program:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000003b40), r0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
r4 = socket$qrtr(0x2a, 0x2, 0x0)
ioctl$sock_inet_SIOCSIFFLAGS(r4, 0x8914, &(0x7f0000000000)={'wlan1\x00'})
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
r7 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r8=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r6, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)={0x24, r7, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x7}]}, 0x24}}, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f00000000c0)={'wlan1\x00', <r9=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000001c0)={0x28, r3, 0x5, 0x3, 0x0, {{}, {@val={0x8, 0x3, r9}, @void}}, [@NL80211_ATTR_MESH_ID={0xa}]}, 0x28}}, 0x0)
r10 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r10, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000003b80)={'wlan1\x00', <r11=>0x0})
sendmsg$NL80211_CMD_CHANNEL_SWITCH(r0, &(0x7f0000004180)={0x0, 0x0, &(0x7f0000004140)={&(0x7f0000000000)={0x2c, r1, 0x1, 0x70bd29, 0x25dfdbfc, {{}, {@val={0x8, 0x3, r11}, @void}}, [@chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}], @NL80211_ATTR_CH_SWITCH_COUNT={0x8, 0xb7, 0xe}]}, 0x2c}}, 0x0) (fail_nth: 10)

[   99.365418][ T5295] Bluetooth: hci0: command tx timeout
[   99.407099][ T1351] cfg80211: failed to load regulatory.db
[   99.663947][ T5317] netlink: 'syz.0.0': attribute type 10 has an invalid length.
[   99.672423][ T5317] bond0: (slave wlan1): Enslaving as an active interface with an up link
[   99.678929][ T5317] FAULT_INJECTION: forcing a failure.
[   99.678929][ T5317] name failslab, interval 1, probability 0, space 0, times 1
[   99.684006][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   99.684018][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   99.684024][ T5317] Call Trace:
[   99.684029][ T5317]  <TASK>
[   99.684034][ T5317]  dump_stack_lvl+0xe8/0x150
[   99.684173][ T5317]  should_fail_ex+0x412/0x560
[   99.684212][ T5317]  should_failslab+0xa8/0x100
[   99.684225][ T5317]  __kmalloc_noprof+0xe8/0x760
[   99.684242][ T5317]  ? ieee80211_mesh_build_beacon+0xc3/0x1b50
[   99.684289][ T5317]  ieee80211_mesh_build_beacon+0xc3/0x1b50
[   99.684303][ T5317]  ? __kasan_kmalloc+0x93/0xb0
[   99.684317][ T5317]  ieee80211_mesh_rebuild_beacon+0xc7/0x170
[   99.684330][ T5317]  ieee80211_mesh_csa_beacon+0x140/0x2c0
[   99.684344][ T5317]  ieee80211_set_csa_beacon+0x3cc/0x9a0
[   99.684357][ T5317]  ? drv_pre_channel_switch+0x36c/0x6a0
[   99.684377][ T5317]  ieee80211_channel_switch+0x841/0xc20
[   99.684394][ T5317]  ? __pfx_ieee80211_channel_switch+0x10/0x10
[   99.684401][ T5317]  ? cfg80211_chandef_dfs_required+0xd68/0xee0
[   99.684428][ T5317]  ? rcu_is_watching+0x15/0xb0
[   99.684447][ T5317]  rdev_channel_switch+0xfc/0x2c0
[   99.684466][ T5317]  nl80211_channel_switch+0xbab/0xe40
[   99.684513][ T5317]  ? __pfx_nl80211_channel_switch+0x10/0x10
[   99.684529][ T5317]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[   99.684566][ T5317]  ? __nla_parse+0x40/0x60
[   99.684583][ T5317]  ? nl80211_pre_doit+0x4f1/0x930
[   99.684597][ T5317]  genl_family_rcv_msg_doit+0x22a/0x330
[   99.684618][ T5317]  ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
[   99.684639][ T5317]  ? bpf_lsm_capable+0x9/0x20
[   99.684652][ T5317]  ? security_capable+0x7e/0x2c0
[   99.684667][ T5317]  genl_rcv_msg+0x61c/0x7a0
[   99.684685][ T5317]  ? __pfx_genl_rcv_msg+0x10/0x10
[   99.684696][ T5317]  ? __pfx_nl80211_pre_doit+0x10/0x10
[   99.684705][ T5317]  ? __pfx_nl80211_channel_switch+0x10/0x10
[   99.684718][ T5317]  ? __pfx_nl80211_post_doit+0x10/0x10
[   99.684727][ T5317]  ? __lock_acquire+0x6b5/0x2cf0
[   99.684748][ T5317]  netlink_rcv_skb+0x232/0x4b0
[   99.684761][ T5317]  ? __pfx_genl_rcv_msg+0x10/0x10
[   99.684776][ T5317]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   99.684795][ T5317]  ? down_read+0x272/0x2e0
[   99.684802][ T5317]  ? genl_rcv+0xd/0x40
[   99.684811][ T5317]  genl_rcv+0x28/0x40
[   99.684820][ T5317]  netlink_unicast+0x80f/0x9b0
[   99.684830][ T5317]  ? __pfx_netlink_unicast+0x10/0x10
[   99.684837][ T5317]  ? netlink_sendmsg+0x650/0xb40
[   99.684844][ T5317]  ? skb_put+0x11b/0x210
[   99.684854][ T5317]  netlink_sendmsg+0x813/0xb40
[   99.684866][ T5317]  ? __pfx_netlink_sendmsg+0x10/0x10
[   99.684874][ T5317]  ? aa_sock_msg_perm+0xf1/0x1b0
[   99.684883][ T5317]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[   99.684895][ T5317]  ? __pfx_netlink_sendmsg+0x10/0x10
[   99.684902][ T5317]  ____sys_sendmsg+0xa68/0xad0
[   99.684916][ T5317]  ? __pfx_____sys_sendmsg+0x10/0x10
[   99.684930][ T5317]  ? import_iovec+0x73/0xa0
[   99.684944][ T5317]  ___sys_sendmsg+0x2a5/0x360
[   99.684967][ T5317]  ? __pfx____sys_sendmsg+0x10/0x10
[   99.685000][ T5317]  ? __fget_files+0x2a/0x420
[   99.685014][ T5317]  ? __fget_files+0x3a0/0x420
[   99.685033][ T5317]  __x64_sys_sendmsg+0x1bd/0x2a0
[   99.685048][ T5317]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[   99.685066][ T5317]  ? __pfx_ksys_write+0x10/0x10
[   99.685088][ T5317]  do_syscall_64+0x14d/0xf80
[   99.685104][ T5317]  ? trace_irq_disable+0x3b/0x150
[   99.685119][ T5317]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   99.685129][ T5317]  ? clear_bhb_loop+0x40/0x90
[   99.685139][ T5317]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   99.685146][ T5317] RIP: 0033:0x7faaab99c799
[   99.685155][ T5317] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   99.685161][ T5317] RSP: 002b:00007faaac866fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   99.685172][ T5317] RAX: ffffffffffffffda RBX: 00007faaabc15fa0 RCX: 00007faaab99c799
[   99.685179][ T5317] RDX: 0000000000000000 RSI: 0000200000004180 RDI: 0000000000000003
[   99.685184][ T5317] RBP: 00007faaac867050 R08: 0000000000000000 R09: 0000000000000000
[   99.685189][ T5317] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[   99.685194][ T5317] R13: 00007faaabc16038 R14: 00007faaabc15fa0 R15: 00007fff31740c08
[   99.685212][ T5317]  </TASK>
[   99.685282][ T5317] 
[   99.892999][ T5317] =============================
[   99.895289][ T5317] WARNING: suspicious RCU usage
[   99.898130][ T5317] syzkaller #0 Not tainted
[   99.900744][ T5317] -----------------------------
[   99.903464][ T5317] net/mac80211/mesh.c:1574 suspicious rcu_dereference_check() usage!
[   99.907339][ T5317] 
[   99.907339][ T5317] other info that might help us debug this:
[   99.907339][ T5317] 
[   99.911869][ T5317] 
[   99.911869][ T5317] rcu_scheduler_active = 2, debug_locks = 1
[   99.915797][ T5317] 2 locks held by syz.0.0/5317:
[   99.918640][ T5317]  #0: ffffffff8fc3d3f0 (cb_lock){++++}-{4:4}, at: genl_rcv+0x19/0x40
[   99.922427][ T5317]  #1: ffff888011858788 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: nl80211_pre_doit+0x281/0x930
[   99.927003][ T5317] 
[   99.927003][ T5317] stack backtrace:
[   99.929493][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   99.929510][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   99.929517][ T5317] Call Trace:
[   99.929524][ T5317]  <TASK>
[   99.929529][ T5317]  dump_stack_lvl+0xe8/0x150
[   99.929552][ T5317]  lockdep_rcu_suspicious+0x13f/0x1d0
[   99.929571][ T5317]  ieee80211_mesh_csa_beacon+0x280/0x2c0
[   99.929589][ T5317]  ieee80211_set_csa_beacon+0x3cc/0x9a0
[   99.929602][ T5317]  ? drv_pre_channel_switch+0x36c/0x6a0
[   99.929620][ T5317]  ieee80211_channel_switch+0x841/0xc20
[   99.929636][ T5317]  ? __pfx_ieee80211_channel_switch+0x10/0x10
[   99.929646][ T5317]  ? cfg80211_chandef_dfs_required+0xd68/0xee0
[   99.929677][ T5317]  ? rcu_is_watching+0x15/0xb0
[   99.929694][ T5317]  rdev_channel_switch+0xfc/0x2c0
[   99.929712][ T5317]  nl80211_channel_switch+0xbab/0xe40
[   99.929732][ T5317]  ? __pfx_nl80211_channel_switch+0x10/0x10
[   99.929747][ T5317]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[   99.929780][ T5317]  ? __nla_parse+0x40/0x60
[   99.929796][ T5317]  ? nl80211_pre_doit+0x4f1/0x930
[   99.929809][ T5317]  genl_family_rcv_msg_doit+0x22a/0x330
[   99.929831][ T5317]  ? __pfx_genl_family_rcv_msg_doit+0x10/0x10
[   99.929850][ T5317]  ? bpf_lsm_capable+0x9/0x20
[   99.929864][ T5317]  ? security_capable+0x7e/0x2c0
[   99.929879][ T5317]  genl_rcv_msg+0x61c/0x7a0
[   99.929895][ T5317]  ? __pfx_genl_rcv_msg+0x10/0x10
[   99.929907][ T5317]  ? __pfx_nl80211_pre_doit+0x10/0x10
[   99.929915][ T5317]  ? __pfx_nl80211_channel_switch+0x10/0x10
[   99.929928][ T5317]  ? __pfx_nl80211_post_doit+0x10/0x10
[   99.929938][ T5317]  ? __lock_acquire+0x6b5/0x2cf0
[   99.929955][ T5317]  netlink_rcv_skb+0x232/0x4b0
[   99.929974][ T5317]  ? __pfx_genl_rcv_msg+0x10/0x10
[   99.929988][ T5317]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   99.930010][ T5317]  ? down_read+0x272/0x2e0
[   99.930024][ T5317]  ? genl_rcv+0xd/0x40
[   99.930037][ T5317]  genl_rcv+0x28/0x40
[   99.930049][ T5317]  netlink_unicast+0x80f/0x9b0
[   99.930069][ T5317]  ? __pfx_netlink_unicast+0x10/0x10
[   99.930084][ T5317]  ? netlink_sendmsg+0x650/0xb40
[   99.930094][ T5317]  ? skb_put+0x11b/0x210
[   99.930108][ T5317]  netlink_sendmsg+0x813/0xb40
[   99.930130][ T5317]  ? __pfx_netlink_sendmsg+0x10/0x10
[   99.930147][ T5317]  ? aa_sock_msg_perm+0xf1/0x1b0
[   99.930161][ T5317]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[   99.930178][ T5317]  ? __pfx_netlink_sendmsg+0x10/0x10
[   99.930188][ T5317]  ____sys_sendmsg+0xa68/0xad0
[   99.930210][ T5317]  ? __pfx_____sys_sendmsg+0x10/0x10
[   99.930229][ T5317]  ? import_iovec+0x73/0xa0
[   99.930245][ T5317]  ___sys_sendmsg+0x2a5/0x360
[   99.930260][ T5317]  ? __pfx____sys_sendmsg+0x10/0x10
[   99.930291][ T5317]  ? __fget_files+0x2a/0x420
[   99.930306][ T5317]  ? __fget_files+0x3a0/0x420
[   99.930323][ T5317]  __x64_sys_sendmsg+0x1bd/0x2a0
[   99.930338][ T5317]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[   99.930355][ T5317]  ? __pfx_ksys_write+0x10/0x10
[   99.930378][ T5317]  do_syscall_64+0x14d/0xf80
[   99.930394][ T5317]  ? trace_irq_disable+0x3b/0x150
[   99.930409][ T5317]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   99.930420][ T5317]  ? clear_bhb_loop+0x40/0x90
[   99.930432][ T5317]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   99.930442][ T5317] RIP: 0033:0x7faaab99c799
[   99.930456][ T5317] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   99.930465][ T5317] RSP: 002b:00007faaac866fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   99.930479][ T5317] RAX: ffffffffffffffda RBX: 00007faaabc15fa0 RCX: 00007faaab99c799
[   99.930485][ T5317] RDX: 0000000000000000 RSI: 0000200000004180 RDI: 0000000000000003
[   99.930491][ T5317] RBP: 00007faaac867050 R08: 0000000000000000 R09: 0000000000000000
[   99.930496][ T5317] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[   99.930502][ T5317] R13: 00007faaabc16038 R14: 00007faaabc15fa0 R15: 00007fff31740c08
[   99.930517][ T5317]  </TASK>