program: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB="3000000010000100"/20, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\b\x00\n\x00', @ANYRES32=0x0, @ANYBLOB="08001b"], 0x30}}, 0x0) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000480)={0x6, 0x3, &(0x7f00000000c0)=ANY=[@ANYBLOB="1800000002000000000000000000082295"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x1e00, 0x21}, 0x94) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x20702, 0x0) r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x1c1341, 0x0) ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f00000000c0)={'syzkaller0\x00', 0x84aebfbd6349b7f2}) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000080)={'syzkaller0\x00', 0xca58c30f81b6079f}) r4 = socket$nl_route(0x10, 0x3, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r4, 0x8933, &(0x7f0000000000)={'team0\x00', 0x0}) sendmsg$nl_route(r4, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@newlink={0x3c, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x10104}, [@IFLA_IFNAME={0x14, 0x3, 'ip6gre0\x00'}, @IFLA_MASTER={0x8, 0xa, r5}]}, 0x3c}}, 0x0) sendmsg$nl_route(r1, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)=@newlink={0x2c, 0x10, 0x801, 0x0, 0x0, {0x0, 0x0, 0x0, r5, 0x14080, 0x10000}, [@IFLA_XDP={0x4}, @IFLA_GROUP={0x8}]}, 0x2c}, 0x1, 0x0, 0x0, 0x20000040}, 0x0) socket$nl_route(0x10, 0x3, 0x0) (async) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB="3000000010000100"/20, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\b\x00\n\x00', @ANYRES32=0x0, @ANYBLOB="08001b"], 0x30}}, 0x0) (async) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000480)={0x6, 0x3, &(0x7f00000000c0)=ANY=[@ANYBLOB="1800000002000000000000000000082295"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x1e00, 0x21}, 0x94) (async) socket$nl_route(0x10, 0x3, 0x0) (async) openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x20702, 0x0) (async) openat$tun(0xffffffffffffff9c, &(0x7f0000000040), 0x1c1341, 0x0) (async) ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f00000000c0)={'syzkaller0\x00', 0x84aebfbd6349b7f2}) (async) ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000080)={'syzkaller0\x00', 0xca58c30f81b6079f}) (async) socket$nl_route(0x10, 0x3, 0x0) (async) ioctl$ifreq_SIOCGIFINDEX_team(r4, 0x8933, &(0x7f0000000000)) (async) sendmsg$nl_route(r4, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@newlink={0x3c, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x10104}, [@IFLA_IFNAME={0x14, 0x3, 'ip6gre0\x00'}, @IFLA_MASTER={0x8, 0xa, r5}]}, 0x3c}}, 0x0) (async) sendmsg$nl_route(r1, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)=@newlink={0x2c, 0x10, 0x801, 0x0, 0x0, {0x0, 0x0, 0x0, r5, 0x14080, 0x10000}, [@IFLA_XDP={0x4}, @IFLA_GROUP={0x8}]}, 0x2c}, 0x1, 0x0, 0x0, 0x20000040}, 0x0) (async) [ 127.731657][ T47] Bluetooth: hci0: command tx timeout [ 127.812272][ T5342] bridge_slave_0: left allmulticast mode [ 127.814772][ T5342] bridge_slave_0: left promiscuous mode [ 127.827708][ T5342] bridge0: port 1(bridge_slave_0) entered disabled state [ 127.840195][ T5342] bridge_slave_1: left allmulticast mode [ 127.842723][ T5342] bridge_slave_1: left promiscuous mode [ 127.845289][ T5342] bridge0: port 2(bridge_slave_1) entered disabled state [ 127.854474][ T5342] bond0: (slave bond_slave_0): Releasing backup interface [ 127.862772][ T5342] bond0: (slave bond_slave_1): Releasing backup interface [ 127.873979][ T5342] team0: Port device team_slave_0 removed [ 127.881869][ T5342] team0: Port device team_slave_1 removed [ 127.885071][ T5342] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 127.889739][ T5342] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 127.895134][ T5342] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 127.899580][ T5342] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 127.907389][ T5342] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check. [ 127.947509][ T5342] ip6gre0: entered promiscuous mode [ 127.960773][ T5342] team0: Port device ip6gre0 added [ 127.983724][ T5343] team0: Port device ip6gre0 removed [ 127.992966][ T5343] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check. [ 128.018812][ T5340] skbuff: skb_under_panic: text:ffffffff8a27e968 len:136 put:40 head:ffff8880425c1000 data:ffff8880425c0fe8 tail:0x70 end:0x6c0 dev:team0 [ 128.026419][ T5340] ------------[ cut here ]------------ [ 128.028641][ T5340] kernel BUG at net/core/skbuff.c:213! [ 128.030684][ T5340] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 128.033123][ T5340] CPU: 0 UID: 0 PID: 5340 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT(full) [ 128.036659][ T5340] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 128.040306][ T5340] Workqueue: mld mld_ifc_work [ 128.042116][ T5340] RIP: 0010:skb_panic+0x157/0x160 [ 128.044161][ T5340] Code: c7 60 ac 6f 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 ce 6a f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 128.052653][ T5340] RSP: 0018:ffffc9000addf400 EFLAGS: 00010286 [ 128.055657][ T5340] RAX: 0000000000000087 RBX: dffffc0000000000 RCX: ca6f7ea8410b5700 [ 128.059279][ T5340] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 [ 128.062926][ T5340] RBP: 00000000000006c0 R08: ffffc9000addf167 R09: 1ffff920015bbe2c [ 128.066646][ T5340] R10: dffffc0000000000 R11: fffff520015bbe2d R12: ffff888041b76510 [ 128.070505][ T5340] R13: ffff8880425c1000 R14: ffff8880425c0fe8 R15: 0000000000000070 [ 128.074142][ T5340] FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 128.078357][ T5340] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 128.081355][ T5340] CR2: 00007ffcd5a02fc0 CR3: 000000001fb23000 CR4: 0000000000352ef0 [ 128.084921][ T5340] Call Trace: [ 128.086465][ T5340] [ 128.087785][ T5340] ? ip6gre_header+0xc8/0x790 [ 128.089914][ T5340] ? ip6gre_header+0xc8/0x790 [ 128.092041][ T5340] skb_push+0xc3/0xe0 [ 128.093917][ T5340] ip6gre_header+0xc8/0x790 [ 128.096056][ T5340] ? neigh_connected_output+0x1ea/0x460 [ 128.098557][ T5340] ? __pfx_ip6gre_header+0x10/0x10 [ 128.100950][ T5340] ? neigh_connected_output+0x1ea/0x460 [ 128.103633][ T5340] ? read_seqbegin+0xac/0x180 [ 128.105753][ T5340] ? neigh_connected_output+0x1ea/0x460 [ 128.108363][ T5340] ? lockdep_hardirqs_on+0x7b/0x110 [ 128.110785][ T5340] ? __pfx_ip6gre_header+0x10/0x10 [ 128.113163][ T5340] neigh_connected_output+0x286/0x460 [ 128.115723][ T5340] ip6_finish_output+0x234/0x7d0 [ 128.118172][ T5340] ? ip6_output+0x126/0x550 [ 128.120244][ T5340] ip6_output+0x340/0x550 [ 128.122211][ T5340] NF_HOOK+0x9e/0x380 [ 128.124042][ T5340] ? NF_HOOK+0x101/0x380 [ 128.126015][ T5340] ? __pfx_NF_HOOK+0x10/0x10 [ 128.128116][ T5340] ? __pfx_dst_output+0x10/0x10 [ 128.130307][ T5340] ? lockdep_hardirqs_on+0x7b/0x110 [ 128.132682][ T5340] ? __local_bh_enable_ip+0xd0/0x130 [ 128.135179][ T5340] ? icmp6_dst_alloc+0x3a5/0x420 [ 128.137463][ T5340] mld_sendpack+0x8d4/0xe60 [ 128.139544][ T5340] ? mld_sendpack+0x1e7/0xe60 [ 128.141706][ T5340] ? __pfx_mld_sendpack+0x10/0x10 [ 128.144021][ T5340] mld_ifc_work+0x83e/0xd60 [ 128.146083][ T5340] ? process_scheduled_works+0x9ef/0x1770 [ 128.148633][ T5340] process_scheduled_works+0xad1/0x1770 [ 128.150932][ T5340] ? __pfx_process_scheduled_works+0x10/0x10 [ 128.153867][ T5340] ? do_raw_spin_lock+0x121/0x290 [ 128.156134][ T5340] worker_thread+0x8a0/0xda0 [ 128.158292][ T5340] ? __kthread_parkme+0x7b/0x200 [ 128.160693][ T5340] kthread+0x711/0x8a0 [ 128.162621][ T5340] ? __pfx_worker_thread+0x10/0x10 [ 128.164927][ T5340] ? __pfx_kthread+0x10/0x10 [ 128.166950][ T5340] ? _raw_spin_unlock_irq+0x23/0x50 [ 128.169357][ T5340] ? __pfx_kthread+0x10/0x10 [ 128.171581][ T5340] ret_from_fork+0x510/0xa50 [ 128.173641][ T5340] ? __pfx_ret_from_fork+0x10/0x10 [ 128.176282][ T5340] ? __switch_to+0xc9e/0x1480 [ 128.178435][ T5340] ? __pfx_kthread+0x10/0x10 [ 128.180805][ T5340] ret_from_fork_asm+0x1a/0x30 [ 128.183069][ T5340] [ 128.184604][ T5340] Modules linked in: [ 128.187021][ T5340] ---[ end trace 0000000000000000 ]--- [ 128.195478][ T5340] RIP: 0010:skb_panic+0x157/0x160 [ 128.197430][ T5340] Code: c7 60 ac 6f 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 ce 6a f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 128.205980][ T5340] RSP: 0018:ffffc9000addf400 EFLAGS: 00010286 [ 128.208751][ T5340] RAX: 0000000000000087 RBX: dffffc0000000000 RCX: ca6f7ea8410b5700 [ 128.211475][ T5340] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 [ 128.214263][ T5340] RBP: 00000000000006c0 R08: ffffc9000addf167 R09: 1ffff920015bbe2c [ 128.218436][ T5340] R10: dffffc0000000000 R11: fffff520015bbe2d R12: ffff888041b76510 [ 128.221918][ T5340] R13: ffff8880425c1000 R14: ffff8880425c0fe8 R15: 0000000000000070 [ 128.225287][ T5340] FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 128.229619][ T5340] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 128.232356][ T5340] CR2: 00007f2d9abecfb3 CR3: 0000000011248000 CR4: 0000000000352ef0 [ 128.236126][ T5340] Kernel panic - not syncing: Fatal exception [ 128.239398][ T5340] Kernel Offset: disabled [ 128.241641][ T5340] Rebooting in 86400 seconds..