program:
# syzkaller reproducer followed by the console log of the resulting kernel oops.
# Summary (from the calls below and the call trace in the log): an nftables
# "reject" rule is installed, nexthop objects and IPv4 routes referencing
# nexthop id 2 are added, and an ICMP packet is then injected; the oops is
# reported in ip_route_output_key_hash_rcu, reached via nft_reject_inet_eval ->
# nf_send_unreach -> nf_reject_fill_skb_dst -> nf_ip_route.
# NOTE(review): nfnetlink/rtnetlink configuration like this normally needs
# CAP_NET_ADMIN in the network namespace; the oops shows the task as UID 0.

# --- First pass: calls issued in order ---

# Netlink socket, protocol 0xc (nl_netfilter per the call name).
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
# Raw nftables batch. ASCII inside the blob: 73797a30 = "syz0",
# 73797a32 = "syz2", 72656a656374 = "reject". Presumably creates table "syz0",
# chain "syz2" and a rule holding a reject expression - confirm by decoding.
sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a05000000000000000000010000000900010073797a300000000040000000030a01010000000000000000010000000900030073797a320000000014000480080002400000000008000140000000000900010073797a300000000050000000060a010400000000000000000100000028000480240001800b00010072656a6563740000140002800800014000000000050002000000000008000b40000000000900010073797a300000000014000000110001"], 0xd8}}, 0x20000000)
r1 = socket$nl_route(0x10, 0x3, 0x0)
# Raw rtnetlink message of type 0x68 (the same type value the typed
# @ipv6_newnexthop message below carries). The trailing attribute has length 4
# and type 4; presumably a nexthop created without an explicit id - confirm.
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000440)=ANY=[@ANYBLOB="1c0000006800e97800000000000000000a00000000000000040004"], 0x1c}}, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
# Looks up the interface index of "lo".
# NOTE(review): r4 is used by @NHA_OIF below but is never assigned in the text
# as printed; presumably it is this ioctl's output field and the syz result
# marker was lost in extraction - confirm against the original reproducer.
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000040)={'lo\x00', 0x0})
# New nexthop carrying an encapsulation type attribute, an encapsulation
# payload described as @SEG6_IPTUNNEL_SRH, and the output interface r4.
# No id attribute is listed, so the id is chosen by the kernel; presumably
# this is the object the routes below reference as id 2 - confirm.
sendmsg$nl_route(r2, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000080)=@ipv6_newnexthop={0x40, 0x68, 0x1, 0x0, 0x0, {}, [@NHA_ENCAP_TYPE={0x6, 0x7, 0x2}, @NHA_ENCAP={0x18, 0x8, 0x0, 0x1, @SEG6_IPTUNNEL_SRH={0x14}}, @NHA_OIF={0x8, 0x5, r4}]}, 0x40}}, 0x0)
r5 = socket$nl_route(0x10, 0x3, 0x0)
# IPv4 route whose only attribute is @RTA_NH_ID with value 0x2. The fifth
# header field is 0xfe here and 0xfd in the next route; under the usual rtmsg
# layout that field is the routing table - TODO confirm.
sendmsg$nl_route(r5, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000000)=@ipv4_newroute={0x24, 0x18, 0x35f32a6dfa748ddd, 0x0, 0x0, {0x2, 0x0, 0x10, 0x0, 0xfe, 0x4, 0x0, 0x1, 0x20000000}, [@RTA_NH_ID={0x8, 0x1e, 0x2}]}, 0x24}, 0x1, 0x0, 0x0, 0x4a044}, 0x4010)
r6 = socket$nl_route(0x10, 0x3, 0x0)
# Same route message as above except for the 0xfd field.
sendmsg$nl_route(r6, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000000)=@ipv4_newroute={0x24, 0x18, 0x35f32a6dfa748ddd, 0x0, 0x0, {0x2, 0x0, 0x10, 0x0, 0xfd, 0x4, 0x0, 0x1, 0x20000000}, [@RTA_NH_ID={0x8, 0x1e, 0x2}]}, 0x24}, 0x1, 0x0, 0x0, 0x4a044}, 0x4010)
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
# Second raw nftables batch. ASCII inside the blob: "syz2", "syz0" and
# 736f636b6574 = "socket"; presumably adds a socket-match expression to the
# same chain - confirm by decoding. The call trace lists nf_sk_lookup_slow_v4
# as a stale ("?") frame.
sendmsg$NFT_BATCH(r7, &(0x7f0000000000)={0x0, 0xfffffffffffffed6, &(0x7f0000000040)={&(0x7f0000000680)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a54000000060a09040000e4ffffffffff010000000900020073797a32000000000900010073797a300000000028000480240001800b000100736f636b6574000014000280080002400000000b080001400000000014000000110001"], 0x7c}}, 0x20044810)
# Injects a 0x3e-byte Ethernet frame: IPv4 (ethertype 0x800) carrying an ICMP
# message of type 0xb (@time_exceeded) that embeds an inner IPv4 header with
# protocol 0x11. Outer source is @private=0xa010102, outer destination @empty.
# The call trace shows the packet arriving through tun_chr_write_iter ->
# tun_get_user -> netif_receive_skb and hitting the nft chain from there.
syz_emit_ethernet(0x3e, &(0x7f0000000080)={@local, @local, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x1, 0x0, @private=0xa010102, @empty}, @time_exceeded={0xb, 0x0, 0x0, 0x0, 0x0, 0x0, {0x5, 0x4, 0x0, 0x0, 0xffff, 0x67, 0x0, 0x0, 0x11, 0x0, @multicast2, @initdev={0xac, 0x1e, 0x0, 0x0}}}}}}}, 0x0)

# --- Second pass: the same call sequence again, each call marked (async) ---
# As printed, the socket calls in this pass carry no rN assignment and the
# SIOCGIFINDEX argument omits the trailing 0x0 field; the other arguments match
# the first pass.
socket$nl_netfilter(0x10, 0x3, 0xc) (async)
sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000600)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a05000000000000000000010000000900010073797a300000000040000000030a01010000000000000000010000000900030073797a320000000014000480080002400000000008000140000000000900010073797a300000000050000000060a010400000000000000000100000028000480240001800b00010072656a6563740000140002800800014000000000050002000000000008000b40000000000900010073797a300000000014000000110001"], 0xd8}}, 0x20000000) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000440)=ANY=[@ANYBLOB="1c0000006800e97800000000000000000a00000000000000040004"], 0x1c}}, 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
socket$inet6_udp(0xa, 0x2, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000040)={'lo\x00'}) (async)
sendmsg$nl_route(r2, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000080)=@ipv6_newnexthop={0x40, 0x68, 0x1, 0x0, 0x0, {}, [@NHA_ENCAP_TYPE={0x6, 0x7, 0x2}, @NHA_ENCAP={0x18, 0x8, 0x0, 0x1, @SEG6_IPTUNNEL_SRH={0x14}}, @NHA_OIF={0x8, 0x5, r4}]}, 0x40}}, 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
sendmsg$nl_route(r5, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000000)=@ipv4_newroute={0x24, 0x18, 0x35f32a6dfa748ddd, 0x0, 0x0, {0x2, 0x0, 0x10, 0x0, 0xfe, 0x4, 0x0, 0x1, 0x20000000}, [@RTA_NH_ID={0x8, 0x1e, 0x2}]}, 0x24}, 0x1, 0x0, 0x0, 0x4a044}, 0x4010) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
sendmsg$nl_route(r6, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000000)=@ipv4_newroute={0x24, 0x18, 0x35f32a6dfa748ddd, 0x0, 0x0, {0x2, 0x0, 0x10, 0x0, 0xfd, 0x4, 0x0, 0x1, 0x20000000}, [@RTA_NH_ID={0x8, 0x1e, 0x2}]}, 0x24}, 0x1, 0x0, 0x0, 0x4a044}, 0x4010) (async)
socket$nl_netfilter(0x10, 0x3, 0xc) (async)
sendmsg$NFT_BATCH(r7, &(0x7f0000000000)={0x0, 0xfffffffffffffed6, &(0x7f0000000040)={&(0x7f0000000680)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a54000000060a09040000e4ffffffffff010000000900020073797a32000000000900010073797a300000000028000480240001800b000100736f636b6574000014000280080002400000000b080001400000000014000000110001"], 0x7c}}, 0x20044810) (async)
syz_emit_ethernet(0x3e, &(0x7f0000000080)={@local, @local, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x1, 0x0, @private=0xa010102, @empty}, @time_exceeded={0xb, 0x0, 0x0, 0x0, 0x0, 0x0, {0x5, 0x4, 0x0, 0x0, 0xffff, 0x67, 0x0, 0x0, 0x11, 0x0, @multicast2, @initdev={0xac, 0x1e, 0x0, 0x0}}}}}}}, 0x0) (async)

# --- Console log recorded while the program ran (continues on the following lines) ---
# Triage note: the faulting address equals (RBX >> 3) + R12 with
# R12 = dffffc0000000000, i.e. the fault is on a KASAN shadow byte for the
# address held in RBX, and RBX has the same value as the GS base in this dump.
# NOTE(review): that pattern suggests a per-CPU pointer derived from a zero or
# otherwise invalid base - confirm against the source at the reported RIP.
[ 85.314809][ T5295] Bluetooth: hci0: command tx timeout [ 85.486948][ T5318] BUG: unable to handle page fault for address: ffffed101194b600 [ 85.490387][ T5318] #PF: supervisor read access in kernel mode [ 85.493028][ T5318] #PF: error_code(0x0000) - not-present page [ 85.495532][ T5318] PGD 5ffd5067 P4D 5ffd5067 PUD 2fffa067 PMD 0 [ 85.498263][ T5318] Oops: Oops: 0000 [#1] SMP KASAN NOPTI [ 85.500631][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.504407][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 85.508554][ T5318] RIP: 0010:ip_route_output_key_hash_rcu+0x1264/0x25d0 [ 85.511564][
T5318] Code: 6e 11 09 49 83 c6 38 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 a9 71 26 f8 49 03 1e 4d 89 fd 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 8d 71 26 f8 4c 8b 3b e8 55 36 a4 [ 85.519697][ T5318] RSP: 0018:ffffc9000da2edc0 EFLAGS: 00010a06 [ 85.522526][ T5318] RAX: 1ffff1101194b600 RBX: ffff88808ca5b000 RCX: ffff88803b9fa480 [ 85.525999][ T5318] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 85.529363][ T5318] RBP: 0000000080000000 R08: ffff88803b9fa480 R09: 0000000000000003 [ 85.532961][ T5318] R10: 0000000000000005 R11: 0000000000000000 R12: dffffc0000000000 [ 85.536230][ T5318] R13: 0000000000000000 R14: ffff888012474558 R15: 0000000000000000 [ 85.539529][ T5318] FS: 00007f4a270696c0(0000) GS:ffff88808ca5b000(0000) knlGS:0000000000000000 [ 85.543385][ T5318] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 85.546199][ T5318] CR2: ffffed101194b600 CR3: 00000000128e3000 CR4: 0000000000352ef0 [ 85.549496][ T5318] Call Trace: [ 85.550947][ T5318] [ 85.552283][ T5318] ? ip_route_output_key_hash+0xd8/0x2a0 [ 85.554705][ T5318] ip_route_output_key_hash+0x18d/0x2a0 [ 85.557021][ T5318] ? kasan_save_track+0x4f/0x80 [ 85.559138][ T5318] ? __kasan_slab_alloc+0x6c/0x80 [ 85.561282][ T5318] ? __pfx_ip_route_output_key_hash+0x10/0x10 [ 85.563860][ T5318] ? vfs_write+0x61d/0xb90 [ 85.565793][ T5318] ip_route_output_flow+0x2a/0x150 [ 85.568055][ T5318] ? nf_ip_route+0x17/0x70 [ 85.569904][ T5318] nf_ip_route+0x24/0x70 [ 85.571624][ T5318] nf_reject_fill_skb_dst+0x198/0x380 [ 85.573758][ T5318] ? __pfx_nf_reject_fill_skb_dst+0x10/0x10 [ 85.576172][ T5318] ? nf_sk_lookup_slow_v4+0x12c6/0x12f0 [ 85.578303][ T5318] ? __pfx_nf_sk_lookup_slow_v4+0x10/0x10 [ 85.580636][ T5318] nf_send_unreach+0x1fe/0x710 [ 85.582695][ T5318] ? __pfx_nf_send_unreach+0x10/0x10 [ 85.584926][ T5318] nft_reject_inet_eval+0x4bc/0x690 [ 85.587150][ T5318] nft_do_chain+0x45e/0x1990 [ 85.589107][ T5318] ? __pfx_nft_do_chain+0x10/0x10 [ 85.591360][ T5318] ? 
__skb_flow_dissect+0x649c/0x6d20 [ 85.593766][ T5318] nft_do_chain_inet+0x29d/0x380 [ 85.595948][ T5318] ? __pfx_nft_do_chain_inet+0x10/0x10 [ 85.598291][ T5318] ? ipt_do_table+0x2b2/0x1630 [ 85.600706][ T5318] ? iptable_mangle_hook+0x189/0x4c0 [ 85.603089][ T5318] ? __pfx_nft_do_chain_inet+0x10/0x10 [ 85.605389][ T5318] nf_hook_slow+0xc5/0x220 [ 85.607152][ T5318] NF_HOOK+0x21f/0x3c0 [ 85.608839][ T5318] ? __pfx_ip_rcv_finish+0x10/0x10 [ 85.611186][ T5318] ? NF_HOOK+0x9e/0x3c0 [ 85.612972][ T5318] ? __pfx_NF_HOOK+0x10/0x10 [ 85.614993][ T5318] ? __pfx_ip_rcv_finish+0x10/0x10 [ 85.617166][ T5318] ? netif_receive_skb+0x102/0xc50 [ 85.619485][ T5318] ? __pfx_ip_rcv+0x10/0x10 [ 85.621502][ T5318] netif_receive_skb+0x45b/0xc50 [ 85.623594][ T5318] ? __pfx_netif_receive_skb+0x10/0x10 [ 85.625930][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 85.628071][ T5318] ? tun_rx_batched+0x185/0x790 [ 85.630139][ T5318] tun_rx_batched+0x1de/0x790 [ 85.632097][ T5318] ? __build_skb+0x62/0x440 [ 85.634065][ T5318] ? __pfx_tun_rx_batched+0x10/0x10 [ 85.636288][ T5318] ? tun_get_user+0x2354/0x3dd0 [ 85.638355][ T5318] ? __local_bh_enable_ip+0xd0/0x130 [ 85.640562][ T5318] ? tun_get_user+0x2669/0x3dd0 [ 85.642698][ T5318] tun_get_user+0x2a78/0x3dd0 [ 85.644775][ T5318] ? aa_file_perm+0x440/0x1630 [ 85.646897][ T5318] ? __pfx_tun_get_user+0x10/0x10 [ 85.649058][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 85.651285][ T5318] ? ref_tracker_alloc+0x363/0x4d0 [ 85.653570][ T5318] ? page_table_check_set+0x148/0x610 [ 85.656053][ T5318] ? __pfx_ref_tracker_alloc+0x10/0x10 [ 85.658500][ T5318] ? count_memcg_event_mm+0x21/0x260 [ 85.660630][ T5318] ? tun_get+0x1c/0x2f0 [ 85.662382][ T5318] ? tun_get+0x1c/0x2f0 [ 85.664113][ T5318] ? tun_get+0x1c/0x2f0 [ 85.666018][ T5318] tun_chr_write_iter+0x113/0x200 [ 85.668246][ T5318] vfs_write+0x61d/0xb90 [ 85.670148][ T5318] ? __pfx_vfs_write+0x10/0x10 [ 85.672266][ T5318] ? __fget_files+0x2a/0x420 [ 85.674356][ T5318] ksys_write+0x150/0x270 [ 85.676189][ T5318] ? 
__pfx_ksys_write+0x10/0x10 [ 85.678324][ T5318] do_syscall_64+0x14d/0xf80 [ 85.680365][ T5318] ? trace_irq_disable+0x3b/0x150 [ 85.682480][ T5318] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.684913][ T5318] ? clear_bhb_loop+0x40/0x90 [ 85.686920][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.689458][ T5318] RIP: 0033:0x7f4a2615cece [ 85.691370][ T5318] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 [ 85.699250][ T5318] RSP: 002b:00007f4a27068fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 85.703013][ T5318] RAX: ffffffffffffffda RBX: 00007f4a270696c0 RCX: 00007f4a2615cece [ 85.706358][ T5318] RDX: 000000000000003e RSI: 0000200000000080 RDI: 00000000000000c8 [ 85.709741][ T5318] RBP: 00007f4a26232b39 R08: 0000000000000000 R09: 0000000000000000 [ 85.713131][ T5318] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.716364][ T5318] R13: 00007f4a26416038 R14: 00007f4a26415fa0 R15: 00007fff21de25e8 [ 85.719820][ T5318] [ 85.721298][ T5318] Modules linked in: [ 85.723040][ T5318] CR2: ffffed101194b600 [ 85.724722][ T5318] ---[ end trace 0000000000000000 ]--- [ 85.726755][ T5318] RIP: 0010:ip_route_output_key_hash_rcu+0x1264/0x25d0 [ 85.729400][ T5318] Code: 6e 11 09 49 83 c6 38 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 a9 71 26 f8 49 03 1e 4d 89 fd 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 8d 71 26 f8 4c 8b 3b e8 55 36 a4 [ 85.737160][ T5318] RSP: 0018:ffffc9000da2edc0 EFLAGS: 00010a06 [ 85.739841][ T5318] RAX: 1ffff1101194b600 RBX: ffff88808ca5b000 RCX: ffff88803b9fa480 [ 85.743381][ T5318] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 85.746611][ T5318] RBP: 0000000080000000 R08: ffff88803b9fa480 R09: 0000000000000003 [ 85.749902][ T5318] R10: 0000000000000005 R11: 0000000000000000 R12: dffffc0000000000 [ 85.753097][ T5318] R13: 
0000000000000000 R14: ffff888012474558 R15: 0000000000000000 [ 85.756360][ T5318] FS: 00007f4a270696c0(0000) GS:ffff88808ca5b000(0000) knlGS:0000000000000000 [ 85.760055][ T5318] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 85.762879][ T5318] CR2: ffffed101194b600 CR3: 00000000128e3000 CR4: 0000000000352ef0 [ 85.766254][ T5318] Kernel panic - not syncing: Fatal exception in interrupt [ 85.769604][ T5318] Kernel Offset: disabled [ 85.771472][ T5318] Rebooting in 86400 seconds..