program:
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000000)={0x0}}, 0x800)
r0 = socket$netlink(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r4=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r3, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r7=>0x0})
sendmsg$NL80211_CMD_CONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000580)=ANY=[@ANYBLOB='0\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="050000000000000000002e00000008000300", @ANYRES32=r7, @ANYBLOB="0a0034000202020202020000080026006c0900004be43d5fbc5f30580ee4c841dc549b61627997bc16263f75694889eba93cc5f879e10532a3e7ce86c4a3d374e2979ea52dc6fa0bbcbd0736e32b0119ed975ca2083e2aad0ef1dd1e479d08db5e30cd3acd59ac0fb314619faeabb365651e1301623ae4ef74f3d8795f8b35c198"], 0x30}}, 0x0)
syz_80211_inject_frame(&(0x7f0000000040)=@device_b, &(0x7f0000000280)=ANY=[@ANYBLOB="50000000080211000001ffffffffffff0802110000000000000000000000000064000100000602020202020201010b"], 0x48)
nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0)
syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f00000021c0)=ANY=[@ANYBLOB="b00000000802110000010802110000000802110000001000000002"], 0x1e)
syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000440)=ANY=[@ANYBLOB="10000000080211000001080211000000080211000000200004a000000c0001"], 0x3c)
r8 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r8, 0x8933, &(0x7f0000000240)={'wlan1\x00', <r9=>0x0})
r10 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000380), 0xffffffffffffffff)
r11 = socket$inet6(0xa, 0x80803, 0x83)
setsockopt$inet6_IPV6_XFRM_POLICY(r11, 0x29, 0x23, &(0x7f00000002c0)={{{@in6=@private1, @in6=@private0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0xae}, {}, {}, 0x0, 0x0, 0x1}, {{@in6=@mcast2, 0x0, 0x32}, 0x0, @in=@multicast1, 0x4000, 0x0, 0x0, 0x0, 0x9}}, 0xe8)
r12 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$inet_buf(r12, 0x0, 0x8008000000010, &(0x7f0000005e40)="17000000020001000003d68c5ee17688a2003208020300ecff3f0200000300000a000000009afc5ad9485bbb6a880000d6c8db0000dba67e060180000a0000f10607bdff59100ac45761407a681f009cee4a5acb3da400001fb700674f19b44e09f9315033bf79ac2dff060115003901000000000000ea000000000000000009ffff02dfccebf6ba0008400200000000e90554062a80e605007f71174aa951f3c63e5c83f1ba2112ce68bf17a6e000"/184, 0xb8)
sendmsg$NL80211_CMD_TDLS_MGMT(r8, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000440)={&(0x7f0000000500)={0x44, r10, 0x1, 0x8000000, 0x0, {{}, {@val={0x8, 0x3, r9}, @void}}, [@NL80211_ATTR_STATUS_CODE={0x6}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_TDLS_ACTION={0x5, 0x88, 0x2}, @NL80211_ATTR_IE={0x4}, @NL80211_ATTR_TDLS_DIALOG_TOKEN={0x5}]}, 0x44}, 0x1, 0x0, 0x0, 0x20000000}, 0x0)
r13 = socket$packet(0x11, 0x2, 0x300)
ioctl$sock_SIOCGIFINDEX(r13, 0x8933, &(0x7f0000000080)={'bridge_slave_0\x00', <r14=>0x0})
sendmsg$nl_route(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)=@bridge_delvlan={0x24, 0x70, 0x1, 0x0, 0x0, {0x7, 0x0, 0x0, r14}, [@BRIDGE_VLANDB_ENTRY={0xc, 0x1, 0x0, 0x1, @BRIDGE_VLANDB_ENTRY_INFO={0x8, 0x1, {0x0, 0x3}}}]}, 0x24}}, 0x0)
r15 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r15, 0x8933, &(0x7f0000000300)={'bridge0\x00', <r16=>0x0})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000001c0)=ANY=[@ANYBLOB="280000001c000100000000000000000007000000", @ANYRES32=r16, @ANYBLOB="8000f2000a000200aa"], 0x28}}, 0x0)
sendmmsg(r0, &(0x7f00000002c0), 0x40000000000009f, 0x0)

[   77.068845][ T5313] Bluetooth: hci0: command tx timeout
[   77.073521][ T1312] ieee802154 phy0 wpan0: encryption failed: -22
[   77.077911][ T1312] ieee802154 phy1 wpan1: encryption failed: -22
[   77.180219][ T5329] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   77.215795][    T9] wlan1: No basic rates, using min rate instead
[   77.219511][    T9] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01)
[   77.222986][    T9] wlan1: send auth to 08:02:11:00:00:00 (try 1/3)
[   77.244958][ T5329] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   77.248952][ T3734] wlan1: authenticated
[   77.250790][    T9] wlan1: associating to AP 08:02:11:00:00:00 with corrupt probe response
[   77.256348][ T3734] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0xa004 status=0 aid=12)
[   77.260140][ T3734] wlan1: No basic rates, using min rate instead
[   77.263139][ T5329] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   77.269620][ T3734] wlan1: associated
[   77.276738][ T5329] ------------[ cut here ]------------
[   77.279014][ T5329] WARNING: CPU: 0 PID: 5329 at net/mac80211/tdls.c:611 ieee80211_tdls_build_mgmt_packet_data+0x2f23/0x3be0
[   77.283639][ T5329] Modules linked in:
[   77.285523][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted 6.15.0-rc2-syzkaller-00042-g1a1d569a75f3 #0 PREEMPT(full) 
[   77.289542][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   77.293521][ T5329] RIP: 0010:ieee80211_tdls_build_mgmt_packet_data+0x2f23/0x3be0
[   77.296320][ T5329] Code: 0f 0b 90 e9 76 f6 ff ff e8 ca 96 08 f6 90 0f 0b 90 e9 77 fe ff ff e8 bc 96 08 f6 90 0f 0b 90 e9 69 fe ff ff e8 ae 96 08 f6 90 <0f> 0b 90 e9 5b fe ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 1b
[   77.303451][ T5329] RSP: 0018:ffffc9000d2cf0c0 EFLAGS: 00010287
[   77.305855][ T5329] RAX: ffffffff8bbabe82 RBX: ffff888012588d80 RCX: 0000000000100000
[   77.308859][ T5329] RDX: ffffc9000e16a000 RSI: 00000000000002c4 RDI: 00000000000002c5
[   77.311754][ T5329] RBP: ffffc9000d2cf260 R08: ffffffff8b956c89 R09: ffffffff8504a1f9
[   77.314956][ T5329] R10: 000000000000000c R11: 0000000000000000 R12: ffff888035e0aa00
[   77.318064][ T5329] R13: dffffc0000000000 R14: ffff888053358e40 R15: 0000000000000000
[   77.321209][ T5329] FS:  00007fdf510ca6c0(0000) GS:ffff88808c593000(0000) knlGS:0000000000000000
[   77.324833][ T5329] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   77.327464][ T5329] CR2: 0000200000005e40 CR3: 000000004307a000 CR4: 0000000000352ef0
[   77.330539][ T5329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   77.333630][ T5329] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   77.338021][ T5329] Call Trace:
[   77.339335][ T5329]  <TASK>
[   77.340518][ T5329]  ? __pfx_rhltable_lookup+0x10/0x10
[   77.342677][ T5329]  ? ieee80211_tdls_build_mgmt_packet_data+0xea/0x3be0
[   77.345953][ T5329]  ? __pfx_ieee80211_tdls_build_mgmt_packet_data+0x10/0x10
[   77.348753][ T5329]  ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860
[   77.351118][ T5329]  ieee80211_tdls_prep_mgmt_packet+0x3b6/0x860
[   77.353497][ T5329]  ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860
[   77.356092][ T5329]  ieee80211_tdls_mgmt+0x8cf/0x10a0
[   77.358063][ T5329]  nl80211_tdls_mgmt+0x4d8/0x770
[   77.359832][ T5329]  genl_rcv_msg+0xb38/0xf00
[   77.361489][ T5329]  ? __pfx_genl_rcv_msg+0x10/0x10
[   77.363204][ T5329]  ? __dev_queue_xmit+0x1780/0x3f60
[   77.365017][ T5329]  ? kasan_save_track+0x3f/0x80
[   77.366858][ T5329]  ? __kasan_slab_alloc+0x66/0x80
[   77.368796][ T5329]  ? do_syscall_64+0xf3/0x230
[   77.370716][ T5329]  ? __lock_acquire+0xad5/0xd80
[   77.372693][ T5329]  ? __pfx_nl80211_pre_doit+0x10/0x10
[   77.374897][ T5329]  ? __pfx_nl80211_tdls_mgmt+0x10/0x10
[   77.376892][ T5329]  ? __pfx_nl80211_post_doit+0x10/0x10
[   77.378742][ T5329]  netlink_rcv_skb+0x208/0x480
[   77.380433][ T5329]  ? __pfx_genl_rcv_msg+0x10/0x10
[   77.382268][ T5329]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   77.384310][ T5329]  ? netlink_deliver_tap+0x2e/0x1b0
[   77.386340][ T5329]  genl_rcv+0x28/0x40
[   77.387864][ T5329]  netlink_unicast+0x7f8/0x9a0
[   77.389866][ T5329]  ? __pfx_netlink_unicast+0x10/0x10
[   77.392072][ T5329]  ? skb_put+0x114/0x1f0
[   77.393981][ T5329]  netlink_sendmsg+0x8c3/0xcd0
[   77.396255][ T5329]  ? __pfx_netlink_sendmsg+0x10/0x10
[   77.398697][ T5329]  ? aa_sock_msg_perm+0x91/0x160
[   77.400579][ T5329]  ? __pfx_netlink_sendmsg+0x10/0x10
[   77.402477][ T5329]  __sock_sendmsg+0x221/0x270
[   77.404366][ T5329]  ____sys_sendmsg+0x523/0x860
[   77.406152][ T5329]  ? __pfx_____sys_sendmsg+0x10/0x10
[   77.408064][ T5329]  ? __fget_files+0x2a/0x420
[   77.409810][ T5329]  ? __fget_files+0x2a/0x420
[   77.412071][ T5329]  __sys_sendmsg+0x271/0x360
[   77.415326][ T5329]  ? __lock_acquire+0xad5/0xd80
[   77.417265][ T5329]  ? __pfx___sys_sendmsg+0x10/0x10
[   77.419527][ T5329]  ? do_syscall_64+0xb6/0x230
[   77.421709][ T5329]  do_syscall_64+0xf3/0x230
[   77.423735][ T5329]  ? clear_bhb_loop+0x45/0xa0
[   77.425954][ T5329]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.428252][ T5329] RIP: 0033:0x7fdf5018e169
[   77.430028][ T5329] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   77.437228][ T5329] RSP: 002b:00007fdf510ca038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   77.440424][ T5329] RAX: ffffffffffffffda RBX: 00007fdf503b5fa0 RCX: 00007fdf5018e169
[   77.443610][ T5329] RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000007
[   77.447117][ T5329] RBP: 00007fdf50210a68 R08: 0000000000000000 R09: 0000000000000000
[   77.450152][ T5329] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   77.452961][ T5329] R13: 0000000000000000 R14: 00007fdf503b5fa0 R15: 00007fff369dc5c8
[   77.456267][ T5329]  </TASK>
[   77.457562][ T5329] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   77.460365][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted 6.15.0-rc2-syzkaller-00042-g1a1d569a75f3 #0 PREEMPT(full) 
[   77.464928][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   77.469188][ T5329] Call Trace:
[   77.470582][ T5329]  <TASK>
[   77.471783][ T5329]  dump_stack_lvl+0x241/0x360
[   77.473656][ T5329]  ? __pfx_dump_stack_lvl+0x10/0x10
[   77.475724][ T5329]  ? __pfx__printk+0x10/0x10
[   77.477561][ T5329]  ? vscnprintf+0x5d/0x90
[   77.479317][ T5329]  panic+0x349/0x880
[   77.480972][ T5329]  ? __warn+0x174/0x4d0
[   77.482652][ T5329]  ? __pfx_panic+0x10/0x10
[   77.484280][ T5329]  __warn+0x344/0x4d0
[   77.485859][ T5329]  ? ieee80211_tdls_build_mgmt_packet_data+0x2f23/0x3be0
[   77.488794][ T5329]  report_bug+0x2b3/0x500
[   77.490901][ T5329]  ? ieee80211_tdls_build_mgmt_packet_data+0x2f23/0x3be0
[   77.493738][ T5329]  ? ieee80211_tdls_build_mgmt_packet_data+0x2f23/0x3be0
[   77.496473][ T5329]  ? ieee80211_tdls_build_mgmt_packet_data+0x2f25/0x3be0
[   77.499308][ T5329]  handle_bug+0x89/0x170
[   77.501050][ T5329]  exc_invalid_op+0x1a/0x50
[   77.502869][ T5329]  asm_exc_invalid_op+0x1a/0x20
[   77.504889][ T5329] RIP: 0010:ieee80211_tdls_build_mgmt_packet_data+0x2f23/0x3be0
[   77.507691][ T5329] Code: 0f 0b 90 e9 76 f6 ff ff e8 ca 96 08 f6 90 0f 0b 90 e9 77 fe ff ff e8 bc 96 08 f6 90 0f 0b 90 e9 69 fe ff ff e8 ae 96 08 f6 90 <0f> 0b 90 e9 5b fe ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 1b
[   77.515192][ T5329] RSP: 0018:ffffc9000d2cf0c0 EFLAGS: 00010287
[   77.517737][ T5329] RAX: ffffffff8bbabe82 RBX: ffff888012588d80 RCX: 0000000000100000
[   77.521312][ T5329] RDX: ffffc9000e16a000 RSI: 00000000000002c4 RDI: 00000000000002c5
[   77.524493][ T5329] RBP: ffffc9000d2cf260 R08: ffffffff8b956c89 R09: ffffffff8504a1f9
[   77.527644][ T5329] R10: 000000000000000c R11: 0000000000000000 R12: ffff888035e0aa00
[   77.530722][ T5329] R13: dffffc0000000000 R14: ffff888053358e40 R15: 0000000000000000
[   77.533819][ T5329]  ? jhash+0x269/0x760
[   77.535520][ T5329]  ? sta_info_get+0x199/0x2b0
[   77.537471][ T5329]  ? ieee80211_tdls_build_mgmt_packet_data+0x2f22/0x3be0
[   77.540303][ T5329]  ? __pfx_rhltable_lookup+0x10/0x10
[   77.542563][ T5329]  ? ieee80211_tdls_build_mgmt_packet_data+0xea/0x3be0
[   77.546013][ T5329]  ? __pfx_ieee80211_tdls_build_mgmt_packet_data+0x10/0x10
[   77.549233][ T5329]  ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860
[   77.551762][ T5329]  ieee80211_tdls_prep_mgmt_packet+0x3b6/0x860
[   77.554115][ T5329]  ? ieee80211_tdls_prep_mgmt_packet+0x3b/0x860
[   77.556539][ T5329]  ieee80211_tdls_mgmt+0x8cf/0x10a0
[   77.558654][ T5329]  nl80211_tdls_mgmt+0x4d8/0x770
[   77.560748][ T5329]  genl_rcv_msg+0xb38/0xf00
[   77.562504][ T5329]  ? __pfx_genl_rcv_msg+0x10/0x10
[   77.564537][ T5329]  ? __dev_queue_xmit+0x1780/0x3f60
[   77.566701][ T5329]  ? kasan_save_track+0x3f/0x80
[   77.568641][ T5329]  ? __kasan_slab_alloc+0x66/0x80
[   77.570619][ T5329]  ? do_syscall_64+0xf3/0x230
[   77.572499][ T5329]  ? __lock_acquire+0xad5/0xd80
[   77.574435][ T5329]  ? __pfx_nl80211_pre_doit+0x10/0x10
[   77.576529][ T5329]  ? __pfx_nl80211_tdls_mgmt+0x10/0x10
[   77.578702][ T5329]  ? __pfx_nl80211_post_doit+0x10/0x10
[   77.580948][ T5329]  netlink_rcv_skb+0x208/0x480
[   77.582865][ T5329]  ? __pfx_genl_rcv_msg+0x10/0x10
[   77.584891][ T5329]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   77.586823][ T5329]  ? netlink_deliver_tap+0x2e/0x1b0
[   77.588708][ T5329]  genl_rcv+0x28/0x40
[   77.590173][ T5329]  netlink_unicast+0x7f8/0x9a0
[   77.591962][ T5329]  ? __pfx_netlink_unicast+0x10/0x10
[   77.593878][ T5329]  ? skb_put+0x114/0x1f0
[   77.595566][ T5329]  netlink_sendmsg+0x8c3/0xcd0
[   77.597476][ T5329]  ? __pfx_netlink_sendmsg+0x10/0x10
[   77.599573][ T5329]  ? aa_sock_msg_perm+0x91/0x160
[   77.601535][ T5329]  ? __pfx_netlink_sendmsg+0x10/0x10
[   77.603535][ T5329]  __sock_sendmsg+0x221/0x270
[   77.605499][ T5329]  ____sys_sendmsg+0x523/0x860
[   77.607375][ T5329]  ? __pfx_____sys_sendmsg+0x10/0x10
[   77.609390][ T5329]  ? __fget_files+0x2a/0x420
[   77.611215][ T5329]  ? __fget_files+0x2a/0x420
[   77.613133][ T5329]  __sys_sendmsg+0x271/0x360
[   77.614939][ T5329]  ? __lock_acquire+0xad5/0xd80
[   77.616890][ T5329]  ? __pfx___sys_sendmsg+0x10/0x10
[   77.619022][ T5329]  ? do_syscall_64+0xb6/0x230
[   77.620967][ T5329]  do_syscall_64+0xf3/0x230
[   77.622824][ T5329]  ? clear_bhb_loop+0x45/0xa0
[   77.624765][ T5329]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.627185][ T5329] RIP: 0033:0x7fdf5018e169
[   77.629012][ T5329] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   77.636576][ T5329] RSP: 002b:00007fdf510ca038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   77.639929][ T5329] RAX: ffffffffffffffda RBX: 00007fdf503b5fa0 RCX: 00007fdf5018e169
[   77.643010][ T5329] RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000007
[   77.646061][ T5329] RBP: 00007fdf50210a68 R08: 0000000000000000 R09: 0000000000000000
[   77.649229][ T5329] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   77.652429][ T5329] R13: 0000000000000000 R14: 00007fdf503b5fa0 R15: 00007fff369dc5c8
[   77.655570][ T5329]  </TASK>
[   77.657081][ T5329] Kernel Offset: disabled
[   77.658746][ T5329] Rebooting in 86400 seconds..