program: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = socket$inet(0x2, 0x1, 0x0) setsockopt$inet_opts(r1, 0x0, 0x4, &(0x7f0000000540)="432fa2a3dbae4c0400eab36f7cdafdd700b2000217df7f3228a970880401655e25b786f5c9ce40", 0x27) setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f00000000c0)='bridge_slave_1\x00', 0x10) connect$inet(r1, &(0x7f0000000080)={0x2, 0x100, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10) bind$inet6(r0, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c) listen(r0, 0x3) setsockopt$SO_BINDTODEVICE(r0, 0x1, 0x19, &(0x7f0000000040)='syz_tun\x00', 0x10) syz_emit_ethernet(0x36, &(0x7f0000000140)=ANY=[@ANYBLOB="000000000000ffffffffffff08004f000028000000000006907864010101e000000200004e22", @ANYRES32=0x41424344, @ANYRES32=0x41424344, @ANYBLOB="5c02000090780000"], 0x0) r2 = syz_open_procfs(0x0, &(0x7f00000001c0)='net/arp\x00') preadv(r2, &(0x7f0000000000)=[{&(0x7f0000000200)=""/233, 0xe9}], 0x1, 0x9f, 0x0) socket$netlink(0x10, 0x3, 0x0) r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r4 = socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$tipc(&(0x7f0000000200), 0xffffffffffffffff) r6 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r6, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB="3000000010000100"/20, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\b\x00\n\x00', @ANYRES32=0x0, @ANYBLOB="08001b"], 0x30}}, 0x0) r7 = socket$nl_generic(0x10, 0x3, 0x10) r8 = syz_genetlink_get_family_id$team(&(0x7f00000044c0), 0xffffffffffffffff) ioctl$ifreq_SIOCGIFINDEX_team(r7, 0x8933, &(0x7f0000000240)={'team0\x00', 0x0}) sendmsg$TEAM_CMD_OPTIONS_SET(r7, &(0x7f0000004bc0)={0x0, 0x0, &(0x7f0000004b80)={&(0x7f0000000140)={0x64, r8, 0x405, 0x70bd28, 0x25dfdbfe, {}, [{{0x8, 0x1, r9}, {0x48, 0x2, 0x0, 0x1, [{0x44, 0x1, @name={{0x24}, {0x5}, {0x11, 0x4, 'activebackup\x00'}}}]}}]}, 0x64}, 0x1, 0x0, 0x0, 0x4000401}, 0x44084) r10 = socket$nl_route(0x10, 0x3, 0x0) accept$alg(0xffffffffffffffff, 0x0, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r7, 0x8933, &(0x7f0000000480)={'team0\x00', 0x0}) sendmsg$nl_route(r10, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@newlink={0x3c, 0x10, 0x7, 0xffffffff, 0x0, {0x0, 0x0, 0x0, 0x0, 0x10100}, [@IFLA_IFNAME={0x14, 0x3, 'gre0\x00'}, @IFLA_MASTER={0x8, 0xa, r11}]}, 0x3c}}, 0x0) sendmsg$TIPC_CMD_ENABLE_BEARER(r4, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000002c0)=ANY=[@ANYBLOB="340000008e9c9866131658e01ccfa5054f69c48a08f23eaf6d26a436bc886f464a288e87027ef7c8320c370dbc5f71b8406af18b0b83f4e060e1a2753418a111461a5a0f8c81659227d613348c2b06bb738679d004ee131e47a02c260ad234209e292da94e2836799efc44fa979827d40587494c199c758ed868715bfd3b5bce331220657d5a3ef5ad0c581944599a7f8569bb58de831d31688a5fd5a6e9fe243601d9b909edf2039039281d0b217d0776761863141cab5cabd4ef76fbfdc5ddfeaee300a2fe2d5f71f13edaebc4c6145b674df5fdda60b5aac2bf4674eb38547b1cb68ddfebdf99776a5edaae1a4d14af0c0e79ff58a6a1287a4d83ed09", @ANYRES16=r5, @ANYBLOB="010000000000ffdbdf250100000000000000014100000018001700000000000000006574683a7465616d30000000"], 0x34}}, 0x0) r12 = syz_genetlink_get_family_id$nl802154(&(0x7f00000004c0), 0xffffffffffffffff) sendmsg$NL802154_CMD_SET_CHANNEL(r3, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000500)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r12, @ANYBLOB="01002dbd7000fbdb00000500070004000000"], 0x24}, 0x1, 0x0, 0x0, 0x2}, 0x10) unshare(0x22020600) syz_open_procfs$namespace(0x0, &(0x7f00000000c0)='ns/mnt\x00') [ 84.716727][ T4707] Bluetooth: hci0: command tx timeout [ 84.840979][ T5368] bridge_slave_0: left allmulticast mode [ 84.843348][ T5368] bridge_slave_0: left promiscuous mode [ 84.845730][ T5368] bridge0: port 1(bridge_slave_0) entered disabled state [ 84.852912][ T5368] bridge_slave_1: left allmulticast mode [ 84.855458][ T5368] bridge_slave_1: left promiscuous mode [ 84.860952][ T5368] bridge0: port 2(bridge_slave_1) entered disabled state [ 84.870396][ T5368] bond0: (slave bond_slave_0): Releasing backup interface [ 84.881625][ T5368] bond0: (slave bond_slave_1): Releasing backup interface [ 84.899543][ T5368] team0: Port device team_slave_0 removed [ 84.905497][ T5368] team0: Port device team_slave_1 removed [ 84.910311][ T5368] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 84.913653][ T5368] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 84.920025][ T5368] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 84.923990][ T5368] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 84.942329][ T5370] team0: Mode changed to "activebackup" [ 84.952786][ T5368] gre0: entered promiscuous mode [ 84.987859][ T5365] skbuff: skb_under_panic: text:ffffffff8a13dfd7 len:830262932 put:830262836 head:ffff888052f06000 data:ffff88802173928c tail:0x120 end:0x6c0 dev:team0 [ 85.002246][ T5365] ------------[ cut here ]------------ [ 85.004488][ T5365] kernel BUG at net/core/skbuff.c:211! [ 85.007238][ T5368] team0: Port device gre0 added [ 85.012090][ T5365] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 85.014883][ T5365] CPU: 0 UID: 0 PID: 5365 Comm: kworker/0:5 Not tainted syzkaller #0 PREEMPT(full) [ 85.018438][ T5365] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.022925][ T5365] Workqueue: mld mld_ifc_work [ 85.025062][ T5365] RIP: 0010:skb_panic+0x157/0x160 [ 85.027249][ T5365] Code: c7 00 14 94 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 8e 0c f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 85.035324][ T5365] RSP: 0018:ffffc9000d4c7418 EFLAGS: 00010286 [ 85.037986][ T5365] RAX: 0000000000000095 RBX: dffffc0000000000 RCX: 14f993582639e300 [ 85.041343][ T5365] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 [ 85.044553][ T5365] RBP: 00000000000006c0 R08: ffffc9000d4c7127 R09: 1ffff92001a98e24 [ 85.047613][ T5365] R10: dffffc0000000000 R11: fffff52001a98e25 R12: ffff8880429d8650 [ 85.050823][ T5365] R13: ffff888052f06000 R14: ffff88802173928c R15: 0000000000000120 [ 85.054180][ T5365] FS: 0000000000000000(0000) GS:ffff88808d20a000(0000) knlGS:0000000000000000 [ 85.057954][ T5365] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 85.060811][ T5365] CR2: 00007fc2f6a19fb8 CR3: 0000000000f9f000 CR4: 0000000000352ef0 [ 85.064247][ T5365] Call Trace: [ 85.065604][ T5365] [ 85.066918][ T5365] ? ipgre_header+0x67/0x290 [ 85.068864][ T5365] ? ipgre_header+0x67/0x290 [ 85.070842][ T5365] skb_push+0xc3/0xe0 [ 85.072526][ T5365] ipgre_header+0x67/0x290 [ 85.074357][ T5365] ? __pfx_ipgre_header+0x10/0x10 [ 85.076428][ T5365] neigh_connected_output+0x283/0x460 [ 85.078676][ T5365] ip6_finish_output2+0x11fe/0x16a0 [ 85.080874][ T5365] ? ip6_finish_output2+0x701/0x16a0 [ 85.083731][ T5365] ? __pfx_ip6_finish_output2+0x10/0x10 [ 85.086672][ T5365] ? ip6_mtu+0x7d/0x3f0 [ 85.088786][ T5365] ? ip6_mtu+0x7d/0x3f0 [ 85.090834][ T5365] ip6_finish_output+0x234/0x7d0 [ 85.093346][ T5365] NF_HOOK+0x9e/0x380 [ 85.095326][ T5365] ? __pfx_NF_HOOK+0x10/0x10 [ 85.097654][ T5365] ? __pfx_xfrm_lookup_with_ifid+0x10/0x10 [ 85.100607][ T5365] ? do_raw_spin_unlock+0x4d/0x240 [ 85.103032][ T5365] ? icmp6_dst_alloc+0x3a5/0x420 [ 85.105080][ T5365] ? icmp6_dst_alloc+0x3a5/0x420 [ 85.107111][ T5365] mld_sendpack+0x800/0xd80 [ 85.109012][ T5365] ? mld_sendpack+0x1de/0xd80 [ 85.111225][ T5365] ? __pfx_mld_sendpack+0x10/0x10 [ 85.113408][ T5365] mld_ifc_work+0x83e/0xd60 [ 85.115391][ T5365] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.117642][ T5365] ? process_scheduled_works+0x9ef/0x17b0 [ 85.120033][ T5365] process_scheduled_works+0xae1/0x17b0 [ 85.122479][ T5365] ? __pfx_process_scheduled_works+0x10/0x10 [ 85.124890][ T5365] worker_thread+0x8a0/0xda0 [ 85.126811][ T5365] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 85.129491][ T5365] ? __kthread_parkme+0x7b/0x200 [ 85.131654][ T5365] kthread+0x70e/0x8a0 [ 85.133363][ T5365] ? __pfx_worker_thread+0x10/0x10 [ 85.135540][ T5365] ? __pfx_kthread+0x10/0x10 [ 85.137455][ T5365] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.139672][ T5365] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.141930][ T5365] ? __pfx_kthread+0x10/0x10 [ 85.143885][ T5365] ret_from_fork+0x436/0x7d0 [ 85.145909][ T5365] ? __pfx_ret_from_fork+0x10/0x10 [ 85.148120][ T5365] ? __pfx_kthread+0x10/0x10 [ 85.150136][ T5365] ret_from_fork_asm+0x1a/0x30 [ 85.152240][ T5365] [ 85.153381][ T5365] Modules linked in: [ 85.155572][ T5365] ---[ end trace 0000000000000000 ]--- [ 85.158875][ T5370] netlink: 12 bytes leftover after parsing attributes in process `syz.0.0'. [ 85.166344][ T5365] RIP: 0010:skb_panic+0x157/0x160 [ 85.168598][ T5365] Code: c7 00 14 94 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 8e 0c f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 85.176986][ T5365] RSP: 0018:ffffc9000d4c7418 EFLAGS: 00010286 [ 85.179544][ T5365] RAX: 0000000000000095 RBX: dffffc0000000000 RCX: 14f993582639e300 [ 85.182903][ T5365] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 [ 85.186095][ T5365] RBP: 00000000000006c0 R08: ffffc9000d4c7127 R09: 1ffff92001a98e24 [ 85.189790][ T5365] R10: dffffc0000000000 R11: fffff52001a98e25 R12: ffff8880429d8650 [ 85.193151][ T5365] R13: ffff888052f06000 R14: ffff88802173928c R15: 0000000000000120 [ 85.197188][ T5365] FS: 0000000000000000(0000) GS:ffff88808d20a000(0000) knlGS:0000000000000000 [ 85.201069][ T5365] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 85.203847][ T5365] CR2: 00007fc2f6a19fb8 CR3: 0000000000f9f000 CR4: 0000000000352ef0 [ 85.207657][ T5365] Kernel panic - not syncing: Fatal exception [ 85.210573][ T5365] Kernel Offset: disabled [ 85.212384][ T5365] Rebooting in 86400 seconds..