program:
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB="3000000010000100"/20, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\b\x00\n\x00', @ANYRES32=0x0, @ANYBLOB="08001b"], 0x30}}, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000080)={'syz_tun\x00', <r2=>0x0})
sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000340)=@newqdisc={0x84, 0x24, 0x4ee4e6a52ff56541, 0x0, 0x25dfdbff, {0x0, 0x0, 0x0, r2, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_netem={{0xa}, {0x54, 0x2, {{0x0, 0x4, 0x0, 0x0, 0xffffffff}, [@TCA_NETEM_RATE64={0xc, 0x8, 0xc3aff7f8daad9175}, @TCA_NETEM_SLOT={0x2c, 0xc, {0x6, 0x7, 0x0, 0xe3, 0x3ff, 0x2}}]}}}]}, 0x84}}, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000040)={'veth0\x00', <r4=>0x0})
sendmsg$nl_route_sched(r3, &(0x7f0000001200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000002c0)=@newqdisc={0x30, 0x24, 0x4ee4e6a52ff56541, 0x70bd28, 0x0, {0x0, 0x0, 0x0, r4, {}, {0xffff, 0xffff}, {0xd}}, [@qdisc_kind_options=@q_pie={{0x8}, {0x4}}]}, 0x30}, 0x1, 0x0, 0x0, 0x51}, 0x48c0)
r5 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r5, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000001c0)=@getqdisc={0x24, 0x26, 0x705, 0x70bd2b, 0x25dfdbfd, {0x0, 0x0, 0x0, 0x0, {0x1, 0xffe0}, {0x10, 0x8}, {0xfff2, 0x7}}}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x0)
r6 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_team(r6, 0x8933, &(0x7f0000000000)={'team0\x00', <r7=>0x0})
sendmsg$nl_route(r6, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@newlink={0x3c, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x10104}, [@IFLA_IFNAME={0x14, 0x3, 'ip6gre0\x00'}, @IFLA_MASTER={0x8, 0xa, r7}]}, 0x3c}}, 0x0)
socket$nl_route(0x10, 0x3, 0x0) (async)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB="3000000010000100"/20, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\b\x00\n\x00', @ANYRES32=0x0, @ANYBLOB="08001b"], 0x30}}, 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000080)={'syz_tun\x00'}) (async)
sendmsg$nl_route_sched(r1, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000340)=@newqdisc={0x84, 0x24, 0x4ee4e6a52ff56541, 0x0, 0x25dfdbff, {0x0, 0x0, 0x0, r2, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_netem={{0xa}, {0x54, 0x2, {{0x0, 0x4, 0x0, 0x0, 0xffffffff}, [@TCA_NETEM_RATE64={0xc, 0x8, 0xc3aff7f8daad9175}, @TCA_NETEM_SLOT={0x2c, 0xc, {0x6, 0x7, 0x0, 0xe3, 0x3ff, 0x2}}]}}}]}, 0x84}}, 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000040)={'veth0\x00'}) (async)
sendmsg$nl_route_sched(r3, &(0x7f0000001200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000002c0)=@newqdisc={0x30, 0x24, 0x4ee4e6a52ff56541, 0x70bd28, 0x0, {0x0, 0x0, 0x0, r4, {}, {0xffff, 0xffff}, {0xd}}, [@qdisc_kind_options=@q_pie={{0x8}, {0x4}}]}, 0x30}, 0x1, 0x0, 0x0, 0x51}, 0x48c0) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
sendmsg$nl_route_sched(r5, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000001c0)=@getqdisc={0x24, 0x26, 0x705, 0x70bd2b, 0x25dfdbfd, {0x0, 0x0, 0x0, 0x0, {0x1, 0xffe0}, {0x10, 0x8}, {0xfff2, 0x7}}}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
ioctl$ifreq_SIOCGIFINDEX_team(r6, 0x8933, &(0x7f0000000000)) (async)
sendmsg$nl_route(r6, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@newlink={0x3c, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x10104}, [@IFLA_IFNAME={0x14, 0x3, 'ip6gre0\x00'}, @IFLA_MASTER={0x8, 0xa, r7}]}, 0x3c}}, 0x0) (async)

[  127.223460][ T4683] Bluetooth: hci0: command tx timeout
[  127.264383][ T5345] bridge_slave_0: left allmulticast mode
[  127.270635][ T5345] bridge_slave_0: left promiscuous mode
[  127.291012][ T5345] bridge0: port 1(bridge_slave_0) entered disabled state
[  127.299879][ T5345] bridge_slave_1: left allmulticast mode
[  127.302339][ T5345] bridge_slave_1: left promiscuous mode
[  127.306750][ T5345] bridge0: port 2(bridge_slave_1) entered disabled state
[  127.316963][ T5345] bond0: (slave bond_slave_0): Releasing backup interface
[  127.326218][ T5345] bond0: (slave bond_slave_1): Releasing backup interface
[  127.336999][ T5345] team0: Port device team_slave_0 removed
[  127.344169][ T5345] team0: Port device team_slave_1 removed
[  127.347154][ T5345] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[  127.350386][ T5345] batman_adv: batadv0: Removing interface: batadv_slave_0
[  127.356515][ T5345] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[  127.359933][ T5345] batman_adv: batadv0: Removing interface: batadv_slave_1
[  127.366803][ T5345] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check.
[  127.402574][ T5345] ip6gre0: entered promiscuous mode
[  127.411223][ T5345] team0: Port device ip6gre0 added
[  127.425454][ T5346] team0: Port device ip6gre0 removed
[  127.434150][ T5346] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check.
[  127.454774][   T10] skbuff: skb_under_panic: text:ffffffff8a27e968 len:136 put:40 head:ffff88801a352000 data:ffff88801a351fe8 tail:0x70 end:0x6c0 dev:team0
[  127.460728][   T10] ------------[ cut here ]------------
[  127.463736][   T10] kernel BUG at net/core/skbuff.c:213!
[  127.481518][   T10] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[  127.484457][   T10] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted syzkaller #0 PREEMPT(full) 
[  127.487973][   T10] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[  127.492068][   T10] Workqueue: mld mld_ifc_work
[  127.494130][   T10] RIP: 0010:skb_panic+0x157/0x160
[  127.496351][   T10] Code: c7 60 ac 6f 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 ce 6a f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90
[  127.504380][   T10] RSP: 0018:ffffc900001c7400 EFLAGS: 00010286
[  127.507145][   T10] RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 8325eb77df38e500
[  127.510604][   T10] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
[  127.513811][   T10] RBP: 00000000000006c0 R08: ffffc900001c7167 R09: 1ffff92000038e2c
[  127.517323][   T10] R10: dffffc0000000000 R11: fffff52000038e2d R12: ffff88801a2acb50
[  127.520863][   T10] R13: ffff88801a352000 R14: ffff88801a351fe8 R15: 0000000000000070
[  127.524341][   T10] FS:  0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000
[  127.528204][   T10] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  127.531161][   T10] CR2: 0000000000000000 CR3: 000000003363a000 CR4: 0000000000352ef0
[  127.534552][   T10] Call Trace:
[  127.535819][   T10]  <TASK>
[  127.536817][   T10]  ? ip6gre_header+0xc8/0x790
[  127.538684][   T10]  ? ip6gre_header+0xc8/0x790
[  127.540703][   T10]  skb_push+0xc3/0xe0
[  127.542435][   T10]  ip6gre_header+0xc8/0x790
[  127.544332][   T10]  ? neigh_connected_output+0x1ea/0x460
[  127.546840][   T10]  ? __pfx_ip6gre_header+0x10/0x10
[  127.549206][   T10]  ? neigh_connected_output+0x1ea/0x460
[  127.551598][   T10]  ? read_seqbegin+0xac/0x180
[  127.553817][   T10]  ? neigh_connected_output+0x1ea/0x460
[  127.556501][   T10]  ? lockdep_hardirqs_on+0x7b/0x110
[  127.558954][   T10]  ? __pfx_ip6gre_header+0x10/0x10
[  127.561191][   T10]  neigh_connected_output+0x286/0x460
[  127.563390][   T10]  ip6_finish_output+0x234/0x7d0
[  127.565574][   T10]  ? ip6_output+0x126/0x550
[  127.567381][   T10]  ip6_output+0x340/0x550
[  127.569121][   T10]  NF_HOOK+0x9e/0x380
[  127.570766][   T10]  ? NF_HOOK+0x101/0x380
[  127.572513][   T10]  ? __pfx_NF_HOOK+0x10/0x10
[  127.574407][   T10]  ? __pfx_dst_output+0x10/0x10
[  127.576329][   T10]  ? lockdep_hardirqs_on+0x7b/0x110
[  127.578488][   T10]  ? __local_bh_enable_ip+0xd0/0x130
[  127.580679][   T10]  ? icmp6_dst_alloc+0x3a5/0x420
[  127.582843][   T10]  mld_sendpack+0x8d4/0xe60
[  127.584646][   T10]  ? mld_sendpack+0x1e7/0xe60
[  127.586554][   T10]  ? __pfx_mld_sendpack+0x10/0x10
[  127.588637][   T10]  mld_ifc_work+0x83e/0xd60
[  127.590427][   T10]  ? process_scheduled_works+0x9ef/0x1770
[  127.592755][   T10]  process_scheduled_works+0xad1/0x1770
[  127.595222][   T10]  ? __pfx_process_scheduled_works+0x10/0x10
[  127.597338][   T10]  ? do_raw_spin_lock+0x121/0x290
[  127.599473][   T10]  worker_thread+0x8a0/0xda0
[  127.601325][   T10]  kthread+0x711/0x8a0
[  127.603001][   T10]  ? __pfx_worker_thread+0x10/0x10
[  127.605238][   T10]  ? __pfx_kthread+0x10/0x10
[  127.607247][   T10]  ? _raw_spin_unlock_irq+0x23/0x50
[  127.609436][   T10]  ? __pfx_kthread+0x10/0x10
[  127.611310][   T10]  ret_from_fork+0x510/0xa50
[  127.613217][   T10]  ? __pfx_ret_from_fork+0x10/0x10
[  127.615308][   T10]  ? __switch_to+0xc9e/0x1480
[  127.617145][   T10]  ? __pfx_kthread+0x10/0x10
[  127.618968][   T10]  ret_from_fork_asm+0x1a/0x30
[  127.620832][   T10]  </TASK>
[  127.622124][   T10] Modules linked in:
[  127.624121][   T10] ---[ end trace 0000000000000000 ]---