program: r0 = open(&(0x7f0000000000)='.\x00', 0x0, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x0) mkdirat(r0, &(0x7f0000000440)='./bus\x00', 0x41) syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000280)='./file1\x00', 0x40, &(0x7f0000000480)={[{@nodiscard}]}, 0x0, 0x50a, &(0x7f0000000680)="$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") mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000140)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]}) setsockopt$inet6_tcp_TCP_MD5SIG(0xffffffffffffffff, 0x6, 0xe, &(0x7f0000000300)={@in6={{0xa, 0x4e01, 0x5, @loopback, 0xa}}, 0x0, 0x0, 0x3d, 0x0, "bb02a3c364ca41d6357e544524474004000b42a21d7214bf92494925208a0e2f964e0000c534a6324d6193fcf19b2df3ee818afaa4ff1f56c54dc46d8b6d2ccd008aa0cc1dc2767bbe00"}, 0xd8) r1 = socket$kcm(0x23, 0x5, 0x0) r2 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201}) setsockopt$sock_int(r1, 0x1, 0x6, &(0x7f0000000240)=0x9, 0x4) listen(r1, 0x1000) r3 = socket$kcm(0x10, 0x2, 0x0) sendmsg$inet(r3, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000f00)=[{&(0x7f0000000200)="5c00000014006b05c84e21000ab16d6e230675f811000000440002005817d30461bc24eeb556a7ef595105ea1698fa51f60a64c9f408000000e786a6d0bdbdc3d44bd70011b6c0504bb9189d9193e9bd00"/92, 0x5c}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x240040c4) r4 = socket$phonet_pipe(0x23, 0x5, 0x2) r5 = socket$nl_crypto(0x10, 0x3, 0x15) sendmsg$nl_crypto(r5, &(0x7f00000001c0)={0x0, 0x0, 
&(0x7f0000000180)={&(0x7f0000000540)=ANY=[@ANYBLOB="e8000000120001002abd7000fbdbdf256563622d626c6f77666973682d61736d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000024000000000000000000000800010005003400"], 0xe8}, 0x1, 0x0, 0x0, 0x4}, 0x80) connect$phonet_pipe(r4, &(0x7f0000000040)={0x23, 0x0, 0x58}, 0x10) r6 = accept4(r1, 0x0, 0x0, 0x80000) r7 = socket$nl_generic(0x10, 0x3, 0x10) r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000400), r6) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000c40)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_NEW_MPATH(r7, &(0x7f0000000c00)={&(0x7f00000002c0)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f0000000bc0)={&(0x7f0000000c80)=ANY=[@ANYBLOB='@\x00\x00\x00', @ANYRES16=r8, @ANYBLOB="040025bd7000ffdbdf251700030004008f8ec803", @ANYRES32=r9, @ANYBLOB="0c009900980d00006f0000000a00060008021100000000000a0006000802110000010000"], 0x40}, 0x1, 0x0, 0x0, 0x40001}, 0x1c44d01e02966ec0) r10 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r10, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000001d00)={&(0x7f0000002280)=ANY=[@ANYBLOB="4c000000020603000000000000001c000a00000a050005000a0000000900020073797a31000000000500040001000000050001000700000012000300686173683a6e65742c706f7274"], 0x4c}, 0x1, 0x0, 0x0, 0x24040014}, 0x0) r11 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_ADD(r11, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000100)=ANY=[@ANYBLOB="38000000090601020000000000000000003100000000050001000700000010000780c34322cd0c00018008000140ffffffff"], 0x38}, 0x1, 0x0, 0x0, 0x10000047}, 0x4000084) r12 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r12, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) write$tun(r2, 
&(0x7f0000000380)=ANY=[@ANYBLOB="1c0000f500000000000000862dfdff000000"], 0x78) syz_open_dev$loop(&(0x7f0000000640), 0x0, 0x22400) [ 84.922261][ T44] Bluetooth: hci0: command tx timeout [ 84.999935][ T5328] loop0: detected capacity change from 0 to 512 [ 85.005761][ T5328] ======================================================= [ 85.005761][ T5328] WARNING: The mand mount option has been deprecated and [ 85.005761][ T5328] and is ignored by this kernel. Remove the mand [ 85.005761][ T5328] option from the mount to silence this warning. [ 85.005761][ T5328] ======================================================= [ 85.149804][ T5328] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [ 85.165822][ T5328] ext4 filesystem being mounted at /0/file1 supports timestamps until 2038-01-19 (0x7fffffff) [ 85.174254][ T5328] overlayfs: failed to resolve './file0': -2 [ 85.184530][ T5328] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 85.245100][ T5328] ------------[ cut here ]------------ [ 85.247604][ T5328] kernel BUG at net/phonet/socket.c:213! 
[ 85.250394][ T5328] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 85.253451][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.257444][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 85.262132][ T5328] RIP: 0010:pn_socket_sendmsg+0x240/0x250 [ 85.264851][ T5328] Code: cc cc cc e8 02 74 d0 00 89 d9 80 e1 07 fe c1 38 c1 0f 8c 04 ff ff ff 48 89 df e8 4b 3c 59 f7 e9 f7 fe ff ff e8 a1 73 ec f6 90 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 [ 85.273638][ T5328] RSP: 0018:ffffc900014d7c00 EFLAGS: 00010283 [ 85.276498][ T5328] RAX: ffffffff8ad9400f RBX: 0000000000000000 RCX: 0000000000100000 [ 85.280131][ T5328] RDX: ffffc90020802000 RSI: 0000000000000142 RDI: 0000000000000143 [ 85.283741][ T5328] RBP: ffffc900014d7cb0 R08: ffffffff9030baf7 R09: 1ffffffff206175e [ 85.287264][ T5328] R10: dffffc0000000000 R11: fffffbfff206175f R12: dffffc0000000000 [ 85.290661][ T5328] R13: ffff88804751cc40 R14: ffff888041b6ba80 R15: 1ffff9200029af84 [ 85.294266][ T5328] FS: 00007f6d2a3d76c0(0000) GS:ffff88808c888000(0000) knlGS:0000000000000000 [ 85.298485][ T5328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 85.301558][ T5328] CR2: 00007f6d2a3d5f68 CR3: 00000000439c8000 CR4: 0000000000352ef0 [ 85.305220][ T5328] Call Trace: [ 85.306818][ T5328] <TASK> [ 85.308213][ T5328] ? tomoyo_socket_sendmsg_permission+0x1e0/0x300 [ 85.311143][ T5328] ? __pfx_pn_socket_sendmsg+0x10/0x10 [ 85.313747][ T5328] ? aa_sock_msg_perm+0xf1/0x1b0 [ 85.316100][ T5328] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 85.318434][ T5328] ? __pfx_pn_socket_sendmsg+0x10/0x10 [ 85.320954][ T5328] __sys_sendto+0x672/0x710 [ 85.323041][ T5328] ? __pfx___sys_sendto+0x10/0x10 [ 85.325256][ T5328] ? exc_page_fault+0x6a/0xc0 [ 85.327376][ T5328] ? do_user_addr_fault+0xc6f/0x1340 [ 85.329845][ T5328] __x64_sys_sendto+0xde/0x100 [ 85.332147][ T5328] ?
entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.334876][ T5328] do_syscall_64+0x15f/0xf80 [ 85.336883][ T5328] ? trace_irq_disable+0x3b/0x140 [ 85.339098][ T5328] ? clear_bhb_loop+0x40/0x90 [ 85.341298][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.344223][ T5328] RIP: 0033:0x7f6d2955d60e [ 85.346101][ T5328] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 [ 85.354330][ T5328] RSP: 002b:00007f6d2a3d5e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 85.358022][ T5328] RAX: ffffffffffffffda RBX: 00007f6d2a3d76c0 RCX: 00007f6d2955d60e [ 85.361599][ T5328] RDX: 0000000000000020 RSI: 00007f6d2a3d5fc0 RDI: 000000000000000a [ 85.365213][ T5328] RBP: 0000000000000000 R08: 00007f6d2a3d5ec4 R09: 000000000000000c [ 85.368997][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000a [ 85.372605][ T5328] R13: 00007f6d2a3d5f18 R14: 00007f6d2a3d5fc0 R15: 0000000000000000 [ 85.376231][ T5328] </TASK> [ 85.377593][ T5328] Modules linked in: [ 85.379780][ T5328] ---[ end trace 0000000000000000 ]--- [ 85.387725][ T5329] netlink: 36 bytes leftover after parsing attributes in process `syz.0.0'.
[ 85.392006][ T5329] syz.0.0 uses obsolete (PF_INET,SOCK_PACKET) [ 85.394740][ T5328] RIP: 0010:pn_socket_sendmsg+0x240/0x250 [ 85.398421][ T5328] Code: cc cc cc e8 02 74 d0 00 89 d9 80 e1 07 fe c1 38 c1 0f 8c 04 ff ff ff 48 89 df e8 4b 3c 59 f7 e9 f7 fe ff ff e8 a1 73 ec f6 90 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 [ 85.409725][ T5328] RSP: 0018:ffffc900014d7c00 EFLAGS: 00010283 [ 85.412951][ T5328] RAX: ffffffff8ad9400f RBX: 0000000000000000 RCX: 0000000000100000 [ 85.416526][ T5328] RDX: ffffc90020802000 RSI: 0000000000000142 RDI: 0000000000000143 [ 85.420363][ T5328] RBP: ffffc900014d7cb0 R08: ffffffff9030baf7 R09: 1ffffffff206175e [ 85.424848][ T5328] R10: dffffc0000000000 R11: fffffbfff206175f R12: dffffc0000000000 [ 85.428707][ T5328] R13: ffff88804751cc40 R14: ffff888041b6ba80 R15: 1ffff9200029af84 [ 85.442062][ T5328] FS: 00007f6d2a3d76c0(0000) GS:ffff88808c888000(0000) knlGS:0000000000000000 [ 85.446509][ T5328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 85.452548][ T5328] CR2: 0000200000002280 CR3: 00000000439c8000 CR4: 0000000000352ef0 [ 85.461822][ T5328] Kernel panic - not syncing: Fatal exception [ 85.465084][ T5328] Kernel Offset: disabled [ 85.467072][ T5328] Rebooting in 86400 seconds..