program:
# Syzkaller reproducer (one call per line; "(async)" marks calls the executor may run without waiting).
# The kernel log that follows reports a KASAN null-ptr-deref in find_match(), reached through
# nexthop_for_each_fib6_nh() during an IPv6 route lookup on the addrconf DAD workqueue.
# Triage note: the rtnetlink messages below build the nexthop/route state that this lookup later walks.
# NOTE(review): RTM_NEWNEXTHOP / RTM_NEWROUTE normally require CAP_NET_ADMIN over the network namespace;
# whether unprivileged user namespaces can reach this path depends on host configuration - confirm.

# Netlink route socket: AF_NETLINK (0x10), SOCK_RAW (0x3), NETLINK_ROUTE (0x0).
r0 = socket$nl_route(0x10, 0x3, 0x0)
# TCP socket (AF_INET, SOCK_STREAM) plus two queries on it; these do not touch the nexthop/route
# objects named in the call trace and are presumably fuzzer noise - verify by minimising.
r1 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_TIOCOUTQ(r1, 0x5411, &(0x7f00000000c0)) (async)
getpeername$inet(r1, &(0x7f0000000040)={0x2, 0x0, @loopback}, &(0x7f0000000080)=0x10) (async)
# Message type 0x68 (RTM_NEWNEXTHOP) whose only attribute is NHA_BLACKHOLE. No NHA_ID is supplied,
# so the kernel chooses the id; presumably this becomes nexthop id 1, which later calls refer to - confirm.
# The flags value is wider than the 16-bit nlmsg_flags field, so only its low bits can take effect.
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
# RTM_NEWNEXTHOP carrying NHA_GROUP with a single member {id 0x1, weight 0x4}. Again no NHA_ID,
# so the group id is kernel-assigned; presumably 2, matching the RTA_NH_ID used by the route below - confirm.
sendmsg$nl_route(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=@newnexthop={0x24, 0x68, 0x1, 0x2, 0x7ffffffc, {}, [@NHA_GROUP={0xc, 0x2, [{0x1, 0x4}]}]}, 0x24}, 0x1, 0x0, 0x0, 0x24008000}, 0x4000)
r3 = socket$nl_route(0x10, 0x3, 0x0)
# Raw blob decoded: nlmsg_len 0x30, nlmsg_type 0x18 (RTM_NEWROUTE), rtm_family 0x0a (AF_INET6),
# rtm_dst_len 0, rtm_type 6, then one 8-byte attribute of type 0x1e (RTA_NH_ID) with value 2.
# Header (16) + rtmsg (12) + attribute (8) = 36 of the declared 48 bytes, which is consistent with the
# "netlink: 12 bytes leftover after parsing attributes" warning printed just before the crash.
sendmsg$nl_route(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000380)=ANY=[@ANYBLOB="300000001800dd8d00000000000000000a000000000000060000000008001e0002"], 0x30}}, 0x4090) (async)
r4 = socket$nl_route(0x10, 0x3, 0x0)
# RTM_NEWNEXTHOP with flags 0x309 (includes NLM_F_REPLACE, 0x100), NHA_FDB and NHA_ID = 1: a replace of
# nexthop id 1 by an FDB nexthop. NOTE(review): if id 1 is still a member of the group referenced by the
# IPv6 route above, the route lookup would walk a nexthop without the per-device data find_match()
# dereferences (fault range 0xc0-0xc7 in the log) - this is the likely root cause; confirm against the
# kernel's nexthop replace validation and check whether the running kernel rejects this FDB status change.
sendmsg$nl_route(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=@ipv6_newnexthop={0x24, 0x68, 0x309, 0x0, 0x0, {}, [@NHA_FDB={0x4}, @NHA_ID={0x8, 0x1, 0x1}]}, 0x24}}, 0x0)
[ 73.780589][ T4667] Bluetooth: hci0: command tx timeout
[ 73.820424][ T5313] netlink: 12 bytes leftover after parsing attributes in process `syz.0.0'. 
[ 73.883678][ T183] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000018: 0000 [#1] SMP KASAN NOPTI [ 73.888743][ T183] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [ 73.892379][ T183] CPU: 0 UID: 0 PID: 183 Comm: kworker/u4:5 Not tainted 6.15.0-syzkaller-03478-gc89756bcf406 #0 PREEMPT(full) [ 73.897310][ T183] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 73.901806][ T183] Workqueue: ipv6_addrconf addrconf_dad_work [ 73.904519][ T183] RIP: 0010:find_match+0xa3/0xc90 [ 73.906695][ T183] Code: 00 00 00 00 00 fc ff df 42 80 7c 25 00 00 74 08 48 89 df e8 7f f9 0b f8 48 89 d8 bb c0 00 00 00 48 03 18 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 5e f9 0b f8 48 8b 1b e8 56 3f 47 [ 73.914672][ T183] RSP: 0018:ffffc90001b0e430 EFLAGS: 00010206 [ 73.917161][ T183] RAX: 0000000000000018 RBX: 00000000000000c0 RCX: 0000000000000000 [ 73.920447][ T183] RDX: ffff888000e0c880 RSI: 0000000000000000 RDI: 0000000000000000 [ 73.923848][ T183] RBP: 1ffff11006c41bc4 R08: ffffc90001b0e7c0 R09: ffffc90001b0e7d0 [ 73.927122][ T183] R10: ffffc90001b0e620 R11: ffffffff8a16d760 R12: dffffc0000000000 [ 73.930480][ T183] R13: 0000000000000002 R14: 1ffff11006c41bc6 R15: ffff88803620de37 [ 73.933920][ T183] FS: 0000000000000000(0000) GS:ffff88808d28f000(0000) knlGS:0000000000000000 [ 73.937574][ T183] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 73.940494][ T183] CR2: 00007f7b57984538 CR3: 000000005146f000 CR4: 0000000000352ef0 [ 73.943915][ T183] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 73.947294][ T183] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 73.950711][ T183] Call Trace: [ 73.952218][ T183] [ 73.953488][ T183] rt6_nh_find_match+0xd9/0x150 [ 73.955590][ T183] nexthop_for_each_fib6_nh+0x1c6/0x400 [ 73.957961][ T183] ? 
__pfx_rt6_nh_find_match+0x10/0x10 [ 73.960309][ T183] __find_rr_leaf+0x461/0x6d0 [ 73.962397][ T183] ? __pfx___find_rr_leaf+0x10/0x10 [ 73.964507][ T183] fib6_table_lookup+0x39f/0xa80 [ 73.966580][ T183] ? __pfx_fib6_table_lookup+0x10/0x10 [ 73.968862][ T183] ? ip6_pol_route+0x162/0x1180 [ 73.970957][ T183] ip6_pol_route+0x222/0x1180 [ 73.972926][ T183] ? __pfx_ip6_pol_route+0x10/0x10 [ 73.975086][ T183] ? unwind_next_frame+0xa5/0x2390 [ 73.977232][ T183] fib6_rule_lookup+0x348/0x6f0 [ 73.979305][ T183] ? __pfx_ip6_pol_route_output+0x10/0x10 [ 73.981770][ T183] ? __pfx_fib6_rule_lookup+0x10/0x10 [ 73.984054][ T183] ? ip6_route_output_flags+0x2e/0x5d0 [ 73.986312][ T183] ? ip6_route_output_flags+0x2e/0x5d0 [ 73.988603][ T183] ? __lock_acquire+0xab9/0xd20 [ 73.990645][ T183] ip6_route_output_flags+0x364/0x5d0 [ 73.992927][ T183] ? ip6_route_output_flags+0x2e/0x5d0 [ 73.995287][ T183] ip6_dst_lookup_tail+0x1ae/0x1500 [ 73.997465][ T183] ? __pfx_ip6_dst_lookup_tail+0x10/0x10 [ 73.999847][ T183] ? __lock_acquire+0xab9/0xd20 [ 74.001886][ T183] ? __lock_acquire+0xab9/0xd20 [ 74.003886][ T183] ? __siphash_unaligned+0x263/0x3b0 [ 74.006112][ T183] ip6_dst_lookup_flow+0x47/0xe0 [ 74.008207][ T183] ? __pfx_ip6_dst_lookup_flow+0x10/0x10 [ 74.010557][ T183] udp_tunnel6_dst_lookup+0x231/0x3c0 [ 74.012807][ T183] ? __pfx_udp_tunnel6_dst_lookup+0x10/0x10 [ 74.015253][ T183] ? geneve_get_dsfield+0xec/0x680 [ 74.017458][ T183] ? __pfx_geneve_get_dsfield+0x10/0x10 [ 74.019806][ T183] geneve_xmit+0xd2e/0x2b70 [ 74.021712][ T183] ? __pfx_skb_network_protocol+0x10/0x10 [ 74.024164][ T183] ? geneve_xmit+0x128/0x2b70 [ 74.026118][ T183] ? __pfx_validate_xmit_xfrm+0x10/0x10 [ 74.028457][ T183] ? __pfx_geneve_xmit+0x10/0x10 [ 74.030538][ T183] dev_hard_start_xmit+0x302/0x880 [ 74.032646][ T183] __dev_queue_xmit+0x1adf/0x3a70 [ 74.034722][ T183] ? __dev_queue_xmit+0x27e/0x3a70 [ 74.036854][ T183] ? fib_rules_lookup+0x96/0xe90 [ 74.038942][ T183] ? 
__pfx_fib_rules_lookup+0x10/0x10 [ 74.041205][ T183] ? __pfx___dev_queue_xmit+0x10/0x10 [ 74.043412][ T183] ? l3mdev_update_flow+0x4d1/0x640 [ 74.045610][ T183] ? __lock_acquire+0xab9/0xd20 [ 74.047678][ T183] ? __lock_acquire+0xab9/0xd20 [ 74.049769][ T183] ? ip6_finish_output+0x234/0x7d0 [ 74.051939][ T183] ? ip6_finish_output2+0xf99/0x16a0 [ 74.054161][ T183] ip6_finish_output2+0x11bc/0x16a0 [ 74.056460][ T183] ? ip6_finish_output2+0x701/0x16a0 [ 74.058723][ T183] ? __pfx_ip6_finish_output2+0x10/0x10 [ 74.061036][ T183] ? ip6_mtu+0x7d/0x3f0 [ 74.062779][ T183] ? ip6_mtu+0x7d/0x3f0 [ 74.064601][ T183] ip6_finish_output+0x234/0x7d0 [ 74.066684][ T183] NF_HOOK+0x9e/0x380 [ 74.068506][ T183] ? NF_HOOK+0x101/0x380 [ 74.070229][ T183] ? __pfx_NF_HOOK+0x10/0x10 [ 74.072154][ T183] ? __pfx_dst_output+0x10/0x10 [ 74.074196][ T183] ? icmp6_dst_alloc+0x3a5/0x420 [ 74.076237][ T183] ? icmp6_dst_alloc+0x3a5/0x420 [ 74.078372][ T183] mld_sendpack+0x800/0xd80 [ 74.080288][ T183] ? __asan_memcpy+0x40/0x70 [ 74.082274][ T183] ? mld_sendpack+0x1de/0xd80 [ 74.084267][ T183] ? __pfx_mld_sendpack+0x10/0x10 [ 74.086319][ T183] ? mld_send_initial_cr+0x2f7/0x4c0 [ 74.088540][ T183] ipv6_mc_dad_complete+0x88/0x4b0 [ 74.090721][ T183] addrconf_dad_completed+0x6d5/0xd60 [ 74.092993][ T183] ? __pfx_addrconf_dad_completed+0x10/0x10 [ 74.095450][ T183] ? addrconf_dad_work+0xd83/0x14b0 [ 74.097682][ T183] addrconf_dad_work+0xc36/0x14b0 [ 74.099818][ T183] ? __lock_acquire+0xab9/0xd20 [ 74.101911][ T183] ? __pfx_addrconf_dad_work+0x10/0x10 [ 74.104172][ T183] ? process_scheduled_works+0x9ec/0x17a0 [ 74.106571][ T183] ? _raw_spin_unlock_irq+0x23/0x50 [ 74.108724][ T183] ? process_scheduled_works+0x9ec/0x17a0 [ 74.111064][ T183] ? process_scheduled_works+0x9ec/0x17a0 [ 74.113434][ T183] process_scheduled_works+0xadb/0x17a0 [ 74.115778][ T183] ? __pfx_process_scheduled_works+0x10/0x10 [ 74.118302][ T183] worker_thread+0x8a0/0xda0 [ 74.120380][ T183] ? 
__pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 74.123023][ T183] ? __kthread_parkme+0x7b/0x200 [ 74.125084][ T183] kthread+0x711/0x8a0 [ 74.126842][ T183] ? __pfx_worker_thread+0x10/0x10 [ 74.129048][ T183] ? __pfx_kthread+0x10/0x10 [ 74.131075][ T183] ? _raw_spin_unlock_irq+0x23/0x50 [ 74.133268][ T183] ? lockdep_hardirqs_on+0x9c/0x150 [ 74.135424][ T183] ? __pfx_kthread+0x10/0x10 [ 74.137348][ T183] ret_from_fork+0x3fc/0x770 [ 74.139316][ T183] ? __pfx_ret_from_fork+0x10/0x10 [ 74.141485][ T183] ? __pfx_kthread+0x10/0x10 [ 74.143496][ T183] ret_from_fork_asm+0x1a/0x30 [ 74.145534][ T183] [ 74.146825][ T183] Modules linked in: [ 74.148629][ T183] ---[ end trace 0000000000000000 ]--- [ 74.150982][ T183] RIP: 0010:find_match+0xa3/0xc90 [ 74.153237][ T183] Code: 00 00 00 00 00 fc ff df 42 80 7c 25 00 00 74 08 48 89 df e8 7f f9 0b f8 48 89 d8 bb c0 00 00 00 48 03 18 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 5e f9 0b f8 48 8b 1b e8 56 3f 47 [ 74.160563][ T183] RSP: 0018:ffffc90001b0e430 EFLAGS: 00010206 [ 74.163009][ T183] RAX: 0000000000000018 RBX: 00000000000000c0 RCX: 0000000000000000 [ 74.166113][ T183] RDX: ffff888000e0c880 RSI: 0000000000000000 RDI: 0000000000000000 [ 74.169215][ T183] RBP: 1ffff11006c41bc4 R08: ffffc90001b0e7c0 R09: ffffc90001b0e7d0 [ 74.172608][ T183] R10: ffffc90001b0e620 R11: ffffffff8a16d760 R12: dffffc0000000000 [ 74.176076][ T183] R13: 0000000000000002 R14: 1ffff11006c41bc6 R15: ffff88803620de37 [ 74.179501][ T183] FS: 0000000000000000(0000) GS:ffff88808d28f000(0000) knlGS:0000000000000000 [ 74.183372][ T183] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 74.186283][ T183] CR2: 00007f7b57984538 CR3: 000000005146f000 CR4: 0000000000352ef0 [ 74.189717][ T183] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 74.192949][ T183] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 74.196123][ T183] Kernel panic - not syncing: Fatal exception in interrupt [ 74.199296][ T183] Kernel Offset: 
disabled [ 74.201029][ T183] Rebooting in 86400 seconds..