------------[ cut here ]------------
intf 08:02:11:00:00:01 [link=0]: bad STA 00:00:00:ff:ff:ff bandwidth 20 MHz (0) > channel config 10 MHz (7)
WARNING: drivers/net/wireless/virtual/mac80211_hwsim.c:2693 at mac80211_hwsim_sta_rc_update+0x5dc/0x840 drivers/net/wireless/virtual/mac80211_hwsim.c:2693, CPU#2: kworker/u32:0/12
Modules linked in:
CPU: 2 UID: 0 PID: 12 Comm: kworker/u32:0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:mac80211_hwsim_sta_rc_update+0x5fe/0x840 drivers/net/wireless/virtual/mac80211_hwsim.c:2693
Code: 00 48 8d 3d 74 27 b0 09 48 8b 4c 24 10 48 8b 44 24 20 89 da 44 8b 89 b8 01 00 00 55 48 8d b0 72 05 00 00 41 57 44 8b 44 24 14 <67> 48 0f b9 3a 58 5a e9 3b fc ff ff e8 11 7e f3 fa e8 5c 4a 63 04
RSP: 0018:ffffc900000f7888 EFLAGS: 00010246
RAX: ffff88803d23aa60 RBX: 0000000000000000 RCX: ffff888030254ec0
RDX: 0000000000000000 RSI: ffff88803d23afd2 RDI: ffffffff90c3a490
RBP: 0000000000000007 R08: 0000000000000014 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff888030255088 R14: ffff88803889b100 R15: 000000000000000a
FS:  0000000000000000(0000) GS:ffff8880d67d9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e124008 CR3: 0000000057da2000 CR4: 0000000000352ef0
Call Trace:
 mac80211_hwsim_sta_add+0xc9/0x290 drivers/net/wireless/virtual/mac80211_hwsim.c:2713
 drv_sta_add net/mac80211/driver-ops.h:470 [inline]
 drv_sta_state+0x826/0x17b0 net/mac80211/driver-ops.c:155
 sta_info_insert_drv_state net/mac80211/sta_info.c:824 [inline]
 sta_info_insert_finish net/mac80211/sta_info.c:932 [inline]
 sta_info_insert_rcu+0x170b/0x2fa0 net/mac80211/sta_info.c:1009
 ieee80211_ocb_finish_sta net/mac80211/ocb.c:105 [inline]
 ieee80211_ocb_work+0x34d/0x650 net/mac80211/ocb.c:139
 ieee80211_iface_work+0x431/0x1350 net/mac80211/iface.c:1824
 cfg80211_wiphy_work+0x3f7/0x560 net/wireless/core.c:438
 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
 kthread+0x3b3/0x730 kernel/kthread.c:463
 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
----------------
Code disassembly (best guess):
   0:   00 48 8d                add    %cl,-0x73(%rax)
   3:   3d 74 27 b0 09          cmp    $0x9b02774,%eax
   8:   48 8b 4c 24 10          mov    0x10(%rsp),%rcx
   d:   48 8b 44 24 20          mov    0x20(%rsp),%rax
  12:   89 da                   mov    %ebx,%edx
  14:   44 8b 89 b8 01 00 00    mov    0x1b8(%rcx),%r9d
  1b:   55                      push   %rbp
  1c:   48 8d b0 72 05 00 00    lea    0x572(%rax),%rsi
  23:   41 57                   push   %r15
  25:   44 8b 44 24 14          mov    0x14(%rsp),%r8d
* 2a:   67 48 0f b9 3a          ud1    (%edx),%rdi      <-- trapping instruction
  2f:   58                      pop    %rax
  30:   5a                      pop    %rdx
  31:   e9 3b fc ff ff          jmp    0xfffffc71
  36:   e8 11 7e f3 fa          call   0xfaf37e4c
  3b:   e8 5c 4a 63 04          call   0x4634a9c