program:
r0 = socket$kcm(0x23, 0x5, 0x0)
mq_open(&(0x7f0000000000)=')(\x00', 0x40, 0x142, &(0x7f0000000080)={0x5, 0x0, 0x5})
listen(r0, 0x3)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000000), r1)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f0000000080)={'wlan0\x00', <r3=>0x0})
sendmsg$NL80211_CMD_AUTHENTICATE(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000140)={0x60, r2, 0x8007023327f40d31, 0x70bd2d, 0x25dfdbff, {{}, {@val={0x8, 0x3, r3}, @void}}, [@key_params=[@NL80211_ATTR_KEY_IDX={0x5}], @NL80211_ATTR_SSID={0xa, 0x34, @default_ibss_ssid}, @NL80211_ATTR_AUTH_TYPE={0x8}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}], @key_params=[@NL80211_ATTR_KEY_DATA_WEP40={0x9, 0x7, "4121c2c5be"}, @NL80211_ATTR_KEY_CIPHER={0x8, 0x9, 0xfac01}], @NL80211_ATTR_MAC={0xa, 0x6, @random="39f0d3134eee"}]}, 0x60}, 0x1, 0x0, 0x0, 0x4000001}, 0x10)
r4 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$inet(r4, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000f00)=[{&(0x7f0000000200)="5c00000014006b05c84e21000ab16d6e230675f811000000440002005817d30461bc24eeb556a7ef595105ea1698fa51f60a64c9f408000000e786a6d0bdbdc3d44bd70011b6c0504bb9189d9193e9bd00"/92, 0x5c}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x240040c4)
r5 = socket$phonet_pipe(0x23, 0x5, 0x2)
connect$phonet_pipe(r5, &(0x7f0000000040)={0x23, 0x0, 0x58}, 0x10)
r6 = fcntl$dupfd(r5, 0x0, r5)
write$tun(r6, 0x0, 0x3db)
r7 = accept4(r0, 0x0, 0x0, 0x80000)
sendmsg$IPCTNL_MSG_CT_NEW(r7, &(0x7f00000003c0)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000380)={&(0x7f0000000280)={0xd8, 0x0, 0x1, 0x5, 0x0, 0x0, {0x3, 0x0, 0x3}, [@CTA_FILTER={0xc, 0x19, 0x0, 0x1, [@CTA_FILTER_REPLY_FLAGS={0x8, 0x2, 0xd1}]}, @CTA_NAT_SRC={0xa4, 0x6, 0x0, 0x1, [@CTA_NAT_PROTO={0xc, 0x3, 0x0, 0x1, [@CTA_PROTONAT_PORT_MAX={0x6, 0x2, 0x4e23}]}, @CTA_NAT_V4_MINIP={0x8, 0x1, @broadcast}, @CTA_NAT_V4_MINIP={0x8, 0x1, @private=0xa010100}, @CTA_NAT_V4_MAXIP={0x8, 0x2, @loopback}, @CTA_NAT_V6_MINIP={0x14, 0x4, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02'}, @CTA_NAT_V4_MAXIP={0x8, 0x2, @remote}, @CTA_NAT_PROTO={0x3c, 0x3, 0x0, 0x1, [@CTA_PROTONAT_PORT_MIN={0x6, 0x1, 0x4e23}, @CTA_PROTONAT_PORT_MAX={0x6, 0x2, 0x4e23}, @CTA_PROTONAT_PORT_MAX={0x6, 0x2, 0x4e23}, @CTA_PROTONAT_PORT_MIN={0x6, 0x1, 0x4e23}, @CTA_PROTONAT_PORT_MIN={0x6, 0x1, 0x4e23}, @CTA_PROTONAT_PORT_MAX={0x6, 0x2, 0x4e22}, @CTA_PROTONAT_PORT_MIN={0x6, 0x1, 0x4e21}]}, @CTA_NAT_V4_MINIP={0x8, 0x1, @dev={0xac, 0x14, 0x14, 0x21}}, @CTA_NAT_V4_MINIP={0x8, 0x1, @remote}, @CTA_NAT_V6_MINIP={0x14, 0x4, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}}]}, @CTA_LABELS={0x14, 0x16, 0x1, 0x0, [0x2, 0x1, 0x5, 0x5]}]}, 0xd8}, 0x1, 0x0, 0x0, 0x4000}, 0x0)

[  109.851230][ T5310] Bluetooth: hci0: command tx timeout
[  109.978302][ T5336] netlink: 'syz.0.0': attribute type 2 has an invalid length.
[  110.047073][ T5336] ------------[ cut here ]------------
[  110.049556][ T5336] kernel BUG at net/phonet/socket.c:213!
[  110.051765][ T5336] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[  110.054212][ T5336] CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  110.057624][ T5336] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  110.061383][ T5336] RIP: 0010:pn_socket_sendmsg+0x240/0x250
[  110.063773][ T5336] Code: d5 00 cc e8 92 5a d2 00 89 d9 80 e1 07 fe c1 38 c1 0f 8c 04 ff ff ff 48 89 df e8 7b 53 4c f7 e9 f7 fe ff ff e8 31 15 e0 f6 90 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90
[  110.072418][ T5336] RSP: 0018:ffffc9000c5ff920 EFLAGS: 00010283
[  110.075253][ T5336] RAX: ffffffff8ae5c97f RBX: 0000000000000000 RCX: 0000000000100000
[  110.078711][ T5336] RDX: ffffc90020001000 RSI: 0000000000000051 RDI: 0000000000000052
[  110.082258][ T5336] RBP: ffffc9000c5ff9d0 R08: ffffffff903359f7 R09: 1ffffffff2066b3e
[  110.085771][ T5336] R10: dffffc0000000000 R11: fffffbfff2066b3f R12: dffffc0000000000
[  110.089344][ T5336] R13: ffff888011a0cc40 R14: ffff888032913a80 R15: 1ffff920018bff28
[  110.093002][ T5336] FS:  00007f4d5b24f6c0(0000) GS:ffff88808c81a000(0000) knlGS:0000000000000000
[  110.096872][ T5336] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  110.099567][ T5336] CR2: 0000000000000000 CR3: 0000000032d64000 CR4: 0000000000352ef0
[  110.102772][ T5336] Call Trace:
[  110.104153][ T5336]  <TASK>
[  110.105364][ T5336]  ? tomoyo_socket_sendmsg_permission+0x1e0/0x300
[  110.108056][ T5336]  ? __pfx_pn_socket_sendmsg+0x10/0x10
[  110.110335][ T5336]  ? aa_sock_msg_perm+0xf1/0x1b0
[  110.112467][ T5336]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[  110.114739][ T5336]  ____sys_sendmsg+0x972/0x9f0
[  110.116851][ T5336]  ? __pfx_____sys_sendmsg+0x10/0x10
[  110.119226][ T5336]  ? import_iovec+0x73/0xa0
[  110.121258][ T5336]  ___sys_sendmsg+0x2a5/0x360
[  110.123377][ T5336]  ? __lock_acquire+0x6b5/0x2cf0
[  110.125663][ T5336]  ? __pfx____sys_sendmsg+0x10/0x10
[  110.128004][ T5336]  ? futex_wait+0x2a2/0x390
[  110.130078][ T5336]  ? __fget_files+0x2a/0x420
[  110.132216][ T5336]  ? __fget_files+0x3a0/0x420
[  110.134349][ T5336]  __x64_sys_sendmsg+0x1bd/0x2a0
[  110.136559][ T5336]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[  110.139046][ T5336]  ? rcu_is_watching+0x15/0xb0
[  110.141246][ T5336]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  110.144049][ T5336]  do_syscall_64+0x15f/0xf80
[  110.146289][ T5336]  ? trace_irq_disable+0x3b/0x140
[  110.148500][ T5336]  ? clear_bhb_loop+0x40/0x90
[  110.150106][ T5336]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  110.152506][ T5336] RIP: 0033:0x7f4d5a39c819
[  110.154401][ T5336] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  110.163250][ T5336] RSP: 002b:00007f4d5b24efe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  110.167203][ T5336] RAX: ffffffffffffffda RBX: 00007f4d5a615fa0 RCX: 00007f4d5a39c819
[  110.170795][ T5336] RDX: 0000000000000000 RSI: 00002000000003c0 RDI: 0000000000000008
[  110.175055][ T5336] RBP: 00007f4d5a432c91 R08: 0000000000000000 R09: 0000000000000000
[  110.178740][ T5336] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  110.182824][ T5336] R13: 00007f4d5a616038 R14: 00007f4d5a615fa0 R15: 00007ffcf50c0d78
[  110.187255][ T5336]  </TASK>
[  110.188773][ T5336] Modules linked in:
[  110.191045][ T5336] ---[ end trace 0000000000000000 ]---
[  110.198474][ T5336] RIP: 0010:pn_socket_sendmsg+0x240/0x250
[  110.201131][ T5336] Code: d5 00 cc e8 92 5a d2 00 89 d9 80 e1 07 fe c1 38 c1 0f 8c 04 ff ff ff 48 89 df e8 7b 53 4c f7 e9 f7 fe ff ff e8 31 15 e0 f6 90 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90
[  110.211287][ T5336] RSP: 0018:ffffc9000c5ff920 EFLAGS: 00010283
[  110.215489][ T5336] RAX: ffffffff8ae5c97f RBX: 0000000000000000 RCX: 0000000000100000
[  110.219216][ T5336] RDX: ffffc90020001000 RSI: 0000000000000051 RDI: 0000000000000052
[  110.223238][ T5336] RBP: ffffc9000c5ff9d0 R08: ffffffff903359f7 R09: 1ffffffff2066b3e
[  110.227222][ T5336] R10: dffffc0000000000 R11: fffffbfff2066b3f R12: dffffc0000000000
[  110.231376][ T5336] R13: ffff888011a0cc40 R14: ffff888032913a80 R15: 1ffff920018bff28
[  110.235289][ T5336] FS:  00007f4d5b24f6c0(0000) GS:ffff88808c81a000(0000) knlGS:0000000000000000
[  110.239407][ T5336] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  110.242495][ T5336] CR2: 0000000000000000 CR3: 0000000032d64000 CR4: 0000000000352ef0
[  110.246524][ T5336] Kernel panic - not syncing: Fatal exception
[  110.249738][ T5336] Kernel Offset: disabled
[  110.251669][ T5336] Rebooting in 86400 seconds..