program:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0)
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0) (async)
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
r2 = socket(0x200000000000011, 0x2, 0x0)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
getsockname$inet6(r3, &(0x7f0000000080), &(0x7f00000001c0)=0x1c)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'bridge0\x00'}) (async)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r4=>0x0})
sendmsg$nl_route(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@newlink={0x20, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r4, 0x0, 0x11203}}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0) (async)
sendmsg$nl_route(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@newlink={0x20, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r4, 0x0, 0x11203}}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0)

[   84.691089][ T5297] Bluetooth: hci0: command tx timeout
[   84.776399][ T5319] ==================================================================
[   84.779712][ T5319] BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500
[   84.783273][ T5319] Read of size 1 at addr ffff88801ed966de by task syz.0.0/5319
[   84.786328][ T5319] 
[   84.787405][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   84.787419][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   84.787425][ T5319] Call Trace:
[   84.787433][ T5319]  <TASK>
[   84.787439][ T5319]  dump_stack_lvl+0xe8/0x150
[   84.787495][ T5319]  print_report+0xba/0x230
[   84.787506][ T5319]  ? fib6_add_rt2node+0x349c/0x3500
[   84.787520][ T5319]  kasan_report+0x117/0x150
[   84.787546][ T5319]  ? stack_trace_save+0xa9/0x100
[   84.787578][ T5319]  ? fib6_add_rt2node+0x349c/0x3500
[   84.787592][ T5319]  fib6_add_rt2node+0x349c/0x3500
[   84.787604][ T5319]  ? __lock_acquire+0x6b5/0x2cf0
[   84.787621][ T5319]  ? __pfx_fib6_add_rt2node+0x10/0x10
[   84.787633][ T5319]  ? do_raw_spin_lock+0x12b/0x2f0
[   84.787646][ T5319]  ? fib6_add+0x84b/0x18c0
[   84.787657][ T5319]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   84.787672][ T5319]  fib6_add+0x910/0x18c0
[   84.787686][ T5319]  ? do_raw_spin_lock+0x12b/0x2f0
[   84.787705][ T5319]  ? __pfx_fib6_add+0x10/0x10
[   84.787719][ T5319]  ? ip6_route_add+0xc9/0x1b0
[   84.787732][ T5319]  ip6_route_add+0xde/0x1b0
[   84.787744][ T5319]  inet6_rtm_newroute+0x268/0x19e0
[   84.787758][ T5319]  ? kasan_quarantine_put+0xbb/0x1f0
[   84.787768][ T5319]  ? lockdep_hardirqs_on+0x7a/0x110
[   84.787814][ T5319]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   84.787826][ T5319]  ? kmem_cache_free+0x195/0x610
[   84.787837][ T5319]  ? nlmon_xmit+0xb0/0x100
[   84.787919][ T5319]  ? __lock_acquire+0x6b5/0x2cf0
[   84.787930][ T5319]  ? __local_bh_enable_ip+0xd0/0x130
[   84.787942][ T5319]  ? lockdep_hardirqs_on+0x7a/0x110
[   84.787958][ T5319]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   84.787969][ T5319]  rtnetlink_rcv_msg+0x7d5/0xbe0
[   84.788005][ T5319]  ? rtnetlink_rcv_msg+0x1b9/0xbe0
[   84.788017][ T5319]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   84.788027][ T5319]  ? ref_tracker_free+0x693/0x840
[   84.788051][ T5319]  ? __copy_skb_header+0xa3/0x4a0
[   84.788066][ T5319]  ? __pfx_ref_tracker_free+0x10/0x10
[   84.788077][ T5319]  ? __skb_clone+0x63/0x7a0
[   84.788092][ T5319]  netlink_rcv_skb+0x232/0x4b0
[   84.788105][ T5319]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   84.788116][ T5319]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   84.788128][ T5319]  ? netlink_deliver_tap+0x2e/0x1b0
[   84.788140][ T5319]  netlink_unicast+0x80f/0x9b0
[   84.788152][ T5319]  ? __pfx_netlink_unicast+0x10/0x10
[   84.788161][ T5319]  ? __alloc_skb+0x193/0x390
[   84.788173][ T5319]  ? netlink_sendmsg+0x650/0xb40
[   84.788184][ T5319]  ? skb_put+0x11b/0x210
[   84.788196][ T5319]  netlink_sendmsg+0x813/0xb40
[   84.788208][ T5319]  ? __pfx_netlink_sendmsg+0x10/0x10
[   84.788246][ T5319]  ? aa_sock_msg_perm+0xf1/0x1b0
[   84.788260][ T5319]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[   84.788273][ T5319]  ? __pfx_netlink_sendmsg+0x10/0x10
[   84.788285][ T5319]  ____sys_sendmsg+0xa68/0xad0
[   84.788300][ T5319]  ? __might_fault+0xaf/0x130
[   84.788312][ T5319]  ? __pfx_____sys_sendmsg+0x10/0x10
[   84.788329][ T5319]  ? import_iovec+0x73/0xa0
[   84.788345][ T5319]  ___sys_sendmsg+0x2a5/0x360
[   84.788357][ T5319]  ? __lock_acquire+0x6b5/0x2cf0
[   84.788368][ T5319]  ? __pfx____sys_sendmsg+0x10/0x10
[   84.788383][ T5319]  ? futex_wait+0x29a/0x380
[   84.788400][ T5319]  ? __fget_files+0x2a/0x420
[   84.788414][ T5319]  ? __fget_files+0x3a0/0x420
[   84.788430][ T5319]  __x64_sys_sendmsg+0x1bd/0x2a0
[   84.788443][ T5319]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[   84.788458][ T5319]  ? rcu_is_watching+0x15/0xb0
[   84.788471][ T5319]  do_syscall_64+0x14d/0xf80
[   84.788484][ T5319]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.788494][ T5319]  ? trace_irq_disable+0x37/0x100
[   84.788505][ T5319]  ? clear_bhb_loop+0x40/0x90
[   84.788517][ T5319]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.788526][ T5319] RIP: 0033:0x7fac4ab9bf79
[   84.788537][ T5319] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   84.788546][ T5319] RSP: 002b:00007fac46ff5028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   84.788559][ T5319] RAX: ffffffffffffffda RBX: 00007fac4ae15fa0 RCX: 00007fac4ab9bf79
[   84.788565][ T5319] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003
[   84.788579][ T5319] RBP: 00007fac4ac327e0 R08: 0000000000000000 R09: 0000000000000000
[   84.788586][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   84.788591][ T5319] R13: 00007fac4ae16038 R14: 00007fac4ae15fa0 R15: 00007ffff3320928
[   84.788603][ T5319]  </TASK>
[   84.788608][ T5319] 
[   84.968498][ T5319] Allocated by task 5319:
[   84.970032][ T5319]  kasan_save_track+0x3e/0x80
[   84.971912][ T5319]  __kasan_kmalloc+0x93/0xb0
[   84.973847][ T5319]  __kmalloc_noprof+0x40c/0x7e0
[   84.976059][ T5319]  fib6_info_alloc+0x30/0xf0
[   84.978188][ T5319]  ip6_route_info_create+0x142/0x860
[   84.980579][ T5319]  ip6_route_add+0x49/0x1b0
[   84.982548][ T5319]  inet6_rtm_newroute+0x268/0x19e0
[   84.984563][ T5319]  rtnetlink_rcv_msg+0x7d5/0xbe0
[   84.986490][ T5319]  netlink_rcv_skb+0x232/0x4b0
[   84.988394][ T5319]  netlink_unicast+0x80f/0x9b0
[   84.990231][ T5319]  netlink_sendmsg+0x813/0xb40
[   84.992410][ T5319]  ____sys_sendmsg+0xa68/0xad0
[   84.994601][ T5319]  ___sys_sendmsg+0x2a5/0x360
[   84.996670][ T5319]  __x64_sys_sendmsg+0x1bd/0x2a0
[   84.998802][ T5319]  do_syscall_64+0x14d/0xf80
[   85.000799][ T5319]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.003472][ T5319] 
[   85.004634][ T5319] The buggy address belongs to the object at ffff88801ed96600
[   85.004634][ T5319]  which belongs to the cache kmalloc-256 of size 256
[   85.010838][ T5319] The buggy address is located 22 bytes to the right of
[   85.010838][ T5319]  allocated 200-byte region [ffff88801ed96600, ffff88801ed966c8)
[   85.017008][ T5319] 
[   85.017883][ T5319] The buggy address belongs to the physical page:
[   85.020565][ T5319] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ed96
[   85.024204][ T5319] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   85.027120][ T5319] page_type: f5(slab)
[   85.028794][ T5319] raw: 00fff00000000000 ffff88801ac41b40 dead000000000122 0000000000000000
[   85.032520][ T5319] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[   85.036156][ T5319] page dumped because: kasan: bad access detected
[   85.038880][ T5319] page_owner tracks the page as allocated
[   85.041274][ T5319] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 12, tgid 12 (kworker/u4:0), ts 84728128794, free_ts 81846622553
[   85.049508][ T5319]  post_alloc_hook+0x228/0x280
[   85.051671][ T5319]  get_page_from_freelist+0x24dc/0x2580
[   85.054121][ T5319]  __alloc_frozen_pages_noprof+0x18d/0x380
[   85.056686][ T5319]  allocate_slab+0x7a/0x3a0
[   85.058672][ T5319]  ___slab_alloc+0xd90/0x1790
[   85.060773][ T5319]  __slab_alloc+0x65/0x100
[   85.062686][ T5319]  __kmalloc_node_noprof+0x5bc/0x7f0
[   85.065027][ T5319]  alloc_slab_obj_exts+0x3e/0x100
[   85.067235][ T5319]  allocate_slab+0x1cc/0x3a0
[   85.069046][ T5319]  ___slab_alloc+0xd90/0x1790
[   85.070988][ T5319]  __slab_alloc+0x65/0x100
[   85.072825][ T5319]  kmem_cache_alloc_noprof+0x3fe/0x6e0
[   85.075202][ T5319]  fib6_add_1+0x9c1/0x1460
[   85.077605][ T5319]  fib6_add+0x211/0x18c0
[   85.079862][ T5319]  ip6_ins_rt+0xd6/0x140
[   85.081806][ T5319]  __ipv6_ifa_notify+0x4e8/0xc60
[   85.083614][ T5319] page last free pid 71 tgid 71 stack trace:
[   85.086260][ T5319]  free_unref_folios+0xdce/0x1510
[   85.088445][ T5319]  shrink_folio_list+0x2960/0x5160
[   85.090500][ T5319]  evict_folios+0x4795/0x5880
[   85.092304][ T5319]  try_to_shrink_lruvec+0x88b/0xb20
[   85.094248][ T5319]  shrink_one+0x25c/0x710
[   85.096085][ T5319]  shrink_node+0x2f8b/0x35f0
[   85.098042][ T5319]  kswapd+0x144c/0x2800
[   85.099735][ T5319]  kthread+0x388/0x470
[   85.101459][ T5319]  ret_from_fork+0x51e/0xb90
[   85.103413][ T5319]  ret_from_fork_asm+0x1a/0x30
[   85.105406][ T5319] 
[   85.106472][ T5319] Memory state around the buggy address:
[   85.108871][ T5319]  ffff88801ed96580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.112167][ T5319]  ffff88801ed96600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   85.115527][ T5319] >ffff88801ed96680: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   85.118918][ T5319]                                                     ^
[   85.121776][ T5319]  ffff88801ed96700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.125146][ T5319]  ffff88801ed96780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.128442][ T5319] ==================================================================
[   85.131971][ T5319] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   85.135044][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   85.138896][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.143327][ T5319] Call Trace:
[   85.144901][ T5319]  <TASK>
[   85.146235][ T5319]  vpanic+0x1e0/0x670
[   85.147902][ T5319]  panic+0xc5/0xd0
[   85.149538][ T5319]  ? __pfx_panic+0x10/0x10
[   85.151315][ T5319]  ? fib6_add_rt2node+0x349c/0x3500
[   85.153537][ T5319]  ? fib6_add_rt2node+0x349c/0x3500
[   85.155797][ T5319]  check_panic_on_warn+0x89/0xb0
[   85.158202][ T5319]  ? fib6_add_rt2node+0x349c/0x3500
[   85.160464][ T5319]  end_report+0x6f/0x140
[   85.162345][ T5319]  kasan_report+0x128/0x150
[   85.164109][ T5319]  ? stack_trace_save+0xa9/0x100
[   85.166002][ T5319]  ? fib6_add_rt2node+0x349c/0x3500
[   85.168349][ T5319]  fib6_add_rt2node+0x349c/0x3500
[   85.171297][ T5319]  ? __lock_acquire+0x6b5/0x2cf0
[   85.173753][ T5319]  ? __pfx_fib6_add_rt2node+0x10/0x10
[   85.176241][ T5319]  ? do_raw_spin_lock+0x12b/0x2f0
[   85.178475][ T5319]  ? fib6_add+0x84b/0x18c0
[   85.180425][ T5319]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   85.182692][ T5319]  fib6_add+0x910/0x18c0
[   85.184297][ T5319]  ? do_raw_spin_lock+0x12b/0x2f0
[   85.186402][ T5319]  ? __pfx_fib6_add+0x10/0x10
[   85.188480][ T5319]  ? ip6_route_add+0xc9/0x1b0
[   85.190457][ T5319]  ip6_route_add+0xde/0x1b0
[   85.192426][ T5319]  inet6_rtm_newroute+0x268/0x19e0
[   85.194544][ T5319]  ? kasan_quarantine_put+0xbb/0x1f0
[   85.196726][ T5319]  ? lockdep_hardirqs_on+0x7a/0x110
[   85.198877][ T5319]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   85.201343][ T5319]  ? kmem_cache_free+0x195/0x610
[   85.203520][ T5319]  ? nlmon_xmit+0xb0/0x100
[   85.205311][ T5319]  ? __lock_acquire+0x6b5/0x2cf0
[   85.207367][ T5319]  ? __local_bh_enable_ip+0xd0/0x130
[   85.209648][ T5319]  ? lockdep_hardirqs_on+0x7a/0x110
[   85.211959][ T5319]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   85.214426][ T5319]  rtnetlink_rcv_msg+0x7d5/0xbe0
[   85.216639][ T5319]  ? rtnetlink_rcv_msg+0x1b9/0xbe0
[   85.218830][ T5319]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   85.220994][ T5319]  ? ref_tracker_free+0x693/0x840
[   85.223172][ T5319]  ? __copy_skb_header+0xa3/0x4a0
[   85.225374][ T5319]  ? __pfx_ref_tracker_free+0x10/0x10
[   85.227513][ T5319]  ? __skb_clone+0x63/0x7a0
[   85.229374][ T5319]  netlink_rcv_skb+0x232/0x4b0
[   85.231285][ T5319]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   85.233512][ T5319]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   85.236025][ T5319]  ? netlink_deliver_tap+0x2e/0x1b0
[   85.238550][ T5319]  netlink_unicast+0x80f/0x9b0
[   85.240668][ T5319]  ? __pfx_netlink_unicast+0x10/0x10
[   85.243027][ T5319]  ? __alloc_skb+0x193/0x390
[   85.245209][ T5319]  ? netlink_sendmsg+0x650/0xb40
[   85.247381][ T5319]  ? skb_put+0x11b/0x210
[   85.249241][ T5319]  netlink_sendmsg+0x813/0xb40
[   85.251510][ T5319]  ? __pfx_netlink_sendmsg+0x10/0x10
[   85.253892][ T5319]  ? aa_sock_msg_perm+0xf1/0x1b0
[   85.256193][ T5319]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[   85.258309][ T5319]  ? __pfx_netlink_sendmsg+0x10/0x10
[   85.260272][ T5319]  ____sys_sendmsg+0xa68/0xad0
[   85.262240][ T5319]  ? __might_fault+0xaf/0x130
[   85.264123][ T5319]  ? __pfx_____sys_sendmsg+0x10/0x10
[   85.266322][ T5319]  ? import_iovec+0x73/0xa0
[   85.268202][ T5319]  ___sys_sendmsg+0x2a5/0x360
[   85.270114][ T5319]  ? __lock_acquire+0x6b5/0x2cf0
[   85.272108][ T5319]  ? __pfx____sys_sendmsg+0x10/0x10
[   85.274213][ T5319]  ? futex_wait+0x29a/0x380
[   85.276102][ T5319]  ? __fget_files+0x2a/0x420
[   85.277953][ T5319]  ? __fget_files+0x3a0/0x420
[   85.279987][ T5319]  __x64_sys_sendmsg+0x1bd/0x2a0
[   85.282101][ T5319]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[   85.284266][ T5319]  ? rcu_is_watching+0x15/0xb0
[   85.286219][ T5319]  do_syscall_64+0x14d/0xf80
[   85.288193][ T5319]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.290769][ T5319]  ? trace_irq_disable+0x37/0x100
[   85.292989][ T5319]  ? clear_bhb_loop+0x40/0x90
[   85.295067][ T5319]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.297589][ T5319] RIP: 0033:0x7fac4ab9bf79
[   85.299410][ T5319] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   85.307342][ T5319] RSP: 002b:00007fac46ff5028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   85.310569][ T5319] RAX: ffffffffffffffda RBX: 00007fac4ae15fa0 RCX: 00007fac4ab9bf79
[   85.313951][ T5319] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003
[   85.317152][ T5319] RBP: 00007fac4ac327e0 R08: 0000000000000000 R09: 0000000000000000
[   85.320371][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   85.323753][ T5319] R13: 00007fac4ae16038 R14: 00007fac4ae15fa0 R15: 00007ffff3320928
[   85.326975][ T5319]  </TASK>
[   85.328646][ T5319] Kernel Offset: disabled
[   85.330348][ T5319] Rebooting in 86400 seconds..