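program:
# syzkaller reproducer, one call per line. The kernel log that follows it reports a
# fortified-memcpy "field-spanning write" WARNING at net/sched/cls_u32.c:855 (u32_change),
# reached through tc_new_tfilter. The log shows it turning into a panic and reboot because
# panic_on_warn is set.
#
# Triage notes (from the listing and the log only):
# - The TCA_U32_SEL attribute is 0x24 bytes: a 4-byte attribute header plus 32 bytes of
#   payload, i.e. a 16-byte selector header with nkeys = 0x1 followed by one 16-byte key.
#   This matches the log: 32 bytes written to a field whose declared size is 16.
# - NOTE(review): the page does not show whether the destination object was allocated with
#   room for the key. If it was, this is a bounds-annotation problem (the check sees only
#   the fixed part of the selector), not memory corruption. Confirm against cls_u32.c.
# - The trace enters through __x64_sys_sendmmsg (ORIG_RAX 0x133), so the final call raised
#   the warning. That call passes only the address of its message vector; the contents are
#   presumably left over from earlier calls, which the listing cannot confirm.
# - The log shows UID 0. Changing tc filters normally requires CAP_NET_ADMIN over the
#   network namespace; confirm for the kernel under test when rating reachability.
# - Calls using fd 0xffffffffffffffff act on an invalid descriptor and reach no socket.

# AF_TIPC (0x1e) datagram socket, bound to a name sequence.
r0 = socket$tipc(0x1e, 0x2, 0x0)
bind$tipc(r0, &(0x7f0000000000)=@nameseq={0x1e, 0x1, 0x0, {0x42, 0x0, 0x2}}, 0x10)
sendfile(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x401)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={0x0, 0x38}}, 0x0)

# AF_NETLINK (0x10) socket, protocol 0 (NETLINK_ROUTE).
r1 = socket(0x10, 0x803, 0x0)
# SIOCGIFINDEX (0x8933) looks up the interface index of veth0_to_hsr. The <r2=> marker
# binds that result to r2. It was missing from the page although r2 is used below as the
# interface index of both tc messages, so it is restored here.
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000400)={'veth0_to_hsr\x00', <r2=>0x0})
# Message type 0x24 (RTM_NEWQDISC): an HTB qdisc on interface r2.
sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd25, 0x25dfdbfe, {0x0, 0x0, 0x0, r2, {0x0, 0xffe1}, {0xffff, 0xffff}, {0xffe0}}, [@qdisc_kind_options=@q_htb={{0x8}, {0x1c, 0x2, [@TCA_HTB_INIT={0x18, 0x2, {0x3, 0x4, 0x9}}]}}]}, 0x48}}, 0xc840)
# Message type 0x2c (RTM_NEWTFILTER): a u32 filter whose only option is TCA_U32_SEL
# (attribute type 0x5), carrying a selector with one key.
sendmsg$nl_route_sched(r1, &(0x7f0000006040)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000800)=@newtfilter={0x54, 0x2c, 0xd2b, 0x70bd2b, 0x25dfdbfb, {0x0, 0x0, 0x0, r2, {0x6}, {}, {0x7, 0xfff1}}, [@filter_kind_options=@f_u32={{0x8}, {0x28, 0x2, [@TCA_U32_SEL={0x24, 0x5, {0xd, 0x7, 0x1, 0x3d3f, 0x0, 0xfff, 0xb709, 0x58f, [{0x0, 0x20008000, 0x4, 0x1}]}}]}}]}, 0x54}, 0x1, 0x0, 0x0, 0x4084}, 0x24040084)
# Reads up to 219 bytes from the netlink socket into the buffer at 0x7f00000002c0.
recvmmsg$unix(r1, &(0x7f0000000580)=[{{0x0, 0x0, &(0x7f0000000040)=[{&(0x7f00000002c0)=""/219, 0xdb}], 0x1}}], 0x1, 0x60, 0x0)
sendmsg$GTP_CMD_NEWPDP(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000300)={0x2c, 0x0, 0x1, 0x2, 0x25dfdbfe, {}, [@GTPA_LINK={0x8}, @GTPA_FLOW={0x6, 0x6, 0x1}, @GTPA_LINK={0x8, 0x1, r2}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4004054}, 0x4000044)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={0x0}}, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[], 0xc3}, 0x1, 0x100000000000000, 0x0, 0x2000}, 0x40400c0)

# Second NETLINK_ROUTE socket. Per the call trace, this sendmmsg() is the syscall in which
# the WARNING fired.
r3 = socket(0x10, 0x3, 0x0)
sendmmsg(r3, &(0x7f0000000000), 0x4000000000001f2, 0x0)
[ 84.080930][ T5306] Bluetooth: hci0: command tx timeout [ 84.210117][ T5329] ------------[ cut here ]------------ [ 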
84.212537][ T5329] memcpy: detected field-spanning write (size 32) of single field "&new->sel" at net/sched/cls_u32.c:855 (size 16) [ 84.217953][ T5329] WARNING: net/sched/cls_u32.c:855 at u32_change+0x1da0/0x2720, CPU#0: syz.0.0/5329 [ 84.224015][ T5329] Modules linked in: [ 84.226467][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 84.230730][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.235290][ T5329] RIP: 0010:u32_change+0x1daf/0x2720 [ 84.238066][ T5329] Code: 3d 1c 48 40 06 01 75 33 e8 5e f2 09 f8 eb 50 e8 57 f2 09 f8 48 8d 3d 60 83 65 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 80 fb e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 32 f2 09 f8 eb 24 e8 2b f2 09 f8 [ 84.247855][ T5329] RSP: 0018:ffffc9000f676fc0 EFLAGS: 00010283 [ 84.250777][ T5329] RAX: ffffffff89bbb519 RBX: ffff888012ab1800 RCX: 0000000000000010 [ 84.254924][ T5329] RDX: ffffffff8ce1fb80 RSI: 0000000000000020 RDI: ffffffff90213880 [ 84.258854][ T5329] RBP: ffffc9000f677178 R08: 0000000000000dc0 R09: 00000000ffffffff [ 84.262562][ T5329] R10: dffffc0000000000 R11: fffffbfff20243f7 R12: ffff888012ab14e8 [ 84.266252][ T5329] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001 [ 84.270677][ T5329] FS: 00007fa4dcd716c0(0000) GS:ffff88808ca40000(0000) knlGS:0000000000000000 [ 84.274971][ T5329] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 84.277920][ T5329] CR2: 00007fa4dc187020 CR3: 000000001f4be000 CR4: 0000000000352ef0 [ 84.282847][ T5329] Call Trace: [ 84.284797][ T5329] [ 84.286188][ T5329] ? __pfx_u32_change+0x10/0x10 [ 84.288212][ T5329] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 84.290759][ T5329] tc_new_tfilter+0xff8/0x1780 [ 84.293019][ T5329] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.296134][ T5329] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.299190][ T5329] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 84.301603][ T5329] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 84.304018][ T5329] ? 
__pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.306493][ T5329] ? ref_tracker_free+0x693/0x840 [ 84.309269][ T5329] ? __copy_skb_header+0xa3/0x4a0 [ 84.312094][ T5329] ? __pfx_ref_tracker_free+0x10/0x10 [ 84.314675][ T5329] ? __skb_clone+0x63/0x7a0 [ 84.316832][ T5329] netlink_rcv_skb+0x232/0x4b0 [ 84.319173][ T5329] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.321939][ T5329] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 84.325220][ T5329] ? netlink_deliver_tap+0x2e/0x1b0 [ 84.327443][ T5329] netlink_unicast+0x80f/0x9b0 [ 84.329649][ T5329] ? __pfx_netlink_unicast+0x10/0x10 [ 84.331863][ T5329] ? netlink_sendmsg+0x650/0xb40 [ 84.334150][ T5329] ? skb_put+0x11b/0x210 [ 84.336514][ T5329] netlink_sendmsg+0x813/0xb40 [ 84.339071][ T5329] ? __pfx_netlink_sendmsg+0x10/0x10 [ 84.341575][ T5329] ? aa_sock_msg_perm+0xf1/0x1b0 [ 84.343901][ T5329] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 84.346356][ T5329] ____sys_sendmsg+0x972/0x9f0 [ 84.348567][ T5329] ? __pfx_____sys_sendmsg+0x10/0x10 [ 84.351011][ T5329] ? import_iovec+0x73/0xa0 [ 84.353251][ T5329] ___sys_sendmsg+0x2a5/0x360 [ 84.356071][ T5329] ? __pfx____sys_sendmsg+0x10/0x10 [ 84.359284][ T5329] ? __pfx_futex_wake_mark+0x10/0x10 [ 84.361939][ T5329] ? __fget_files+0x2a/0x420 [ 84.364125][ T5329] ? __fget_files+0x3a0/0x420 [ 84.366327][ T5329] __sys_sendmmsg+0x27c/0x4e0 [ 84.368395][ T5329] ? __pfx___sys_sendmmsg+0x10/0x10 [ 84.370810][ T5329] ? do_futex+0x333/0x420 [ 84.373009][ T5329] ? rcu_is_watching+0x15/0xb0 [ 84.375697][ T5329] __x64_sys_sendmmsg+0xa0/0xc0 [ 84.378085][ T5329] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.381193][ T5329] do_syscall_64+0x15f/0xf80 [ 84.383394][ T5329] ? trace_irq_disable+0x3b/0x150 [ 84.385747][ T5329] ? 
clear_bhb_loop+0x40/0x90 [ 84.387869][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.390781][ T5329] RIP: 0033:0x7fa4dbf9c819 [ 84.393318][ T5329] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 84.402769][ T5329] RSP: 002b:00007fa4dcd70fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 84.406840][ T5329] RAX: ffffffffffffffda RBX: 00007fa4dc215fa0 RCX: 00007fa4dbf9c819 [ 84.410927][ T5329] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000005 [ 84.414723][ T5329] RBP: 00007fa4dc032c91 R08: 0000000000000000 R09: 0000000000000000 [ 84.418149][ T5329] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 84.422045][ T5329] R13: 00007fa4dc216038 R14: 00007fa4dc215fa0 R15: 00007fff36370cd8 [ 84.426171][ T5329] [ 84.428007][ T5329] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 84.431302][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 84.435419][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.440779][ T5329] Call Trace: [ 84.442427][ T5329] [ 84.443860][ T5329] vpanic+0x56c/0xa60 [ 84.445806][ T5329] ? __pfx__printk+0x10/0x10 [ 84.448011][ T5329] ? __pfx_vpanic+0x10/0x10 [ 84.450210][ T5329] ? is_bpf_text_address+0x292/0x2b0 [ 84.453042][ T5329] ? is_bpf_text_address+0x26/0x2b0 [ 84.455551][ T5329] panic+0xc5/0xd0 [ 84.457363][ T5329] ? __pfx_panic+0x10/0x10 [ 84.459342][ T5329] __warn+0x315/0x4f0 [ 84.461191][ T5329] ? u32_change+0x1da0/0x2720 [ 84.463568][ T5329] ? u32_change+0x1da0/0x2720 [ 84.466020][ T5329] __report_bug+0x29a/0x540 [ 84.468415][ T5329] ? ___sys_sendmsg+0x2a5/0x360 [ 84.470888][ T5329] ? __sys_sendmmsg+0x27c/0x4e0 [ 84.473279][ T5329] ? __x64_sys_sendmmsg+0xa0/0xc0 [ 84.475675][ T5329] ? u32_change+0x1da0/0x2720 [ 84.478134][ T5329] ? 
__pfx___report_bug+0x10/0x10 [ 84.480575][ T5329] report_bug_entry+0x19a/0x290 [ 84.482843][ T5329] ? u32_change+0x1daf/0x2720 [ 84.485021][ T5329] ? u32_change+0x1db4/0x2720 [ 84.487229][ T5329] handle_bug+0xce/0x200 [ 84.489170][ T5329] exc_invalid_op+0x1a/0x50 [ 84.491298][ T5329] asm_exc_invalid_op+0x1a/0x20 [ 84.493579][ T5329] RIP: 0010:u32_change+0x1daf/0x2720 [ 84.495962][ T5329] Code: 3d 1c 48 40 06 01 75 33 e8 5e f2 09 f8 eb 50 e8 57 f2 09 f8 48 8d 3d 60 83 65 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 80 fb e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 32 f2 09 f8 eb 24 e8 2b f2 09 f8 [ 84.504552][ T5329] RSP: 0018:ffffc9000f676fc0 EFLAGS: 00010283 [ 84.507280][ T5329] RAX: ffffffff89bbb519 RBX: ffff888012ab1800 RCX: 0000000000000010 [ 84.510723][ T5329] RDX: ffffffff8ce1fb80 RSI: 0000000000000020 RDI: ffffffff90213880 [ 84.514310][ T5329] RBP: ffffc9000f677178 R08: 0000000000000dc0 R09: 00000000ffffffff [ 84.517712][ T5329] R10: dffffc0000000000 R11: fffffbfff20243f7 R12: ffff888012ab14e8 [ 84.521616][ T5329] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001 [ 84.525093][ T5329] ? u32_change+0x1d99/0x2720 [ 84.527295][ T5329] ? __pfx_u32_change+0x10/0x10 [ 84.529583][ T5329] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 84.532581][ T5329] tc_new_tfilter+0xff8/0x1780 [ 84.535534][ T5329] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.538088][ T5329] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.540310][ T5329] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 84.542507][ T5329] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 84.544826][ T5329] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.547445][ T5329] ? ref_tracker_free+0x693/0x840 [ 84.549865][ T5329] ? __copy_skb_header+0xa3/0x4a0 [ 84.552429][ T5329] ? __pfx_ref_tracker_free+0x10/0x10 [ 84.554706][ T5329] ? __skb_clone+0x63/0x7a0 [ 84.556561][ T5329] netlink_rcv_skb+0x232/0x4b0 [ 84.558945][ T5329] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.561961][ T5329] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 84.564528][ T5329] ? 
netlink_deliver_tap+0x2e/0x1b0 [ 84.566982][ T5329] netlink_unicast+0x80f/0x9b0 [ 84.569474][ T5329] ? __pfx_netlink_unicast+0x10/0x10 [ 84.572607][ T5329] ? netlink_sendmsg+0x650/0xb40 [ 84.576210][ T5329] ? skb_put+0x11b/0x210 [ 84.578443][ T5329] netlink_sendmsg+0x813/0xb40 [ 84.580940][ T5329] ? __pfx_netlink_sendmsg+0x10/0x10 [ 84.583787][ T5329] ? aa_sock_msg_perm+0xf1/0x1b0 [ 84.586724][ T5329] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 84.590714][ T5329] ____sys_sendmsg+0x972/0x9f0 [ 84.593419][ T5329] ? __pfx_____sys_sendmsg+0x10/0x10 [ 84.595662][ T5329] ? import_iovec+0x73/0xa0 [ 84.597558][ T5329] ___sys_sendmsg+0x2a5/0x360 [ 84.599796][ T5329] ? __pfx____sys_sendmsg+0x10/0x10 [ 84.602379][ T5329] ? __pfx_futex_wake_mark+0x10/0x10 [ 84.604996][ T5329] ? __fget_files+0x2a/0x420 [ 84.607186][ T5329] ? __fget_files+0x3a0/0x420 [ 84.609735][ T5329] __sys_sendmmsg+0x27c/0x4e0 [ 84.612309][ T5329] ? __pfx___sys_sendmmsg+0x10/0x10 [ 84.614667][ T5329] ? do_futex+0x333/0x420 [ 84.616693][ T5329] ? rcu_is_watching+0x15/0xb0 [ 84.619069][ T5329] __x64_sys_sendmmsg+0xa0/0xc0 [ 84.621184][ T5329] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.624752][ T5329] do_syscall_64+0x15f/0xf80 [ 84.627353][ T5329] ? trace_irq_disable+0x3b/0x150 [ 84.629606][ T5329] ? 
clear_bhb_loop+0x40/0x90 [ 84.631805][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.634346][ T5329] RIP: 0033:0x7fa4dbf9c819 [ 84.636532][ T5329] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 84.645995][ T5329] RSP: 002b:00007fa4dcd70fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 84.650152][ T5329] RAX: ffffffffffffffda RBX: 00007fa4dc215fa0 RCX: 00007fa4dbf9c819 [ 84.654380][ T5329] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000005 [ 84.658431][ T5329] RBP: 00007fa4dc032c91 R08: 0000000000000000 R09: 0000000000000000 [ 84.661930][ T5329] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 84.665589][ T5329] R13: 00007fa4dc216038 R14: 00007fa4dc215fa0 R15: 00007fff36370cd8 [ 84.669619][ T5329] [ 84.671589][ T5329] Kernel Offset: disabled [ 84.673683][ T5329] Rebooting in 86400 seconds..