program:
# Annotated syzkaller reproducer (one call per line; '#' lines are comments).
# Constants are decoded from the numeric fields the kernel actually sees;
# anything not visible in the program or the KASAN report below is marked as
# an assumption to confirm.
#
# Three rtnetlink sockets: AF_NETLINK (0x10), SOCK_RAW (0x3), NETLINK_ROUTE (0x0).
# The second socket's fd is discarded.
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
# RTM_NEWNEXTHOP (nlmsg_type 0x68 = 104) carrying a single flag attribute,
# NHA_BLACKHOLE (nlattr len 0x4 = header only), and no NHA_ID. nlmsg_flags is a
# fuzzed 64-bit value (only its low 16 bits are the real flags) and nlmsg_pid is
# 0xfffffffd. iov_len (0x34) is larger than nlmsg_len (0x1c); the kernel walks
# the buffer by nlmsg_len.
# Presumably the kernel auto-assigns the first free nexthop id, 1 -- TODO
# confirm; it matches the RTA_NH_ID value used by the route request below.
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x51, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0xfffffffd, {}, [@NHA_BLACKHOLE={0x4}]}, 0x34}}, 0x0)
# Despite syzkaller's @ipv6_newrule / FRA_* labels, nlmsg_type 0x18 (24) is
# RTM_NEWROUTE, not RTM_NEWRULE (32); the call trace confirms dispatch to
# inet6_rtm_newroute (AF_INET6). nlmsg_flags 0x409 =
# NLM_F_REQUEST|NLM_F_ECHO|NLM_F_CREATE. The rtmsg header is left at template
# defaults and no RTA_DST is given, so this is presumably a ::/0 route in the
# default table -- confirm.
# The kernel parses the attributes by numeric type under RTA_*, not by the
# syzkaller label: type 0x1e (30) = RTA_NH_ID with value 1, i.e. the route
# references the blackhole nexthop object created above; type 0x17 (23) =
# RTA_EXPIRES (u32 policy; assumption: the 8-byte payload passes liberal
# validation and only the first 4 bytes, 0x4e21, are read).
# The identical message is sent twice, first asynchronously, then
# synchronously, so the second add reaches fib6_add_rt2node with an equal
# route already present in the node.
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0) (async)
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0)
# Crash correlation: the register dump in the report shows RDI=3 (r0) and
# RSI=0x200000004380 (syzkaller maps the 0x7f00... data area at 0x2000...), so
# the faulting sendmsg is this RTM_NEWROUTE; the bridge0/RTM_NEWLINK tail below
# is most likely never reached.
# What KASAN reports: a 1-byte read at ffff88803dd1cede, 22 bytes past the end
# of a 200-byte fib6_info [ce00, cec8) in kmalloc-256, allocated by
# fib6_info_alloc via ip6_route_info_create. A fib6_info that references a
# nexthop object is allocated without an embedded fib6_nh, so an access at
# object offset 222 is consistent with fib6_add_rt2node reading fib6_nh state
# of a nexthop-object route -- NOTE(review): inferred from the offsets; confirm
# against the fib6_add_rt2node source at +0x349c before writing the fix.
# Reachability: RTM_NEWNEXTHOP/RTM_NEWROUTE are CAP_NET_ADMIN-gated in the
# socket's netns. This run was UID 0, but where unprivileged user namespaces
# are enabled a user netns grants that capability, so treat the bug as
# unprivileged-reachable until shown otherwise.
r1 = socket$nl_route(0x10, 0x3, 0x0)
# AF_PACKET (0x11; socket() takes the domain as int, so the high bits of
# 0x200000000000011 are discarded), SOCK_DGRAM (0x2). The first call is async
# and its fd is discarded; r2 is the synchronous one.
socket(0x200000000000011, 0x2, 0x0) (async)
r2 = socket(0x200000000000011, 0x2, 0x0)
# SIOCGIFINDEX (0x8933) on "bridge0". The r3 used by the next call is the
# ifindex this ioctl returns; the syzkaller result-binding marker on the 0x0
# field appears to have been lost when the page was rendered.
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'bridge0\x00', 0x0})
# RTM_NEWLINK (0x10 = 16), flags 0x403 = NLM_F_REQUEST|NLM_F_MULTI|NLM_F_CREATE;
# ifinfomsg: type 0x74, index r3, change mask 0x11203. Not on the crash path
# (see the register correlation above).
sendmsg$nl_route(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@newlink={0x20, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r3, 0x0, 0x11203}}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0)
[ 74.858867][ T5298] Bluetooth: hci0: command tx timeout [ 74.937750][ T5318] ================================================================== [ 74.940699][ T5318] BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 [ 74.944288][ T5318] Read of size 1 at addr ffff88803dd1cede by task syz.0.0/5318 [ 74.947591][ T5318] [ 74.948685][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 74.948699][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 74.948706][ T5318] Call Trace: [ 74.948713][ T5318] [ 74.948720][ T5318] dump_stack_lvl+0xe8/0x150 [ 74.948739][ T5318] print_report+0xba/0x230 [ 74.948754][ T5318] ? 
fib6_add_rt2node+0x349c/0x3500 [ 74.948766][ T5318] kasan_report+0x117/0x150 [ 74.948784][ T5318] ? fib6_add_rt2node+0x349c/0x3500 [ 74.948796][ T5318] fib6_add_rt2node+0x349c/0x3500 [ 74.948809][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 74.948825][ T5318] ? __pfx_fib6_add_rt2node+0x10/0x10 [ 74.948843][ T5318] ? do_raw_spin_lock+0x12b/0x2f0 [ 74.948854][ T5318] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 74.948867][ T5318] fib6_add+0x910/0x18c0 [ 74.948883][ T5318] ? do_raw_spin_lock+0x12b/0x2f0 [ 74.948890][ T5318] ? __pfx_fib6_add+0x10/0x10 [ 74.948901][ T5318] ? ip6_route_add+0xc9/0x1b0 [ 74.948908][ T5318] ip6_route_add+0xde/0x1b0 [ 74.948915][ T5318] inet6_rtm_newroute+0x268/0x19e0 [ 74.948926][ T5318] ? kasan_quarantine_put+0xbb/0x1f0 [ 74.948936][ T5318] ? lockdep_hardirqs_on+0x7a/0x110 [ 74.948945][ T5318] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 74.948955][ T5318] ? kmem_cache_free+0x187/0x630 [ 74.948970][ T5318] ? nlmon_xmit+0xb0/0x100 [ 74.949030][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 74.949039][ T5318] ? __local_bh_enable_ip+0xd0/0x130 [ 74.949053][ T5318] ? lockdep_hardirqs_on+0x7a/0x110 [ 74.949068][ T5318] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 74.949082][ T5318] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 74.949096][ T5318] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 74.949105][ T5318] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.949113][ T5318] ? ref_tracker_free+0x693/0x840 [ 74.949124][ T5318] ? __copy_skb_header+0xa3/0x4a0 [ 74.949135][ T5318] ? __pfx_ref_tracker_free+0x10/0x10 [ 74.949149][ T5318] ? __skb_clone+0x63/0x7a0 [ 74.949162][ T5318] netlink_rcv_skb+0x232/0x4b0 [ 74.949177][ T5318] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.949191][ T5318] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 74.949207][ T5318] ? netlink_deliver_tap+0x2e/0x1b0 [ 74.949222][ T5318] netlink_unicast+0x80f/0x9b0 [ 74.949237][ T5318] ? __pfx_netlink_unicast+0x10/0x10 [ 74.949250][ T5318] ? netlink_sendmsg+0x650/0xb40 [ 74.949264][ T5318] ? 
skb_put+0x11b/0x210 [ 74.949284][ T5318] netlink_sendmsg+0x813/0xb40 [ 74.949298][ T5318] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.949313][ T5318] ? aa_sock_msg_perm+0xf1/0x1b0 [ 74.949330][ T5318] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 74.949346][ T5318] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.949360][ T5318] ____sys_sendmsg+0xa68/0xad0 [ 74.949371][ T5318] ? futex_unqueue+0x211/0x240 [ 74.949384][ T5318] ? __pfx_____sys_sendmsg+0x10/0x10 [ 74.949396][ T5318] ? import_iovec+0x73/0xa0 [ 74.949409][ T5318] ___sys_sendmsg+0x2a5/0x360 [ 74.949421][ T5318] ? __pfx____sys_sendmsg+0x10/0x10 [ 74.949433][ T5318] ? futex_wait+0x29a/0x380 [ 74.949453][ T5318] ? __fget_files+0x2a/0x420 [ 74.949466][ T5318] ? __fget_files+0x3a0/0x420 [ 74.949479][ T5318] __x64_sys_sendmsg+0x1bd/0x2a0 [ 74.949490][ T5318] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 74.949503][ T5318] ? rcu_is_watching+0x15/0xb0 [ 74.949520][ T5318] do_syscall_64+0x14d/0xf80 [ 74.949533][ T5318] ? trace_irq_disable+0x3b/0x150 [ 74.949547][ T5318] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.949559][ T5318] ? 
clear_bhb_loop+0x40/0x90 [ 74.949571][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.949582][ T5318] RIP: 0033:0x7f243ad9bf79 [ 74.949595][ T5318] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 74.949605][ T5318] RSP: 002b:00007f243bd17028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 74.949618][ T5318] RAX: ffffffffffffffda RBX: 00007f243b015fa0 RCX: 00007f243ad9bf79 [ 74.949626][ T5318] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003 [ 74.949633][ T5318] RBP: 00007f243ae327e0 R08: 0000000000000000 R09: 0000000000000000 [ 74.949640][ T5318] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.949646][ T5318] R13: 00007f243b016038 R14: 00007f243b015fa0 R15: 00007ffd08bf5078 [ 74.949657][ T5318] [ 74.949661][ T5318] [ 75.131457][ T5318] Allocated by task 5318: [ 75.133295][ T5318] kasan_save_track+0x3e/0x80 [ 75.135224][ T5318] __kasan_kmalloc+0x93/0xb0 [ 75.137096][ T5318] __kmalloc_noprof+0x35c/0x760 [ 75.138857][ T5318] fib6_info_alloc+0x30/0xf0 [ 75.140667][ T5318] ip6_route_info_create+0x142/0x860 [ 75.142826][ T5318] ip6_route_add+0x49/0x1b0 [ 75.144635][ T5318] inet6_rtm_newroute+0x268/0x19e0 [ 75.146705][ T5318] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 75.148701][ T5318] netlink_rcv_skb+0x232/0x4b0 [ 75.150522][ T5318] netlink_unicast+0x80f/0x9b0 [ 75.152495][ T5318] netlink_sendmsg+0x813/0xb40 [ 75.154253][ T5318] ____sys_sendmsg+0xa68/0xad0 [ 75.156220][ T5318] ___sys_sendmsg+0x2a5/0x360 [ 75.158232][ T5318] __x64_sys_sendmsg+0x1bd/0x2a0 [ 75.160474][ T5318] do_syscall_64+0x14d/0xf80 [ 75.162623][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.165257][ T5318] [ 75.166363][ T5318] The buggy address belongs to the object at ffff88803dd1ce00 [ 75.166363][ T5318] which belongs to the cache kmalloc-256 of size 256 [ 75.172389][ T5318] The buggy address is located 22 
bytes to the right of [ 75.172389][ T5318] allocated 200-byte region [ffff88803dd1ce00, ffff88803dd1cec8) [ 75.178289][ T5318] [ 75.179222][ T5318] The buggy address belongs to the physical page: [ 75.181789][ T5318] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3dd1c [ 75.185255][ T5318] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 75.188374][ T5318] page_type: f5(slab) [ 75.189880][ T5318] raw: 04fff00000000000 ffff88801a841b40 dead000000000122 0000000000000000 [ 75.193214][ T5318] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 75.196425][ T5318] page dumped because: kasan: bad access detected [ 75.198966][ T5318] page_owner tracks the page as allocated [ 75.201432][ T5318] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5297, tgid 5297 (syz-executor), ts 73354819539, free_ts 73354754127 [ 75.210041][ T5318] post_alloc_hook+0x231/0x280 [ 75.212190][ T5318] get_page_from_freelist+0x24dc/0x2580 [ 75.214616][ T5318] __alloc_frozen_pages_noprof+0x18d/0x380 [ 75.217229][ T5318] allocate_slab+0x77/0x660 [ 75.219233][ T5318] refill_objects+0x331/0x3c0 [ 75.221389][ T5318] __pcs_replace_empty_main+0x2b9/0x620 [ 75.223832][ T5318] __kmalloc_node_track_caller_noprof+0x572/0x7b0 [ 75.226737][ T5318] kmemdup_array+0x3f/0x80 [ 75.228662][ T5318] ebt_register_table+0x99e/0x10e0 [ 75.230850][ T5318] find_inlist_lock_noload+0x183/0x270 [ 75.233290][ T5318] do_ebt_get_ctl+0x2d5/0x1dd0 [ 75.235546][ T5318] nf_getsockopt+0x26e/0x290 [ 75.237616][ T5318] ip_getsockopt+0x19e/0x230 [ 75.239688][ T5318] do_sock_getsockopt+0x37f/0x670 [ 75.242019][ T5318] __x64_sys_getsockopt+0x1a4/0x240 [ 75.244342][ T5318] do_syscall_64+0x14d/0xf80 [ 75.246379][ T5318] page last free pid 5297 tgid 5297 stack trace: [ 75.249095][ T5318] __free_frozen_pages+0xc00/0xd90 [ 75.251380][ T5318] __kasan_populate_vmalloc+0x137/0x1d0 [ 75.253721][ 
T5318] alloc_vmap_area+0xd73/0x14b0 [ 75.255892][ T5318] __get_vm_area_node+0x1f8/0x300 [ 75.258182][ T5318] __vmalloc_node_range_noprof+0x372/0x1730 [ 75.260814][ T5318] vmalloc_noprof+0xb2/0xe0 [ 75.262916][ T5318] ebt_register_table+0x231/0x10e0 [ 75.265153][ T5318] find_inlist_lock_noload+0x183/0x270 [ 75.267614][ T5318] do_ebt_get_ctl+0x2d5/0x1dd0 [ 75.269803][ T5318] nf_getsockopt+0x26e/0x290 [ 75.271939][ T5318] ip_getsockopt+0x19e/0x230 [ 75.273901][ T5318] do_sock_getsockopt+0x37f/0x670 [ 75.275914][ T5318] __x64_sys_getsockopt+0x1a4/0x240 [ 75.278208][ T5318] do_syscall_64+0x14d/0xf80 [ 75.280346][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.282987][ T5318] [ 75.283985][ T5318] Memory state around the buggy address: [ 75.286250][ T5318] ffff88803dd1cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.289730][ T5318] ffff88803dd1ce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.292762][ T5318] >ffff88803dd1ce80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc [ 75.295708][ T5318] ^ [ 75.298195][ T5318] ffff88803dd1cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.301626][ T5318] ffff88803dd1cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.305093][ T5318] ================================================================== [ 75.308688][ T5318] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.312348][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.317143][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 75.322498][ T5318] Call Trace: [ 75.324227][ T5318] [ 75.325744][ T5318] vpanic+0x56c/0xa60 [ 75.327776][ T5318] ? __pfx_vpanic+0x10/0x10 [ 75.330075][ T5318] panic+0xc5/0xd0 [ 75.331762][ T5318] ? __pfx_panic+0x10/0x10 [ 75.333674][ T5318] ? fib6_add_rt2node+0x349c/0x3500 [ 75.336019][ T5318] ? fib6_add_rt2node+0x349c/0x3500 [ 75.338338][ T5318] check_panic_on_warn+0x89/0xb0 [ 75.340405][ T5318] ? 
fib6_add_rt2node+0x349c/0x3500 [ 75.342557][ T5318] end_report+0x73/0x180 [ 75.344263][ T5318] ? fib6_add_rt2node+0x349c/0x3500 [ 75.346218][ T5318] kasan_report+0x128/0x150 [ 75.348273][ T5318] ? fib6_add_rt2node+0x349c/0x3500 [ 75.350617][ T5318] fib6_add_rt2node+0x349c/0x3500 [ 75.352907][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 75.355101][ T5318] ? __pfx_fib6_add_rt2node+0x10/0x10 [ 75.357651][ T5318] ? do_raw_spin_lock+0x12b/0x2f0 [ 75.360493][ T5318] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 75.363491][ T5318] fib6_add+0x910/0x18c0 [ 75.365486][ T5318] ? do_raw_spin_lock+0x12b/0x2f0 [ 75.367774][ T5318] ? __pfx_fib6_add+0x10/0x10 [ 75.369483][ T5318] ? ip6_route_add+0xc9/0x1b0 [ 75.371320][ T5318] ip6_route_add+0xde/0x1b0 [ 75.373154][ T5318] inet6_rtm_newroute+0x268/0x19e0 [ 75.375216][ T5318] ? kasan_quarantine_put+0xbb/0x1f0 [ 75.377417][ T5318] ? lockdep_hardirqs_on+0x7a/0x110 [ 75.379736][ T5318] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 75.382413][ T5318] ? kmem_cache_free+0x187/0x630 [ 75.384521][ T5318] ? nlmon_xmit+0xb0/0x100 [ 75.386239][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 75.388186][ T5318] ? __local_bh_enable_ip+0xd0/0x130 [ 75.390323][ T5318] ? lockdep_hardirqs_on+0x7a/0x110 [ 75.392441][ T5318] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 75.394539][ T5318] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 75.396532][ T5318] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 75.398615][ T5318] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.400704][ T5318] ? ref_tracker_free+0x693/0x840 [ 75.402740][ T5318] ? __copy_skb_header+0xa3/0x4a0 [ 75.404737][ T5318] ? __pfx_ref_tracker_free+0x10/0x10 [ 75.406916][ T5318] ? __skb_clone+0x63/0x7a0 [ 75.408943][ T5318] netlink_rcv_skb+0x232/0x4b0 [ 75.410624][ T5318] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.412432][ T5318] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 75.414567][ T5318] ? netlink_deliver_tap+0x2e/0x1b0 [ 75.417135][ T5318] netlink_unicast+0x80f/0x9b0 [ 75.419472][ T5318] ? __pfx_netlink_unicast+0x10/0x10 [ 75.422399][ T5318] ? 
netlink_sendmsg+0x650/0xb40 [ 75.425153][ T5318] ? skb_put+0x11b/0x210 [ 75.427266][ T5318] netlink_sendmsg+0x813/0xb40 [ 75.429392][ T5318] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.431703][ T5318] ? aa_sock_msg_perm+0xf1/0x1b0 [ 75.433508][ T5318] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 75.435406][ T5318] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.437289][ T5318] ____sys_sendmsg+0xa68/0xad0 [ 75.439176][ T5318] ? futex_unqueue+0x211/0x240 [ 75.441226][ T5318] ? __pfx_____sys_sendmsg+0x10/0x10 [ 75.443554][ T5318] ? import_iovec+0x73/0xa0 [ 75.445549][ T5318] ___sys_sendmsg+0x2a5/0x360 [ 75.447720][ T5318] ? __pfx____sys_sendmsg+0x10/0x10 [ 75.450089][ T5318] ? futex_wait+0x29a/0x380 [ 75.452092][ T5318] ? __fget_files+0x2a/0x420 [ 75.453836][ T5318] ? __fget_files+0x3a0/0x420 [ 75.455598][ T5318] __x64_sys_sendmsg+0x1bd/0x2a0 [ 75.457617][ T5318] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 75.459806][ T5318] ? rcu_is_watching+0x15/0xb0 [ 75.461791][ T5318] do_syscall_64+0x14d/0xf80 [ 75.463558][ T5318] ? trace_irq_disable+0x3b/0x150 [ 75.465698][ T5318] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.468224][ T5318] ? 
clear_bhb_loop+0x40/0x90 [ 75.470197][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.472683][ T5318] RIP: 0033:0x7f243ad9bf79 [ 75.474457][ T5318] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 75.482208][ T5318] RSP: 002b:00007f243bd17028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 75.485666][ T5318] RAX: ffffffffffffffda RBX: 00007f243b015fa0 RCX: 00007f243ad9bf79 [ 75.488854][ T5318] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003 [ 75.492110][ T5318] RBP: 00007f243ae327e0 R08: 0000000000000000 R09: 0000000000000000 [ 75.495321][ T5318] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.498644][ T5318] R13: 00007f243b016038 R14: 00007f243b015fa0 R15: 00007ffd08bf5078 [ 75.501902][ T5318] [ 75.503590][ T5318] Kernel Offset: disabled [ 75.505436][ T5318] Rebooting in 86400 seconds..