program: r0 = openat$drirender128(0xffffffffffffff9c, &(0x7f0000000400), 0x800, 0x0) readv(r0, &(0x7f0000000940)=[{&(0x7f0000000440)=""/152, 0x98}], 0x1) (async) setrlimit(0x2, &(0x7f0000000040)={0x4000051, 0xfffffffa}) prctl$PR_SET_MM(0x23, 0x1, &(0x7f00007d8000/0x1000)=nil) r1 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0) (async) r2 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=@newnexthop={0x24, 0x68, 0x1, 0x2, 0x7ffffffc, {}, [@NHA_GROUP={0xc, 0x2, [{0x1, 0x4}]}]}, 0x24}, 0x1, 0x0, 0x0, 0x24008000}, 0x4000) (async) r3 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r3, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000380)=ANY=[@ANYBLOB="300000001800dd8d00000000000000000a000000000000060000000008001e0002"], 0x30}}, 0x4090) (async) r4 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=@ipv6_newnexthop={0x24, 0x68, 0x309, 0x0, 0x0, {}, [@NHA_FDB={0x4}, @NHA_ID={0x8, 0x1, 0x1}]}, 0x24}}, 0x0) (async) r5 = socket$inet_icmp_raw(0x2, 0x3, 0x1) (async) r6 = syz_open_dev$vim2m(&(0x7f0000000000), 0x7f, 0x2) ioctl$vim2m_VIDIOC_S_FMT(r6, 0xc0d05605, &(0x7f0000000140)={0x1, @vbi={0x7f, 0x8000, 0xf, 0x33424752, [0x10000, 0xffffffff], [0x1, 0x1], 0x1}}) (async) setsockopt$inet_buf(r5, 0x0, 0x8008000000010, &(0x7f0000000000)="170000000200010000ffbe8c5ee17688a20033000202000aff3f000057fce46d0a00d65ad90200bb6a880000d6c8db0000dba67e06020000e28900000a00df01800a000000fc0607bdff59100ac45761547ae81f009cee4a5acb3da400001fb700674f00c88ebbf9315033bf79ac2dfc060115003901000000000000ea000000000000000062068f5ee50ce5af9b1c568311ffff02ff030000ba000840024f0298e9e90539062a80e605007f71174aa951f3c63e5a1b47b6", 0xb8) [ 86.843917][ T5360] netlink: 12 bytes leftover after parsing attributes in process `syz.0.0'. [ 86.858937][ T5337] Bluetooth: hci0: command tx timeout [ 86.973799][ T1135] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000018: 0000 [#1] SMP KASAN NOPTI [ 86.979393][ T1135] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [ 86.983164][ T1135] CPU: 0 UID: 0 PID: 1135 Comm: kworker/u4:10 Not tainted 6.16.0-syzkaller-12250-gc30a13538d9f #0 PREEMPT(full) [ 86.987841][ T1135] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.992638][ T1135] Workqueue: ipv6_addrconf addrconf_dad_work [ 86.995282][ T1135] RIP: 0010:find_match+0xa3/0xc90 [ 86.997454][ T1135] Code: 00 00 00 00 00 fc ff df 42 80 7c 25 00 00 74 08 48 89 df e8 3f cc f1 f7 48 89 d8 bb c0 00 00 00 48 03 18 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 1e cc f1 f7 48 8b 1b e8 d6 53 48 [ 87.005696][ T1135] RSP: 0018:ffffc9000288e550 EFLAGS: 00010206 [ 87.008359][ T1135] RAX: 0000000000000018 RBX: 00000000000000c0 RCX: 0000000000000000 [ 87.011856][ T1135] RDX: ffff888033578000 RSI: 0000000000000000 RDI: 0000000000000000 [ 87.015258][ T1135] RBP: 1ffff11006bc12c4 R08: ffffc9000288e8e0 R09: ffffc9000288e8f0 [ 87.018691][ T1135] R10: ffffc9000288e740 R11: ffffffff8a32d8f0 R12: dffffc0000000000 [ 87.022234][ T1135] R13: 0000000000000002 R14: 1ffff11006bc12c6 R15: ffff888035e09637 [ 87.025804][ T1135] FS: 0000000000000000(0000) GS:ffff88808d211000(0000) knlGS:0000000000000000 [ 87.029540][ T1135] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 87.032507][ T1135] CR2: 0000555cb3734660 CR3: 0000000011b04000 CR4: 0000000000352ef0 [ 87.035985][ T1135] Call Trace: [ 87.037475][ T1135] [ 87.038735][ T1135] rt6_nh_find_match+0xd9/0x150 [ 87.040889][ T1135] nexthop_for_each_fib6_nh+0x1cd/0x400 [ 87.043229][ T1135] ? __pfx_rt6_nh_find_match+0x10/0x10 [ 87.045697][ T1135] __find_rr_leaf+0x461/0x6d0 [ 87.047838][ T1135] ? __pfx___find_rr_leaf+0x10/0x10 [ 87.050054][ T1135] fib6_table_lookup+0x39f/0xa80 [ 87.052264][ T1135] ? __pfx_fib6_table_lookup+0x10/0x10 [ 87.054808][ T1135] ? ip6_pol_route+0x162/0x1180 [ 87.057042][ T1135] ip6_pol_route+0x222/0x1180 [ 87.059131][ T1135] ? __lock_acquire+0xab9/0xd20 [ 87.061528][ T1135] ? __pfx_ip6_pol_route+0x10/0x10 [ 87.063639][ T1135] fib6_rule_lookup+0x348/0x6f0 [ 87.066093][ T1135] ? __pfx_ip6_pol_route_output+0x10/0x10 [ 87.068905][ T1135] ? __pfx_fib6_rule_lookup+0x10/0x10 [ 87.071597][ T1135] ? ip6_route_output_flags+0x2e/0x5d0 [ 87.074294][ T1135] ? ip6_route_output_flags+0x2e/0x5d0 [ 87.076806][ T1135] ip6_route_output_flags+0x364/0x5d0 [ 87.079271][ T1135] ? ip6_route_output_flags+0x2e/0x5d0 [ 87.081629][ T1135] ip6_dst_lookup_tail+0x1ae/0x1510 [ 87.083921][ T1135] ? __lock_acquire+0xab9/0xd20 [ 87.086144][ T1135] ? __pfx_ip6_dst_lookup_tail+0x10/0x10 [ 87.088409][ T1135] ? dst_cache_get_ip6+0xf8/0x7a0 [ 87.090454][ T1135] ? dst_cache_get_ip6+0xf8/0x7a0 [ 87.092740][ T1135] ip6_dst_lookup_flow+0x47/0xe0 [ 87.094823][ T1135] ? __pfx_ip6_dst_lookup_flow+0x10/0x10 [ 87.097160][ T1135] udp_tunnel6_dst_lookup+0x234/0x3c0 [ 87.099489][ T1135] ? __pfx_udp_tunnel6_dst_lookup+0x10/0x10 [ 87.102823][ T1135] ? geneve_get_dsfield+0xec/0x680 [ 87.105618][ T1135] ? __pfx_geneve_get_dsfield+0x10/0x10 [ 87.108223][ T1135] geneve_xmit+0xd2e/0x2b70 [ 87.110257][ T1135] ? __lock_acquire+0xab9/0xd20 [ 87.112258][ T1135] ? validate_xmit_xfrm+0xbf/0x1130 [ 87.114424][ T1135] ? __pfx_skb_network_protocol+0x10/0x10 [ 87.116791][ T1135] ? geneve_xmit+0x128/0x2b70 [ 87.118737][ T1135] ? __pfx_validate_xmit_xfrm+0x10/0x10 [ 87.121149][ T1135] ? __pfx_geneve_xmit+0x10/0x10 [ 87.123181][ T1135] dev_hard_start_xmit+0x2d4/0x830 [ 87.125362][ T1135] __dev_queue_xmit+0x1b8d/0x3b50 [ 87.127623][ T1135] ? register_lock_class+0x51/0x320 [ 87.129927][ T1135] ? __dev_queue_xmit+0x27b/0x3b50 [ 87.132166][ T1135] ? __pfx___dev_queue_xmit+0x10/0x10 [ 87.134540][ T1135] ? read_seqbegin+0x122/0x250 [ 87.136634][ T1135] ? neigh_resolve_output+0x438/0x750 [ 87.139010][ T1135] ? lockdep_hardirqs_on+0x9c/0x150 [ 87.141345][ T1135] ? read_seqbegin+0x1ac/0x250 [ 87.143340][ T1135] ? __pfx_read_seqbegin+0x10/0x10 [ 87.145548][ T1135] ? __local_bh_enable_ip+0x12d/0x1c0 [ 87.147830][ T1135] ? eth_header+0x11b/0x200 [ 87.149809][ T1135] ? __asan_memcpy+0x40/0x70 [ 87.151819][ T1135] ? eth_header+0x11b/0x200 [ 87.153858][ T1135] ? __pfx_eth_header+0x10/0x10 [ 87.155953][ T1135] ? neigh_resolve_output+0x624/0x750 [ 87.158286][ T1135] ip6_finish_output2+0x11fb/0x16a0 [ 87.160511][ T1135] ? ip6_finish_output2+0x701/0x16a0 [ 87.162873][ T1135] ? __pfx_ip6_finish_output2+0x10/0x10 [ 87.165205][ T1135] ? ip6_mtu+0x7d/0x3f0 [ 87.166985][ T1135] ? ip6_mtu+0x7d/0x3f0 [ 87.169299][ T1135] ip6_finish_output+0x234/0x7d0 [ 87.172018][ T1135] ndisc_send_skb+0xb54/0x1440 [ 87.174601][ T1135] ? ndisc_send_skb+0x20c/0x1440 [ 87.176921][ T1135] ? __pfx_ndisc_send_skb+0x10/0x10 [ 87.179232][ T1135] ? ndisc_ns_create+0x4ea/0x650 [ 87.181512][ T1135] ? __asan_memcpy+0x40/0x70 [ 87.183423][ T1135] ? mod_delayed_work_on+0x128/0x200 [ 87.185784][ T1135] ndisc_send_ns+0xcb/0x150 [ 87.187779][ T1135] ? __pfx_ndisc_send_ns+0x10/0x10 [ 87.190022][ T1135] ? addrconf_dad_work+0xa04/0x14b0 [ 87.192404][ T1135] addrconf_dad_work+0xaae/0x14b0 [ 87.194782][ T1135] ? __lock_acquire+0xab9/0xd20 [ 87.197085][ T1135] ? __pfx_addrconf_dad_work+0x10/0x10 [ 87.199606][ T1135] ? process_scheduled_works+0x9ef/0x17b0 [ 87.202137][ T1135] ? _raw_spin_unlock_irq+0x23/0x50 [ 87.204318][ T1135] ? process_scheduled_works+0x9ef/0x17b0 [ 87.206844][ T1135] ? process_scheduled_works+0x9ef/0x17b0 [ 87.209224][ T1135] process_scheduled_works+0xade/0x17b0 [ 87.211526][ T1135] ? __pfx_process_scheduled_works+0x10/0x10 [ 87.214275][ T1135] worker_thread+0x8a0/0xda0 [ 87.216381][ T1135] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 87.219124][ T1135] ? __kthread_parkme+0x7b/0x200 [ 87.221371][ T1135] kthread+0x70e/0x8a0 [ 87.223394][ T1135] ? __pfx_worker_thread+0x10/0x10 [ 87.225912][ T1135] ? __pfx_kthread+0x10/0x10 [ 87.228006][ T1135] ? _raw_spin_unlock_irq+0x23/0x50 [ 87.230169][ T1135] ? lockdep_hardirqs_on+0x9c/0x150 [ 87.232429][ T1135] ? __pfx_kthread+0x10/0x10 [ 87.234432][ T1135] ret_from_fork+0x3fc/0x770 [ 87.236383][ T1135] ? __pfx_ret_from_fork+0x10/0x10 [ 87.238708][ T1135] ? __pfx_kthread+0x10/0x10 [ 87.240996][ T1135] ret_from_fork_asm+0x1a/0x30 [ 87.243026][ T1135] [ 87.244381][ T1135] Modules linked in: [ 87.246183][ T1135] ---[ end trace 0000000000000000 ]--- [ 87.248544][ T1135] RIP: 0010:find_match+0xa3/0xc90 [ 87.250742][ T1135] Code: 00 00 00 00 00 fc ff df 42 80 7c 25 00 00 74 08 48 89 df e8 3f cc f1 f7 48 89 d8 bb c0 00 00 00 48 03 18 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 1e cc f1 f7 48 8b 1b e8 d6 53 48 [ 87.258911][ T1135] RSP: 0018:ffffc9000288e550 EFLAGS: 00010206 [ 87.261591][ T1135] RAX: 0000000000000018 RBX: 00000000000000c0 RCX: 0000000000000000 [ 87.264997][ T1135] RDX: ffff888033578000 RSI: 0000000000000000 RDI: 0000000000000000 [ 87.268543][ T1135] RBP: 1ffff11006bc12c4 R08: ffffc9000288e8e0 R09: ffffc9000288e8f0 [ 87.271931][ T1135] R10: ffffc9000288e740 R11: ffffffff8a32d8f0 R12: dffffc0000000000 [ 87.275089][ T1135] R13: 0000000000000002 R14: 1ffff11006bc12c6 R15: ffff888035e09637 [ 87.279191][ T1135] FS: 0000000000000000(0000) GS:ffff88808d211000(0000) knlGS:0000000000000000 [ 87.283612][ T1135] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 87.286401][ T1135] CR2: 0000555cb3734660 CR3: 0000000011b04000 CR4: 0000000000352ef0 [ 87.290236][ T1135] Kernel panic - not syncing: Fatal exception in interrupt [ 87.293640][ T1135] Kernel Offset: disabled [ 87.295423][ T1135] Rebooting in 86400 seconds..