program:
socket$netlink(0x10, 0x3, 0x0)
r0 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000440)=ANY=[@ANYBLOB="1c0000006800e97800000000000000000a00000000000000040004"], 0x1c}}, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
r2 = socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000040)={'lo\x00', <r3=>0x0})
sendmsg$nl_route(r1, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000080)=@ipv6_newnexthop={0x40, 0x68, 0x1, 0x0, 0x0, {}, [@NHA_ENCAP_TYPE={0x6, 0x7, 0x2}, @NHA_ENCAP={0x18, 0x8, 0x0, 0x1, @SEG6_IPTUNNEL_SRH={0x14}}, @NHA_OIF={0x8, 0x5, r3}]}, 0x40}}, 0x0)
r4 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r4, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000000)=@ipv4_newroute={0x24, 0x18, 0x35f32a6dfa748ddd, 0x0, 0x0, {0x2, 0x0, 0x10, 0x0, 0xfe, 0x4, 0x0, 0x1, 0x20000000}, [@RTA_NH_ID={0x8, 0x1e, 0x2}]}, 0x24}, 0x1, 0x0, 0x0, 0x4a044}, 0x4010)
r5 = socket$nl_route(0x10, 0x3, 0x0)
bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000280)={&(0x7f0000000000)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0xc, 0xc, 0x2, [@ptr={0x10000000}]}}, 0x0, 0x26}, 0x20)
syz_mount_image$erofs(&(0x7f0000000180), &(0x7f00000001c0)='./file2\x00', 0x0, &(0x7f0000000080)=ANY=[@ANYRES16=0x0, @ANYRESOCT, @ANYRES32], 0x1, 0x1a2, &(0x7f0000000580)="$eJxiGAWjYBSMWPDo4dcH/7/YPudgYGDgYVBhYIeKv2BGqGFCUn+P413tQR+38P7YpafYH+hxYjPz/3/i7WdhYGA44MjMUALXi6pbBUqHMDDB2aEMTAyaUHY4AyODHpSdwMDEEAZlpzIwMkRC2VlI7HyQej29tMycVL3k/JwUEMMARBiCCCMQYYzuvreNjAwpSO5jBNFQfnFlVXZiTk5qEQ0ZhMLvrSMTgy2S+5DjCxY2BkjhZ8jAymAIZRszMDIEQ9kWDOywsIEECZL/pVgQ5iMlDbr4f5QxyhhcDH5o6qehFSDj6ekvRuIU9/39/584AxHl0/+FjAzqSOUTpCiZBa5q9EtyC/SLK6t0M3MT01PTU/OMjIzNDEwMDEyN9MEFEYTEU/5xgssnLiTzWXGoZWNkY6hILCkpMoSQcL4RhMRW4jKByz8mBg1lCB9U9rOhG/wXUWkxQvF/CKhnYNBgx+n4UTAKRsEoGEAgz8AIK6v+s8AYDlDJ/3BgFDDA7hwFo2AUjIJRMApGwSgYBaNgFIyCUTAKRgH5ABAAAP//iYJ4rw==")
r6 = openat$dir(0xffffffffffffff9c, &(0x7f0000000000)='./file2\x00', 0x121140, 0x13d)
mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x200000d, 0x12, r6, 0x0)
syz_open_dev$usbfs(&(0x7f0000000200), 0xfffffffffffffffe, 0x2001)
sendmsg$nl_route(r5, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000000)=@ipv4_newroute={0x24, 0x18, 0x35f32a6dfa748ddd, 0x0, 0x0, {0x2, 0x0, 0x10, 0x0, 0xfd, 0x4, 0x0, 0x1, 0x20000000}, [@RTA_NH_ID={0x8, 0x1e, 0x2}]}, 0x24}, 0x1, 0x0, 0x0, 0x4a044}, 0x4010)
r7 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r7, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000480)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a05400000000000000000010000000900010073797a300000000040000000030a01010000000000000000010000000900030073797a300000000014000480080002400000000008000140000000000900010073797a30000000004c000000060a01040000000000000000010000002400048020000180080001006f736600140002800500020000000000080001400000001408000b40000000000900010073797a300000000014000000110001"], 0xd4}}, 0x0)
syz_emit_ethernet(0x7a, &(0x7f0000000380)={@local, @link_local, @void, {@ipv4={0x800, @tcp={{0x5, 0x4, 0x0, 0x0, 0x6c, 0x0, 0x0, 0x0, 0x6, 0x0, @rand_addr=0x64010101, @local}, {{0x0, 0x4e22, 0x41424344, 0x41424344, 0x0, 0x6, 0x16, 0x2, 0x0, 0x0, 0x0, {[@mptcp=@generic={0x80, 0x11, "383beff477a952ddc53017c7153023"}, @exp_fastopen={0xfe, 0xa, 0xf989, "7cc669882094"}, @nop, @mptcp=@mp_fclose={0x1e, 0xc, 0x4, 0x0, 0x4}, @mptcp=@add_addr={0x1e, 0x10, 0x0, 0x10, 0x1, @loopback, 0x8c, "667411af93e1"}, @generic={0x4, 0x5, "169713"}, @exp_fastopen={0xfe, 0x4}]}}}}}}}, 0x0)
getsockopt$packet_int(r7, 0x107, 0xa, &(0x7f0000000140), &(0x7f00000001c0)=0x4)

[   91.317380][   T45] Bluetooth: hci0: command tx timeout
[   91.705475][ T5327] loop0: detected capacity change from 0 to 16
[   91.873931][ T5327] erofs (device loop0): mounted with root inode @ nid 36.
[   92.006894][    T9] cfg80211: failed to load regulatory.db
[   92.070678][ T5317] erofs (device loop0): readahead error at folio 2 @ nid 89
[   92.167839][ T5317] erofs (device loop0): readahead error at folio 1 @ nid 89
[   92.176955][ T5317] erofs (device loop0): readahead error at folio 0 @ nid 89
[   92.374458][ T5317] erofs (device loop0): read error -117 @ 0 of nid 89
[   92.519228][ T5318] BUG: unable to handle page fault for address: ffffed101194b000
[   92.549273][ T5318] #PF: supervisor read access in kernel mode
[   92.560717][ T5318] #PF: error_code(0x0000) - not-present page
[   92.572401][ T5318] PGD 5ffd5067 P4D 5ffd5067 PUD 2fffa067 PMD 0 
[   92.581669][ T5318] Oops: Oops: 0000 [#1] SMP KASAN NOPTI
[   92.586452][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   92.611045][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   92.627198][ T5318] RIP: 0010:ip_route_output_key_hash_rcu+0x1264/0x25d0
[   92.637888][ T5318] Code: 43 11 09 49 83 c6 38 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 79 38 26 f8 49 03 1e 4d 89 fd 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 5d 38 26 f8 4c 8b 3b e8 a5 4a a4
[   92.672592][ T5318] RSP: 0018:ffffc9000db3eb60 EFLAGS: 00010a06
[   92.682842][ T5318] RAX: 1ffff1101194b000 RBX: ffff88808ca58000 RCX: 0000000000100000
[   92.690896][ T5318] RDX: ffffc90020001000 RSI: 000000000000036c RDI: 000000000000036d
[   92.697173][ T5318] RBP: 0000000080000000 R08: ffff88801f9bc980 R09: 0000000000000003
[   92.720752][ T5318] R10: 0000000000000005 R11: 0000000000000002 R12: dffffc0000000000
[   92.729184][ T5318] R13: 0000000000000000 R14: ffff888042493b58 R15: 0000000000000000
[   92.740054][ T5318] FS:  00007f1ae237b6c0(0000) GS:ffff88808ca58000(0000) knlGS:0000000000000000
[   92.751267][ T5318] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   92.761844][ T5318] CR2: ffffed101194b000 CR3: 0000000013193000 CR4: 0000000000352ef0
[   92.771513][ T5318] Call Trace:
[   92.774162][ T5318]  <TASK>
[   92.776688][ T5318]  ? ip_route_output_key_hash+0xd8/0x2a0
[   92.782883][ T5318]  ip_route_output_key_hash+0x18d/0x2a0
[   92.797243][ T5318]  ? __pfx_ip_route_output_key_hash+0x10/0x10
[   92.803478][ T5318]  ip_route_output_flow+0x2a/0x150
[   92.809102][ T5318]  ? security_skb_classify_flow+0x74/0x280
[   92.820384][ T5318]  ip_send_unicast_reply+0x721/0x18a0
[   92.826741][ T5318]  ? save_trace+0x290/0x390
[   92.830038][ T5318]  ? __pfx_ip_send_unicast_reply+0x10/0x10
[   92.839697][ T5318]  ? lockdep_hardirqs_on+0x7a/0x110
[   92.843840][ T5318]  ? lock_acquire+0x20b/0x2e0
[   92.848836][ T5318]  tcp_v4_send_reset+0x15a6/0x26e0
[   92.853659][ T5318]  ? inet_ehashfn+0x8d/0x220
[   92.857566][ T5318]  ? tcp_v4_send_reset+0x638/0x26e0
[   92.862203][ T5318]  ? __pfx_tcp_v4_send_reset+0x10/0x10
[   92.869654][ T5318]  ? csum_partial+0x239/0x2c0
[   92.877403][ T5318]  ? tcp_checksum_complete+0x176/0x200
[   92.880478][ T5318]  tcp_v4_rcv+0x21e2/0x31f0
[   92.892147][ T5318]  ? __pfx_tcp_v4_rcv+0x10/0x10
[   92.896309][ T5318]  ? raw_local_deliver+0x30a/0xf40
[   92.900520][ T5318]  ? __pfx_tcp_v4_rcv+0x10/0x10
[   92.908086][ T5318]  ip_protocol_deliver_rcu+0x221/0x440
[   92.921871][ T5318]  ? ip_local_deliver_finish+0x2ae/0x6f0
[   92.933582][ T5318]  ip_local_deliver_finish+0x3bb/0x6f0
[   92.942575][ T5318]  NF_HOOK+0x336/0x3c0
[   92.947326][ T5318]  ? __pfx_ip_local_deliver_finish+0x10/0x10
[   92.952930][ T5318]  ? NF_HOOK+0x9e/0x3c0
[   92.958804][ T5318]  ? __pfx_NF_HOOK+0x10/0x10
[   92.964054][ T5318]  ? ip_rcv_finish_core+0xda3/0x1c00
[   92.970668][ T5318]  ? __pfx_ip_local_deliver_finish+0x10/0x10
[   92.981869][ T5318]  ? skb_dst+0x4f/0xd0
[   92.989533][ T5318]  ? ip_local_deliver+0x12a/0x1b0
[   92.996787][ T5318]  NF_HOOK+0x336/0x3c0
[   93.025068][ T5318]  ? __pfx_ip_rcv_finish+0x10/0x10
[   93.042533][ T5318]  ? NF_HOOK+0x9e/0x3c0
[   93.044653][ T5318]  ? __pfx_NF_HOOK+0x10/0x10
[   93.046652][ T5318]  ? __pfx_ip_rcv_finish+0x10/0x10
[   93.048704][ T5318]  ? netif_receive_skb+0x102/0xc50
[   93.051673][ T5318]  ? __pfx_ip_rcv+0x10/0x10
[   93.056020][ T5318]  netif_receive_skb+0x45b/0xc50
[   93.062858][ T5318]  ? __pfx_netif_receive_skb+0x10/0x10
[   93.071866][ T5318]  ? __lock_acquire+0x6b5/0x2cf0
[   93.079352][ T5318]  ? tun_rx_batched+0x185/0x790
[   93.086374][ T5318]  tun_rx_batched+0x1de/0x790
[   93.089930][ T5318]  ? __build_skb+0x62/0x440
[   93.092851][ T5318]  ? __pfx_tun_rx_batched+0x10/0x10
[   93.105016][ T5318]  ? tun_get_user+0x2354/0x3dd0
[   93.130432][ T5318]  ? __local_bh_enable_ip+0xd0/0x130
[   93.146841][ T5318]  ? tun_get_user+0x2669/0x3dd0
[   93.149091][ T5318]  tun_get_user+0x2a78/0x3dd0
[   93.151468][ T5318]  ? aa_file_perm+0x50e/0x15e0
[   93.171303][ T5318]  ? __pfx_tun_get_user+0x10/0x10
[   93.174343][ T5318]  ? aa_file_perm+0x192/0x15e0
[   93.185887][ T5318]  ? ref_tracker_alloc+0x35c/0x4c0
[   93.188722][ T5318]  ? __pfx_ref_tracker_alloc+0x10/0x10
[   93.195525][ T5318]  ? tun_get+0x1c/0x2f0
[   93.197357][ T5318]  ? tun_get+0x1c/0x2f0
[   93.199128][ T5318]  ? tun_get+0x1c/0x2f0
[   93.206691][ T5318]  tun_chr_write_iter+0x113/0x200
[   93.212023][ T5318]  vfs_write+0x61d/0xb90
[   93.265613][ T5318]  ? __pfx_vfs_write+0x10/0x10
[   93.268374][ T5318]  ? __fget_files+0x2a/0x420
[   93.270882][ T5318]  ksys_write+0x150/0x270
[   93.273003][ T5318]  ? __pfx_ksys_write+0x10/0x10
[   93.276706][ T5318]  do_syscall_64+0x14d/0xf80
[   93.283173][ T5318]  ? trace_irq_disable+0x3b/0x150
[   93.291086][ T5318]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   93.299413][ T5318]  ? clear_bhb_loop+0x40/0x90
[   93.306648][ T5318]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   93.315613][ T5318] RIP: 0033:0x7f1ae155cfce
[   93.321468][ T5318] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[   93.367428][ T5318] RSP: 002b:00007f1ae237af78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   93.382768][ T5318] RAX: ffffffffffffffda RBX: 00007f1ae237b6c0 RCX: 00007f1ae155cfce
[   93.387007][ T5318] RDX: 000000000000007a RSI: 0000200000000380 RDI: 00000000000000c8
[   93.390852][ T5318] RBP: 00007f1ae1632bd9 R08: 0000000000000000 R09: 0000000000000000
[   93.407081][ T5318] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   93.410810][ T5318] R13: 00007f1ae1816128 R14: 00007f1ae1816090 R15: 00007ffcc33af8f8
[   93.414755][ T5318]  </TASK>
[   93.426791][ T5318] Modules linked in:
[   93.428921][ T5318] CR2: ffffed101194b000
[   93.431694][ T5318] ---[ end trace 0000000000000000 ]---
[   93.435016][ T5318] RIP: 0010:ip_route_output_key_hash_rcu+0x1264/0x25d0
[   93.438348][ T5318] Code: 43 11 09 49 83 c6 38 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 79 38 26 f8 49 03 1e 4d 89 fd 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 5d 38 26 f8 4c 8b 3b e8 a5 4a a4
[   93.477555][ T5318] RSP: 0018:ffffc9000db3eb60 EFLAGS: 00010a06
[   93.480214][ T5318] RAX: 1ffff1101194b000 RBX: ffff88808ca58000 RCX: 0000000000100000
[   93.483490][ T5318] RDX: ffffc90020001000 RSI: 000000000000036c RDI: 000000000000036d
[   93.487159][ T5318] RBP: 0000000080000000 R08: ffff88801f9bc980 R09: 0000000000000003
[   93.500617][ T5318] R10: 0000000000000005 R11: 0000000000000002 R12: dffffc0000000000
[   93.504329][ T5318] R13: 0000000000000000 R14: ffff888042493b58 R15: 0000000000000000
[   93.508677][ T5318] FS:  00007f1ae237b6c0(0000) GS:ffff88808ca58000(0000) knlGS:0000000000000000
[   93.518818][ T5318] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   93.533869][ T5318] CR2: ffffed101194b000 CR3: 0000000013193000 CR4: 0000000000352ef0
[   93.537757][ T5318] Kernel panic - not syncing: Fatal exception in interrupt
[   93.544732][ T5318] Kernel Offset: disabled
[   93.547053][ T5318] Rebooting in 86400 seconds..