program:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000340)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={{0x14}, [@NFT_MSG_NEWRULE={0x50, 0x6, 0xa, 0x40b, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x24, 0x4, 0x0, 0x1, [{0x20, 0x1, 0x0, 0x1, @ct={{0x7}, @val={0x14, 0x2, 0x0, 0x1, [@NFTA_CT_KEY={0x8, 0x2, 0x1, 0x0, 0xf}, @NFTA_CT_DREG={0x8, 0x1, 0x1, 0x0, 0x14}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x78}}, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000440)=ANY=[@ANYBLOB="1c0000006800e97800000000000000000a00000000000000040004"], 0x1c}}, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000040)={'lo\x00', <r4=>0x0})
sendmsg$nl_route(r2, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000080)=@ipv6_newnexthop={0x40, 0x68, 0x1, 0x0, 0x0, {}, [@NHA_ENCAP_TYPE={0x6, 0x7, 0x2}, @NHA_ENCAP={0x18, 0x8, 0x0, 0x1, @SEG6_IPTUNNEL_SRH={0x14}}, @NHA_OIF={0x8, 0x5, r4}]}, 0x40}}, 0x0)
r5 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r5, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000000)=@ipv4_newroute={0x24, 0x18, 0x35f32a6dfa748ddd, 0x0, 0x0, {0x2, 0x0, 0x10, 0x0, 0xfe, 0x4, 0x0, 0x1, 0x20000000}, [@RTA_NH_ID={0x8, 0x1e, 0x2}]}, 0x24}, 0x1, 0x0, 0x0, 0x4a044}, 0x4010)
r6 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r6, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000000)=@ipv4_newroute={0x24, 0x18, 0x35f32a6dfa748ddd, 0x0, 0x0, {0x2, 0x0, 0x10, 0x0, 0xfd, 0x4, 0x0, 0x1, 0x20000000}, [@RTA_NH_ID={0x8, 0x1e, 0x2}]}, 0x24}, 0x1, 0x0, 0x0, 0x4a044}, 0x4010)
syz_emit_ethernet(0x36, &(0x7f0000000300)={@random="19f7b81b4eda", @empty, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x1, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}, @local}, @timestamp={0xd, 0x0, 0x0, 0x6, 0x1, 0x5, 0x9, 0x9}}}}}, 0x0)

[   85.906440][ T5317] BUG: unable to handle page fault for address: ffffed101194b600
[   85.909691][ T5317] #PF: supervisor read access in kernel mode
[   85.912028][ T5317] #PF: error_code(0x0000) - not-present page
[   85.914612][ T5317] PGD 5ffd5067 P4D 5ffd5067 PUD 2fffa067 PMD 0 
[   85.917178][ T5317] Oops: Oops: 0000 [#1] SMP KASAN NOPTI
[   85.919314][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   85.922974][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.926974][ T5317] RIP: 0010:ip_route_output_key_hash_rcu+0x1264/0x25d0
[   85.929536][ T5317] Code: 83 11 09 49 83 c6 38 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 59 64 26 f8 49 03 1e 4d 89 fd 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 3d 64 26 f8 4c 8b 3b e8 f5 2a a4
[   85.936950][ T5317] RSP: 0018:ffffc9000daaeea0 EFLAGS: 00010a06
[   85.939387][ T5317] RAX: 1ffff1101194b600 RBX: ffff88808ca5b000 RCX: 0000000000100000
[   85.942631][ T5317] RDX: ffffc9000ecda000 RSI: 0000000000000610 RDI: 0000000000000611
[   85.945681][ T5317] RBP: 0000000080000000 R08: ffff88803535a480 R09: 0000000000000003
[   85.948797][ T5317] R10: 0000000000000005 R11: 0000000000000002 R12: dffffc0000000000
[   85.952228][ T5317] R13: 0000000000000000 R14: ffff88801f47dc58 R15: 0000000000000000
[   85.955646][ T5317] FS:  00007f5235edd6c0(0000) GS:ffff88808ca5b000(0000) knlGS:0000000000000000
[   85.959247][ T5317] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   85.961629][ T5317] CR2: ffffed101194b600 CR3: 00000000411d2000 CR4: 0000000000352ef0
[   85.964693][ T5317] Call Trace:
[   85.966230][ T5317]  <TASK>
[   85.967752][ T5317]  ? ip_route_output_key_hash+0xd8/0x2a0
[   85.970420][ T5317]  ip_route_output_key_hash+0x18d/0x2a0
[   85.972980][ T5317]  ? __pfx_ip_route_output_key_hash+0x10/0x10
[   85.975543][ T5317]  ip_route_output_flow+0x2a/0x150
[   85.977727][ T5317]  ? security_skb_classify_flow+0x74/0x280
[   85.980378][ T5317]  icmp_reply+0x991/0xcb0
[   85.982356][ T5317]  ? icmp_reply+0x304/0xcb0
[   85.984382][ T5317]  ? __pfx_icmp_reply+0x10/0x10
[   85.986294][ T5317]  ? __pfx_ktime_get_real_ts64+0x10/0x10
[   85.988671][ T5317]  ? skb_copy_bits+0xf7/0x8f0
[   85.990670][ T5317]  icmp_timestamp+0x24c/0x370
[   85.992840][ T5317]  ? raw_local_deliver+0x30a/0xf40
[   85.995187][ T5317]  ? __pfx_icmp_timestamp+0x10/0x10
[   85.997542][ T5317]  ? __xfrm_policy_check2+0x2cd/0x6f0
[   85.999821][ T5317]  icmp_rcv+0xd14/0x1270
[   86.001651][ T5317]  ? __pfx_icmp_rcv+0x10/0x10
[   86.003651][ T5317]  ip_protocol_deliver_rcu+0x2e0/0x440
[   86.005984][ T5317]  ? ip_local_deliver_finish+0x2ae/0x6f0
[   86.008312][ T5317]  ip_local_deliver_finish+0x3bb/0x6f0
[   86.010743][ T5317]  NF_HOOK+0x336/0x3c0
[   86.012538][ T5317]  ? __pfx_ip_local_deliver_finish+0x10/0x10
[   86.015038][ T5317]  ? NF_HOOK+0x9e/0x3c0
[   86.016867][ T5317]  ? __pfx_NF_HOOK+0x10/0x10
[   86.018857][ T5317]  ? ip_rcv_finish_core+0x10e9/0x1c00
[   86.021176][ T5317]  ? __pfx_ip_local_deliver_finish+0x10/0x10
[   86.023825][ T5317]  ? skb_dst+0x4f/0xd0
[   86.025719][ T5317]  ? ip_local_deliver+0x12a/0x1b0
[   86.027981][ T5317]  NF_HOOK+0x336/0x3c0
[   86.029545][ T5317]  ? __pfx_ip_rcv_finish+0x10/0x10
[   86.031598][ T5317]  ? NF_HOOK+0x9e/0x3c0
[   86.033386][ T5317]  ? __pfx_NF_HOOK+0x10/0x10
[   86.035322][ T5317]  ? __pfx_ip_rcv_finish+0x10/0x10
[   86.037481][ T5317]  ? netif_receive_skb+0x102/0xc50
[   86.039618][ T5317]  ? __pfx_ip_rcv+0x10/0x10
[   86.041503][ T5317]  netif_receive_skb+0x45b/0xc50
[   86.043613][ T5317]  ? __pfx_netif_receive_skb+0x10/0x10
[   86.045793][ T5317]  ? __lock_acquire+0x6b5/0x2cf0
[   86.047931][ T5317]  ? tun_rx_batched+0x185/0x790
[   86.052257][ T5317]  tun_rx_batched+0x1de/0x790
[   86.054855][ T5317]  ? __build_skb+0x62/0x440
[   86.056734][ T5317]  ? __pfx_tun_rx_batched+0x10/0x10
[   86.058959][ T5317]  ? tun_get_user+0x2354/0x3dd0
[   86.061096][ T5317]  ? __local_bh_enable_ip+0xd0/0x130
[   86.063212][ T5317]  ? tun_get_user+0x2669/0x3dd0
[   86.065715][ T5317]  tun_get_user+0x2a78/0x3dd0
[   86.067798][ T5317]  ? aa_file_perm+0x440/0x1630
[   86.069819][ T5317]  ? __pfx_tun_get_user+0x10/0x10
[   86.071803][ T5317]  ? __lock_acquire+0x6b5/0x2cf0
[   86.073808][ T5317]  ? ref_tracker_alloc+0x363/0x4d0
[   86.075945][ T5317]  ? page_table_check_set+0x148/0x610
[   86.078207][ T5317]  ? __pfx_ref_tracker_alloc+0x10/0x10
[   86.080510][ T5317]  ? count_memcg_event_mm+0x21/0x260
[   86.082792][ T5317]  ? tun_get+0x1c/0x2f0
[   86.084730][ T5317]  ? tun_get+0x1c/0x2f0
[   86.087116][ T5317]  ? tun_get+0x1c/0x2f0
[   86.089465][ T5317]  tun_chr_write_iter+0x113/0x200
[   86.092089][ T5317]  vfs_write+0x61d/0xb90
[   86.094046][ T5317]  ? __pfx_vfs_write+0x10/0x10
[   86.096131][ T5317]  ? __fget_files+0x2a/0x420
[   86.098173][ T5317]  ksys_write+0x150/0x270
[   86.100039][ T5317]  ? __pfx_ksys_write+0x10/0x10
[   86.102206][ T5317]  do_syscall_64+0x14d/0xf80
[   86.104313][ T5317]  ? trace_irq_disable+0x3b/0x150
[   86.106512][ T5317]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.109002][ T5317]  ? clear_bhb_loop+0x40/0x90
[   86.110911][ T5317]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.113412][ T5317] RIP: 0033:0x7f5234f5cece
[   86.115468][ T5317] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[   86.123659][ T5317] RSP: 002b:00007f5235edcfb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   86.127319][ T5317] RAX: ffffffffffffffda RBX: 00007f5235edd6c0 RCX: 00007f5234f5cece
[   86.130735][ T5317] RDX: 0000000000000036 RSI: 0000200000000300 RDI: 00000000000000c8
[   86.133987][ T5317] RBP: 00007f5235032b39 R08: 0000000000000000 R09: 0000000000000000
[   86.137288][ T5317] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   86.141106][ T5317] R13: 00007f5235216038 R14: 00007f5235215fa0 R15: 00007ffcc6ded0c8
[   86.144492][ T5317]  </TASK>
[   86.145798][ T5317] Modules linked in:
[   86.147380][ T5317] CR2: ffffed101194b600
[   86.149254][ T5317] ---[ end trace 0000000000000000 ]---
[   86.151566][ T5317] RIP: 0010:ip_route_output_key_hash_rcu+0x1264/0x25d0
[   86.154685][ T5317] Code: 83 11 09 49 83 c6 38 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 59 64 26 f8 49 03 1e 4d 89 fd 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 3d 64 26 f8 4c 8b 3b e8 f5 2a a4
[   86.161944][ T5317] RSP: 0018:ffffc9000daaeea0 EFLAGS: 00010a06
[   86.164511][ T5317] RAX: 1ffff1101194b600 RBX: ffff88808ca5b000 RCX: 0000000000100000
[   86.167765][ T5317] RDX: ffffc9000ecda000 RSI: 0000000000000610 RDI: 0000000000000611
[   86.171043][ T5317] RBP: 0000000080000000 R08: ffff88803535a480 R09: 0000000000000003
[   86.174355][ T5317] R10: 0000000000000005 R11: 0000000000000002 R12: dffffc0000000000
[   86.177769][ T5317] R13: 0000000000000000 R14: ffff88801f47dc58 R15: 0000000000000000
[   86.181145][ T5317] FS:  00007f5235edd6c0(0000) GS:ffff88808ca5b000(0000) knlGS:0000000000000000
[   86.184758][ T5317] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   86.187574][ T5317] CR2: ffffed101194b600 CR3: 00000000411d2000 CR4: 0000000000352ef0
[   86.190917][ T5317] Kernel panic - not syncing: Fatal exception in interrupt
[   86.194389][ T5317] Kernel Offset: disabled
[   86.196424][ T5317] Rebooting in 86400 seconds..