program:
# Reproducer in syzkaller program notation, laid out one call per line.
# NOTE(review): r1, r5, r8, r9, r12 and r16 are used below but never assigned
# in this listing. syzkaller writes out-parameter bindings inline as
# `<rN=>value`; those were presumably stripped as markup during extraction.
# Confirm against the original report before replaying this text.
# Return values are not shown, so which calls succeeded cannot be told from
# this page.

# iommufd setup. The "iommufd_mock0: Adding to iommu group 11" log line below
# comes from this part. No iommufd frames appear in the WARNING call trace.
openat$iommufd(0xffffffffffffff9c, &(0x7f0000000040), 0x40, 0x0)
r0 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
ioctl$IOMMU_IOAS_ALLOC(r0, 0x3b81, &(0x7f00000000c0)={0xc, 0x0, 0x0})
ioctl$IOMMU_TEST_OP_MOCK_DOMAIN(r0, 0x3ba0, &(0x7f0000000100)={0x48, 0x2, r1})

# TUN device 'syzkaller0'. r2 is used again by the final TUNSETQUEUE call.
r2 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})

# First nl80211 generic-netlink socket (r3) and family id (r4), plus an
# ifindex lookup for 'wlan0'. r3 and r4 are used later by CONTROL_PORT_FRAME.
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000400)={'wlan0\x00', 0x0})

# Second nl80211 socket (r6/r7). SET_INTERFACE carries NL80211_ATTR_IFTYPE
# with value 0x3 (AP in the nl80211 iftype enum), followed by START_AP on the
# same interface index (r8).
r6 = socket$nl_generic(0x10, 0x3, 0x10)
r7 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r6, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r6, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r7, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x3}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_START_AP(r6, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000440)=ANY=[@ANYBLOB="0000000051118c5d2db64633c34a641ce4964aba7824be2a44708d2092100000002def830c624d190c453af4075978bb074a4b6070dc0803dbd008003cb4fc195e37c8aa94fcc1e327af81701975d784e4a380589cc6", @ANYRES16=r7, @ANYBLOB="050000000000000000000f00000008000300", @ANYRES32=r8, @ANYBLOB="2b000e0080000000ffffffffffff08021100000108021100000000000000000000000000640001002a010600080026006c09000008000c006400000008000d0000000000"], 0x60}}, 0x0)

# Third nl80211 socket (r10/r11). The NEW_STATION request below is the only
# NL80211_CMD_NEW_STATION in the program, and the kernel call trace that
# follows runs nl80211_new_station -> ieee80211_add_station ->
# sta_apply_parameters -> sta_apply_auth_flags ->
# rate_control_rate_init_all_links -> rate_control_rate_init, where the
# WARNING at net/mac80211/rate.c:53 is reported with the text "!chanctx_conf".
# Triage note: the panic in the log is "panic_on_warn set", i.e. the WARNING
# was promoted to a panic by configuration. The log shows no separate fault
# report. The task is logged as UID 0.
# NOTE(review): the msghdr address here ends in 0x1080, matching the low bits
# of user RSI (0x200000001080) in the register dump. The base differs,
# presumably an address-space remapping by the executor; confirm.
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff})
r10 = socket$nl_generic(0x10, 0x3, 0x10)
r11 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000f80), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r9, 0x8933, &(0x7f0000000300)={'wlan0\x00', 0x0})
sendmsg$NL80211_CMD_NEW_STATION(r10, &(0x7f0000001080)={0x0, 0x0, &(0x7f0000001040)={&(0x7f0000000340)={0x3c, r11, 0xb97534d5fe9704cf, 0x0, 0x0, {{}, {@val={0x8, 0x3, r12}, @void}}, [@NL80211_ATTR_STA_SUPPORTED_RATES={0x4}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STA_AID={0x6, 0x10, 0x580}, @NL80211_ATTR_STA_LISTEN_INTERVAL={0x6, 0x12, 0x1}]}, 0x3c}, 0x1, 0x0, 0x0, 0x80c1}, 0x0)

# The remaining calls come after NEW_STATION in program order and use
# functions that do not appear in the WARNING call trace. Whether they are
# needed to reproduce is not established by this page.
sendmsg$NL80211_CMD_CONTROL_PORT_FRAME(r3, &(0x7f0000003700)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000002840)=ANY=[@ANYBLOB='L\x00\x00\x00', @ANYRES16=r4, @ANYBLOB="010000000000000000008100000008000300", @ANYRES32=r5, @ANYBLOB="0a0006000800000000010000060066008e8800001c00330008010000080211000000080211000001ffffffffffff0000"], 0x4c}}, 0x0)
r13 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0xc1842, 0x0)
ioctl$TUNSETIFF(r13, 0x400454ca, &(0x7f0000000500)={'syzkaller0\x00', 0x7101})
r14 = socket$unix(0x1, 0x1, 0x0)
r15 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r14, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0})
r17 = bpf$MAP_CREATE(0x0, &(0x7f0000000a00)=@base={0x1, 0x3, 0xbec, 0x7}, 0x50)
bpf$MAP_LOOKUP_BATCH(0x18, &(0x7f0000000300)={0x0, 0x0, 0x0, 0x0, 0x0, r17, 0xffffffff00000000}, 0x38)
sendmsg$nl_route_sched(r15, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000580)={&(0x7f00000001c0)=@newqdisc={0x2c, 0x24, 0x4ee4e6a52ff56541, 0x0, 0x0, {0x0, 0x0, 0x0, r16, {0x0, 0xb}, {0xffff, 0xffff}, {0xfff2}}, [@qdisc_kind_options=@q_mq={0x7}]}, 0x2c}, 0x1, 0x0, 0x0, 0x20000001}, 0x0)
sendmsg$nl_route_sched(r15, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=@newqdisc={0x30, 0x24, 0x4ee4e6a52ff56541, 0x70b923, 0x80000, {0x0, 0x0, 0x0, r16, {}, {0x2, 0xb}, {0xd, 0xb}}, [@qdisc_kind_options=@q_fq={{0x7}, {0x4}}]}, 0x30}, 0x1, 0x0, 0x0, 0x2000c061}, 0x4008000)
ioctl$TUNSETQUEUE(r2, 0x400454d9, &(0x7f0000000080)={'veth0_to_bridge\x00', 0x400})
[ 101.571135][ T5301] Bluetooth: hci0: command tx timeout
[ 101.746709][ T5325] iommufd_mock iommufd_mock0: Adding to iommu group 11
[ 101.796257][ T5325] ------------[ cut here ]------------
[ 101.799462][ T5325] !chanctx_conf
[ 101.799477][ T5325] 
WARNING: net/mac80211/rate.c:53 at rate_control_rate_init+0x64a/0x6e0, CPU#0: syz.0.0/5325 [ 101.806968][ T5325] Modules linked in: [ 101.809374][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 101.813680][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 101.819406][ T5325] RIP: 0010:rate_control_rate_init+0x64a/0x6e0 [ 101.822626][ T5325] Code: 82 01 00 00 20 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 12 f5 a3 f6 90 0f 0b 90 eb e1 e8 07 f5 a3 f6 90 <0f> 0b 90 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d e9 90 00 00 00 [ 101.832647][ T5325] RSP: 0018:ffffc9000f126f48 EFLAGS: 00010287 [ 101.835946][ T5325] RAX: ffffffff8b21ba79 RBX: ffff888041c04000 RCX: 0000000000100000 [ 101.840598][ T5325] RDX: ffffc90020001000 RSI: 00000000000003c5 RDI: 00000000000003c6 [ 101.844309][ T5325] RBP: 0000000000000000 R08: ffffffff8b21b593 R09: ffffffff8e75e460 [ 101.850348][ T5325] R10: dffffc0000000000 R11: ffffed1008380831 R12: 1ffff1100838080a [ 101.854442][ T5325] R13: ffff888041800e80 R14: 0000000000000001 R15: ffffffff8b21b593 [ 101.858148][ T5325] FS: 00007fba034696c0(0000) GS:ffff88808ca55000(0000) knlGS:0000000000000000 [ 101.862556][ T5325] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 101.866330][ T5325] CR2: 0000200000001080 CR3: 0000000041c57000 CR4: 0000000000352ef0 [ 101.869999][ T5325] Call Trace: [ 101.871527][ T5325] [ 101.872993][ T5325] rate_control_rate_init_all_links+0x109/0x1a0 [ 101.876110][ T5325] sta_apply_auth_flags+0x1c2/0x400 [ 101.879530][ T5325] sta_apply_parameters+0xea9/0x1620 [ 101.881740][ T5325] ieee80211_add_station+0x424/0x6a0 [ 101.884453][ T5325] rdev_add_station+0xfc/0x2c0 [ 101.886742][ T5325] nl80211_new_station+0x1864/0x1d30 [ 101.889813][ T5325] ? trace_contention_end+0x3d/0x150 [ 101.892935][ T5325] ? __pfx_nl80211_new_station+0x10/0x10 [ 101.895610][ T5325] ? __rtnl_unlock+0xc8/0xf0 [ 101.898009][ T5325] ? 
nl80211_pre_doit+0x4f1/0x930 [ 101.900479][ T5325] genl_family_rcv_msg_doit+0x22a/0x330 [ 101.903083][ T5325] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 [ 101.906130][ T5325] ? bpf_lsm_capable+0x9/0x20 [ 101.908850][ T5325] ? security_capable+0x7e/0x2c0 [ 101.911160][ T5325] genl_rcv_msg+0x61c/0x7a0 [ 101.913180][ T5325] ? __pfx_genl_rcv_msg+0x10/0x10 [ 101.915691][ T5325] ? __pfx_nl80211_pre_doit+0x10/0x10 [ 101.918419][ T5325] ? __pfx_nl80211_new_station+0x10/0x10 [ 101.921307][ T5325] ? __pfx_nl80211_post_doit+0x10/0x10 [ 101.924120][ T5325] ? __lock_acquire+0x6b5/0x2cf0 [ 101.926372][ T5325] netlink_rcv_skb+0x232/0x4b0 [ 101.928741][ T5325] ? __pfx_genl_rcv_msg+0x10/0x10 [ 101.931180][ T5325] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 101.933947][ T5325] ? down_read+0x272/0x2e0 [ 101.936013][ T5325] ? genl_rcv+0xd/0x40 [ 101.938101][ T5325] genl_rcv+0x28/0x40 [ 101.939900][ T5325] netlink_unicast+0x80f/0x9b0 [ 101.942307][ T5325] ? __pfx_netlink_unicast+0x10/0x10 [ 101.945398][ T5325] ? netlink_sendmsg+0x650/0xb40 [ 101.948413][ T5325] ? skb_put+0x11b/0x210 [ 101.950423][ T5325] netlink_sendmsg+0x813/0xb40 [ 101.952433][ T5325] ? __pfx_netlink_sendmsg+0x10/0x10 [ 101.954634][ T5325] ? aa_sock_msg_perm+0xf1/0x1b0 [ 101.956962][ T5325] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 101.959664][ T5325] ____sys_sendmsg+0x972/0x9f0 [ 101.962226][ T5325] ? __pfx_____sys_sendmsg+0x10/0x10 [ 101.965300][ T5325] ? import_iovec+0x73/0xa0 [ 101.967451][ T5325] ___sys_sendmsg+0x2a5/0x360 [ 101.969794][ T5325] ? __pfx____sys_sendmsg+0x10/0x10 [ 101.972172][ T5325] ? futex_wake+0x4ac/0x580 [ 101.974457][ T5325] ? __fget_files+0x2a/0x420 [ 101.977226][ T5325] ? __fget_files+0x3a0/0x420 [ 101.979907][ T5325] __x64_sys_sendmsg+0x1bd/0x2a0 [ 101.982023][ T5325] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 101.984173][ T5325] ? rcu_is_watching+0x15/0xb0 [ 101.986191][ T5325] do_syscall_64+0x14d/0xf80 [ 101.988391][ T5325] ? trace_irq_disable+0x3b/0x150 [ 101.990562][ T5325] ? 
entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 101.993106][ T5325] ? clear_bhb_loop+0x40/0x90 [ 101.995558][ T5325] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 101.999172][ T5325] RIP: 0033:0x7fba0259c799 [ 102.001784][ T5325] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 102.011371][ T5325] RSP: 002b:00007fba03468fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 102.014981][ T5325] RAX: ffffffffffffffda RBX: 00007fba02815fa0 RCX: 00007fba0259c799 [ 102.018633][ T5325] RDX: 0000000000000000 RSI: 0000200000001080 RDI: 000000000000000a [ 102.022645][ T5325] RBP: 00007fba02632c99 R08: 0000000000000000 R09: 0000000000000000 [ 102.027089][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 102.031387][ T5325] R13: 00007fba02816038 R14: 00007fba02815fa0 R15: 00007ffd2d341428 [ 102.035090][ T5325] [ 102.036709][ T5325] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 102.040966][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 102.045350][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 102.050034][ T5325] Call Trace: [ 102.051781][ T5325] [ 102.053507][ T5325] vpanic+0x56c/0xa60 [ 102.055646][ T5325] ? __pfx__printk+0x10/0x10 [ 102.057766][ T5325] ? __pfx_vpanic+0x10/0x10 [ 102.059908][ T5325] ? is_bpf_text_address+0x292/0x2b0 [ 102.062025][ T5325] ? is_bpf_text_address+0x26/0x2b0 [ 102.064049][ T5325] panic+0xc5/0xd0 [ 102.065905][ T5325] ? __pfx_panic+0x10/0x10 [ 102.068734][ T5325] __warn+0x315/0x4f0 [ 102.070910][ T5325] ? rate_control_rate_init+0x64a/0x6e0 [ 102.073179][ T5325] ? rate_control_rate_init+0x64a/0x6e0 [ 102.075673][ T5325] __report_bug+0x29a/0x540 [ 102.078299][ T5325] ? lockdep_hardirqs_on+0x7a/0x110 [ 102.081396][ T5325] ? rate_control_rate_init+0x64a/0x6e0 [ 102.084954][ T5325] ? 
__pfx___report_bug+0x10/0x10 [ 102.087694][ T5325] ? __lock_acquire+0x6b5/0x2cf0 [ 102.089985][ T5325] ? __lock_acquire+0x6b5/0x2cf0 [ 102.092375][ T5325] ? rate_control_rate_init+0x64a/0x6e0 [ 102.095395][ T5325] report_bug+0x16a/0x220 [ 102.097480][ T5325] ? rate_control_rate_init+0x64a/0x6e0 [ 102.100111][ T5325] ? rate_control_rate_init+0x64c/0x6e0 [ 102.102627][ T5325] handle_bug+0x9c/0x200 [ 102.104614][ T5325] exc_invalid_op+0x1a/0x50 [ 102.106883][ T5325] asm_exc_invalid_op+0x1a/0x20 [ 102.109313][ T5325] RIP: 0010:rate_control_rate_init+0x64a/0x6e0 [ 102.112055][ T5325] Code: 82 01 00 00 20 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 12 f5 a3 f6 90 0f 0b 90 eb e1 e8 07 f5 a3 f6 90 <0f> 0b 90 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d e9 90 00 00 00 [ 102.121007][ T5325] RSP: 0018:ffffc9000f126f48 EFLAGS: 00010287 [ 102.124302][ T5325] RAX: ffffffff8b21ba79 RBX: ffff888041c04000 RCX: 0000000000100000 [ 102.127915][ T5325] RDX: ffffc90020001000 RSI: 00000000000003c5 RDI: 00000000000003c6 [ 102.131200][ T5325] RBP: 0000000000000000 R08: ffffffff8b21b593 R09: ffffffff8e75e460 [ 102.135654][ T5325] R10: dffffc0000000000 R11: ffffed1008380831 R12: 1ffff1100838080a [ 102.140182][ T5325] R13: ffff888041800e80 R14: 0000000000000001 R15: ffffffff8b21b593 [ 102.143750][ T5325] ? rate_control_rate_init+0x163/0x6e0 [ 102.146201][ T5325] ? rate_control_rate_init+0x163/0x6e0 [ 102.148731][ T5325] ? rate_control_rate_init+0x649/0x6e0 [ 102.151443][ T5325] ? rate_control_rate_init+0x649/0x6e0 [ 102.154290][ T5325] rate_control_rate_init_all_links+0x109/0x1a0 [ 102.157107][ T5325] sta_apply_auth_flags+0x1c2/0x400 [ 102.160007][ T5325] sta_apply_parameters+0xea9/0x1620 [ 102.162717][ T5325] ieee80211_add_station+0x424/0x6a0 [ 102.165195][ T5325] rdev_add_station+0xfc/0x2c0 [ 102.167563][ T5325] nl80211_new_station+0x1864/0x1d30 [ 102.170138][ T5325] ? trace_contention_end+0x3d/0x150 [ 102.172603][ T5325] ? 
__pfx_nl80211_new_station+0x10/0x10 [ 102.175224][ T5325] ? __rtnl_unlock+0xc8/0xf0 [ 102.177656][ T5325] ? nl80211_pre_doit+0x4f1/0x930 [ 102.180074][ T5325] genl_family_rcv_msg_doit+0x22a/0x330 [ 102.182946][ T5325] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 [ 102.185997][ T5325] ? bpf_lsm_capable+0x9/0x20 [ 102.188592][ T5325] ? security_capable+0x7e/0x2c0 [ 102.191045][ T5325] genl_rcv_msg+0x61c/0x7a0 [ 102.193124][ T5325] ? __pfx_genl_rcv_msg+0x10/0x10 [ 102.195372][ T5325] ? __pfx_nl80211_pre_doit+0x10/0x10 [ 102.197825][ T5325] ? __pfx_nl80211_new_station+0x10/0x10 [ 102.200718][ T5325] ? __pfx_nl80211_post_doit+0x10/0x10 [ 102.203501][ T5325] ? __lock_acquire+0x6b5/0x2cf0 [ 102.205657][ T5325] netlink_rcv_skb+0x232/0x4b0 [ 102.207885][ T5325] ? __pfx_genl_rcv_msg+0x10/0x10 [ 102.210504][ T5325] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 102.213587][ T5325] ? down_read+0x272/0x2e0 [ 102.216086][ T5325] ? genl_rcv+0xd/0x40 [ 102.217978][ T5325] genl_rcv+0x28/0x40 [ 102.219860][ T5325] netlink_unicast+0x80f/0x9b0 [ 102.222111][ T5325] ? __pfx_netlink_unicast+0x10/0x10 [ 102.225172][ T5325] ? netlink_sendmsg+0x650/0xb40 [ 102.227904][ T5325] ? skb_put+0x11b/0x210 [ 102.229848][ T5325] netlink_sendmsg+0x813/0xb40 [ 102.232040][ T5325] ? __pfx_netlink_sendmsg+0x10/0x10 [ 102.234483][ T5325] ? aa_sock_msg_perm+0xf1/0x1b0 [ 102.237147][ T5325] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 102.240210][ T5325] ____sys_sendmsg+0x972/0x9f0 [ 102.242618][ T5325] ? __pfx_____sys_sendmsg+0x10/0x10 [ 102.245066][ T5325] ? import_iovec+0x73/0xa0 [ 102.247349][ T5325] ___sys_sendmsg+0x2a5/0x360 [ 102.249847][ T5325] ? __pfx____sys_sendmsg+0x10/0x10 [ 102.252219][ T5325] ? futex_wake+0x4ac/0x580 [ 102.254316][ T5325] ? __fget_files+0x2a/0x420 [ 102.256276][ T5325] ? __fget_files+0x3a0/0x420 [ 102.258623][ T5325] __x64_sys_sendmsg+0x1bd/0x2a0 [ 102.260939][ T5325] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 102.263429][ T5325] ? 
rcu_is_watching+0x15/0xb0 [ 102.265872][ T5325] do_syscall_64+0x14d/0xf80 [ 102.268433][ T5325] ? trace_irq_disable+0x3b/0x150 [ 102.271161][ T5325] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.273835][ T5325] ? clear_bhb_loop+0x40/0x90 [ 102.276078][ T5325] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.279416][ T5325] RIP: 0033:0x7fba0259c799 [ 102.282165][ T5325] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 102.291814][ T5325] RSP: 002b:00007fba03468fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 102.295965][ T5325] RAX: ffffffffffffffda RBX: 00007fba02815fa0 RCX: 00007fba0259c799 [ 102.300036][ T5325] RDX: 0000000000000000 RSI: 0000200000001080 RDI: 000000000000000a [ 102.303587][ T5325] RBP: 00007fba02632c99 R08: 0000000000000000 R09: 0000000000000000 [ 102.307238][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 102.311536][ T5325] R13: 00007fba02816038 R14: 00007fba02815fa0 R15: 00007ffd2d341428 [ 102.315426][ T5325] [ 102.317278][ T5325] Kernel Offset: disabled [ 102.319431][ T5325] Rebooting in 86400 seconds..