program:
r0 = socket$kcm(0x23, 0x5, 0x0)
listen(r0, 0x800)
r1 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$inet(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000f00)=[{&(0x7f0000000200)="5c00000014006b05c84e21000ab16d6e230675f811000000440002005817d30461bc24eeb556a7ef595105ea1698fa51f60a64c9f408000000e786a6d0bdbdc3d44bd70011b6c0504bb9189d9193e9bd00"/92, 0x5c}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x240040c4)
r2 = socket$nl_route(0x10, 0x3, 0x0)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000040)={'lo\x00', <r4=>0x0})
sendmsg$nl_route_sched(r2, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000001c0)=@newqdisc={0x44, 0x24, 0x4ee4e6a52ff56541, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_hfsc={{0x9}, {0x14, 0x2, @TCA_HFSC_USC={0x10}}}]}, 0x44}}, 0x0)
r5 = socket(0x2a, 0x2, 0x0)
getsockname$packet(r5, &(0x7f0000000200)={0x11, 0x0, <r6=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14)
sendmsg$nl_route_sched(r5, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000180)=@gettclass={0x24, 0x2a, 0x20, 0x70bd27, 0x25dfdbff, {0x0, 0x0, 0x0, r4, {0x7ff8, 0xe}, {0xd, 0xb}, {0xb, 0x10}}}, 0x24}, 0x1, 0x0, 0x0, 0x810}, 0x0)
sendmsg$IPCTNL_MSG_CT_NEW(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000000c0)={0x0}}, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000009c0)=@newtfilter={0x34, 0x2c, 0xd27, 0x70bd2d, 0x80, {0x0, 0x0, 0x0, r6, {0xf, 0xffe0}, {}, {0x8, 0xffff}}, [@filter_kind_options=@f_cgroup={{0xb}, {0x4}}]}, 0x34}, 0x1, 0x0, 0x0, 0x40}, 0x4044004)
r7 = socket$netlink(0x10, 0x3, 0x0)
sendmmsg(r7, &(0x7f00000002c0), 0x40000000000009f, 0x0)
r8 = socket$inet6_tcp(0xa, 0x1, 0x0)
bind$inet6(r8, &(0x7f0000000100)={0xa, 0x4e22}, 0x1c)
listen(r8, 0x2)
syz_emit_ethernet(0x36, &(0x7f0000000080)={@local, @dev, @void, {@ipv4={0x800, @tcp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote, @local}, {{0x0, 0x4e22, 0x41424344, 0x41424344, 0x0, 0x6, 0x5, 0x2}}}}}}, 0x0)
r9 = socket$phonet_pipe(0x23, 0x5, 0x2)
connect$phonet_pipe(r9, &(0x7f0000000040)={0x23, 0x0, 0x58}, 0x10)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0xd, 0x4, &(0x7f0000000040)=@framed={{}, [@ldst={0x1, 0x2, 0x4, 0x2, 0x1, 0xce}]}, &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0xd, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0xffffffff}, 0x94)
r10 = accept4(r0, 0x0, 0x0, 0x80000)
r11 = syz_genetlink_get_family_id$nl80211(&(0x7f00000003c0), r10)
sendmsg$NL80211_CMD_SET_PMK(r7, &(0x7f0000000540)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x80000}, 0xc, &(0x7f0000000500)={&(0x7f0000000480)={0x70, r11, 0x2, 0x70bd27, 0x25dfdbfb, {{}, {@void, @val={0xc, 0x99, {0x6, 0x1c}}}}, [@NL80211_ATTR_PMK={0x14, 0xfe, "1f01213851b5bd707615c9597d8cabb5"}, @NL80211_ATTR_PMK={0x14, 0xfe, "d86862f200de90c17edc08a681fc5463"}, @NL80211_ATTR_PMK={0x14, 0xfe, "94a8d7e10412e51a3e8ffd17d353a8ca"}, @NL80211_ATTR_PMK={0x14, 0xfe, "1be543959c81d6525bb63b42d45e512e"}]}, 0x70}, 0x1, 0x0, 0x0, 0x10}, 0x8010)
r12 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0xe, 0x7fff0000}]})
close_range(r12, 0xffffffffffffffff, 0x0)

[   84.721582][ T5285] Bluetooth: hci0: command tx timeout
[   84.805106][ T5325] netlink: 'syz.0.0': attribute type 2 has an invalid length.
[   84.855296][ T5325] Zero length message leads to an empty skb
[   84.925635][ T5325] ------------[ cut here ]------------
[   84.928182][ T5325] kernel BUG at net/phonet/socket.c:213!
[   84.930971][ T5325] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[   84.933820][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   84.937829][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   84.942207][ T5325] RIP: 0010:pn_socket_sendmsg+0x240/0x250
[   84.945044][ T5325] Code: d3 00 cc e8 92 72 d0 00 89 d9 80 e1 07 fe c1 38 c1 0f 8c 04 ff ff ff 48 89 df e8 db 3a 59 f7 e9 f7 fe ff ff e8 31 72 ec f6 90 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90
[   84.953586][ T5325] RSP: 0018:ffffc9000dc97c00 EFLAGS: 00010287
[   84.956339][ T5325] RAX: ffffffff8ad9417f RBX: 0000000000000000 RCX: 0000000000100000
[   84.959838][ T5325] RDX: ffffc9000ef62000 RSI: 0000000000000583 RDI: 0000000000000584
[   84.963620][ T5325] RBP: ffffc9000dc97cb0 R08: ffffffff9030bbf7 R09: 1ffffffff206177e
[   84.967116][ T5325] R10: dffffc0000000000 R11: fffffbfff206177f R12: dffffc0000000000
[   84.970591][ T5325] R13: ffff888046f99840 R14: ffff888034683a80 R15: 1ffff92001b92f84
[   84.974255][ T5325] FS:  00007f69c2b056c0(0000) GS:ffff88808c888000(0000) knlGS:0000000000000000
[   84.978160][ T5325] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   84.980965][ T5325] CR2: 00007f69c1b87f40 CR3: 0000000042516000 CR4: 0000000000352ef0
[   84.984579][ T5325] Call Trace:
[   84.986097][ T5325]  <TASK>
[   84.987456][ T5325]  ? tomoyo_socket_sendmsg_permission+0x1e0/0x300
[   84.990335][ T5325]  ? __pfx_pn_socket_sendmsg+0x10/0x10
[   84.992752][ T5325]  ? aa_sock_msg_perm+0xf1/0x1b0
[   84.995159][ T5325]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[   84.997583][ T5325]  ? __pfx_pn_socket_sendmsg+0x10/0x10
[   84.999980][ T5325]  __sys_sendto+0x672/0x710
[   85.001939][ T5325]  ? __pfx___sys_sendto+0x10/0x10
[   85.004162][ T5325]  ? exc_page_fault+0x6a/0xc0
[   85.006229][ T5325]  ? do_user_addr_fault+0xc6f/0x1340
[   85.008501][ T5325]  __x64_sys_sendto+0xde/0x100
[   85.010611][ T5325]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.013254][ T5325]  do_syscall_64+0x15f/0xf80
[   85.015281][ T5325]  ? trace_irq_disable+0x3b/0x140
[   85.017468][ T5325]  ? clear_bhb_loop+0x40/0x90
[   85.019511][ T5325]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.022088][ T5325] RIP: 0033:0x7f69c1b5d60e
[   85.024127][ T5325] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[   85.032294][ T5325] RSP: 002b:00007f69c2b03e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   85.035903][ T5325] RAX: ffffffffffffffda RBX: 00007f69c2b056c0 RCX: 00007f69c1b5d60e
[   85.039263][ T5325] RDX: 0000000000000020 RSI: 00007f69c2b03fc0 RDI: 000000000000000b
[   85.042634][ T5325] RBP: 0000000000000000 R08: 00007f69c2b03ec4 R09: 000000000000000c
[   85.045964][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000b
[   85.049253][ T5325] R13: 00007f69c2b03f18 R14: 00007f69c2b03fc0 R15: 0000000000000000
[   85.052628][ T5325]  </TASK>
[   85.054028][ T5325] Modules linked in:
[   85.056019][ T5325] ---[ end trace 0000000000000000 ]---
[   85.063693][ T5325] RIP: 0010:pn_socket_sendmsg+0x240/0x250
[   85.066626][ T5325] Code: d3 00 cc e8 92 72 d0 00 89 d9 80 e1 07 fe c1 38 c1 0f 8c 04 ff ff ff 48 89 df e8 db 3a 59 f7 e9 f7 fe ff ff e8 31 72 ec f6 90 <0f> 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90
[   85.074898][ T5325] RSP: 0018:ffffc9000dc97c00 EFLAGS: 00010287
[   85.078416][ T5325] RAX: ffffffff8ad9417f RBX: 0000000000000000 RCX: 0000000000100000
[   85.081850][ T5325] RDX: ffffc9000ef62000 RSI: 0000000000000583 RDI: 0000000000000584
[   85.085328][ T5325] RBP: ffffc9000dc97cb0 R08: ffffffff9030bbf7 R09: 1ffffffff206177e
[   85.089225][ T5325] R10: dffffc0000000000 R11: fffffbfff206177f R12: dffffc0000000000
[   85.092734][ T5325] R13: ffff888046f99840 R14: ffff888034683a80 R15: 1ffff92001b92f84
[   85.096492][ T5325] FS:  00007f69c2b056c0(0000) GS:ffff88808c888000(0000) knlGS:0000000000000000
[   85.100480][ T5325] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   85.103447][ T5325] CR2: 00007f69c1b87f40 CR3: 0000000042516000 CR4: 0000000000352ef0
[   85.107316][ T5325] Kernel panic - not syncing: Fatal exception
[   85.110283][ T5325] Kernel Offset: disabled
[   85.112150][ T5325] Rebooting in 86400 seconds..