program: r0 = socket$nl_route(0x10, 0x3, 0x0) r1 = syz_open_dev$vim2m(&(0x7f0000000100), 0x0, 0x2) ioctl$vim2m_VIDIOC_REQBUFS(r1, 0xc0145608, &(0x7f0000000040)={0x1001, 0x2, 0x4, 0x0, 0x3}) ioctl$vim2m_VIDIOC_STREAMOFF(r1, 0x40045612, &(0x7f0000000480)=0x2) ioctl$vim2m_VIDIOC_STREAMON(r1, 0x40045612, &(0x7f0000000000)=0x2) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB="3000000010000100"/20, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\b\x00\n\x00', @ANYRES32=0x0, @ANYBLOB="08001b"], 0x30}}, 0x0) r2 = socket$nl_route(0x10, 0x3, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r2, 0x8933, &(0x7f0000000000)={'team0\x00', 0x0}) r4 = openat$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000080), 0x2, 0x0) write$cgroup_subtree(r4, &(0x7f0000000140)={[{0x2d, 'net_cls'}, {0x2b, 'devices'}, {0x2b, 'cpuset'}, {0x2b, 'cpuset'}, {0x2b, 'pids'}, {0x2d, 'cpuacct'}, {0x2b, 'net_cls'}, {0x2b, 'cpuset'}]}, 0x42) sendmsg$nl_route(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@newlink={0x3c, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x10104}, [@IFLA_IFNAME={0x14, 0x3, 'ip6gre0\x00'}, @IFLA_MASTER={0x8, 0xa, r3}]}, 0x3c}}, 0x0) socket(0x29, 0x6, 0x1) socket$nl_route(0x10, 0x3, 0x0) (async) syz_open_dev$vim2m(&(0x7f0000000100), 0x0, 0x2) (async) ioctl$vim2m_VIDIOC_REQBUFS(r1, 0xc0145608, &(0x7f0000000040)={0x1001, 0x2, 0x4, 0x0, 0x3}) (async) ioctl$vim2m_VIDIOC_STREAMOFF(r1, 0x40045612, &(0x7f0000000480)=0x2) (async) ioctl$vim2m_VIDIOC_STREAMON(r1, 0x40045612, &(0x7f0000000000)=0x2) (async) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB="3000000010000100"/20, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\b\x00\n\x00', @ANYRES32=0x0, @ANYBLOB="08001b"], 0x30}}, 0x0) (async) socket$nl_route(0x10, 0x3, 0x0) (async) ioctl$ifreq_SIOCGIFINDEX_team(r2, 0x8933, &(0x7f0000000000)) (async) openat$cgroup_subtree(0xffffffffffffffff, &(0x7f0000000080), 0x2, 0x0) (async) write$cgroup_subtree(r4, &(0x7f0000000140)={[{0x2d, 'net_cls'}, {0x2b, 'devices'}, {0x2b, 'cpuset'}, {0x2b, 'cpuset'}, {0x2b, 'pids'}, {0x2d, 'cpuacct'}, {0x2b, 'net_cls'}, {0x2b, 'cpuset'}]}, 0x42) (async) sendmsg$nl_route(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@newlink={0x3c, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x10104}, [@IFLA_IFNAME={0x14, 0x3, 'ip6gre0\x00'}, @IFLA_MASTER={0x8, 0xa, r3}]}, 0x3c}}, 0x0) (async) socket(0x29, 0x6, 0x1) (async) [ 85.249692][ T5310] Bluetooth: hci0: command tx timeout [ 85.447330][ T5332] bridge_slave_0: left allmulticast mode [ 85.452668][ T5332] bridge_slave_0: left promiscuous mode [ 85.455893][ T5332] bridge0: port 1(bridge_slave_0) entered disabled state [ 85.465820][ T5332] bridge_slave_1: left allmulticast mode [ 85.468577][ T5332] bridge_slave_1: left promiscuous mode [ 85.474376][ T5332] bridge0: port 2(bridge_slave_1) entered disabled state [ 85.482016][ T5332] bond0: (slave bond_slave_0): Releasing backup interface [ 85.488869][ T5332] bond0: (slave bond_slave_1): Releasing backup interface [ 85.502227][ T5332] team0: Port device team_slave_0 removed [ 85.508863][ T5332] team0: Port device team_slave_1 removed [ 85.512811][ T5332] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 85.516136][ T5332] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 85.521664][ T5332] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 85.525131][ T5332] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 85.529810][ T5332] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check. [ 85.542832][ T5331] ip6gre0: entered promiscuous mode [ 85.552611][ T5331] team0: Port device ip6gre0 added [ 85.578397][ T5331] team0: Port device ip6gre0 removed [ 85.587668][ T5331] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check. [ 85.612245][ T5333] skbuff: skb_under_panic: text:ffffffff8a27e9f8 len:136 put:40 head:ffff88801135a000 data:ffff888011359fe8 tail:0x70 end:0x6c0 dev:team0 [ 85.624089][ T5333] ------------[ cut here ]------------ [ 85.626605][ T5333] kernel BUG at net/core/skbuff.c:213! [ 85.629053][ T5333] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 85.632016][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: kworker/0:6 Not tainted syzkaller #0 PREEMPT(full) [ 85.635980][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.640444][ T5333] Workqueue: mld mld_ifc_work [ 85.642476][ T5333] RIP: 0010:skb_panic+0x157/0x160 [ 85.644506][ T5333] Code: c7 60 ac 6f 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 ce 6a f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 85.652606][ T5333] RSP: 0018:ffffc9000e8f7400 EFLAGS: 00010286 [ 85.655577][ T5333] RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 619427a6998b0100 [ 85.659406][ T5333] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 [ 85.663174][ T5333] RBP: 00000000000006c0 R08: ffffc9000e8f7167 R09: 1ffff92001d1ee2c [ 85.666623][ T5333] R10: dffffc0000000000 R11: fffff52001d1ee2d R12: ffff888011fafdd0 [ 85.670129][ T5333] R13: ffff88801135a000 R14: ffff888011359fe8 R15: 0000000000000070 [ 85.673556][ T5333] FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 85.677353][ T5333] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 85.680181][ T5333] CR2: 0000000000000000 CR3: 000000003279b000 CR4: 0000000000352ef0 [ 85.683695][ T5333] Call Trace: [ 85.685359][ T5333] [ 85.686600][ T5333] ? ip6gre_header+0xc8/0x790 [ 85.688520][ T5333] ? ip6gre_header+0xc8/0x790 [ 85.690545][ T5333] skb_push+0xc3/0xe0 [ 85.692248][ T5333] ip6gre_header+0xc8/0x790 [ 85.694115][ T5333] ? neigh_connected_output+0x1ea/0x460 [ 85.696635][ T5333] ? __pfx_ip6gre_header+0x10/0x10 [ 85.698764][ T5333] ? neigh_connected_output+0x1ea/0x460 [ 85.701097][ T5333] ? read_seqbegin+0xac/0x180 [ 85.703012][ T5333] ? neigh_connected_output+0x1ea/0x460 [ 85.705276][ T5333] ? lockdep_hardirqs_on+0x7b/0x110 [ 85.707505][ T5333] ? __pfx_ip6gre_header+0x10/0x10 [ 85.709642][ T5333] neigh_connected_output+0x286/0x460 [ 85.711743][ T5333] ip6_finish_output+0x234/0x7d0 [ 85.713575][ T5333] ? ip6_output+0x126/0x550 [ 85.715170][ T5333] ip6_output+0x340/0x550 [ 85.716744][ T5333] NF_HOOK+0x9e/0x380 [ 85.718416][ T5333] ? NF_HOOK+0x101/0x380 [ 85.720287][ T5333] ? __pfx_NF_HOOK+0x10/0x10 [ 85.722164][ T5333] ? __pfx_dst_output+0x10/0x10 [ 85.724087][ T5333] ? lockdep_hardirqs_on+0x7b/0x110 [ 85.726005][ T5333] ? __local_bh_enable_ip+0xd0/0x130 [ 85.728185][ T5333] ? icmp6_dst_alloc+0x3a5/0x420 [ 85.730274][ T5333] mld_sendpack+0x8d4/0xe60 [ 85.732139][ T5333] ? mld_sendpack+0x1e7/0xe60 [ 85.733999][ T5333] ? __pfx_mld_sendpack+0x10/0x10 [ 85.735995][ T5333] mld_ifc_work+0x83e/0xd60 [ 85.738060][ T5333] ? process_scheduled_works+0x9ef/0x1770 [ 85.740551][ T5333] process_scheduled_works+0xad1/0x1770 [ 85.744043][ T5333] ? __pfx_process_scheduled_works+0x10/0x10 [ 85.746815][ T5333] ? do_raw_spin_lock+0x121/0x290 [ 85.748933][ T5333] worker_thread+0x8a0/0xda0 [ 85.750811][ T5333] ? __kthread_parkme+0x7b/0x200 [ 85.753037][ T5333] kthread+0x711/0x8a0 [ 85.754760][ T5333] ? __pfx_worker_thread+0x10/0x10 [ 85.756887][ T5333] ? __pfx_kthread+0x10/0x10 [ 85.758827][ T5333] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.761294][ T5333] ? __pfx_kthread+0x10/0x10 [ 85.763252][ T5333] ret_from_fork+0x510/0xa50 [ 85.765162][ T5333] ? __pfx_ret_from_fork+0x10/0x10 [ 85.767326][ T5333] ? __switch_to+0xc9e/0x1480 [ 85.769444][ T5333] ? __pfx_kthread+0x10/0x10 [ 85.771625][ T5333] ret_from_fork_asm+0x1a/0x30 [ 85.773777][ T5333] [ 85.775053][ T5333] Modules linked in: [ 85.778759][ T5333] ---[ end trace 0000000000000000 ]---