program: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0) r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000580)=@base={0x8, 0x4, 0x4, 0x4, 0x0, 0x1, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x14, &(0x7f00000002c0)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r1, @ANYBLOB="0000000000000000b7080000fcffffff7b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000025000000180100002020732500000000002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000001000000095"], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$PROG_BIND_MAP(0xa, &(0x7f0000000640)={r2}, 0x70) r3 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=@newnexthop={0x24, 0x68, 0x1, 0x2, 0x7ffffffc, {}, [@NHA_GROUP={0xc, 0x2, [{0x1, 0x4}]}]}, 0x24}, 0x1, 0x0, 0x0, 0x24008000}, 0x4000) r4 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r4, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000380)=ANY=[@ANYBLOB="300000001800dd8d00000000000000000a000000000000060000000008001e0002"], 0x30}}, 0x4090) (async) r5 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r5, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=@ipv6_newnexthop={0x24, 0x68, 0x309, 0x0, 0x0, {}, [@NHA_FDB={0x4}, @NHA_ID={0x8, 0x1, 0x1}]}, 0x24}}, 0x0) (async, rerun: 64) r6 = socket$inet_tcp(0x2, 0x1, 0x0) (async, rerun: 64) r7 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) (async) r8 = creat(&(0x7f0000000280)='./file0\x00', 0x0) close(r8) (async) r9 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000300), 0x0, 0x0) ioctl$TIOCSETD(r9, 0x5423, &(0x7f0000000040)=0x1b) (async) r10 = ioctl$KVM_CREATE_VM(r7, 0xae01, 0x0) r11 = ioctl$KVM_CREATE_VCPU(r10, 0xae41, 0x0) syz_kvm_setup_cpu$x86(r8, r11, &(0x7f0000fe7000/0x18000)=nil, &(0x7f0000000100)=[@text64={0x40, 0x0}], 0x1, 0x4b, 0x0, 0x0) bind$inet(r6, &(0x7f0000000040)={0x2, 0x4e21, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10) [ 75.02[ 75.008189][ T5312] netlink: 12 bytes leftover after parsing attributes in process `syz.0.0'. [ 75.012428][ T5296] Bluetooth: hci0: command tx timeout [ 75.064741][ T5309] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000018: 0000 [#1] SMP KASAN NOPTI [ 75.069438][ T5309] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [ 75.072653][ T5309] CPU: 0 UID: 0 PID: 5309 Comm: kworker/0:5 Not tainted 6.15.0-rc4-syzkaller-00256-g95d3481af6dc #0 PREEMPT(full) [ 75.077213][ T5309] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.081289][ T5309] Workqueue: mld mld_ifc_work [ 75.083776][ T5309] RIP: 0010:find_match+0xa3/0xc90 [ 75.085830][ T5309] Code: 00 00 00 00 00 fc ff df 42 80 7c 25 00 00 74 08 48 89 df e8 2f a0 12 f8 48 89 d8 bb c0 00 00 00 48 03 18 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 0e a0 12 f8 48 8b 1b e8 36 09 47 [ 75.093468][ T5309] RSP: 0018:ffffc9000f52e6b0 EFLAGS: 00010206 [ 75.096096][ T5309] RAX: 0000000000000018 RBX: 00000000000000c0 RCX: 0000000000000000 [ 75.099396][ T5309] RDX: ffff88801d61a440 RSI: 0000000000000000 RDI: 0000000000000000 [ 75.102621][ T5309] RBP: 1ffff11003a7ec44 R08: ffffc9000f52ea40 R09: ffffc9000f52ea50 [ 75.105845][ T5309] R10: ffffc9000f52e8a0 R11: ffffffff8a0f1300 R12: dffffc0000000000 [ 75.109214][ T5309] R13: 0000000000000002 R14: 1ffff11003a7ec46 R15: ffff88801d3f6237 [ 75.112510][ T5309] FS: 0000000000000000(0000) GS:ffff88808d6cb000(0000) knlGS:0000000000000000 [ 75.116124][ T5309] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.118897][ T5309] CR2: 0000000000000000 CR3: 0000000050fa4000 CR4: 0000000000352ef0 [ 75.121899][ T5309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 75.125084][ T5309] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 75.128320][ T5309] Call Trace: [ 75.129728][ T5309] [ 75.131033][ T5309] ? do_raw_spin_lock+0x121/0x290 [ 75.133125][ T5309] rt6_nh_find_match+0xd9/0x150 [ 75.135705][ T5309] nexthop_for_each_fib6_nh+0x1c6/0x400 [ 75.137988][ T5309] ? __pfx_rt6_nh_find_match+0x10/0x10 [ 75.140329][ T5309] __find_rr_leaf+0x461/0x6d0 [ 75.142440][ T5309] ? __pfx___find_rr_leaf+0x10/0x10 [ 75.144618][ T5309] fib6_table_lookup+0x39f/0xa80 [ 75.146694][ T5309] ? __pfx_fib6_table_lookup+0x10/0x10 [ 75.148923][ T5309] ? ip6_pol_route+0x162/0x1180 [ 75.150893][ T5309] ip6_pol_route+0x222/0x1180 [ 75.152755][ T5309] ? __pfx_ip6_pol_route+0x10/0x10 [ 75.154897][ T5309] ? __lock_acquire+0xaac/0xd20 [ 75.156995][ T5309] fib6_rule_lookup+0x348/0x6f0 [ 75.159054][ T5309] ? __pfx_ip6_pol_route_output+0x10/0x10 [ 75.161444][ T5309] ? __pfx_fib6_rule_lookup+0x10/0x10 [ 75.163816][ T5309] ? ip6_route_output_flags+0x2e/0x5d0 [ 75.166137][ T5309] ? ip6_route_output_flags+0x2e/0x5d0 [ 75.168312][ T5309] ? do_user_cp_fault+0x146/0x4c0 [ 75.170432][ T5309] ip6_route_output_flags+0x364/0x5d0 [ 75.172692][ T5309] ? ip6_route_output_flags+0x2e/0x5d0 [ 75.175039][ T5309] ip6_dst_lookup_tail+0x1ae/0x1500 [ 75.177120][ T5309] ? __pfx_ip6_dst_lookup_tail+0x10/0x10 [ 75.179519][ T5309] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 75.181665][ T5309] ? arch_stack_walk+0x11c/0x150 [ 75.183771][ T5309] ? ret_from_fork_asm+0x1a/0x30 [ 75.186196][ T5309] ? __siphash_unaligned+0x263/0x3b0 [ 75.188907][ T5309] ip6_dst_lookup_flow+0x47/0xe0 [ 75.191433][ T5309] ? __pfx_ip6_dst_lookup_flow+0x10/0x10 [ 75.194289][ T5309] udp_tunnel6_dst_lookup+0x231/0x3c0 [ 75.197007][ T5309] ? __pfx_udp_tunnel6_dst_lookup+0x10/0x10 [ 75.199936][ T5309] ? geneve_get_dsfield+0xec/0x680 [ 75.202477][ T5309] ? __pfx_geneve_get_dsfield+0x10/0x10 [ 75.205083][ T5309] ? ret_from_fork+0x4b/0x80 [ 75.207419][ T5309] geneve_xmit+0xd2e/0x2b70 [ 75.209745][ T5309] ? __lock_acquire+0xaac/0xd20 [ 75.211797][ T5309] ? __pfx_skb_network_protocol+0x10/0x10 [ 75.214169][ T5309] ? geneve_xmit+0x128/0x2b70 [ 75.216200][ T5309] ? __pfx_validate_xmit_xfrm+0x10/0x10 [ 75.218651][ T5309] ? __pfx_geneve_xmit+0x10/0x10 [ 75.220765][ T5309] dev_hard_start_xmit+0x2ff/0x880 [ 75.222955][ T5309] __dev_queue_xmit+0x1adf/0x3a70 [ 75.225134][ T5309] ? __dev_queue_xmit+0x27e/0x3a70 [ 75.227393][ T5309] ? __pfx_fib_rules_lookup+0x10/0x10 [ 75.229618][ T5309] ? __pfx___dev_queue_xmit+0x10/0x10 [ 75.231885][ T5309] ? l3mdev_update_flow+0x4d1/0x640 [ 75.234144][ T5309] ? look_up_lock_class+0x74/0x170 [ 75.236258][ T5309] ? register_lock_class+0x51/0x320 [ 75.238424][ T5309] ? __lock_acquire+0xaac/0xd20 [ 75.240492][ T5309] ? ip6_finish_output+0x234/0x7d0 [ 75.242641][ T5309] ? ip6_finish_output2+0xf99/0x16a0 [ 75.244968][ T5309] ip6_finish_output2+0x11bc/0x16a0 [ 75.247242][ T5309] ? ip6_finish_output2+0x701/0x16a0 [ 75.249526][ T5309] ? __pfx_ip6_finish_output2+0x10/0x10 [ 75.251993][ T5309] ? ip6_mtu+0x7d/0x3f0 [ 75.253899][ T5309] ? ip6_mtu+0x7d/0x3f0 [ 75.255811][ T5309] ip6_finish_output+0x234/0x7d0 [ 75.258045][ T5309] NF_HOOK+0x9e/0x380 [ 75.259753][ T5309] ? NF_HOOK+0x101/0x380 [ 75.261635][ T5309] ? __pfx_NF_HOOK+0x10/0x10 [ 75.263720][ T5309] ? __pfx_dst_output+0x10/0x10 [ 75.265838][ T5309] ? icmp6_dst_alloc+0x3a5/0x420 [ 75.267964][ T5309] ? icmp6_dst_alloc+0x3a5/0x420 [ 75.270115][ T5309] mld_sendpack+0x800/0xd80 [ 75.272097][ T5309] ? mld_sendpack+0x1de/0xd80 [ 75.274155][ T5309] ? __pfx_mld_sendpack+0x10/0x10 [ 75.276439][ T5309] mld_ifc_work+0x835/0xde0 [ 75.278478][ T5309] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.280699][ T5309] ? process_scheduled_works+0x9ec/0x17a0 [ 75.283167][ T5309] process_scheduled_works+0xadb/0x17a0 [ 75.285561][ T5309] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.288126][ T5309] worker_thread+0x8a0/0xda0 [ 75.290059][ T5309] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 75.292699][ T5309] ? __kthread_parkme+0x7b/0x200 [ 75.294845][ T5309] kthread+0x70e/0x8a0 [ 75.296582][ T5309] ? __pfx_worker_thread+0x10/0x10 [ 75.298834][ T5309] ? __pfx_kthread+0x10/0x10 [ 75.300828][ T5309] ? __pfx_kthread+0x10/0x10 [ 75.302810][ T5309] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.305103][ T5309] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.307375][ T5309] ? __pfx_kthread+0x10/0x10 [ 75.309349][ T5309] ret_from_fork+0x4b/0x80 [ 75.311255][ T5309] ? __pfx_kthread+0x10/0x10 [ 75.313226][ T5309] ret_from_fork_asm+0x1a/0x30 [ 75.315356][ T5309] [ 75.316730][ T5309] Modules linked in: [ 75.318582][ T5309] ---[ end trace 0000000000000000 ]--- [ 75.320910][ T5309] RIP: 0010:find_match+0xa3/0xc90 [ 75.323054][ T5309] Code: 00 00 00 00 00 fc ff df 42 80 7c 25 00 00 74 08 48 89 df e8 2f a0 12 f8 48 89 d8 bb c0 00 00 00 48 03 18 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 0e a0 12 f8 48 8b 1b e8 36 09 47 [ 75.331061][ T5309] RSP: 0018:ffffc9000f52e6b0 EFLAGS: 00010206 [ 75.333573][ T5309] RAX: 0000000000000018 RBX: 00000000000000c0 RCX: 0000000000000000 [ 75.336854][ T5309] RDX: ffff88801d61a440 RSI: 0000000000000000 RDI: 0000000000000000 [ 75.340251][ T5309] RBP: 1ffff11003a7ec44 R08: ffffc9000f52ea40 R09: ffffc9000f52ea50 [ 75.343579][ T5309] R10: ffffc9000f52e8a0 R11: ffffffff8a0f1300 R12: dffffc0000000000 [ 75.346858][ T5309] R13: 0000000000000002 R14: 1ffff11003a7ec46 R15: ffff88801d3f6237 [ 75.350198][ T5309] FS: 0000000000000000(0000) GS:ffff88808d6cb000(0000) knlGS:0000000000000000 [ 75.353928][ T5309] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.356644][ T5309] CR2: 0000000000000000 CR3: 0000000050fa4000 CR4: 0000000000352ef0 [ 75.360109][ T5309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 75.363454][ T5309] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 75.366698][ T5309] Kernel panic - not syncing: Fatal exception in interrupt [ 75.369980][ T5309] Kernel Offset: disabled [ 75.371826][ T5309] Rebooting in 86400 seconds..