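program:
# syzkaller reproducer (syzlang), one call per line. The inner resource
# definitions that syzkaller writes as <rN=> were stripped when this page was
# rendered, leaving r3, r6, r8 and r14 used but never defined; they are
# restored below at the positions the later uses require (the SIOCGIFINDEX
# ifindex outputs and the socketpair fd). No call or argument was otherwise
# changed.
#
# What the program does, as far as its text and the log below show:
#   1. Switch wlan1 (mac80211_hwsim) to NL80211_IFTYPE_STATION (iftype 0x2)
#      and issue NL80211_CMD_CONNECT for the default SSID.
#   2. Inject three forged 802.11 management frames from the fake AP
#      08:02:11:00:00:00: frame control 0x0050 (probe response), 0x00b0
#      (authentication) and 0x0010 (association response). The log confirms
#      "authenticated" and "RX AssocResp ... (capab=0xa004 status=0 aid=12)".
#   3. Send NL80211_CMD_TDLS_MGMT with TDLS action 0x2 (setup confirm),
#      status 0, no IEs, dialog token 0 and the broadcast address as the peer
#      MAC. The WARNING at net/mac80211/tdls.c:611 fires inside this sendmsg
#      (stack: nl80211_tdls_mgmt -> ieee80211_tdls_mgmt ->
#      ieee80211_tdls_prep_mgmt_packet -> ieee80211_tdls_build_mgmt_packet_data),
#      and because the VM runs with panic_on_warn the kernel panics.
#
# Security note: the WARN is reached from a netlink request, i.e. from user
# supplied input, so on a panic_on_warn kernel this is a local denial of
# service rather than a memory-safety bug. The peer given here
# (ff:ff:ff:ff:ff:ff) has no station entry on wlan1; presumably that is the
# condition the WARN_ON at tdls.c:611 checks -- confirm against the listed tree
# (6.13.0-syzkaller-04858-g21266b8df522). The appropriate fix pattern for such
# paths is to validate the peer/action in the nl80211 or mac80211 handler and
# return an error before the frame builder runs, not to WARN on user input.
# NOTE(review): NL80211_CMD_TDLS_MGMT is presumably gated on CAP_NET_ADMIN
# (GENL_UNS_ADMIN_PERM) and the frame injection needs hwsim's netlink
# interface, so the trigger requires net-admin in the interface's namespace
# and a hwsim radio -- verify in net/wireless/nl80211.c before rating impact.
r0 = syz_open_dev$vim2m(&(0x7f0000000000), 0x9, 0x2)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
# r3 = ifindex of wlan1 (restored resource definition)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r3=>0x0})
# NL80211_ATTR_IFINDEX=r3, NL80211_ATTR_IFTYPE=0x2 (station)
sendmsg$NL80211_CMD_SET_INTERFACE(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r2, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
# r6 = ifindex of wlan1 again (restored resource definition)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r6=>0x0})
# CONNECT to the default AP SSID; WIPHY_FREQ attribute carries the default (zero) value
sendmsg$NL80211_CMD_CONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r5, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r6}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
# Forged probe response (frame control 0x0050) from BSSID 08:02:11:00:00:00;
# the log reports it as a "corrupt probe response" with no basic rates.
syz_80211_inject_frame(&(0x7f0000000040)=@device_b, &(0x7f0000000280)=ANY=[@ANYBLOB="50000000080211000001ffffffffffff0802110000000000000000000000000064000100000602020202020201010b"], 0x48)
nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0)
# Forged authentication frame (frame control 0x00b0); log: "wlan1: authenticated"
syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f00000021c0)=ANY=[@ANYBLOB="b00000000802110000010802110000000802110000001000000002"], 0x1e)
# Forged association response (frame control 0x0010): capab 0xa004, status 0, aid 12
syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000440)=ANY=[@ANYBLOB="10000000080211000001080211000000080211000000200004a000000c0001"], 0x3c)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
# r8 = ifindex of wlan1 (restored resource definition)
ioctl$sock_SIOCGIFINDEX_80211(r7, 0x8933, &(0x7f0000000240)={'wlan1\x00', <r8=>0x0})
r9 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000380), 0xffffffffffffffff)
# Trigger: TDLS setup confirm (action 0x2) to peer ff:ff:ff:ff:ff:ff with
# status 0, empty IE attribute and dialog token 0. This is the sendmsg in
# which the WARNING below fires.
sendmsg$NL80211_CMD_TDLS_MGMT(r7, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000440)={&(0x7f0000000500)={0x44, r9, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_STATUS_CODE={0x6}, @NL80211_ATTR_MAC={0xa, 0x6, @broadcast}, @NL80211_ATTR_TDLS_ACTION={0x5, 0x88, 0x2}, @NL80211_ATTR_IE={0x4}, @NL80211_ATTR_TDLS_DIALOG_TOKEN={0x5}]}, 0x44}, 0x1, 0x0, 0x0, 0x20000000}, 0x0)
# Not reached on this run: the TDLS_MGMT sendmsg above panics the kernel
# (panic_on_warn), so the timer, minix mount and nbd calls below never execute
# here and are presumably minimization residue. Drop them when confirming the
# trigger; keep them if the WARN does not reproduce without them.
r10 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r10}, &(0x7f0000bbdffc))
syz_mount_image$minix(&(0x7f0000000180), &(0x7f00000001c0)='./file0\x00', 0xc00, &(0x7f0000000200), 0x1, 0x172, &(0x7f0000000240)="$eJzs20tOwlAUxvGvgErw/TaOTEyME6kCCWEmC3ADzghUQixqxAnExLgUd+JO3AAM3IA1lEYDcVBvAzX2/0ugZ/L13g4OPXeAACTWuf9tyVLWrzzPezqQdHkhKRPz5gBMlRdcPzwAyZOm9YGEGlTT/vv/1ZLe3h/r/eCTDTk/DKqpUWFJfZP8s+Vf9zPj+ZykxTDzy8sof6Tx/NIv189N5JdD50fPf3w4nl+RtCppTdK6pA1Jm5K2JG3/sH5jYv29kOsDAAAAABDG8PSZj5qPcIPh6fmq5Tqnhvm5IH9mmJ8P8oWI+aJhfiHI5+u3bsPwHoCpVMz9n47Y/5mI/Q8kWafbu665rnNPQUFB8VXE/csEYNrsh/ad3en2TlrtWtNpOjelcqVSLhULFdsfy+0owzmAP+37pR/3TgAAAAAAAAAAAAAAgKkdSbtxbwIAAADATMzi70RxPyMAAAAAAAAAAAAAAP/dZwAAAP//X2pLFQ==")
rmdir(&(0x7f00000003c0)='./file0\x00')
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x3938700}}, 0x0)
r11 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r12 = syz_genetlink_get_family_id$nbd(&(0x7f0000000000), 0xffffffffffffffff)
r13 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x200)
# r14 = first socket of the pair (restored resource definition)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r14=>0xffffffffffffffff})
ioctl$NBD_SET_SOCK(r13, 0xab00, r14)
r15 = dup3(r13, r0, 0x80000)
ioctl$NBD_DO_IT(r15, 0xab03)
sendmsg$NBD_CMD_DISCONNECT(r11, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000100)={0x1c, r12, 0x1, 0x70bd2b, 0x8, {}, [@NBD_ATTR_INDEX={0x8, 0x1, 0x0}]}, 0x1c}}, 0x20000004)

[ 68.898873][ T5300] Bluetooth: hci0: command tx timeout [ 68.980325][ T5315] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 69.020503][ T5313] wlan1: No basic rates, using min rate instead [ 69.024184][ T5313] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 69.028874][ T5313] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 69.036205][ T1087] wlan1: authenticated [ 69.038119][ T5313] wlan1: associating to AP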
08:02:11:00:00:00 with corrupt probe response [ 69.041446][ T5315] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 69.045547][ T1087] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0xa004 status=0 aid=12) [ 69.051113][ T5315] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 69.054880][ T1087] wlan1: No basic rates, using min rate instead [ 69.057967][ T1087] wlan1: associated [ 69.063040][ T5315] ------------[ cut here ]------------ [ 69.065208][ T5315] WARNING: CPU: 0 PID: 5315 at net/mac80211/tdls.c:611 ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080 [ 69.069945][ T5315] Modules linked in: [ 69.071430][ T5315] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-04858-g21266b8df522 #0 [ 69.075229][ T5315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.079526][ T5315] RIP: 0010:ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080 [ 69.082527][ T5315] Code: f5 ff ff e8 86 d1 3f f6 90 0f 0b 90 4c 8b 7c 24 10 e9 7e fe ff ff e8 73 d1 3f f6 90 0f 0b 90 e9 70 fe ff ff e8 65 d1 3f f6 90 <0f> 0b 90 e9 62 fe ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c c7 [ 69.089859][ T5315] RSP: 0018:ffffc9000d34f0c0 EFLAGS: 00010283 [ 69.092215][ T5315] RAX: ffffffff8b5f978b RBX: ffff88803ee40d80 RCX: 0000000000100000 [ 69.095218][ T5315] RDX: ffffc9000e2d2000 RSI: 00000000000002f6 RDI: 00000000000002f7 [ 69.098540][ T5315] RBP: ffffc9000d34f260 R08: ffffffff901b58f7 R09: 1ffffffff2036b1e [ 69.101636][ T5315] R10: dffffc0000000000 R11: fffffbfff2036b1f R12: dffffc0000000000 [ 69.104759][ T5315] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880367a8500 [ 69.107947][ T5315] FS: 00007fd84306f6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 69.111473][ T5315] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 69.114008][ T5315] CR2: 00000000200021c0 CR3: 0000000042ce4000 CR4: 0000000000352ef0 [ 69.117124][ T5315] DR0: 
0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 69.120303][ T5315] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 69.123375][ T5315] Call Trace: [ 69.124747][ T5315] [ 69.125925][ T5315] ? __warn+0x165/0x4d0 [ 69.127468][ T5315] ? ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080 [ 69.129927][ T5315] ? report_bug+0x2b3/0x500 [ 69.131838][ T5315] ? ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080 [ 69.134340][ T5315] ? handle_bug+0x60/0x90 [ 69.136241][ T5315] ? exc_invalid_op+0x1a/0x50 [ 69.138319][ T5315] ? asm_exc_invalid_op+0x1a/0x20 [ 69.140199][ T5315] ? ieee80211_tdls_build_mgmt_packet_data+0x329b/0x4080 [ 69.143237][ T5315] ? ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080 [ 69.145819][ T5315] ? ieee80211_tdls_build_mgmt_packet_data+0xe6/0x4080 [ 69.148591][ T5315] ? __pfx_ieee80211_tdls_build_mgmt_packet_data+0x10/0x10 [ 69.150754][ T5315] ? __pfx_lock_release+0x10/0x10 [ 69.152338][ T5315] ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860 [ 69.154455][ T5315] ? __pfx_lock_release+0x10/0x10 [ 69.156352][ T5315] ? sta_info_get+0x50/0x2b0 [ 69.158330][ T5315] ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860 [ 69.160726][ T5315] ieee80211_tdls_prep_mgmt_packet+0x3b6/0x860 [ 69.162812][ T5315] ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860 [ 69.165123][ T5315] ieee80211_tdls_mgmt+0x8cf/0x10a0 [ 69.167451][ T5315] nl80211_tdls_mgmt+0x4d8/0x770 [ 69.169343][ T5315] genl_rcv_msg+0xb14/0xec0 [ 69.171085][ T5315] ? __pfx_genl_rcv_msg+0x10/0x10 [ 69.173810][ T5315] ? __pfx_lock_acquire+0x10/0x10 [ 69.175759][ T5315] ? __pfx_nl80211_pre_doit+0x10/0x10 [ 69.177978][ T5315] ? __pfx_nl80211_tdls_mgmt+0x10/0x10 [ 69.180108][ T5315] ? __pfx_nl80211_post_doit+0x10/0x10 [ 69.182313][ T5315] ? __pfx___might_resched+0x10/0x10 [ 69.184418][ T5315] netlink_rcv_skb+0x1e3/0x430 [ 69.186248][ T5315] ? __pfx_genl_rcv_msg+0x10/0x10 [ 69.188357][ T5315] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 69.190375][ T5315] ? 
__netlink_deliver_tap+0x7aa/0x7f0 [ 69.192450][ T5315] genl_rcv+0x28/0x40 [ 69.194041][ T5315] netlink_unicast+0x7f6/0x990 [ 69.195853][ T5315] ? __pfx_netlink_unicast+0x10/0x10 [ 69.197976][ T5315] ? __virt_addr_valid+0x45f/0x530 [ 69.199857][ T5315] ? __phys_addr_symbol+0x2f/0x70 [ 69.201886][ T5315] ? __check_object_size+0x47a/0x730 [ 69.203907][ T5315] netlink_sendmsg+0x8e4/0xcb0 [ 69.205668][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 69.207884][ T5315] ? aa_sock_msg_perm+0x91/0x160 [ 69.209769][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 69.211806][ T5315] __sock_sendmsg+0x221/0x270 [ 69.213685][ T5315] ____sys_sendmsg+0x52a/0x7e0 [ 69.215566][ T5315] ? __pfx_____sys_sendmsg+0x10/0x10 [ 69.217767][ T5315] ? __fget_files+0x2a/0x410 [ 69.219599][ T5315] ? __fget_files+0x2a/0x410 [ 69.221383][ T5315] __sys_sendmsg+0x269/0x350 [ 69.223122][ T5315] ? __pfx___sys_sendmsg+0x10/0x10 [ 69.225054][ T5315] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.227383][ T5315] ? do_syscall_64+0x100/0x230 [ 69.229190][ T5315] ? do_syscall_64+0xb6/0x230 [ 69.231082][ T5315] do_syscall_64+0xf3/0x230 [ 69.232720][ T5315] ? 
clear_bhb_loop+0x35/0x90 [ 69.234419][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.236786][ T5315] RIP: 0033:0x7fd84218cd29 [ 69.238793][ T5315] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 69.245841][ T5315] RSP: 002b:00007fd84306f038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 69.249070][ T5315] RAX: ffffffffffffffda RBX: 00007fd8423a5fa0 RCX: 00007fd84218cd29 [ 69.252000][ T5315] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000006 [ 69.254934][ T5315] RBP: 00007fd84220e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 69.258023][ T5315] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 69.261047][ T5315] R13: 0000000000000000 R14: 00007fd8423a5fa0 R15: 00007fffdc6a2c68 [ 69.264188][ T5315] [ 69.265396][ T5315] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 69.268145][ T5315] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-04858-g21266b8df522 #0 [ 69.271892][ T5315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.275976][ T5315] Call Trace: [ 69.277269][ T5315] [ 69.278408][ T5315] dump_stack_lvl+0x241/0x360 [ 69.280214][ T5315] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.282261][ T5315] ? __pfx__printk+0x10/0x10 [ 69.284128][ T5315] ? _printk+0xd5/0x120 [ 69.285838][ T5315] ? __init_begin+0x41000/0x41000 [ 69.287758][ T5315] ? vscnprintf+0x5d/0x90 [ 69.289366][ T5315] panic+0x349/0x880 [ 69.290929][ T5315] ? __warn+0x174/0x4d0 [ 69.292444][ T5315] ? __pfx_panic+0x10/0x10 [ 69.294052][ T5315] __warn+0x344/0x4d0 [ 69.295427][ T5315] ? ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080 [ 69.297963][ T5315] report_bug+0x2b3/0x500 [ 69.299718][ T5315] ? 
ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080 [ 69.302423][ T5315] handle_bug+0x60/0x90 [ 69.304036][ T5315] exc_invalid_op+0x1a/0x50 [ 69.305840][ T5315] asm_exc_invalid_op+0x1a/0x20 [ 69.307733][ T5315] RIP: 0010:ieee80211_tdls_build_mgmt_packet_data+0x329c/0x4080 [ 69.310400][ T5315] Code: f5 ff ff e8 86 d1 3f f6 90 0f 0b 90 4c 8b 7c 24 10 e9 7e fe ff ff e8 73 d1 3f f6 90 0f 0b 90 e9 70 fe ff ff e8 65 d1 3f f6 90 <0f> 0b 90 e9 62 fe ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c c7 [ 69.317226][ T5315] RSP: 0018:ffffc9000d34f0c0 EFLAGS: 00010283 [ 69.319427][ T5315] RAX: ffffffff8b5f978b RBX: ffff88803ee40d80 RCX: 0000000000100000 [ 69.322253][ T5315] RDX: ffffc9000e2d2000 RSI: 00000000000002f6 RDI: 00000000000002f7 [ 69.325152][ T5315] RBP: ffffc9000d34f260 R08: ffffffff901b58f7 R09: 1ffffffff2036b1e [ 69.328030][ T5315] R10: dffffc0000000000 R11: fffffbfff2036b1f R12: dffffc0000000000 [ 69.330978][ T5315] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880367a8500 [ 69.333904][ T5315] ? ieee80211_tdls_build_mgmt_packet_data+0x329b/0x4080 [ 69.336467][ T5315] ? ieee80211_tdls_build_mgmt_packet_data+0xe6/0x4080 [ 69.338864][ T5315] ? __pfx_ieee80211_tdls_build_mgmt_packet_data+0x10/0x10 [ 69.341575][ T5315] ? __pfx_lock_release+0x10/0x10 [ 69.343369][ T5315] ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860 [ 69.345534][ T5315] ? __pfx_lock_release+0x10/0x10 [ 69.347372][ T5315] ? sta_info_get+0x50/0x2b0 [ 69.348920][ T5315] ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860 [ 69.351339][ T5315] ieee80211_tdls_prep_mgmt_packet+0x3b6/0x860 [ 69.353566][ T5315] ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860 [ 69.355861][ T5315] ieee80211_tdls_mgmt+0x8cf/0x10a0 [ 69.357739][ T5315] nl80211_tdls_mgmt+0x4d8/0x770 [ 69.359520][ T5315] genl_rcv_msg+0xb14/0xec0 [ 69.361125][ T5315] ? __pfx_genl_rcv_msg+0x10/0x10 [ 69.362935][ T5315] ? __pfx_lock_acquire+0x10/0x10 [ 69.364792][ T5315] ? __pfx_nl80211_pre_doit+0x10/0x10 [ 69.366825][ T5315] ? 
__pfx_nl80211_tdls_mgmt+0x10/0x10 [ 69.368865][ T5315] ? __pfx_nl80211_post_doit+0x10/0x10 [ 69.370817][ T5315] ? __pfx___might_resched+0x10/0x10 [ 69.372720][ T5315] netlink_rcv_skb+0x1e3/0x430 [ 69.374574][ T5315] ? __pfx_genl_rcv_msg+0x10/0x10 [ 69.376428][ T5315] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 69.378386][ T5315] ? __netlink_deliver_tap+0x7aa/0x7f0 [ 69.380576][ T5315] genl_rcv+0x28/0x40 [ 69.382078][ T5315] netlink_unicast+0x7f6/0x990 [ 69.383949][ T5315] ? __pfx_netlink_unicast+0x10/0x10 [ 69.385835][ T5315] ? __virt_addr_valid+0x45f/0x530 [ 69.387780][ T5315] ? __phys_addr_symbol+0x2f/0x70 [ 69.389600][ T5315] ? __check_object_size+0x47a/0x730 [ 69.391534][ T5315] netlink_sendmsg+0x8e4/0xcb0 [ 69.393370][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 69.395333][ T5315] ? aa_sock_msg_perm+0x91/0x160 [ 69.397152][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 69.399058][ T5315] __sock_sendmsg+0x221/0x270 [ 69.400822][ T5315] ____sys_sendmsg+0x52a/0x7e0 [ 69.402563][ T5315] ? __pfx_____sys_sendmsg+0x10/0x10 [ 69.404472][ T5315] ? __fget_files+0x2a/0x410 [ 69.406148][ T5315] ? __fget_files+0x2a/0x410 [ 69.407843][ T5315] __sys_sendmsg+0x269/0x350 [ 69.409343][ T5315] ? __pfx___sys_sendmsg+0x10/0x10 [ 69.411155][ T5315] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.413438][ T5315] ? do_syscall_64+0x100/0x230 [ 69.415112][ T5315] ? do_syscall_64+0xb6/0x230 [ 69.416877][ T5315] do_syscall_64+0xf3/0x230 [ 69.418595][ T5315] ? 
clear_bhb_loop+0x35/0x90 [ 69.420438][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.422620][ T5315] RIP: 0033:0x7fd84218cd29 [ 69.424371][ T5315] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 69.431208][ T5315] RSP: 002b:00007fd84306f038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 69.434190][ T5315] RAX: ffffffffffffffda RBX: 00007fd8423a5fa0 RCX: 00007fd84218cd29 [ 69.437091][ T5315] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000006 [ 69.440165][ T5315] RBP: 00007fd84220e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 69.443211][ T5315] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 69.446049][ T5315] R13: 0000000000000000 R14: 00007fd8423a5fa0 R15: 00007fffdc6a2c68 [ 69.448898][ T5315] [ 69.450341][ T5315] Kernel Offset: disabled [ 69.451994][ T5315] Rebooting in 86400 seconds..