program:
# Reproducer program from the fuzzer, reflowed to one call per line; call text and order are unchanged.
# Calls tagged (async) are issued without waiting for completion, so their relative order is not fixed.
# NOTE(review): r3, r6, r7 and r10 are used below but no visible call assigns them. The inline
# result bindings look like they were lost when the page was extracted; presumably they came from
# the SIOCGIFINDEX ioctls (r3, r6, r10) and the socketpair (r7). Confirm against the original report.
r0 = openat$dma_heap(0xffffffffffffff9c, &(0x7f0000000180), 0xa0400, 0x0) (async)
# First nl80211 handle: generic-netlink socket r1, family id r2, interface index lookup for wlan0.
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) (async, rerun: 64)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0}) (rerun: 64)
# Second nl80211 handle (r4/r5) on the same interface name.
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) (async)
ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0})
# Interface type change, NL80211_ATTR_IFTYPE payload 0x9 (NL80211_IFTYPE_P2P_GO in the nl80211 uapi enum); issued async.
sendmsg$NL80211_CMD_SET_INTERFACE(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000180)={0x24, r5, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r6}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x9}]}, 0x24}}, 0x0) (async)
# START_AP on the same ifindex (r6) with a beacon head and channel parameters.
sendmsg$NL80211_CMD_START_AP(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000540)={0x88, r5, 0x5, 0x70bd26, 0x0, {{}, {@val={0x8, 0x3, r6}, @void}}, [@beacon=[@NL80211_ATTR_BEACON_HEAD={0x4c, 0xe, {{{}, {}, @broadcast, @device_a, @from_mac}, 0x0, @default, 0x1, @void, @void, @void, @void, @void, @void, @void, @void, @void, @val={0x2d, 0x1a, {0x1, 0x1, 0x7, 0x0, {0xa600000000000000, 0x2, 0x0, 0x3fe, 0x0, 0x0, 0x0, 0x1}, 0x0, 0x9, 0x3}}, @val={0x72, 0x6}, @void, @void}}], @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}, @NL80211_ATTR_WIPHY_CHANNEL_TYPE={0x8, 0x27, 0x1}], @NL80211_ATTR_BEACON_INTERVAL={0x8}, @NL80211_ATTR_DTIM_PERIOD={0x8}]}, 0x88}}, 0x20000014)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f00000003c0)={0xffffffffffffffff})
# Third nl80211 handle (r8/r9); the interface index lookup here goes through r7.
r8 = socket$nl_generic(0x10, 0x3, 0x10)
r9 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000f80), 0xffffffffffffffff) (async)
ioctl$sock_SIOCGIFINDEX_80211(r7, 0x8933, &(0x7f0000000300)={'wlan0\x00', 0x0})
# NEW_STATION request. The call trace in the console output below runs through nl80211_new_station,
# so this is the request being handled when the warning fires.
sendmsg$NL80211_CMD_NEW_STATION(r8, &(0x7f0000001080)={0x0, 0x0, &(0x7f0000001040)={&(0x7f0000000280)={0x3c, r9, 0xb97534d5fe9704cf, 0x0, 0x0, {{}, {@val={0x8, 0x3, r10}, @void}}, [@NL80211_ATTR_STA_SUPPORTED_RATES={0x4}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STA_AID={0x6, 0x10, 0x580}, @NL80211_ATTR_STA_LISTEN_INTERVAL={0x6}]}, 0x3c}, 0x1, 0x0, 0x0, 0xc0}, 0x0)
# Second interface type change via the first handle, payload 0x3 (NL80211_IFTYPE_AP); also async.
sendmsg$NL80211_CMD_SET_INTERFACE(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r2, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x3}]}, 0x24}}, 0x0) (async)
# The remaining calls touch other subsystems (unix socket, USB HID, vicodec, rfkill, vhost) and none of
# them appears in the call trace; presumably fuzzer noise. Confirm by minimising the reproducer.
recvmsg$unix(0xffffffffffffffff, 0x0, 0x0) (async)
syz_usb_connect$hid(0x0, 0x36, 0x0, 0x0) (async, rerun: 32)
r11 = openat$vicodec0(0xffffffffffffff9c, &(0x7f0000000480), 0x2, 0x0) (rerun: 32)
ioctl$VIDIOC_ENUM_FMT(r11, 0xc0405602, &(0x7f0000000040)={0x58, 0xa, 0x0, "05fcff410400001bf9585253b800c495f2bc838200"}) (async)
write$rfkill(0xffffffffffffffff, 0x0, 0x0)
ioctl$VHOST_SET_FEATURES(r0, 0x4008af00, &(0x7f0000000080)=0x8001100)
# Console output follows. Triage summary, taken from the log itself: a WARNING with condition
# `!chanctx_conf` fires at net/mac80211/rate.c:53 in rate_control_rate_init, in task syz.0.0 (UID 0),
# reached via nl80211_new_station -> ieee80211_add_station -> sta_apply_parameters. The later
# "Kernel panic" line attributes the panic to panic_on_warn being set, so the warning is the finding.
# NOTE(review): presumably the station was added while the interface had no channel context,
# e.g. because the async SET_INTERFACE / START_AP calls overlap NEW_STATION. Confirm against rate.c.
[ 110.590026][ T5316] Bluetooth: hci0: command tx timeout [ 110.939107][ T5338] ------------[ cut here ]------------ [ 110.941518][ T5338] !chanctx_conf [ 110.941526][ T5338] WARNING: net/mac80211/rate.c:53 at rate_control_rate_init+0x64a/0x6e0, CPU#0: syz.0.0/5338 [ 110.949539][ T5338] Modules linked in: [ 110.951809][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 110.955054][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 110.959406][ T5338] RIP: 0010:rate_control_rate_init+0x64a/0x6e0 [ 110.961598][ T5338] Code: 82 01 00 00 20 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d e9 c8 04 92 00 cc e8 52 a0 9a f6 90 0f 0b 90 eb e1 e8 47 a0 9a f6 90 <0f> 0b 90 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d e9 90 00 00 00 [ 110.970417][ T5338] RSP: 0018:ffffc9000e2defd8 EFLAGS: 00010293 [ 110.973168][ T5338] RAX: ffffffff8b2b40a9 RBX: ffff88801288c000 RCX: ffff888033364a00 [ 110.976454][ T5338] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 110.980095][ T5338] RBP: 0000000000000000 R08: ffffffff8b2b3bc3 R09: ffffffff8e95cce0 [ 110.986322][ T5338] R10: dffffc0000000000 R11: ffffed1002511831 R12: 
1ffff1100251180a [ 110.989991][ T5338] R13: ffff888042ff0f20 R14: 0000000000000001 R15: ffffffff8b2b3bc3 [ 110.993449][ T5338] FS: 00007ffafb9a16c0(0000) GS:ffff88808c80c000(0000) knlGS:0000000000000000 [ 110.997708][ T5338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 111.000647][ T5338] CR2: 00007ffafb97ffe8 CR3: 00000000376a7000 CR4: 0000000000352ef0 [ 111.005206][ T5338] Call Trace: [ 111.007976][ T5338] [ 111.009560][ T5338] rate_control_rate_init_all_links+0x109/0x1a0 [ 111.012249][ T5338] sta_apply_auth_flags+0x1c2/0x400 [ 111.014390][ T5338] sta_apply_parameters+0x1098/0x18a0 [ 111.016771][ T5338] ieee80211_add_station+0x3e6/0x710 [ 111.019293][ T5338] rdev_add_station+0xfc/0x290 [ 111.021379][ T5338] nl80211_new_station+0x1cab/0x2130 [ 111.023622][ T5338] ? __pfx_nl80211_new_station+0x10/0x10 [ 111.026320][ T5338] ? __rtnl_unlock+0xc8/0xf0 [ 111.029402][ T5338] genl_family_rcv_msg_doit+0x22a/0x330 [ 111.032453][ T5338] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 [ 111.035052][ T5338] ? bpf_lsm_capable+0x9/0x20 [ 111.036944][ T5338] ? security_capable+0x7e/0x2c0 [ 111.039341][ T5338] genl_rcv_msg+0x61c/0x7a0 [ 111.041303][ T5338] ? __pfx_genl_rcv_msg+0x10/0x10 [ 111.043656][ T5338] ? __pfx_nl80211_pre_doit+0x10/0x10 [ 111.046599][ T5338] ? __pfx_nl80211_new_station+0x10/0x10 [ 111.050110][ T5338] ? __pfx_nl80211_post_doit+0x10/0x10 [ 111.052467][ T5338] ? __pfx_ref_tracker_free+0x10/0x10 [ 111.055141][ T5338] ? __asan_memcpy+0x40/0x70 [ 111.057616][ T5338] ? __skb_clone+0x63/0x7a0 [ 111.059828][ T5338] netlink_rcv_skb+0x232/0x4b0 [ 111.062143][ T5338] ? __pfx_genl_rcv_msg+0x10/0x10 [ 111.065467][ T5338] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 111.069215][ T5338] ? down_read+0x270/0x2e0 [ 111.071235][ T5338] ? genl_rcv+0xd/0x40 [ 111.073024][ T5338] genl_rcv+0x28/0x40 [ 111.074665][ T5338] netlink_unicast+0x75c/0x8e0 [ 111.076694][ T5338] netlink_sendmsg+0x813/0xb40 [ 111.079340][ T5338] ? __pfx_netlink_sendmsg+0x10/0x10 [ 111.082361][ T5338] ? 
aa_sock_msg_perm+0xf1/0x1b0 [ 111.085003][ T5338] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 111.087784][ T5338] ____sys_sendmsg+0x972/0x9f0 [ 111.089757][ T5338] ? __might_fault+0xaf/0x130 [ 111.092105][ T5338] ? __pfx_____sys_sendmsg+0x10/0x10 [ 111.094445][ T5338] ? import_iovec+0x73/0xa0 [ 111.096697][ T5338] ___sys_sendmsg+0x2a5/0x360 [ 111.099127][ T5338] ? __lock_acquire+0x6b5/0x2cf0 [ 111.101383][ T5338] ? __pfx____sys_sendmsg+0x10/0x10 [ 111.105272][ T5338] ? futex_wait+0x2a2/0x390 [ 111.108624][ T5338] ? __fget_files+0x2a/0x420 [ 111.110750][ T5338] ? __fget_files+0x3a0/0x420 [ 111.112816][ T5338] __x64_sys_sendmsg+0x1bd/0x2a0 [ 111.114951][ T5338] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 111.117512][ T5338] ? rcu_is_watching+0x15/0xb0 [ 111.119931][ T5338] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.122592][ T5338] do_syscall_64+0x15f/0xf80 [ 111.124928][ T5338] ? trace_irq_disable+0x3b/0x140 [ 111.128251][ T5338] ? clear_bhb_loop+0x40/0x90 [ 111.130797][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.133605][ T5338] RIP: 0033:0x7ffafab9c819 [ 111.135523][ T5338] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 111.144360][ T5338] RSP: 002b:00007ffafb9a0fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 111.148523][ T5338] RAX: ffffffffffffffda RBX: 00007ffafae16090 RCX: 00007ffafab9c819 [ 111.151859][ T5338] RDX: 0000000000000000 RSI: 0000200000001080 RDI: 0000000000000008 [ 111.155310][ T5338] RBP: 00007ffafac32c91 R08: 0000000000000000 R09: 0000000000000000 [ 111.158750][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 111.162486][ T5338] R13: 00007ffafae16128 R14: 00007ffafae16090 R15: 00007fffa84301d8 [ 111.167251][ T5338] [ 111.168894][ T5338] Kernel panic - not syncing: kernel: panic_on_warn set ... 
[ 111.172077][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 111.176042][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 111.181201][ T5338] Call Trace: [ 111.182825][ T5338] [ 111.184213][ T5338] vpanic+0x56c/0xa60 [ 111.185963][ T5338] ? __pfx__printk+0x10/0x10 [ 111.188025][ T5338] ? __pfx_vpanic+0x10/0x10 [ 111.190032][ T5338] ? is_bpf_text_address+0x292/0x2b0 [ 111.192672][ T5338] ? is_bpf_text_address+0x26/0x2b0 [ 111.195656][ T5338] panic+0xc5/0xd0 [ 111.197938][ T5338] ? __pfx_panic+0x10/0x10 [ 111.200149][ T5338] __warn+0x315/0x4c0 [ 111.201858][ T5338] ? rate_control_rate_init+0x64a/0x6e0 [ 111.204207][ T5338] ? rate_control_rate_init+0x64a/0x6e0 [ 111.206735][ T5338] __report_bug+0x29a/0x540 [ 111.208789][ T5338] ? rate_control_rate_init+0x64a/0x6e0 [ 111.211384][ T5338] ? __pfx___report_bug+0x10/0x10 [ 111.214103][ T5338] ? __lock_acquire+0x6b5/0x2cf0 [ 111.216871][ T5338] ? __lock_acquire+0x6b5/0x2cf0 [ 111.219186][ T5338] ? rate_control_rate_init+0x64a/0x6e0 [ 111.221528][ T5338] report_bug+0x16a/0x220 [ 111.223209][ T5338] ? rate_control_rate_init+0x64a/0x6e0 [ 111.225602][ T5338] ? 
rate_control_rate_init+0x64c/0x6e0 [ 111.228424][ T5338] handle_bug+0x9c/0x200 [ 111.230716][ T5338] exc_invalid_op+0x1a/0x50 [ 111.233369][ T5338] asm_exc_invalid_op+0x1a/0x20 [ 111.235954][ T5338] RIP: 0010:rate_control_rate_init+0x64a/0x6e0 [ 111.238738][ T5338] Code: 82 01 00 00 20 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d e9 c8 04 92 00 cc e8 52 a0 9a f6 90 0f 0b 90 eb e1 e8 47 a0 9a f6 90 <0f> 0b 90 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d e9 90 00 00 00 [ 111.247708][ T5338] RSP: 0018:ffffc9000e2defd8 EFLAGS: 00010293 [ 111.251713][ T5338] RAX: ffffffff8b2b40a9 RBX: ffff88801288c000 RCX: ffff888033364a00 [ 111.255696][ T5338] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 111.259317][ T5338] RBP: 0000000000000000 R08: ffffffff8b2b3bc3 R09: ffffffff8e95cce0 [ 111.263030][ T5338] R10: dffffc0000000000 R11: ffffed1002511831 R12: 1ffff1100251180a [ 111.267228][ T5338] R13: ffff888042ff0f20 R14: 0000000000000001 R15: ffffffff8b2b3bc3 [ 111.271172][ T5338] ? rate_control_rate_init+0x163/0x6e0 [ 111.273291][ T5338] ? rate_control_rate_init+0x163/0x6e0 [ 111.275727][ T5338] ? rate_control_rate_init+0x649/0x6e0 [ 111.278540][ T5338] ? rate_control_rate_init+0x649/0x6e0 [ 111.281763][ T5338] rate_control_rate_init_all_links+0x109/0x1a0 [ 111.284456][ T5338] sta_apply_auth_flags+0x1c2/0x400 [ 111.286358][ T5338] sta_apply_parameters+0x1098/0x18a0 [ 111.288585][ T5338] ieee80211_add_station+0x3e6/0x710 [ 111.290776][ T5338] rdev_add_station+0xfc/0x290 [ 111.293140][ T5338] nl80211_new_station+0x1cab/0x2130 [ 111.295958][ T5338] ? __pfx_nl80211_new_station+0x10/0x10 [ 111.298683][ T5338] ? __rtnl_unlock+0xc8/0xf0 [ 111.300883][ T5338] genl_family_rcv_msg_doit+0x22a/0x330 [ 111.303291][ T5338] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 [ 111.305990][ T5338] ? bpf_lsm_capable+0x9/0x20 [ 111.308355][ T5338] ? security_capable+0x7e/0x2c0 [ 111.310992][ T5338] genl_rcv_msg+0x61c/0x7a0 [ 111.313352][ T5338] ? 
__pfx_genl_rcv_msg+0x10/0x10 [ 111.315698][ T5338] ? __pfx_nl80211_pre_doit+0x10/0x10 [ 111.318203][ T5338] ? __pfx_nl80211_new_station+0x10/0x10 [ 111.320558][ T5338] ? __pfx_nl80211_post_doit+0x10/0x10 [ 111.323514][ T5338] ? __pfx_ref_tracker_free+0x10/0x10 [ 111.326590][ T5338] ? __asan_memcpy+0x40/0x70 [ 111.329302][ T5338] ? __skb_clone+0x63/0x7a0 [ 111.331487][ T5338] netlink_rcv_skb+0x232/0x4b0 [ 111.333647][ T5338] ? __pfx_genl_rcv_msg+0x10/0x10 [ 111.335859][ T5338] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 111.338167][ T5338] ? down_read+0x270/0x2e0 [ 111.340176][ T5338] ? genl_rcv+0xd/0x40 [ 111.342320][ T5338] genl_rcv+0x28/0x40 [ 111.344994][ T5338] netlink_unicast+0x75c/0x8e0 [ 111.347581][ T5338] netlink_sendmsg+0x813/0xb40 [ 111.349852][ T5338] ? __pfx_netlink_sendmsg+0x10/0x10 [ 111.352154][ T5338] ? aa_sock_msg_perm+0xf1/0x1b0 [ 111.354382][ T5338] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 111.357051][ T5338] ____sys_sendmsg+0x972/0x9f0 [ 111.360059][ T5338] ? __might_fault+0xaf/0x130 [ 111.362434][ T5338] ? __pfx_____sys_sendmsg+0x10/0x10 [ 111.364681][ T5338] ? import_iovec+0x73/0xa0 [ 111.366757][ T5338] ___sys_sendmsg+0x2a5/0x360 [ 111.368985][ T5338] ? __lock_acquire+0x6b5/0x2cf0 [ 111.371369][ T5338] ? __pfx____sys_sendmsg+0x10/0x10 [ 111.373659][ T5338] ? futex_wait+0x2a2/0x390 [ 111.375900][ T5338] ? __fget_files+0x2a/0x420 [ 111.378177][ T5338] ? __fget_files+0x3a0/0x420 [ 111.380788][ T5338] __x64_sys_sendmsg+0x1bd/0x2a0 [ 111.383263][ T5338] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 111.385619][ T5338] ? rcu_is_watching+0x15/0xb0 [ 111.387581][ T5338] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.389827][ T5338] do_syscall_64+0x15f/0xf80 [ 111.391715][ T5338] ? trace_irq_disable+0x3b/0x140 [ 111.393835][ T5338] ? 
clear_bhb_loop+0x40/0x90 [ 111.396700][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.400059][ T5338] RIP: 0033:0x7ffafab9c819 [ 111.402135][ T5338] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 111.411122][ T5338] RSP: 002b:00007ffafb9a0fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 111.415264][ T5338] RAX: ffffffffffffffda RBX: 00007ffafae16090 RCX: 00007ffafab9c819 [ 111.418961][ T5338] RDX: 0000000000000000 RSI: 0000200000001080 RDI: 0000000000000008 [ 111.422434][ T5338] RBP: 00007ffafac32c91 R08: 0000000000000000 R09: 0000000000000000 [ 111.425854][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 111.430346][ T5338] R13: 00007ffafae16128 R14: 00007ffafae16090 R15: 00007fffa84301d8 [ 111.435283][ T5338] [ 111.437444][ T5338] Kernel Offset: disabled [ 111.439456][ T5338] Rebooting in 86400 seconds..