program: sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x80) mknodat$loop(0xffffffffffffff9c, 0x0, 0x6000, 0x1) r0 = perf_event_open(&(0x7f0000000340)={0x2, 0x80, 0x2a, 0x1, 0x0, 0x0, 0x0, 0x7, 0x510, 0x1f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, @perf_bp={0x0, 0x9}, 0x107200, 0x10002, 0x20da, 0x7, 0xa, 0x20005, 0xb, 0x0, 0x0, 0x0, 0x20000006}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0xb) setsockopt$sock_attach_bpf(0xffffffffffffffff, 0x1, 0x4c, 0x0, 0x0) ioctl$OCFS2_IOC_INFO(r0, 0x80106f05, 0x0) r1 = socket(0x10, 0x803, 0x0) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000400)={'veth0_to_hsr\x00', 0x0}) sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd25, 0x25dfdbfe, {0x0, 0x0, 0x0, r2, {0x0, 0xffe1}, {0xffff, 0xffff}, {0xffe0}}, [@qdisc_kind_options=@q_htb={{0x8}, {0x1c, 0x2, [@TCA_HTB_INIT={0x18, 0x2, {0x3, 0x4, 0x9}}]}}]}, 0x48}}, 0xc840) sendmsg$nl_route_sched(r1, &(0x7f0000006040)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000800)=@newtfilter={0x54, 0x2c, 0xd2b, 0x70bd2b, 0x25dfdbfb, {0x0, 0x0, 0x0, r2, {0x6}, {}, {0x7, 0xfff1}}, [@filter_kind_options=@f_u32={{0x8}, {0x28, 0x2, [@TCA_U32_SEL={0x24, 0x5, {0xd, 0x7, 0x1, 0x3d3f, 0x0, 0xfff, 0xb709, 0x58f, [{0x0, 0x20008000, 0x4, 0x1}]}}]}}]}, 0x54}, 0x1, 0x0, 0x0, 0x4084}, 0x24040084) recvmmsg$unix(r1, &(0x7f0000000580)=[{{0x0, 0x0, &(0x7f0000000040)=[{&(0x7f00000002c0)=""/219, 0xdb}], 0x1}}], 0x1, 0x60, 0x0) sendmsg$GTP_CMD_NEWPDP(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000300)={0x30, 0x0, 0x1, 0x3, 0x0, {}, [@GTPA_LINK={0x8}, @GTPA_FLOW={0x6, 0x6, 0x4}, @GTPA_TID={0xc}]}, 0x30}}, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={0x0}}, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[], 0xc3}, 0x1, 0x100000000000000, 0x0, 0x2000}, 0x40400c0) r3 = socket(0x10, 0x3, 0x0) sendmmsg(r3, &(0x7f0000000000), 0x4000000000001f2, 0x0) [ 84.260976][ T5300] Bluetooth: hci0: command tx timeout [ 84.408355][ T5324] netlink: 'syz.0.0': attribute type 3 has an invalid length. [ 84.412611][ T5324] netlink: 24 bytes leftover after parsing attributes in process `syz.0.0'. [ 84.417805][ T5324] ------------[ cut here ]------------ [ 84.420446][ T5324] memcpy: detected field-spanning write (size 32) of single field "&new->sel" at net/sched/cls_u32.c:855 (size 16) [ 84.427046][ T5324] WARNING: net/sched/cls_u32.c:855 at u32_change+0x1da0/0x2720, CPU#0: syz.0.0/5324 [ 84.432098][ T5324] Modules linked in: [ 84.434238][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 84.439385][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.444002][ T5324] RIP: 0010:u32_change+0x1daf/0x2720 [ 84.446697][ T5324] Code: 3d da 87 41 06 01 75 33 e8 ee 73 0b f8 eb 50 e8 e7 73 0b f8 48 8d 3d 00 be 66 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 00 b7 e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 c2 73 0b f8 eb 24 e8 bb 73 0b f8 [ 84.456612][ T5324] RSP: 0018:ffffc9000e30efc0 EFLAGS: 00010287 [ 84.459650][ T5324] RAX: ffffffff89ba4aa9 RBX: ffff888000c79000 RCX: 0000000000000010 [ 84.464330][ T5324] RDX: ffffffff8ce1b700 RSI: 0000000000000020 RDI: ffffffff902108b0 [ 84.468288][ T5324] RBP: ffffc9000e30f178 R08: 0000000000000dc0 R09: 00000000ffffffff [ 84.471768][ T5324] R10: dffffc0000000000 R11: ffffed1003f881b1 R12: ffff888000c78ce8 [ 84.475221][ T5324] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001 [ 84.479031][ T5324] FS: 00007fb6f03b36c0(0000) GS:ffff88808ca4c000(0000) knlGS:0000000000000000 [ 84.483012][ T5324] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 84.486095][ T5324] CR2: 0000200000006040 CR3: 00000000126fe000 CR4: 0000000000352ef0 [ 84.489494][ T5324] Call Trace: [ 84.490871][ T5324] [ 84.492098][ T5324] ? __pfx_u32_change+0x10/0x10 [ 84.494129][ T5324] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 84.496565][ T5324] tc_new_tfilter+0xff8/0x1780 [ 84.498571][ T5324] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.500805][ T5324] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.503120][ T5324] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 84.505182][ T5324] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 84.507500][ T5324] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.510008][ T5324] ? ref_tracker_free+0x693/0x840 [ 84.512492][ T5324] ? __copy_skb_header+0xa3/0x4a0 [ 84.514786][ T5324] ? __pfx_ref_tracker_free+0x10/0x10 [ 84.517685][ T5324] ? __skb_clone+0x63/0x7a0 [ 84.519823][ T5324] netlink_rcv_skb+0x232/0x4b0 [ 84.522375][ T5324] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.525239][ T5324] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 84.527680][ T5324] ? netlink_deliver_tap+0x2e/0x1b0 [ 84.529956][ T5324] netlink_unicast+0x80f/0x9b0 [ 84.532759][ T5324] ? __pfx_netlink_unicast+0x10/0x10 [ 84.536288][ T5324] ? netlink_sendmsg+0x650/0xb40 [ 84.538608][ T5324] ? skb_put+0x11b/0x210 [ 84.540553][ T5324] netlink_sendmsg+0x813/0xb40 [ 84.542889][ T5324] ? __pfx_netlink_sendmsg+0x10/0x10 [ 84.545584][ T5324] ? aa_sock_msg_perm+0xf1/0x1b0 [ 84.548003][ T5324] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 84.550698][ T5324] ____sys_sendmsg+0x972/0x9f0 [ 84.553366][ T5324] ? __pfx_____sys_sendmsg+0x10/0x10 [ 84.556868][ T5324] ? import_iovec+0x73/0xa0 [ 84.559172][ T5324] ___sys_sendmsg+0x2a5/0x360 [ 84.561454][ T5324] ? __pfx____sys_sendmsg+0x10/0x10 [ 84.564047][ T5324] ? preempt_schedule_common+0x82/0xd0 [ 84.566947][ T5324] ? preempt_schedule_thunk+0x16/0x30 [ 84.570082][ T5324] ? __fget_files+0x2a/0x420 [ 84.572734][ T5324] ? __fget_files+0x3a0/0x420 [ 84.574897][ T5324] __sys_sendmmsg+0x27c/0x4e0 [ 84.577369][ T5324] ? __pfx___sys_sendmmsg+0x10/0x10 [ 84.579895][ T5324] ? do_futex+0x395/0x420 [ 84.581963][ T5324] ? rcu_is_watching+0x15/0xb0 [ 84.584314][ T5324] __x64_sys_sendmmsg+0xa0/0xc0 [ 84.586937][ T5324] do_syscall_64+0x14d/0xf80 [ 84.589417][ T5324] ? trace_irq_disable+0x3b/0x150 [ 84.591911][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.594658][ T5324] ? clear_bhb_loop+0x40/0x90 [ 84.597534][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.600887][ T5324] RIP: 0033:0x7fb6ef59c819 [ 84.603077][ T5324] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 84.612414][ T5324] RSP: 002b:00007fb6f03b2fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 84.616636][ T5324] RAX: ffffffffffffffda RBX: 00007fb6ef815fa0 RCX: 00007fb6ef59c819 [ 84.620508][ T5324] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000005 [ 84.624097][ T5324] RBP: 00007fb6ef632c91 R08: 0000000000000000 R09: 0000000000000000 [ 84.627830][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 84.631841][ T5324] R13: 00007fb6ef816038 R14: 00007fb6ef815fa0 R15: 00007fffabe1fd38 [ 84.635957][ T5324] [ 84.637646][ T5324] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 84.641773][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 84.645926][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.650912][ T5324] Call Trace: [ 84.652918][ T5324] [ 84.654581][ T5324] vpanic+0x56c/0xa60 [ 84.656682][ T5324] ? __pfx__printk+0x10/0x10 [ 84.658670][ T5324] ? __pfx_vpanic+0x10/0x10 [ 84.660821][ T5324] ? is_bpf_text_address+0x292/0x2b0 [ 84.663593][ T5324] ? is_bpf_text_address+0x26/0x2b0 [ 84.666554][ T5324] panic+0xc5/0xd0 [ 84.668397][ T5324] ? __pfx_panic+0x10/0x10 [ 84.670333][ T5324] __warn+0x315/0x4f0 [ 84.672063][ T5324] ? u32_change+0x1da0/0x2720 [ 84.674253][ T5324] ? u32_change+0x1da0/0x2720 [ 84.676874][ T5324] __report_bug+0x29a/0x540 [ 84.679469][ T5324] ? ___sys_sendmsg+0x2a5/0x360 [ 84.681737][ T5324] ? __sys_sendmmsg+0x27c/0x4e0 [ 84.683961][ T5324] ? __x64_sys_sendmmsg+0xa0/0xc0 [ 84.686234][ T5324] ? u32_change+0x1da0/0x2720 [ 84.688645][ T5324] ? __pfx___report_bug+0x10/0x10 [ 84.691540][ T5324] report_bug_entry+0x19a/0x290 [ 84.694178][ T5324] ? u32_change+0x1daf/0x2720 [ 84.696387][ T5324] ? u32_change+0x1db4/0x2720 [ 84.698446][ T5324] handle_bug+0xce/0x200 [ 84.700381][ T5324] exc_invalid_op+0x1a/0x50 [ 84.702869][ T5324] asm_exc_invalid_op+0x1a/0x20 [ 84.705450][ T5324] RIP: 0010:u32_change+0x1daf/0x2720 [ 84.708123][ T5324] Code: 3d da 87 41 06 01 75 33 e8 ee 73 0b f8 eb 50 e8 e7 73 0b f8 48 8d 3d 00 be 66 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 00 b7 e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 c2 73 0b f8 eb 24 e8 bb 73 0b f8 [ 84.718560][ T5324] RSP: 0018:ffffc9000e30efc0 EFLAGS: 00010287 [ 84.721752][ T5324] RAX: ffffffff89ba4aa9 RBX: ffff888000c79000 RCX: 0000000000000010 [ 84.725570][ T5324] RDX: ffffffff8ce1b700 RSI: 0000000000000020 RDI: ffffffff902108b0 [ 84.730375][ T5324] RBP: ffffc9000e30f178 R08: 0000000000000dc0 R09: 00000000ffffffff [ 84.734262][ T5324] R10: dffffc0000000000 R11: ffffed1003f881b1 R12: ffff888000c78ce8 [ 84.738055][ T5324] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001 [ 84.742023][ T5324] ? u32_change+0x1d99/0x2720 [ 84.744329][ T5324] ? __pfx_u32_change+0x10/0x10 [ 84.746673][ T5324] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 84.749371][ T5324] tc_new_tfilter+0xff8/0x1780 [ 84.751603][ T5324] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.754151][ T5324] ? __pfx_tc_new_tfilter+0x10/0x10 [ 84.756652][ T5324] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 84.759012][ T5324] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 84.761621][ T5324] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.764642][ T5324] ? ref_tracker_free+0x693/0x840 [ 84.767106][ T5324] ? __copy_skb_header+0xa3/0x4a0 [ 84.769574][ T5324] ? __pfx_ref_tracker_free+0x10/0x10 [ 84.771958][ T5324] ? __skb_clone+0x63/0x7a0 [ 84.774183][ T5324] netlink_rcv_skb+0x232/0x4b0 [ 84.776892][ T5324] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.779488][ T5324] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 84.781907][ T5324] ? netlink_deliver_tap+0x2e/0x1b0 [ 84.784500][ T5324] netlink_unicast+0x80f/0x9b0 [ 84.787137][ T5324] ? __pfx_netlink_unicast+0x10/0x10 [ 84.789988][ T5324] ? netlink_sendmsg+0x650/0xb40 [ 84.792619][ T5324] ? skb_put+0x11b/0x210 [ 84.794358][ T5324] netlink_sendmsg+0x813/0xb40 [ 84.796427][ T5324] ? __pfx_netlink_sendmsg+0x10/0x10 [ 84.799019][ T5324] ? aa_sock_msg_perm+0xf1/0x1b0 [ 84.801523][ T5324] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 84.803997][ T5324] ____sys_sendmsg+0x972/0x9f0 [ 84.806003][ T5324] ? __pfx_____sys_sendmsg+0x10/0x10 [ 84.808432][ T5324] ? import_iovec+0x73/0xa0 [ 84.811196][ T5324] ___sys_sendmsg+0x2a5/0x360 [ 84.814647][ T5324] ? __pfx____sys_sendmsg+0x10/0x10 [ 84.817513][ T5324] ? preempt_schedule_common+0x82/0xd0 [ 84.820074][ T5324] ? preempt_schedule_thunk+0x16/0x30 [ 84.823021][ T5324] ? __fget_files+0x2a/0x420 [ 84.825449][ T5324] ? __fget_files+0x3a0/0x420 [ 84.827801][ T5324] __sys_sendmmsg+0x27c/0x4e0 [ 84.829897][ T5324] ? __pfx___sys_sendmmsg+0x10/0x10 [ 84.832022][ T5324] ? do_futex+0x395/0x420 [ 84.833882][ T5324] ? rcu_is_watching+0x15/0xb0 [ 84.836235][ T5324] __x64_sys_sendmmsg+0xa0/0xc0 [ 84.838661][ T5324] do_syscall_64+0x14d/0xf80 [ 84.841250][ T5324] ? trace_irq_disable+0x3b/0x150 [ 84.844104][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.846900][ T5324] ? clear_bhb_loop+0x40/0x90 [ 84.849046][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.851859][ T5324] RIP: 0033:0x7fb6ef59c819 [ 84.854241][ T5324] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 84.862850][ T5324] RSP: 002b:00007fb6f03b2fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 84.866587][ T5324] RAX: ffffffffffffffda RBX: 00007fb6ef815fa0 RCX: 00007fb6ef59c819 [ 84.869988][ T5324] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000005 [ 84.873806][ T5324] RBP: 00007fb6ef632c91 R08: 0000000000000000 R09: 0000000000000000 [ 84.877131][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 84.880785][ T5324] R13: 00007fb6ef816038 R14: 00007fb6ef815fa0 R15: 00007fffabe1fd38 [ 84.885503][ T5324] [ 84.887459][ T5324] Kernel Offset: disabled [ 84.889516][ T5324] Rebooting in 86400 seconds..