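program:
# syzkaller reproducer, restored to one call per line (the page had it collapsed onto a single line).
# Result markers use syzkaller's `<rN=>` syntax; the `<r1=>` marker on the SIOCGIFINDEX ifindex field
# had been eaten by rendering, leaving the later `r1` references undefined, so it is put back here.
setsockopt$IP6T_SO_SET_REPLACE(0xffffffffffffffff, 0x29, 0x40, 0x0, 0x0)
# r0: AF_NETLINK (0x10) route socket used for the qdisc/filter setup below.
r0 = socket(0x10, 0x803, 0x0)
# r1: ifindex of 'veth0_to_hsr', filled in by SIOCGIFINDEX (0x8933).
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000400)={'veth0_to_hsr\x00', <r1=>0x0})
# RTM_NEWQDISC on r1 with an htb qdisc (TCA_HTB_INIT).
sendmsg$nl_route_sched(r0, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd25, 0x25dfdbfe, {0x0, 0x0, 0x0, r1, {0x0, 0xffe1}, {0xffff, 0xffff}, {0xffe0}}, [@qdisc_kind_options=@q_htb={{0x8}, {0x1c, 0x2, [@TCA_HTB_INIT={0x18, 0x2, {0x3, 0x4, 0x9}}]}}]}, 0x48}}, 0xc840)
# RTM_NEWTFILTER on r1 with a u32 classifier. TCA_U32_SEL (attr len 0x24) carries a tc_u32_sel
# whose third field is 0x1 plus one key; that layout (16-byte sel + one 16-byte key = 32 bytes)
# is consistent with the kernel log below: "memcpy: detected field-spanning write (size 32) of
# single field "&new->sel" at net/sched/cls_u32.c:855 (size 16)" raised in u32_change().
# Whether line 855 copies sel together with its trailing keys is not visible here — confirm in source.
sendmsg$nl_route_sched(r0, &(0x7f0000006040)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000800)=@newtfilter={0x54, 0x2c, 0xd2b, 0x70bd2b, 0x25dfdbfb, {0x0, 0x0, 0x0, r1, {0x6}, {}, {0x7, 0xfff1}}, [@filter_kind_options=@f_u32={{0x8}, {0x28, 0x2, [@TCA_U32_SEL={0x24, 0x5, {0xd, 0x7, 0x1, 0x3d3f, 0x0, 0xfff, 0xb709, 0x58f, [{0x0, 0x20008000, 0x4, 0x1}]}}]}}]}, 0x54}, 0x1, 0x0, 0x0, 0x4084}, 0x24040084)
recvmmsg$unix(r0, &(0x7f0000000580)=[{{0x0, 0x0, &(0x7f0000000040)=[{&(0x7f00000002c0)=""/219, 0xdb}], 0x1}}], 0x1, 0x60, 0x0)
sendmsg$GTP_CMD_NEWPDP(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000300)={0x2c, 0x0, 0x1, 0x2, 0x25dfdbfe, {}, [@GTPA_LINK={0x8}, @GTPA_I_TEI={0x8, 0x8, 0x1}, @GTPA_FLOW={0x6, 0x6, 0x1}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4004054}, 0x4000044)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={0x0}}, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[], 0xc3}, 0x1, 0x100000000000000, 0x0, 0x2000}, 0x40400c0)
# r2: a second AF_NETLINK route socket.
r2 = socket(0x10, 0x3, 0x0)
# The trapping frame in the log is __x64_sys_sendmmsg -> ... -> tc_new_tfilter -> u32_change, and the
# user-space RDX in the report (04000000000001f2) matches this vlen, so the WARNING is presumably hit
# while this call re-sends the msghdr data earlier calls left at 0x7f0000000000 (verify with the full repro).
# With panic_on_warn set this single WARNING takes the whole machine down (see "Kernel panic" below).
sendmmsg(r2, &(0x7f0000000000), 0x4000000000001f2, 0x0)
[ 84.398830][ T5304] Bluetooth: hci0: command tx timeout
[ 84.540384][ T5328] ------------[ cut here ]------------
[ 84.543484][ T5328] memcpy: detected field-spanning write (size 32) of single field "&new->sel" at net/sched/cls_u32.c:855 (size 16)
[ 84.549695][ T5328] WARNING: net/sched/cls_u32.c:855 at 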
u32_change+0x1da0/0x2720, CPU#0: syz.0.0/5328 [ 84.556083][ T5328] Modules linked in: [ 84.558130][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 84.562315][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.567188][ T5328] RIP: 0010:u32_change+0x1daf/0x2720 [ 84.569386][ T5328] Code: 3d 82 2f 41 06 01 75 33 e8 0e 1e 0b f8 eb 50 e8 07 1e 0b f8 48 8d 3d a0 63 66 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 00 c3 e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 e2 1d 0b f8 eb 24 e8 db 1d 0b f8 [ 84.579820][ T5328] RSP: 0018:ffffc9000e266fc0 EFLAGS: 00010283 [ 84.582554][ T5328] RAX: ffffffff89bab189 RBX: ffff888041377400 RCX: 0000000000000010 [ 84.586685][ T5328] RDX: ffffffff8ce1c300 RSI: 0000000000000020 RDI: ffffffff90211530 [ 84.590697][ T5328] RBP: ffffc9000e267178 R08: 0000000000000dc0 R09: 00000000ffffffff [ 84.594565][ T5328] R10: dffffc0000000000 R11: fffffbfff2023fd7 R12: ffff8880413770e8 [ 84.598383][ T5328] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001 [ 84.602555][ T5328] FS: 00007f49449166c0(0000) GS:ffff88808ca49000(0000) knlGS:0000000000000000 [ 84.608358][ T5328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 84.611419][ T5328] CR2: 0000200000006040 CR3: 000000001fcc2000 CR4: 0000000000352ef0 [ 84.615185][ T5328] Call Trace: [ 84.616753][ T5328] [ 84.618191][ T5328] ? __pfx_u32_change+0x10/0x10 [ 84.620967][ T5328] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 84.625507][ T5328] tc_new_tfilter+0xff8/0x1780 [ 84.628096][ T5328] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.630504][ T5328] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.633217][ T5328] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 84.635896][ T5328] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 84.638573][ T5328] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.641773][ T5328] ? ref_tracker_free+0x693/0x840 [ 84.644695][ T5328] ? __copy_skb_header+0xa3/0x4a0 [ 84.647141][ T5328] ? __pfx_ref_tracker_free+0x10/0x10 [ 84.649688][ T5328] ? 
__skb_clone+0x63/0x7a0 [ 84.651877][ T5328] netlink_rcv_skb+0x232/0x4b0 [ 84.654664][ T5328] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.658171][ T5328] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 84.661104][ T5328] ? netlink_deliver_tap+0x2e/0x1b0 [ 84.663759][ T5328] netlink_unicast+0x80f/0x9b0 [ 84.665915][ T5328] ? __pfx_netlink_unicast+0x10/0x10 [ 84.668382][ T5328] ? netlink_sendmsg+0x650/0xb40 [ 84.671478][ T5328] ? skb_put+0x11b/0x210 [ 84.674870][ T5328] netlink_sendmsg+0x813/0xb40 [ 84.677215][ T5328] ? __pfx_netlink_sendmsg+0x10/0x10 [ 84.679477][ T5328] ? aa_sock_msg_perm+0xf1/0x1b0 [ 84.681673][ T5328] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 84.684234][ T5328] ____sys_sendmsg+0x972/0x9f0 [ 84.686764][ T5328] ? __pfx_____sys_sendmsg+0x10/0x10 [ 84.689288][ T5328] ? import_iovec+0x73/0xa0 [ 84.691375][ T5328] ___sys_sendmsg+0x2a5/0x360 [ 84.694354][ T5328] ? __pfx____sys_sendmsg+0x10/0x10 [ 84.696779][ T5328] ? preempt_schedule_common+0x82/0xd0 [ 84.699413][ T5328] ? preempt_schedule_thunk+0x16/0x30 [ 84.702446][ T5328] ? __fget_files+0x2a/0x420 [ 84.705245][ T5328] ? __fget_files+0x3a0/0x420 [ 84.707636][ T5328] __sys_sendmmsg+0x27c/0x4e0 [ 84.709627][ T5328] ? __pfx___sys_sendmmsg+0x10/0x10 [ 84.712026][ T5328] ? do_futex+0x395/0x420 [ 84.714202][ T5328] ? rcu_is_watching+0x15/0xb0 [ 84.717090][ T5328] __x64_sys_sendmmsg+0xa0/0xc0 [ 84.720089][ T5328] do_syscall_64+0x14d/0xf80 [ 84.722444][ T5328] ? trace_irq_disable+0x3b/0x150 [ 84.725041][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.727702][ T5328] ? 
clear_bhb_loop+0x40/0x90 [ 84.729965][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.733333][ T5328] RIP: 0033:0x7f494399c819 [ 84.735905][ T5328] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 84.744850][ T5328] RSP: 002b:00007f4944915fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 84.748743][ T5328] RAX: ffffffffffffffda RBX: 00007f4943c15fa0 RCX: 00007f494399c819 [ 84.753116][ T5328] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000004 [ 84.757724][ T5328] RBP: 00007f4943a32c91 R08: 0000000000000000 R09: 0000000000000000 [ 84.761492][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 84.765235][ T5328] R13: 00007f4943c16038 R14: 00007f4943c15fa0 R15: 00007ffd42653ef8 [ 84.768860][ T5328] [ 84.770406][ T5328] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 84.773922][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 84.778756][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.783631][ T5328] Call Trace: [ 84.785154][ T5328] [ 84.786521][ T5328] vpanic+0x56c/0xa60 [ 84.788421][ T5328] ? __pfx__printk+0x10/0x10 [ 84.790813][ T5328] ? __pfx_vpanic+0x10/0x10 [ 84.793213][ T5328] ? is_bpf_text_address+0x292/0x2b0 [ 84.795825][ T5328] ? is_bpf_text_address+0x26/0x2b0 [ 84.798350][ T5328] panic+0xc5/0xd0 [ 84.800093][ T5328] ? __pfx_panic+0x10/0x10 [ 84.802134][ T5328] __warn+0x315/0x4f0 [ 84.804210][ T5328] ? u32_change+0x1da0/0x2720 [ 84.806449][ T5328] ? u32_change+0x1da0/0x2720 [ 84.809277][ T5328] __report_bug+0x29a/0x540 [ 84.811647][ T5328] ? ___sys_sendmsg+0x2a5/0x360 [ 84.813935][ T5328] ? __sys_sendmmsg+0x27c/0x4e0 [ 84.816205][ T5328] ? __x64_sys_sendmmsg+0xa0/0xc0 [ 84.818714][ T5328] ? u32_change+0x1da0/0x2720 [ 84.821145][ T5328] ? 
__pfx___report_bug+0x10/0x10 [ 84.823417][ T5328] report_bug_entry+0x19a/0x290 [ 84.826307][ T5328] ? u32_change+0x1daf/0x2720 [ 84.829280][ T5328] ? u32_change+0x1db4/0x2720 [ 84.831744][ T5328] handle_bug+0xce/0x200 [ 84.833593][ T5328] exc_invalid_op+0x1a/0x50 [ 84.835570][ T5328] asm_exc_invalid_op+0x1a/0x20 [ 84.837946][ T5328] RIP: 0010:u32_change+0x1daf/0x2720 [ 84.840482][ T5328] Code: 3d 82 2f 41 06 01 75 33 e8 0e 1e 0b f8 eb 50 e8 07 1e 0b f8 48 8d 3d a0 63 66 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 00 c3 e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 e2 1d 0b f8 eb 24 e8 db 1d 0b f8 [ 84.850548][ T5328] RSP: 0018:ffffc9000e266fc0 EFLAGS: 00010283 [ 84.853113][ T5328] RAX: ffffffff89bab189 RBX: ffff888041377400 RCX: 0000000000000010 [ 84.857142][ T5328] RDX: ffffffff8ce1c300 RSI: 0000000000000020 RDI: ffffffff90211530 [ 84.861630][ T5328] RBP: ffffc9000e267178 R08: 0000000000000dc0 R09: 00000000ffffffff [ 84.865601][ T5328] R10: dffffc0000000000 R11: fffffbfff2023fd7 R12: ffff8880413770e8 [ 84.869574][ T5328] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001 [ 84.873642][ T5328] ? u32_change+0x1d99/0x2720 [ 84.875724][ T5328] ? __pfx_u32_change+0x10/0x10 [ 84.878009][ T5328] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 84.880769][ T5328] tc_new_tfilter+0xff8/0x1780 [ 84.882872][ T5328] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.885385][ T5328] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.887927][ T5328] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 84.890206][ T5328] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 84.892820][ T5328] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.895734][ T5328] ? ref_tracker_free+0x693/0x840 [ 84.898037][ T5328] ? __copy_skb_header+0xa3/0x4a0 [ 84.900195][ T5328] ? __pfx_ref_tracker_free+0x10/0x10 [ 84.902516][ T5328] ? __skb_clone+0x63/0x7a0 [ 84.904416][ T5328] netlink_rcv_skb+0x232/0x4b0 [ 84.906653][ T5328] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.909540][ T5328] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 84.912404][ T5328] ? 
netlink_deliver_tap+0x2e/0x1b0 [ 84.914708][ T5328] netlink_unicast+0x80f/0x9b0 [ 84.916879][ T5328] ? __pfx_netlink_unicast+0x10/0x10 [ 84.919311][ T5328] ? netlink_sendmsg+0x650/0xb40 [ 84.921869][ T5328] ? skb_put+0x11b/0x210 [ 84.924075][ T5328] netlink_sendmsg+0x813/0xb40 [ 84.926230][ T5328] ? __pfx_netlink_sendmsg+0x10/0x10 [ 84.928633][ T5328] ? aa_sock_msg_perm+0xf1/0x1b0 [ 84.931131][ T5328] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 84.933538][ T5328] ____sys_sendmsg+0x972/0x9f0 [ 84.936048][ T5328] ? __pfx_____sys_sendmsg+0x10/0x10 [ 84.939106][ T5328] ? import_iovec+0x73/0xa0 [ 84.941302][ T5328] ___sys_sendmsg+0x2a5/0x360 [ 84.943534][ T5328] ? __pfx____sys_sendmsg+0x10/0x10 [ 84.946021][ T5328] ? preempt_schedule_common+0x82/0xd0 [ 84.948997][ T5328] ? preempt_schedule_thunk+0x16/0x30 [ 84.951511][ T5328] ? __fget_files+0x2a/0x420 [ 84.953524][ T5328] ? __fget_files+0x3a0/0x420 [ 84.955653][ T5328] __sys_sendmmsg+0x27c/0x4e0 [ 84.958551][ T5328] ? __pfx___sys_sendmmsg+0x10/0x10 [ 84.961505][ T5328] ? do_futex+0x395/0x420 [ 84.963519][ T5328] ? rcu_is_watching+0x15/0xb0 [ 84.965644][ T5328] __x64_sys_sendmmsg+0xa0/0xc0 [ 84.968156][ T5328] do_syscall_64+0x14d/0xf80 [ 84.970198][ T5328] ? trace_irq_disable+0x3b/0x150 [ 84.972805][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.976557][ T5328] ? 
clear_bhb_loop+0x40/0x90 [ 84.978998][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.981676][ T5328] RIP: 0033:0x7f494399c819 [ 84.983660][ T5328] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 84.993050][ T5328] RSP: 002b:00007f4944915fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 84.996778][ T5328] RAX: ffffffffffffffda RBX: 00007f4943c15fa0 RCX: 00007f494399c819 [ 85.000592][ T5328] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000004 [ 85.005049][ T5328] RBP: 00007f4943a32c91 R08: 0000000000000000 R09: 0000000000000000 [ 85.008441][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.011975][ T5328] R13: 00007f4943c16038 R14: 00007f4943c15fa0 R15: 00007ffd42653ef8 [ 85.015226][ T5328] [ 85.017319][ T5328] Kernel Offset: disabled [ 85.019930][ T5328] Rebooting in 86400 seconds..