program:
# Triage notes for this syzkaller reproducer (syz program text; '#' lines are comments).
# Statements about a call are read off its arguments or off the kernel log that follows
# the program; anything inferred is marked NOTE(review).
#
# The fd argument is 0xffffffffffffffff (-1), so no socket is targeted here. The arguments
# describe a msghdr at 0x7f00000002c0 whose iovec pointer is 0x7f00000000c0; the final
# sendmmsg passes that same msghdr address.
# NOTE(review): presumably the executor writes this memory even though the call fails - confirm.
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f00000000c0)={0x0}}, 0x0)
# r0: socket(0x10 = AF_NETLINK, 0x3 = SOCK_RAW, protocol 0). This is the fd the final sendmmsg uses.
r0 = socket$netlink(0x10, 0x3, 0x0)
# AF_INET6 (0xa) stream (0x1) sockets. Only r1 is referenced again, and only as a 32-bit
# value spliced into the netlink payload near the end of the program.
socket$inet6_tcp(0xa, 0x1, 0x0)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
# Same family/type with protocol 0x106; the result is not stored.
socket$inet6_mptcp(0xa, 0x1, 0x106)
# Result not stored.
socket$nl_route(0x10, 0x3, 0x0)
# Device opens. r2 is used once, by MEDIA_IOC_G_TOPOLOGY further down.
syz_open_dev$dri(&(0x7f0000000100), 0x2, 0x329200)
r2 = syz_open_dev$media(&(0x7f0000000040), 0x6, 0x1)
# binderfs sequence (r3..r7) on ./binderfs/binder0. No binder frame appears in the call
# trace in the log, so these calls look incidental to the warning.
# NOTE(review): confirm by re-running a minimised program without them.
r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r3, 0x4018620d, &(0x7f0000000100))
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
# dup3 makes r3's descriptor number refer to the same open file as r4; r5 is the returned fd.
r5 = dup3(r4, r3, 0x0)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000380)={0x0, 0x0, 0x0, 0x50, 0x0, &(0x7f0000000240)="ed9815e1dcada78176de151105d9589fc2cee8986306ff4dd0664ae2a844400f2c7ebdb83725525567bb874088a8decb9e38e72c13bf5750aacb2ec8e645ee81b759722aaa451b54a6b87cf26dd5ffb1"})
r6 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0)
mmap$binder(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x1, 0x11, r6, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r6, 0x4018620d, &(0x7f0000004a80)={0x73622a85, 0x100, 0x1})
ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000004c0)={0x8, 0x0, &(0x7f0000000000)=[@acquire], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f00000001c0)={0x4c, 0x0, &(0x7f0000000fc0)=[@transaction_sg={0x40486311, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48, 0x18, &(0x7f0000000300)={@flat=@weak_binder={0x77622a85, 0x100a, 0x8000000000}, @flat=@weak_binder={0x77622a85, 0x1100, 0x3}}, &(0x7f0000000200)={0x0, 0x18, 0x30}}}], 0x0, 0x0, 0x0})
r7 = mmap$binder(&(0x7f0000ffe000/0x2000)=nil, 0x2000, 0x1, 0x11, r3, 0x10000000000)
ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000004a40)={0x44, 0x0, &(0x7f00000049c0)=[@transaction={0x40406300, {0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000500)={0xc, 0x0, &(0x7f00000003c0)=[@free_buffer={0x40086303, r7}], 0x0, 0x0, 0x0})
ioctl$BINDER_THREAD_EXIT(r5, 0x40046208, 0x0)
# Media topology query on r2; no media frame appears in the call trace either.
ioctl$MEDIA_IOC_G_TOPOLOGY(r2, 0xc0487c04, &(0x7f0000000200)={0x0, 0x9, 0x0, &(0x7f00000003c0)=[{}, {}, {}, {}, {}, {}, {}, {}, {}], 0x9, 0x0, &(0x7f0000000740)=[{}, {}, {}, {}, {}, {}, {}, {}, {}], 0x5, 0x0, &(0x7f0000000140)=[{}, {}, {}, {}, {}], 0x6, 0x0, &(0x7f0000000b40)=[{}, {}, {}, {}, {}, {}]})
# r8: second rtnetlink socket, referenced only as a 32-bit value in the payload on the next call.
r8 = socket$nl_route(0x10, 0x3, 0x0)
# The fd is -1 again. The arguments lay out a msghdr at 0x7f0000000000 and an iovec at
# 0x7f00000000c0 = {0x7f0000000380, 0x4c}, which is the iovec slot that the msghdr at
# 0x7f00000002c0 (first call of the program) points to.
# Blob bytes, little-endian: length 0x4c, type 0x18 (RTM_NEWROUTE), later the family byte
# 0x0a (AF_INET6) and attribute headers of type 0x5 and 0x9 (RTA_GATEWAY, RTA_MULTIPATH).
# This lines up with inet6_rtm_newroute and call_fib6_multipath_entry_notifiers in the trace.
# r1 and r8 are appended as raw fd numbers after the 8-byte header that opens the type-0x9
# attribute payload. NOTE(review): presumably the first is read as an interface index - verify.
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000380)=ANY=[@ANYBLOB="4c0000001800010d00000000000000850a000000000000000500000014000500200100000000000000000100000000001c00090008000000", @ANYRES32=r1, @ANYRES32=r8], 0x4c}}, 0x0)
# The call that enters the kernel path shown in the log: the logged user registers give
# ORIG_RAX 0x133, RDI 0x3 and RDX 0x040000000000009f, the last matching the third argument here.
# The logged RSI is 0x00002000000002c0, so the 0x7f00000002c0 written here appears to be
# rebased at run time. NOTE(review): confirm against the executor in use.
# The log reports a WARNING at drivers/net/netdevsim/fib.c:831 (nsim_fib_event_nb); the
# subsequent panic is attributed there to panic_on_warn being set, so triage severity as a
# reachable WARN in netdevsim's FIB notifier rather than as a memory-safety report.
sendmmsg(r0, &(0x7f00000002c0), 0x40000000000009f, 0x0)
[ 75.522075][ T5337] Bluetooth: hci0: command tx timeout
[ 75.665158][ T5358] ------------[ cut here ]------------
[ 75.667368][ T5358] WARNING: CPU: 0 PID: 5358 at drivers/net/netdevsim/fib.c:831 nsim_fib_event_nb+0xed8/0x1080
[ 75.671502][ T5358] Modules linked in:
[ 75.673172][ T5358] CPU: 0 UID: 0 PID: 5358 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 75.676769][ T5358] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 75.681354][ T5358] RIP: 0010:nsim_fib_event_nb+0xed8/0x1080
[ 75.683564][ T5358] Code: fa be 02 00 00 00 eb 0a e8 95 34 a6 fa be 01 00 00 00 4c 89 f7 e8 58 8b b0 fd 4c 8b 64 24 08 e9 91 f4 ff ff e8 79 34 a6 fa 90 <0f> 0b 90 e9 70 fb ff ff 44 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c 35
[ 75.691760][ T5358] RSP: 0018:ffffc9000d3aef08 EFLAGS: 00010283
[ 75.694456][ T5358] RAX: ffffffff871988c7 RBX: 0000000000000001 RCX: 0000000000100000
[ 75.698022][ T5358] RDX: ffffc9000de82000 RSI: 000000000000042b RDI: 000000000000042c
[ 75.701206][ T5358] RBP: dffffc0000000000 R08: ffff888012724c2f R09: 1ffff110024e4985
[ 75.704339][ T5358] R10: dffffc0000000000 R11: ffffed10024e4986 R12: ffff8880522ce000
[ 75.707498][ T5358] R13: ffffc9000d3af080 R14: 0000000000000000 R15: ffffc9000d3af098
[ 75.710828][ T5358] FS: 00007fd0c9f956c0(0000) GS:ffff88808d007000(0000) knlGS:0000000000000000
[ 75.714415][ T5358] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.717197][ T5358] CR2: 0000200000001000 CR3: 0000000042a25000 CR4: 0000000000352ef0
[ 75.720592][ T5358] Call Trace:
[ 75.722035][ T5358]
[ 75.723175][ T5358] notifier_call_chain+0x1b3/0x3e0
[ 75.725204][ T5358] ? atomic_notifier_call_chain+0x26/0x180
[ 75.727601][ T5358] atomic_notifier_call_chain+0xda/0x180
[ 75.730040][ T5358] call_fib_notifiers+0x31/0x60
[ 75.732054][ T5358] call_fib6_multipath_entry_notifiers+0xe6/0x150
[ 75.734840][ T5358] ? __pfx_call_fib6_multipath_entry_notifiers+0x10/0x10
[ 75.737853][ T5358] ? inet6_rtm_newroute+0xe8b/0x18c0
[ 75.740037][ T5358] inet6_rtm_newroute+0x12f5/0x18c0
[ 75.742240][ T5358] ? nlmon_xmit+0xb0/0x100
[ 75.744261][ T5358] ? kmem_cache_free+0x18f/0x400
[ 75.746441][ T5358] ? __pfx_inet6_rtm_newroute+0x10/0x10
[ 75.748953][ T5358] ? __local_bh_enable_ip+0x12d/0x1c0
[ 75.751296][ T5358] ? __dev_queue_xmit+0x27b/0x3b50
[ 75.753476][ T5358] ? __dev_queue_xmit+0x1d79/0x3b50
[ 75.755699][ T5358] ? __pfx_inet6_rtm_newroute+0x10/0x10
[ 75.757979][ T5358] rtnetlink_rcv_msg+0x7cf/0xb70
[ 75.760107][ T5358] ? rtnetlink_rcv_msg+0x1ab/0xb70
[ 75.762268][ T5358] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 75.764509][ T5358] ? ref_tracker_free+0x63a/0x7d0
[ 75.766690][ T5358] ? __asan_memcpy+0x40/0x70
[ 75.768740][ T5358] ? __pfx_ref_tracker_free+0x10/0x10
[ 75.771009][ T5358] ? __skb_clone+0x63/0x7a0
[ 75.773051][ T5358] netlink_rcv_skb+0x205/0x470
[ 75.775066][ T5358] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 75.777958][ T5358] ? __pfx_netlink_rcv_skb+0x10/0x10
[ 75.780782][ T5358] ? netlink_deliver_tap+0x2e/0x1b0
[ 75.783701][ T5358] netlink_unicast+0x82c/0x9e0
[ 75.785821][ T5358] ? __pfx_netlink_unicast+0x10/0x10
[ 75.788557][ T5358] ? netlink_sendmsg+0x642/0xb30
[ 75.790524][ T5358] ? skb_put+0x11b/0x210
[ 75.792217][ T5358] netlink_sendmsg+0x805/0xb30
[ 75.794161][ T5358] ? __pfx_netlink_sendmsg+0x10/0x10
[ 75.796174][ T5358] ? aa_sock_msg_perm+0xf1/0x1d0
[ 75.798096][ T5358] ? bpf_lsm_socket_sendmsg+0x9/0x20
[ 75.800334][ T5358] ? __pfx_netlink_sendmsg+0x10/0x10
[ 75.802571][ T5358] __sock_sendmsg+0x21c/0x270
[ 75.804562][ T5358] ____sys_sendmsg+0x52d/0x830
[ 75.806593][ T5358] ? __pfx_____sys_sendmsg+0x10/0x10
[ 75.809094][ T5358] ? import_iovec+0x74/0xa0
[ 75.810816][ T5358] ___sys_sendmsg+0x21f/0x2a0
[ 75.812677][ T5358] ? __pfx____sys_sendmsg+0x10/0x10
[ 75.815426][ T5358] ? __fget_files+0x2a/0x420
[ 75.817899][ T5358] ? __fget_files+0x3a0/0x420
[ 75.819785][ T5358] __sys_sendmmsg+0x227/0x430
[ 75.821415][ T5358] ? __pfx___sys_sendmmsg+0x10/0x10
[ 75.823723][ T5358] ? rcu_is_watching+0x15/0xb0
[ 75.825885][ T5358] ? rcu_is_watching+0x15/0xb0
[ 75.828435][ T5358] __x64_sys_sendmmsg+0xa0/0xc0
[ 75.831043][ T5358] do_syscall_64+0xfa/0x3b0
[ 75.833558][ T5358] ? lockdep_hardirqs_on+0x9c/0x150
[ 75.836037][ T5358] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.838731][ T5358] ? clear_bhb_loop+0x60/0xb0
[ 75.840730][ T5358] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.843271][ T5358] RIP: 0033:0x7fd0c918eec9
[ 75.845219][ T5358] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 75.853512][ T5358] RSP: 002b:00007fd0c9f95038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 75.857005][ T5358] RAX: ffffffffffffffda RBX: 00007fd0c93e5fa0 RCX: 00007fd0c918eec9
[ 75.861166][ T5358] RDX: 040000000000009f RSI: 00002000000002c0 RDI: 0000000000000003
[ 75.864611][ T5358] RBP: 00007fd0c9211f91 R08: 0000000000000000 R09: 0000000000000000
[ 75.868085][ T5358] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 75.871499][ T5358] R13: 00007fd0c93e6038 R14: 00007fd0c93e5fa0 R15: 00007ffc93c62f78
[ 75.874842][ T5358]
[ 75.876082][ T5358] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 75.879230][ T5358] CPU: 0 UID: 0 PID: 5358 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 75.883311][ T5358] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 75.887848][ T5358] Call Trace:
[ 75.889288][ T5358]
[ 75.890604][ T5358] dump_stack_lvl+0x99/0x250
[ 75.892612][ T5358] ? __asan_memcpy+0x40/0x70
[ 75.894593][ T5358] ? __pfx_dump_stack_lvl+0x10/0x10
[ 75.896849][ T5358] ? __pfx__printk+0x10/0x10
[ 75.898808][ T5358] vpanic+0x281/0x750
[ 75.900325][ T5358] ? __pfx__printk+0x10/0x10
[ 75.902209][ T5358] ? __pfx_vpanic+0x10/0x10
[ 75.904219][ T5358] ? is_bpf_text_address+0x26/0x2b0
[ 75.906380][ T5358] panic+0xb9/0xc0
[ 75.907964][ T5358] ? __pfx_panic+0x10/0x10
[ 75.909940][ T5358] __warn+0x31b/0x4b0
[ 75.911651][ T5358] ? nsim_fib_event_nb+0xed8/0x1080
[ 75.913841][ T5358] ? nsim_fib_event_nb+0xed8/0x1080
[ 75.916103][ T5358] report_bug+0x2be/0x4f0
[ 75.917980][ T5358] ? nsim_fib_event_nb+0xed8/0x1080
[ 75.920227][ T5358] ? nsim_fib_event_nb+0xed8/0x1080
[ 75.922266][ T5358] ? nsim_fib_event_nb+0xeda/0x1080
[ 75.924529][ T5358] handle_bug+0x84/0x160
[ 75.926312][ T5358] exc_invalid_op+0x1a/0x50
[ 75.928223][ T5358] asm_exc_invalid_op+0x1a/0x20
[ 75.930302][ T5358] RIP: 0010:nsim_fib_event_nb+0xed8/0x1080
[ 75.932801][ T5358] Code: fa be 02 00 00 00 eb 0a e8 95 34 a6 fa be 01 00 00 00 4c 89 f7 e8 58 8b b0 fd 4c 8b 64 24 08 e9 91 f4 ff ff e8 79 34 a6 fa 90 <0f> 0b 90 e9 70 fb ff ff 44 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c 35
[ 75.940759][ T5358] RSP: 0018:ffffc9000d3aef08 EFLAGS: 00010283
[ 75.943417][ T5358] RAX: ffffffff871988c7 RBX: 0000000000000001 RCX: 0000000000100000
[ 75.946518][ T5358] RDX: ffffc9000de82000 RSI: 000000000000042b RDI: 000000000000042c
[ 75.949871][ T5358] RBP: dffffc0000000000 R08: ffff888012724c2f R09: 1ffff110024e4985
[ 75.953241][ T5358] R10: dffffc0000000000 R11: ffffed10024e4986 R12: ffff8880522ce000
[ 75.956523][ T5358] R13: ffffc9000d3af080 R14: 0000000000000000 R15: ffffc9000d3af098
[ 75.959801][ T5358] ? nsim_fib_event_nb+0xed7/0x1080
[ 75.961955][ T5358] ? nsim_fib_event_nb+0xed7/0x1080
[ 75.964201][ T5358] notifier_call_chain+0x1b3/0x3e0
[ 75.966399][ T5358] ? atomic_notifier_call_chain+0x26/0x180
[ 75.968895][ T5358] atomic_notifier_call_chain+0xda/0x180
[ 75.971195][ T5358] call_fib_notifiers+0x31/0x60
[ 75.973146][ T5358] call_fib6_multipath_entry_notifiers+0xe6/0x150
[ 75.975862][ T5358] ? __pfx_call_fib6_multipath_entry_notifiers+0x10/0x10
[ 75.978802][ T5358] ? inet6_rtm_newroute+0xe8b/0x18c0
[ 75.981046][ T5358] inet6_rtm_newroute+0x12f5/0x18c0
[ 75.983447][ T5358] ? nlmon_xmit+0xb0/0x100
[ 75.985436][ T5358] ? kmem_cache_free+0x18f/0x400
[ 75.987683][ T5358] ? __pfx_inet6_rtm_newroute+0x10/0x10
[ 75.990069][ T5358] ? __local_bh_enable_ip+0x12d/0x1c0
[ 75.992483][ T5358] ? __dev_queue_xmit+0x27b/0x3b50
[ 75.994677][ T5358] ? __dev_queue_xmit+0x1d79/0x3b50
[ 75.996974][ T5358] ? __pfx_inet6_rtm_newroute+0x10/0x10
[ 75.999181][ T5358] rtnetlink_rcv_msg+0x7cf/0xb70
[ 76.001315][ T5358] ? rtnetlink_rcv_msg+0x1ab/0xb70
[ 76.003593][ T5358] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 76.005755][ T5358] ? ref_tracker_free+0x63a/0x7d0
[ 76.007865][ T5358] ? __asan_memcpy+0x40/0x70
[ 76.009805][ T5358] ? __pfx_ref_tracker_free+0x10/0x10
[ 76.011886][ T5358] ? __skb_clone+0x63/0x7a0
[ 76.013762][ T5358] netlink_rcv_skb+0x205/0x470
[ 76.015664][ T5358] ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 76.017916][ T5358] ? __pfx_netlink_rcv_skb+0x10/0x10
[ 76.020022][ T5358] ? netlink_deliver_tap+0x2e/0x1b0
[ 76.022120][ T5358] netlink_unicast+0x82c/0x9e0
[ 76.024473][ T5358] ? __pfx_netlink_unicast+0x10/0x10
[ 76.027044][ T5358] ? netlink_sendmsg+0x642/0xb30
[ 76.029600][ T5358] ? skb_put+0x11b/0x210
[ 76.031814][ T5358] netlink_sendmsg+0x805/0xb30
[ 76.034512][ T5358] ? __pfx_netlink_sendmsg+0x10/0x10
[ 76.037055][ T5358] ? aa_sock_msg_perm+0xf1/0x1d0
[ 76.039262][ T5358] ? bpf_lsm_socket_sendmsg+0x9/0x20
[ 76.041553][ T5358] ? __pfx_netlink_sendmsg+0x10/0x10
[ 76.043860][ T5358] __sock_sendmsg+0x21c/0x270
[ 76.045933][ T5358] ____sys_sendmsg+0x52d/0x830
[ 76.047991][ T5358] ? __pfx_____sys_sendmsg+0x10/0x10
[ 76.050285][ T5358] ? import_iovec+0x74/0xa0
[ 76.052250][ T5358] ___sys_sendmsg+0x21f/0x2a0
[ 76.054226][ T5358] ? __pfx____sys_sendmsg+0x10/0x10
[ 76.056407][ T5358] ? __fget_files+0x2a/0x420
[ 76.058351][ T5358] ? __fget_files+0x3a0/0x420
[ 76.060373][ T5358] __sys_sendmmsg+0x227/0x430
[ 76.062319][ T5358] ? __pfx___sys_sendmmsg+0x10/0x10
[ 76.064454][ T5358] ? rcu_is_watching+0x15/0xb0
[ 76.066543][ T5358] ? rcu_is_watching+0x15/0xb0
[ 76.068426][ T5358] __x64_sys_sendmmsg+0xa0/0xc0
[ 76.070371][ T5358] do_syscall_64+0xfa/0x3b0
[ 76.072313][ T5358] ? lockdep_hardirqs_on+0x9c/0x150
[ 76.074660][ T5358] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.077252][ T5358] ? clear_bhb_loop+0x60/0xb0
[ 76.079246][ T5358] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.081814][ T5358] RIP: 0033:0x7fd0c918eec9
[ 76.083697][ T5358] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 76.091410][ T5358] RSP: 002b:00007fd0c9f95038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 76.094881][ T5358] RAX: ffffffffffffffda RBX: 00007fd0c93e5fa0 RCX: 00007fd0c918eec9
[ 76.098231][ T5358] RDX: 040000000000009f RSI: 00002000000002c0 RDI: 0000000000000003
[ 76.101602][ T5358] RBP: 00007fd0c9211f91 R08: 0000000000000000 R09: 0000000000000000
[ 76.104950][ T5358] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 76.108179][ T5358] R13: 00007fd0c93e6038 R14: 00007fd0c93e5fa0 R15: 00007ffc93c62f78
[ 76.111476][ T5358]
[ 76.113177][ T5358] Kernel Offset: disabled
[ 76.115073][ T5358] Rebooting in 86400 seconds..