program:
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x80)
mknodat$loop(0xffffffffffffff9c, 0x0, 0x6000, 0x1)
r0 = perf_event_open(&(0x7f0000000340)={0x2, 0x80, 0x2a, 0x1, 0x0, 0x0, 0x0, 0x7, 0x510, 0x1f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, @perf_bp={0x0, 0x9}, 0x107200, 0x10002, 0x20da, 0x7, 0xa, 0x20005, 0xb, 0x0, 0x0, 0x0, 0x20000006}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xb)
setsockopt$sock_attach_bpf(0xffffffffffffffff, 0x1, 0x4c, 0x0, 0x0)
ioctl$OCFS2_IOC_INFO(r0, 0x80106f05, 0x0)
openat(0xffffffffffffff9c, 0x0, 0x42, 0x0)
r1 = socket(0x10, 0x803, 0x0)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000400)={'veth0_to_hsr\x00', <r2=>0x0})
sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd25, 0x25dfdbfe, {0x0, 0x0, 0x0, r2, {0x0, 0xffe1}, {0xffff, 0xffff}, {0xffe0}}, [@qdisc_kind_options=@q_htb={{0x8}, {0x1c, 0x2, [@TCA_HTB_INIT={0x18, 0x2, {0x3, 0x4, 0x9}}]}}]}, 0x48}}, 0xc840)
sendmsg$nl_route_sched(r1, &(0x7f0000006040)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000800)=@newtfilter={0x54, 0x2c, 0xd2b, 0x70bd2b, 0x25dfdbfb, {0x0, 0x0, 0x0, r2, {0x6}, {}, {0x7, 0xfff1}}, [@filter_kind_options=@f_u32={{0x8}, {0x28, 0x2, [@TCA_U32_SEL={0x24, 0x5, {0xd, 0x7, 0x1, 0x3d3f, 0x0, 0xfff, 0xb709, 0x58f, [{0x0, 0x20008000, 0x4, 0x1}]}}]}}]}, 0x54}, 0x1, 0x0, 0x0, 0x4084}, 0x24040084)
recvmmsg$unix(r1, &(0x7f0000000580)=[{{0x0, 0x0, &(0x7f0000000040)=[{&(0x7f00000002c0)=""/219, 0xdb}], 0x1}}], 0x1, 0x60, 0x0)
sendmsg$GTP_CMD_NEWPDP(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000300)={0x30, 0x0, 0x1, 0x3, 0x0, {}, [@GTPA_LINK={0x8}, @GTPA_FLOW={0x6, 0x6, 0x4}, @GTPA_TID={0xc}]}, 0x30}}, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={0x0}}, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[], 0xc3}, 0x1, 0x100000000000000, 0x0, 0x2000}, 0x40400c0)
r3 = socket(0x10, 0x3, 0x0)
sendmmsg(r3, &(0x7f0000000000), 0x4000000000001f2, 0x0)

[  153.995460][ T5304] Bluetooth: hci0: command tx timeout
[  154.132744][ T5327] netlink: 'syz.0.0': attribute type 3 has an invalid length.
[  154.138349][ T5327] netlink: 24 bytes leftover after parsing attributes in process `syz.0.0'.
[  154.143316][ T5327] ------------[ cut here ]------------
[  154.147206][ T5327] memcpy: detected field-spanning write (size 32) of single field "&new->sel" at net/sched/cls_u32.c:855 (size 16)
[  154.153044][ T5327] WARNING: net/sched/cls_u32.c:855 at u32_change+0x1da0/0x2720, CPU#0: syz.0.0/5327
[  154.157765][ T5327] Modules linked in:
[  154.160298][ T5327] CPU: 0 UID: 0 PID: 5327 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  154.164953][ T5327] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  154.169279][ T5327] RIP: 0010:u32_change+0x1daf/0x2720
[  154.171646][ T5327] Code: 3d 5a 8a 41 06 01 75 33 e8 6e 76 0b f8 eb 50 e8 67 76 0b f8 48 8d 3d 80 c0 66 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 00 b7 e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 42 76 0b f8 eb 24 e8 3b 76 0b f8
[  154.181207][ T5327] RSP: 0018:ffffc9000e106fc0 EFLAGS: 00010283
[  154.183824][ T5327] RAX: ffffffff89ba4829 RBX: ffff88801effac00 RCX: 0000000000000010
[  154.187862][ T5327] RDX: ffffffff8ce1b700 RSI: 0000000000000020 RDI: ffffffff902108b0
[  154.192380][ T5327] RBP: ffffc9000e107178 R08: 0000000000000dc0 R09: 00000000ffffffff
[  154.196408][ T5327] R10: fffff52001c20d90 R11: fffffbfff345eefa R12: ffff88805b38e0e8
[  154.199900][ T5327] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001
[  154.203390][ T5327] FS:  00007f0ac3f3f6c0(0000) GS:ffff88808ca4c000(0000) knlGS:0000000000000000
[  154.207488][ T5327] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  154.211103][ T5327] CR2: 0000200000006040 CR3: 00000000497f1000 CR4: 0000000000352ef0
[  154.215269][ T5327] Call Trace:
[  154.216896][ T5327]  <TASK>
[  154.218314][ T5327]  ? __pfx_u32_change+0x10/0x10
[  154.220516][ T5327]  ? __mutex_unlock_slowpath+0x1bd/0x7d0
[  154.223164][ T5327]  tc_new_tfilter+0xff8/0x1780
[  154.226141][ T5327]  ? __pfx_tc_new_tfilter+0x10/0x10
[  154.228743][ T5327]  ? __pfx_tc_new_tfilter+0x10/0x10
[  154.231317][ T5327]  rtnetlink_rcv_msg+0x7d5/0xbe0
[  154.233670][ T5327]  ? rtnetlink_rcv_msg+0x1b9/0xbe0
[  154.236693][ T5327]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[  154.239461][ T5327]  ? ref_tracker_free+0x693/0x840
[  154.241746][ T5327]  ? __copy_skb_header+0xa3/0x4a0
[  154.244161][ T5327]  ? __pfx_ref_tracker_free+0x10/0x10
[  154.246965][ T5327]  ? __skb_clone+0x63/0x7a0
[  154.249328][ T5327]  netlink_rcv_skb+0x232/0x4b0
[  154.251655][ T5327]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[  154.254412][ T5327]  ? __pfx_netlink_rcv_skb+0x10/0x10
[  154.256886][ T5327]  ? netlink_deliver_tap+0x2e/0x1b0
[  154.259518][ T5327]  netlink_unicast+0x80f/0x9b0
[  154.262467][ T5327]  ? __pfx_netlink_unicast+0x10/0x10
[  154.265383][ T5327]  ? netlink_sendmsg+0x650/0xb40
[  154.267616][ T5327]  ? skb_put+0x11b/0x210
[  154.269746][ T5327]  netlink_sendmsg+0x813/0xb40
[  154.272133][ T5327]  ? __pfx_netlink_sendmsg+0x10/0x10
[  154.274929][ T5327]  ? aa_sock_msg_perm+0xf1/0x1b0
[  154.277211][ T5327]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[  154.279636][ T5327]  ____sys_sendmsg+0x972/0x9f0
[  154.281901][ T5327]  ? __pfx_____sys_sendmsg+0x10/0x10
[  154.284525][ T5327]  ? import_iovec+0x73/0xa0
[  154.286917][ T5327]  ___sys_sendmsg+0x2a5/0x360
[  154.289446][ T5327]  ? __pfx____sys_sendmsg+0x10/0x10
[  154.291841][ T5327]  ? preempt_schedule_common+0x82/0xd0
[  154.294408][ T5327]  ? preempt_schedule_thunk+0x16/0x30
[  154.296934][ T5327]  ? __fget_files+0x2a/0x420
[  154.300062][ T5327]  ? __fget_files+0x3a0/0x420
[  154.302307][ T5327]  __sys_sendmmsg+0x27c/0x4e0
[  154.304950][ T5327]  ? __pfx___sys_sendmmsg+0x10/0x10
[  154.307076][ T5327]  ? do_futex+0x395/0x420
[  154.309005][ T5327]  ? rcu_is_watching+0x15/0xb0
[  154.311712][ T5327]  __x64_sys_sendmmsg+0xa0/0xc0
[  154.314330][ T5327]  do_syscall_64+0x14d/0xf80
[  154.316649][ T5327]  ? trace_irq_disable+0x3b/0x150
[  154.318907][ T5327]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  154.321667][ T5327]  ? clear_bhb_loop+0x40/0x90
[  154.324076][ T5327]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  154.327582][ T5327] RIP: 0033:0x7f0ac2f9c819
[  154.329852][ T5327] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  154.338978][ T5327] RSP: 002b:00007f0ac3f3efe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[  154.343268][ T5327] RAX: ffffffffffffffda RBX: 00007f0ac3215fa0 RCX: 00007f0ac2f9c819
[  154.347358][ T5327] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000005
[  154.351865][ T5327] RBP: 00007f0ac3032c91 R08: 0000000000000000 R09: 0000000000000000
[  154.355834][ T5327] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  154.359314][ T5327] R13: 00007f0ac3216038 R14: 00007f0ac3215fa0 R15: 00007ffd627f0678
[  154.363006][ T5327]  </TASK>
[  154.365254][ T5327] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  154.368789][ T5327] CPU: 0 UID: 0 PID: 5327 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  154.373435][ T5327] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  154.378619][ T5327] Call Trace:
[  154.380199][ T5327]  <TASK>
[  154.381578][ T5327]  vpanic+0x56c/0xa60
[  154.383546][ T5327]  ? __pfx__printk+0x10/0x10
[  154.386023][ T5327]  ? __pfx_vpanic+0x10/0x10
[  154.388586][ T5327]  ? is_bpf_text_address+0x292/0x2b0
[  154.390885][ T5327]  ? is_bpf_text_address+0x26/0x2b0
[  154.392978][ T5327]  panic+0xc5/0xd0
[  154.394548][ T5327]  ? __pfx_panic+0x10/0x10
[  154.396463][ T5327]  __warn+0x315/0x4f0
[  154.398461][ T5327]  ? u32_change+0x1da0/0x2720
[  154.400508][ T5327]  ? u32_change+0x1da0/0x2720
[  154.403083][ T5327]  __report_bug+0x29a/0x540
[  154.405584][ T5327]  ? u32_change+0x1da0/0x2720
[  154.407883][ T5327]  ? __pfx___report_bug+0x10/0x10
[  154.410571][ T5327]  report_bug_entry+0x19a/0x290
[  154.413193][ T5327]  ? u32_change+0x1daf/0x2720
[  154.415439][ T5327]  ? u32_change+0x1db4/0x2720
[  154.417784][ T5327]  handle_bug+0xce/0x200
[  154.419958][ T5327]  exc_invalid_op+0x1a/0x50
[  154.422332][ T5327]  asm_exc_invalid_op+0x1a/0x20
[  154.424771][ T5327] RIP: 0010:u32_change+0x1daf/0x2720
[  154.427304][ T5327] Code: 3d 5a 8a 41 06 01 75 33 e8 6e 76 0b f8 eb 50 e8 67 76 0b f8 48 8d 3d 80 c0 66 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 00 b7 e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 42 76 0b f8 eb 24 e8 3b 76 0b f8
[  154.436442][ T5327] RSP: 0018:ffffc9000e106fc0 EFLAGS: 00010283
[  154.439196][ T5327] RAX: ffffffff89ba4829 RBX: ffff88801effac00 RCX: 0000000000000010
[  154.443295][ T5327] RDX: ffffffff8ce1b700 RSI: 0000000000000020 RDI: ffffffff902108b0
[  154.447171][ T5327] RBP: ffffc9000e107178 R08: 0000000000000dc0 R09: 00000000ffffffff
[  154.450731][ T5327] R10: fffff52001c20d90 R11: fffffbfff345eefa R12: ffff88805b38e0e8
[  154.454756][ T5327] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001
[  154.459069][ T5327]  ? u32_change+0x1d99/0x2720
[  154.461264][ T5327]  ? __pfx_u32_change+0x10/0x10
[  154.463430][ T5327]  ? __mutex_unlock_slowpath+0x1bd/0x7d0
[  154.466153][ T5327]  tc_new_tfilter+0xff8/0x1780
[  154.468641][ T5327]  ? __pfx_tc_new_tfilter+0x10/0x10
[  154.471789][ T5327]  ? __pfx_tc_new_tfilter+0x10/0x10
[  154.474220][ T5327]  rtnetlink_rcv_msg+0x7d5/0xbe0
[  154.476375][ T5327]  ? rtnetlink_rcv_msg+0x1b9/0xbe0
[  154.478551][ T5327]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[  154.481124][ T5327]  ? ref_tracker_free+0x693/0x840
[  154.483926][ T5327]  ? __copy_skb_header+0xa3/0x4a0
[  154.486758][ T5327]  ? __pfx_ref_tracker_free+0x10/0x10
[  154.489187][ T5327]  ? __skb_clone+0x63/0x7a0
[  154.491296][ T5327]  netlink_rcv_skb+0x232/0x4b0
[  154.493657][ T5327]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[  154.496962][ T5327]  ? __pfx_netlink_rcv_skb+0x10/0x10
[  154.499857][ T5327]  ? netlink_deliver_tap+0x2e/0x1b0
[  154.502245][ T5327]  netlink_unicast+0x80f/0x9b0
[  154.504472][ T5327]  ? __pfx_netlink_unicast+0x10/0x10
[  154.506991][ T5327]  ? netlink_sendmsg+0x650/0xb40
[  154.509513][ T5327]  ? skb_put+0x11b/0x210
[  154.511776][ T5327]  netlink_sendmsg+0x813/0xb40
[  154.514062][ T5327]  ? __pfx_netlink_sendmsg+0x10/0x10
[  154.516572][ T5327]  ? aa_sock_msg_perm+0xf1/0x1b0
[  154.519201][ T5327]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[  154.522030][ T5327]  ____sys_sendmsg+0x972/0x9f0
[  154.524792][ T5327]  ? __pfx_____sys_sendmsg+0x10/0x10
[  154.527595][ T5327]  ? import_iovec+0x73/0xa0
[  154.529781][ T5327]  ___sys_sendmsg+0x2a5/0x360
[  154.532139][ T5327]  ? __pfx____sys_sendmsg+0x10/0x10
[  154.534866][ T5327]  ? preempt_schedule_common+0x82/0xd0
[  154.537760][ T5327]  ? preempt_schedule_thunk+0x16/0x30
[  154.540559][ T5327]  ? __fget_files+0x2a/0x420
[  154.543210][ T5327]  ? __fget_files+0x3a0/0x420
[  154.545768][ T5327]  __sys_sendmmsg+0x27c/0x4e0
[  154.547987][ T5327]  ? __pfx___sys_sendmmsg+0x10/0x10
[  154.550425][ T5327]  ? do_futex+0x395/0x420
[  154.552626][ T5327]  ? rcu_is_watching+0x15/0xb0
[  154.555095][ T5327]  __x64_sys_sendmmsg+0xa0/0xc0
[  154.557580][ T5327]  do_syscall_64+0x14d/0xf80
[  154.559662][ T5327]  ? trace_irq_disable+0x3b/0x150
[  154.561989][ T5327]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  154.565282][ T5327]  ? clear_bhb_loop+0x40/0x90
[  154.568438][ T5327]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  154.571822][ T5327] RIP: 0033:0x7f0ac2f9c819
[  154.574508][ T5327] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  154.584656][ T5327] RSP: 002b:00007f0ac3f3efe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[  154.588350][ T5327] RAX: ffffffffffffffda RBX: 00007f0ac3215fa0 RCX: 00007f0ac2f9c819
[  154.593306][ T5327] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000005
[  154.597869][ T5327] RBP: 00007f0ac3032c91 R08: 0000000000000000 R09: 0000000000000000
[  154.602928][ T5327] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  154.606940][ T5327] R13: 00007f0ac3216038 R14: 00007f0ac3215fa0 R15: 00007ffd627f0678
[  154.611482][ T5327]  </TASK>
[  154.613820][ T5327] Kernel Offset: disabled
[  154.616213][ T5327] Rebooting in 86400 seconds..