program: r0 = socket$inet6_sctp(0xa, 0x1, 0x84) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000340)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWCHAIN={0x6c, 0x3, 0xa, 0x801, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_TABLE={0x9, 0x1, 'syz1\x00'}, @NFTA_CHAIN_HOOK={0x4c, 0x4, 0x0, 0x1, [@NFTA_HOOK_HOOKNUM={0x8}, @NFTA_HOOK_PRIORITY={0x8, 0x2, 0x1, 0x0, 0x140bc61f}, @NFTA_HOOK_HOOKNUM={0x8, 0x1, 0x1, 0x0, 0x2}, @NFTA_HOOK_DEV={0x14, 0x3, 'veth0_to_bridge\x00'}, @NFTA_HOOK_HOOKNUM={0x8}, @NFTA_HOOK_DEV={0x14, 0x3, 'batadv_slave_1\x00'}]}]}, @NFT_MSG_NEWRULE={0x50, 0x6, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_RULE_CHAIN_ID={0x8}, @NFTA_RULE_EXPRESSIONS={0x28, 0x4, 0x0, 0x1, [{0x24, 0x1, 0x0, 0x1, @exthdr={{0xb}, @val={0x14, 0x2, 0x0, 0x1, [@NFTA_EXTHDR_OP={0x8}, @NFTA_EXTHDR_DREG={0x8}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}]}], {0x14}}, 0x104}}, 0x40) setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r0, 0x84, 0x64, &(0x7f0000000080)=[@in={0x2, 0x4e20, @empty}], 0x10) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f00000000c0)={0x0, 0x10, &(0x7f00000002c0)=[@in={0x2, 0x4e20, @local}]}, &(0x7f0000000100)=0x10) setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r0, 0x84, 0x9, &(0x7f0000000180)={0x0, @in={{0x2, 0x4e20, @local}}, 0x0, 0x0, 0x989, 0x0, 0x10}, 0x9c) socket$nl_route(0x10, 0x3, 0x0) r3 = socket$inet6_udp(0xa, 0x2, 0x0) setsockopt$inet_sctp_SCTP_CONTEXT(0xffffffffffffffff, 0x84, 0x11, &(0x7f0000000240)={r2}, 0x8) r4 = syz_open_procfs(0x0, &(0x7f00000000c0)='task\x00') fchdir(r4) mount(0x0, &(0x7f0000000080)='.\x00', &(0x7f0000000000)='proc\x00', 0x0, 0x0) r5 = syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$sock_ifreq(r5, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) syz_init_net_socket$rose(0xb, 0x5, 0x0) r6 = syz_init_net_socket$rose(0xb, 0x5, 0x0) bind$rose(r6, &(0x7f00000000c0)=@full={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, 0x4, [@null, @default, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}]}, 0x40) connect$rose(r6, &(0x7f00000001c0)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, 0x1, @bcast}, 0x1c) connect$rose(r6, &(0x7f00000001c0)=@short={0xb, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @null, 0x1, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}}, 0x1c) r7 = syz_clone(0x20000, 0x0, 0x0, 0x0, 0x0, 0x0) syz_usb_connect(0x2, 0x27d, &(0x7f0000000300)=ANY=[@ANYBLOB="12010000e124cf4068162303ca5f000000010902"], 0x0) r8 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000), 0x42, 0x0) write$dsp(r8, &(0x7f00000001c0)="5cba91a4", 0xffffffd9) ioctl$SNDCTL_DSP_SYNC(r8, 0x5001, 0x0) io_uring_setup(0x1236, &(0x7f00000004c0)={0x0, 0x0, 0x800, 0xffffffff}) ioctl$SNDCTL_DSP_SETFRAGMENT(r8, 0xc004500a, &(0x7f00000000c0)=0x4) close_range(r8, 0xffffffffffffffff, 0x0) openat$dsp(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) syz_open_procfs$namespace(r7, &(0x7f0000000040)='ns/cgroup\x00') ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000040)={'lo\x00'}) [ 74.920174][ T4685] Bluetooth: hci0: command tx timeout [ 75.071368][ T5338] 8021q: adding VLAN 0 to HW filter on device bond0 [ 75.092438][ T5338] bond0: (slave rose0): Enslaving as an active interface with an up link [ 75.467974][ T5324] usb 5-1: new full-speed USB device number 2 using dummy_hcd [ 75.631425][ T5324] usb 5-1: config 0 has no interfaces? [ 75.633804][ T5324] usb 5-1: New USB device found, idVendor=1668, idProduct=0323, bcdDevice=5f.ca [ 75.648461][ T5324] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 75.663608][ T5324] usb 5-1: config 0 descriptor?? [ 76.181202][ T1313] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.184309][ T1313] ieee802154 phy1 wpan1: encryption failed: -22 [ 76.978521][ T4685] Bluetooth: hci0: command tx timeout [ 78.456876][ T5336] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI [ 78.462113][ T5336] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 78.466484][ T5336] CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 78.471220][ T5336] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 78.477008][ T5336] RIP: 0010:rose_transmit_link+0x32/0x740 [ 78.480267][ T5336] Code: 56 41 55 41 54 53 48 83 ec 18 48 89 f5 49 89 fc 49 be 00 00 00 00 00 fc ff df e8 79 8a 74 f7 4c 8d 7d 36 4c 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 0f 85 6e 05 00 00 41 0f b6 1f 31 ff 89 de e8 [ 78.489792][ T5336] RSP: 0018:ffffc9000ba07790 EFLAGS: 00010207 [ 78.493325][ T5336] RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff888000de24c0 [ 78.497327][ T5336] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880418fa3c0 [ 78.501284][ T5336] RBP: 0000000000000000 R08: ffff888000de24c0 R09: 0000000000000008 [ 78.504051][ T5336] R10: 000000000000000f R11: 0000000000000000 R12: ffff8880418fa3c0 [ 78.508095][ T5336] R13: dffffc0000000000 R14: dffffc0000000000 R15: 0000000000000036 [ 78.511706][ T5336] FS: 0000000000000000(0000) GS:ffff88808d414000(0000) knlGS:0000000000000000 [ 78.515566][ T5336] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.518501][ T5336] CR2: 00007fb059f3e4c0 CR3: 000000001f756000 CR4: 0000000000352ef0 [ 78.521770][ T5336] Call Trace: [ 78.522993][ T5336] [ 78.524196][ T5336] ? skb_put+0x11b/0x210 [ 78.525973][ T5336] rose_write_internal+0x11dc/0x1ac0 [ 78.528363][ T5336] ? lockdep_hardirqs_on+0x7b/0x110 [ 78.530547][ T5336] ? __pfx_rose_write_internal+0x10/0x10 [ 78.532689][ T5336] ? __timer_delete+0x5d/0x390 [ 78.534686][ T5336] rose_release+0x25b/0x510 [ 78.536423][ T5336] sock_close+0xc3/0x240 [ 78.538122][ T5336] ? __pfx_sock_close+0x10/0x10 [ 78.540034][ T5336] __fput+0x44c/0xa70 [ 78.541809][ T5336] task_work_run+0x1d4/0x260 [ 78.543712][ T5336] ? __pfx_task_work_run+0x10/0x10 [ 78.545765][ T5336] ? do_raw_spin_unlock+0x4d/0x240 [ 78.547766][ T5336] do_exit+0x694/0x22f0 [ 78.549490][ T5336] ? __pfx_do_exit+0x10/0x10 [ 78.551575][ T5336] do_group_exit+0x21c/0x2d0 [ 78.553638][ T5336] ? _raw_spin_unlock_irq+0x23/0x50 [ 78.555943][ T5336] get_signal+0x1285/0x1340 [ 78.558081][ T5336] arch_do_signal_or_restart+0x9a/0x7a0 [ 78.560413][ T5336] ? __pfx_get_timespec64+0x10/0x10 [ 78.562588][ T5336] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 78.565045][ T5336] ? irqentry_exit+0x5e8/0x670 [ 78.566976][ T5336] ? __se_sys_clock_nanosleep+0x339/0x390 [ 78.569362][ T5336] exit_to_user_mode_loop+0x87/0x4e0 [ 78.571460][ T5336] ? rcu_is_watching+0x15/0xb0 [ 78.573128][ T5336] do_syscall_64+0x2c1/0xf80 [ 78.574672][ T5336] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 78.576649][ T5336] ? clear_bhb_loop+0x60/0xb0 [ 78.578190][ T5336] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 78.580106][ T5336] RIP: 0033:0x7f1feb9c2085 [ 78.581916][ T5336] Code: Unable to access opcode bytes at 0x7f1feb9c205b. [ 78.584952][ T5336] RSP: 002b:00007ffc84cbffa0 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6 [ 78.588628][ T5336] RAX: 0000000000000000 RBX: 00007f1febbe5fa0 RCX: 00007f1feb9c2085 [ 78.591895][ T5336] RDX: 00007ffc84cbffe0 RSI: 0000000000000000 RDI: 0000000000000000 [ 78.595287][ T5336] RBP: 00007f1febbe7da0 R08: 0000000000000000 R09: 3fffffffffffffff [ 78.598626][ T5336] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000013453 [ 78.602655][ T5336] R13: 00007f1febbe6360 R14: ffffffffffffffff R15: 00007ffc84cc0120 [ 78.606935][ T5336] [ 78.608575][ T5336] Modules linked in: [ 78.611951][ T5336] ---[ end trace 0000000000000000 ]--- [ 78.620854][ T5336] RIP: 0010:rose_transmit_link+0x32/0x740 [ 78.623885][ T5336] Code: 56 41 55 41 54 53 48 83 ec 18 48 89 f5 49 89 fc 49 be 00 00 00 00 00 fc ff df e8 79 8a 74 f7 4c 8d 7d 36 4c 89 f8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 0f 85 6e 05 00 00 41 0f b6 1f 31 ff 89 de e8 [ 78.633432][ T5336] RSP: 0018:ffffc9000ba07790 EFLAGS: 00010207 [ 78.636622][ T5336] RAX: 0000000000000006 RBX: 0000000000000000 RCX: ffff888000de24c0 [ 78.640177][ T5336] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880418fa3c0 [ 78.643782][ T5336] RBP: 0000000000000000 R08: ffff888000de24c0 R09: 0000000000000008 [ 78.647433][ T5336] R10: 000000000000000f R11: 0000000000000000 R12: ffff8880418fa3c0 [ 78.651412][ T5336] R13: dffffc0000000000 R14: dffffc0000000000 R15: 0000000000000036 [ 78.654879][ T5336] FS: 0000000000000000(0000) GS:ffff88808d414000(0000) knlGS:0000000000000000 [ 78.659528][ T5336] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.662632][ T5336] CR2: 00007f3847cddd20 CR3: 000000001f756000 CR4: 0000000000352ef0 [ 78.665881][ T5336] Kernel panic - not syncing: Fatal exception [ 78.668998][ T5336] Kernel Offset: disabled [ 78.671135][ T5336] Rebooting in 86400 seconds..