program: socket$inet_udp(0x2, 0x2, 0x0) syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) r0 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x7fff7ff9}]}) close_range(r0, 0xffffffffffffffff, 0x0) r1 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_generic(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000001c0)=ANY=[@ANYBLOB="1c0000004500090000000000000000e40200000008000200", @ANYRES32=0x0, @ANYBLOB], 0x1c}, 0x1, 0x0, 0x0, 0x40}, 0x0) socket$nl_generic(0x10, 0x3, 0x10) socket$netlink(0x10, 0x3, 0x0) socket$nl_route(0x10, 0x3, 0x0) socket$inet_icmp_raw(0x2, 0x3, 0x1) bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="04000000040000000400000005"], 0x48) r2 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="0e"], 0x48) ioctl$sock_SIOCGIFCONF(0xffffffffffffffff, 0x8912, &(0x7f0000000340)=@req={0x28, &(0x7f0000000240)={'bond_slave_0\x00', @ifru_addrs=@ax25={0x3, @bcast, 0x5}}}) r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x6, 0xc, &(0x7f00000001c0)=ANY=[@ANYBLOB="1800000010000000000000000000000018110000", @ANYRES32=r2, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bc82000000000000a6020000f8ffffffb703000008000000ac03000000000000850000003300000095"], &(0x7f0000000780)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x28, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000300)={{r2}, &(0x7f0000000080), &(0x7f0000000280)=r3}, 0x20) r4 = socket$inet_tcp(0x2, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000180)={'syz_tun\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f00000002c0)={r3, r5}, 0x14) syz_emit_ethernet(0x7a, &(0x7f0000000380)=ANY=[@ANYBLOB="aaaaaaaaaabbffffffffffff86dd61bc4a0600442f00fe8000000000000000000000000000bbfe8000000000000000000000000000aa0c2088be00000001010088a8000086dd080088be000000031c0885eeba3a510000007b40080022eb0000000223022309020000000000000300ebb41b0800655800000004"], 0x0) [ 74.770819][ T5311] Bluetooth: hci0: command tx timeout [ 74.833050][ T5332] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN NOPTI [ 74.837687][ T5332] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] [ 74.841417][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 74.845414][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.850245][ T5332] RIP: 0010:handshake_complete+0x36/0x350 [ 74.852932][ T5332] Code: 54 53 48 83 ec 10 48 89 54 24 08 89 f5 49 89 ff 49 bd 00 00 00 00 00 fc ff df e8 75 6e 73 f6 49 8d 5f 28 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 3b 19 db f6 48 8b 1b 4c 8d 63 30 [ 74.861087][ T5332] RSP: 0018:ffffc9000e827320 EFLAGS: 00010206 [ 74.863815][ T5332] RAX: 0000000000000005 RBX: 0000000000000028 RCX: 0000000000100000 [ 74.867347][ T5332] RDX: ffffc900206a1000 RSI: 0000000000000211 RDI: 0000000000000212 [ 74.870689][ T5332] RBP: 00000000fffffffb R08: ffff88801a098583 R09: 1ffff110034130b0 [ 74.873847][ T5332] R10: dffffc0000000000 R11: ffffed10034130b1 R12: ffff88801186dcd0 [ 74.877152][ T5332] R13: dffffc0000000000 R14: dffffc0000000000 R15: 0000000000000000 [ 74.880565][ T5332] FS: 00007faf3af096c0(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 74.884536][ T5332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 74.887215][ T5332] CR2: 00005561a5d715d0 CR3: 0000000036eae000 CR4: 0000000000352ef0 [ 74.890642][ T5332] Call Trace: [ 74.892236][ T5332] [ 74.893507][ T5332] handshake_nl_accept_doit+0x3f1/0x830 [ 74.896152][ T5332] genl_family_rcv_msg_doit+0x215/0x300 [ 74.898988][ T5332] ? __pfx_genl_family_rcv_msg_doit+0x10/0x10 [ 74.902315][ T5332] ? bpf_lsm_capable+0x9/0x20 [ 74.904363][ T5332] ? security_capable+0x7e/0x2e0 [ 74.906559][ T5332] genl_rcv_msg+0x60e/0x790 [ 74.908551][ T5332] ? __pfx_genl_rcv_msg+0x10/0x10 [ 74.910494][ T5332] ? __pfx_handshake_nl_accept_doit+0x10/0x10 [ 74.912797][ T5332] ? __asan_memcpy+0x40/0x70 [ 74.914583][ T5332] ? __pfx_ref_tracker_free+0x10/0x10 [ 74.916625][ T5332] ? __skb_clone+0x63/0x7a0 [ 74.918345][ T5332] netlink_rcv_skb+0x208/0x470 [ 74.920142][ T5332] ? __pfx_genl_rcv_msg+0x10/0x10 [ 74.922176][ T5332] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 74.924358][ T5332] ? genl_rcv+0x19/0x40 [ 74.926168][ T5332] ? down_read+0x274/0x2e0 [ 74.928235][ T5332] ? genl_rcv+0xd/0x40 [ 74.929986][ T5332] genl_rcv+0x28/0x40 [ 74.931737][ T5332] netlink_unicast+0x82f/0x9e0 [ 74.933741][ T5332] ? __pfx_netlink_unicast+0x10/0x10 [ 74.935952][ T5332] ? __alloc_skb+0x198/0x3a0 [ 74.938104][ T5332] ? netlink_sendmsg+0x642/0xb30 [ 74.940399][ T5332] ? skb_put+0x11b/0x210 [ 74.942564][ T5332] netlink_sendmsg+0x805/0xb30 [ 74.944897][ T5332] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.947369][ T5332] ? aa_sock_msg_perm+0xf1/0x1b0 [ 74.949699][ T5332] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 74.952089][ T5332] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.954367][ T5332] __sock_sendmsg+0x21c/0x270 [ 74.956391][ T5332] ____sys_sendmsg+0x505/0x820 [ 74.958434][ T5332] ? __pfx_____sys_sendmsg+0x10/0x10 [ 74.960725][ T5332] ? import_iovec+0x74/0xa0 [ 74.962794][ T5332] ___sys_sendmsg+0x21f/0x2a0 [ 74.964879][ T5332] ? __pfx____sys_sendmsg+0x10/0x10 [ 74.967124][ T5332] ? futex_wait+0x285/0x360 [ 74.969154][ T5332] ? __fget_files+0x2a/0x420 [ 74.970918][ T5332] ? __fget_files+0x3a0/0x420 [ 74.972709][ T5332] __x64_sys_sendmsg+0x19b/0x260 [ 74.974690][ T5332] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 74.977301][ T5332] ? rcu_is_watching+0x15/0xb0 [ 74.979567][ T5332] ? __secure_computing+0xe2/0x2a0 [ 74.981866][ T5332] do_syscall_64+0xec/0xf80 [ 74.983997][ T5332] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.986622][ T5332] ? trace_irq_disable+0x37/0x100 [ 74.988754][ T5332] ? clear_bhb_loop+0x60/0xb0 [ 74.990806][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.993398][ T5332] RIP: 0033:0x7faf39f8f7c9 [ 74.995351][ T5332] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.003590][ T5332] RSP: 002b:00007faf3af09038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 75.007018][ T5332] RAX: ffffffffffffffda RBX: 00007faf3a1e5fa0 RCX: 00007faf39f8f7c9 [ 75.010408][ T5332] RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000000 [ 75.013433][ T5332] RBP: 00007faf3a013f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.016578][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.019687][ T5332] R13: 00007faf3a1e6038 R14: 00007faf3a1e5fa0 R15: 00007ffed5d09238 [ 75.023217][ T5332] [ 75.024788][ T5332] Modules linked in: [ 75.027371][ T5332] ---[ end trace 0000000000000000 ]--- [ 75.052890][ T5332] RIP: 0010:handshake_complete+0x36/0x350 [ 75.056779][ T5332] Code: 54 53 48 83 ec 10 48 89 54 24 08 89 f5 49 89 ff 49 bd 00 00 00 00 00 fc ff df e8 75 6e 73 f6 49 8d 5f 28 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 3b 19 db f6 48 8b 1b 4c 8d 63 30 [ 75.067128][ T5332] RSP: 0018:ffffc9000e827320 EFLAGS: 00010206 [ 75.070227][ T5332] RAX: 0000000000000005 RBX: 0000000000000028 RCX: 0000000000100000 [ 75.074139][ T5332] RDX: ffffc900206a1000 RSI: 0000000000000211 RDI: 0000000000000212 [ 75.079887][ T5332] RBP: 00000000fffffffb R08: ffff88801a098583 R09: 1ffff110034130b0 [ 75.083924][ T5332] R10: dffffc0000000000 R11: ffffed10034130b1 R12: ffff88801186dcd0 [ 75.087849][ T5332] R13: dffffc0000000000 R14: dffffc0000000000 R15: 0000000000000000 [ 75.091548][ T5332] FS: 00007faf3af096c0(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 75.095964][ T5332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.099042][ T5332] CR2: 00005561a5d68168 CR3: 0000000036eae000 CR4: 0000000000352ef0 [ 75.102682][ T5332] Kernel panic - not syncing: Fatal exception [ 75.105649][ T5332] Kernel Offset: disabled [ 75.107477][ T5332] Rebooting in 86400 seconds..