program:
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000480)={&(0x7f0000000bc0)=@delchain={0x11c, 0x65, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {0x2, 0x2}, {0x0, 0x9}, {0x0, 0xa}}, [@TCA_CHAIN={0x8}, @TCA_RATE={0x6}, @TCA_RATE={0x6, 0x5, {0x4, 0x10}}, @filter_kind_options=@f_route={{0xa}, {0xd4, 0x2, [@TCA_ROUTE4_FROM={0x8, 0x3, 0x69}, @TCA_ROUTE4_FROM={0x8}, @TCA_ROUTE4_ACT={0xc0, 0x6, [@m_simple={0xbc, 0xd, 0x0, 0x0, {{0xb}, {0x4}, {0x8d, 0x6, "e59f3a5f6a4fee51382d38a9f8d5b8f5f83616139e982c4ebc8e8a3c02db708a51159d97ac2cf4d0263ca34bf3e8443387a26b8bb3bb52673c92f9a03e1f602615d75db316bbe575fff7c75b2f8991415f551f35c70b3f7113d71cb8c805f9f7f2f027254a508341f8ae41a305777227b2f36e0fabf6c1b2b1278519676bdf9bfc49917d1fb0fef5b8"}, {0xc, 0x7, {0x0, 0x1}}, {0xc, 0x8, {0x2, 0x2}}}}]}]}}]}, 0x11c}, 0x1, 0x0, 0x0, 0x91}, 0x0)
r0 = socket(0x10, 0x803, 0x0)
sendto(r0, &(0x7f0000000740)="120000001200e7ef007b00000000000000a1", 0x12, 0x0, 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r3=>0x0})
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000000), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8933, &(0x7f0000000700)={'wlan1\x00', <r6=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r4, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x1c, r5, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r6}, @void}}}, 0x1c}, 0x1, 0x0, 0x0, 0x4}, 0x0)
sendmsg$NL80211_CMD_TRIGGER_SCAN(r4, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)=ANY=[@ANYBLOB=' \x00\x00\x00', @ANYRES16=r5, @ANYBLOB="0500000000000000000021"], 0x20}, 0x1, 0x0, 0x0, 0x20000000}, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r7, 0x8933, &(0x7f00000002c0)={'wlan0\x00', <r9=>0x0})
sendmsg$NL80211_CMD_FRAME(r7, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000640)={&(0x7f00000000c0)={0x44, r8, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r9}, @void}}, [@NL80211_ATTR_FRAME={0x28, 0x33, @action={{{}, {}, @device_b}, @channel_switch={0x0, 0x4, {{0x25, 0x3}, @val={0x3e, 0x1}, @void}}}}]}, 0x44}}, 0x0)
syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000100)=ANY=[@ANYBLOB="5000000008021100000108021100000008021100000000000000000000000000010001000006020202020202010182"], 0x54)
r10 = openat$vnet(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0)
ioctl$VHOST_GET_FEATURES(r10, 0x4008af25, &(0x7f0000000100))
r11 = socket$nl_generic(0x10, 0x3, 0x10)
r12 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r11, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r13=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r11, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r12, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r13}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_CONNECT(r11, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x28, r12, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r13}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}, 0x1, 0x0, 0x0, 0x800}, 0x0)
sendmsg$NL80211_CMD_TDLS_OPER(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000040)={0x3c, r2, 0xfd39e943ccf1163b, 0x70bd25, 0x25dfdbfd, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_TDLS_OPERATION={0x5, 0x8a, 0x3}]}, 0x3c}, 0x1, 0x0, 0x0, 0x20000010}, 0x50)
recvmmsg(r0, &(0x7f00000037c0)=[{{&(0x7f00000004c0)=@ethernet={0x0, @random}, 0xfdf4, &(0x7f0000000380)=[{&(0x7f0000000140)=""/100, 0x365}, {&(0x7f0000000280)=""/85, 0x7c}, {&(0x7f0000000fc0)=""/4096, 0x197}, {&(0x7f0000000400)=""/106, 0x645}, {&(0x7f0000000980)=""/73, 0x1b}, {&(0x7f0000000200)=""/77, 0x14}, {&(0x7f00000007c0)=""/154, 0x21}, {&(0x7f00000001c0)=""/17, 0x1d8}], 0x21, &(0x7f0000000600)=""/191, 0x41}}], 0x4000000000003b4, 0x0, &(0x7f0000003700)={0x77359400})

[ 74.931543][ T5305] Bluetooth: hci0: command tx timeout
[ 75.030122][ T5319] netlink: 4 bytes leftover after parsing attributes in process `syz.0.0'.
[ 75.057687][ T5319] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[ 75.078052][ T5319] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[ 75.081505][ T5319] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[ 75.086359][ T5319] ------------[ cut here ]------------
[ 75.088710][ T5319] WARNING: CPU: 0 PID: 5319 at net/mac80211/tdls.c:1461 ieee80211_tdls_oper+0x364/0x640
[ 75.092764][ T5319] Modules linked in:
[ 75.094849][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-12141-gec7714e49479 #0 PREEMPT(full)
[ 75.099792][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 75.104887][ T5319] RIP: 0010:ieee80211_tdls_oper+0x364/0x640
[ 75.107651][ T5319] Code: 6f 01 00 00 e8 ad d1 c8 f6 eb 22 e8 a6 d1 c8 f6 4c 89 e2 eb 21 e8 9c d1 c8 f6 b8 bd ff ff ff e9 1c fe ff ff e8 8d d1 c8 f6 90 <0f> 0b 90 4c 8b 7c 24 08 48 8b 14 24 4d 8d a7 2a 1d 00 00 4c 89 e0
[ 75.116288][ T5319] RSP: 0018:ffffc9000d3673a0 EFLAGS: 00010283
[ 75.119064][ T5319] RAX: ffffffff8af78a43 RBX: dffffc0000000000 RCX: 0000000000100000
[ 75.122648][ T5319] RDX: ffffc9000dc52000 RSI: 000000000000036f RDI: 0000000000000370
[ 75.126646][ T5319] RBP: 0000000000000000 R08: ffff8880403f0187 R09: 1ffff1100807e030
[ 75.130565][ T5319] R10: dffffc0000000000 R11: ffffed100807e031 R12: ffff888052789d2e
[ 75.134563][ T5319] R13: ffff888052788d80 R14: 1ffff1100a4f12e4 R15: 0000000000000000
[ 75.138385][ T5319] FS: 00007f6ffb0da6c0(0000) GS:ffff88808d255000(0000) knlGS:0000000000000000
[ 75.142308][ T5319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.145665][ T5319] CR2: 000055df5180a660 CR3: 000000003f73a000 CR4: 0000000000352ef0
[ 75.149047][ T5319] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 75.152470][ T5319] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 75.156450][ T5319] Call Trace:
[ 75.157958][ T5319] <TASK>
[ 75.159247][ T5319] nl80211_tdls_oper+0x285/0x440
[ 75.161448][ T5319] genl_family_rcv_msg_doit+0x212/0x300
[ 75.164212][ T5319] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
[ 75.166899][ T5319] ? bpf_lsm_capable+0x9/0x20
[ 75.169026][ T5319] ? security_capable+0x7e/0x2e0
[ 75.171202][ T5319] genl_rcv_msg+0x60e/0x790
[ 75.173173][ T5319] ? __pfx_genl_rcv_msg+0x10/0x10
[ 75.175688][ T5319] ? ref_tracker_free+0x63a/0x7d0
[ 75.178018][ T5319] ? __pfx_nl80211_pre_doit+0x10/0x10
[ 75.180444][ T5319] ? __pfx_nl80211_tdls_oper+0x10/0x10
[ 75.182846][ T5319] ? __pfx_nl80211_post_doit+0x10/0x10
[ 75.185275][ T5319] ? __pfx_ref_tracker_free+0x10/0x10
[ 75.187850][ T5319] netlink_rcv_skb+0x208/0x470
[ 75.190054][ T5319] ? __pfx_genl_rcv_msg+0x10/0x10
[ 75.192416][ T5319] ? __pfx_netlink_rcv_skb+0x10/0x10
[ 75.195478][ T5319] ? down_read+0x1ad/0x2e0
[ 75.197597][ T5319] genl_rcv+0x28/0x40
[ 75.199335][ T5319] netlink_unicast+0x75b/0x8d0
[ 75.201643][ T5319] netlink_sendmsg+0x805/0xb30
[ 75.203831][ T5319] ? __pfx_netlink_sendmsg+0x10/0x10
[ 75.206313][ T5319] ? aa_sock_msg_perm+0x94/0x160
[ 75.208788][ T5319] ? bpf_lsm_socket_sendmsg+0x9/0x20
[ 75.211070][ T5319] ? __pfx_netlink_sendmsg+0x10/0x10
[ 75.213501][ T5319] __sock_sendmsg+0x21c/0x270
[ 75.215720][ T5319] ____sys_sendmsg+0x505/0x830
[ 75.218030][ T5319] ? __pfx_____sys_sendmsg+0x10/0x10
[ 75.220551][ T5319] ? import_iovec+0x74/0xa0
[ 75.222631][ T5319] ___sys_sendmsg+0x21f/0x2a0
[ 75.225078][ T5319] ? __pfx____sys_sendmsg+0x10/0x10
[ 75.227403][ T5319] ? __fget_files+0x2a/0x420
[ 75.229700][ T5319] ? __fget_files+0x3a0/0x420
[ 75.231781][ T5319] __x64_sys_sendmsg+0x19b/0x260
[ 75.234207][ T5319] ? __pfx___x64_sys_sendmsg+0x10/0x10
[ 75.236593][ T5319] ? rcu_is_watching+0x15/0xb0
[ 75.238694][ T5319] ? do_syscall_64+0xbe/0x3b0
[ 75.240879][ T5319] do_syscall_64+0xfa/0x3b0
[ 75.243178][ T5319] ? lockdep_hardirqs_on+0x9c/0x150
[ 75.245804][ T5319] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.248749][ T5319] ? clear_bhb_loop+0x60/0xb0
[ 75.251008][ T5319] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.253940][ T5319] RIP: 0033:0x7f6ffa18e929
[ 75.256082][ T5319] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 75.265134][ T5319] RSP: 002b:00007f6ffb0da038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 75.268951][ T5319] RAX: ffffffffffffffda RBX: 00007f6ffa3b5fa0 RCX: 00007f6ffa18e929
[ 75.272577][ T5319] RDX: 0000000000000050 RSI: 0000200000000240 RDI: 0000000000000004
[ 75.276328][ T5319] RBP: 00007f6ffa210b39 R08: 0000000000000000 R09: 0000000000000000
[ 75.279744][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 75.283030][ T5319] R13: 0000000000000000 R14: 00007f6ffa3b5fa0 R15: 00007ffc9d51ee78
[ 75.286447][ T5319] </TASK>
[ 75.287624][ T5319] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 75.291054][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-12141-gec7714e49479 #0 PREEMPT(full)
[ 75.296043][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 75.300627][ T5319] Call Trace:
[ 75.302104][ T5319] <TASK>
[ 75.303485][ T5319] dump_stack_lvl+0x99/0x250
[ 75.305563][ T5319] ? __asan_memcpy+0x40/0x70
[ 75.307476][ T5319] ? __pfx_dump_stack_lvl+0x10/0x10
[ 75.309813][ T5319] ? __pfx__printk+0x10/0x10
[ 75.311927][ T5319] panic+0x2db/0x790
[ 75.313982][ T5319] ? __pfx_panic+0x10/0x10
[ 75.316409][ T5319] ? show_trace_log_lvl+0x4fb/0x550
[ 75.318808][ T5319] __warn+0x31b/0x4b0
[ 75.320632][ T5319] ? ieee80211_tdls_oper+0x364/0x640
[ 75.323054][ T5319] ? ieee80211_tdls_oper+0x364/0x640
[ 75.325540][ T5319] report_bug+0x2be/0x4f0
[ 75.327587][ T5319] ? ieee80211_tdls_oper+0x364/0x640
[ 75.330031][ T5319] ? ieee80211_tdls_oper+0x364/0x640
[ 75.332489][ T5319] ? ieee80211_tdls_oper+0x366/0x640
[ 75.334900][ T5319] handle_bug+0x84/0x160
[ 75.336891][ T5319] exc_invalid_op+0x1a/0x50
[ 75.339110][ T5319] asm_exc_invalid_op+0x1a/0x20
[ 75.341206][ T5319] RIP: 0010:ieee80211_tdls_oper+0x364/0x640
[ 75.343679][ T5319] Code: 6f 01 00 00 e8 ad d1 c8 f6 eb 22 e8 a6 d1 c8 f6 4c 89 e2 eb 21 e8 9c d1 c8 f6 b8 bd ff ff ff e9 1c fe ff ff e8 8d d1 c8 f6 90 <0f> 0b 90 4c 8b 7c 24 08 48 8b 14 24 4d 8d a7 2a 1d 00 00 4c 89 e0
[ 75.352061][ T5319] RSP: 0018:ffffc9000d3673a0 EFLAGS: 00010283
[ 75.354653][ T5319] RAX: ffffffff8af78a43 RBX: dffffc0000000000 RCX: 0000000000100000
[ 75.358228][ T5319] RDX: ffffc9000dc52000 RSI: 000000000000036f RDI: 0000000000000370
[ 75.361778][ T5319] RBP: 0000000000000000 R08: ffff8880403f0187 R09: 1ffff1100807e030
[ 75.365135][ T5319] R10: dffffc0000000000 R11: ffffed100807e031 R12: ffff888052789d2e
[ 75.368533][ T5319] R13: ffff888052788d80 R14: 1ffff1100a4f12e4 R15: 0000000000000000
[ 75.371733][ T5319] ? ieee80211_tdls_oper+0x363/0x640
[ 75.374104][ T5319] nl80211_tdls_oper+0x285/0x440
[ 75.376351][ T5319] genl_family_rcv_msg_doit+0x212/0x300
[ 75.378553][ T5319] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
[ 75.381140][ T5319] ? bpf_lsm_capable+0x9/0x20
[ 75.383161][ T5319] ? security_capable+0x7e/0x2e0
[ 75.385286][ T5319] genl_rcv_msg+0x60e/0x790
[ 75.387329][ T5319] ? __pfx_genl_rcv_msg+0x10/0x10
[ 75.389247][ T5319] ? ref_tracker_free+0x63a/0x7d0
[ 75.391205][ T5319] ? __pfx_nl80211_pre_doit+0x10/0x10
[ 75.393340][ T5319] ? __pfx_nl80211_tdls_oper+0x10/0x10
[ 75.395707][ T5319] ? __pfx_nl80211_post_doit+0x10/0x10
[ 75.398066][ T5319] ? __pfx_ref_tracker_free+0x10/0x10
[ 75.400291][ T5319] netlink_rcv_skb+0x208/0x470
[ 75.402495][ T5319] ? __pfx_genl_rcv_msg+0x10/0x10
[ 75.404605][ T5319] ? __pfx_netlink_rcv_skb+0x10/0x10
[ 75.407524][ T5319] ? down_read+0x1ad/0x2e0
[ 75.409903][ T5319] genl_rcv+0x28/0x40
[ 75.411489][ T5319] netlink_unicast+0x75b/0x8d0
[ 75.413373][ T5319] netlink_sendmsg+0x805/0xb30
[ 75.415290][ T5319] ? __pfx_netlink_sendmsg+0x10/0x10
[ 75.417457][ T5319] ? aa_sock_msg_perm+0x94/0x160
[ 75.419687][ T5319] ? bpf_lsm_socket_sendmsg+0x9/0x20
[ 75.422118][ T5319] ? __pfx_netlink_sendmsg+0x10/0x10
[ 75.424488][ T5319] __sock_sendmsg+0x21c/0x270
[ 75.426804][ T5319] ____sys_sendmsg+0x505/0x830
[ 75.429050][ T5319] ? __pfx_____sys_sendmsg+0x10/0x10
[ 75.431595][ T5319] ? import_iovec+0x74/0xa0
[ 75.433704][ T5319] ___sys_sendmsg+0x21f/0x2a0
[ 75.435890][ T5319] ? __pfx____sys_sendmsg+0x10/0x10
[ 75.438338][ T5319] ? __fget_files+0x2a/0x420
[ 75.440627][ T5319] ? __fget_files+0x3a0/0x420
[ 75.442919][ T5319] __x64_sys_sendmsg+0x19b/0x260
[ 75.445320][ T5319] ? __pfx___x64_sys_sendmsg+0x10/0x10
[ 75.447987][ T5319] ? rcu_is_watching+0x15/0xb0
[ 75.450220][ T5319] ? do_syscall_64+0xbe/0x3b0
[ 75.452484][ T5319] do_syscall_64+0xfa/0x3b0
[ 75.454717][ T5319] ? lockdep_hardirqs_on+0x9c/0x150
[ 75.457131][ T5319] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.459955][ T5319] ? clear_bhb_loop+0x60/0xb0
[ 75.462149][ T5319] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.464875][ T5319] RIP: 0033:0x7f6ffa18e929
[ 75.467006][ T5319] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 75.475776][ T5319] RSP: 002b:00007f6ffb0da038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 75.479581][ T5319] RAX: ffffffffffffffda RBX: 00007f6ffa3b5fa0 RCX: 00007f6ffa18e929
[ 75.483094][ T5319] RDX: 0000000000000050 RSI: 0000200000000240 RDI: 0000000000000004
[ 75.486722][ T5319] RBP: 00007f6ffa210b39 R08: 0000000000000000 R09: 0000000000000000
[ 75.490288][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 75.493887][ T5319] R13: 0000000000000000 R14: 00007f6ffa3b5fa0 R15: 00007ffc9d51ee78
[ 75.497609][ T5319] </TASK>
[ 75.499382][ T5319] Kernel Offset: disabled
[ 75.501460][ T5319] Rebooting in 86400 seconds..