# Reproducer (syzkaller program syntax) followed by the console log it produced.
#
# Triage summary, taken from the log that follows the program:
#   - The kernel hits WARNING "!chanctx_conf" at net/mac80211/tx.c:6305 in
#     ieee80211_tx_skb_tid.
#   - Reliable frames leading there: nl80211_new_station -> rdev_add_station ->
#     sta_info_insert -> sta_info_insert_rcu -> cleanup_single_sta ->
#     mesh_sta_cleanup -> mesh_plink_deactivate -> mesh_plink_frame_tx.
#   - The machine stops because of "panic_on_warn set"; the log shows a WARN
#     assertion, not a memory fault report.
#   - NOTE(review): cleanup_single_sta being called from sta_info_insert_rcu
#     looks like the unwind path of a station insert that did not complete, so
#     the mesh teardown would be transmitting on an interface with no channel
#     context. Confirm against the mac80211 source.
#
# Rendering caveats:
#   - r6 and r8 are used below but never assigned in this listing. Presumably
#     the result annotations on the SIOCGIFINDEX ifindex fields were lost in
#     extraction (angle-bracket text appears stripped; the "Call Trace:" lines
#     in the log are likewise followed by empty entries).
#   - Calls marked (async) are issued without waiting for completion. Each one
#     is followed here by a synchronous copy of the same call.
program:
# Generic netlink socket later used for the nl80211 GET_KEY and NEW_STATION requests.
r0 = socket$nl_generic(0x10, 0x3, 0x10)
# Resolve the nl80211 generic-netlink family id (r1).
syz_genetlink_get_family_id$nl80211(&(0x7f0000000f80), 0xffffffffffffffff) (async)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000f80), 0xffffffffffffffff)
# Helper socket used only as the fd for the SIOCSIFFLAGS ioctl on wlan1.
socket$qrtr(0x2a, 0x2, 0x0) (async)
r2 = socket$qrtr(0x2a, 0x2, 0x0)
# Set interface flags on wlan1; the flags value itself is not shown in this listing.
ioctl$sock_inet_SIOCSIFFLAGS(r2, 0x8914, &(0x7f0000000000)={'wlan1\x00'})
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
# Look up the ifindex of wlan1 (presumably the source of r6; see caveat above).
ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0})
# nl80211 GET_KEY request carrying a key-index attribute.
sendmsg$NL80211_CMD_GET_KEY(r0, &(0x7f0000000280)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000000240)={&(0x7f00000001c0)={0x28, r1, 0x800, 0x70bd26, 0x25dfdbfc, {{}, {@void, @val={0xc, 0x99, {0x3, 0x3b}}}}, [@NL80211_ATTR_KEY_IDX={0x5}]}, 0x28}, 0x1, 0x0, 0x0, 0x20000000}, 0x40008)
# Change the type of interface r6 to iftype 0x7 (NL80211_IFTYPE_MESH_POINT in
# the nl80211 UAPI enum), consistent with the mesh_* frames in the trace.
sendmsg$NL80211_CMD_SET_INTERFACE(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)={0x24, r5, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r6}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x7}]}, 0x24}}, 0x0)
# Despite the $kcm name, the arguments are (0x10, 0x2, 0x0): a netlink socket
# with protocol 0, used to send a raw 0x2e-byte message.
socket$kcm(0x10, 0x2, 0x0) (async)
r7 = socket$kcm(0x10, 0x2, 0x0)
# NOTE(review): the log reports "attribute type 10 has an invalid length" and
# "bond0: (slave wlan1): Enslaving as an active interface" right after this
# point, which suggests this raw message is what attaches wlan1 to bond0.
sendmsg$kcm(r7, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0)
# Second ifindex lookup for wlan1 (presumably the source of r8).
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000040)={'wlan1\x00', 0x0})
# NEW_STATION on interface r8, issued twice (async, then sync). This is the
# request whose handler, nl80211_new_station, appears in the WARNING call trace.
sendmsg$NL80211_CMD_NEW_STATION(r0, &(0x7f0000001080)={0x0, 0x0, &(0x7f0000001040)={&(0x7f00000000c0)={0x3c, r1, 0xb97534d5fe9704cf, 0x0, 0x25dfdbfc, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_STA_LISTEN_INTERVAL={0x6}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STA_SUPPORTED_RATES={0x4}, @NL80211_ATTR_STA_AID={0x6, 0x10, 0x57d}]}, 0x3c}}, 0x0) (async)
sendmsg$NL80211_CMD_NEW_STATION(r0, &(0x7f0000001080)={0x0, 0x0, &(0x7f0000001040)={&(0x7f00000000c0)={0x3c, r1, 0xb97534d5fe9704cf, 0x0, 0x25dfdbfc, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_STA_LISTEN_INTERVAL={0x6}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STA_SUPPORTED_RATES={0x4}, @NL80211_ATTR_STA_AID={0x6, 0x10, 0x57d}]}, 0x3c}}, 0x0)
[ 73.660889][ T5295] Bluetooth: hci0: command tx timeout [ 73.769349][ T5316] netlink: 'syz.0.0': attribute type 10 has an invalid length. [ 73.778154][ T5316] bond0: (slave wlan1): Enslaving as an active interface with an up link [ 73.785862][ T5315] ------------[ cut here ]------------ [ 73.788389][ T5315] !chanctx_conf [ 73.788395][ T5315] WARNING: net/mac80211/tx.c:6305 at ieee80211_tx_skb_tid+0x3b4/0x470, CPU#0: syz.0.0/5315 [ 73.793548][ T5315] Modules linked in: [ 73.795216][ T5315] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 73.798913][ T5315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 73.803041][ T5315] RIP: 0010:ieee80211_tx_skb_tid+0x3b4/0x470 [ 73.805613][ T5315] Code: 73 77 f6 e9 b1 fe ff ff e8 69 49 9b f6 90 0f 0b 90 e9 e2 fe ff ff e8 5b 49 9b f6 90 0f 0b 90 e9 2a fe ff ff e8 4d 49 9b f6 90 <0f> 0b 90 e8 54 cc fd ff 31 ff 48 8b 34 24 ba 02 00 00 00 48 83 c4 [ 73.813525][ T5315] RSP: 0018:ffffc9000db86d98 EFLAGS: 00010293 [ 73.815774][ T5315] RAX: ffffffff8b2a51d3 RBX: ffffffff8b2a4e4f RCX: ffff88801fbfc900 [ 73.819009][ T5315] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 73.822059][ T5315] RBP: 00000000ffffffff R08: ffffffff8b2a4e4f R09: ffffffff8e7602e0 [ 73.825261][ T5315] R10: dffffc0000000000 R11: ffffed100232ca7e R12: ffff8880125e0dc0 [ 73.828472][ T5315] R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000 [ 73.831683][ T5315] FS: 00007f5a4ba296c0(0000) GS:ffff88808ca5b000(0000) knlGS:0000000000000000 [ 73.835229][ T5315] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 73.837897][ T5315] CR2: 0000200000001080 CR3: 00000000447aa000 CR4: 0000000000352ef0 [ 73.841593][ T5315] Call Trace: [ 73.843096][ T5315] [ 73.844405][ T5315] 
mesh_plink_frame_tx+0x748/0xc20 [ 73.846676][ T5315] ? __pfx_mesh_plink_frame_tx+0x10/0x10 [ 73.849304][ T5315] ? hwmp_preq_frame_process+0xd80/0x14b0 [ 73.851915][ T5315] mesh_plink_deactivate+0x18e/0x2f0 [ 73.854456][ T5315] mesh_sta_cleanup+0x42/0x150 [ 73.856689][ T5315] cleanup_single_sta+0x40f/0x660 [ 73.858898][ T5315] ? sta_info_insert_rcu+0x2dd/0x2730 [ 73.861134][ T5315] sta_info_insert_rcu+0x1601/0x2730 [ 73.863291][ T5315] ? sta_info_insert_rcu+0x2dd/0x2730 [ 73.865420][ T5315] ? sta_apply_parameters+0xf12/0x1620 [ 73.867842][ T5315] ? ieee80211_add_station+0x4db/0x6a0 [ 73.870086][ T5315] sta_info_insert+0x16/0xc0 [ 73.872010][ T5315] rdev_add_station+0xfc/0x2c0 [ 73.874081][ T5315] nl80211_new_station+0x1864/0x1d30 [ 73.876286][ T5315] ? trace_contention_end+0x3d/0x150 [ 73.878525][ T5315] ? __pfx_nl80211_new_station+0x10/0x10 [ 73.880825][ T5315] ? __rtnl_unlock+0xc8/0xf0 [ 73.882869][ T5315] ? nl80211_pre_doit+0x4f1/0x930 [ 73.885119][ T5315] genl_family_rcv_msg_doit+0x22a/0x330 [ 73.887743][ T5315] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 [ 73.890581][ T5315] ? bpf_lsm_capable+0x9/0x20 [ 73.892461][ T5315] ? security_capable+0x7e/0x2c0 [ 73.894354][ T5315] genl_rcv_msg+0x61c/0x7a0 [ 73.896298][ T5315] ? __pfx_genl_rcv_msg+0x10/0x10 [ 73.898461][ T5315] ? __pfx_nl80211_pre_doit+0x10/0x10 [ 73.900916][ T5315] ? __pfx_nl80211_new_station+0x10/0x10 [ 73.903164][ T5315] ? __pfx_nl80211_post_doit+0x10/0x10 [ 73.905270][ T5315] ? __lock_acquire+0x6b5/0x2cf0 [ 73.907573][ T5315] netlink_rcv_skb+0x232/0x4b0 [ 73.909652][ T5315] ? __pfx_genl_rcv_msg+0x10/0x10 [ 73.911975][ T5315] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 73.914384][ T5315] ? down_read+0x272/0x2e0 [ 73.916402][ T5315] ? genl_rcv+0xd/0x40 [ 73.918212][ T5315] genl_rcv+0x28/0x40 [ 73.920063][ T5315] netlink_unicast+0x80f/0x9b0 [ 73.922196][ T5315] ? __pfx_netlink_unicast+0x10/0x10 [ 73.924606][ T5315] ? netlink_sendmsg+0x650/0xb40 [ 73.926881][ T5315] ? 
skb_put+0x11b/0x210 [ 73.928656][ T5315] netlink_sendmsg+0x813/0xb40 [ 73.930833][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 73.933171][ T5315] ? trace_sched_set_need_resched_tp+0x3e/0x160 [ 73.935920][ T5315] ? aa_sock_msg_perm+0xf1/0x1b0 [ 73.938143][ T5315] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 73.940216][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 73.942217][ T5315] ____sys_sendmsg+0xa68/0xad0 [ 73.944320][ T5315] ? __pfx_____sys_sendmsg+0x10/0x10 [ 73.947038][ T5315] ? import_iovec+0x73/0xa0 [ 73.949634][ T5315] ___sys_sendmsg+0x2a5/0x360 [ 73.952307][ T5315] ? __pfx____sys_sendmsg+0x10/0x10 [ 73.955156][ T5315] ? futex_wake+0x4ac/0x580 [ 73.957808][ T5315] ? __fget_files+0x2a/0x420 [ 73.960405][ T5315] ? __fget_files+0x3a0/0x420 [ 73.962504][ T5315] __x64_sys_sendmsg+0x1bd/0x2a0 [ 73.964724][ T5315] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 73.967421][ T5315] ? rcu_is_watching+0x15/0xb0 [ 73.970252][ T5315] do_syscall_64+0x14d/0xf80 [ 73.972860][ T5315] ? trace_irq_disable+0x3b/0x150 [ 73.975520][ T5315] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.978472][ T5315] ? 
clear_bhb_loop+0x40/0x90 [ 73.980864][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.983620][ T5315] RIP: 0033:0x7f5a4ab9c629 [ 73.985883][ T5315] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 73.994275][ T5315] RSP: 002b:00007f5a4ba29028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 73.997980][ T5315] RAX: ffffffffffffffda RBX: 00007f5a4ae15fa0 RCX: 00007f5a4ab9c629 [ 74.001387][ T5315] RDX: 0000000000000000 RSI: 0000200000001080 RDI: 0000000000000003 [ 74.004264][ T5315] RBP: 00007f5a4ac32b39 R08: 0000000000000000 R09: 0000000000000000 [ 74.007437][ T5315] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.010772][ T5315] R13: 00007f5a4ae16038 R14: 00007f5a4ae15fa0 R15: 00007ffdde6e4fd8 [ 74.013695][ T5315] [ 74.014950][ T5315] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 74.017957][ T5315] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 74.021555][ T5315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 74.025716][ T5315] Call Trace: [ 74.027080][ T5315] [ 74.028414][ T5315] vpanic+0x56c/0xa60 [ 74.030059][ T5315] ? __pfx__printk+0x10/0x10 [ 74.031960][ T5315] ? __pfx_vpanic+0x10/0x10 [ 74.033892][ T5315] ? is_bpf_text_address+0x292/0x2b0 [ 74.036156][ T5315] ? is_bpf_text_address+0x26/0x2b0 [ 74.038315][ T5315] panic+0xc5/0xd0 [ 74.039985][ T5315] ? __pfx_panic+0x10/0x10 [ 74.041832][ T5315] __warn+0x315/0x4f0 [ 74.043442][ T5315] ? ieee80211_tx_skb_tid+0x3b4/0x470 [ 74.045785][ T5315] ? ieee80211_tx_skb_tid+0x3b4/0x470 [ 74.048135][ T5315] __report_bug+0x29a/0x540 [ 74.050174][ T5315] ? ieee80211_tx_skb_tid+0x3b4/0x470 [ 74.052542][ T5315] ? __pfx___report_bug+0x10/0x10 [ 74.054702][ T5315] ? __lock_acquire+0x6b5/0x2cf0 [ 74.056786][ T5315] ? 
ieee80211_tx_skb_tid+0x3b4/0x470 [ 74.058959][ T5315] report_bug+0x16a/0x220 [ 74.060825][ T5315] ? ieee80211_tx_skb_tid+0x3b4/0x470 [ 74.063101][ T5315] ? ieee80211_tx_skb_tid+0x3b6/0x470 [ 74.065461][ T5315] handle_bug+0x98/0x200 [ 74.067328][ T5315] exc_invalid_op+0x1a/0x50 [ 74.069291][ T5315] asm_exc_invalid_op+0x1a/0x20 [ 74.071383][ T5315] RIP: 0010:ieee80211_tx_skb_tid+0x3b4/0x470 [ 74.073860][ T5315] Code: 73 77 f6 e9 b1 fe ff ff e8 69 49 9b f6 90 0f 0b 90 e9 e2 fe ff ff e8 5b 49 9b f6 90 0f 0b 90 e9 2a fe ff ff e8 4d 49 9b f6 90 <0f> 0b 90 e8 54 cc fd ff 31 ff 48 8b 34 24 ba 02 00 00 00 48 83 c4 [ 74.081802][ T5315] RSP: 0018:ffffc9000db86d98 EFLAGS: 00010293 [ 74.084420][ T5315] RAX: ffffffff8b2a51d3 RBX: ffffffff8b2a4e4f RCX: ffff88801fbfc900 [ 74.087849][ T5315] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 74.091292][ T5315] RBP: 00000000ffffffff R08: ffffffff8b2a4e4f R09: ffffffff8e7602e0 [ 74.096557][ T5315] R10: dffffc0000000000 R11: ffffed100232ca7e R12: ffff8880125e0dc0 [ 74.100158][ T5315] R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000 [ 74.103714][ T5315] ? ieee80211_tx_skb_tid+0x2f/0x470 [ 74.106144][ T5315] ? ieee80211_tx_skb_tid+0x2f/0x470 [ 74.108508][ T5315] ? ieee80211_tx_skb_tid+0x3b3/0x470 [ 74.110969][ T5315] ? ieee80211_tx_skb_tid+0x3b3/0x470 [ 74.113379][ T5315] mesh_plink_frame_tx+0x748/0xc20 [ 74.115165][ T5315] ? __pfx_mesh_plink_frame_tx+0x10/0x10 [ 74.117532][ T5315] ? hwmp_preq_frame_process+0xd80/0x14b0 [ 74.119996][ T5315] mesh_plink_deactivate+0x18e/0x2f0 [ 74.122335][ T5315] mesh_sta_cleanup+0x42/0x150 [ 74.124384][ T5315] cleanup_single_sta+0x40f/0x660 [ 74.126559][ T5315] ? sta_info_insert_rcu+0x2dd/0x2730 [ 74.128813][ T5315] sta_info_insert_rcu+0x1601/0x2730 [ 74.130909][ T5315] ? sta_info_insert_rcu+0x2dd/0x2730 [ 74.133054][ T5315] ? sta_apply_parameters+0xf12/0x1620 [ 74.135225][ T5315] ? 
ieee80211_add_station+0x4db/0x6a0 [ 74.137456][ T5315] sta_info_insert+0x16/0xc0 [ 74.139319][ T5315] rdev_add_station+0xfc/0x2c0 [ 74.141435][ T5315] nl80211_new_station+0x1864/0x1d30 [ 74.143898][ T5315] ? trace_contention_end+0x3d/0x150 [ 74.146312][ T5315] ? __pfx_nl80211_new_station+0x10/0x10 [ 74.148815][ T5315] ? __rtnl_unlock+0xc8/0xf0 [ 74.150944][ T5315] ? nl80211_pre_doit+0x4f1/0x930 [ 74.153200][ T5315] genl_family_rcv_msg_doit+0x22a/0x330 [ 74.155669][ T5315] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 [ 74.158110][ T5315] ? bpf_lsm_capable+0x9/0x20 [ 74.160094][ T5315] ? security_capable+0x7e/0x2c0 [ 74.162132][ T5315] genl_rcv_msg+0x61c/0x7a0 [ 74.163981][ T5315] ? __pfx_genl_rcv_msg+0x10/0x10 [ 74.166031][ T5315] ? __pfx_nl80211_pre_doit+0x10/0x10 [ 74.168294][ T5315] ? __pfx_nl80211_new_station+0x10/0x10 [ 74.170855][ T5315] ? __pfx_nl80211_post_doit+0x10/0x10 [ 74.173365][ T5315] ? __lock_acquire+0x6b5/0x2cf0 [ 74.175614][ T5315] netlink_rcv_skb+0x232/0x4b0 [ 74.177716][ T5315] ? __pfx_genl_rcv_msg+0x10/0x10 [ 74.179747][ T5315] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 74.181971][ T5315] ? down_read+0x272/0x2e0 [ 74.183901][ T5315] ? genl_rcv+0xd/0x40 [ 74.185744][ T5315] genl_rcv+0x28/0x40 [ 74.187938][ T5315] netlink_unicast+0x80f/0x9b0 [ 74.190516][ T5315] ? __pfx_netlink_unicast+0x10/0x10 [ 74.193443][ T5315] ? netlink_sendmsg+0x650/0xb40 [ 74.195957][ T5315] ? skb_put+0x11b/0x210 [ 74.197890][ T5315] netlink_sendmsg+0x813/0xb40 [ 74.200062][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.202238][ T5315] ? trace_sched_set_need_resched_tp+0x3e/0x160 [ 74.204994][ T5315] ? aa_sock_msg_perm+0xf1/0x1b0 [ 74.207139][ T5315] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 74.209222][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.211416][ T5315] ____sys_sendmsg+0xa68/0xad0 [ 74.213370][ T5315] ? __pfx_____sys_sendmsg+0x10/0x10 [ 74.215504][ T5315] ? import_iovec+0x73/0xa0 [ 74.217370][ T5315] ___sys_sendmsg+0x2a5/0x360 [ 74.219233][ T5315] ? 
__pfx____sys_sendmsg+0x10/0x10 [ 74.221333][ T5315] ? futex_wake+0x4ac/0x580 [ 74.223159][ T5315] ? __fget_files+0x2a/0x420 [ 74.225061][ T5315] ? __fget_files+0x3a0/0x420 [ 74.227041][ T5315] __x64_sys_sendmsg+0x1bd/0x2a0 [ 74.229094][ T5315] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 74.231364][ T5315] ? rcu_is_watching+0x15/0xb0 [ 74.233309][ T5315] do_syscall_64+0x14d/0xf80 [ 74.235270][ T5315] ? trace_irq_disable+0x3b/0x150 [ 74.237512][ T5315] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.240107][ T5315] ? clear_bhb_loop+0x40/0x90 [ 74.242139][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.244664][ T5315] RIP: 0033:0x7f5a4ab9c629 [ 74.246667][ T5315] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 74.254722][ T5315] RSP: 002b:00007f5a4ba29028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 74.258347][ T5315] RAX: ffffffffffffffda RBX: 00007f5a4ae15fa0 RCX: 00007f5a4ab9c629 [ 74.261623][ T5315] RDX: 0000000000000000 RSI: 0000200000001080 RDI: 0000000000000003 [ 74.264896][ T5315] RBP: 00007f5a4ac32b39 R08: 0000000000000000 R09: 0000000000000000 [ 74.268307][ T5315] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.271678][ T5315] R13: 00007f5a4ae16038 R14: 00007f5a4ae15fa0 R15: 00007ffdde6e4fd8 [ 74.274953][ T5315] [ 74.276654][ T5315] Kernel Offset: disabled [ 74.278443][ T5315] Rebooting in 86400 seconds..