program: r0 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000001c0)=ANY=[@ANYBLOB="8c0000003e0007010000000000000000017c00000400000071000180f90ec1cfd5ce5add4155edd01aae13d1823c55bca8f6c974fad0643f846858cdc3e8488166056b4992e79493005bcae6275270b320bccb8b0995dbe907276a1dd9cfdbcb4d067d7854847de8fa99e13c55adddc52ce41971efcaf41d5c85cb082b1919"], 0x8c}}, 0x0) r1 = socket$pppoe(0x18, 0x1, 0x0) r2 = socket$nl_route(0x10, 0x3, 0x0) r3 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48) r4 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x1f, 0xc, &(0x7f00000001c0)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b708000000000000738af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b70400000000000485000000a600000095"], &(0x7f0000000080)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x1d, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f00000002c0)={r4, 0xffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x50) sendmsg$nl_route(r2, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000700)=@newlink={0x50, 0x10, 0x40d, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @macvlan={{0xc}, {0xc, 0x2, 0x0, 0x1, [@IFLA_MACVLAN_MODE={0x8, 0x1, 0x2}]}}}, @IFLA_ALT_IFNAME={0x14, 0x35, 'macvlan0\x00'}]}, 0x50}}, 0x0) connect$pppoe(r1, &(0x7f00000001c0)={0x18, 0x0, {0x3, @broadcast, 'macvlan1\x00'}}, 0x1e) r5 = socket$nl_generic(0x10, 0x3, 0x10) r6 = syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), r0) r7 = syz_open_dev$sg(&(0x7f0000000040), 0x0, 0x0) ioctl$SCSI_IOCTL_SEND_COMMAND(r7, 0x1, &(0x7f00000001c0)=ANY=[@ANYBLOB='\x00\x00\x00\x00\b\x00\x00\x00Z\x00\n']) sendmsg$NL80211_CMD_SET_REKEY_OFFLOAD(r5, &(0x7f0000000440)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x40}, 0xc, &(0x7f0000000140)={&(0x7f0000000240)={0x1c8, r6, 0x200, 0x70bd2c, 0x25dfdbfd, {{}, {@void, @val={0xc, 0x99, {0x400, 0xf}}}}, [@NL80211_ATTR_REKEY_DATA={0xb8, 0x7a, 0x0, 0x1, [@NL80211_REKEY_DATA_KCK={0x1c, 0x2, @kck_ext="ab664935dc806082c43ad269d2c12ecc63169c736996ad21"}, @NL80211_REKEY_DATA_KEK={0x24, 0x1, @kek_ext="b1086e1bf9448da97cb432a77fe606a40cb7e0f1b93990765fca1dfe3109c289"}, @NL80211_REKEY_DATA_REPLAY_CTR={0xc, 0x3, "f8d1e1bbc142be87"}, @NL80211_REKEY_DATA_AKM={0x8, 0x4, 0x4be}, @NL80211_REKEY_DATA_REPLAY_CTR={0xc, 0x3, "84cadc088a917758"}, @NL80211_REKEY_DATA_KEK={0x24, 0x1, @kek_ext="6d2dab4e3a6f8905d3f95761d1f8302db5d4cee197c15d338e3efb7ae54ead18"}, @NL80211_REKEY_DATA_REPLAY_CTR={0xc, 0x3, "a5e74120421a0a18"}, @NL80211_REKEY_DATA_KEK={0x24, 0x1, @kek_ext="89330bc92a58ce3ad21f0942e3f0ae60a2398322ef429b4031c6aec0135c591a"}]}, @NL80211_ATTR_REKEY_DATA={0x54, 0x7a, 0x0, 0x1, [@NL80211_REKEY_DATA_KEK={0x14, 0x1, @kek="957049718eba7ded08989f22f99f69ce"}, @NL80211_REKEY_DATA_AKM={0x8, 0x4, 0x5}, @NL80211_REKEY_DATA_KCK={0x1c, 0x2, @kck_ext="3e762b31e0bdd890a71a9e1d4fbf480e944e8835a70bf588"}, @NL80211_REKEY_DATA_AKM={0x8, 0x4, 0x6}, @NL80211_REKEY_DATA_AKM={0x8, 0x4, 0xfffffffc}, @NL80211_REKEY_DATA_AKM={0x8, 0x4, 0x1}]}, @NL80211_ATTR_REKEY_DATA={0x3c, 0x7a, 0x0, 0x1, [@NL80211_REKEY_DATA_KCK={0x1c, 0x2, @kck_ext="f14ba1fb67943ac51cb1a70e6968e812654ec67815bad9ee"}, @NL80211_REKEY_DATA_KCK={0x1c, 0x2, @kck_ext="b14a391150c8fa24dad502d8711fab83b09de17d51110ee4"}]}, @NL80211_ATTR_REKEY_DATA={0x60, 0x7a, 0x0, 0x1, [@NL80211_REKEY_DATA_KCK={0x14, 0x2, @kck="a6b339e04fac61ef4f51f35ca3d8ef23"}, @NL80211_REKEY_DATA_KCK={0x14, 0x2, @kck="13c033a556fb743ecd58f89995a39e30"}, @NL80211_REKEY_DATA_REPLAY_CTR={0xc, 0x3, "ebc64ac556327ba1"}, @NL80211_REKEY_DATA_AKM={0x8, 0x4, 0x3}, @NL80211_REKEY_DATA_KEK={0x14, 0x1, @kek="87c1b08c66595c7d452c39bdd6f8d9c2"}, @NL80211_REKEY_DATA_REPLAY_CTR={0xc, 0x3, "d1e6d35474404139"}]}]}, 0x1c8}, 0x1, 0x0, 0x0, 0x40001}, 0x20000000) sendmmsg(r1, &(0x7f0000001700)=[{{0x0, 0x0, 0x0}}], 0x1, 0x0) r8 = socket$kcm(0x10, 0x3, 0x10) sendmsg$kcm(r8, &(0x7f0000000000)={0x0, 0xa5ba2b88, &(0x7f0000000080)=[{&(0x7f00000004c0)="e03f03003b000b05d25a806c8c6394f901800000000000000b020a00053582c137153e37000c0280fc80ecd8a3c138d90b1000f80b", 0x33fe0}], 0x1}, 0x40000) [ 73.790906][ T4536] Bluetooth: hci0: command tx timeout [ 74.745353][ T5116] netlink: zone id is out of range [ 74.747430][ T5116] netlink: zone id is out of range [ 74.749191][ T5116] netlink: zone id is out of range [ 74.750997][ T5116] netlink: zone id is out of range [ 74.752782][ T5116] netlink: zone id is out of range [ 74.766005][ T5116] netlink: zone id is out of range [ 74.768127][ T5116] netlink: zone id is out of range [ 74.770019][ T5116] netlink: zone id is out of range [ 74.771978][ T5116] netlink: zone id is out of range [ 74.773819][ T5116] netlink: set zone limit has 4 unknown bytes [ 74.797169][ T5116] program syz.0.0 is using a deprecated SCSI ioctl, please convert it to SG_IO [ 74.805891][ T5116] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 74.810758][ T5116] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 74.813644][ T5116] CPU: 0 UID: 0 PID: 5116 Comm: syz.0.0 Not tainted 6.11.0-syzkaller-11558-g075dbe9f6e3c #0 [ 74.816782][ T5116] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.820239][ T5116] RIP: 0010:ata_msense_control+0x966/0x1cf0 [ 74.822500][ T5116] Code: b6 04 10 84 c0 0f 85 9b 0f 00 00 4c 89 e8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 b6 0f 00 00 66 c7 03 00 e4 49 89 ec 49 c1 ec 03 <41> 0f b6 04 14 84 c0 0f 85 cc 0f 00 00 0f b6 5d 00 c0 e3 04 80 e3 [ 74.829322][ T5116] RSP: 0018:ffffc9000b03f068 EFLAGS: 00010046 [ 74.831466][ T5116] RAX: 0000000000000000 RBX: ffffffff9a722a9e RCX: ffffffff864bae22 [ 74.834352][ T5116] RDX: dffffc0000000000 RSI: ffffffff8c921a80 RDI: ffffffff9a722a9d [ 74.837395][ T5116] RBP: 0000000000000000 R08: 0000000000020a0a R09: 1e00ffff00000000 [ 74.840548][ T5116] R10: dffffc0000000000 R11: fffffbfff34e4554 R12: 0000000000000000 [ 74.843684][ T5116] R13: ffffffff9a722a9f R14: 000000000000000a R15: ffff8880350c2df8 [ 74.846651][ T5116] FS: 00007f51f2b8b6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 74.849878][ T5116] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 74.852288][ T5116] CR2: 00007f51f1ea0c68 CR3: 000000003d848000 CR4: 0000000000350ef0 [ 74.855096][ T5116] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 74.857926][ T5116] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 74.860780][ T5116] Call Trace: [ 74.861998][ T5116] [ 74.863003][ T5116] ? __die_body+0x5f/0xb0 [ 74.864434][ T5116] ? die_addr+0xb0/0xe0 [ 74.865880][ T5116] ? exc_general_protection+0x3dd/0x5d0 [ 74.867677][ T5116] ? asm_exc_general_protection+0x26/0x30 [ 74.869662][ T5116] ? ata_msense_control+0x862/0x1cf0 [ 74.871303][ T5116] ? ata_msense_control+0x966/0x1cf0 [ 74.872805][ T5116] ? ata_msense_control+0x862/0x1cf0 [ 74.874589][ T5116] ata_scsi_simulate+0xfe5/0x2320 [ 74.876393][ T5116] ? __pfx_ata_scsi_simulate+0x10/0x10 [ 74.878519][ T5116] __ata_scsi_queuecmd+0x21e/0x1030 [ 74.880478][ T5116] ata_scsi_queuecmd+0x3bb/0x530 [ 74.882239][ T5116] scsi_queue_rq+0x1d7c/0x2e90 [ 74.884106][ T5116] blk_mq_dispatch_rq_list+0xb89/0x1b30 [ 74.886208][ T5116] ? __pfx_lock_release+0x10/0x10 [ 74.888113][ T5116] ? do_raw_spin_lock+0x14f/0x370 [ 74.889809][ T5116] ? __pfx_blk_mq_dispatch_rq_list+0x10/0x10 [ 74.891931][ T5116] __blk_mq_sched_dispatch_requests+0x424/0x1840 [ 74.894269][ T5116] ? __pfx___blk_mq_sched_dispatch_requests+0x10/0x10 [ 74.896757][ T5116] ? blk_mq_run_hw_queue+0x136/0xae0 [ 74.898717][ T5116] ? __asan_memset+0x23/0x50 [ 74.900472][ T5116] ? __pfx_lock_release+0x10/0x10 [ 74.902353][ T5116] ? blk_mq_insert_request+0x72e/0x810 [ 74.904383][ T5116] ? bio_add_hw_page+0x2d0/0xa10 [ 74.906276][ T5116] blk_mq_sched_dispatch_requests+0xcb/0x140 [ 74.908566][ T5116] ? blk_mq_run_hw_queue+0x40c/0xae0 [ 74.910496][ T5116] blk_mq_run_hw_queue+0x9a5/0xae0 [ 74.912471][ T5116] ? blk_account_io_start+0x128/0x4c0 [ 74.914501][ T5116] blk_execute_rq+0x239/0x4b0 [ 74.916171][ T5116] ? bio_add_pc_page+0xb8/0x120 [ 74.918060][ T5116] ? __pfx_blk_execute_rq+0x10/0x10 [ 74.919934][ T5116] ? blk_rq_append_bio+0x2db/0x510 [ 74.921753][ T5116] scsi_ioctl+0x222f/0x2d80 [ 74.923400][ T5116] ? tomoyo_path_number_perm+0x68d/0x880 [ 74.925358][ T5116] ? do_vfs_ioctl+0xf08/0x2e40 [ 74.927022][ T5116] ? __pfx_scsi_ioctl+0x10/0x10 [ 74.928713][ T5116] ? __pfx_do_vfs_ioctl+0x10/0x10 [ 74.930465][ T5116] ? mark_lock+0x9a/0x360 [ 74.931973][ T5116] ? tomoyo_path_number_perm+0x208/0x880 [ 74.933917][ T5116] ? __pfx_lock_release+0x10/0x10 [ 74.935591][ T5116] ? lockdep_hardirqs_on+0x99/0x150 [ 74.937445][ T5116] ? kfree+0x1a0/0x440 [ 74.938712][ T5116] ? tomoyo_path_number_perm+0x68d/0x880 [ 74.940604][ T5116] ? tomoyo_path_number_perm+0x71a/0x880 [ 74.942507][ T5116] ? tomoyo_path_number_perm+0x208/0x880 [ 74.944491][ T5116] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 74.946771][ T5116] sg_ioctl+0x16e9/0x2e80 [ 74.948468][ T5116] ? __pfx_sg_ioctl+0x10/0x10 [ 74.950235][ T5116] ? __fget_files+0x29/0x470 [ 74.952009][ T5116] ? __fget_files+0x3f3/0x470 [ 74.953772][ T5116] ? __pfx_sg_ioctl+0x10/0x10 [ 74.955543][ T5116] __se_sys_ioctl+0xf9/0x170 [ 74.957306][ T5116] do_syscall_64+0xf3/0x230 [ 74.958929][ T5116] ? clear_bhb_loop+0x35/0x90 [ 74.960629][ T5116] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.962672][ T5116] RIP: 0033:0x7f51f1d7df39 [ 74.964252][ T5116] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 74.970818][ T5116] RSP: 002b:00007f51f2b8b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 74.973751][ T5116] RAX: ffffffffffffffda RBX: 00007f51f1f35f80 RCX: 00007f51f1d7df39 [ 74.976738][ T5116] RDX: 00000000200001c0 RSI: 0000000000000001 RDI: 0000000000000008 [ 74.979537][ T5116] RBP: 00007f51f1df0216 R08: 0000000000000000 R09: 0000000000000000 [ 74.982352][ T5116] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.985185][ T5116] R13: 0000000000000000 R14: 00007f51f1f35f80 R15: 00007ffd7e86f268 [ 74.987981][ T5116] [ 74.989047][ T5116] Modules linked in: [ 74.990382][ T5116] ---[ end trace 0000000000000000 ]--- [ 74.992409][ T5116] RIP: 0010:ata_msense_control+0x966/0x1cf0 [ 74.994724][ T5116] Code: b6 04 10 84 c0 0f 85 9b 0f 00 00 4c 89 e8 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 b6 0f 00 00 66 c7 03 00 e4 49 89 ec 49 c1 ec 03 <41> 0f b6 04 14 84 c0 0f 85 cc 0f 00 00 0f b6 5d 00 c0 e3 04 80 e3 [ 75.001531][ T5116] RSP: 0018:ffffc9000b03f068 EFLAGS: 00010046 [ 75.003741][ T5116] RAX: 0000000000000000 RBX: ffffffff9a722a9e RCX: ffffffff864bae22 [ 75.006549][ T5116] RDX: dffffc0000000000 RSI: ffffffff8c921a80 RDI: ffffffff9a722a9d [ 75.009372][ T5116] RBP: 0000000000000000 R08: 0000000000020a0a R09: 1e00ffff00000000 [ 75.012224][ T5116] R10: dffffc0000000000 R11: fffffbfff34e4554 R12: 0000000000000000 [ 75.015219][ T5116] R13: ffffffff9a722a9f R14: 000000000000000a R15: ffff8880350c2df8 [ 75.018106][ T5116] FS: 00007f51f2b8b6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 75.021419][ T5116] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.023833][ T5116] CR2: 00007f51f1ea0c68 CR3: 000000003d848000 CR4: 0000000000350ef0 [ 75.026726][ T5116] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 75.029626][ T5116] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 75.032687][ T5116] Kernel panic - not syncing: Fatal exception [ 75.035273][ T5116] Kernel Offset: disabled [ 75.036871][ T5116] Rebooting in 86400 seconds..