program: r0 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0) r1 = ioctl$KVM_CREATE_VCPU(r0, 0xae41, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r0, 0x4020ae46, 0x0) ioctl$KVM_SET_REGS(r1, 0x4090ae82, &(0x7f0000000200)={[0x0, 0x6, 0xf3b8, 0x0, 0x1000, 0x400, 0x4002004c4, 0x1000, 0x0, 0x97, 0x10, 0x0, 0x3, 0x4], 0xeeee8000, 0x400}) ioctl$KVM_RUN(r1, 0xae80, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r0, 0x4020ae46, &(0x7f0000000400)={0x0, 0x1, 0x1000000, 0x2000, &(0x7f0000000000/0x2000)=nil}) r2 = socket(0x10, 0x803, 0x0) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000400)={'veth0_to_hsr\x00', 0x0}) sendmsg$nl_route_sched(r2, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)=@newqdisc={0x48, 0x24, 0x4ee4e6a52ff56541, 0x70bd25, 0x25dfdbfe, {0x0, 0x0, 0x0, r3, {0x0, 0xffe1}, {0xffff, 0xffff}, {0xffe0}}, [@qdisc_kind_options=@q_htb={{0x8}, {0x1c, 0x2, [@TCA_HTB_INIT={0x18, 0x2, {0x3, 0x4, 0x9}}]}}]}, 0x48}}, 0xc840) sendmsg$nl_route_sched(r2, &(0x7f0000006040)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000800)=@newtfilter={0x54, 0x2c, 0xd2b, 0x70bd2b, 0x25dfdbfb, {0x0, 0x0, 0x0, r3, {0x6}, {}, {0x7, 0xfff1}}, [@filter_kind_options=@f_u32={{0x8}, {0x28, 0x2, [@TCA_U32_SEL={0x24, 0x5, {0xd, 0x7, 0x1, 0x3d3f, 0x0, 0xfff, 0xb709, 0x58f, [{0x0, 0x20008000, 0x4, 0x1}]}}]}}]}, 0x54}, 0x1, 0x0, 0x0, 0x4084}, 0x24040084) recvmmsg$unix(r2, &(0x7f0000000580)=[{{0x0, 0x0, &(0x7f0000000040)=[{&(0x7f00000002c0)=""/219, 0xdb}], 0x1}}], 0x1, 0x60, 0x0) sendmsg$GTP_CMD_NEWPDP(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000300)=ANY=[@ANYBLOB="ff07056b", @ANYRES16=0x0, @ANYBLOB="010002000000fedbdf250000000008000100", @ANYRES32=0x0, @ANYBLOB="0800080001", @ANYRES32=r3], 0x2c}, 0x1, 0x0, 0x0, 0x4004054}, 0x4000044) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={0x0}}, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000002c0)=ANY=[], 0xc3}, 0x1, 0x100000000000000, 0x0, 0x2000}, 0x40400c0) r4 = socket(0x10, 0x3, 0x0) sendmmsg(r4, &(0x7f0000000000), 0x4000000000001f2, 0x0) [ 73.648949][ T4669] Bluetooth: hci0: command tx timeout [ 73.737161][ T5321] netlink: 36 bytes leftover after parsing attributes in process `syz.0.0'. [ 73.741440][ T5321] ------------[ cut here ]------------ [ 73.744090][ T5321] memcpy: detected field-spanning write (size 32) of single field "&new->sel" at net/sched/cls_u32.c:855 (size 16) [ 73.751351][ T5321] WARNING: net/sched/cls_u32.c:855 at u32_change+0x1da0/0x2720, CPU#0: syz.0.0/5321 [ 73.756346][ T5321] Modules linked in: [ 73.758738][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 73.763063][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 73.767945][ T5321] RIP: 0010:u32_change+0x1daf/0x2720 [ 73.771263][ T5321] Code: 3d e6 9c 41 06 01 75 33 e8 de 96 0b f8 eb 50 e8 d7 96 0b f8 48 8d 3d 70 d2 66 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 40 af e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 b2 96 0b f8 eb 24 e8 ab 96 0b f8 [ 73.780436][ T5321] RSP: 0018:ffffc9000a4cefc0 EFLAGS: 00010287 [ 73.783536][ T5321] RAX: ffffffff89ba2799 RBX: ffff88801258c800 RCX: 0000000000000010 [ 73.787152][ T5321] RDX: ffffffff8ce1af40 RSI: 0000000000000020 RDI: ffffffff9020fa10 [ 73.790293][ T5321] RBP: ffffc9000a4cf178 R08: 0000000000000dc0 R09: 00000000ffffffff [ 73.794655][ T5321] R10: dffffc0000000000 R11: fffffbfff2023c57 R12: ffff88801274cce8 [ 73.798823][ T5321] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001 [ 73.802488][ T5321] FS: 00007fc0a3a596c0(0000) GS:ffff88808ca4e000(0000) knlGS:0000000000000000 [ 73.806913][ T5321] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 73.810485][ T5321] CR2: 0000200000006040 CR3: 000000004388c000 CR4: 0000000000352ef0 [ 73.814107][ T5321] Call Trace: [ 73.816002][ T5321] [ 73.817889][ T5321] ? __pfx_u32_change+0x10/0x10 [ 73.820237][ T5321] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 73.822673][ T5321] tc_new_tfilter+0xff8/0x1780 [ 73.824771][ T5321] ? __pfx_tc_new_tfilter+0x10/0x10 [ 73.827223][ T5321] ? __pfx_tc_new_tfilter+0x10/0x10 [ 73.829539][ T5321] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 73.831916][ T5321] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 73.834928][ T5321] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 73.837928][ T5321] ? ref_tracker_free+0x693/0x840 [ 73.840238][ T5321] ? __copy_skb_header+0xa3/0x4a0 [ 73.842627][ T5321] ? __pfx_ref_tracker_free+0x10/0x10 [ 73.845068][ T5321] ? __skb_clone+0x63/0x7a0 [ 73.847772][ T5321] netlink_rcv_skb+0x232/0x4b0 [ 73.850153][ T5321] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 73.852950][ T5321] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 73.855488][ T5321] ? netlink_deliver_tap+0x2e/0x1b0 [ 73.858517][ T5321] netlink_unicast+0x80f/0x9b0 [ 73.861918][ T5321] ? __pfx_netlink_unicast+0x10/0x10 [ 73.865111][ T5321] ? netlink_sendmsg+0x650/0xb40 [ 73.867740][ T5321] ? skb_put+0x11b/0x210 [ 73.869716][ T5321] netlink_sendmsg+0x813/0xb40 [ 73.872049][ T5321] ? __pfx_netlink_sendmsg+0x10/0x10 [ 73.874927][ T5321] ? aa_sock_msg_perm+0xf1/0x1b0 [ 73.877789][ T5321] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 73.880179][ T5321] ____sys_sendmsg+0x972/0x9f0 [ 73.882499][ T5321] ? __pfx_____sys_sendmsg+0x10/0x10 [ 73.885288][ T5321] ? import_iovec+0x73/0xa0 [ 73.888098][ T5321] ___sys_sendmsg+0x2a5/0x360 [ 73.890658][ T5321] ? __pfx____sys_sendmsg+0x10/0x10 [ 73.893083][ T5321] ? preempt_schedule_common+0x82/0xd0 [ 73.895684][ T5321] ? preempt_schedule_thunk+0x16/0x30 [ 73.898813][ T5321] ? __fget_files+0x2a/0x420 [ 73.901634][ T5321] ? __fget_files+0x3a0/0x420 [ 73.903836][ T5321] __sys_sendmmsg+0x27c/0x4e0 [ 73.906043][ T5321] ? __pfx___sys_sendmmsg+0x10/0x10 [ 73.908656][ T5321] ? do_futex+0x395/0x420 [ 73.910690][ T5321] ? rcu_is_watching+0x15/0xb0 [ 73.913188][ T5321] __x64_sys_sendmmsg+0xa0/0xc0 [ 73.915820][ T5321] do_syscall_64+0x14d/0xf80 [ 73.918479][ T5321] ? trace_irq_disable+0x3b/0x150 [ 73.920819][ T5321] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.923618][ T5321] ? clear_bhb_loop+0x40/0x90 [ 73.926078][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.929660][ T5321] RIP: 0033:0x7fc0a2b9c799 [ 73.931905][ T5321] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 73.940614][ T5321] RSP: 002b:00007fc0a3a58fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 73.944283][ T5321] RAX: ffffffffffffffda RBX: 00007fc0a2e15fa0 RCX: 00007fc0a2b9c799 [ 73.947964][ T5321] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000004 [ 73.952670][ T5321] RBP: 00007fc0a2c32c99 R08: 0000000000000000 R09: 0000000000000000 [ 73.956257][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 73.960038][ T5321] R13: 00007fc0a2e16038 R14: 00007fc0a2e15fa0 R15: 00007fff16383bf8 [ 73.963793][ T5321] [ 73.965586][ T5321] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 73.969600][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 73.973962][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 73.978896][ T5321] Call Trace: [ 73.980526][ T5321] [ 73.981875][ T5321] vpanic+0x56c/0xa60 [ 73.983615][ T5321] ? __pfx__printk+0x10/0x10 [ 73.985789][ T5321] ? __pfx_vpanic+0x10/0x10 [ 73.988361][ T5321] ? is_bpf_text_address+0x292/0x2b0 [ 73.991268][ T5321] ? is_bpf_text_address+0x26/0x2b0 [ 73.993666][ T5321] panic+0xc5/0xd0 [ 73.995431][ T5321] ? __pfx_panic+0x10/0x10 [ 73.997459][ T5321] __warn+0x315/0x4f0 [ 73.999243][ T5321] ? u32_change+0x1da0/0x2720 [ 74.001596][ T5321] ? u32_change+0x1da0/0x2720 [ 74.004255][ T5321] __report_bug+0x29a/0x540 [ 74.006739][ T5321] ? ___sys_sendmsg+0x2a5/0x360 [ 74.009084][ T5321] ? __sys_sendmmsg+0x27c/0x4e0 [ 74.011363][ T5321] ? __x64_sys_sendmmsg+0xa0/0xc0 [ 74.013827][ T5321] ? u32_change+0x1da0/0x2720 [ 74.016454][ T5321] ? __pfx___report_bug+0x10/0x10 [ 74.019052][ T5321] report_bug_entry+0x19a/0x290 [ 74.021225][ T5321] ? u32_change+0x1daf/0x2720 [ 74.023453][ T5321] ? u32_change+0x1db4/0x2720 [ 74.026025][ T5321] handle_bug+0xce/0x200 [ 74.028432][ T5321] exc_invalid_op+0x1a/0x50 [ 74.030556][ T5321] asm_exc_invalid_op+0x1a/0x20 [ 74.032710][ T5321] RIP: 0010:u32_change+0x1daf/0x2720 [ 74.035218][ T5321] Code: 3d e6 9c 41 06 01 75 33 e8 de 96 0b f8 eb 50 e8 d7 96 0b f8 48 8d 3d 70 d2 66 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 40 af e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 b2 96 0b f8 eb 24 e8 ab 96 0b f8 [ 74.044563][ T5321] RSP: 0018:ffffc9000a4cefc0 EFLAGS: 00010287 [ 74.047415][ T5321] RAX: ffffffff89ba2799 RBX: ffff88801258c800 RCX: 0000000000000010 [ 74.051822][ T5321] RDX: ffffffff8ce1af40 RSI: 0000000000000020 RDI: ffffffff9020fa10 [ 74.055407][ T5321] RBP: ffffc9000a4cf178 R08: 0000000000000dc0 R09: 00000000ffffffff [ 74.059156][ T5321] R10: dffffc0000000000 R11: fffffbfff2023c57 R12: ffff88801274cce8 [ 74.063426][ T5321] R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001 [ 74.067121][ T5321] ? u32_change+0x1d99/0x2720 [ 74.069387][ T5321] ? __pfx_u32_change+0x10/0x10 [ 74.071759][ T5321] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 74.075147][ T5321] tc_new_tfilter+0xff8/0x1780 [ 74.077651][ T5321] ? __pfx_tc_new_tfilter+0x10/0x10 [ 74.079874][ T5321] ? __pfx_tc_new_tfilter+0x10/0x10 [ 74.082207][ T5321] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 74.084665][ T5321] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 74.087613][ T5321] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.090581][ T5321] ? ref_tracker_free+0x693/0x840 [ 74.093099][ T5321] ? __copy_skb_header+0xa3/0x4a0 [ 74.095350][ T5321] ? __pfx_ref_tracker_free+0x10/0x10 [ 74.097863][ T5321] ? __skb_clone+0x63/0x7a0 [ 74.099893][ T5321] netlink_rcv_skb+0x232/0x4b0 [ 74.102054][ T5321] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.104936][ T5321] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 74.107883][ T5321] ? netlink_deliver_tap+0x2e/0x1b0 [ 74.110712][ T5321] netlink_unicast+0x80f/0x9b0 [ 74.112948][ T5321] ? __pfx_netlink_unicast+0x10/0x10 [ 74.115226][ T5321] ? netlink_sendmsg+0x650/0xb40 [ 74.117550][ T5321] ? skb_put+0x11b/0x210 [ 74.119746][ T5321] netlink_sendmsg+0x813/0xb40 [ 74.121885][ T5321] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.124280][ T5321] ? aa_sock_msg_perm+0xf1/0x1b0 [ 74.126457][ T5321] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 74.128866][ T5321] ____sys_sendmsg+0x972/0x9f0 [ 74.130997][ T5321] ? __pfx_____sys_sendmsg+0x10/0x10 [ 74.133270][ T5321] ? import_iovec+0x73/0xa0 [ 74.135386][ T5321] ___sys_sendmsg+0x2a5/0x360 [ 74.137662][ T5321] ? __pfx____sys_sendmsg+0x10/0x10 [ 74.139927][ T5321] ? preempt_schedule_common+0x82/0xd0 [ 74.142406][ T5321] ? preempt_schedule_thunk+0x16/0x30 [ 74.145214][ T5321] ? __fget_files+0x2a/0x420 [ 74.148024][ T5321] ? __fget_files+0x3a0/0x420 [ 74.150317][ T5321] __sys_sendmmsg+0x27c/0x4e0 [ 74.152484][ T5321] ? __pfx___sys_sendmmsg+0x10/0x10 [ 74.154942][ T5321] ? do_futex+0x395/0x420 [ 74.157470][ T5321] ? rcu_is_watching+0x15/0xb0 [ 74.160011][ T5321] __x64_sys_sendmmsg+0xa0/0xc0 [ 74.162509][ T5321] do_syscall_64+0x14d/0xf80 [ 74.165073][ T5321] ? trace_irq_disable+0x3b/0x150 [ 74.167705][ T5321] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.171081][ T5321] ? clear_bhb_loop+0x40/0x90 [ 74.173323][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.175848][ T5321] RIP: 0033:0x7fc0a2b9c799 [ 74.178006][ T5321] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 74.187758][ T5321] RSP: 002b:00007fc0a3a58fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 [ 74.191435][ T5321] RAX: ffffffffffffffda RBX: 00007fc0a2e15fa0 RCX: 00007fc0a2b9c799 [ 74.195666][ T5321] RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000004 [ 74.199664][ T5321] RBP: 00007fc0a2c32c99 R08: 0000000000000000 R09: 0000000000000000 [ 74.203200][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.206822][ T5321] R13: 00007fc0a2e16038 R14: 00007fc0a2e15fa0 R15: 00007fff16383bf8 [ 74.211342][ T5321] [ 74.213327][ T5321] Kernel Offset: disabled [ 74.215309][ T5321] Rebooting in 86400 seconds..