program:
r0 = socket$unix(0x1, 0x1, 0x0)
r1 = socket$unix(0x1, 0x1, 0x0)
r2 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)
ioctl$TUNSETIFF(r2, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101})
r3 = socket(0x400000000010, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0})
sendmsg$nl_route_sched(r3, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000005c0)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd2a, 0xffffffff, {0x0, 0x0, 0x0, r4, {0x0, 0xfff1}, {0xffff, 0xffff}, {0x0, 0xb}}, [@qdisc_kind_options=@q_multiq={{0xb}, {0x8, 0x2, {0x0, 0x2}}}]}, 0x38}}, 0x0)
sendmsg$nl_route_sched(r3, &(0x7f0000000580)={0x0, 0x0, &(0x7f00000006c0)={&(0x7f0000000280)=@newtfilter={0x98, 0x2c, 0xd27, 0x30bd29, 0x25dfdc00, {0x0, 0x0, 0x0, r4, {0xd, 0x5}, {}, {0x7, 0x3}}, [@filter_kind_options=@f_matchall={{0xd}, {0x64, 0x2, [@TCA_MATCHALL_ACT={0x60, 0x2, [@m_ife={0x5c, 0x1, 0x0, 0x0, {{0x8}, {0x34, 0x2, 0x0, 0x1, [@TCA_IFE_PARMS={0x1c, 0x1, {{0x8, 0xfff, 0x0, 0xa, 0x3}, 0x1}}, @TCA_IFE_METALST={0x14, 0x6, [@IFE_META_PRIO={0x8, 0x3, @val=0x7}, @IFE_META_TCINDEX={0x6, 0x5, @val=0x8}]}]}, {0x4}, {0xc}, {0xc, 0x8, {0x2, 0x3}}}}]}]}}]}, 0x98}}, 0x0)
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
close(r5)
socket$inet_sctp(0x2, 0x5, 0x84)
ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @link_local})
r6 = socket$kcm(0x11, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0})
sendmsg$kcm(r6, &(0x7f00000000c0)={&(0x7f0000000380)=@xdp={0x2c, 0x7, r7, 0x3e}, 0x80, &(0x7f0000000080)=[{&(0x7f0000000140)='\r', 0x1}], 0x1}, 0x4) (fail_nth: 6)

[ 75.576694][ T47] Bluetooth: hci0: command tx timeout
[ 75.630685][ T5335] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
[ 75.635039][ T5335] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 75.638163][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 75.641616][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 75.645366][ T5335] RIP: 0010:ife_tlv_meta_encode+0x46/0xb0
[ 75.647947][ T5335] Code: 70 87 71 f6 45 8d 77 07 4d 8d 65 04 c1 e5 10 44 89 fb 83 c3 04 09 eb 0f cb 4c 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <0f> b6 04 08 84 c0 75 43 41 89 5d 00 41 81 e6 fc ff 00 00 41 8d 46
[ 75.656108][ T5335] RSP: 0018:ffffc9000a09ef60 EFLAGS: 00010246
[ 75.658679][ T5335] RAX: 0000000000000000 RBX: 0000000008000300 RCX: dffffc0000000000
[ 75.661997][ T5335] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000000
[ 75.665311][ T5335] RBP: 0000000000030000 R08: 0000000000000003 R09: 0000000000000004
[ 75.668732][ T5335] R10: dffffc0000000000 R11: ffffffff897bb640 R12: 0000000000000004
[ 75.671819][ T5335] R13: 0000000000000000 R14: 000000000000000b R15: 0000000000000004
[ 75.675110][ T5335] FS: 00007fbc5fdf36c0(0000) GS:ffff88808cf1d000(0000) knlGS:0000000000000000
[ 75.679098][ T5335] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.681984][ T5335] CR2: 00007fbc5fd4d9d0 CR3: 0000000011c50000 CR4: 0000000000352ef0
[ 75.685435][ T5335] Call Trace:
[ 75.686926][ T5335]
[ 75.688255][ T5335] ife_encode_meta_u32+0x126/0x1c0
[ 75.690413][ T5335] ? tcf_ife_act+0x1067/0x1d80
[ 75.692483][ T5335] ? __pfx_ife_encode_meta_u32+0x10/0x10
[ 75.694814][ T5335] ? ife_encode+0x3cf/0x4e0
[ 75.696720][ T5335] tcf_ife_act+0x10fd/0x1d80
[ 75.698774][ T5335] ? __pfx_tcf_ife_act+0x10/0x10
[ 75.701077][ T5335] ? save_trace+0x2c4/0x390
[ 75.703049][ T5335] ? lockdep_unlock+0x5d/0xd0
[ 75.705124][ T5335] ? mark_lock+0x180/0x190
[ 75.707009][ T5335] tcf_action_exec+0x185/0x8e0
[ 75.709060][ T5335] tcf_classify+0x4cf/0x1130
[ 75.711083][ T5335] multiq_enqueue+0x102/0x4d0
[ 75.712864][ T5335] ? __pfx_multiq_enqueue+0x10/0x10
[ 75.715152][ T5335] ? do_raw_spin_lock+0x12b/0x2f0
[ 75.717358][ T5335] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 75.719742][ T5335] dev_qdisc_enqueue+0x4e/0x240
[ 75.722085][ T5335] ? __dev_queue_xmit+0x1916/0x32b0
[ 75.724356][ T5335] __dev_queue_xmit+0x1933/0x32b0
[ 75.726584][ T5335] ? __dev_queue_xmit+0x2a7/0x32b0
[ 75.728845][ T5335] ? _copy_from_iter+0x21b/0x1670
[ 75.731181][ T5335] ? __pfx___dev_queue_xmit+0x10/0x10
[ 75.733576][ T5335] ? sock_alloc_send_pskb+0x896/0x990
[ 75.735874][ T5335] ? packet_parse_headers+0x808/0xb50
[ 75.738172][ T5335] ? packet_parse_headers+0x8b5/0xb50
[ 75.740466][ T5335] ? __pfx_sock_alloc_send_pskb+0x10/0x10
[ 75.742860][ T5335] ? __pfx_packet_parse_headers+0x10/0x10
[ 75.745291][ T5335] ? skb_copy_datagram_from_iter+0x60c/0x710
[ 75.747873][ T5335] ? packet_xmit+0x68/0x320
[ 75.749819][ T5335] packet_sendmsg+0x3eb6/0x50f0
[ 75.751985][ T5335] ? __percpu_rwsem_trylock+0xd7/0x160
[ 75.754301][ T5335] ? unwind_next_frame+0xa5/0x23c0
[ 75.756587][ T5335] ? unwind_next_frame+0xa5/0x23c0
[ 75.758849][ T5335] ? unwind_next_frame+0xa5/0x23c0
[ 75.761096][ T5335] ? rcu_is_watching+0x15/0xb0
[ 75.763181][ T5335] ? __kasan_check_byte+0x12/0x40
[ 75.765529][ T5335] ? aa_sk_perm+0x15a/0x960
[ 75.767981][ T5335] ? aa_sk_perm+0x82d/0x960
[ 75.770579][ T5335] ? __pfx_packet_sendmsg+0x10/0x10
[ 75.772909][ T5335] ? tomoyo_socket_sendmsg_permission+0x1e0/0x300
[ 75.775791][ T5335] ? aa_sock_msg_perm+0xf1/0x1b0
[ 75.778010][ T5335] ? bpf_lsm_socket_sendmsg+0x9/0x20
[ 75.780388][ T5335] ? __pfx_packet_sendmsg+0x10/0x10
[ 75.782631][ T5335] __sock_sendmsg+0x21c/0x270
[ 75.784745][ T5335] ____sys_sendmsg+0x4d7/0x810
[ 75.786985][ T5335] ? __pfx_____sys_sendmsg+0x10/0x10
[ 75.789350][ T5335] ? import_iovec+0x73/0xa0
[ 75.791472][ T5335] ___sys_sendmsg+0x2a5/0x360
[ 75.793596][ T5335] ? __lock_acquire+0x6b5/0x2cf0
[ 75.795920][ T5335] ? __pfx____sys_sendmsg+0x10/0x10
[ 75.798325][ T5335] ? __fget_files+0x2a/0x420
[ 75.800464][ T5335] ? __fget_files+0x3a0/0x420
[ 75.802138][ T5335] __x64_sys_sendmsg+0x1bd/0x2a0
[ 75.803791][ T5335] ? __pfx___x64_sys_sendmsg+0x10/0x10
[ 75.805908][ T5335] ? __pfx_ksys_write+0x10/0x10
[ 75.807973][ T5335] do_syscall_64+0xe2/0xf80
[ 75.810080][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.812902][ T5335] ? trace_irq_disable+0x37/0x100
[ 75.815153][ T5335] ? clear_bhb_loop+0x60/0xb0
[ 75.817249][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.819819][ T5335] RIP: 0033:0x7fbc5ef9acb9
[ 75.821706][ T5335] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 75.830126][ T5335] RSP: 002b:00007fbc5fdf3028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 75.833823][ T5335] RAX: ffffffffffffffda RBX: 00007fbc5f215fa0 RCX: 00007fbc5ef9acb9
[ 75.837010][ T5335] RDX: 0000000000000004 RSI: 00002000000000c0 RDI: 0000000000000008
[ 75.840216][ T5335] RBP: 00007fbc5fdf3090 R08: 0000000000000000 R09: 0000000000000000
[ 75.843424][ T5335] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 75.847081][ T5335] R13: 00007fbc5f216038 R14: 00007fbc5f215fa0 R15: 00007ffcbbd23568
[ 75.850651][ T5335]
[ 75.852006][ T5335] Modules linked in:
[ 75.853911][ T5335] ---[ end trace 0000000000000000 ]---
[ 75.856589][ T5335] RIP: 0010:ife_tlv_meta_encode+0x46/0xb0
[ 75.859476][ T5335] Code: 70 87 71 f6 45 8d 77 07 4d 8d 65 04 c1 e5 10 44 89 fb 83 c3 04 09 eb 0f cb 4c 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <0f> b6 04 08 84 c0 75 43 41 89 5d 00 41 81 e6 fc ff 00 00 41 8d 46
[ 75.867863][ T5335] RSP: 0018:ffffc9000a09ef60 EFLAGS: 00010246
[ 75.870585][ T5335] RAX: 0000000000000000 RBX: 0000000008000300 RCX: dffffc0000000000
[ 75.874091][ T5335] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000000
[ 75.877488][ T5335] RBP: 0000000000030000 R08: 0000000000000003 R09: 0000000000000004
[ 75.880564][ T5335] R10: dffffc0000000000 R11: ffffffff897bb640 R12: 0000000000000004
[ 75.884153][ T5335] R13: 0000000000000000 R14: 000000000000000b R15: 0000000000000004
[ 75.887580][ T5335] FS: 00007fbc5fdf36c0(0000) GS:ffff88808cf1d000(0000) knlGS:0000000000000000
[ 75.892023][ T5335] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.894700][ T5335] CR2: 00007fbc5fd4d9d0 CR3: 0000000011c50000 CR4: 0000000000352ef0
[ 75.898568][ T5335] Kernel panic - not syncing: Fatal exception in interrupt
[ 75.902110][ T5335] Kernel Offset: disabled
[ 75.904302][ T5335] Rebooting in 86400 seconds..