program: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000200)=ANY=[@ANYBLOB="3000000010000100"/20, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00\x00\x00\x00\x00\b\x00\n\x00', @ANYRES32=0x0, @ANYBLOB="08001b"], 0x30}}, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) syz_open_dev$hidraw(&(0x7f0000000080), 0x0, 0x418000) r2 = syz_usb_connect$cdc_ncm(0x0, 0x6e, &(0x7f0000000040)=ANY=[@ANYBLOB="12010000090000082502000000000000000109025c00020100f92a0904000001020900000524060001053408fa6e0d240f0100000000000d000a0006471a010000190581"], 0x0) syz_open_dev$char_usb(0xc, 0xb4, 0x0) syz_usb_disconnect(r2) socket$inet6_udp(0xa, 0x2, 0x0) syz_usb_connect(0x0, 0x24, &(0x7f0000000040)=ANY=[], 0x0) r3 = socket$inet6_mptcp(0xa, 0x1, 0x106) bind$inet6(r3, &(0x7f0000000000)={0xa, 0x3, 0x0, @loopback}, 0x1c) connect$inet6(r3, &(0x7f0000000040)={0xa, 0x3, 0x0, @loopback}, 0x1c) ioctl$sock_inet6_tcp_SIOCINQ(r3, 0x541b, &(0x7f00000000c0)) ioctl$ifreq_SIOCGIFINDEX_team(r1, 0x8933, &(0x7f0000000000)={'team0\x00', 0x0}) syz_mount_image$squashfs(&(0x7f0000000200), &(0x7f0000000240)='./file0\x00', 0x0, &(0x7f0000000280), 0x1, 0x1f0, &(0x7f00000002c0)="$eJzsks9rE0EUxz+zu21XsTRIVBRB1GLroc1mq/HHQcGLQT1JhVoQDEmswdQf3YAm9BBBKOJF0IMV8SBIRDyI/4A5eOpNQbzVQs899OBFWldmMrtO/wMP8znku2/mve/Me5mb0b1oANhcny9DBolHlq9C4AEHhFqi4vbU13pJa7/eP+/0tKv1t9bNE62paRC1Q8sFp7unclBk2JH9tbRCmaFrnHp98cO3y7Xn33euvf0s8y9caX5CjFSG3rz6+PTc4qCyF1enTR+3u/+lL42AZxtTyyveXrKG1y7/z+6lR533hcc/eTFAyviXscUzweATR3tGzdatUr1enYvOPnRYU0f9WJ8vy4/rQBzHseodKAJmjmz/nZGzz4NJwCVOc+T8ZDAC5Bqzd3NRszVWmy3NVGeqt8NwohAcC4LjYe5GrV4Ner/COEJPEKlHAdnJNmO/D9jQOdvZijCupveFWdtv/HWjh7fWOkZtooJuWptMVI5gkiP4wP22MFaHlYuHaqmIwNVB3jPuJ1SWrzbGy3fqlQUEIinr4KUe+VX60iA0g4mT7eTaC1qHtRa1dgA5qlUdJy86eamecnD0ex5tQz8PSo3GXF4OqfeVroXpWphpmwOTp2bcf81JTrtYLBaLxWKxWCwWy3/D3wAAAP//m9SdVA==") chdir(&(0x7f0000000080)='./file0\x00') openat(0xffffffffffffff9c, &(0x7f0000000180)='./file0\x00', 0x0, 0x0) sendmsg$nl_route(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@newlink={0x3c, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x10104}, [@IFLA_IFNAME={0x14, 0x3, 'ip6gre0\x00'}, @IFLA_MASTER={0x8, 0xa, r4}]}, 0x3c}}, 0x0) socketpair$unix(0x1, 0x2, 0x0, 0x0) syz_usb_connect$cdc_ecm(0x2, 0x5b, &(0x7f0000000280)=ANY=[@ANYBLOB="120100008f0000082505a1a440000102030c090249000101000000090400000303061000052406000005240000000d240f0101000080ff0f000000062407800c0008241cbeef020600090582020000000000090503"], 0x0) r5 = socket(0x11, 0x2, 0x10001) ioctl$sock_SIOCETHTOOL(r5, 0x8946, &(0x7f0000000000)={'bond0\x00', &(0x7f0000000140)=@ethtool_sfeatures={0x3b, 0x2, [{0xae9, 0x8}, {0x11, 0x30000080}]}}) r6 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r6, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)=@newlink={0x30, 0x10, 0x801, 0x0, 0x0, {}, [@IFLA_MASTER={0x8}, @IFLA_GROUP={0x8}]}, 0x30}}, 0x0) syz_open_dev$usbfs(&(0x7f0000000180), 0x10000001c, 0x8041) r7 = syz_open_dev$dri(&(0x7f0000000440), 0x1, 0x0) mount(0x0, 0x0, 0x0, 0x0, &(0x7f00000001c0)='\x01') ioctl$DRM_IOCTL_SET_CLIENT_CAP(r7, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000200)={0x24, 0x2b, 0x107, 0xfffffffe, 0x0, {0x3, 0x7c}, [@nested={0xc, 0x1, 0x0, 0x1, [@typed={0x8, 0x6, 0x0, 0x0, @ipv4=@broadcast}]}, @nested={0x4, 0x2}]}, 0x24}, 0x1, 0x0, 0x0, 0x4048011}, 0x8010) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r7, 0xc01064b5, &(0x7f0000000040)={&(0x7f0000000100)=[0x0], 0x1}) [ 128.427837][ T46] Bluetooth: hci0: command tx timeout [ 128.582028][ T5347] bridge_slave_0: left allmulticast mode [ 128.585942][ T5347] bridge_slave_0: left promiscuous mode [ 128.588970][ T5347] bridge0: port 1(bridge_slave_0) entered disabled state [ 128.597235][ T5347] bridge_slave_1: left allmulticast mode [ 128.600757][ T5347] bridge_slave_1: left promiscuous mode [ 128.603407][ T5347] bridge0: port 2(bridge_slave_1) entered disabled state [ 128.612468][ T5347] bond0: (slave bond_slave_0): Releasing backup interface [ 128.620182][ T5347] bond0: (slave bond_slave_1): Releasing backup interface [ 128.648641][ T5347] team0: Port device team_slave_0 removed [ 128.656942][ T5347] team0: Port device team_slave_1 removed [ 128.659845][ T5347] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 128.663175][ T5347] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 128.668461][ T5347] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 128.671875][ T5347] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 128.678708][ T5347] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check. [ 128.874508][ T4900] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 129.023877][ T4900] usb 5-1: Using ep0 maxpacket: 8 [ 129.028880][ T4900] usb 5-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config [ 129.033201][ T4900] usb 5-1: config 1 has 1 interface, different from the descriptor's value: 2 [ 129.037937][ T4900] usb 5-1: config 1 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 100, changing to 10 [ 129.042664][ T4900] usb 5-1: config 1 interface 0 altsetting 0 endpoint 0x81 has invalid maxpacket 24936, setting to 1024 [ 129.048237][ T4900] usb 5-1: New USB device found, idVendor=0225, idProduct=0000, bcdDevice= 0.00 [ 129.052618][ T4900] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 129.080242][ T4900] hub 5-1:1.0: bad descriptor, ignoring hub [ 129.082913][ T4900] hub 5-1:1.0: probe with driver hub failed with error -5 [ 129.090336][ T4900] cdc_wdm 5-1:1.0: skipping garbage [ 129.092729][ T4900] cdc_wdm 5-1:1.0: skipping garbage [ 129.105493][ T4900] cdc_wdm 5-1:1.0: cdc-wdm0: USB WDM device [ 129.108165][ T4900] cdc_wdm 5-1:1.0: Unknown control protocol [ 129.980821][ T5347] usb 5-1: reset high-speed USB device number 2 using dummy_hcd [ 130.135292][ T5347] usb 5-1: device firmware changed [ 130.140350][ T4763] usb 5-1: USB disconnect, device number 2 [ 130.143073][ T5347] cdc_wdm 5-1:1.0: Error autopm - -16 [ 130.283900][ T4763] usb 5-1: new high-speed USB device number 3 using dummy_hcd [ 130.434685][ T46] Bluetooth: hci0: command tx timeout [ 130.438973][ T4763] usb 5-1: Using ep0 maxpacket: 8 [ 130.444748][ T4763] usb 5-1: config index 0 descriptor too short (expected 92, got 18) [ 130.448429][ T4763] usb 5-1: config 1 has 1 interface, different from the descriptor's value: 2 [ 130.458523][ T4763] usb 5-1: config 1 interface 0 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 1 [ 130.465623][ T4763] usb 5-1: New USB device found, idVendor=0225, idProduct=0000, bcdDevice= 0.00 [ 130.469204][ T4763] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 130.483567][ T4763] hub 5-1:1.0: bad descriptor, ignoring hub [ 130.493402][ T4763] hub 5-1:1.0: probe with driver hub failed with error -5 [ 130.499232][ T4763] cdc_wdm 5-1:1.0: probe with driver cdc_wdm failed with error -22 [ 130.705906][ T5347] loop0: detected capacity change from 0 to 8 [ 130.759382][ T5347] SQUASHFS error: xz decompression failed, data probably corrupt [ 130.762891][ T5347] SQUASHFS error: Failed to read block 0xa8: -5 [ 130.805479][ T5348] ip6gre0: entered promiscuous mode [ 130.837905][ T5347] SQUASHFS error: xz decompression failed, data probably corrupt [ 130.841553][ T5347] SQUASHFS error: Failed to read block 0xa8: -5 [ 130.861559][ T5348] team0: Port device ip6gre0 added [ 130.866160][ T26] audit: type=1800 audit(1766605528.893:2): pid=5347 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed comm="syz.0.0" name="file0" dev="loop0" ino=3 res=0 errno=0 [ 130.886344][ T5347] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 130.891260][ T5347] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 130.901230][ T5347] team0: Port device ip6gre0 removed [ 130.911459][ T5347] A link change request failed with some changes committed already. Interface hsr_slave_0 may have been left with an inconsistent configuration, please check. [ 130.936101][ T4763] skbuff: skb_under_panic: text:ffffffff8a27e968 len:136 put:40 head:ffff888045b8c000 data:ffff888045b8bfe8 tail:0x70 end:0x6c0 dev:team0 [ 130.943084][ T4763] ------------[ cut here ]------------ [ 130.945768][ T4763] kernel BUG at net/core/skbuff.c:213! [ 130.950197][ T4763] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 130.952833][ T4763] CPU: 0 UID: 0 PID: 4763 Comm: kworker/0:4 Not tainted syzkaller #0 PREEMPT(full) [ 130.956710][ T4763] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 130.961080][ T4763] Workqueue: mld mld_ifc_work [ 130.963174][ T4763] RIP: 0010:skb_panic+0x157/0x160 [ 130.965527][ T4763] Code: c7 60 ac 6f 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 ce 6a f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 130.974375][ T4763] RSP: 0018:ffffc90002647400 EFLAGS: 00010286 [ 130.976780][ T4763] RAX: 0000000000000087 RBX: dffffc0000000000 RCX: fc946373200f1900 [ 130.979771][ T4763] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 [ 130.982836][ T4763] RBP: 00000000000006c0 R08: ffffc90002647167 R09: 1ffff920004c8e2c [ 130.986242][ T4763] R10: dffffc0000000000 R11: fffff520004c8e2d R12: ffff888037d4a8d0 [ 130.989982][ T4763] R13: ffff888045b8c000 R14: ffff888045b8bfe8 R15: 0000000000000070 [ 130.994166][ T4763] FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 130.997991][ T4763] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 131.000808][ T4763] CR2: 0000000000000000 CR3: 0000000011dd0000 CR4: 0000000000352ef0 [ 131.004082][ T4763] Call Trace: [ 131.005558][ T4763] [ 131.006857][ T4763] ? ip6gre_header+0xc8/0x790 [ 131.008911][ T4763] ? ip6gre_header+0xc8/0x790 [ 131.011043][ T4763] skb_push+0xc3/0xe0 [ 131.012842][ T4763] ip6gre_header+0xc8/0x790 [ 131.014923][ T4763] ? neigh_connected_output+0x1ea/0x460 [ 131.017373][ T4763] ? __pfx_ip6gre_header+0x10/0x10 [ 131.019941][ T4763] ? neigh_connected_output+0x1ea/0x460 [ 131.022397][ T4763] ? read_seqbegin+0xac/0x180 [ 131.024472][ T4763] ? neigh_connected_output+0x1ea/0x460 [ 131.026851][ T4763] ? lockdep_hardirqs_on+0x7b/0x110 [ 131.029215][ T4763] ? __pfx_ip6gre_header+0x10/0x10 [ 131.031400][ T4763] neigh_connected_output+0x286/0x460 [ 131.033749][ T4763] ip6_finish_output+0x234/0x7d0 [ 131.036009][ T4763] ? ip6_output+0x126/0x550 [ 131.037969][ T4763] ip6_output+0x340/0x550 [ 131.039859][ T4763] NF_HOOK+0x9e/0x380 [ 131.041667][ T4763] ? NF_HOOK+0x101/0x380 [ 131.043533][ T4763] ? __pfx_NF_HOOK+0x10/0x10 [ 131.045362][ T4763] ? __pfx_dst_output+0x10/0x10 [ 131.047148][ T4763] ? lockdep_hardirqs_on+0x7b/0x110 [ 131.049238][ T4763] ? __local_bh_enable_ip+0xd0/0x130 [ 131.051110][ T4763] ? icmp6_dst_alloc+0x3a5/0x420 [ 131.053340][ T4763] mld_sendpack+0x8d4/0xe60 [ 131.055288][ T4763] ? mld_sendpack+0x1e7/0xe60 [ 131.057381][ T4763] ? __pfx_mld_sendpack+0x10/0x10 [ 131.059262][ T4763] mld_ifc_work+0x83e/0xd60 [ 131.061110][ T4763] ? process_scheduled_works+0x9ef/0x1770 [ 131.063456][ T4763] process_scheduled_works+0xad1/0x1770 [ 131.065871][ T4763] ? __pfx_process_scheduled_works+0x10/0x10 [ 131.068474][ T4763] ? do_raw_spin_lock+0x121/0x290 [ 131.070464][ T4763] worker_thread+0x8a0/0xda0 [ 131.072416][ T4763] kthread+0x711/0x8a0 [ 131.074199][ T4763] ? __pfx_worker_thread+0x10/0x10 [ 131.076383][ T4763] ? __pfx_kthread+0x10/0x10 [ 131.078340][ T4763] ? _raw_spin_unlock_irq+0x23/0x50 [ 131.080437][ T4763] ? __pfx_kthread+0x10/0x10 [ 131.082400][ T4763] ret_from_fork+0x510/0xa50 [ 131.084408][ T4763] ? __pfx_ret_from_fork+0x10/0x10 [ 131.086752][ T4763] ? __switch_to+0xc9e/0x1480 [ 131.089277][ T4763] ? __pfx_kthread+0x10/0x10 [ 131.091371][ T4763] ret_from_fork_asm+0x1a/0x30 [ 131.093627][ T4763] [ 131.095153][ T4763] Modules linked in: [ 131.097677][ T4763] ---[ end trace 0000000000000000 ]--- [ 131.105631][ T4763] RIP: 0010:skb_panic+0x157/0x160 [ 131.108000][ T4763] Code: c7 60 ac 6f 8c 48 8b 74 24 08 48 8b 54 24 10 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 55 41 57 41 56 e8 ce 6a f5 ff 48 83 c4 20 90 <0f> 0b cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 [ 131.116966][ T4763] RSP: 0018:ffffc90002647400 EFLAGS: 00010286 [ 131.119819][ T4763] RAX: 0000000000000087 RBX: dffffc0000000000 RCX: fc946373200f1900 [ 131.123119][ T4763] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 [ 131.126652][ T4763] RBP: 00000000000006c0 R08: ffffc90002647167 R09: 1ffff920004c8e2c [ 131.129976][ T4763] R10: dffffc0000000000 R11: fffff520004c8e2d R12: ffff888037d4a8d0 [ 131.133491][ T4763] R13: ffff888045b8c000 R14: ffff888045b8bfe8 R15: 0000000000000070 [ 131.137183][ T4763] FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 131.140894][ T4763] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 131.143465][ T4763] CR2: 0000000000000000 CR3: 00000000117e7000 CR4: 0000000000352ef0 [ 131.147550][ T4763] Kernel panic - not syncing: Fatal exception [ 131.150405][ T4763] Kernel Offset: disabled [ 131.152395][ T4763] Rebooting in 86400 seconds..