program:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket$nl_route(0x10, 0x3, 0x0) (async)
r1 = socket$nl_route(0x10, 0x3, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000000c0)={0x14, 0x25, 0x301, 0x270bd24, 0x25dfdbfd, {0x1}}, 0x14}, 0x1, 0x0, 0x0, 0x4000}, 0x0)
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0)
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0) (async)
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
r4 = socket(0x200000000000011, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r5=>0x0})
sendmsg$nl_route(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@newlink={0x20, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r5, 0x0, 0x11203}}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0)

[   74.492306][   T45] Bluetooth: hci0: command tx timeout
[   74.565664][ T5314] ==================================================================
[   74.568803][ T5314] BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500
[   74.572366][ T5314] Read of size 1 at addr ffff8880432b1cde by task syz.0.0/5314
[   74.575823][ T5314] 
[   74.576986][ T5314] CPU: 0 UID: 0 PID: 5314 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   74.577001][ T5314] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   74.577008][ T5314] Call Trace:
[   74.577015][ T5314]  <TASK>
[   74.577020][ T5314]  dump_stack_lvl+0xe8/0x150
[   74.577040][ T5314]  print_report+0xba/0x230
[   74.577053][ T5314]  ? fib6_add_rt2node+0x349c/0x3500
[   74.577065][ T5314]  kasan_report+0x117/0x150
[   74.577081][ T5314]  ? fib6_add_rt2node+0x349c/0x3500
[   74.577125][ T5314]  fib6_add_rt2node+0x349c/0x3500
[   74.577140][ T5314]  ? __lock_acquire+0x6b5/0x2cf0
[   74.577156][ T5314]  ? __pfx_fib6_add_rt2node+0x10/0x10
[   74.577168][ T5314]  ? do_raw_spin_lock+0x12b/0x2f0
[   74.577179][ T5314]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   74.577191][ T5314]  fib6_add+0x910/0x18c0
[   74.577203][ T5314]  ? do_raw_spin_lock+0x12b/0x2f0
[   74.577212][ T5314]  ? __pfx_fib6_add+0x10/0x10
[   74.577223][ T5314]  ? ip6_route_add+0xc9/0x1b0
[   74.577236][ T5314]  ip6_route_add+0xde/0x1b0
[   74.577249][ T5314]  inet6_rtm_newroute+0x268/0x19e0
[   74.577260][ T5314]  ? kasan_quarantine_put+0xbb/0x1f0
[   74.577274][ T5314]  ? lockdep_hardirqs_on+0x7a/0x110
[   74.577290][ T5314]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   74.577299][ T5314]  ? kmem_cache_free+0x187/0x630
[   74.577314][ T5314]  ? nlmon_xmit+0xb0/0x100
[   74.577380][ T5314]  ? __lock_acquire+0x6b5/0x2cf0
[   74.577394][ T5314]  ? __local_bh_enable_ip+0xd0/0x130
[   74.577408][ T5314]  ? lockdep_hardirqs_on+0x7a/0x110
[   74.577427][ T5314]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   74.577438][ T5314]  rtnetlink_rcv_msg+0x7d5/0xbe0
[   74.577450][ T5314]  ? rtnetlink_rcv_msg+0x1b9/0xbe0
[   74.577460][ T5314]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   74.577469][ T5314]  ? ref_tracker_free+0x693/0x840
[   74.577498][ T5314]  ? __copy_skb_header+0xa3/0x4a0
[   74.577511][ T5314]  ? __pfx_ref_tracker_free+0x10/0x10
[   74.577520][ T5314]  ? __skb_clone+0x63/0x7a0
[   74.577533][ T5314]  netlink_rcv_skb+0x232/0x4b0
[   74.577551][ T5314]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   74.577561][ T5314]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   74.577579][ T5314]  ? netlink_deliver_tap+0x2e/0x1b0
[   74.577590][ T5314]  netlink_unicast+0x80f/0x9b0
[   74.577607][ T5314]  ? __pfx_netlink_unicast+0x10/0x10
[   74.577622][ T5314]  ? netlink_sendmsg+0x650/0xb40
[   74.577631][ T5314]  ? skb_put+0x11b/0x210
[   74.577643][ T5314]  netlink_sendmsg+0x813/0xb40
[   74.577656][ T5314]  ? __pfx_netlink_sendmsg+0x10/0x10
[   74.577666][ T5314]  ? trace_sched_set_need_resched_tp+0x3e/0x160
[   74.577681][ T5314]  ? aa_sock_msg_perm+0xf1/0x1b0
[   74.577714][ T5314]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[   74.577729][ T5314]  ? __pfx_netlink_sendmsg+0x10/0x10
[   74.577739][ T5314]  ____sys_sendmsg+0xa68/0xad0
[   74.577755][ T5314]  ? __pfx_____sys_sendmsg+0x10/0x10
[   74.577769][ T5314]  ? import_iovec+0x73/0xa0
[   74.577802][ T5314]  ___sys_sendmsg+0x2a5/0x360
[   74.577817][ T5314]  ? __pfx____sys_sendmsg+0x10/0x10
[   74.577831][ T5314]  ? futex_wake+0x4ac/0x580
[   74.577854][ T5314]  ? __fget_files+0x2a/0x420
[   74.577867][ T5314]  ? __fget_files+0x3a0/0x420
[   74.577881][ T5314]  __x64_sys_sendmsg+0x1bd/0x2a0
[   74.577895][ T5314]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[   74.577911][ T5314]  ? rcu_is_watching+0x15/0xb0
[   74.577929][ T5314]  do_syscall_64+0x14d/0xf80
[   74.577946][ T5314]  ? trace_irq_disable+0x3b/0x150
[   74.577963][ T5314]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.577974][ T5314]  ? clear_bhb_loop+0x40/0x90
[   74.577988][ T5314]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.578000][ T5314] RIP: 0033:0x7f9b6e59c629
[   74.578014][ T5314] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   74.578023][ T5314] RSP: 002b:00007f9b6f3b6028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   74.578036][ T5314] RAX: ffffffffffffffda RBX: 00007f9b6e815fa0 RCX: 00007f9b6e59c629
[   74.578044][ T5314] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003
[   74.578051][ T5314] RBP: 00007f9b6e632b39 R08: 0000000000000000 R09: 0000000000000000
[   74.578057][ T5314] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   74.578063][ T5314] R13: 00007f9b6e816038 R14: 00007f9b6e815fa0 R15: 00007ffe239e0f48
[   74.578074][ T5314]  </TASK>
[   74.578079][ T5314] 
[   74.755614][ T5314] Allocated by task 5315:
[   74.757401][ T5314]  kasan_save_track+0x3e/0x80
[   74.759426][ T5314]  __kasan_kmalloc+0x93/0xb0
[   74.761426][ T5314]  __kmalloc_noprof+0x35c/0x760
[   74.763419][ T5314]  fib6_info_alloc+0x30/0xf0
[   74.765389][ T5314]  ip6_route_info_create+0x142/0x860
[   74.767601][ T5314]  ip6_route_add+0x49/0x1b0
[   74.769519][ T5314]  inet6_rtm_newroute+0x268/0x19e0
[   74.771657][ T5314]  rtnetlink_rcv_msg+0x7d5/0xbe0
[   74.773755][ T5314]  netlink_rcv_skb+0x232/0x4b0
[   74.775807][ T5314]  netlink_unicast+0x80f/0x9b0
[   74.777818][ T5314]  netlink_sendmsg+0x813/0xb40
[   74.780211][ T5314]  ____sys_sendmsg+0xa68/0xad0
[   74.782622][ T5314]  ___sys_sendmsg+0x2a5/0x360
[   74.784505][ T5314]  __x64_sys_sendmsg+0x1bd/0x2a0
[   74.786622][ T5314]  do_syscall_64+0x14d/0xf80
[   74.788608][ T5314]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.791096][ T5314] 
[   74.792077][ T5314] The buggy address belongs to the object at ffff8880432b1c00
[   74.792077][ T5314]  which belongs to the cache kmalloc-256 of size 256
[   74.797850][ T5314] The buggy address is located 22 bytes to the right of
[   74.797850][ T5314]  allocated 200-byte region [ffff8880432b1c00, ffff8880432b1cc8)
[   74.803826][ T5314] 
[   74.804849][ T5314] The buggy address belongs to the physical page:
[   74.807545][ T5314] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x432b1
[   74.811261][ T5314] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   74.814300][ T5314] page_type: f5(slab)
[   74.816011][ T5314] raw: 04fff00000000000 ffff88801a841b40 dead000000000100 dead000000000122
[   74.819708][ T5314] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[   74.823793][ T5314] page dumped because: kasan: bad access detected
[   74.827110][ T5314] page_owner tracks the page as allocated
[   74.830199][ T5314] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 28186980263, free_ts 28183860989
[   74.838332][ T5314]  post_alloc_hook+0x231/0x280
[   74.840375][ T5314]  get_page_from_freelist+0x24dc/0x2580
[   74.842736][ T5314]  __alloc_frozen_pages_noprof+0x18d/0x380
[   74.845171][ T5314]  allocate_slab+0x77/0x660
[   74.847075][ T5314]  refill_objects+0x331/0x3c0
[   74.849245][ T5314]  __pcs_replace_empty_main+0x2b9/0x620
[   74.851623][ T5314]  __kmalloc_node_track_caller_noprof+0x572/0x7b0
[   74.854253][ T5314]  krealloc_node_align_noprof+0x1ae/0x390
[   74.856628][ T5314]  add_sysfs_param+0xd4/0xb80
[   74.858771][ T5314]  kernel_add_sysfs_param+0x7f/0xe0
[   74.861030][ T5314]  param_sysfs_builtin+0x199/0x250
[   74.863434][ T5314]  param_sysfs_builtin_init+0x23/0x30
[   74.865757][ T5314]  do_one_initcall+0x250/0x8d0
[   74.867855][ T5314]  do_initcall_level+0x104/0x190
[   74.870177][ T5314]  do_initcalls+0x59/0xa0
[   74.872141][ T5314]  kernel_init_freeable+0x2a6/0x3e0
[   74.874342][ T5314] page last free pid 1361 tgid 1361 stack trace:
[   74.877028][ T5314]  __free_frozen_pages+0xc00/0xd90
[   74.879274][ T5314]  vfree+0x25a/0x400
[   74.880987][ T5314]  delayed_vfree_work+0x55/0x80
[   74.883042][ T5314]  process_scheduled_works+0xb02/0x1830
[   74.885515][ T5314]  worker_thread+0xa50/0xfc0
[   74.887571][ T5314]  kthread+0x388/0x470
[   74.889375][ T5314]  ret_from_fork+0x51e/0xb90
[   74.891353][ T5314]  ret_from_fork_asm+0x1a/0x30
[   74.893587][ T5314] 
[   74.894868][ T5314] Memory state around the buggy address:
[   74.897889][ T5314]  ffff8880432b1b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.901911][ T5314]  ffff8880432b1c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   74.905395][ T5314] >ffff8880432b1c80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   74.908909][ T5314]                                                     ^
[   74.911916][ T5314]  ffff8880432b1d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.915361][ T5314]  ffff8880432b1d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   74.918667][ T5314] ==================================================================
[   74.922172][ T5314] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   74.925363][ T5314] CPU: 0 UID: 0 PID: 5314 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   74.929280][ T5314] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   74.933615][ T5314] Call Trace:
[   74.935164][ T5314]  <TASK>
[   74.936642][ T5314]  vpanic+0x56c/0xa60
[   74.938558][ T5314]  ? __pfx_vpanic+0x10/0x10
[   74.940698][ T5314]  panic+0xc5/0xd0
[   74.942669][ T5314]  ? __pfx_panic+0x10/0x10
[   74.944629][ T5314]  ? fib6_add_rt2node+0x349c/0x3500
[   74.946801][ T5314]  ? fib6_add_rt2node+0x349c/0x3500
[   74.949169][ T5314]  check_panic_on_warn+0x89/0xb0
[   74.951241][ T5314]  ? fib6_add_rt2node+0x349c/0x3500
[   74.953523][ T5314]  end_report+0x73/0x180
[   74.955411][ T5314]  ? fib6_add_rt2node+0x349c/0x3500
[   74.957775][ T5314]  kasan_report+0x128/0x150
[   74.959858][ T5314]  ? fib6_add_rt2node+0x349c/0x3500
[   74.962161][ T5314]  fib6_add_rt2node+0x349c/0x3500
[   74.964286][ T5314]  ? __lock_acquire+0x6b5/0x2cf0
[   74.966472][ T5314]  ? __pfx_fib6_add_rt2node+0x10/0x10
[   74.968804][ T5314]  ? do_raw_spin_lock+0x12b/0x2f0
[   74.971006][ T5314]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   74.973284][ T5314]  fib6_add+0x910/0x18c0
[   74.975135][ T5314]  ? do_raw_spin_lock+0x12b/0x2f0
[   74.977312][ T5314]  ? __pfx_fib6_add+0x10/0x10
[   74.979427][ T5314]  ? ip6_route_add+0xc9/0x1b0
[   74.981482][ T5314]  ip6_route_add+0xde/0x1b0
[   74.983516][ T5314]  inet6_rtm_newroute+0x268/0x19e0
[   74.985859][ T5314]  ? kasan_quarantine_put+0xbb/0x1f0
[   74.988055][ T5314]  ? lockdep_hardirqs_on+0x7a/0x110
[   74.990303][ T5314]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   74.992496][ T5314]  ? kmem_cache_free+0x187/0x630
[   74.994513][ T5314]  ? nlmon_xmit+0xb0/0x100
[   74.996416][ T5314]  ? __lock_acquire+0x6b5/0x2cf0
[   74.998549][ T5314]  ? __local_bh_enable_ip+0xd0/0x130
[   75.000490][ T5314]  ? lockdep_hardirqs_on+0x7a/0x110
[   75.002670][ T5314]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   75.004958][ T5314]  rtnetlink_rcv_msg+0x7d5/0xbe0
[   75.007189][ T5314]  ? rtnetlink_rcv_msg+0x1b9/0xbe0
[   75.009523][ T5314]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   75.011846][ T5314]  ? ref_tracker_free+0x693/0x840
[   75.014400][ T5314]  ? __copy_skb_header+0xa3/0x4a0
[   75.016433][ T5314]  ? __pfx_ref_tracker_free+0x10/0x10
[   75.018732][ T5314]  ? __skb_clone+0x63/0x7a0
[   75.020623][ T5314]  netlink_rcv_skb+0x232/0x4b0
[   75.022596][ T5314]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   75.024873][ T5314]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   75.027255][ T5314]  ? netlink_deliver_tap+0x2e/0x1b0
[   75.029580][ T5314]  netlink_unicast+0x80f/0x9b0
[   75.031570][ T5314]  ? __pfx_netlink_unicast+0x10/0x10
[   75.033838][ T5314]  ? netlink_sendmsg+0x650/0xb40
[   75.035954][ T5314]  ? skb_put+0x11b/0x210
[   75.037741][ T5314]  netlink_sendmsg+0x813/0xb40
[   75.039767][ T5314]  ? __pfx_netlink_sendmsg+0x10/0x10
[   75.042045][ T5314]  ? trace_sched_set_need_resched_tp+0x3e/0x160
[   75.044669][ T5314]  ? aa_sock_msg_perm+0xf1/0x1b0
[   75.046827][ T5314]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[   75.049069][ T5314]  ? __pfx_netlink_sendmsg+0x10/0x10
[   75.051287][ T5314]  ____sys_sendmsg+0xa68/0xad0
[   75.053304][ T5314]  ? __pfx_____sys_sendmsg+0x10/0x10
[   75.055515][ T5314]  ? import_iovec+0x73/0xa0
[   75.057428][ T5314]  ___sys_sendmsg+0x2a5/0x360
[   75.059490][ T5314]  ? __pfx____sys_sendmsg+0x10/0x10
[   75.061690][ T5314]  ? futex_wake+0x4ac/0x580
[   75.063557][ T5314]  ? __fget_files+0x2a/0x420
[   75.065417][ T5314]  ? __fget_files+0x3a0/0x420
[   75.067395][ T5314]  __x64_sys_sendmsg+0x1bd/0x2a0
[   75.069397][ T5314]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[   75.071569][ T5314]  ? rcu_is_watching+0x15/0xb0
[   75.073342][ T5314]  do_syscall_64+0x14d/0xf80
[   75.075201][ T5314]  ? trace_irq_disable+0x3b/0x150
[   75.076896][ T5314]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.079114][ T5314]  ? clear_bhb_loop+0x40/0x90
[   75.081024][ T5314]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.083234][ T5314] RIP: 0033:0x7f9b6e59c629
[   75.085000][ T5314] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   75.093957][ T5314] RSP: 002b:00007f9b6f3b6028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   75.097577][ T5314] RAX: ffffffffffffffda RBX: 00007f9b6e815fa0 RCX: 00007f9b6e59c629
[   75.100768][ T5314] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003
[   75.104147][ T5314] RBP: 00007f9b6e632b39 R08: 0000000000000000 R09: 0000000000000000
[   75.107523][ T5314] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   75.111056][ T5314] R13: 00007f9b6e816038 R14: 00007f9b6e815fa0 R15: 00007ffe239e0f48
[   75.115014][ T5314]  </TASK>
[   75.116779][ T5314] Kernel Offset: disabled
[   75.118699][ T5314] Rebooting in 86400 seconds..