netlink: 'syz.0.2676': attribute type 13 has an invalid length.
==================================================================
BUG: KCSAN: data-race in fib6_del / fib6_walk_continue

write to 0xffffc900077736a0 of 4 bytes by task 10977 on cpu 1:
 fib6_walk_continue+0x343/0x440 net/ipv6/ip6_fib.c:2200
 fib6_walk+0xc5/0x180 net/ipv6/ip6_fib.c:2223
 fib6_clean_tree net/ipv6/ip6_fib.c:2303 [inline]
 __fib6_clean_all net/ipv6/ip6_fib.c:2319 [inline]
 fib6_flush_trees+0x150/0x240 net/ipv6/ip6_fib.c:2344
 rt_genid_bump_ipv6 include/net/net_namespace.h:555 [inline]
 xfrm_policy_insert+0x1e6/0x790 net/xfrm/xfrm_policy.c:1605
 xfrm_add_policy+0x1aa/0x450 net/xfrm/xfrm_user.c:2255
 xfrm_user_rcv_msg+0x566/0x660 net/xfrm/xfrm_user.c:3507
 netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2550
 xfrm_netlink_rcv+0x48/0x60 net/xfrm/xfrm_user.c:3529
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x5c0/0x690 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x58b/0x6b0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x145/0x180 net/socket.c:742
 ____sys_sendmsg+0x31e/0x4a0 net/socket.c:2592
 ___sys_sendmsg+0x17b/0x1d0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0xd4/0x160 net/socket.c:2681
 x64_sys_call+0x17ba/0x3000 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffffc900077736a0 of 4 bytes by task 10974 on cpu 0:
 fib6_del_route net/ipv6/ip6_fib.c:2024 [inline]
 fib6_del+0x4e7/0x8b0 net/ipv6/ip6_fib.c:2091
 fib6_clean_node+0x167/0x280 net/ipv6/ip6_fib.c:2253
 fib6_walk_continue+0x39f/0x440 net/ipv6/ip6_fib.c:2175
 fib6_walk+0xc5/0x180 net/ipv6/ip6_fib.c:2223
 fib6_clean_tree net/ipv6/ip6_fib.c:2303 [inline]
 __fib6_clean_all net/ipv6/ip6_fib.c:2319 [inline]
 fib6_clean_all+0xca/0x140 net/ipv6/ip6_fib.c:2330
 rt6_sync_down_dev net/ipv6/route.c:5014 [inline]
 rt6_disable_ip+0xa6/0x580 net/ipv6/route.c:5019
 addrconf_ifdown+0x8a/0xf00 net/ipv6/addrconf.c:3853
 addrconf_notify+0x222/0x8f0 net/ipv6/addrconf.c:-1
 notifier_call_chain kernel/notifier.c:85 [inline]
 raw_notifier_call_chain+0x6f/0x1b0 kernel/notifier.c:453
 call_netdevice_notifiers_info net/core/dev.c:2243 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]
 call_netdevice_notifiers net/core/dev.c:2295 [inline]
 __dev_notify_flags+0x1d9/0x360 net/core/dev.c:-1
 netif_change_flags+0xac/0xd0 net/core/dev.c:9817
 do_setlink+0x8db/0x2780 net/core/rtnetlink.c:3158
 rtnl_group_changelink net/core/rtnetlink.c:3790 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3944 [inline]
 rtnl_newlink+0xdb5/0x1360 net/core/rtnetlink.c:4072
 rtnetlink_rcv_msg+0x5fe/0x6d0 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2550
 rtnetlink_rcv+0x1c/0x30 net/core/rtnetlink.c:6985
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x5c0/0x690 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x58b/0x6b0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x145/0x180 net/socket.c:742
 ____sys_sendmsg+0x31e/0x4a0 net/socket.c:2592
 ___sys_sendmsg+0x17b/0x1d0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0xd4/0x160 net/socket.c:2681
 x64_sys_call+0x17ba/0x3000 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x00000004 -> 0x00000003

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 10974 Comm: syz.0.2676 Not tainted syzkaller #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
==================================================================
bridge0: port 2(bridge_slave_1) entered disabled state
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Interface deactivated: veth1_vlan
syz.0.2676 (10974) used greatest stack depth: 8872 bytes left