# syzkaller reproducer, followed by the console log of the crash it produced.
# Triage summary, taken from the log on this page: the kernel's run-time memcpy
# bounds check warns in u32_change() (net/sched/cls_u32.c:855) about a 32-byte
# copy into the field "&new->sel", which it sizes at 16 bytes. The machine then
# panics because panic_on_warn is set, not because of a detected memory fault.
# NOTE(review): this page does not show whether the destination allocation has
# room for the extra 16 bytes (a flexible-array copy that only trips the
# per-field check) or the write is truly out of bounds. Check the allocation
# that precedes the memcpy at the cited source line before rating severity.
program:
# Packet socket; its result is unused. Calls below on fd 0xffffffffffffffff
# (-1) cannot reach a socket and look like fuzzer noise unrelated to the crash.
socket$packet(0x11, 0x3, 0x300)
sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x24004045)
# r0: netlink socket (family 0x10, protocol 0) for the traffic-control requests.
r0 = socket(0x10, 0x803, 0x0)
# Looks up the interface index of veth0_to_hsr. r1 is used below but never
# assigned on this page; presumably a "<r1=>" result marker on the index field
# was stripped during extraction. TODO confirm against the original reproducer.
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000400)={'veth0_to_hsr\x00', 0x0})
# Message type 0x24 (new qdisc): installs an HTB qdisc on interface r1 so that
# the filter below has something to attach to.
sendmsg$nl_route_sched(r0, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd25, 0x25dfdbfe, {0x0, 0x0, 0x0, r1, {0x0, 0xffe1}, {0xffff, 0xffff}, {0xffe0}}, [@qdisc_kind_options=@q_htb={{0x8}, {0x1c, 0x2, [@TCA_HTB_INIT={0x18, 0x2, {0x3, 0x4, 0x9}}]}}]}, 0x48}}, 0xc840)
# Message type 0x2c (new tfilter): adds a u32 classifier on r1. TCA_U32_SEL is
# a 0x24-byte attribute, i.e. 4 bytes of header plus a 32-byte payload. The
# payload's third field (0x1, apparently the key count) is followed by one key.
# A 16-byte selector header plus one 16-byte key gives the 32 bytes named in
# the warning, against the 16-byte size the check assigns to the field.
sendmsg$nl_route_sched(r0, &(0x7f0000006040)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000800)=@newtfilter={0x54, 0x2c, 0xd2b, 0x70bd2b, 0x25dfdbfb, {0x0, 0x0, 0x0, r1, {0x6}, {}, {0x7, 0xfff1}}, [@filter_kind_options=@f_u32={{0x8}, {0x28, 0x2, [@TCA_U32_SEL={0x24, 0x5, {0xd, 0x7, 0x1, 0x3d3f, 0x0, 0xfff, 0xb709, 0x58f, [{0x0, 0x20008000, 0x4, 0x1}]}}]}}]}, 0x54}, 0x1, 0x0, 0x0, 0x4084}, 0x24040084)
# Drains replies from the netlink socket.
recvmmsg$unix(r0, &(0x7f0000000580)=[{{0x0, 0x0, &(0x7f0000000040)=[{&(0x7f00000002c0)=""/219, 0xdb}], 0x1}}], 0x1, 0x60, 0x0)
# Next three calls use fd -1 and therefore fail before reaching any protocol code.
sendmsg$GTP_CMD_NEWPDP(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000300)={0x2c, 0x0, 0x1, 0x2, 0x25dfdbfe, {}, [@GTPA_LINK={0x8}, @GTPA_I_TEI={0x8, 0x8, 0x1}, @GTPA_LINK={0x8, 0x1, r1}]}, 0x2c}, 0x1, 0x0, 0x0, 0x4004054}, 0x4000044)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={0x0}}, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[], 0xc3}, 0x1, 0x100000000000000, 0x0, 0x2000}, 0x40400c0)
# The crash trace enters through sendmmsg (__x64_sys_sendmmsg, ORIG_RAX 0x133,
# RDX 04000000000001f2), which matches this call rather than the sendmsg above.
# The program supplies no contents for the vector at 0x7f0000000000, so it
# presumably reuses memory written by earlier calls. Verify when minimising.
r2 = socket(0x10, 0x3, 0x0)
sendmmsg(r2, &(0x7f0000000000), 0x4000000000001f2, 0x0)
# Remaining calls come after the triggering sendmmsg in program order and do
# not appear in the trace.
io_uring_setup(0x4ff1, &(0x7f0000000040)={0x0, 0x835c, 0xf000, 0x20000a, 0x20002f3})
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x3, &(0x7f0000000000)=0x6, 0x4)
getsockopt$inet_sctp_SCTP_MAX_BURST(0xffffffffffffffff, 0x84, 0x14, 0x0, &(0x7f0000000040))
setsockopt$SO_ATTACH_FILTER(0xffffffffffffffff, 0x1, 0x1a, &(0x7f0000ab9ff0)={0x1, &(0x7f0000000000)=[{0x6}]}, 0x10)
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x7, &(0x7f0000000240)={0x0, 0x0})
# Console output starts here; it is not part of the program.
# Reading aid: at the warning, RSI = 0x20 and RCX = 0x10 match the reported
# copy size (32) and field size (16). The empty entry after "Call Trace:" is
# where a <TASK> marker would normally appear; it seems lost in extraction.
# Operational impact: with panic_on_warn enabled, a WARN reachable from a
# netlink request halts the host. The log shows the task running as UID 0, so
# confirm which capability the filter-creation path requires before deciding
# whether less privileged or namespaced users can trigger it.
[ 101.985989][ T4670] Bluetooth: hci0: command tx timeout
[ 102.093987][ T5332] ------------[ cut here ]------------
[ 102.097318][ T5332] memcpy: detected field-spanning write (size 32) of single field "&new->sel" at net/sched/cls_u32.c:855 (size 16)
[ 102.102650][ T5332] WARNING: net/sched/cls_u32.c:855 at u32_change+0x1da0/0x2720, CPU#0: syz.0.0/5332
[ 102.107739][ T5332] Modules linked in:
[ 102.109656][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 102.113898][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 102.118725][ T5332] RIP: 0010:u32_change+0x1daf/0x2720
[ 102.121655][ T5332] Code: 3d 06 b8 41 06 01 75 33 e8 1e b0 0b f8 eb 50 e8 17 b0 0b f8 48 8d 3d f0 ea 66 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 40 ab e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 f2 af 0b f8 eb 24 e8 eb af 0b f8
[ 102.130560][ T5332] RSP: 0018:ffffc9000d9defc0 EFLAGS: 00010283
[ 102.133473][ T5332] RAX: ffffffff89ba01b9 RBX: ffff88801fda9c00 RCX: 0000000000000010
[ 102.137275][ T5332] RDX: ffffffff8ce1ab40 RSI: 0000000000000020 RDI: ffffffff9020ecb0
[ 102.140854][ T5332] RBP: ffffc9000d9df178 R08: 0000000000000dc0 R09: 00000000ffffffff
[ 102.144506][ T5332] R10: dffffc0000000000 R11: fffffbfff2023af7 R12: ffff88801fda94e8
[ 102.148302][ T5332] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001
[ 102.152057][ T5332] FS: 00007f1613e066c0(0000) GS:ffff88808ca51000(0000) knlGS:0000000000000000
[ 102.156080][ T5332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 102.159595][ T5332] CR2: 0000200000006040 CR3: 000000001cdb1000 CR4: 0000000000352ef0
[ 102.163663][ T5332] Call Trace:
[ 102.165646][ T5332]
[ 102.167272][ T5332] ? __pfx_u32_change+0x10/0x10
[ 102.169950][ T5332] ? 
__mutex_unlock_slowpath+0x1bd/0x7d0 [ 102.173087][ T5332] tc_new_tfilter+0xff8/0x1780 [ 102.175343][ T5332] ? __pfx_tc_new_tfilter+0x10/0x10 [ 102.177769][ T5332] ? __pfx_tc_new_tfilter+0x10/0x10 [ 102.180047][ T5332] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 102.182236][ T5332] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 102.184791][ T5332] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 102.187683][ T5332] ? ref_tracker_free+0x693/0x840 [ 102.190029][ T5332] ? __copy_skb_header+0xa3/0x4a0 [ 102.192324][ T5332] ? __pfx_ref_tracker_free+0x10/0x10 [ 102.195003][ T5332] ? __skb_clone+0x63/0x7a0 [ 102.197612][ T5332] netlink_rcv_skb+0x232/0x4b0 [ 102.199841][ T5332] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 102.202280][ T5332] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 102.204734][ T5332] ? netlink_deliver_tap+0x2e/0x1b0 [ 102.207694][ T5332] netlink_unicast+0x80f/0x9b0 [ 102.209931][ T5332] ? __pfx_netlink_unicast+0x10/0x10 [ 102.212245][ T5332] ? netlink_sendmsg+0x650/0xb40 [ 102.214670][ T5332] ? skb_put+0x11b/0x210 [ 102.217029][ T5332] netlink_sendmsg+0x813/0xb40 [ 102.219437][ T5332] ? __pfx_netlink_sendmsg+0x10/0x10 [ 102.222220][ T5332] ? aa_sock_msg_perm+0xf1/0x1b0 [ 102.224928][ T5332] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 102.227539][ T5332] ____sys_sendmsg+0x972/0x9f0 [ 102.229632][ T5332] ? __pfx_____sys_sendmsg+0x10/0x10 [ 102.232357][ T5332] ? import_iovec+0x73/0xa0 [ 102.234686][ T5332] ___sys_sendmsg+0x2a5/0x360 [ 102.237016][ T5332] ? __pfx____sys_sendmsg+0x10/0x10 [ 102.239359][ T5332] ? preempt_schedule_common+0x82/0xd0 [ 102.242056][ T5332] ? preempt_schedule_thunk+0x16/0x30 [ 102.244939][ T5332] ? __fget_files+0x2a/0x420 [ 102.247667][ T5332] ? __fget_files+0x3a0/0x420 [ 102.249716][ T5332] __sys_sendmmsg+0x27c/0x4e0 [ 102.251747][ T5332] ? __pfx___sys_sendmmsg+0x10/0x10 [ 102.254052][ T5332] ? do_futex+0x395/0x420 [ 102.256410][ T5332] ? rcu_is_watching+0x15/0xb0 [ 102.259019][ T5332] __x64_sys_sendmmsg+0xa0/0xc0 [ 102.261438][ T5332] do_syscall_64+0x14d/0xf80 [ 102.263590][ T5332] ? 
entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.266543][ T5332] ? clear_bhb_loop+0x40/0x90 [ 102.268785][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.271771][ T5332] RIP: 0033:0x7f1612f9c799 [ 102.273890][ T5332] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 102.282917][ T5332] RSP: 002b:00007f1613e05fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 102.287169][ T5332] RAX: ffffffffffffffda RBX: 00007f1613215fa0 RCX: 00007f1612f9c799 [ 102.290873][ T5332] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000005 [ 102.294705][ T5332] RBP: 00007f1613032c99 R08: 0000000000000000 R09: 0000000000000000 [ 102.298611][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 102.302175][ T5332] R13: 00007f1613216038 R14: 00007f1613215fa0 R15: 00007ffd5b8af2e8 [ 102.306393][ T5332] [ 102.307903][ T5332] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 102.311044][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 102.315383][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 102.320338][ T5332] Call Trace: [ 102.321809][ T5332] [ 102.323104][ T5332] vpanic+0x56c/0xa60 [ 102.324964][ T5332] ? __pfx__printk+0x10/0x10 [ 102.327540][ T5332] ? __pfx_vpanic+0x10/0x10 [ 102.330336][ T5332] ? is_bpf_text_address+0x292/0x2b0 [ 102.332775][ T5332] ? is_bpf_text_address+0x26/0x2b0 [ 102.335275][ T5332] panic+0xc5/0xd0 [ 102.337063][ T5332] ? __pfx_panic+0x10/0x10 [ 102.339476][ T5332] __warn+0x315/0x4f0 [ 102.341651][ T5332] ? u32_change+0x1da0/0x2720 [ 102.344374][ T5332] ? u32_change+0x1da0/0x2720 [ 102.346916][ T5332] __report_bug+0x29a/0x540 [ 102.349002][ T5332] ? ___sys_sendmsg+0x2a5/0x360 [ 102.351289][ T5332] ? __sys_sendmmsg+0x27c/0x4e0 [ 102.353801][ T5332] ? 
__x64_sys_sendmmsg+0xa0/0xc0 [ 102.356174][ T5332] ? u32_change+0x1da0/0x2720 [ 102.358244][ T5332] ? __pfx___report_bug+0x10/0x10 [ 102.360746][ T5332] report_bug_entry+0x19a/0x290 [ 102.363311][ T5332] ? u32_change+0x1daf/0x2720 [ 102.365586][ T5332] ? u32_change+0x1db4/0x2720 [ 102.367654][ T5332] handle_bug+0xce/0x200 [ 102.369609][ T5332] exc_invalid_op+0x1a/0x50 [ 102.371564][ T5332] asm_exc_invalid_op+0x1a/0x20 [ 102.373812][ T5332] RIP: 0010:u32_change+0x1daf/0x2720 [ 102.376514][ T5332] Code: 3d 06 b8 41 06 01 75 33 e8 1e b0 0b f8 eb 50 e8 17 b0 0b f8 48 8d 3d f0 ea 66 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 40 ab e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 f2 af 0b f8 eb 24 e8 eb af 0b f8 [ 102.385001][ T5332] RSP: 0018:ffffc9000d9defc0 EFLAGS: 00010283 [ 102.388357][ T5332] RAX: ffffffff89ba01b9 RBX: ffff88801fda9c00 RCX: 0000000000000010 [ 102.391931][ T5332] RDX: ffffffff8ce1ab40 RSI: 0000000000000020 RDI: ffffffff9020ecb0 [ 102.395359][ T5332] RBP: ffffc9000d9df178 R08: 0000000000000dc0 R09: 00000000ffffffff [ 102.398919][ T5332] R10: dffffc0000000000 R11: fffffbfff2023af7 R12: ffff88801fda94e8 [ 102.402266][ T5332] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001 [ 102.405929][ T5332] ? u32_change+0x1d99/0x2720 [ 102.408437][ T5332] ? __pfx_u32_change+0x10/0x10 [ 102.410934][ T5332] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 102.413733][ T5332] tc_new_tfilter+0xff8/0x1780 [ 102.416021][ T5332] ? __pfx_tc_new_tfilter+0x10/0x10 [ 102.418418][ T5332] ? __pfx_tc_new_tfilter+0x10/0x10 [ 102.421073][ T5332] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 102.424063][ T5332] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 102.426724][ T5332] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 102.429196][ T5332] ? ref_tracker_free+0x693/0x840 [ 102.431497][ T5332] ? __copy_skb_header+0xa3/0x4a0 [ 102.433776][ T5332] ? __pfx_ref_tracker_free+0x10/0x10 [ 102.436338][ T5332] ? __skb_clone+0x63/0x7a0 [ 102.438362][ T5332] netlink_rcv_skb+0x232/0x4b0 [ 102.440372][ T5332] ? 
__pfx_rtnetlink_rcv_msg+0x10/0x10 [ 102.443238][ T5332] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 102.445953][ T5332] ? netlink_deliver_tap+0x2e/0x1b0 [ 102.448347][ T5332] netlink_unicast+0x80f/0x9b0 [ 102.450490][ T5332] ? __pfx_netlink_unicast+0x10/0x10 [ 102.452916][ T5332] ? netlink_sendmsg+0x650/0xb40 [ 102.455646][ T5332] ? skb_put+0x11b/0x210 [ 102.457742][ T5332] netlink_sendmsg+0x813/0xb40 [ 102.459873][ T5332] ? __pfx_netlink_sendmsg+0x10/0x10 [ 102.462307][ T5332] ? aa_sock_msg_perm+0xf1/0x1b0 [ 102.464920][ T5332] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 102.467848][ T5332] ____sys_sendmsg+0x972/0x9f0 [ 102.470030][ T5332] ? __pfx_____sys_sendmsg+0x10/0x10 [ 102.472307][ T5332] ? import_iovec+0x73/0xa0 [ 102.474312][ T5332] ___sys_sendmsg+0x2a5/0x360 [ 102.476620][ T5332] ? __pfx____sys_sendmsg+0x10/0x10 [ 102.479413][ T5332] ? preempt_schedule_common+0x82/0xd0 [ 102.481721][ T5332] ? preempt_schedule_thunk+0x16/0x30 [ 102.484056][ T5332] ? __fget_files+0x2a/0x420 [ 102.486115][ T5332] ? __fget_files+0x3a0/0x420 [ 102.488199][ T5332] __sys_sendmmsg+0x27c/0x4e0 [ 102.490728][ T5332] ? __pfx___sys_sendmmsg+0x10/0x10 [ 102.493328][ T5332] ? do_futex+0x395/0x420 [ 102.495385][ T5332] ? rcu_is_watching+0x15/0xb0 [ 102.497538][ T5332] __x64_sys_sendmmsg+0xa0/0xc0 [ 102.499889][ T5332] do_syscall_64+0x14d/0xf80 [ 102.501997][ T5332] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.504880][ T5332] ? 
clear_bhb_loop+0x40/0x90 [ 102.507047][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 102.509556][ T5332] RIP: 0033:0x7f1612f9c799 [ 102.511673][ T5332] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 102.520235][ T5332] RSP: 002b:00007f1613e05fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 102.524459][ T5332] RAX: ffffffffffffffda RBX: 00007f1613215fa0 RCX: 00007f1612f9c799 [ 102.528468][ T5332] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000005 [ 102.531974][ T5332] RBP: 00007f1613032c99 R08: 0000000000000000 R09: 0000000000000000 [ 102.535597][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 102.539520][ T5332] R13: 00007f1613216038 R14: 00007f1613215fa0 R15: 00007ffd5b8af2e8 [ 102.543069][ T5332] [ 102.544944][ T5332] Kernel Offset: disabled [ 102.547238][ T5332] Rebooting in 86400 seconds..