program:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000700)={'wlan1\x00', <r2=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r4=>0x0})
sendmsg$NL80211_CMD_CONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, 0x0, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r7=>0x0})
r8 = socket$nl_generic(0x10, 0x3, 0x10)
r9 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000000), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r8, 0x8933, &(0x7f0000000700)={'wlan1\x00', <r10=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r8, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x1c, r9, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r10}, @void}}}, 0x1c}, 0x1, 0x0, 0x0, 0x4}, 0x0)
sendmsg$NL80211_CMD_TRIGGER_SCAN(r8, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)=ANY=[@ANYBLOB=' \x00\x00\x00', @ANYRES16=r9, @ANYBLOB="0500000000000000000021"], 0x20}, 0x1, 0x0, 0x0, 0x20000000}, 0x0)
syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000100)=ANY=[@ANYBLOB="5000000008021100000108021100000008021100000000000000000000000000010001000006020202020202010182"], 0x54)
r11 = socket$nl_generic(0x10, 0x3, 0x10)
r12 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r11, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r13=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r11, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r12, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r13}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r11, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x28, r12, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r13}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}, 0x1, 0x0, 0x0, 0x800}, 0x0)
sendmsg$NL80211_CMD_TDLS_OPER(r5, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000001c0)={0x30, r6, 0xfd39e943ccf1163b, 0x70bd25, 0x25dfdbfd, {{}, {@val={0x8, 0x3, r7}, @void}}, [@NL80211_ATTR_TDLS_OPERATION={0x5, 0x8a, 0x4}, @NL80211_ATTR_MAC={0xa}]}, 0x30}, 0x1, 0x0, 0x0, 0x20000010}, 0x50)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2, 0x1}]}, @void, @void, @void, @void, @void, @void}, 0x2f)
r14 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x41, 0x0)
write$binfmt_aout(r14, &(0x7f00000000c0)=ANY=[], 0xff2e)
syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000580)=ANY=[@ANYBLOB="b00000000802110000010802110000000802110000001000000002"], 0x1e)
syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000500)=ANY=[@ANYBLOB="10000000080211000001080211000000080211000000200001000000010001"], 0x20)
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val, @void, @void, @void, @void, @void, @void}, 0x2e)

[   69.234532][ T4670] Bluetooth: hci0: command tx timeout
[   69.327036][ T5324] netlink: 4 bytes leftover after parsing attributes in process `syz.0.0'.
[   69.346156][ T5324] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   69.360059][ T5324] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[   69.364149][ T5324] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[   69.375376][ T5324] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   69.436779][ T1086] wlan1: authenticated
[   69.438957][ T1086] ------------[ cut here ]------------
[   69.441087][ T1086] wlan1: STA 08:02:11:00:00:00 not found
[   69.441737][ T1086] WARNING: CPU: 0 PID: 1086 at net/mac80211/mlme.c:4534 ieee80211_mark_sta_auth+0x36c/0x400
[   69.447958][ T1086] Modules linked in:
[   69.449567][ T1086] CPU: 0 UID: 0 PID: 1086 Comm: kworker/u4:10 Not tainted 6.14.0-rc2-syzkaller-00346-gba643b6d8440 #0
[   69.454251][ T1086] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   69.460726][ T1086] Workqueue: events_unbound cfg80211_wiphy_work
[   69.463295][ T1086] RIP: 0010:ieee80211_mark_sta_auth+0x36c/0x400
[   69.466170][ T1086] Code: 90 0f 0b 90 e9 8a fd ff ff e8 10 11 31 f6 c6 05 83 5f 96 04 01 90 48 c7 c7 60 56 4b 8d 48 8b 34 24 4c 89 fa e8 55 d4 f0 f5 90 <0f> 0b 90 90 eb 8e 48 c7 c1 10 10 3d 90 80 e1 07 80 c1 03 38 c1 0f
[   69.475180][ T1086] RSP: 0018:ffffc9000271f500 EFLAGS: 00010246
[   69.477934][ T1086] RAX: 35574aca9bdf4d00 RBX: 00000000ffffa546 RCX: 0000000000100000
[   69.482260][ T1086] RDX: ffffc90023007000 RSI: 0000000000000a29 RDI: 0000000000000a2a
[   69.485345][ T1086] RBP: 00000000ffffa737 R08: ffffffff81817e32 R09: 1ffff11003f8519a
[   69.488421][ T1086] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff8880442e0d80
[   69.491621][ T1086] R13: 00000000ffffa737 R14: dffffc0000000000 R15: ffff88804258f640
[   69.495382][ T1086] FS:  0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   69.500069][ T1086] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   69.502663][ T1086] CR2: 00007f2cca563f98 CR3: 0000000035e3e000 CR4: 0000000000352ef0
[   69.505673][ T1086] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   69.508669][ T1086] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   69.511649][ T1086] Call Trace:
[   69.513050][ T1086]  <TASK>
[   69.514353][ T1086]  ? __warn+0x165/0x4d0
[   69.516373][ T1086]  ? ieee80211_mark_sta_auth+0x36c/0x400
[   69.519122][ T1086]  ? report_bug+0x2b3/0x500
[   69.520907][ T1086]  ? ieee80211_mark_sta_auth+0x36c/0x400
[   69.523112][ T1086]  ? handle_bug+0x60/0x90
[   69.524777][ T1086]  ? exc_invalid_op+0x1a/0x50
[   69.526673][ T1086]  ? asm_exc_invalid_op+0x1a/0x20
[   69.528626][ T1086]  ? __warn_printk+0x292/0x360
[   69.530793][ T1086]  ? ieee80211_mark_sta_auth+0x36c/0x400
[   69.533832][ T1086]  ieee80211_sta_rx_queued_mgmt+0x25c0/0x4e30
[   69.536902][ T1086]  ? __pfx_validate_chain+0x10/0x10
[   69.539080][ T1086]  ? __pfx_validate_chain+0x10/0x10
[   69.540969][ T1086]  ? __pfx_ieee80211_sta_rx_queued_mgmt+0x10/0x10
[   69.543541][ T1086]  ? __pfx_validate_chain+0x10/0x10
[   69.545597][ T1086]  ? do_raw_spin_lock+0x14f/0x370
[   69.547499][ T1086]  ? __pfx_validate_chain+0x10/0x10
[   69.550094][ T1086]  ? mark_lock+0x9a/0x360
[   69.552004][ T1086]  ? mark_lock+0x9a/0x360
[   69.554000][ T1086]  ? __lock_acquire+0x1397/0x2100
[   69.556378][ T1086]  ? mark_lock+0x9a/0x360
[   69.558196][ T1086]  ? __lock_acquire+0x1397/0x2100
[   69.560121][ T1086]  ? mark_lock+0x9a/0x360
[   69.561775][ T1086]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   69.565049][ T1086]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   69.567536][ T1086]  ieee80211_iface_work+0x77a/0xf90
[   69.569522][ T1086]  cfg80211_wiphy_work+0x2f0/0x490
[   69.571677][ T1086]  ? process_scheduled_works+0x9c6/0x18e0
[   69.575504][ T1086]  process_scheduled_works+0xabe/0x18e0
[   69.577788][ T1086]  ? __pfx_process_scheduled_works+0x10/0x10
[   69.579864][ T1086]  ? assign_work+0x364/0x3d0
[   69.581445][ T1086]  worker_thread+0x870/0xd30
[   69.583335][ T1086]  ? __kthread_parkme+0x169/0x1d0
[   69.585309][ T1086]  ? __pfx_worker_thread+0x10/0x10
[   69.587476][ T1086]  kthread+0x7a9/0x920
[   69.589299][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.591630][ T1086]  ? __pfx_worker_thread+0x10/0x10
[   69.594426][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.596462][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.598278][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.600090][ T1086]  ? _raw_spin_unlock_irq+0x23/0x50
[   69.602047][ T1086]  ? lockdep_hardirqs_on+0x99/0x150
[   69.604165][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.606243][ T1086]  ret_from_fork+0x4b/0x80
[   69.608154][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.610357][ T1086]  ret_from_fork_asm+0x1a/0x30
[   69.612707][ T1086]  </TASK>
[   69.614072][ T1086] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   69.617081][ T1086] CPU: 0 UID: 0 PID: 1086 Comm: kworker/u4:10 Not tainted 6.14.0-rc2-syzkaller-00346-gba643b6d8440 #0
[   69.621627][ T1086] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   69.627489][ T1086] Workqueue: events_unbound cfg80211_wiphy_work
[   69.630729][ T1086] Call Trace:
[   69.632061][ T1086]  <TASK>
[   69.633248][ T1086]  dump_stack_lvl+0x241/0x360
[   69.635124][ T1086]  ? __pfx_dump_stack_lvl+0x10/0x10
[   69.636963][ T1086]  ? __pfx__printk+0x10/0x10
[   69.638610][ T1086]  ? _printk+0xd5/0x120
[   69.640061][ T1086]  ? __init_begin+0x41000/0x41000
[   69.641890][ T1086]  ? vscnprintf+0x5d/0x90
[   69.643424][ T1086]  panic+0x349/0x880
[   69.644917][ T1086]  ? __warn+0x174/0x4d0
[   69.646531][ T1086]  ? __pfx_panic+0x10/0x10
[   69.648281][ T1086]  ? ret_from_fork_asm+0x1a/0x30
[   69.650252][ T1086]  __warn+0x344/0x4d0
[   69.652089][ T1086]  ? ieee80211_mark_sta_auth+0x36c/0x400
[   69.654927][ T1086]  report_bug+0x2b3/0x500
[   69.657101][ T1086]  ? ieee80211_mark_sta_auth+0x36c/0x400
[   69.659386][ T1086]  handle_bug+0x60/0x90
[   69.661052][ T1086]  exc_invalid_op+0x1a/0x50
[   69.662908][ T1086]  asm_exc_invalid_op+0x1a/0x20
[   69.664871][ T1086] RIP: 0010:ieee80211_mark_sta_auth+0x36c/0x400
[   69.667125][ T1086] Code: 90 0f 0b 90 e9 8a fd ff ff e8 10 11 31 f6 c6 05 83 5f 96 04 01 90 48 c7 c7 60 56 4b 8d 48 8b 34 24 4c 89 fa e8 55 d4 f0 f5 90 <0f> 0b 90 90 eb 8e 48 c7 c1 10 10 3d 90 80 e1 07 80 c1 03 38 c1 0f
[   69.675246][ T1086] RSP: 0018:ffffc9000271f500 EFLAGS: 00010246
[   69.677684][ T1086] RAX: 35574aca9bdf4d00 RBX: 00000000ffffa546 RCX: 0000000000100000
[   69.680754][ T1086] RDX: ffffc90023007000 RSI: 0000000000000a29 RDI: 0000000000000a2a
[   69.683859][ T1086] RBP: 00000000ffffa737 R08: ffffffff81817e32 R09: 1ffff11003f8519a
[   69.686933][ T1086] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff8880442e0d80
[   69.690427][ T1086] R13: 00000000ffffa737 R14: dffffc0000000000 R15: ffff88804258f640
[   69.694013][ T1086]  ? __warn_printk+0x292/0x360
[   69.696205][ T1086]  ieee80211_sta_rx_queued_mgmt+0x25c0/0x4e30
[   69.698664][ T1086]  ? __pfx_validate_chain+0x10/0x10
[   69.700686][ T1086]  ? __pfx_validate_chain+0x10/0x10
[   69.702722][ T1086]  ? __pfx_ieee80211_sta_rx_queued_mgmt+0x10/0x10
[   69.705271][ T1086]  ? __pfx_validate_chain+0x10/0x10
[   69.707407][ T1086]  ? do_raw_spin_lock+0x14f/0x370
[   69.709651][ T1086]  ? __pfx_validate_chain+0x10/0x10
[   69.712532][ T1086]  ? mark_lock+0x9a/0x360
[   69.714678][ T1086]  ? mark_lock+0x9a/0x360
[   69.716659][ T1086]  ? __lock_acquire+0x1397/0x2100
[   69.718627][ T1086]  ? mark_lock+0x9a/0x360
[   69.720318][ T1086]  ? __lock_acquire+0x1397/0x2100
[   69.722237][ T1086]  ? mark_lock+0x9a/0x360
[   69.723919][ T1086]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   69.726290][ T1086]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   69.728990][ T1086]  ieee80211_iface_work+0x77a/0xf90
[   69.731736][ T1086]  cfg80211_wiphy_work+0x2f0/0x490
[   69.734147][ T1086]  ? process_scheduled_works+0x9c6/0x18e0
[   69.736400][ T1086]  process_scheduled_works+0xabe/0x18e0
[   69.738464][ T1086]  ? __pfx_process_scheduled_works+0x10/0x10
[   69.740667][ T1086]  ? assign_work+0x364/0x3d0
[   69.742412][ T1086]  worker_thread+0x870/0xd30
[   69.744111][ T1086]  ? __kthread_parkme+0x169/0x1d0
[   69.746126][ T1086]  ? __pfx_worker_thread+0x10/0x10
[   69.748097][ T1086]  kthread+0x7a9/0x920
[   69.749656][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.751546][ T1086]  ? __pfx_worker_thread+0x10/0x10
[   69.754018][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.756375][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.758267][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.760283][ T1086]  ? _raw_spin_unlock_irq+0x23/0x50
[   69.762253][ T1086]  ? lockdep_hardirqs_on+0x99/0x150
[   69.764018][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.765871][ T1086]  ret_from_fork+0x4b/0x80
[   69.767391][ T1086]  ? __pfx_kthread+0x10/0x10
[   69.769219][ T1086]  ret_from_fork_asm+0x1a/0x30
[   69.771323][ T1086]  </TASK>
[   69.773136][ T1086] Kernel Offset: disabled
[   69.775443][ T1086] Rebooting in 86400 seconds..