program: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r1, 0x8933, &(0x7f0000000000)={'team0\x00', 0x0}) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000080)=@newlink={0x44, 0x10, 0x403, 0x70bd2a, 0x0, {0x0, 0x0, 0x0, 0x0, 0x300}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @vlan={{0x9}, {0xc, 0x2, 0x0, 0x1, [@IFLA_VLAN_ID={0x6}]}}}, @IFLA_LINK={0x8, 0x5, r2}]}, 0xfffffffffffffd86}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB="3000000010000100"/20, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\b\x00\n\x00', @ANYRES32=0x0, @ANYBLOB="08001b"], 0x30}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) bind$bt_hci(r5, &(0x7f0000000080)={0x1f, 0xffff, 0x4}, 0x6) write(r5, &(0x7f00000000c0)="3f000a009b0000ffc18ef5984e597918116ef50a3b5ebcfe1c2bbe14119eeb5d98cdfb9f4114cb800448cc6f17d2ffe0a63def7e8beb26abde1bc1687c2d26e18cb0e783467b91b7e0c8fc1d9047a1162cd1e49268e831d9f077a93df320899d2d030bad556767df54fc907134aa64540bb14cb3988a8d4b6a4053a8053a1ff2a2933bd7d8b12afc0de7468c59f3b39c8afd6b0bed916a1fecdba17b9a932c16fe", 0xa1) ioctl$ifreq_SIOCGIFINDEX_team(r4, 0x8933, &(0x7f0000000000)={'team0\x00', 0x0}) sendmsg$nl_route(r4, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@newlink={0x3c, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x10104}, [@IFLA_IFNAME={0x14, 0x3, 'ip6gre0\x00'}, @IFLA_MASTER={0x8, 0xa, r6}]}, 0x3c}}, 0x0) socket$nl_route(0x10, 0x3, 0x0) (async) socket$nl_route(0x10, 0x3, 0x0) (async) ioctl$ifreq_SIOCGIFINDEX_team(r1, 0x8933, &(0x7f0000000000)) (async) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000080)=@newlink={0x44, 0x10, 0x403, 0x70bd2a, 0x0, {0x0, 0x0, 0x0, 0x0, 0x300}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @vlan={{0x9}, {0xc, 0x2, 0x0, 0x1, [@IFLA_VLAN_ID={0x6}]}}}, @IFLA_LINK={0x8, 0x5, r2}]}, 0xfffffffffffffd86}}, 0x0) (async) socket$nl_route(0x10, 0x3, 0x0) (async) sendmsg$nl_route(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB="3000000010000100"/20, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\b\x00\n\x00', @ANYRES32=0x0, @ANYBLOB="08001b"], 0x30}}, 0x0) (async) socket$nl_route(0x10, 0x3, 0x0) (async) syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async) bind$bt_hci(r5, &(0x7f0000000080)={0x1f, 0xffff, 0x4}, 0x6) (async) write(r5, &(0x7f00000000c0)="3f000a009b0000ffc18ef5984e597918116ef50a3b5ebcfe1c2bbe14119eeb5d98cdfb9f4114cb800448cc6f17d2ffe0a63def7e8beb26abde1bc1687c2d26e18cb0e783467b91b7e0c8fc1d9047a1162cd1e49268e831d9f077a93df320899d2d030bad556767df54fc907134aa64540bb14cb3988a8d4b6a4053a8053a1ff2a2933bd7d8b12afc0de7468c59f3b39c8afd6b0bed916a1fecdba17b9a932c16fe", 0xa1) (async) ioctl$ifreq_SIOCGIFINDEX_team(r4, 0x8933, &(0x7f0000000000)) (async) sendmsg$nl_route(r4, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@newlink={0x3c, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x10104}, [@IFLA_IFNAME={0x14, 0x3, 'ip6gre0\x00'}, @IFLA_MASTER={0x8, 0xa, r6}]}, 0x3c}}, 0x0) (async) [ 76.256190][ T4683] Bluetooth: hci0: command tx timeout [ 76.278920][ T1313] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.281850][ T1313] ieee802154 phy1 wpan1: encryption failed: -22 [ 76.339978][ T5338] bridge_slave_0: left allmulticast mode [ 76.349249][ T5338] bridge_slave_0: left promiscuous mode [ 76.351446][ T5338] bridge0: port 1(bridge_slave_0) entered disabled state [ 76.361040][ T5338] bridge_slave_1: left allmulticast mode [ 76.368287][ T5338] bridge_slave_1: left promiscuous mode [ 76.370903][ T5338] bridge0: port 2(bridge_slave_1) entered disabled state [ 76.378770][ T5338] bond0: (slave bond_slave_0): Releasing backup interface [ 76.390401][ T5338] bond0: (slave bond_slave_1): Releasing backup interface [ 76.400310][ T5338] team0: Port device team_slave_0 removed [ 76.408318][ T5338] team0: Port device team_slave_1 removed [ 76.412470][ T5338] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 76.416872][ T5338] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 76.421255][ T5338] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 76.425502][ T5338] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 76.430127][ T5338] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check. [ 76.445982][ T5339] ip6gre0: entered promiscuous mode [ 76.456821][ T5339] team0: Port device ip6gre0 added [ 76.468775][ T5341] team0: Port device ip6gre0 removed [ 76.478686][ T5341] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check. [ 76.486040][ T1354] skbuff: skb_under_panic: text:ffffffff8a27e9c8 len:136 put:40 head:ffff888010faf000 data:ffff888010faefe8 tail:0x70 end:0x6c0 dev:team0 [ 76.492964][ T1354] ------------[ cut here ]------------ [ 76.495388][ T1354] kernel BUG at net/core/skbuff.c:213! [ 76.510246][ T1354] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 76.513124][ T1354] CPU: 0 UID: 0 PID: 1354 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full) [ 76.517158][ T1354] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.521769][ T1354] Workqueue: mld mld_ifc_work [ 76.523947][ T1354] RIP: 0010:skb_panic+0x157/0x160 [ 76.526216][ T1354] Code: c7 60 ac 6f 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 ce 6a f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 76.534316][ T1354] RSP: 0018:ffffc900085cf400 EFLAGS: 00010286 [ 76.536930][ T1354] RAX: 0000000000000087 RBX: dffffc0000000000 RCX: d6c010af1cedf000 [ 76.540281][ T1354] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 [ 76.543710][ T1354] RBP: 00000000000006c0 R08: ffffc900085cf167 R09: 1ffff920010b9e2c [ 76.547243][ T1354] R10: dffffc0000000000 R11: fffff520010b9e2d R12: ffff88801167e650 [ 76.550678][ T1354] R13: ffff888010faf000 R14: ffff888010faefe8 R15: 0000000000000070 [ 76.553945][ T1354] FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 76.557736][ T1354] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 76.560511][ T1354] CR2: 00007f154fe3dd20 CR3: 000000000dd3a000 CR4: 0000000000352ef0 [ 76.563866][ T1354] Call Trace: [ 76.565458][ T1354] [ 76.566744][ T1354] ? ip6gre_header+0xc8/0x790 [ 76.568722][ T1354] ? ip6gre_header+0xc8/0x790 [ 76.570720][ T1354] skb_push+0xc3/0xe0 [ 76.572476][ T1354] ip6gre_header+0xc8/0x790 [ 76.574386][ T1354] ? neigh_connected_output+0x1ea/0x460 [ 76.576810][ T1354] ? __pfx_ip6gre_header+0x10/0x10 [ 76.579028][ T1354] ? neigh_connected_output+0x1ea/0x460 [ 76.581311][ T1354] ? read_seqbegin+0xac/0x180 [ 76.583374][ T1354] ? neigh_connected_output+0x1ea/0x460 [ 76.585905][ T1354] ? lockdep_hardirqs_on+0x7b/0x110 [ 76.588151][ T1354] ? __pfx_ip6gre_header+0x10/0x10 [ 76.590300][ T1354] neigh_connected_output+0x286/0x460 [ 76.592990][ T1354] ip6_finish_output+0x234/0x7d0 [ 76.595509][ T1354] ? ip6_output+0x126/0x550 [ 76.597820][ T1354] ip6_output+0x340/0x550 [ 76.599993][ T1354] NF_HOOK+0x9e/0x380 [ 76.602177][ T1354] ? NF_HOOK+0x101/0x380 [ 76.604444][ T1354] ? __pfx_NF_HOOK+0x10/0x10 [ 76.606901][ T1354] ? __pfx_dst_output+0x10/0x10 [ 76.609358][ T1354] ? lockdep_hardirqs_on+0x7b/0x110 [ 76.611525][ T1354] ? __local_bh_enable_ip+0xd0/0x130 [ 76.614023][ T1354] ? icmp6_dst_alloc+0x3a5/0x420 [ 76.616230][ T1354] mld_sendpack+0x8d4/0xe60 [ 76.618228][ T1354] ? mld_sendpack+0x1e7/0xe60 [ 76.620231][ T1354] ? __pfx_mld_sendpack+0x10/0x10 [ 76.622357][ T1354] mld_ifc_work+0x83e/0xd60 [ 76.624338][ T1354] ? process_scheduled_works+0x9ef/0x1770 [ 76.627040][ T1354] process_scheduled_works+0xad1/0x1770 [ 76.629522][ T1354] ? __pfx_process_scheduled_works+0x10/0x10 [ 76.632168][ T1354] ? do_raw_spin_lock+0x121/0x290 [ 76.634529][ T1354] worker_thread+0x8a0/0xda0 [ 76.636445][ T1354] kthread+0x711/0x8a0 [ 76.638161][ T1354] ? __pfx_worker_thread+0x10/0x10 [ 76.640247][ T1354] ? __pfx_kthread+0x10/0x10 [ 76.642082][ T1354] ? _raw_spin_unlock_irq+0x23/0x50 [ 76.644190][ T1354] ? __pfx_kthread+0x10/0x10 [ 76.646163][ T1354] ret_from_fork+0x510/0xa50 [ 76.648152][ T1354] ? __pfx_ret_from_fork+0x10/0x10 [ 76.650409][ T1354] ? __switch_to+0xc9e/0x1480 [ 76.652482][ T1354] ? __pfx_kthread+0x10/0x10 [ 76.654491][ T1354] ret_from_fork_asm+0x1a/0x30 [ 76.656424][ T1354] [ 76.657759][ T1354] Modules linked in: [ 76.659812][ T1354] ---[ end trace 0000000000000000 ]---