program: r0 = socket$kcm(0x23, 0x5, 0x0) listen(r0, 0x800) r1 = socket$kcm(0x10, 0x2, 0x0) sendmsg$inet(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000f00)=[{&(0x7f0000000200)="5c00000014006b05c84e21000ab16d6e230675f811000000440002005817d30461bc24eeb556a7ef595105ea1698fa51f60a64c9f408000000e786a6d0bdbdc3d44bd70011b6c0504bb9189d9193e9bd00"/92, 0x5c}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x240040c4) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) connect$phonet_pipe(r2, &(0x7f0000000040)={0x23, 0x0, 0x58}, 0x10) r3 = accept4(r0, 0x0, 0x0, 0x80000) r4 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0xe, 0x7fff0000}]}) r5 = socket$nl_generic(0x10, 0x3, 0x10) r6 = syz_genetlink_get_family_id$devlink(&(0x7f00000000c0), r3) sendmsg$DEVLINK_CMD_RATE_GET(r5, &(0x7f00000001c0)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x80101200}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x14, r6, 0x100, 0x70bd28, 0x25dfdbfc}, 0x14}, 0x1, 0x0, 0x0, 0x10000090}, 0x8004) close_range(r4, 0xffffffffffffffff, 0x0) [ 80.312779][ T5312] Bluetooth: hci0: command tx timeout [ 80.407622][ T5334] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 80.492968][ T5334] ------------[ cut here ]------------ [ 80.495609][ T5334] kernel BUG at net/phonet/socket.c:213! [ 80.507257][ T5334] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 80.510211][ T5334] CPU: 0 UID: 0 PID: 5334 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 80.514175][ T5334] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 80.519282][ T5334] RIP: 0010:pn_socket_sendmsg+0x240/0x250 [ 80.522625][ T5334] Code: cc cc cc e8 72 5d d2 00 89 d9 80 e1 07 fe c1 38 c1 0f 8c 04 ff ff ff 48 89 df e8 9b ad 4b f7 e9 f7 fe ff ff e8 21 e8 de f6 90 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 [ 80.530935][ T5334] RSP: 0018:ffffc90005cdfc00 EFLAGS: 00010283 [ 80.534369][ T5334] RAX: ffffffff8ae6f69f RBX: 0000000000000000 RCX: 0000000000100000 [ 80.538870][ T5334] RDX: ffffc90020001000 RSI: 0000000000000585 RDI: 0000000000000586 [ 80.542179][ T5334] RBP: ffffc90005cdfcb0 R08: ffffffff903377f7 R09: 1ffffffff2066efe [ 80.545656][ T5334] R10: dffffc0000000000 R11: fffffbfff2066eff R12: dffffc0000000000 [ 80.549518][ T5334] R13: ffff8880463a4640 R14: ffff88800e4fba80 R15: 1ffff92000b9bf84 [ 80.553438][ T5334] FS: 00007f540ff7e6c0(0000) GS:ffff88808c812000(0000) knlGS:0000000000000000 [ 80.558000][ T5334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 80.561060][ T5334] CR2: 00007f540f187980 CR3: 000000001ab3c000 CR4: 0000000000352ef0 [ 80.564993][ T5334] Call Trace: [ 80.567021][ T5334] [ 80.568706][ T5334] ? tomoyo_socket_sendmsg_permission+0x1e0/0x300 [ 80.571932][ T5334] ? __pfx_pn_socket_sendmsg+0x10/0x10 [ 80.574424][ T5334] ? aa_sock_msg_perm+0xf1/0x1b0 [ 80.576828][ T5334] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 80.579831][ T5334] ? __pfx_pn_socket_sendmsg+0x10/0x10 [ 80.583111][ T5334] __sys_sendto+0x672/0x710 [ 80.585119][ T5334] ? __pfx___sys_sendto+0x10/0x10 [ 80.587592][ T5334] ? do_user_addr_fault+0xc6f/0x1340 [ 80.589977][ T5334] __x64_sys_sendto+0xde/0x100 [ 80.592174][ T5334] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 80.595238][ T5334] do_syscall_64+0x15f/0xf80 [ 80.597698][ T5334] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 80.600903][ T5334] ? clear_bhb_loop+0x40/0x90 [ 80.603350][ T5334] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 80.606097][ T5334] RIP: 0033:0x7f540f15d04e [ 80.608194][ T5334] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 [ 80.619155][ T5334] RSP: 002b:00007f540ff7ce48 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 80.623036][ T5334] RAX: ffffffffffffffda RBX: 00007f540ff7e6c0 RCX: 00007f540f15d04e [ 80.626606][ T5334] RDX: 0000000000000020 RSI: 00007f540ff7cfc0 RDI: 0000000000000006 [ 80.630501][ T5334] RBP: 0000000000000000 R08: 00007f540ff7cec4 R09: 000000000000000c [ 80.634773][ T5334] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006 [ 80.638244][ T5334] R13: 00007f540ff7cf18 R14: 00007f540ff7cfc0 R15: 0000000000000000 [ 80.641755][ T5334] [ 80.643324][ T5334] Modules linked in: [ 80.645808][ T5334] ---[ end trace 0000000000000000 ]--- [ 80.662857][ T5334] RIP: 0010:pn_socket_sendmsg+0x240/0x250 [ 80.665690][ T5334] Code: cc cc cc e8 72 5d d2 00 89 d9 80 e1 07 fe c1 38 c1 0f 8c 04 ff ff ff 48 89 df e8 9b ad 4b f7 e9 f7 fe ff ff e8 21 e8 de f6 90 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 [ 80.676640][ T5334] RSP: 0018:ffffc90005cdfc00 EFLAGS: 00010283 [ 80.679683][ T5334] RAX: ffffffff8ae6f69f RBX: 0000000000000000 RCX: 0000000000100000 [ 80.684709][ T5334] RDX: ffffc90020001000 RSI: 0000000000000585 RDI: 0000000000000586 [ 80.688456][ T5334] RBP: ffffc90005cdfcb0 R08: ffffffff903377f7 R09: 1ffffffff2066efe [ 80.692777][ T5334] R10: dffffc0000000000 R11: fffffbfff2066eff R12: dffffc0000000000 [ 80.697592][ T5334] R13: ffff8880463a4640 R14: ffff88800e4fba80 R15: 1ffff92000b9bf84 [ 80.701999][ T5334] FS: 00007f540ff7e6c0(0000) GS:ffff88808c812000(0000) knlGS:0000000000000000 [ 80.706229][ T5334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 80.709839][ T5334] CR2: 00005563cf2ee168 CR3: 000000001ab3c000 CR4: 0000000000352ef0 [ 80.716488][ T5334] Kernel panic - not syncing: Fatal exception [ 80.719683][ T5334] Kernel Offset: disabled [ 80.721814][ T5334] Rebooting in 86400 seconds..