program:
personality(0x400000)
io_setup(0x845, &(0x7f0000009840)=<r0=>0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r3=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r2, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r6=>0x0})
sendmsg$NL80211_CMD_CONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r5, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r6}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f0000000040)=@device_b, &(0x7f0000000280)=ANY=[@ANYBLOB="50000000080211000001ffffffffffff0802110000000000000000000000000064000100000602020202020201010b"], 0x48)
nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0)
syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f00000021c0)=ANY=[@ANYBLOB="b00000000802110000010802110000000802110000001000000002"], 0x1e)
syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000440)=ANY=[@ANYBLOB="10000000080211000001080211000000080211000000200004a000000c0001"], 0x3c)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r7, 0x8933, &(0x7f0000000240)={'wlan1\x00', <r8=>0x0})
r9 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000380), 0xffffffffffffffff)
sendmsg$NL80211_CMD_TDLS_MGMT(r7, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000580)={0x44, r9, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_STATUS_CODE={0x6}, @NL80211_ATTR_MAC={0xa, 0x6, @broadcast}, @NL80211_ATTR_TDLS_ACTION={0x5, 0x88, 0x2}, @NL80211_ATTR_IE={0x4}, @NL80211_ATTR_TDLS_DIALOG_TOKEN={0x5}]}, 0x44}, 0x1, 0x0, 0x0, 0x20000000}, 0x0)
r10 = socket(0x10, 0x803, 0x0)
r11 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000300), 0x149500, 0x0)
openat(r11, &(0x7f0000000480)='./file0\x00', 0x400000, 0x144)
sendto(r10, &(0x7f0000000740)="120000001200e7ef007b00000000000000a1", 0x12, 0x0, 0x0, 0x0)
uname(&(0x7f0000000000)=""/61)
recvmmsg$unix(r10, &(0x7f0000005e00)=[{{0x0, 0x0, 0x0}}], 0x1, 0x4102, 0x0)
io_getevents(r0, 0x4da, 0x2, &(0x7f0000000040)=[{}, {}], &(0x7f0000000080))
recvmmsg(r10, &(0x7f00000037c0)=[{{&(0x7f00000004c0)=@ethernet={0x0, @random}, 0x80, &(0x7f0000000380)=[{&(0x7f0000000140)=""/100, 0x64}, {&(0x7f0000000280)=""/85, 0x55}, {&(0x7f0000000fc0)=""/4096, 0x1000}, {&(0x7f0000000400)=""/106, 0x6a}, {&(0x7f0000000980)=""/69, 0x45}, {&(0x7f0000000200)=""/71, 0x47}, {&(0x7f00000007c0)=""/154, 0x9a}, {&(0x7f00000001c0)=""/17, 0x11}], 0x8, &(0x7f0000000600)=""/191, 0xbf}}], 0x1, 0x0, &(0x7f0000003700)={0x77359400})

[   75.507995][ T5330] Bluetooth: hci0: command tx timeout
[   75.598785][ T5351] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   75.631367][ T5349] wlan1: No basic rates, using min rate instead
[   75.636379][ T5349] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[   75.640616][ T5349] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[   75.654549][   T55] wlan1: authenticated
[   75.656689][ T5349] wlan1: associating to AP 08:02:11:00:00:00 with corrupt probe response
[   75.660919][ T5351] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   75.666797][   T55] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0xa004 status=0 aid=12)
[   75.672684][ T5351] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   75.680651][   T55] wlan1: No basic rates, using min rate instead
[   75.686699][   T55] wlan1: associated
[   75.690587][ T5351] ------------[ cut here ]------------
[   75.693566][ T5351] WARNING: CPU: 0 PID: 5351 at net/mac80211/tdls.c:611 ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010
[   75.699368][ T5351] Modules linked in:
[   75.701404][ T5351] CPU: 0 UID: 0 PID: 5351 Comm: syz.0.0 Not tainted 6.16.0-syzkaller-11322-g352af6a011d5 #0 PREEMPT(full) 
[   75.706659][ T5351] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   75.711651][ T5351] RIP: 0010:ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010
[   75.714997][ T5351] Code: fc ff df e9 9f fe ff ff e8 0c 4a b4 f6 90 0f 0b 90 e9 91 fe ff ff e8 fe 49 b4 f6 90 0f 0b 90 e9 83 fe ff ff e8 f0 49 b4 f6 90 <0f> 0b 90 e9 75 fe ff ff e8 e2 49 b4 f6 48 c7 c7 30 0e 7e 8f 4c 89
[   75.723844][ T5351] RSP: 0018:ffffc9000d42f080 EFLAGS: 00010287
[   75.726602][ T5351] RAX: ffffffff8b0b64b0 RBX: ffff888052d00d80 RCX: 0000000000100000
[   75.730562][ T5351] RDX: ffffc9000de0a000 RSI: 0000000000000311 RDI: 0000000000000312
[   75.734140][ T5351] RBP: ffffc9000d42f200 R08: 0000000000000000 R09: 000000000000000c
[   75.738312][ T5351] R10: 000000000000000c R11: 0000000000000002 R12: ffff888052d02500
[   75.741963][ T5351] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff888036780e40
[   75.745290][ T5351] FS:  00007fdd214516c0(0000) GS:ffff88808d21f000(0000) knlGS:0000000000000000
[   75.749278][ T5351] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   75.752285][ T5351] CR2: 00002000000021c0 CR3: 0000000043fbf000 CR4: 0000000000352ef0
[   75.756136][ T5351] Call Trace:
[   75.757965][ T5351]  <TASK>
[   75.759529][ T5351]  ? ieee80211_tdls_build_mgmt_packet_data+0xe5/0x4010
[   75.762981][ T5351]  ? __pfx_ieee80211_tdls_build_mgmt_packet_data+0x10/0x10
[   75.766067][ T5351]  ? sta_info_get+0x4f/0x2a0
[   75.768367][ T5351]  ieee80211_tdls_prep_mgmt_packet+0x3a4/0x820
[   75.770975][ T5351]  ? ieee80211_tdls_prep_mgmt_packet+0x40/0x820
[   75.773791][ T5351]  ieee80211_tdls_mgmt+0x32e/0x840
[   75.775967][ T5351]  ? __pfx___cfg80211_wdev_from_attrs+0x10/0x10
[   75.778664][ T5351]  nl80211_tdls_mgmt+0x4e7/0x770
[   75.780926][ T5351]  genl_family_rcv_msg_doit+0x212/0x300
[   75.784175][ T5351]  ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
[   75.786881][ T5351]  ? bpf_lsm_capable+0x9/0x20
[   75.790194][ T5351]  ? security_capable+0x7e/0x2e0
[   75.792204][ T5351]  genl_rcv_msg+0x60e/0x790
[   75.794119][ T5351]  ? __pfx_genl_rcv_msg+0x10/0x10
[   75.796334][ T5351]  ? __pfx_nl80211_pre_doit+0x10/0x10
[   75.798809][ T5351]  ? __pfx_nl80211_tdls_mgmt+0x10/0x10
[   75.801207][ T5351]  ? __pfx_nl80211_post_doit+0x10/0x10
[   75.803722][ T5351]  ? __asan_memcpy+0x40/0x70
[   75.806405][ T5351]  ? __pfx_ref_tracker_free+0x10/0x10
[   75.809688][ T5351]  netlink_rcv_skb+0x208/0x470
[   75.812219][ T5351]  ? __lock_acquire+0xab9/0xd20
[   75.814499][ T5351]  ? __pfx_genl_rcv_msg+0x10/0x10
[   75.816745][ T5351]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   75.819247][ T5351]  ? down_read+0x1ad/0x2e0
[   75.821293][ T5351]  genl_rcv+0x28/0x40
[   75.823129][ T5351]  netlink_unicast+0x82f/0x9e0
[   75.825314][ T5351]  ? __pfx_netlink_unicast+0x10/0x10
[   75.827707][ T5351]  ? netlink_sendmsg+0x642/0xb30
[   75.829713][ T5351]  ? skb_put+0x11b/0x210
[   75.831492][ T5351]  netlink_sendmsg+0x805/0xb30
[   75.833516][ T5351]  ? __pfx_netlink_sendmsg+0x10/0x10
[   75.835827][ T5351]  ? aa_sock_msg_perm+0x94/0x160
[   75.838125][ T5351]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[   75.840466][ T5351]  ? __pfx_netlink_sendmsg+0x10/0x10
[   75.842876][ T5351]  __sock_sendmsg+0x219/0x270
[   75.845110][ T5351]  ____sys_sendmsg+0x505/0x830
[   75.847518][ T5351]  ? __pfx_____sys_sendmsg+0x10/0x10
[   75.849837][ T5351]  ? import_iovec+0x74/0xa0
[   75.851842][ T5351]  ___sys_sendmsg+0x21f/0x2a0
[   75.854041][ T5351]  ? __pfx____sys_sendmsg+0x10/0x10
[   75.856562][ T5351]  ? __fget_files+0x2a/0x420
[   75.858858][ T5351]  ? __fget_files+0x3a0/0x420
[   75.861089][ T5351]  __x64_sys_sendmsg+0x19b/0x260
[   75.863416][ T5351]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[   75.866204][ T5351]  ? rcu_is_watching+0x15/0xb0
[   75.868649][ T5351]  ? do_syscall_64+0xbe/0x3b0
[   75.870959][ T5351]  do_syscall_64+0xfa/0x3b0
[   75.873056][ T5351]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.875302][ T5351]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.877869][ T5351]  ? clear_bhb_loop+0x60/0xb0
[   75.879935][ T5351]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.882455][ T5351] RIP: 0033:0x7fdd2058eb69
[   75.884469][ T5351] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   75.893140][ T5351] RSP: 002b:00007fdd21451038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   75.896776][ T5351] RAX: ffffffffffffffda RBX: 00007fdd207b5fa0 RCX: 00007fdd2058eb69
[   75.900544][ T5351] RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000005
[   75.904158][ T5351] RBP: 00007fdd20611df1 R08: 0000000000000000 R09: 0000000000000000
[   75.908061][ T5351] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   75.911606][ T5351] R13: 0000000000000000 R14: 00007fdd207b5fa0 R15: 00007ffd465be158
[   75.915106][ T5351]  </TASK>
[   75.916560][ T5351] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   75.920008][ T5351] CPU: 0 UID: 0 PID: 5351 Comm: syz.0.0 Not tainted 6.16.0-syzkaller-11322-g352af6a011d5 #0 PREEMPT(full) 
[   75.925175][ T5351] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   75.929798][ T5351] Call Trace:
[   75.931363][ T5351]  <TASK>
[   75.932721][ T5351]  dump_stack_lvl+0x99/0x250
[   75.934769][ T5351]  ? __asan_memcpy+0x40/0x70
[   75.936872][ T5351]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.939348][ T5351]  ? __pfx__printk+0x10/0x10
[   75.941855][ T5351]  vpanic+0x27a/0x730
[   75.943647][ T5351]  ? __pfx__printk+0x10/0x10
[   75.945652][ T5351]  ? __pfx_vpanic+0x10/0x10
[   75.947600][ T5351]  ? is_bpf_text_address+0x26/0x2b0
[   75.949840][ T5351]  panic+0xb9/0xc0
[   75.951501][ T5351]  ? __pfx_panic+0x10/0x10
[   75.953727][ T5351]  __warn+0x31b/0x4b0
[   75.955590][ T5351]  ? ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010
[   75.958693][ T5351]  ? ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010
[   75.961929][ T5351]  report_bug+0x2be/0x4f0
[   75.963870][ T5351]  ? ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010
[   75.966949][ T5351]  ? ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010
[   75.969788][ T5351]  ? ieee80211_tdls_build_mgmt_packet_data+0x2e63/0x4010
[   75.973032][ T5351]  handle_bug+0x84/0x160
[   75.975064][ T5351]  exc_invalid_op+0x1a/0x50
[   75.977200][ T5351]  asm_exc_invalid_op+0x1a/0x20
[   75.979392][ T5351] RIP: 0010:ieee80211_tdls_build_mgmt_packet_data+0x2e61/0x4010
[   75.982716][ T5351] Code: fc ff df e9 9f fe ff ff e8 0c 4a b4 f6 90 0f 0b 90 e9 91 fe ff ff e8 fe 49 b4 f6 90 0f 0b 90 e9 83 fe ff ff e8 f0 49 b4 f6 90 <0f> 0b 90 e9 75 fe ff ff e8 e2 49 b4 f6 48 c7 c7 30 0e 7e 8f 4c 89
[   75.990925][ T5351] RSP: 0018:ffffc9000d42f080 EFLAGS: 00010287
[   75.993677][ T5351] RAX: ffffffff8b0b64b0 RBX: ffff888052d00d80 RCX: 0000000000100000
[   75.997179][ T5351] RDX: ffffc9000de0a000 RSI: 0000000000000311 RDI: 0000000000000312
[   76.000354][ T5351] RBP: ffffc9000d42f200 R08: 0000000000000000 R09: 000000000000000c
[   76.003553][ T5351] R10: 000000000000000c R11: 0000000000000002 R12: ffff888052d02500
[   76.006753][ T5351] R13: dffffc0000000000 R14: 0000000000000000 R15: ffff888036780e40
[   76.010228][ T5351]  ? ieee80211_tdls_build_mgmt_packet_data+0x2e60/0x4010
[   76.013427][ T5351]  ? ieee80211_tdls_build_mgmt_packet_data+0xe5/0x4010
[   76.016442][ T5351]  ? __pfx_ieee80211_tdls_build_mgmt_packet_data+0x10/0x10
[   76.019547][ T5351]  ? sta_info_get+0x4f/0x2a0
[   76.021640][ T5351]  ieee80211_tdls_prep_mgmt_packet+0x3a4/0x820
[   76.024434][ T5351]  ? ieee80211_tdls_prep_mgmt_packet+0x40/0x820
[   76.027320][ T5351]  ieee80211_tdls_mgmt+0x32e/0x840
[   76.029715][ T5351]  ? __pfx___cfg80211_wdev_from_attrs+0x10/0x10
[   76.032573][ T5351]  nl80211_tdls_mgmt+0x4e7/0x770
[   76.034838][ T5351]  genl_family_rcv_msg_doit+0x212/0x300
[   76.037340][ T5351]  ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
[   76.040073][ T5351]  ? bpf_lsm_capable+0x9/0x20
[   76.042226][ T5351]  ? security_capable+0x7e/0x2e0
[   76.044497][ T5351]  genl_rcv_msg+0x60e/0x790
[   76.046499][ T5351]  ? __pfx_genl_rcv_msg+0x10/0x10
[   76.048542][ T5351]  ? __pfx_nl80211_pre_doit+0x10/0x10
[   76.050888][ T5351]  ? __pfx_nl80211_tdls_mgmt+0x10/0x10
[   76.053300][ T5351]  ? __pfx_nl80211_post_doit+0x10/0x10
[   76.055742][ T5351]  ? __asan_memcpy+0x40/0x70
[   76.057812][ T5351]  ? __pfx_ref_tracker_free+0x10/0x10
[   76.060309][ T5351]  netlink_rcv_skb+0x208/0x470
[   76.062550][ T5351]  ? __lock_acquire+0xab9/0xd20
[   76.064997][ T5351]  ? __pfx_genl_rcv_msg+0x10/0x10
[   76.067696][ T5351]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   76.070185][ T5351]  ? down_read+0x1ad/0x2e0
[   76.072181][ T5351]  genl_rcv+0x28/0x40
[   76.073870][ T5351]  netlink_unicast+0x82f/0x9e0
[   76.075947][ T5351]  ? __pfx_netlink_unicast+0x10/0x10
[   76.078246][ T5351]  ? netlink_sendmsg+0x642/0xb30
[   76.080420][ T5351]  ? skb_put+0x11b/0x210
[   76.082235][ T5351]  netlink_sendmsg+0x805/0xb30
[   76.084380][ T5351]  ? __pfx_netlink_sendmsg+0x10/0x10
[   76.086839][ T5351]  ? aa_sock_msg_perm+0x94/0x160
[   76.089150][ T5351]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[   76.091522][ T5351]  ? __pfx_netlink_sendmsg+0x10/0x10
[   76.093993][ T5351]  __sock_sendmsg+0x219/0x270
[   76.096276][ T5351]  ____sys_sendmsg+0x505/0x830
[   76.098413][ T5351]  ? __pfx_____sys_sendmsg+0x10/0x10
[   76.100784][ T5351]  ? import_iovec+0x74/0xa0
[   76.102887][ T5351]  ___sys_sendmsg+0x21f/0x2a0
[   76.105012][ T5351]  ? __pfx____sys_sendmsg+0x10/0x10
[   76.107417][ T5351]  ? __fget_files+0x2a/0x420
[   76.109504][ T5351]  ? __fget_files+0x3a0/0x420
[   76.111683][ T5351]  __x64_sys_sendmsg+0x19b/0x260
[   76.113961][ T5351]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[   76.116445][ T5351]  ? rcu_is_watching+0x15/0xb0
[   76.118710][ T5351]  ? do_syscall_64+0xbe/0x3b0
[   76.120985][ T5351]  do_syscall_64+0xfa/0x3b0
[   76.123319][ T5351]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.126112][ T5351]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.128949][ T5351]  ? clear_bhb_loop+0x60/0xb0
[   76.131055][ T5351]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.133697][ T5351] RIP: 0033:0x7fdd2058eb69
[   76.135670][ T5351] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   76.144002][ T5351] RSP: 002b:00007fdd21451038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   76.147855][ T5351] RAX: ffffffffffffffda RBX: 00007fdd207b5fa0 RCX: 00007fdd2058eb69
[   76.151323][ T5351] RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000005
[   76.154819][ T5351] RBP: 00007fdd20611df1 R08: 0000000000000000 R09: 0000000000000000
[   76.158489][ T5351] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   76.162520][ T5351] R13: 0000000000000000 R14: 00007fdd207b5fa0 R15: 00007ffd465be158
[   76.166032][ T5351]  </TASK>
[   76.167785][ T5351] Kernel Offset: disabled
[   76.169709][ T5351] Rebooting in 86400 seconds..