program: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) r2 = socket$nl_generic(0x10, 0x3, 0x10) r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r3, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x8}]}, 0x24}, 0x1, 0x0, 0x0, 0x40840}, 0x0) sendmsg$NL80211_CMD_CONNECT(r2, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r3, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2, 0x1}]}, @void, @void, @void, @void, @void, @void}, 0x2f) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000880)=ANY=[@ANYBLOB="1e321f45b1d4323513a54b6463c2d4449dde040051509ff6583e72f6fe29b9d2b294ac32366e36569925ab7a575c5391845bee227a2786"], 0x1e) syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000500)=@mgmt_frame=@assoc_resp={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x2}}, 0x1, 0x0, @default, @val, @void}, 0x20) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000440)=@mgmt_frame=@beacon={{{}, {}, @device_b, @device_b, @from_mac}, 0x0, @default, 0x1, @void, @void, @void, @void, @void, @val={0x5, 0x3, {0x7c, 0x20, 0x8}}, @val={0x25, 0x3, {0x0, 0x2, 0x4}}, @val={0x2a, 0x1, {0x1, 0x1}}, @val={0x3c, 0x4, {0x0, 0x3d, 0xab, 0x5}}, @val={0x2d, 0x1a, {0x8, 0x3, 0x1, 0x0, {0x5, 0x1009, 0x0, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x400, 0x4, 0x5}}, @void, @val={0x71, 0x7, {0x0, 0x1, 0x0, 0x0, 0x0, 0x2, 0x21}}, @val={0x76, 0x6, {0x0, 0x9, 0x3d, 0x1}}}, 0x64) syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x10, 0x1e71, 0x2010, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x0, 0x10, 0x9, [{{0x9, 0x4, 0x0, 0x0, 0x1, 0x3, 0x0, 0x3, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x6}}, {{{0x9, 0x5, 0x81, 0x3, 0x8}}}}}]}}]}}, 0x0) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000040)=ANY=[@ANYBLOB="80000000ffffffffffff080211000000080211"], 0x32) bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0xffffffffffffffff, 0x3}, 0x6) write$bt_hci(r1, &(0x7f00000005c0)=ANY=[@ANYBLOB="0e00000002"], 0x8) syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00', &(0x7f0000000000)='./file2\x00', 0x200801f, &(0x7f00000000c0), 0xfe, 0x4ec, &(0x7f0000000380)="$eJzs3d9rHFsdAPDvTLL3Nm2um6s+1IJtsZWkaDdJY9vgQ1UQfSqo9b3GZBtCNtmSbNomFE3xDxBEVPBFn3wR/AME6Z8gQkHfRUURbfXBh+rI7s7GNN1NUro/vNnPB07mnJnZ/Z6TYc7OmRlmAhhaFyNiKiKyLMuuREQxn5/mKXabqb7ei+ePF+spiSy787ckknxe67vezadn8o+dioivfTnim8nrcTe3d1YXKpXyRl6erq0lL7Ns5+rK2sJyebm8Pjc3e2P+5vz1+ZmutHMiIm598U8/+O7PvnTrV59++Pu7f5n6VrOBTfvb0U3Nphca/4uW0YjY6EWwAUkaLWy6PuC6AABwuPrx/ocj4hMRcSWKMdI4OgUAAABOkuxz4/EyaV7/AwAAAE6mNCLGI0lL+f2+45GmpVLzHt6Pxum0Ut2sfSor7p0vmIhCem+lUp7J7x2YiEJSL8/m99i2ytcOlOci4v2I+H5xrFEuLVYrSwM98wEAAADD48yB8f8/i83xPwAAAHDCTAy6AgAAAEDPGf8DAADAyWf8DwAAACfaV27frqes9f7rpQfbW6vVB1eXypurpbWtxdJideN+ablaXW48s2/tqO+rVKv3PxPrW4+ma+XN2vTm9s7dterWeu3uyiuvwAYAAAD66P0LT3+XRMTuZ8fSiMiSfcsKEdnI/pVH+18/oHfSN1n5j72rB9B/I4OuADAwDulheBUGXQFg4I7qBzrevPPr7tcFAADojcmP7V3/b6S6d/JlyUBrBvRafv0/sa/D8HH9H4aX638wvAqHHQEYFMCJlx5jV3/76/9Z9kaVAgAAum68kZK0lI8DxiNNS6WI9xqvBSgk91Yq5ZmI+FBE/LZYeLdenm18MnF6AAAAAAAAAAAAAAAAAAAAAAAAAACOKcuSyDoY21sHAAAA+CCLSP+c5O//mixeHj94fuCd5F/FxjQiHv74zg8fLdRqG7P1+X/fm1/7UT7/Wr/PXgAAAADttMbprXE8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHTTi+ePF1upn3H/+oWImGgXfzRONaanohARp/+RxOi+zyURMdKF+LtPIuJsu/hJvVoxkdfiYPw0IsYGHP9MF+LDMHta738+327/S+NiY9p+/xvN09vq3P+le/3fSIf+7712X5i+Puvcs19Md4z/JOLcaPv+pxU/6RD/0jHb+I2v7+x0Wpb9NGKy7e9P8kqs6WT0/vTm9s7VlbWF5fJyeX1ubvbG/M356/Mz0/dWKuX8b9sY3/v4L/9zWPtPd4g/cUT7Lx+z/f9+9uj5R5rZwoFFhfhJlk1dar/9z3aI3/rt+2S+uevlyVZ+t5nf7/zPf3P+wiHtX+rQ/qO2/9Qx23/lq9/5wzFXBQD6YHN7Z3WhUilvyMj0LDMWfQy6EIet0zqI7UN9vp2H+r/YBG+cGWCnBAAA9MT/DvoHXRMAAAAAAAAAAAAAAAAAAAAYXkc9Biy68DixgzF3B9NUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIBD/TcAAP//AU3LQQ==") ioctl$KVM_SET_IRQCHIP(0xffffffffffffffff, 0x8208ae63, &(0x7f0000000280)={0x2, 0x0, @ioapic={0x0, 0x0, 0x3, 0xf56, 0x0, [{0x0, 0xfe}, {}, {}, {0x0, 0x35, 0x0, '\x00', 0xfc}, {}, {}, {0x0, 0x0, 0x10}, {0x0, 0x0, 0x3}, {0x0, 0x5}, {}, {}, {0x40}, {}, {}, {}, {}, {0x3, 0xfc}, {}, {0x0, 0x0, 0x0, '\x00', 0x8}, {}, {}, {0x0, 0x1, 0x0, '\x00', 0xf}, {}, {0x4, 0x4}]}}) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x181040, 0x0) r6 = ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) ioctl$KVM_CREATE_IRQCHIP(r6, 0xae60) bpf$ENABLE_STATS(0x20, &(0x7f0000000100), 0x4) r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) ioctl$KVM_SET_VCPU_EVENTS(r7, 0x4400ae8f, &(0x7f0000000140)=@arm64={0x1, 0xf6, 0xf0, '\x00', 0x6}) ioctl$KVM_SET_MSRS(r7, 0x4008ae89, &(0x7f00000004c0)={0x1, 0x0, [{0x40000070, 0x0, 0x6}]}) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)) syz_mount_image$minix(&(0x7f0000000200), &(0x7f0000000240)='./file0\x00', 0x0, &(0x7f0000000140)=ANY=[@ANYBLOB="00ad4da59bd78a248060eb7e05f7e56b446305d49c3e5d3120577c4e2b73c6db3384cc496525aa5a1e3f87e283e57448d56ced36ed336d8f77b350d227"], 0x1, 0x1ce, &(0x7f00000002c0)="$eJzs20tqU2EUB/B/0qjgEpwq6MQmrQrtsFDf78cGShtLMVWxDmwRrEtxZXYDHbgBr3iLSkOTXF/5KP39INwDJ4dz7uDk+yYJcHJ1klZaWU5SVdWHdxda2S09EzAVVeH+XyugnJnva7hXegpg+vaX6v3PXpLPX96v/vgsNzy/95fa9XN3qP560/qPrfp5rnO4/kaSmw3qq08H9ReH+t/6zf5nh+pvN64/eP9L5w/X30lyN8m9JPeTPEjyMMmjJI+P6L821P9Zw/4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/Siuzk/Jjv9DO841Bvzcyf6rOz43Mn67z8xPyV0bmz9T52dVXg7VxYwJHaP/l/s9M2P/OhP0Hytna3nmxMhj03wgEAsHPoPQvE/C/dd9uvu5ube9c3thcWe+v91/OLc73ri4sLPaudeubfXf8/R44vn4d+qUnAQAAAAAAAAD+1JMkT0sPAQAATMU0/k5U+h0BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOP6+BQAA///mpdN2") r8 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) pwrite64(r8, &(0x7f0000000140)='2', 0xfdef, 0x8000e00) [ 97.356722][ T54] cfg80211: failed to load regulatory.db [ 97.367055][ T4679] Bluetooth: hci0: command tx timeout [ 97.633817][ T5331] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 97.674441][ T10] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 97.680082][ T10] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 97.693836][ T5331] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 97.699936][ T133] ------------[ cut here ]------------ [ 97.703519][ T133] UBSAN: array-index-out-of-bounds in net/mac80211/mlme.c:7224:41 [ 97.706848][ T133] index 4 is out of range for type 'u8[0]' (aka 'unsigned char[0]') [ 97.713197][ T5331] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 97.717171][ T133] CPU: 0 UID: 0 PID: 133 Comm: kworker/u4:4 Not tainted 6.16.0-rc1-syzkaller-00182-g18531f4d1c8c #0 PREEMPT(full) [ 97.717192][ T133] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 97.717200][ T133] Workqueue: events_unbound cfg80211_wiphy_work [ 97.717326][ T133] Call Trace: [ 97.717332][ T133] [ 97.717339][ T133] dump_stack_lvl+0x189/0x250 [ 97.717395][ T133] ? __pfx_dump_stack_lvl+0x10/0x10 [ 97.717414][ T133] ? __pfx__printk+0x10/0x10 [ 97.717429][ T133] ubsan_epilogue+0xa/0x40 [ 97.717439][ T133] __ubsan_handle_out_of_bounds+0xe9/0xf0 [ 97.717504][ T133] ? ieee80211_get_bssid+0xb8/0x200 [ 97.717517][ T133] ieee80211_rx_mgmt_beacon+0x21fd/0x2c10 [ 97.717533][ T133] ? __lock_acquire+0xab9/0xd20 [ 97.717551][ T133] ? __pfx_ieee80211_rx_mgmt_beacon+0x10/0x10 [ 97.717561][ T133] ? __lock_acquire+0xab9/0xd20 [ 97.717605][ T133] ieee80211_iface_work+0x49c/0xfe0 [ 97.717634][ T133] cfg80211_wiphy_work+0x2df/0x460 [ 97.717646][ T133] ? process_scheduled_works+0x9ef/0x17b0 [ 97.717662][ T133] process_scheduled_works+0xae1/0x17b0 [ 97.717691][ T133] ? __pfx_process_scheduled_works+0x10/0x10 [ 97.717714][ T133] worker_thread+0x8a0/0xda0 [ 97.717724][ T133] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 97.717800][ T133] ? __kthread_parkme+0x7b/0x200 [ 97.717819][ T133] kthread+0x70e/0x8a0 [ 97.717838][ T133] ? __pfx_worker_thread+0x10/0x10 [ 97.717860][ T133] ? __pfx_kthread+0x10/0x10 [ 97.717878][ T133] ? _raw_spin_unlock_irq+0x23/0x50 [ 97.717895][ T133] ? lockdep_hardirqs_on+0x9c/0x150 [ 97.717915][ T133] ? __pfx_kthread+0x10/0x10 [ 97.717930][ T133] ret_from_fork+0x3fc/0x770 [ 97.717946][ T133] ? __pfx_ret_from_fork+0x10/0x10 [ 97.717964][ T133] ? __pfx_kthread+0x10/0x10 [ 97.717975][ T133] ret_from_fork_asm+0x1a/0x30 [ 97.718002][ T133] [ 97.718006][ T133] ---[ end trace ]--- [ 97.811086][ T5331] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 97.846713][ T133] Kernel panic - not syncing: UBSAN: panic_on_warn set ... [ 97.850316][ T133] CPU: 0 UID: 0 PID: 133 Comm: kworker/u4:4 Not tainted 6.16.0-rc1-syzkaller-00182-g18531f4d1c8c #0 PREEMPT(full) [ 97.855463][ T133] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 97.859693][ T133] Workqueue: events_unbound cfg80211_wiphy_work [ 97.862053][ T133] Call Trace: [ 97.863488][ T133] [ 97.864913][ T133] dump_stack_lvl+0x99/0x250 [ 97.867042][ T133] ? __asan_memcpy+0x40/0x70 [ 97.869545][ T133] ? __pfx_dump_stack_lvl+0x10/0x10 [ 97.872502][ T133] ? __pfx__printk+0x10/0x10 [ 97.874816][ T133] panic+0x2db/0x790 [ 97.876545][ T133] ? __pfx_panic+0x10/0x10 [ 97.878560][ T133] ? _printk+0xcf/0x120 [ 97.880309][ T133] ? __pfx__printk+0x10/0x10 [ 97.882378][ T133] check_panic_on_warn+0x89/0xb0 [ 97.884619][ T133] __ubsan_handle_out_of_bounds+0xe9/0xf0 [ 97.887133][ T133] ? ieee80211_get_bssid+0xb8/0x200 [ 97.889677][ T133] ieee80211_rx_mgmt_beacon+0x21fd/0x2c10 [ 97.893352][ T133] ? __lock_acquire+0xab9/0xd20 [ 97.896308][ T133] ? __pfx_ieee80211_rx_mgmt_beacon+0x10/0x10 [ 97.898845][ T133] ? __lock_acquire+0xab9/0xd20 [ 97.901011][ T133] ieee80211_iface_work+0x49c/0xfe0 [ 97.903405][ T133] cfg80211_wiphy_work+0x2df/0x460 [ 97.905640][ T133] ? process_scheduled_works+0x9ef/0x17b0 [ 97.908004][ T133] process_scheduled_works+0xae1/0x17b0 [ 97.910543][ T133] ? __pfx_process_scheduled_works+0x10/0x10 [ 97.913473][ T133] worker_thread+0x8a0/0xda0 [ 97.915783][ T133] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 97.919226][ T133] ? __kthread_parkme+0x7b/0x200 [ 97.921485][ T133] kthread+0x70e/0x8a0 [ 97.923187][ T133] ? __pfx_worker_thread+0x10/0x10 [ 97.925432][ T133] ? __pfx_kthread+0x10/0x10 [ 97.927969][ T133] ? _raw_spin_unlock_irq+0x23/0x50 [ 97.931429][ T133] ? lockdep_hardirqs_on+0x9c/0x150 [ 97.933965][ T133] ? __pfx_kthread+0x10/0x10 [ 97.936223][ T133] ret_from_fork+0x3fc/0x770 [ 97.938400][ T133] ? __pfx_ret_from_fork+0x10/0x10 [ 97.940606][ T133] ? __pfx_kthread+0x10/0x10 [ 97.942678][ T133] ret_from_fork_asm+0x1a/0x30 [ 97.944737][ T133] [ 97.946435][ T133] Kernel Offset: disabled [ 97.948452][ T133] Rebooting in 86400 seconds..