program:
# syzkaller reproducer for the crash logged below: UBSAN shift-out-of-bounds in
# ieee80211_parse_tx_radiotap (net/mac80211/tx.c:2175), "shift exponent 128 is
# too large for 64-bit type 'unsigned long'", reached from an AF_PACKET
# sendto() via packet_sendmsg -> __dev_queue_xmit -> ieee80211_monitor_start_xmit.
# The register dump in the trace (RDI=0xc, RDX=0x46, R9=0x14, RSI/R8 ending in
# ...0480/...0380) lines up with the sendto$packet call marked below; the rest
# of the program is fuzzer setup or noise as far as this log shows.
#
# NOTE(review): r6, r9 and r11 are referenced but never assigned in this
# rendering. syzlang writes output resources as <rN=>; those markers appear to
# have been stripped (r6 and r9 would be the ifindex output slots of the two
# SIOCGIFINDEX calls on 'wlan0' and 'syzkaller0', r11 one socketpair end).
# Restore them before feeding this to syz-execprog / syz-prog2c.
#
# Privilege caveat (not shown by this log): creating an nl80211 interface and
# transmitting on a raw packet socket normally require CAP_NET_ADMIN /
# CAP_NET_RAW, which syzkaller holds inside its sandbox; reachability from an
# unprivileged user depends on the target's user-namespace policy.
#
# Severity caveat: this kernel has panic_on_warn set (see the log), so the
# report ends in a panic. On a default config UBSAN only warns and the
# undefined shift result is then used; what that value controls at tx.c:2175
# cannot be judged from this trace alone.

# Domain 0x10 is AF_NETLINK, so despite the $kcm variant this reads as a plain
# netlink datagram fd; it is reused below for the 'wlan0' SIOCGIFINDEX lookup.
r0 = socket$kcm(0x10, 0x2, 0x0)
# One raw 0x2e-byte message shaped like an nlmsghdr (len 0x2e, type 0x10) whose
# first nlattr header ("0e00 2100" -> len 14, type 33) is consistent with the
# "attribute type 33 has an invalid length" warning in the log. That is a
# netlink policy rejection, not part of the crash path.
sendmsg$kcm(r0, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000000)="2e00000010008188e6b62aa73772cc9f1ba1f848100000005e140602000000000e0021000f000000028000001294", 0x2e}], 0x1}, 0x0)
# Result unused.
socket$kcm(0x10, 0x2, 0x0)
# Raw netlink socket used later for the qdisc and ipset messages.
r1 = socket(0x10, 0x3, 0x0)
# Packet socket used only to look up ip6tnl0's ifindex (result discarded).
r2 = socket$packet(0x11, 0x2, 0x300)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000080)={'ip6tnl0\x00'})
# TCP/IPv6 socket that is shut down, bound, and connected twice further down.
# Nothing in the trace touches it -- presumably fuzzer noise.
r3 = socket$inet6_tcp(0xa, 0x1, 0x0)
shutdown(r3, 0x1)
bind$inet6(r3, &(0x7f0000000500)={0xa, 0x4e22, 0x9, @ipv4={'\x00', '\xff\xff', @dev={0xac, 0x14, 0x14, 0x22}}, 0x10}, 0x1c)
# Generic netlink socket and the nl80211 family id for NEW_INTERFACE below.
r4 = socket$nl_generic(0x10, 0x3, 0x10)
socket$unix(0x1, 0x2, 0x0)
r5 = syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), 0xffffffffffffffff)
# ifindex of the emulated 'wlan0'; the trailing 0x0 is the output slot (see the
# note above about the missing <r6=> marker).
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000001c0)={'wlan0\x00', 0x0})
# Create a new virtual interface named 'syzkaller0' (header attrs: type 1 =
# 0x60, type 3 = r6 i.e. the wlan0 ifindex -- presumably NL80211_ATTR_WIPHY /
# NL80211_ATTR_IFINDEX). NL80211_ATTR_IFTYPE = 0x6 should be
# NL80211_IFTYPE_MONITOR, which matches the crash frame later entering
# ieee80211_monitor_start_xmit; verify against the enum.
sendmsg$NL80211_CMD_NEW_INTERFACE(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000140)={0x4c, r5, 0x1, 0x70bd25, 0x25dfdbfd, {{}, {@val={0x8, 0x1, 0x60}, @val={0x8, 0x3, r6}, @val={0xc, 0x99, {0x2}}}}, [@NL80211_ATTR_IFNAME={0x14, 0x4, 'syzkaller0\x00'}, @NL80211_ATTR_IFTYPE={0x8, 0x5, 0x6}]}, 0x4c}, 0x1, 0x0, 0x0, 0x81}, 0x24044884)
# r7 is closed immediately, so the SIOCSIFHWADDR below runs on a dead fd and
# should fail with EBADF; noise.
r7 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
close(r7)
socket$inet_sctp(0x2, 0x1, 0x84)
ioctl$SIOCSIFHWADDR(r7, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @link_local})
# ifindex of the new monitor interface (output slot -> r9, marker missing).
r8 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0})
# *** Crashing call. *** SOCK_RAW packet socket; 0x46 = 70 bytes are sent to a
# 0x14-byte sockaddr_ll reading as {family 0x11, proto 0x10, ifindex r9
# (syzkaller0), hatype 0x1, pkttype 0x80, halen 0x6, addr}. The payload's first
# bytes "00 0a 18 00 70 78 16 42" read as a radiotap header (version 0, it_len
# 0x18) and are what ieee80211_parse_tx_radiotap consumes, so the shift amount
# UBSAN flags is derived from attacker-controlled bytes that crossed from
# AF_PACKET into mac80211 with no intermediate frame in the trace. Which
# radiotap field feeds the shift at tx.c:2175 is not visible from this log.
r10 = socket$packet(0x11, 0x3, 0x300)
sendto$packet(r10, &(0x7f0000000480)="000a180070781642b3a7ec028050abdf000000aa344e4394637556c7fb31a9935c4bf7c2c1f066561b479864888fc06d22da08e815b218b175e62e90d9c5596d0330e8387a94", 0x46, 0x0, &(0x7f0000000380)={0x11, 0x10, r9, 0x1, 0x80, 0x6, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0x14)
# Everything below follows the crashing sendto in program order. It can only
# matter if the crash depends on an earlier iteration of the program (syzkaller
# repeats programs), which this log does not show.
connect$inet6(r3, &(0x7f0000000080)={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @empty}, 0x106}, 0x1c)
# bpf(BPF_MAP_CREATE) with a 0x50-byte attr union built from raw blobs and
# resource placeholders; unrelated to the mac80211 path.
bpf$MAP_CREATE(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="1e00000000040000d10100000100000001f30100", @ANYRES32, @ANYBLOB="59080000000000b3481836000000000000000000c86f52a7d1b5b17e1106670e77fad836b5c77cd7cf82f42048", @ANYRES32=0x0, @ANYRES32, @ANYBLOB="0100000000000000020000000100000000000000", @ANYRES32, @ANYBLOB, @ANYRES32, @ANYBLOB], 0x50)
# fd -1: fails with EBADF; noise.
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, &(0x7f0000000080)={'bond0\x00'})
# Unix stream socketpair; one end presumably becomes r11 (missing <r11=>
# marker), which is then handed a perf ioctl a socket cannot service.
socketpair(0x1, 0x1, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$PERF_EVENT_IOC_SET_FILTER(r11, 0x8948, &(0x7f0000000080))
connect$inet6(r3, &(0x7f0000000440)={0xa, 0x4e22, 0x7, @ipv4={'\x00', '\xff\xff', @empty}, 0x106}, 0x1c)
# RTM_NEWQDISC (0x24) on ifindex r9 (syzkaller0): hfsc qdisc plus a TCA_STAB
# table, i.e. the same interface the crash frame went out on. Whether it is
# needed for the repro is not established by this log.
sendmsg$nl_route_sched(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000280)=@newqdisc={0x68, 0x24, 0x3fe3aa0262d8c583, 0x0, 0x0, {0x0, 0x0, 0x0, r9, {}, {0xffff, 0xffff}, {0x0, 0x4}}, [@qdisc_kind_options=@q_hfsc={{0x9}, {0x14, 0x2, @TCA_HFSC_RSC={0x10}}}, @TCA_STAB={0x24, 0x8, 0x0, 0x1, [{{0x1c}, {0x4}}]}]}, 0x68}}, 0x0)
# ipset create with a mixed IPv4/IPv6 IPSET_ATTR_DATA payload; unrelated.
sendmsg$IPSET_CMD_CREATE(r1, &(0x7f0000000280)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f00000000c0)={&(0x7f0000000200)={0x70, 0x2, 0x6, 0x201, 0x0, 0x0, {0xa, 0x0, 0x7}, [@IPSET_ATTR_DATA={0x5c, 0x7, 0x0, 0x1, [@IPSET_ATTR_MARK={0x8, 0xa, 0x1, 0x0, 0x6}, @IPSET_ATTR_HASHSIZE={0x8, 0x12, 0x1, 0x0, 0x91}, @IPSET_ATTR_IP_TO={0xc, 0x2, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @private=0xa010101}}, @IPSET_ATTR_CADT_FLAGS={0x8, 0x8, 0x1, 0x0, 0xb2}, @IPSET_ATTR_IP={0x18, 0x1, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV6={0x14, 0x2, 0x1, 0x0, @private1}}, @IPSET_ATTR_MAXELEM={0x8, 0x13, 0x1, 0x0, 0x3}, @IPSET_ATTR_PROTO={0x5, 0x7, 0x8}, @IPSET_ATTR_IP_TO={0xc, 0x2, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @loopback}}]}]}, 0x70}, 0x1, 0x0, 0x0, 0x40000d1}, 0x10)
# --- end of program; kernel log begins here (not part of the reproducer) ---
[ 84.503559][ T5301] Bluetooth: hci0: command tx timeout
[ 84.577366][ T5326] netlink: 'syz.0.0': attribute type 33 has an invalid length.
[ 84.624955][ T5326] ------------[ cut here ]------------ [ 84.628018][ T5326] UBSAN: shift-out-of-bounds in net/mac80211/tx.c:2175:30 [ 84.631336][ T5326] shift exponent 128 is too large for 64-bit type 'unsigned long' [ 84.634767][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 84.634782][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.634789][ T5326] Call Trace: [ 84.634796][ T5326] [ 84.634802][ T5326] dump_stack_lvl+0xe8/0x150 [ 84.634897][ T5326] ubsan_epilogue+0xa/0x30 [ 84.634912][ T5326] __ubsan_handle_shift_out_of_bounds+0x385/0x410 [ 84.634983][ T5326] ieee80211_parse_tx_radiotap+0xadb/0x1950 [ 84.635029][ T5326] ? __pfx_ieee80211_parse_tx_radiotap+0x10/0x10 [ 84.635043][ T5326] ? ieee80211_select_queue_80211+0x216/0x380 [ 84.635066][ T5326] ieee80211_monitor_start_xmit+0xb1f/0x1250 [ 84.635081][ T5326] ? ieee80211_monitor_start_xmit+0x60d/0x1250 [ 84.635097][ T5326] ? __pfx_ieee80211_monitor_start_xmit+0x10/0x10 [ 84.635116][ T5326] dev_hard_start_xmit+0x2d8/0x870 [ 84.635146][ T5326] __dev_queue_xmit+0x16d1/0x3890 [ 84.635167][ T5326] ? __dev_queue_xmit+0x277/0x3890 [ 84.635191][ T5326] ? _copy_from_iter+0x21b/0x1670 [ 84.635212][ T5326] ? __pfx___dev_queue_xmit+0x10/0x10 [ 84.635224][ T5326] ? sock_alloc_send_pskb+0x896/0x990 [ 84.635243][ T5326] ? __pfx__copy_from_iter+0x10/0x10 [ 84.635266][ T5326] ? packet_parse_headers+0x4c9/0x790 [ 84.635281][ T5326] ? packet_parse_headers+0x575/0x790 [ 84.635296][ T5326] ? __pfx_packet_parse_headers+0x10/0x10 [ 84.635314][ T5326] ? packet_xmit+0x68/0x320 [ 84.635331][ T5326] packet_sendmsg+0x3eb6/0x50f0 [ 84.635358][ T5326] ? __futex_wait+0x1fc/0x420 [ 84.635371][ T5326] ? init_file+0x90/0x2b0 [ 84.635391][ T5326] ? __lock_acquire+0x6b5/0x2cf0 [ 84.635421][ T5326] ? aa_sk_perm+0x6d5/0x900 [ 84.635436][ T5326] ? __pfx_packet_sendmsg+0x10/0x10 [ 84.635461][ T5326] ? 
tomoyo_socket_sendmsg_permission+0x1e0/0x300 [ 84.635482][ T5326] ? aa_sock_msg_perm+0xf1/0x1b0 [ 84.635501][ T5326] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 84.635512][ T5326] ? __pfx_packet_sendmsg+0x10/0x10 [ 84.635531][ T5326] __sys_sendto+0x672/0x710 [ 84.635554][ T5326] ? __pfx___sys_sendto+0x10/0x10 [ 84.635582][ T5326] ? do_futex+0x333/0x420 [ 84.635608][ T5326] ? rcu_is_watching+0x15/0xb0 [ 84.635631][ T5326] __x64_sys_sendto+0xde/0x100 [ 84.635651][ T5326] do_syscall_64+0x14d/0xf80 [ 84.635665][ T5326] ? trace_irq_disable+0x3b/0x150 [ 84.635681][ T5326] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.635696][ T5326] ? clear_bhb_loop+0x40/0x90 [ 84.635714][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.635728][ T5326] RIP: 0033:0x7fae2d39c799 [ 84.635744][ T5326] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 84.635755][ T5326] RSP: 002b:00007fae2e1b7fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 84.635771][ T5326] RAX: ffffffffffffffda RBX: 00007fae2d615fa0 RCX: 00007fae2d39c799 [ 84.635782][ T5326] RDX: 0000000000000046 RSI: 0000200000000480 RDI: 000000000000000c [ 84.635790][ T5326] RBP: 00007fae2d432c99 R08: 0000200000000380 R09: 0000000000000014 [ 84.635800][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 84.635808][ T5326] R13: 00007fae2d616038 R14: 00007fae2d615fa0 R15: 00007ffdc2d17778 [ 84.635829][ T5326] [ 84.635835][ T5326] ---[ end trace ]--- [ 84.792319][ T5326] Kernel panic - not syncing: UBSAN: panic_on_warn set ... [ 84.796087][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 84.800622][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.804916][ T5326] Call Trace: [ 84.806375][ T5326] [ 84.807942][ T5326] vpanic+0x56c/0xa60 [ 84.809906][ T5326] ? 
__pfx_vpanic+0x10/0x10 [ 84.812394][ T5326] panic+0xc5/0xd0 [ 84.814454][ T5326] ? __pfx_panic+0x10/0x10 [ 84.816673][ T5326] ? __pfx__printk+0x10/0x10 [ 84.818817][ T5326] ? dump_stack_lvl+0x103/0x150 [ 84.820866][ T5326] check_panic_on_warn+0x89/0xb0 [ 84.823047][ T5326] __ubsan_handle_shift_out_of_bounds+0x385/0x410 [ 84.826579][ T5326] ieee80211_parse_tx_radiotap+0xadb/0x1950 [ 84.828919][ T5326] ? __pfx_ieee80211_parse_tx_radiotap+0x10/0x10 [ 84.831762][ T5326] ? ieee80211_select_queue_80211+0x216/0x380 [ 84.834567][ T5326] ieee80211_monitor_start_xmit+0xb1f/0x1250 [ 84.837433][ T5326] ? ieee80211_monitor_start_xmit+0x60d/0x1250 [ 84.840275][ T5326] ? __pfx_ieee80211_monitor_start_xmit+0x10/0x10 [ 84.843228][ T5326] dev_hard_start_xmit+0x2d8/0x870 [ 84.845794][ T5326] __dev_queue_xmit+0x16d1/0x3890 [ 84.848287][ T5326] ? __dev_queue_xmit+0x277/0x3890 [ 84.851161][ T5326] ? _copy_from_iter+0x21b/0x1670 [ 84.853928][ T5326] ? __pfx___dev_queue_xmit+0x10/0x10 [ 84.856402][ T5326] ? sock_alloc_send_pskb+0x896/0x990 [ 84.858802][ T5326] ? __pfx__copy_from_iter+0x10/0x10 [ 84.861236][ T5326] ? packet_parse_headers+0x4c9/0x790 [ 84.863978][ T5326] ? packet_parse_headers+0x575/0x790 [ 84.866811][ T5326] ? __pfx_packet_parse_headers+0x10/0x10 [ 84.869715][ T5326] ? packet_xmit+0x68/0x320 [ 84.871730][ T5326] packet_sendmsg+0x3eb6/0x50f0 [ 84.873686][ T5326] ? __futex_wait+0x1fc/0x420 [ 84.875693][ T5326] ? init_file+0x90/0x2b0 [ 84.877986][ T5326] ? __lock_acquire+0x6b5/0x2cf0 [ 84.881052][ T5326] ? aa_sk_perm+0x6d5/0x900 [ 84.883315][ T5326] ? __pfx_packet_sendmsg+0x10/0x10 [ 84.885667][ T5326] ? tomoyo_socket_sendmsg_permission+0x1e0/0x300 [ 84.888613][ T5326] ? aa_sock_msg_perm+0xf1/0x1b0 [ 84.891137][ T5326] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 84.893917][ T5326] ? __pfx_packet_sendmsg+0x10/0x10 [ 84.896543][ T5326] __sys_sendto+0x672/0x710 [ 84.898608][ T5326] ? __pfx___sys_sendto+0x10/0x10 [ 84.900759][ T5326] ? do_futex+0x333/0x420 [ 84.902781][ T5326] ? 
rcu_is_watching+0x15/0xb0 [ 84.905033][ T5326] __x64_sys_sendto+0xde/0x100 [ 84.907890][ T5326] do_syscall_64+0x14d/0xf80 [ 84.910505][ T5326] ? trace_irq_disable+0x3b/0x150 [ 84.912700][ T5326] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.915514][ T5326] ? clear_bhb_loop+0x40/0x90 [ 84.917748][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.920689][ T5326] RIP: 0033:0x7fae2d39c799 [ 84.923074][ T5326] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 84.932015][ T5326] RSP: 002b:00007fae2e1b7fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 84.935776][ T5326] RAX: ffffffffffffffda RBX: 00007fae2d615fa0 RCX: 00007fae2d39c799 [ 84.939134][ T5326] RDX: 0000000000000046 RSI: 0000200000000480 RDI: 000000000000000c [ 84.942769][ T5326] RBP: 00007fae2d432c99 R08: 0000200000000380 R09: 0000000000000014 [ 84.946315][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 84.950000][ T5326] R13: 00007fae2d616038 R14: 00007fae2d615fa0 R15: 00007ffdc2d17778 [ 84.953758][ T5326] [ 84.955478][ T5326] Kernel Offset: disabled [ 84.957572][ T5326] Rebooting in 86400 seconds..