program: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=@newnexthop={0x24, 0x68, 0x1, 0x70bd27, 0x7ffffffc, {}, [@NHA_GROUP={0xc, 0x2, [{0x1, 0x4}]}]}, 0x24}}, 0x4000) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000380)=ANY=[@ANYBLOB="300000001800dd8d00000000000000000a000000000000060000000008001e0002"], 0x30}}, 0x4090) r2 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0) r3 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB="240000006800010002000000fcffff7f00000000000000000c0002000100000009000000"], 0x24}, 0x1, 0x0, 0x0, 0x24008000}, 0x4000) r4 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=@newnexthop={0x24, 0x68, 0x1, 0x2, 0x7ffffffc, {}, [@NHA_GROUP={0xc, 0x2, [{0x1, 0x4}]}]}, 0x24}, 0x1, 0x0, 0x0, 0x24008000}, 0x4000) r5 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r5, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=@ipv6_newnexthop={0x24, 0x68, 0x309, 0x0, 0x0, {}, [@NHA_FDB={0x4}, @NHA_ID={0x8, 0x1, 0x1}]}, 0x24}}, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={0x0, 0x38}, 0x1, 0x300}, 0x0) r6 = socket(0x10, 0x3, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000001c0)=ANY=[], 0x24}}, 0x0) sendmmsg$alg(r6, &(0x7f0000000140), 0x4924b68, 0x0) socket$nl_route(0x10, 0x3, 0x0) (async) sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0) (async) socket$nl_route(0x10, 0x3, 0x0) (async) sendmsg$nl_route(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=@newnexthop={0x24, 0x68, 0x1, 0x70bd27, 0x7ffffffc, {}, [@NHA_GROUP={0xc, 0x2, [{0x1, 0x4}]}]}, 0x24}}, 0x4000) (async) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000380)=ANY=[@ANYBLOB="300000001800dd8d00000000000000000a000000000000060000000008001e0002"], 0x30}}, 0x4090) (async) socket$nl_route(0x10, 0x3, 0x0) (async) sendmsg$nl_route(r2, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0) (async) socket$nl_route(0x10, 0x3, 0x0) (async) sendmsg$nl_route(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=ANY=[@ANYBLOB="240000006800010002000000fcffff7f00000000000000000c0002000100000009000000"], 0x24}, 0x1, 0x0, 0x0, 0x24008000}, 0x4000) (async) socket$nl_route(0x10, 0x3, 0x0) (async) sendmsg$nl_route(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000300)=@newnexthop={0x24, 0x68, 0x1, 0x2, 0x7ffffffc, {}, [@NHA_GROUP={0xc, 0x2, [{0x1, 0x4}]}]}, 0x24}, 0x1, 0x0, 0x0, 0x24008000}, 0x4000) (async) socket$nl_route(0x10, 0x3, 0x0) (async) sendmsg$nl_route(r5, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=@ipv6_newnexthop={0x24, 0x68, 0x309, 0x0, 0x0, {}, [@NHA_FDB={0x4}, @NHA_ID={0x8, 0x1, 0x1}]}, 0x24}}, 0x0) (async) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={0x0, 0x38}, 0x1, 0x300}, 0x0) (async) socket(0x10, 0x3, 0x0) (async) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000001c0)=ANY=[], 0x24}}, 0x0) (async) sendmmsg$alg(r6, &(0x7f0000000140), 0x4924b68, 0x0) (async) [ 75.135563][ T45] Bluetooth: hci0: command tx timeout [ 75.219839][ T5353] netlink: 12 bytes leftover after parsing attributes in process `syz.0.0'. [ 75.228731][ T5353] Zero length message leads to an empty skb [ 75.237569][ T12] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000018: 0000 [#1] SMP KASAN NOPTI [ 75.242551][ T12] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [ 75.246091][ T12] CPU: 0 UID: 0 PID: 12 Comm: kworker/u4:0 Not tainted syzkaller #0 PREEMPT(full) [ 75.250320][ T12] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.254898][ T12] Workqueue: ipv6_addrconf addrconf_dad_work [ 75.257529][ T12] RIP: 0010:find_match+0xa3/0xc90 [ 75.259633][ T12] Code: 00 00 00 00 00 fc ff df 42 80 7c 25 00 00 74 08 48 89 df e8 7f 69 f1 f7 48 89 d8 bb c0 00 00 00 48 03 18 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 5e 69 f1 f7 48 8b 1b e8 46 60 48 [ 75.267369][ T12] RSP: 0018:ffffc900001e6430 EFLAGS: 00010206 [ 75.269826][ T12] RAX: 0000000000000018 RBX: 00000000000000c0 RCX: 0000000000000000 [ 75.274302][ T12] RDX: ffff88801c2e4880 RSI: 0000000000000000 RDI: 0000000000000000 [ 75.278000][ T12] RBP: 1ffff11006daaaa4 R08: ffffc900001e67c0 R09: ffffc900001e67d0 [ 75.281531][ T12] R10: ffffc900001e6620 R11: ffffffff8a333c80 R12: dffffc0000000000 [ 75.284865][ T12] R13: 0000000000000002 R14: 1ffff11006daaaa6 R15: ffff888036d55537 [ 75.288046][ T12] FS: 0000000000000000(0000) GS:ffff88808d20f000(0000) knlGS:0000000000000000 [ 75.291744][ T12] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.294607][ T12] CR2: 00007fd811b6ffc8 CR3: 0000000042fb6000 CR4: 0000000000352ef0 [ 75.297886][ T12] Call Trace: [ 75.299293][ T12] [ 75.300649][ T12] ? stack_trace_snprint+0xd1/0xf0 [ 75.302641][ T12] rt6_nh_find_match+0xd9/0x150 [ 75.305177][ T12] nexthop_for_each_fib6_nh+0x1d0/0x400 [ 75.307818][ T12] ? __pfx_rt6_nh_find_match+0x10/0x10 [ 75.310418][ T12] __find_rr_leaf+0x461/0x6d0 [ 75.312614][ T12] ? __pfx___find_rr_leaf+0x10/0x10 [ 75.314974][ T12] fib6_table_lookup+0x39f/0xa80 [ 75.317270][ T12] ? __pfx_fib6_table_lookup+0x10/0x10 [ 75.319614][ T12] ? ip6_pol_route+0x162/0x1180 [ 75.321550][ T12] ip6_pol_route+0x222/0x1180 [ 75.323673][ T12] ? __pfx_ip6_pol_route+0x10/0x10 [ 75.325987][ T12] ? unwind_next_frame+0xa5/0x2390 [ 75.328363][ T12] ? unwind_next_frame+0xa5/0x2390 [ 75.330559][ T12] fib6_rule_lookup+0x348/0x6f0 [ 75.332633][ T12] ? __pfx_ip6_pol_route_output+0x10/0x10 [ 75.335036][ T12] ? __pfx_fib6_rule_lookup+0x10/0x10 [ 75.337190][ T12] ? ip6_route_output_flags+0x2e/0x5d0 [ 75.339471][ T12] ? ip6_route_output_flags+0x2e/0x5d0 [ 75.341880][ T12] ip6_route_output_flags+0x364/0x5d0 [ 75.344253][ T12] ? ip6_route_output_flags+0x2e/0x5d0 [ 75.346726][ T12] ip6_dst_lookup_tail+0x1ae/0x1510 [ 75.349054][ T12] ? unwind_next_frame+0xa5/0x2390 [ 75.351212][ T12] ? __pfx_ip6_dst_lookup_tail+0x10/0x10 [ 75.353507][ T12] ? unwind_next_frame+0xa5/0x2390 [ 75.355607][ T12] ? unwind_next_frame+0xa5/0x2390 [ 75.357604][ T12] ? unwind_next_frame+0x19ae/0x2390 [ 75.359626][ T12] ? __siphash_unaligned+0x263/0x3b0 [ 75.361809][ T12] ip6_dst_lookup_flow+0x47/0xe0 [ 75.363938][ T12] ? __pfx_ip6_dst_lookup_flow+0x10/0x10 [ 75.366297][ T12] udp_tunnel6_dst_lookup+0x231/0x3c0 [ 75.368640][ T12] ? __pfx_udp_tunnel6_dst_lookup+0x10/0x10 [ 75.371497][ T12] ? geneve_get_dsfield+0xec/0x680 [ 75.373904][ T12] ? __pfx_geneve_get_dsfield+0x10/0x10 [ 75.376264][ T12] geneve_xmit+0xd2e/0x2b70 [ 75.378259][ T12] ? __pfx_skb_network_protocol+0x10/0x10 [ 75.380867][ T12] ? validate_xmit_xfrm+0xbf/0x1160 [ 75.382920][ T12] ? geneve_xmit+0x128/0x2b70 [ 75.384773][ T12] ? __pfx_validate_xmit_xfrm+0x10/0x10 [ 75.387207][ T12] ? __pfx_geneve_xmit+0x10/0x10 [ 75.389426][ T12] dev_hard_start_xmit+0x2d4/0x830 [ 75.392003][ T12] __dev_queue_xmit+0x1b8d/0x3b50 [ 75.394586][ T12] ? __dev_queue_xmit+0x27b/0x3b50 [ 75.397375][ T12] ? fib_rules_lookup+0x96/0xe90 [ 75.400438][ T12] ? __pfx_fib_rules_lookup+0x10/0x10 [ 75.403896][ T12] ? __pfx___dev_queue_xmit+0x10/0x10 [ 75.406978][ T12] ? l3mdev_update_flow+0x4d1/0x640 [ 75.409932][ T12] ? __lock_acquire+0xab9/0xd20 [ 75.412212][ T12] ? __lock_acquire+0xab9/0xd20 [ 75.414420][ T12] ? ip6_finish_output+0x234/0x7d0 [ 75.416839][ T12] ? ip6_finish_output2+0xf99/0x16a0 [ 75.419293][ T12] ip6_finish_output2+0x11bc/0x16a0 [ 75.421624][ T12] ? ip6_finish_output2+0x701/0x16a0 [ 75.423893][ T12] ? __pfx_ip6_finish_output2+0x10/0x10 [ 75.426198][ T12] ? ip6_mtu+0x7d/0x3f0 [ 75.427946][ T12] ? ip6_mtu+0x7d/0x3f0 [ 75.429750][ T12] ip6_finish_output+0x234/0x7d0 [ 75.431926][ T12] NF_HOOK+0x9e/0x380 [ 75.433522][ T12] ? __pfx_NF_HOOK+0x10/0x10 [ 75.435519][ T12] ? __pfx_xfrm_lookup_with_ifid+0x10/0x10 [ 75.437840][ T12] ? do_raw_spin_unlock+0x4d/0x240 [ 75.440038][ T12] ? icmp6_dst_alloc+0x3a5/0x420 [ 75.442123][ T12] ? icmp6_dst_alloc+0x3a5/0x420 [ 75.444153][ T12] mld_sendpack+0x800/0xd80 [ 75.445862][ T12] ? mld_sendpack+0x1de/0xd80 [ 75.447793][ T12] ? __pfx_mld_sendpack+0x10/0x10 [ 75.450020][ T12] ? mld_send_initial_cr+0x352/0x550 [ 75.452425][ T12] ipv6_mc_dad_complete+0x88/0x410 [ 75.454943][ T12] addrconf_dad_completed+0x6d5/0xd60 [ 75.457703][ T12] ? __pfx_addrconf_dad_completed+0x10/0x10 [ 75.460474][ T12] ? addrconf_dad_work+0xd83/0x14b0 [ 75.462718][ T12] addrconf_dad_work+0xc36/0x14b0 [ 75.464886][ T12] ? __lock_acquire+0xab9/0xd20 [ 75.467125][ T12] ? __pfx_addrconf_dad_work+0x10/0x10 [ 75.469636][ T12] ? process_scheduled_works+0x9ef/0x17b0 [ 75.472229][ T12] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.474510][ T12] ? process_scheduled_works+0x9ef/0x17b0 [ 75.477346][ T12] ? process_scheduled_works+0x9ef/0x17b0 [ 75.479910][ T12] process_scheduled_works+0xae1/0x17b0 [ 75.482431][ T12] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.485080][ T12] worker_thread+0x8a0/0xda0 [ 75.487150][ T12] kthread+0x70e/0x8a0 [ 75.488950][ T12] ? __pfx_worker_thread+0x10/0x10 [ 75.491254][ T12] ? __pfx_kthread+0x10/0x10 [ 75.493328][ T12] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.495648][ T12] ? lockdep_hardirqs_on+0x9c/0x150 [ 75.497762][ T12] ? __pfx_kthread+0x10/0x10 [ 75.499756][ T12] ret_from_fork+0x3f9/0x770 [ 75.501723][ T12] ? __pfx_ret_from_fork+0x10/0x10 [ 75.503976][ T12] ? __pfx_kthread+0x10/0x10 [ 75.505917][ T12] ret_from_fork_asm+0x1a/0x30 [ 75.507939][ T12] [ 75.509232][ T12] Modules linked in: [ 75.511100][ T12] ---[ end trace 0000000000000000 ]--- [ 75.513430][ T12] RIP: 0010:find_match+0xa3/0xc90 [ 75.515547][ T12] Code: 00 00 00 00 00 fc ff df 42 80 7c 25 00 00 74 08 48 89 df e8 7f 69 f1 f7 48 89 d8 bb c0 00 00 00 48 03 18 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 5e 69 f1 f7 48 8b 1b e8 46 60 48 [ 75.523228][ T12] RSP: 0018:ffffc900001e6430 EFLAGS: 00010206 [ 75.525883][ T12] RAX: 0000000000000018 RBX: 00000000000000c0 RCX: 0000000000000000 [ 75.529456][ T12] RDX: ffff88801c2e4880 RSI: 0000000000000000 RDI: 0000000000000000 [ 75.532859][ T12] RBP: 1ffff11006daaaa4 R08: ffffc900001e67c0 R09: ffffc900001e67d0 [ 75.536127][ T12] R10: ffffc900001e6620 R11: ffffffff8a333c80 R12: dffffc0000000000 [ 75.539502][ T12] R13: 0000000000000002 R14: 1ffff11006daaaa6 R15: ffff888036d55537 [ 75.543079][ T12] FS: 0000000000000000(0000) GS:ffff88808d20f000(0000) knlGS:0000000000000000 [ 75.546956][ T12] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.550006][ T12] CR2: 00007fd811b6ffc8 CR3: 0000000042fb6000 CR4: 0000000000352ef0 [ 75.553156][ T12] Kernel panic - not syncing: Fatal exception in interrupt [ 75.556751][ T12] Kernel Offset: disabled [ 75.558604][ T12] Rebooting in 86400 seconds..