program:
r0 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x180, 0x0) (async)
ioctl$IOMMU_IOAS_ALLOC(0xffffffffffffffff, 0x3b81, &(0x7f00000000c0)={0xc, 0x0, <r1=>0x0})
ioctl$IOMMU_IOAS_UNMAP$ALL(r0, 0x3b86, &(0x7f0000000100)={0x18, r1}) (async)
r2 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=@newnexthop={0x24, 0x68, 0x1, 0x2, 0x7ffffffc, {}, [@NHA_GROUP={0xc, 0x2, [{0x1, 0x4}]}]}, 0x24}, 0x1, 0x0, 0x0, 0x24008000}, 0x4000)
r4 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r4, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000380)=ANY=[@ANYBLOB="300000001800dd8d00000000000000000a000000000000060000000008001e0002"], 0x30}}, 0x4090) (async)
r5 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r5, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=@ipv6_newnexthop={0x24, 0x68, 0x309, 0x0, 0x0, {}, [@NHA_FDB={0x4}, @NHA_ID={0x8, 0x1, 0x1}]}, 0x24}}, 0x0)
r6 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r6, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000140)={0x50, 0x2, 0x6, 0x5, 0x0, 0x0, {}, [@IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}, @IPSET_ATTR_DATA={0xc, 0x7, 0x0, 0x1, [@IPSET_ATTR_MAXELEM={0x8}]}, @IPSET_ATTR_TYPENAME={0xc, 0x3, 'hash:ip\x00'}, @IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}]}, 0x50}}, 0x0)

[   85.180667][ T5340] Bluetooth: hci0: command tx timeout
[   85.283344][ T5363] netlink: 12 bytes leftover after parsing attributes in process `syz.0.0'.
[   85.306242][ T3068] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000018: 0000 [#1] SMP KASAN NOPTI
[   85.311517][ T3068] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]
[   85.315129][ T3068] CPU: 0 UID: 0 PID: 3068 Comm: kworker/u4:11 Not tainted 6.16.0-syzkaller-11699-g7e161a991ea7 #0 PREEMPT(full) 
[   85.320553][ T3068] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   85.325679][ T3068] Workqueue: ipv6_addrconf addrconf_dad_work
[   85.328345][ T3068] RIP: 0010:find_match+0xa3/0xc90
[   85.330514][ T3068] Code: 00 00 00 00 00 fc ff df 42 80 7c 25 00 00 74 08 48 89 df e8 3f 7b f2 f7 48 89 d8 bb c0 00 00 00 48 03 18 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 1e 7b f2 f7 48 8b 1b e8 36 52 48
[   85.338926][ T3068] RSP: 0018:ffffc9000dcce430 EFLAGS: 00010206
[   85.341641][ T3068] RAX: 0000000000000018 RBX: 00000000000000c0 RCX: 0000000000000000
[   85.344951][ T3068] RDX: ffff88803f894880 RSI: 0000000000000000 RDI: 0000000000000000
[   85.348310][ T3068] RBP: 1ffff11006d19ac4 R08: ffffc9000dcce7c0 R09: ffffc9000dcce7d0
[   85.351681][ T3068] R10: ffffc9000dcce620 R11: ffffffff8a321a90 R12: dffffc0000000000
[   85.355172][ T3068] R13: 0000000000000002 R14: 1ffff11006d19ac6 R15: ffff8880368cd637
[   85.358714][ T3068] FS:  0000000000000000(0000) GS:ffff88808d219000(0000) knlGS:0000000000000000
[   85.362560][ T3068] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   85.365350][ T3068] CR2: 00007ffd4996ef32 CR3: 0000000042a84000 CR4: 0000000000352ef0
[   85.368861][ T3068] Call Trace:
[   85.370438][ T3068]  <TASK>
[   85.371820][ T3068]  rt6_nh_find_match+0xd9/0x150
[   85.374011][ T3068]  nexthop_for_each_fib6_nh+0x1d0/0x400
[   85.376358][ T3068]  ? __pfx_rt6_nh_find_match+0x10/0x10
[   85.378699][ T3068]  __find_rr_leaf+0x461/0x6d0
[   85.380813][ T3068]  ? __pfx___find_rr_leaf+0x10/0x10
[   85.383303][ T3068]  fib6_table_lookup+0x39f/0xa80
[   85.385677][ T3068]  ? __pfx_fib6_table_lookup+0x10/0x10
[   85.388372][ T3068]  ? ip6_pol_route+0x162/0x1180
[   85.390575][ T3068]  ip6_pol_route+0x222/0x1180
[   85.392607][ T3068]  ? __pfx_ip6_pol_route+0x10/0x10
[   85.394805][ T3068]  fib6_rule_lookup+0x348/0x6f0
[   85.397008][ T3068]  ? __pfx_ip6_pol_route_output+0x10/0x10
[   85.399521][ T3068]  ? __pfx_fib6_rule_lookup+0x10/0x10
[   85.401956][ T3068]  ? ip6_route_output_flags+0x2e/0x5d0
[   85.404685][ T3068]  ? ip6_route_output_flags+0x2e/0x5d0
[   85.407522][ T3068]  ? do_raw_spin_lock+0x121/0x290
[   85.409805][ T3068]  ip6_route_output_flags+0x364/0x5d0
[   85.412133][ T3068]  ? ip6_route_output_flags+0x2e/0x5d0
[   85.414498][ T3068]  ip6_dst_lookup_tail+0x1ae/0x1510
[   85.416687][ T3068]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   85.419480][ T3068]  ? __pfx_ip6_dst_lookup_tail+0x10/0x10
[   85.421807][ T3068]  ? stack_depot_save_flags+0x41b/0x860
[   85.424193][ T3068]  ? do_raw_spin_lock+0x121/0x290
[   85.426369][ T3068]  ? kasan_save_track+0x4f/0x80
[   85.428486][ T3068]  ? __kasan_kmalloc+0x93/0xb0
[   85.430693][ T3068]  ? __kmalloc_cache_noprof+0x230/0x3d0
[   85.433342][ T3068]  ? __siphash_unaligned+0x263/0x3b0
[   85.435817][ T3068]  ip6_dst_lookup_flow+0x47/0xe0
[   85.437908][ T3068]  ? __pfx_ip6_dst_lookup_flow+0x10/0x10
[   85.440240][ T3068]  udp_tunnel6_dst_lookup+0x234/0x3c0
[   85.442537][ T3068]  ? __pfx_udp_tunnel6_dst_lookup+0x10/0x10
[   85.445174][ T3068]  ? geneve_get_dsfield+0xec/0x680
[   85.447424][ T3068]  ? __pfx_geneve_get_dsfield+0x10/0x10
[   85.449876][ T3068]  geneve_xmit+0xd2e/0x2b70
[   85.451808][ T3068]  ? validate_xmit_xfrm+0xbf/0x1130
[   85.454105][ T3068]  ? __pfx_skb_network_protocol+0x10/0x10
[   85.456524][ T3068]  ? geneve_xmit+0x128/0x2b70
[   85.458659][ T3068]  ? __pfx_validate_xmit_xfrm+0x10/0x10
[   85.461043][ T3068]  ? __pfx_geneve_xmit+0x10/0x10
[   85.463428][ T3068]  dev_hard_start_xmit+0x2d7/0x830
[   85.465949][ T3068]  __dev_queue_xmit+0x1b8d/0x3b50
[   85.468217][ T3068]  ? __dev_queue_xmit+0x27b/0x3b50
[   85.470371][ T3068]  ? fib_rules_lookup+0x96/0xe90
[   85.472356][ T3068]  ? __pfx_fib_rules_lookup+0x10/0x10
[   85.474640][ T3068]  ? __pfx___dev_queue_xmit+0x10/0x10
[   85.477000][ T3068]  ? l3mdev_update_flow+0x4d1/0x640
[   85.479377][ T3068]  ? __lock_acquire+0xab9/0xd20
[   85.481536][ T3068]  ? __lock_acquire+0xab9/0xd20
[   85.483723][ T3068]  ? ip6_finish_output+0x234/0x7d0
[   85.486097][ T3068]  ? ip6_finish_output2+0xf99/0x16a0
[   85.488812][ T3068]  ip6_finish_output2+0x11bc/0x16a0
[   85.491362][ T3068]  ? ip6_finish_output2+0x701/0x16a0
[   85.493922][ T3068]  ? __pfx_ip6_finish_output2+0x10/0x10
[   85.496316][ T3068]  ? ip6_mtu+0x7d/0x3f0
[   85.498180][ T3068]  ? ip6_mtu+0x7d/0x3f0
[   85.499975][ T3068]  ip6_finish_output+0x234/0x7d0
[   85.502319][ T3068]  NF_HOOK+0x9e/0x380
[   85.504069][ T3068]  ? __pfx_NF_HOOK+0x10/0x10
[   85.506299][ T3068]  ? __pfx_xfrm_lookup_with_ifid+0x10/0x10
[   85.508881][ T3068]  ? do_raw_spin_unlock+0x4d/0x240
[   85.511243][ T3068]  ? icmp6_dst_alloc+0x3a5/0x420
[   85.513375][ T3068]  ? icmp6_dst_alloc+0x3a5/0x420
[   85.515574][ T3068]  mld_sendpack+0x800/0xd80
[   85.517752][ T3068]  ? mld_sendpack+0x1de/0xd80
[   85.519979][ T3068]  ? __pfx_mld_sendpack+0x10/0x10
[   85.522592][ T3068]  ? mld_send_initial_cr+0x352/0x550
[   85.525093][ T3068]  ipv6_mc_dad_complete+0x88/0x410
[   85.527344][ T3068]  addrconf_dad_completed+0x6d5/0xd60
[   85.529740][ T3068]  ? __pfx_addrconf_dad_completed+0x10/0x10
[   85.532179][ T3068]  ? addrconf_dad_work+0xd83/0x14b0
[   85.534426][ T3068]  addrconf_dad_work+0xc36/0x14b0
[   85.536835][ T3068]  ? __lock_acquire+0xab9/0xd20
[   85.539141][ T3068]  ? __pfx_addrconf_dad_work+0x10/0x10
[   85.541636][ T3068]  ? process_scheduled_works+0x9ef/0x17b0
[   85.544245][ T3068]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.546643][ T3068]  ? process_scheduled_works+0x9ef/0x17b0
[   85.549139][ T3068]  ? process_scheduled_works+0x9ef/0x17b0
[   85.551611][ T3068]  process_scheduled_works+0xade/0x17b0
[   85.554231][ T3068]  ? __pfx_process_scheduled_works+0x10/0x10
[   85.557060][ T3068]  worker_thread+0x8a0/0xda0
[   85.559217][ T3068]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   85.562006][ T3068]  ? __kthread_parkme+0x7b/0x200
[   85.564300][ T3068]  kthread+0x711/0x8a0
[   85.566096][ T3068]  ? __pfx_worker_thread+0x10/0x10
[   85.568433][ T3068]  ? __pfx_kthread+0x10/0x10
[   85.570516][ T3068]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.572753][ T3068]  ? lockdep_hardirqs_on+0x9c/0x150
[   85.575196][ T3068]  ? __pfx_kthread+0x10/0x10
[   85.577437][ T3068]  ret_from_fork+0x3f9/0x770
[   85.579677][ T3068]  ? __pfx_ret_from_fork+0x10/0x10
[   85.581957][ T3068]  ? __pfx_kthread+0x10/0x10
[   85.584112][ T3068]  ret_from_fork_asm+0x1a/0x30
[   85.586396][ T3068]  </TASK>
[   85.587907][ T3068] Modules linked in:
[   85.589839][ T3068] ---[ end trace 0000000000000000 ]---
[   85.592413][ T3068] RIP: 0010:find_match+0xa3/0xc90
[   85.594833][ T3068] Code: 00 00 00 00 00 fc ff df 42 80 7c 25 00 00 74 08 48 89 df e8 3f 7b f2 f7 48 89 d8 bb c0 00 00 00 48 03 18 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 1e 7b f2 f7 48 8b 1b e8 36 52 48
[   85.603434][ T3068] RSP: 0018:ffffc9000dcce430 EFLAGS: 00010206
[   85.606422][ T3068] RAX: 0000000000000018 RBX: 00000000000000c0 RCX: 0000000000000000
[   85.609957][ T3068] RDX: ffff88803f894880 RSI: 0000000000000000 RDI: 0000000000000000
[   85.613239][ T3068] RBP: 1ffff11006d19ac4 R08: ffffc9000dcce7c0 R09: ffffc9000dcce7d0
[   85.616618][ T3068] R10: ffffc9000dcce620 R11: ffffffff8a321a90 R12: dffffc0000000000
[   85.620218][ T3068] R13: 0000000000000002 R14: 1ffff11006d19ac6 R15: ffff8880368cd637
[   85.623546][ T3068] FS:  0000000000000000(0000) GS:ffff88808d219000(0000) knlGS:0000000000000000
[   85.627249][ T3068] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   85.630119][ T3068] CR2: 00007ffd4996ef32 CR3: 0000000042a84000 CR4: 0000000000352ef0
[   85.634014][ T3068] Kernel panic - not syncing: Fatal exception in interrupt
[   85.637243][ T3068] Kernel Offset: disabled
[   85.639348][ T3068] Rebooting in 86400 seconds..