program: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000640), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000680)={'wlan0\x00', 0x0}) r4 = socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000f80), 0xffffffffffffffff) r6 = socket$qrtr(0x2a, 0x2, 0x0) ioctl$sock_inet_SIOCSIFFLAGS(r6, 0x8914, &(0x7f0000000000)={'wlan1\x00'}) r7 = socket$nl_generic(0x10, 0x3, 0x10) r8 = socket$nl_generic(0x10, 0x3, 0x10) r9 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r7, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r8, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)={0x24, r9, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r10}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x7}]}, 0x24}}, 0x0) r11 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r11, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0) ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8933, &(0x7f0000000040)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_NEW_STATION(r4, &(0x7f0000001080)={0x0, 0x0, &(0x7f0000001040)={&(0x7f00000000c0)={0x3c, r5, 0xb97534d5fe9704cf, 0x0, 0x25dfdbfc, {{}, {@val={0x8, 0x3, r12}, @void}}, [@NL80211_ATTR_STA_LISTEN_INTERVAL={0x6}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STA_SUPPORTED_RATES={0x4}, @NL80211_ATTR_STA_AID={0x6, 0x10, 0x57d}]}, 0x3c}}, 0x0) sendmsg$NL80211_CMD_SET_BSS(r1, &(0x7f0000000740)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x44, r2, 0x1, 0x70bd28, 0x25dfdbfb, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_P2P_CTWINDOW={0xfffffe28}, @NL80211_ATTR_BSS_SHORT_PREAMBLE={0x5, 0x1d, 0xc}, @NL80211_ATTR_BSS_SHORT_SLOT_TIME={0x5, 0x1e, 0x4}, @NL80211_ATTR_AP_ISOLATE={0x5, 0x60, 0xc}, @NL80211_ATTR_BSS_HT_OPMODE={0x6, 0x6d, 0xe9c}]}, 0x44}, 0x1, 0x0, 0x0, 0x20000000}, 0x4000) socket$nl_netfilter(0x10, 0x3, 0xc) (async) socket$nl_generic(0x10, 0x3, 0x10) (async) syz_genetlink_get_family_id$nl80211(&(0x7f0000000640), 0xffffffffffffffff) (async) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000680)={'wlan0\x00'}) (async) socket$nl_generic(0x10, 0x3, 0x10) (async) syz_genetlink_get_family_id$nl80211(&(0x7f0000000f80), 0xffffffffffffffff) (async) socket$qrtr(0x2a, 0x2, 0x0) (async) ioctl$sock_inet_SIOCSIFFLAGS(r6, 0x8914, &(0x7f0000000000)={'wlan1\x00'}) (async) socket$nl_generic(0x10, 0x3, 0x10) (async) socket$nl_generic(0x10, 0x3, 0x10) (async) syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) (async) ioctl$sock_SIOCGIFINDEX_80211(r7, 0x8933, &(0x7f00000000c0)={'wlan1\x00'}) (async) sendmsg$NL80211_CMD_SET_INTERFACE(r8, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)={0x24, r9, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r10}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x7}]}, 0x24}}, 0x0) (async) socket$kcm(0x10, 0x2, 0x0) (async) sendmsg$kcm(r11, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0) (async) ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8933, &(0x7f0000000040)={'wlan1\x00'}) (async) sendmsg$NL80211_CMD_NEW_STATION(r4, &(0x7f0000001080)={0x0, 0x0, &(0x7f0000001040)={&(0x7f00000000c0)={0x3c, r5, 0xb97534d5fe9704cf, 0x0, 0x25dfdbfc, {{}, {@val={0x8, 0x3, r12}, @void}}, [@NL80211_ATTR_STA_LISTEN_INTERVAL={0x6}, @NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_STA_SUPPORTED_RATES={0x4}, @NL80211_ATTR_STA_AID={0x6, 0x10, 0x57d}]}, 0x3c}}, 0x0) (async) sendmsg$NL80211_CMD_SET_BSS(r1, &(0x7f0000000740)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000000)={0x44, r2, 0x1, 0x70bd28, 0x25dfdbfb, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_P2P_CTWINDOW={0xfffffe28}, @NL80211_ATTR_BSS_SHORT_PREAMBLE={0x5, 0x1d, 0xc}, @NL80211_ATTR_BSS_SHORT_SLOT_TIME={0x5, 0x1e, 0x4}, @NL80211_ATTR_AP_ISOLATE={0x5, 0x60, 0xc}, @NL80211_ATTR_BSS_HT_OPMODE={0x6, 0x6d, 0xe9c}]}, 0x44}, 0x1, 0x0, 0x0, 0x20000000}, 0x4000) (async) [ 87.094010][ T5323] Bluetooth: hci0: command tx timeout [ 87.191763][ T5346] netlink: 'syz.0.0': attribute type 10 has an invalid length. [ 87.200644][ T5346] bond0: (slave wlan1): Enslaving as an active interface with an up link [ 87.206232][ T5346] netlink: 40 bytes leftover after parsing attributes in process `syz.0.0'. [ 87.216336][ T5347] ------------[ cut here ]------------ [ 87.218740][ T5347] WARNING: net/mac80211/tx.c:6303 at ieee80211_tx_skb_tid+0x3b4/0x470, CPU#0: syz.0.0/5347 [ 87.223316][ T5347] Modules linked in: [ 87.225183][ T5347] CPU: 0 UID: 0 PID: 5347 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 87.229204][ T5347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 87.233767][ T5347] RIP: 0010:ieee80211_tx_skb_tid+0x3b4/0x470 [ 87.236323][ T5347] Code: 66 c3 f6 e9 b1 fe ff ff e8 79 35 e6 f6 90 0f 0b 90 e9 e2 fe ff ff e8 6b 35 e6 f6 90 0f 0b 90 e9 2a fe ff ff e8 5d 35 e6 f6 90 <0f> 0b 90 e8 c4 e1 fd ff 31 ff 48 8b 34 24 ba 02 00 00 00 48 83 c4 [ 87.244291][ T5347] RSP: 0018:ffffc9000a18f478 EFLAGS: 00010293 [ 87.247107][ T5347] RAX: ffffffff8adad203 RBX: ffffffff8adace7f RCX: ffff888033bdc980 [ 87.250687][ T5347] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 87.253933][ T5347] RBP: 00000000ffffffff R08: ffffffff8adace7f R09: ffffffff8df41aa0 [ 87.257248][ T5347] R10: dffffc0000000000 R11: ffffed10035ec076 R12: ffff888042274d80 [ 87.260531][ T5347] R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000 [ 87.263718][ T5347] FS: 00007fb63069c6c0(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 87.266645][ T5347] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 87.269593][ T5347] CR2: 00007fb63067afc8 CR3: 0000000048ffb000 CR4: 0000000000352ef0 [ 87.272838][ T5347] Call Trace: [ 87.274302][ T5347] [ 87.275636][ T5347] mesh_plink_frame_tx+0x734/0xc10 [ 87.277862][ T5347] ? __pfx_mesh_plink_frame_tx+0x10/0x10 [ 87.280370][ T5347] ? ieee80211_mps_set_sta_local_pm+0xb1/0x310 [ 87.282946][ T5347] mesh_plink_deactivate+0x18e/0x2f0 [ 87.285359][ T5347] mesh_sta_cleanup+0x42/0x150 [ 87.287376][ T5347] cleanup_single_sta+0x40f/0x660 [ 87.289730][ T5347] __sta_info_flush+0x5e4/0x710 [ 87.291958][ T5347] ? __pfx___sta_info_flush+0x10/0x10 [ 87.294232][ T5347] ieee80211_do_stop+0x397/0x1f70 [ 87.296834][ T5347] ? trace_contention_end+0x39/0x100 [ 87.299704][ T5347] ? __mutex_lock+0x335/0x1350 [ 87.301752][ T5347] ? __pfx_ieee80211_do_stop+0x10/0x10 [ 87.304103][ T5347] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 87.306543][ T5347] ieee80211_stop+0x1b1/0x240 [ 87.308819][ T5347] ? __pfx_ieee80211_stop+0x10/0x10 [ 87.311049][ T5347] __dev_close_many+0x344/0x6b0 [ 87.313199][ T5347] ? __pfx___dev_close_many+0x10/0x10 [ 87.315420][ T5347] ? __dev_change_flags+0x1b0/0x680 [ 87.317631][ T5347] __dev_change_flags+0x2be/0x680 [ 87.319668][ T5347] ? __pfx___dev_change_flags+0x10/0x10 [ 87.321794][ T5347] ? full_name_hash+0x92/0xe0 [ 87.323994][ T5347] netif_change_flags+0x88/0x1a0 [ 87.326214][ T5347] dev_change_flags+0x130/0x260 [ 87.328272][ T5347] dev_ioctl+0x7b4/0x1150 [ 87.329909][ T5347] sock_do_ioctl+0x22c/0x300 [ 87.331536][ T5347] ? __pfx_sock_do_ioctl+0x10/0x10 [ 87.333549][ T5347] ? do_futex+0x333/0x420 [ 87.335774][ T5347] sock_ioctl+0x576/0x790 [ 87.337851][ T5347] ? __pfx_sock_ioctl+0x10/0x10 [ 87.340022][ T5347] ? __fget_files+0x2a/0x420 [ 87.341747][ T5347] ? __fget_files+0x3a0/0x420 [ 87.343573][ T5347] ? __fget_files+0x2a/0x420 [ 87.345574][ T5347] ? bpf_lsm_file_ioctl+0x9/0x20 [ 87.347819][ T5347] ? __pfx_sock_ioctl+0x10/0x10 [ 87.350064][ T5347] __se_sys_ioctl+0xfc/0x170 [ 87.351976][ T5347] do_syscall_64+0xec/0xf80 [ 87.353742][ T5347] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.356200][ T5347] ? trace_irq_disable+0x37/0x100 [ 87.358336][ T5347] ? clear_bhb_loop+0x60/0xb0 [ 87.360361][ T5347] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.362766][ T5347] RIP: 0033:0x7fb62f78f7c9 [ 87.364589][ T5347] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 87.372919][ T5347] RSP: 002b:00007fb63069c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 87.376447][ T5347] RAX: ffffffffffffffda RBX: 00007fb62f9e6090 RCX: 00007fb62f78f7c9 [ 87.379705][ T5347] RDX: 0000200000000000 RSI: 0000000000008914 RDI: 0000000000000006 [ 87.382889][ T5347] RBP: 00007fb62f813f91 R08: 0000000000000000 R09: 0000000000000000 [ 87.385934][ T5347] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 87.389400][ T5347] R13: 00007fb62f9e6128 R14: 00007fb62f9e6090 R15: 00007ffcaba2f8f8 [ 87.392853][ T5347] [ 87.394207][ T5347] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 87.397317][ T5347] CPU: 0 UID: 0 PID: 5347 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 87.400994][ T5347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 87.405203][ T5347] Call Trace: [ 87.406581][ T5347] [ 87.407750][ T5347] vpanic+0x1e0/0x670 [ 87.409481][ T5347] panic+0xb9/0xc0 [ 87.411055][ T5347] ? __pfx_panic+0x10/0x10 [ 87.412918][ T5347] __warn+0x317/0x4b0 [ 87.414520][ T5347] ? ieee80211_tx_skb_tid+0x3b4/0x470 [ 87.416594][ T5347] ? ieee80211_tx_skb_tid+0x3b4/0x470 [ 87.418622][ T5347] __report_bug+0x288/0x500 [ 87.420381][ T5347] ? ieee80211_tx_skb_tid+0x3b4/0x470 [ 87.422580][ T5347] ? __pfx___report_bug+0x10/0x10 [ 87.424738][ T5347] ? __lock_acquire+0x6b6/0x2cf0 [ 87.426958][ T5347] ? ieee80211_tx_skb_tid+0x3b4/0x470 [ 87.429271][ T5347] report_bug+0x16a/0x220 [ 87.431076][ T5347] ? ieee80211_tx_skb_tid+0x3b4/0x470 [ 87.433457][ T5347] ? ieee80211_tx_skb_tid+0x3b6/0x470 [ 87.435826][ T5347] handle_bug+0x98/0x200 [ 87.437774][ T5347] exc_invalid_op+0x1a/0x50 [ 87.439837][ T5347] asm_exc_invalid_op+0x1a/0x20 [ 87.442116][ T5347] RIP: 0010:ieee80211_tx_skb_tid+0x3b4/0x470 [ 87.444827][ T5347] Code: 66 c3 f6 e9 b1 fe ff ff e8 79 35 e6 f6 90 0f 0b 90 e9 e2 fe ff ff e8 6b 35 e6 f6 90 0f 0b 90 e9 2a fe ff ff e8 5d 35 e6 f6 90 <0f> 0b 90 e8 c4 e1 fd ff 31 ff 48 8b 34 24 ba 02 00 00 00 48 83 c4 [ 87.453020][ T5347] RSP: 0018:ffffc9000a18f478 EFLAGS: 00010293 [ 87.455682][ T5347] RAX: ffffffff8adad203 RBX: ffffffff8adace7f RCX: ffff888033bdc980 [ 87.459202][ T5347] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 [ 87.462701][ T5347] RBP: 00000000ffffffff R08: ffffffff8adace7f R09: ffffffff8df41aa0 [ 87.466218][ T5347] R10: dffffc0000000000 R11: ffffed10035ec076 R12: ffff888042274d80 [ 87.469798][ T5347] R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000 [ 87.473306][ T5347] ? ieee80211_tx_skb_tid+0x2f/0x470 [ 87.475704][ T5347] ? ieee80211_tx_skb_tid+0x2f/0x470 [ 87.478162][ T5347] ? ieee80211_tx_skb_tid+0x3b3/0x470 [ 87.480641][ T5347] ? ieee80211_tx_skb_tid+0x3b3/0x470 [ 87.483032][ T5347] mesh_plink_frame_tx+0x734/0xc10 [ 87.485389][ T5347] ? __pfx_mesh_plink_frame_tx+0x10/0x10 [ 87.487841][ T5347] ? ieee80211_mps_set_sta_local_pm+0xb1/0x310 [ 87.490500][ T5347] mesh_plink_deactivate+0x18e/0x2f0 [ 87.492628][ T5347] mesh_sta_cleanup+0x42/0x150 [ 87.494624][ T5347] cleanup_single_sta+0x40f/0x660 [ 87.496770][ T5347] __sta_info_flush+0x5e4/0x710 [ 87.498839][ T5347] ? __pfx___sta_info_flush+0x10/0x10 [ 87.500994][ T5347] ieee80211_do_stop+0x397/0x1f70 [ 87.503096][ T5347] ? trace_contention_end+0x39/0x100 [ 87.505238][ T5347] ? __mutex_lock+0x335/0x1350 [ 87.507065][ T5347] ? __pfx_ieee80211_do_stop+0x10/0x10 [ 87.509141][ T5347] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 87.511316][ T5347] ieee80211_stop+0x1b1/0x240 [ 87.513126][ T5347] ? __pfx_ieee80211_stop+0x10/0x10 [ 87.515377][ T5347] __dev_close_many+0x344/0x6b0 [ 87.517452][ T5347] ? __pfx___dev_close_many+0x10/0x10 [ 87.519845][ T5347] ? __dev_change_flags+0x1b0/0x680 [ 87.521971][ T5347] __dev_change_flags+0x2be/0x680 [ 87.524068][ T5347] ? __pfx___dev_change_flags+0x10/0x10 [ 87.526280][ T5347] ? full_name_hash+0x92/0xe0 [ 87.528230][ T5347] netif_change_flags+0x88/0x1a0 [ 87.530242][ T5347] dev_change_flags+0x130/0x260 [ 87.532222][ T5347] dev_ioctl+0x7b4/0x1150 [ 87.534054][ T5347] sock_do_ioctl+0x22c/0x300 [ 87.535972][ T5347] ? __pfx_sock_do_ioctl+0x10/0x10 [ 87.538131][ T5347] ? do_futex+0x333/0x420 [ 87.539910][ T5347] sock_ioctl+0x576/0x790 [ 87.541674][ T5347] ? __pfx_sock_ioctl+0x10/0x10 [ 87.543684][ T5347] ? __fget_files+0x2a/0x420 [ 87.545793][ T5347] ? __fget_files+0x3a0/0x420 [ 87.547477][ T5347] ? __fget_files+0x2a/0x420 [ 87.549310][ T5347] ? bpf_lsm_file_ioctl+0x9/0x20 [ 87.551104][ T5347] ? __pfx_sock_ioctl+0x10/0x10 [ 87.552943][ T5347] __se_sys_ioctl+0xfc/0x170 [ 87.554886][ T5347] do_syscall_64+0xec/0xf80 [ 87.556932][ T5347] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.559596][ T5347] ? trace_irq_disable+0x37/0x100 [ 87.561709][ T5347] ? clear_bhb_loop+0x60/0xb0 [ 87.563688][ T5347] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.566064][ T5347] RIP: 0033:0x7fb62f78f7c9 [ 87.568014][ T5347] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 87.576026][ T5347] RSP: 002b:00007fb63069c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 87.579504][ T5347] RAX: ffffffffffffffda RBX: 00007fb62f9e6090 RCX: 00007fb62f78f7c9 [ 87.583064][ T5347] RDX: 0000200000000000 RSI: 0000000000008914 RDI: 0000000000000006 [ 87.586230][ T5347] RBP: 00007fb62f813f91 R08: 0000000000000000 R09: 0000000000000000 [ 87.589246][ T5347] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 87.592171][ T5347] R13: 00007fb62f9e6128 R14: 00007fb62f9e6090 R15: 00007ffcaba2f8f8 [ 87.595305][ T5347] [ 87.596751][ T5347] Kernel Offset: disabled [ 87.598507][ T5347] Rebooting in 86400 seconds..