program:
# Reproducer program in syzkaller syntax, followed by the kernel console output it produced.
# Triage summary from the log: the run ends in "kernel BUG at net/phonet/socket.c:213!" with
# RIP in pn_socket_sendmsg, entered through the sendmsg syscall path. The only sendmsg issued
# on a family-0x23 socket is the last call of this program (on r7).
# NOTE(review): r3 and r8 are used below but no assignment to them appears in this text.
# syzkaller writes result bindings inline as "<rN=>value"; such markers may have been lost when
# the page was extracted. Confirm against the original reproducer before replaying it in a test VM.

# Opens a tun control descriptor relative to AT_FDCWD (0xffffffffffffff9c is -100).
# The contents of the path buffer are not shown here.
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
# perf event setup, followed by rlimit and scheduler changes: resource 0xe is RLIMIT_RTPRIO,
# policy 0x2 is SCHED_RR, priority 7.
# NOTE(review): no visible link to the phonet frames in the trace; likely incidental fuzzer
# state. Confirm by minimising.
perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0xc0, 0x1, 0x0, 0x0, 0x0, 0xaa8c, 0x40, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext={0x3, 0x7}, 0x103044, 0x1f72, 0x0, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x20000008b}, 0x0)
sched_setscheduler(0x0, 0x2, &(0x7f0000000200)=0x7)
# syz_clone is a syzkaller pseudo-syscall, not a kernel syscall name.
syz_clone(0x0, 0x0, 0xfffffffffffffead, 0x0, 0x0, 0x0)
# Address-space manipulation of the fuzzer's data area (mmap / mremap / madvise).
# NOTE(review): presumably unrelated to the crash; the call trace shows no mm frames.
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
mremap(&(0x7f0000000000/0x9000)=nil, 0x600002, 0x600002, 0x7, &(0x7f0000a00000/0x600000)=nil)
madvise(&(0x7f0000000000/0x600000)=nil, 0x600003, 0x19)
prctl$PR_TASK_PERF_EVENTS_DISABLE(0x1f)
mremap(&(0x7f0000a96000/0x1000)=nil, 0x1000, 0x400000, 0x3, &(0x7f0000000000/0x400000)=nil)
# Creates or attaches the tun interface named "syzkaller0" on r0.
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
# r1: the low bits of the family argument are 0x10 (AF_NETLINK); type 0x3, protocol 0.
r1 = socket(0x400000000010, 0x3, 0x0)
r2 = socket$unix(0x1, 0x1, 0x0)
# Looks up the interface index of "syzkaller0" (0x8933 is SIOCGIFINDEX).
# NOTE(review): this is the likely origin of r3; the binding is not visible here.
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0})
# rtnetlink message of type 0x24 (RTM_NEWQDISC) requesting a DRR qdisc on ifindex r3.
sendmsg$nl_route_sched(r1, &(0x7f0000000bc0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000001c0)=@newqdisc={0x2c, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0xbfffffff, {0x0, 0x0, 0x0, r3, {0x0, 0x5}, {0xffff, 0xffff}, {0x0, 0x9}}, [@qdisc_kind_options=@q_drr={0x8}]}, 0x2c}}, 0x0)
# The call variant is named $kcm, but the family argument is 0x23 (AF_PHONET; AF_KCM would be
# 0x29) with type 0x5 (SOCK_SEQPACKET), so r4 is a phonet socket. It is then put into the
# listening state.
r4 = socket$kcm(0x23, 0x5, 0x0)
listen(r4, 0x800)
# r5 is again a netlink socket (family 0x10) despite the $kcm variant name.
r5 = socket$kcm(0x10, 0x2, 0x0)
# Raw netlink message: little-endian length 0x5c, type 0x14 (RTM_NEWADDR), and a family byte of
# 0x23 right after the 16-byte header. The attribute header that follows (length 0x44, type 2)
# is consistent with the "attribute type 2 has an invalid length" line logged by the same task.
# NOTE(review): presumably this gives the namespace a phonet address; confirm.
sendmsg$inet(r5, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000f00)=[{&(0x7f0000000200)="5c00000014006b05c84e21000ab16d6e230675f811000000440002005817d30461bc24eeb556a7ef595105ea1698fa51f60a64c9f408000000e786a6d0bdbdc3d44bd70011b6c0504bb9189d9193e9bd00"/92, 0x5c}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x240040c4)
# Second phonet socket, protocol 0x2 (PN_PROTO_PIPE), later connected so that the listener r4
# has a peer to accept.
r6 = socket$phonet_pipe(0x23, 0x5, 0x2)
mremap(&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x1000, 0x4, &(0x7f0000a7c000/0x1000)=nil)
connect$phonet_pipe(r6, &(0x7f0000000040)={0x23, 0x0, 0x58}, 0x10)
# r7 is the socket returned by accept4 on the phonet listener (flag 0x80000 is SOCK_CLOEXEC).
r7 = accept4(r4, 0x0, 0x0, 0x80000)
# Tunnel ioctl on the netlink socket r1 with a fuzzed IPv4 header and options.
# NOTE(review): no tunnel frames appear in the trace; presumably incidental.
ioctl$sock_ipv4_tunnel_SIOCADDTUNNEL(r1, 0x89f1, &(0x7f0000000400)={'sit0\x00', &(0x7f0000000340)={'gretap0\x00', r3, 0x8, 0x80, 0x5, 0x7, {{0x26, 0x4, 0x3, 0x10, 0x98, 0x66, 0x0, 0x5, 0x29, 0x0, @broadcast, @broadcast, {[@generic={0x44, 0x11, "c4f3e278b073802be83c807b555b1a"}, @ssrr={0x89, 0x1f, 0x73, [@broadcast, @local, @rand_addr=0x64010102, @initdev={0xac, 0x1e, 0x0, 0x0}, @remote, @local, @remote]}, @end, @noop, @timestamp_addr={0x44, 0x34, 0x91, 0x1, 0x9, [{@remote, 0x9}, {@rand_addr=0x64010102, 0x3}, {@multicast2, 0xae1}, {@dev={0xac, 0x14, 0x14, 0x42}, 0x1000}, {@rand_addr=0x64010101, 0x7}, {@empty, 0xb9}]}, @rr={0x7, 0x1b, 0x65, [@dev={0xac, 0x14, 0x14, 0x2a}, @broadcast, @broadcast, @multicast1, @private=0xa010101, @remote]}]}}}}})
# Crashing call: an rtnetlink-shaped payload (type 0x2e, RTM_GETTFILTER) is sent on r7, which
# is the accepted phonet socket rather than a netlink socket. The flags value 0x20000000 and
# the 0x580 offset of the msghdr pointer match RDX and RSI in the user-register dump, and
# ORIG_RAX 0x2e is the sendmsg syscall number.
# Impact as logged: a BUG() reached from a syscall, ending in "Kernel panic - not syncing",
# so an availability failure. The log shows UID: 0; whether an unprivileged task can reach the
# same state is not established by this report.
# Exposure: hosts that do not use Phonet can leave CONFIG_PHONET disabled or keep the module
# from loading.
sendmsg$nl_route_sched(r7, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000300)={&(0x7f00000005c0)=@gettfilter={0x54, 0x2e, 0x820389234ce70cc9, 0x70bd2d, 0x25dfdbfc, {0x0, 0x0, 0x0, r8, {0xf, 0x1}, {0xa, 0xf}, {0xffff, 0x13}}, [{0x8, 0xb, 0xd}, {0x8, 0xb, 0xfff}, {0x8}, {0x8, 0xb, 0x4}, {0x8, 0xb, 0x20003}, {0x8, 0xb, 0x9}]}, 0x54}, 0x1, 0x0, 0x0, 0x20000010}, 0x20000000)
# Kernel console output follows (not part of the program).
[ 78.231832][ T5316] Bluetooth: hci0: command tx timeout
[ 79.545378][ T5339] netlink: 'syz.0.0': attribute type 2 has an invalid length.
[ 79.606186][ T5339] ------------[ cut here ]------------
[ 79.609039][ T5339] kernel BUG at net/phonet/socket.c:213! 
[ 79.611740][ T5339] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 79.614558][ T5339] CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 79.619774][ T5339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 79.625999][ T5339] RIP: 0010:pn_socket_sendmsg+0x240/0x250 [ 79.628627][ T5339] Code: cc cc cc e8 f2 65 d2 00 89 d9 80 e1 07 fe c1 38 c1 0f 8c 04 ff ff ff 48 89 df e8 bb 6b 4a f7 e9 f7 fe ff ff e8 d1 a2 dd f6 90 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 [ 79.637570][ T5339] RSP: 0018:ffffc900034df920 EFLAGS: 00010283 [ 79.640731][ T5339] RAX: ffffffff8ae83e1f RBX: 0000000000000000 RCX: 0000000000100000 [ 79.644009][ T5339] RDX: ffffc90020001000 RSI: 000000000000004b RDI: 000000000000004c [ 79.648048][ T5339] RBP: ffffc900034df9d0 R08: ffffffff9033a4f7 R09: 1ffffffff206749e [ 79.653156][ T5339] R10: dffffc0000000000 R11: fffffbfff206749f R12: dffffc0000000000 [ 79.656826][ T5339] R13: ffff888011a79e40 R14: ffff888012713a80 R15: 1ffff9200069bf28 [ 79.660454][ T5339] FS: 00007fb78af926c0(0000) GS:ffff88808c809000(0000) knlGS:0000000000000000 [ 79.665395][ T5339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 79.669352][ T5339] CR2: 00007fb78af70ff8 CR3: 0000000042d23000 CR4: 0000000000352ef0 [ 79.673107][ T5339] Call Trace: [ 79.674649][ T5339] [ 79.676004][ T5339] ? tomoyo_socket_sendmsg_permission+0x1e0/0x300 [ 79.678770][ T5339] ? __pfx_pn_socket_sendmsg+0x10/0x10 [ 79.680990][ T5339] ? aa_sock_msg_perm+0xf1/0x1b0 [ 79.683436][ T5339] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 79.686453][ T5339] ____sys_sendmsg+0x972/0x9f0 [ 79.689249][ T5339] ? __might_fault+0xaf/0x130 [ 79.691286][ T5339] ? __pfx_____sys_sendmsg+0x10/0x10 [ 79.693566][ T5339] ? import_iovec+0x73/0xa0 [ 79.695557][ T5339] ___sys_sendmsg+0x2a5/0x360 [ 79.697569][ T5339] ? __lock_acquire+0x6b5/0x2cf0 [ 79.699848][ T5339] ? __pfx____sys_sendmsg+0x10/0x10 [ 79.702422][ T5339] ? 
futex_wait+0x2a2/0x390 [ 79.704679][ T5339] ? __fget_files+0x2a/0x420 [ 79.706858][ T5339] ? __fget_files+0x3a0/0x420 [ 79.713588][ T5339] __x64_sys_sendmsg+0x1bd/0x2a0 [ 79.715577][ T5339] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 79.718085][ T5339] ? rcu_is_watching+0x15/0xb0 [ 79.720851][ T5339] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 79.724373][ T5339] do_syscall_64+0x15f/0xf80 [ 79.726343][ T5339] ? clear_bhb_loop+0x40/0x90 [ 79.728389][ T5339] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 79.731043][ T5339] RIP: 0033:0x7fb78a19c819 [ 79.733097][ T5339] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 79.742770][ T5339] RSP: 002b:00007fb78af91fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 79.746745][ T5339] RAX: ffffffffffffffda RBX: 00007fb78a415fa0 RCX: 00007fb78a19c819 [ 79.750244][ T5339] RDX: 0000000020000000 RSI: 0000200000000580 RDI: 000000000000000a [ 79.753294][ T5339] RBP: 00007fb78a232c91 R08: 0000000000000000 R09: 0000000000000000 [ 79.756340][ T5339] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 79.760253][ T5339] R13: 00007fb78a416038 R14: 00007fb78a415fa0 R15: 00007fff1bd0f278 [ 79.763878][ T5339] [ 79.765191][ T5339] Modules linked in: [ 79.770310][ T5339] ---[ end trace 0000000000000000 ]--- [ 79.772790][ T5339] RIP: 0010:pn_socket_sendmsg+0x240/0x250 [ 79.775349][ T5339] Code: cc cc cc e8 f2 65 d2 00 89 d9 80 e1 07 fe c1 38 c1 0f 8c 04 ff ff ff 48 89 df e8 bb 6b 4a f7 e9 f7 fe ff ff e8 d1 a2 dd f6 90 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 [ 79.786375][ T5339] RSP: 0018:ffffc900034df920 EFLAGS: 00010283 [ 79.788860][ T5339] RAX: ffffffff8ae83e1f RBX: 0000000000000000 RCX: 0000000000100000 [ 79.791756][ T5339] RDX: ffffc90020001000 RSI: 000000000000004b RDI: 000000000000004c [ 79.794673][ T5339] RBP: ffffc900034df9d0 R08: ffffffff9033a4f7 R09: 
1ffffffff206749e [ 79.797626][ T5339] R10: dffffc0000000000 R11: fffffbfff206749f R12: dffffc0000000000 [ 79.800928][ T5339] R13: ffff888011a79e40 R14: ffff888012713a80 R15: 1ffff9200069bf28 [ 79.805883][ T5339] FS: 00007fb78af926c0(0000) GS:ffff88808c809000(0000) knlGS:0000000000000000 [ 79.809575][ T5339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 79.812344][ T5339] CR2: 00007fb78af70ff8 CR3: 0000000042d23000 CR4: 0000000000352ef0 [ 79.815608][ T5339] Kernel panic - not syncing: Fatal exception [ 79.818871][ T5339] Kernel Offset: disabled [ 79.821721][ T5339] Rebooting in 86400 seconds..