program:
# Fuzzer-generated syscall program in syzkaller program syntax, shown here one call per line.
# rN names a resource (fd, family id, ifindex) produced by an earlier call; &(0x7f...) is a fixed
# address inside the fuzzer's data mapping. The console output after the program ends in a WARNING
# in mac80211_hwsim_tx ("Invalid VIF ... magic 0x0"), hit from the mld_ifc_work worker.
#
# NOTE(review): r4, r6, r11, r16 and r17 are consumed below but never assigned in this listing.
# Presumably the `<rN=>` output markers in the ifindex field of the preceding SIOCGIFINDEX ioctls
# were stripped during extraction (the empty entries after "Call Trace:" look like the same kind of
# loss) - confirm against the original report before trying to replay this for a regression test.

# Generic-netlink socket: 0x10 = AF_NETLINK, 0x3 = SOCK_RAW, 0x10 = NETLINK_GENERIC.
r0 = socket$nl_generic(0x10, 0x3, 0x10)
# Resolve the nl80211 genetlink family id (done several times; each id feeds one request below).
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
# 0x8933 = SIOCGIFINDEX: look up the interface index of wlan0.
ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f00000003c0)={'wlan0\x00', 0x0})
# Channel-switch request for the interface in r4: frequency 0x994 (2452), block-TX flag,
# switch count 0x99.
sendmsg$NL80211_CMD_CHANNEL_SWITCH(r3, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000400)={0x30, r2, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8, 0x26, @random=0x994}], @NL80211_ATTR_CH_SWITCH_BLOCK_TX={0x4}, @NL80211_ATTR_CH_SWITCH_COUNT={0x8, 0xb7, 0x99}]}, 0x30}}, 0x0)
# rtnetlink socket (protocol 0x0 = NETLINK_ROUTE) and the ifindex of wlan1.
r5 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000180)={'wlan1\x00', 0x0})
# Link message (nlmsg type 0x10) for the interface in r6. Presumably this is the flags change
# behind the console line "wlan1: entered allmulticast mode" - verify.
sendmsg$nl_route(r5, &(0x7f0000000040)={0x0, 0xf0, &(0x7f0000000100)={&(0x7f0000000280)=@newlink={0x20, 0x10, 0x401, 0x0, 0x0, {0x0, 0x48, 0x0, r6, 0x21eae}}, 0x20}}, 0x0)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
# nftables batch creating flowtable 'syz1' in table 'syz0'. No nftables frame appears in the
# trace below, so this call may be fuzzer noise rather than part of the trigger - unconfirmed.
r8 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r8, &(0x7f0000001e00)={0x0, 0x0, &(0x7f0000001dc0)={&(0x7f0000000280)={{0x14}, [@NFT_MSG_NEWFLOWTABLE={0x30, 0x16, 0xa, 0x101, 0x0, 0x0, {0x2, 0x0, 0x2}, [@NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz1\x00'}, @NFTA_FLOWTABLE_HOOK={0x4}, @NFTA_FLOWTABLE_TABLE={0x9, 0x1, 'syz0\x00'}]}], {0x14}}, 0x58}}, 0x44814)
# AF_UNIX datagram socket, used only as a handle for the SIOCGIFINDEX lookup of wlan1.
r9 = socket$unix(0x1, 0x2, 0x0)
r10 = syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r9, 0x8933, &(0x7f0000000100)={'wlan1\x00', 0x0})
# Create a new virtual interface named 'syzkaller0' with iftype 0x7 (NL80211_IFTYPE_MESH_POINT)
# and an empty mesh id, addressed via the ifindex in r11.
sendmsg$NL80211_CMD_NEW_INTERFACE(r7, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000340)={0x50, r10, 0x1, 0x70bd28, 0x25dfdbfd, {{}, {@void, @val={0x8, 0x3, r11}, @val={0xc, 0x99, {0x7ff, 0x70}}}}, [@NL80211_ATTR_IFNAME={0x14, 0x4, 'syzkaller0\x00'}, @NL80211_ATTR_IFTYPE={0x8, 0x5, 0x7}, @NL80211_ATTR_MESH_ID={0xa}]}, 0x50}, 0x1, 0x0, 0x0, 0x91}, 0x24044884)
# r12 is closed and then used again two calls later. The SCTP socket opened in between
# (0x2 = AF_INET, 0x1 = SOCK_STREAM, 0x84 = IPPROTO_SCTP) presumably reuses the freed fd number,
# so the ioctl on 'syzkaller0' would land on that socket - confirm when replaying.
r12 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
close(r12)
socket$inet_sctp(0x2, 0x1, 0x84)
ioctl$SIOCSIFHWADDR(r12, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @link_local})
# syzkaller pseudo-syscall: inject a probe-response management frame into the simulated radio.
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000000)=@mgmt_frame=@probe_response={{{}, {}, @broadcast, @device_a, @from_mac}, 0x0, @random=0x3fe, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val, @void, @void, @void, @void, @val={0x72, 0x6}, @val={0x71, 0x7, {0x1, 0x1, 0xffffffffffffffff, 0x1, 0x40, 0x7f, 0x20}}}, 0x3f)
# Bluetooth BNEP socket and a getsockopt on it. The "Bluetooth: hci0: command tx timeout"
# console line comes from a different task (T4662) than the WARNING (T5301).
r13 = syz_init_net_socket$bt_bnep(0x1f, 0x3, 0x4)
getsockopt$bt_BT_FLUSHABLE(r13, 0x112, 0x8, &(0x7f0000000240)=0x8, &(0x7f0000000440)=0x4)
r14 = socket$nl_generic(0x10, 0x3, 0x10)
r15 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r14, 0x8933, &(0x7f00000002c0)={'wlan0\x00', 0x0})
# Transmit an action frame carrying an extended-channel-switch element on the interface in r16,
# with one CSA counter offset.
sendmsg$NL80211_CMD_FRAME(r14, &(0x7f0000000c00)={0x0, 0x0, &(0x7f0000000640)={&(0x7f00000005c0)={0x50, r15, 0x1, 0x0, 0x0, {{}, {@val={0x8, 0x3, r16}, @void}}, [@NL80211_ATTR_FRAME={0x2a, 0x33, @action={{{}, {}, @device_b}, @ext_ch_sw={0x4, 0x4, {{}, @val={0x76, 0x6, {0x4, 0x5, 0x19, 0x3}}}}}}, @NL80211_ATTR_CSA_C_OFFSETS_TX={0x6, 0xcd, [0x0]}]}, 0x50}}, 0x0)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0})
# Last call before the WARNING: change the interface in r17 (looked up as wlan0 just above) to
# iftype 0x9 (NL80211_IFTYPE_P2P_GO). A type change racing with a queued transmit would fit the
# "magic 0x0" message, but the log alone does not prove that ordering.
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r17}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x9}]}, 0x24}, 0x1, 0x0, 0x0, 0x20004000}, 0x0)
# Kernel console output follows. Triage: the trace is a WARNING raised by a sanity check in the
# mac80211_hwsim virtual driver (mac80211_hwsim.c:237); the machine goes down only because
# panic_on_warn is set ("Kernel panic - not syncing: kernel: panic_on_warn set ...").
[ 73.026482][ T4662] Bluetooth: hci0: command tx timeout [ 73.122847][ T5317] mac80211_hwsim hwsim3 wlan1: entered allmulticast mode [ 73.157760][ T5317] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 73.166026][ T5317] Unknown status report in ack skb [ 73.176596][ T5301] ------------[ cut here ]------------ [ 73.178794][ T5301] Invalid VIF (ffff8880124829d0) magic 0x0, 08:02:11:00:00:01, 1/0 [ 73.182105][ T5301] WARNING: CPU: 0 PID: 5301 at
drivers/net/wireless/virtual/mac80211_hwsim.c:237 mac80211_hwsim_tx+0x1b6f/0x23c0 [ 73.186323][ T5301] Modules linked in: [ 73.187694][ T5301] CPU: 0 UID: 0 PID: 5301 Comm: kworker/0:3 Not tainted 6.13.0-syzkaller-04541-gdf60eac9efe8 #0 [ 73.191186][ T5301] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 73.194849][ T5301] Workqueue: mld mld_ifc_work [ 73.196700][ T5301] RIP: 0010:mac80211_hwsim_tx+0x1b6f/0x23c0 [ 73.198856][ T5301] Code: 28 84 c0 0f 85 06 08 00 00 45 0f b6 8e 61 04 00 00 48 c7 c7 60 d6 a9 8c 4c 89 f6 44 89 e2 48 89 e9 41 89 d8 e8 f2 c8 49 fa 90 <0f> 0b 90 90 e9 69 f2 ff ff e8 03 16 89 fa 90 0f 0b 90 e9 d5 f2 ff [ 73.205895][ T5301] RSP: 0018:ffffc9000d20eb70 EFLAGS: 00010246 [ 73.208317][ T5301] RAX: c88974db876d8200 RBX: 0000000000000001 RCX: ffff88801fa1c880 [ 73.211180][ T5301] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 73.213760][ T5301] RBP: ffff888012482e2a R08: ffffffff81603132 R09: 1ffff11003f8519a [ 73.216810][ T5301] R10: dffffc0000000000 R11: ffffed1003f8519b R12: 0000000000000000 [ 73.219652][ T5301] R13: dffffc0000000000 R14: ffff8880124829d0 R15: 0000000000000000 [ 73.222555][ T5301] FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 73.225755][ T5301] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 73.228233][ T5301] CR2: 0000000020002280 CR3: 0000000042bda000 CR4: 0000000000352ef0 [ 73.231015][ T5301] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 73.233849][ T5301] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 73.236601][ T5301] Call Trace: [ 73.237812][ T5301] [ 73.238843][ T5301] ? __warn+0x165/0x4d0 [ 73.240542][ T5301] ? mac80211_hwsim_tx+0x1b6f/0x23c0 [ 73.242680][ T5301] ? report_bug+0x2b3/0x500 [ 73.244497][ T5301] ? mac80211_hwsim_tx+0x1b6f/0x23c0 [ 73.246860][ T5301] ? handle_bug+0x60/0x90 [ 73.249085][ T5301] ? exc_invalid_op+0x1a/0x50 [ 73.251078][ T5301] ? 
asm_exc_invalid_op+0x1a/0x20 [ 73.252707][ T5301] ? __warn_printk+0x292/0x360 [ 73.254539][ T5301] ? mac80211_hwsim_tx+0x1b6f/0x23c0 [ 73.256533][ T5301] ieee80211_handle_wake_tx_queue+0x1ae/0x2d0 [ 73.258769][ T5301] ? __pfx_ieee80211_handle_wake_tx_queue+0x10/0x10 [ 73.261228][ T5301] ? ieee80211_queue_skb+0x18b6/0x24b0 [ 73.263231][ T5301] ? do_raw_spin_unlock+0x58/0x8b0 [ 73.265209][ T5301] ieee80211_queue_skb+0x1ae9/0x24b0 [ 73.267314][ T5301] ieee80211_tx+0x2c4/0x470 [ 73.269025][ T5301] ? __pfx_ieee80211_tx+0x10/0x10 [ 73.271053][ T5301] ? ieee80211_xmit+0x30f/0x3f0 [ 73.273056][ T5301] __ieee80211_subif_start_xmit+0xe93/0x1600 [ 73.275584][ T5301] ? ip6_finish_output2+0x12ad/0x1780 [ 73.277807][ T5301] ? ip6_finish_output+0x41e/0x840 [ 73.279798][ T5301] ? __ieee80211_subif_start_xmit+0x300/0x1600 [ 73.282043][ T5301] ? __pfx___ieee80211_subif_start_xmit+0x10/0x10 [ 73.284285][ T5301] ? __lock_acquire+0x1397/0x2100 [ 73.285896][ T5301] ieee80211_subif_start_xmit+0xde/0x4d0 [ 73.287950][ T5301] ? __pfx_ieee80211_subif_start_xmit+0x10/0x10 [ 73.290311][ T5301] ? __pfx_lock_acquire+0x10/0x10 [ 73.292289][ T5301] dev_hard_start_xmit+0x27a/0x7d0 [ 73.294578][ T5301] __dev_queue_xmit+0x1b73/0x3f50 [ 73.296596][ T5301] ? __dev_queue_xmit+0x2f4/0x3f50 [ 73.298670][ T5301] ? __pfx___dev_queue_xmit+0x10/0x10 [ 73.300468][ T5301] ? neigh_resolve_output+0x450/0x740 [ 73.302000][ T5301] ? read_seqbegin+0x15a/0x2c0 [ 73.303354][ T5301] ? lockdep_hardirqs_on+0x99/0x150 [ 73.304927][ T5301] ? read_seqbegin+0x200/0x2c0 [ 73.306710][ T5301] ? __pfx_read_seqbegin+0x10/0x10 [ 73.308198][ T5301] ? neigh_resolve_output+0x2e5/0x740 [ 73.310053][ T5301] ? eth_header+0x11c/0x1f0 [ 73.311759][ T5301] ? __asan_memcpy+0x40/0x70 [ 73.313572][ T5301] ? eth_header+0x11c/0x1f0 [ 73.315194][ T5301] ? __pfx_eth_header+0x10/0x10 [ 73.317093][ T5301] ? neigh_resolve_output+0x61f/0x740 [ 73.318931][ T5301] ip6_finish_output2+0x12ad/0x1780 [ 73.320824][ T5301] ? 
ip6_finish_output2+0x61d/0x1780 [ 73.322805][ T5301] ? __pfx_ip6_finish_output2+0x10/0x10 [ 73.324997][ T5301] ? ip6_mtu+0x81/0x3f0 [ 73.326702][ T5301] ip6_finish_output+0x41e/0x840 [ 73.328673][ T5301] NF_HOOK+0x9e/0x430 [ 73.330282][ T5301] ? NF_HOOK+0xfa/0x430 [ 73.331944][ T5301] ? __pfx_NF_HOOK+0x10/0x10 [ 73.333764][ T5301] ? __pfx_dst_output+0x10/0x10 [ 73.335688][ T5301] ? icmp6_dst_alloc+0x3aa/0x420 [ 73.337719][ T5301] mld_sendpack+0x843/0xdb0 [ 73.339481][ T5301] ? __pfx_mld_newpack+0x10/0x10 [ 73.341400][ T5301] ? mld_sendpack+0x1e8/0xdb0 [ 73.343314][ T5301] ? __pfx_mld_sendpack+0x10/0x10 [ 73.345335][ T5301] mld_ifc_work+0x7d9/0xd90 [ 73.347432][ T5301] ? process_scheduled_works+0x976/0x1840 [ 73.349652][ T5301] process_scheduled_works+0xa66/0x1840 [ 73.351850][ T5301] ? __pfx_process_scheduled_works+0x10/0x10 [ 73.354199][ T5301] ? assign_work+0x364/0x3d0 [ 73.355846][ T5301] worker_thread+0x870/0xd30 [ 73.357589][ T5301] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 73.359729][ T5301] ? __kthread_parkme+0x169/0x1d0 [ 73.361599][ T5301] ? __pfx_worker_thread+0x10/0x10 [ 73.363596][ T5301] kthread+0x7a9/0x920 [ 73.365177][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.367001][ T5301] ? __pfx_worker_thread+0x10/0x10 [ 73.369053][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.370845][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.372635][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.374439][ T5301] ? _raw_spin_unlock_irq+0x23/0x50 [ 73.376532][ T5301] ? lockdep_hardirqs_on+0x99/0x150 [ 73.378581][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.380307][ T5301] ret_from_fork+0x4b/0x80 [ 73.382092][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.383662][ T5301] ret_from_fork_asm+0x1a/0x30 [ 73.385297][ T5301] [ 73.386482][ T5301] Kernel panic - not syncing: kernel: panic_on_warn set ... 
[ 73.388837][ T5301] CPU: 0 UID: 0 PID: 5301 Comm: kworker/0:3 Not tainted 6.13.0-syzkaller-04541-gdf60eac9efe8 #0 [ 73.392748][ T5301] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 73.396829][ T5301] Workqueue: mld mld_ifc_work [ 73.398702][ T5301] Call Trace: [ 73.400019][ T5301] [ 73.401212][ T5301] dump_stack_lvl+0x241/0x360 [ 73.402988][ T5301] ? __pfx_dump_stack_lvl+0x10/0x10 [ 73.405036][ T5301] ? __pfx__printk+0x10/0x10 [ 73.406869][ T5301] ? vscnprintf+0x5d/0x90 [ 73.408534][ T5301] panic+0x349/0x880 [ 73.410117][ T5301] ? __warn+0x174/0x4d0 [ 73.411609][ T5301] ? __pfx_panic+0x10/0x10 [ 73.413063][ T5301] ? ret_from_fork_asm+0x1a/0x30 [ 73.414798][ T5301] __warn+0x344/0x4d0 [ 73.416315][ T5301] ? mac80211_hwsim_tx+0x1b6f/0x23c0 [ 73.418460][ T5301] report_bug+0x2b3/0x500 [ 73.420063][ T5301] ? mac80211_hwsim_tx+0x1b6f/0x23c0 [ 73.422086][ T5301] handle_bug+0x60/0x90 [ 73.423481][ T5301] exc_invalid_op+0x1a/0x50 [ 73.425053][ T5301] asm_exc_invalid_op+0x1a/0x20 [ 73.426799][ T5301] RIP: 0010:mac80211_hwsim_tx+0x1b6f/0x23c0 [ 73.428862][ T5301] Code: 28 84 c0 0f 85 06 08 00 00 45 0f b6 8e 61 04 00 00 48 c7 c7 60 d6 a9 8c 4c 89 f6 44 89 e2 48 89 e9 41 89 d8 e8 f2 c8 49 fa 90 <0f> 0b 90 90 e9 69 f2 ff ff e8 03 16 89 fa 90 0f 0b 90 e9 d5 f2 ff [ 73.435522][ T5301] RSP: 0018:ffffc9000d20eb70 EFLAGS: 00010246 [ 73.437468][ T5301] RAX: c88974db876d8200 RBX: 0000000000000001 RCX: ffff88801fa1c880 [ 73.440137][ T5301] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 73.442934][ T5301] RBP: ffff888012482e2a R08: ffffffff81603132 R09: 1ffff11003f8519a [ 73.445547][ T5301] R10: dffffc0000000000 R11: ffffed1003f8519b R12: 0000000000000000 [ 73.448065][ T5301] R13: dffffc0000000000 R14: ffff8880124829d0 R15: 0000000000000000 [ 73.450617][ T5301] ? __warn_printk+0x292/0x360 [ 73.452254][ T5301] ieee80211_handle_wake_tx_queue+0x1ae/0x2d0 [ 73.454529][ T5301] ? 
__pfx_ieee80211_handle_wake_tx_queue+0x10/0x10 [ 73.457288][ T5301] ? ieee80211_queue_skb+0x18b6/0x24b0 [ 73.459552][ T5301] ? do_raw_spin_unlock+0x58/0x8b0 [ 73.461399][ T5301] ieee80211_queue_skb+0x1ae9/0x24b0 [ 73.463697][ T5301] ieee80211_tx+0x2c4/0x470 [ 73.465679][ T5301] ? __pfx_ieee80211_tx+0x10/0x10 [ 73.467339][ T5301] ? ieee80211_xmit+0x30f/0x3f0 [ 73.469278][ T5301] __ieee80211_subif_start_xmit+0xe93/0x1600 [ 73.471541][ T5301] ? ip6_finish_output2+0x12ad/0x1780 [ 73.473620][ T5301] ? ip6_finish_output+0x41e/0x840 [ 73.475516][ T5301] ? __ieee80211_subif_start_xmit+0x300/0x1600 [ 73.477878][ T5301] ? __pfx___ieee80211_subif_start_xmit+0x10/0x10 [ 73.480128][ T5301] ? __lock_acquire+0x1397/0x2100 [ 73.482003][ T5301] ieee80211_subif_start_xmit+0xde/0x4d0 [ 73.484072][ T5301] ? __pfx_ieee80211_subif_start_xmit+0x10/0x10 [ 73.486355][ T5301] ? __pfx_lock_acquire+0x10/0x10 [ 73.488302][ T5301] dev_hard_start_xmit+0x27a/0x7d0 [ 73.490116][ T5301] __dev_queue_xmit+0x1b73/0x3f50 [ 73.492030][ T5301] ? __dev_queue_xmit+0x2f4/0x3f50 [ 73.493994][ T5301] ? __pfx___dev_queue_xmit+0x10/0x10 [ 73.495987][ T5301] ? neigh_resolve_output+0x450/0x740 [ 73.498011][ T5301] ? read_seqbegin+0x15a/0x2c0 [ 73.499832][ T5301] ? lockdep_hardirqs_on+0x99/0x150 [ 73.501864][ T5301] ? read_seqbegin+0x200/0x2c0 [ 73.503634][ T5301] ? __pfx_read_seqbegin+0x10/0x10 [ 73.505515][ T5301] ? neigh_resolve_output+0x2e5/0x740 [ 73.507675][ T5301] ? eth_header+0x11c/0x1f0 [ 73.509369][ T5301] ? __asan_memcpy+0x40/0x70 [ 73.511236][ T5301] ? eth_header+0x11c/0x1f0 [ 73.513091][ T5301] ? __pfx_eth_header+0x10/0x10 [ 73.514998][ T5301] ? neigh_resolve_output+0x61f/0x740 [ 73.516893][ T5301] ip6_finish_output2+0x12ad/0x1780 [ 73.518844][ T5301] ? ip6_finish_output2+0x61d/0x1780 [ 73.520992][ T5301] ? __pfx_ip6_finish_output2+0x10/0x10 [ 73.523048][ T5301] ? ip6_mtu+0x81/0x3f0 [ 73.524614][ T5301] ip6_finish_output+0x41e/0x840 [ 73.526434][ T5301] NF_HOOK+0x9e/0x430 [ 73.527822][ T5301] ? 
NF_HOOK+0xfa/0x430 [ 73.529331][ T5301] ? __pfx_NF_HOOK+0x10/0x10 [ 73.531150][ T5301] ? __pfx_dst_output+0x10/0x10 [ 73.532940][ T5301] ? icmp6_dst_alloc+0x3aa/0x420 [ 73.534810][ T5301] mld_sendpack+0x843/0xdb0 [ 73.536470][ T5301] ? __pfx_mld_newpack+0x10/0x10 [ 73.538385][ T5301] ? mld_sendpack+0x1e8/0xdb0 [ 73.540185][ T5301] ? __pfx_mld_sendpack+0x10/0x10 [ 73.542165][ T5301] mld_ifc_work+0x7d9/0xd90 [ 73.543855][ T5301] ? process_scheduled_works+0x976/0x1840 [ 73.546008][ T5301] process_scheduled_works+0xa66/0x1840 [ 73.548171][ T5301] ? __pfx_process_scheduled_works+0x10/0x10 [ 73.550463][ T5301] ? assign_work+0x364/0x3d0 [ 73.552287][ T5301] worker_thread+0x870/0xd30 [ 73.554100][ T5301] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 73.556351][ T5301] ? __kthread_parkme+0x169/0x1d0 [ 73.558313][ T5301] ? __pfx_worker_thread+0x10/0x10 [ 73.560254][ T5301] kthread+0x7a9/0x920 [ 73.561903][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.563667][ T5301] ? __pfx_worker_thread+0x10/0x10 [ 73.565608][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.567356][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.569112][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.570872][ T5301] ? _raw_spin_unlock_irq+0x23/0x50 [ 73.572870][ T5301] ? lockdep_hardirqs_on+0x99/0x150 [ 73.574860][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.576614][ T5301] ret_from_fork+0x4b/0x80 [ 73.578363][ T5301] ? __pfx_kthread+0x10/0x10 [ 73.580055][ T5301] ret_from_fork_asm+0x1a/0x30 [ 73.581914][ T5301] [ 73.583379][ T5301] Kernel Offset: disabled [ 73.585077][ T5301] Rebooting in 86400 seconds..