program: sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000480)={&(0x7f00000022c0)=@newtaction={0x240, 0x30, 0x300, 0x70bd2d, 0x25dfdbff, {}, [{0x22c, 0x1, [@m_skbedit={0x1f8, 0x19, 0x0, 0x0, {{0xc}, {0x4}, {0x1c9, 0x6, "de616dd9ce3b892bb6fafca061bed3e644dcf9151f4527045657b89def02bb9cad6c62f8293cff1e7df3eb0803889f2fd92b151ed17ab9007c47463bf4e7afe47ab1d24292b0103cbbc15977a51c0ae02a16535a666c86a6321ae76cba859e771aa7d0ff9fa033e50e56e0f68419fd47894ab8f8d473fc2af5fc18fb9399fdbb44bce22ac4c64feea69875f61ef4f46591d0547ce0f025b0a5f6dc470fd9635a05e318fa41b23e07582b3128621edbf17703923cea8b079f042f9924f50ce06116fc38e34430e0a4b60e7144cccb31d0a0457e528dd78226b2989e534df535b22243ec2971118b283cebb23130d1622a675cabf8788d71473f98949841ab1c34d28257f4b10e6eec198365490620753627951432cf82875ec0fccc70181d74035e141d4bbdd59571d5c3fa68b6a9365539b7e734e38e7083fe43b3104f03a618c99dc38b7b166c71dcda72645a7ddd09b867d20ef1d0f2154c6c2af7bfc13509c92a055f4ba6134cf5124359fccca93ea9ef30597c542c2e259bbd96051f001127d7e760711d895b0ae2dabbb4385da14ffe779acd84bec05fb4fc35fefad1a62e114c5f2ca5c6e884ddd618acecb553d05d8ec7fb455e2684ed4d3c3df3c35bee69ce9725"}, {0xc, 0x7, {0x0, 0x1}}, {0xc, 0x8, {0x3, 0x2}}}}, @m_sample={0x30, 0x1e, 0x0, 0x0, {{0xb}, {0x4}, {0x4}, {0xc}, {0xc, 0x8, {0x2, 0x2}}}}]}]}, 0x240}}, 0x0) r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000300)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2, 0x1}]}, @void, @void, @void, @void, @void, @void}, 0x2f) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000400)=@mgmt_frame=@auth={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x1}}, 0x0, 0x2, 0x0, @void}, 0x1e) r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_GET_NODE_DEBUG_INFO(r3, 0xc018620b, 0x0) syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000500)=@mgmt_frame=@assoc_resp={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x2}}, 0x1, 0x0, @default, @val, @void}, 0x20) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000540)=ANY=[@ANYBLOB="80000000080211000001080211000001080211000000000000000000000000006400010005037c200825030002"], 0x64) syz_usb_connect$hid(0x0, 0x0, 0x0, 0x0) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000580)=ANY=[@ANYBLOB="50000000080211000001080211000000080211000000000000000000f9ffffffffffffff00060202020202020106b00c480b1be07206030303030303710701ff0100ff0421"], 0x45) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000040)=ANY=[@ANYBLOB="80000000ffffffffffff080211000000080211"], 0x32) r4 = socket(0x10, 0x803, 0x0) sendto(r4, &(0x7f0000000740)="120000001200e7ef007b00000000000000a1", 0x12, 0x0, 0x0, 0x0) recvmmsg(r4, &(0x7f00000037c0)=[{{&(0x7f00000004c0)=@ethernet={0x0, @random}, 0xfdf4, &(0x7f0000000380)=[{&(0x7f0000000140)=""/100, 0x365}, {&(0x7f0000000280)=""/85, 0x7c}, {&(0x7f0000000fc0)=""/4096, 0x197}, {&(0x7f0000000400)=""/106, 0x645}, {&(0x7f0000000980)=""/73, 0x1b}, {&(0x7f0000000200)=""/77, 0x334}, {&(0x7f00000007c0)=""/154, 0x2c}, {&(0x7f00000001c0)=""/17, 0x1d8}], 0x21, &(0x7f0000000600)=""/191, 0x41}}], 0x4000000000003b4, 0x0, &(0x7f0000003700)={0x77359400}) [ 86.046154][ T5335] Bluetooth: hci0: command tx timeout [ 86.208150][ T5359] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 86.239038][ T5351] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 86.243614][ T5351] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 86.264804][ T54] wlan1: authenticated [ 86.268765][ T5360] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 86.274710][ T5359] binder: 5358:5359 ioctl c018620b 0 returned -14 [ 86.279930][ T54] wlan1: associate with 08:02:11:00:00:00 (try 1/3) [ 86.284525][ T1040] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0x1 status=0 aid=1) [ 86.289341][ T1040] wlan1: associated [ 86.292940][ T5359] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 86.299734][ T5359] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 86.305430][ T5359] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 86.312684][ T54] ------------[ cut here ]------------ [ 86.315194][ T54] WARNING: CPU: 0 PID: 54 at net/wireless/scan.c:1666 cfg80211_rehash_bss+0x1e6/0x540 [ 86.320653][ T54] Modules linked in: [ 86.322762][ T54] CPU: 0 UID: 0 PID: 54 Comm: kworker/u4:4 Not tainted 6.16.0-syzkaller-12250-gc30a13538d9f #0 PREEMPT(full) [ 86.328067][ T54] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.332867][ T54] Workqueue: events_unbound cfg80211_wiphy_work [ 86.335861][ T54] RIP: 0010:cfg80211_rehash_bss+0x1e6/0x540 [ 86.338995][ T54] Code: e8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 33 03 00 00 ff 45 00 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 90 <0f> 0b 90 4c 8b 2c 24 4c 89 ef e8 bb cf 02 fa 84 c0 74 78 e8 92 07 [ 86.347506][ T54] RSP: 0018:ffffc9000100ef20 EFLAGS: 00010246 [ 86.350081][ T54] RAX: ffffffff8aceb2b5 RBX: 0000000000000000 RCX: 0000000000000002 [ 86.353124][ T54] RDX: ffff88801f35c880 RSI: 0000000000000000 RDI: 0000000000000000 [ 86.356179][ T54] RBP: ffff88803fe97068 R08: 0000000000000000 R09: 0000000000000002 [ 86.359961][ T54] R10: 0000000000000002 R11: 0000000000000002 R12: ffff88803ea081a0 [ 86.363550][ T54] R13: ffff88803fea9c30 R14: dffffc0000000000 R15: ffff88803feaa020 [ 86.366982][ T54] FS: 0000000000000000(0000) GS:ffff88808d211000(0000) knlGS:0000000000000000 [ 86.370964][ T54] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 86.374246][ T54] CR2: 00007f02a5ad3f70 CR3: 0000000043d13000 CR4: 0000000000352ef0 [ 86.378085][ T54] Call Trace: [ 86.379669][ T54] [ 86.381057][ T54] cfg80211_update_assoc_bss_entry+0x3f6/0x6a0 [ 86.383833][ T54] cfg80211_ch_switch_notify+0x3c1/0x780 [ 86.386594][ T54] ieee80211_sta_process_chanswitch+0xad4/0x2870 [ 86.389798][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.392255][ T54] ? __pfx_ieee80211_sta_process_chanswitch+0x10/0x10 [ 86.395217][ T54] ? __local_bh_enable_ip+0x12d/0x1c0 [ 86.397677][ T54] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 86.400630][ T54] ieee80211_rx_mgmt_beacon+0x19c7/0x2cd0 [ 86.403081][ T54] ? __pfx_ieee80211_rx_mgmt_beacon+0x10/0x10 [ 86.406336][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.409001][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.411373][ T54] ieee80211_sta_rx_queued_mgmt+0x4ed/0x4470 [ 86.414051][ T54] ? unwind_next_frame+0xa5/0x2390 [ 86.416494][ T54] ? unwind_next_frame+0xa5/0x2390 [ 86.419123][ T54] ? unwind_next_frame+0x19ae/0x2390 [ 86.421823][ T54] ? __pfx_ieee80211_sta_rx_queued_mgmt+0x10/0x10 [ 86.424823][ T54] ? unwind_next_frame+0xa5/0x2390 [ 86.427265][ T54] ? ret_from_fork_asm+0x1a/0x30 [ 86.429502][ T54] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 86.432080][ T54] ? arch_stack_walk+0x11c/0x150 [ 86.434326][ T54] ? ret_from_fork_asm+0x1a/0x30 [ 86.436565][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.438731][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.441199][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.443670][ T54] ? kcov_remote_start+0x4d3/0x7f0 [ 86.446164][ T54] ieee80211_iface_work+0x652/0x12d0 [ 86.448517][ T54] cfg80211_wiphy_work+0x2b8/0x470 [ 86.450921][ T54] ? process_scheduled_works+0x9ef/0x17b0 [ 86.453403][ T54] process_scheduled_works+0xade/0x17b0 [ 86.455972][ T54] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.458481][ T54] worker_thread+0x8a0/0xda0 [ 86.460912][ T54] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 86.463688][ T54] ? __kthread_parkme+0x7b/0x200 [ 86.465820][ T54] kthread+0x70e/0x8a0 [ 86.467505][ T54] ? __pfx_worker_thread+0x10/0x10 [ 86.469598][ T54] ? __pfx_kthread+0x10/0x10 [ 86.471713][ T54] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.474054][ T54] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.476659][ T54] ? __pfx_kthread+0x10/0x10 [ 86.478725][ T54] ret_from_fork+0x3fc/0x770 [ 86.480757][ T54] ? __pfx_ret_from_fork+0x10/0x10 [ 86.483156][ T54] ? __pfx_kthread+0x10/0x10 [ 86.485268][ T54] ret_from_fork_asm+0x1a/0x30 [ 86.487502][ T54] [ 86.489058][ T54] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 86.492398][ T54] CPU: 0 UID: 0 PID: 54 Comm: kworker/u4:4 Not tainted 6.16.0-syzkaller-12250-gc30a13538d9f #0 PREEMPT(full) [ 86.497703][ T54] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.502824][ T54] Workqueue: events_unbound cfg80211_wiphy_work [ 86.505487][ T54] Call Trace: [ 86.506918][ T54] [ 86.508248][ T54] dump_stack_lvl+0x99/0x250 [ 86.510440][ T54] ? __asan_memcpy+0x40/0x70 [ 86.512593][ T54] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.514864][ T54] ? __pfx__printk+0x10/0x10 [ 86.517140][ T54] vpanic+0x281/0x750 [ 86.519050][ T54] ? __pfx__printk+0x10/0x10 [ 86.521415][ T54] ? __pfx_vpanic+0x10/0x10 [ 86.523772][ T54] ? is_bpf_text_address+0x26/0x2b0 [ 86.526717][ T54] panic+0xb9/0xc0 [ 86.528503][ T54] ? __pfx_panic+0x10/0x10 [ 86.530600][ T54] __warn+0x31b/0x4b0 [ 86.532515][ T54] ? cfg80211_rehash_bss+0x1e6/0x540 [ 86.534701][ T54] ? cfg80211_rehash_bss+0x1e6/0x540 [ 86.537192][ T54] report_bug+0x2be/0x4f0 [ 86.539092][ T54] ? cfg80211_rehash_bss+0x1e6/0x540 [ 86.541859][ T54] ? cfg80211_rehash_bss+0x1e6/0x540 [ 86.544588][ T54] ? cfg80211_rehash_bss+0x1e8/0x540 [ 86.547044][ T54] handle_bug+0x84/0x160 [ 86.549032][ T54] exc_invalid_op+0x1a/0x50 [ 86.551149][ T54] asm_exc_invalid_op+0x1a/0x20 [ 86.553413][ T54] RIP: 0010:cfg80211_rehash_bss+0x1e6/0x540 [ 86.555926][ T54] Code: e8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 33 03 00 00 ff 45 00 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 90 <0f> 0b 90 4c 8b 2c 24 4c 89 ef e8 bb cf 02 fa 84 c0 74 78 e8 92 07 [ 86.565432][ T54] RSP: 0018:ffffc9000100ef20 EFLAGS: 00010246 [ 86.568071][ T54] RAX: ffffffff8aceb2b5 RBX: 0000000000000000 RCX: 0000000000000002 [ 86.571699][ T54] RDX: ffff88801f35c880 RSI: 0000000000000000 RDI: 0000000000000000 [ 86.575103][ T54] RBP: ffff88803fe97068 R08: 0000000000000000 R09: 0000000000000002 [ 86.578564][ T54] R10: 0000000000000002 R11: 0000000000000002 R12: ffff88803ea081a0 [ 86.582210][ T54] R13: ffff88803fea9c30 R14: dffffc0000000000 R15: ffff88803feaa020 [ 86.585963][ T54] ? cfg80211_rehash_bss+0xe5/0x540 [ 86.588592][ T54] cfg80211_update_assoc_bss_entry+0x3f6/0x6a0 [ 86.592031][ T54] cfg80211_ch_switch_notify+0x3c1/0x780 [ 86.595124][ T54] ieee80211_sta_process_chanswitch+0xad4/0x2870 [ 86.598732][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.601794][ T54] ? __pfx_ieee80211_sta_process_chanswitch+0x10/0x10 [ 86.606252][ T54] ? __local_bh_enable_ip+0x12d/0x1c0 [ 86.609013][ T54] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 86.612239][ T54] ieee80211_rx_mgmt_beacon+0x19c7/0x2cd0 [ 86.615350][ T54] ? __pfx_ieee80211_rx_mgmt_beacon+0x10/0x10 [ 86.618620][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.621286][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.623913][ T54] ieee80211_sta_rx_queued_mgmt+0x4ed/0x4470 [ 86.627028][ T54] ? unwind_next_frame+0xa5/0x2390 [ 86.629273][ T54] ? unwind_next_frame+0xa5/0x2390 [ 86.631584][ T54] ? unwind_next_frame+0x19ae/0x2390 [ 86.633974][ T54] ? __pfx_ieee80211_sta_rx_queued_mgmt+0x10/0x10 [ 86.636869][ T54] ? unwind_next_frame+0xa5/0x2390 [ 86.639131][ T54] ? ret_from_fork_asm+0x1a/0x30 [ 86.641413][ T54] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 86.643988][ T54] ? arch_stack_walk+0x11c/0x150 [ 86.646502][ T54] ? ret_from_fork_asm+0x1a/0x30 [ 86.648924][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.651031][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.653099][ T54] ? __lock_acquire+0xab9/0xd20 [ 86.655184][ T54] ? kcov_remote_start+0x4d3/0x7f0 [ 86.657340][ T54] ieee80211_iface_work+0x652/0x12d0 [ 86.659672][ T54] cfg80211_wiphy_work+0x2b8/0x470 [ 86.662100][ T54] ? process_scheduled_works+0x9ef/0x17b0 [ 86.665095][ T54] process_scheduled_works+0xade/0x17b0 [ 86.667788][ T54] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.670634][ T54] worker_thread+0x8a0/0xda0 [ 86.672751][ T54] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 86.675641][ T54] ? __kthread_parkme+0x7b/0x200 [ 86.678025][ T54] kthread+0x70e/0x8a0 [ 86.680610][ T54] ? __pfx_worker_thread+0x10/0x10 [ 86.682911][ T54] ? __pfx_kthread+0x10/0x10 [ 86.685030][ T54] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.687238][ T54] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.689363][ T54] ? __pfx_kthread+0x10/0x10 [ 86.691229][ T54] ret_from_fork+0x3fc/0x770 [ 86.693149][ T54] ? __pfx_ret_from_fork+0x10/0x10 [ 86.695472][ T54] ? __pfx_kthread+0x10/0x10 [ 86.697791][ T54] ret_from_fork_asm+0x1a/0x30 [ 86.700491][ T54] [ 86.702336][ T54] Kernel Offset: disabled [ 86.704622][ T54] Rebooting in 86400 seconds..