled_works+0xabe/0x18e0 [ 80.955967][ T3971] ? __pfx_process_scheduled_works+0x10/0x10 [ 80.958711][ T3971] ? assign_work+0x364/0x3d0 [ 80.960840][ T3971] worker_thread+0x870/0xd30 [ 80.962759][ T3971] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 80.965293][ T3971] ? __kthread_parkme+0x169/0x1d0 [ 80.967675][ T3971] ? __pfx_worker_thread+0x10/0x10 [ 80.969755][ T3971] kthread+0x7a9/0x920 [ 80.971408][ T3971] ? __pfx_kthread+0x10/0x10 [ 80.973123][ T3971] ? __pfx_worker_thread+0x10/0x10 [ 80.975122][ T3971] ? 
__pfx_kthread+0x10/0x10 [ 80.977120][ T3971] ? __pfx_kthread+0x10/0x10 [ 80.979370][ T3971] ? __pfx_kthread+0x10/0x10 [ 80.981414][ T3971] ? _raw_spin_unlock_irq+0x23/0x50 [ 80.984044][ T3971] ? lockdep_hardirqs_on+0x99/0x150 [ 80.986542][ T3971] ? __pfx_kthread+0x10/0x10 [ 80.988177][ T3971] ret_from_fork+0x4b/0x80 [ 80.989973][ T3971] ? __pfx_kthread+0x10/0x10 [ 80.991714][ T3971] ret_from_fork_asm+0x1a/0x30 [ 80.993345][ T3971] [ 80.994522][ T3971] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 80.997089][ T3971] CPU: 0 UID: 0 PID: 3971 Comm: kworker/u4:11 Not tainted 6.14.0-rc4-syzkaller-00212-g276f98efb64a #0 [ 81.002745][ T3971] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 81.006886][ T3971] Workqueue: events_unbound cfg80211_wiphy_work [ 81.009329][ T3971] Call Trace: [ 81.010711][ T3971] [ 81.011912][ T3971] dump_stack_lvl+0x241/0x360 [ 81.013618][ T3971] ? __pfx_dump_stack_lvl+0x10/0x10 [ 81.015571][ T3971] ? __pfx__printk+0x10/0x10 [ 81.017301][ T3971] ? _printk+0xd5/0x120 [ 81.018919][ T3971] ? __init_begin+0x41000/0x41000 [ 81.020768][ T3971] ? vscnprintf+0x5d/0x90 [ 81.022499][ T3971] panic+0x349/0x880 [ 81.024056][ T3971] ? __warn+0x174/0x4d0 [ 81.025550][ T3971] ? __pfx_panic+0x10/0x10 [ 81.027389][ T3971] ? ret_from_fork_asm+0x1a/0x30 [ 81.029649][ T3971] __warn+0x344/0x4d0 [ 81.031300][ T3971] ? ieee80211_mgd_probe_ap_send+0x4e3/0x5c0 [ 81.033797][ T3971] report_bug+0x2b3/0x500 [ 81.035467][ T3971] ? 
ieee80211_mgd_probe_ap_send+0x4e3/0x5c0 [ 81.037725][ T3971] handle_bug+0x60/0x90 [ 81.039573][ T3971] exc_invalid_op+0x1a/0x50 [ 81.041845][ T3971] asm_exc_invalid_op+0x1a/0x20 [ 81.043985][ T3971] RIP: 0010:ieee80211_mgd_probe_ap_send+0x4e3/0x5c0 [ 81.046453][ T3971] Code: 5d 41 5e 41 5f 5d e9 fc d1 1d f6 e8 97 4a 31 f6 90 0f 0b 90 eb b6 e8 8c 4a 31 f6 90 0f 0b 90 e9 fc fb ff ff e8 7e 4a 31 f6 90 <0f> 0b 90 e9 bf fc ff ff e8 70 4a 31 f6 90 0f 0b 90 e9 30 ff ff ff [ 81.053843][ T3971] RSP: 0018:ffffc9000f907a80 EFLAGS: 00010293 [ 81.056237][ T3971] RAX: ffffffff8b9074c2 RBX: 0000000000000001 RCX: ffff888040704880 [ 81.059760][ T3971] RDX: 0000000000000000 RSI: ffffffff8c2ab700 RDI: ffffffff8c80f060 [ 81.063062][ T3971] RBP: 1ffff1100a60db8e R08: ffffffff903cef77 R09: 1ffffffff2079dee [ 81.065944][ T3971] R10: dffffc0000000000 R11: fffffbfff2079def R12: ffff88805306ea22 [ 81.069017][ T3971] R13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88805306cd80 [ 81.072819][ T3971] ? ieee80211_mgd_probe_ap_send+0x4e2/0x5c0 [ 81.075219][ T3971] ? ieee80211_mgd_probe_ap+0x2ed/0x420 [ 81.077497][ T3971] cfg80211_wiphy_work+0x2f0/0x490 [ 81.079242][ T3971] ? process_scheduled_works+0x9c6/0x18e0 [ 81.081091][ T3971] process_scheduled_works+0xabe/0x18e0 [ 81.083094][ T3971] ? __pfx_process_scheduled_works+0x10/0x10 [ 81.085008][ T3971] ? assign_work+0x364/0x3d0 [ 81.086606][ T3971] worker_thread+0x870/0xd30 [ 81.088404][ T3971] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 81.090987][ T3971] ? __kthread_parkme+0x169/0x1d0 [ 81.093113][ T3971] ? __pfx_worker_thread+0x10/0x10 [ 81.094966][ T3971] kthread+0x7a9/0x920 [ 81.096534][ T3971] ? __pfx_kthread+0x10/0x10 [ 81.098343][ T3971] ? __pfx_worker_thread+0x10/0x10 [ 81.100292][ T3971] ? __pfx_kthread+0x10/0x10 [ 81.102145][ T3971] ? __pfx_kthread+0x10/0x10 [ 81.104424][ T3971] ? __pfx_kthread+0x10/0x10 [ 81.107287][ T3971] ? _raw_spin_unlock_irq+0x23/0x50 [ 81.109804][ T3971] ? lockdep_hardirqs_on+0x99/0x150 [ 81.111583][ T3971] ? 
__pfx_kthread+0x10/0x10 [ 81.113361][ T3971] ret_from_fork+0x4b/0x80 [ 81.115046][ T3971] ? __pfx_kthread+0x10/0x10 [ 81.117027][ T3971] ret_from_fork_asm+0x1a/0x30 [ 81.119074][ T3971] [ 81.120931][ T3971] Kernel Offset: disabled [ 81.123235][ T3971] Rebooting in 86400 seconds.. Reviewer note: the panic here is a consequence of the fuzzing configuration (the log says "panic_on_warn set"); the underlying defect is the WARNING at net/mac80211/mlme.c:4106 in ieee80211_mgd_probe_ap_send, reached from the cfg80211_wiphy_work workqueue (kworker/u4:11) after wlan1 had authenticated and associated with the AP presented by the injected frames (see the "wlan1: authenticated" / "wlan1: associated" lines above). On a kernel without panic_on_warn this would surface as a warning rather than a crash, so the severity should be judged from what the WARN guards, which this log does not show. The reproducer combines a privileged nl80211 NL80211_CMD_CONNECT on the mac80211_hwsim interface wlan1 with syz_80211_inject_frame probe-response, auth and assoc-response management frames; it is unclear from this page alone whether frames from a remote AP suffice without the local netlink steps, so treat the remote-trigger question as unconfirmed.