program:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0) (async)
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0)
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0) (async)
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x200000000000011, 0x2, 0x0) (async)
r3 = socket(0x200000000000011, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'bridge0\x00', <r4=>0x0})
ioctl$SNDCTL_DSP_NONBLOCK(r3, 0x500e, 0x0)
sendmsg$nl_route(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@newlink={0x20, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r4, 0x0, 0x11203}}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0)

[   86.545986][ T5298] Bluetooth: hci0: command tx timeout
[   86.731685][ T5320] ==================================================================
[   86.734730][ T5320] BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500
[   86.737946][ T5320] Read of size 1 at addr ffff888042c388de by task syz.0.0/5320
[   86.740906][ T5320] 
[   86.742035][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.742049][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   86.742055][ T5320] Call Trace:
[   86.742062][ T5320]  <TASK>
[   86.742068][ T5320]  dump_stack_lvl+0xe8/0x150
[   86.742109][ T5320]  print_report+0xba/0x230
[   86.742121][ T5320]  ? fib6_add_rt2node+0x349c/0x3500
[   86.742137][ T5320]  kasan_report+0x117/0x150
[   86.742175][ T5320]  ? stack_trace_save+0xa9/0x100
[   86.742205][ T5320]  ? fib6_add_rt2node+0x349c/0x3500
[   86.742219][ T5320]  fib6_add_rt2node+0x349c/0x3500
[   86.742234][ T5320]  ? __lock_acquire+0x6b5/0x2cf0
[   86.742250][ T5320]  ? __pfx_fib6_add_rt2node+0x10/0x10
[   86.742263][ T5320]  ? do_raw_spin_lock+0x12b/0x2f0
[   86.742276][ T5320]  ? fib6_add+0x84b/0x18c0
[   86.742288][ T5320]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   86.742302][ T5320]  fib6_add+0x910/0x18c0
[   86.742316][ T5320]  ? do_raw_spin_lock+0x12b/0x2f0
[   86.742329][ T5320]  ? __pfx_fib6_add+0x10/0x10
[   86.742343][ T5320]  ? ip6_route_add+0xc9/0x1b0
[   86.742358][ T5320]  ip6_route_add+0xde/0x1b0
[   86.742372][ T5320]  inet6_rtm_newroute+0x268/0x19e0
[   86.742381][ T5320]  ? kasan_quarantine_put+0xbb/0x1f0
[   86.742388][ T5320]  ? lockdep_hardirqs_on+0x7a/0x110
[   86.742443][ T5320]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   86.742455][ T5320]  ? kmem_cache_free+0x195/0x610
[   86.742466][ T5320]  ? nlmon_xmit+0xb0/0x100
[   86.742576][ T5320]  ? __lock_acquire+0x6b5/0x2cf0
[   86.742589][ T5320]  ? __local_bh_enable_ip+0xd0/0x130
[   86.742602][ T5320]  ? lockdep_hardirqs_on+0x7a/0x110
[   86.742619][ T5320]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   86.742631][ T5320]  rtnetlink_rcv_msg+0x7d5/0xbe0
[   86.742685][ T5320]  ? rtnetlink_rcv_msg+0x1b9/0xbe0
[   86.742704][ T5320]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   86.742717][ T5320]  ? ref_tracker_free+0x693/0x840
[   86.742754][ T5320]  ? __copy_skb_header+0xa3/0x4a0
[   86.742769][ T5320]  ? __pfx_ref_tracker_free+0x10/0x10
[   86.742780][ T5320]  ? __skb_clone+0x63/0x7a0
[   86.742789][ T5320]  netlink_rcv_skb+0x232/0x4b0
[   86.742810][ T5320]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   86.742823][ T5320]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   86.742837][ T5320]  ? netlink_deliver_tap+0x2e/0x1b0
[   86.742851][ T5320]  netlink_unicast+0x80f/0x9b0
[   86.742864][ T5320]  ? __pfx_netlink_unicast+0x10/0x10
[   86.742870][ T5320]  ? __alloc_skb+0x193/0x390
[   86.742878][ T5320]  ? netlink_sendmsg+0x650/0xb40
[   86.742885][ T5320]  ? skb_put+0x11b/0x210
[   86.742894][ T5320]  netlink_sendmsg+0x813/0xb40
[   86.742903][ T5320]  ? __pfx_netlink_sendmsg+0x10/0x10
[   86.742911][ T5320]  ? aa_sock_msg_perm+0xf1/0x1b0
[   86.742920][ T5320]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[   86.742929][ T5320]  ? __pfx_netlink_sendmsg+0x10/0x10
[   86.742936][ T5320]  ____sys_sendmsg+0xa68/0xad0
[   86.742946][ T5320]  ? __might_fault+0xaf/0x130
[   86.742953][ T5320]  ? __pfx_____sys_sendmsg+0x10/0x10
[   86.742963][ T5320]  ? import_iovec+0x73/0xa0
[   86.742973][ T5320]  ___sys_sendmsg+0x2a5/0x360
[   86.742982][ T5320]  ? __lock_acquire+0x6b5/0x2cf0
[   86.742989][ T5320]  ? __pfx____sys_sendmsg+0x10/0x10
[   86.742998][ T5320]  ? futex_wait+0x29a/0x380
[   86.743009][ T5320]  ? __fget_files+0x2a/0x420
[   86.743018][ T5320]  ? __fget_files+0x3a0/0x420
[   86.743028][ T5320]  __x64_sys_sendmsg+0x1bd/0x2a0
[   86.743037][ T5320]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[   86.743047][ T5320]  ? rcu_is_watching+0x15/0xb0
[   86.743056][ T5320]  do_syscall_64+0x14d/0xf80
[   86.743065][ T5320]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.743074][ T5320]  ? trace_irq_disable+0x37/0x100
[   86.743085][ T5320]  ? clear_bhb_loop+0x40/0x90
[   86.743095][ T5320]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.743105][ T5320] RIP: 0033:0x7f647079bf79
[   86.743116][ T5320] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   86.743124][ T5320] RSP: 002b:00007f64716c4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   86.743136][ T5320] RAX: ffffffffffffffda RBX: 00007f6470a16090 RCX: 00007f647079bf79
[   86.743141][ T5320] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003
[   86.743148][ T5320] RBP: 00007f64708327e0 R08: 0000000000000000 R09: 0000000000000000
[   86.743154][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   86.743160][ T5320] R13: 00007f6470a16128 R14: 00007f6470a16090 R15: 00007fff2b6a3ce8
[   86.743170][ T5320]  </TASK>
[   86.743173][ T5320] 
[   86.935482][ T5320] Allocated by task 5319:
[   86.937218][ T5320]  kasan_save_track+0x3e/0x80
[   86.939352][ T5320]  __kasan_kmalloc+0x93/0xb0
[   86.941327][ T5320]  __kmalloc_noprof+0x40c/0x7e0
[   86.943442][ T5320]  fib6_info_alloc+0x30/0xf0
[   86.945523][ T5320]  ip6_route_info_create+0x142/0x860
[   86.947920][ T5320]  ip6_route_add+0x49/0x1b0
[   86.949777][ T5320]  inet6_rtm_newroute+0x268/0x19e0
[   86.951777][ T5320]  rtnetlink_rcv_msg+0x7d5/0xbe0
[   86.953814][ T5320]  netlink_rcv_skb+0x232/0x4b0
[   86.955859][ T5320]  netlink_unicast+0x80f/0x9b0
[   86.957998][ T5320]  netlink_sendmsg+0x813/0xb40
[   86.960074][ T5320]  ____sys_sendmsg+0xa68/0xad0
[   86.962174][ T5320]  ___sys_sendmsg+0x2a5/0x360
[   86.964210][ T5320]  __x64_sys_sendmsg+0x1bd/0x2a0
[   86.968105][ T5320]  do_syscall_64+0x14d/0xf80
[   86.970376][ T5320]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.973026][ T5320] 
[   86.974131][ T5320] The buggy address belongs to the object at ffff888042c38800
[   86.974131][ T5320]  which belongs to the cache kmalloc-256 of size 256
[   86.980726][ T5320] The buggy address is located 22 bytes to the right of
[   86.980726][ T5320]  allocated 200-byte region [ffff888042c38800, ffff888042c388c8)
[   86.987070][ T5320] 
[   86.988204][ T5320] The buggy address belongs to the physical page:
[   86.990977][ T5320] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42c38
[   86.994836][ T5320] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   86.998082][ T5320] page_type: f5(slab)
[   86.999609][ T5320] raw: 04fff00000000000 ffff88801a841b40 dead000000000122 0000000000000000
[   87.002908][ T5320] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[   87.006437][ T5320] page dumped because: kasan: bad access detected
[   87.009363][ T5320] page_owner tracks the page as allocated
[   87.011885][ T5320] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 12, tgid 12 (kworker/u4:0), ts 86688097604, free_ts 86579671568
[   87.019644][ T5320]  post_alloc_hook+0x228/0x280
[   87.021699][ T5320]  get_page_from_freelist+0x24dc/0x2580
[   87.024074][ T5320]  __alloc_frozen_pages_noprof+0x18d/0x380
[   87.026598][ T5320]  allocate_slab+0x7a/0x3a0
[   87.028575][ T5320]  ___slab_alloc+0xd90/0x1790
[   87.030558][ T5320]  __slab_alloc+0x65/0x100
[   87.032543][ T5320]  __kmalloc_node_noprof+0x5bc/0x7f0
[   87.034920][ T5320]  alloc_slab_obj_exts+0x3e/0x100
[   87.037065][ T5320]  allocate_slab+0x1cc/0x3a0
[   87.039085][ T5320]  ___slab_alloc+0xd90/0x1790
[   87.041025][ T5320]  __slab_alloc+0x65/0x100
[   87.043012][ T5320]  kmem_cache_alloc_noprof+0x3fe/0x6e0
[   87.045353][ T5320]  fib6_add_1+0x9c1/0x1460
[   87.047356][ T5320]  fib6_add+0x211/0x18c0
[   87.049054][ T5320]  ip6_ins_rt+0xd6/0x140
[   87.050703][ T5320]  __ipv6_ifa_notify+0x4e8/0xc60
[   87.052615][ T5320] page last free pid 5011 tgid 5011 stack trace:
[   87.055182][ T5320]  __free_frozen_pages+0xbf8/0xd70
[   87.057178][ T5320]  rcu_core+0x7cd/0x1070
[   87.058975][ T5320]  handle_softirqs+0x22a/0x7c0
[   87.060881][ T5320]  __irq_exit_rcu+0x5f/0x150
[   87.063058][ T5320]  irq_exit_rcu+0x9/0x30
[   87.064929][ T5320]  sysvec_apic_timer_interrupt+0xa6/0xc0
[   87.067244][ T5320]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   87.069870][ T5320] 
[   87.070907][ T5320] Memory state around the buggy address:
[   87.073267][ T5320]  ffff888042c38780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   87.076612][ T5320]  ffff888042c38800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   87.080309][ T5320] >ffff888042c38880: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   87.083682][ T5320]                                                     ^
[   87.086511][ T5320]  ffff888042c38900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   87.089861][ T5320]  ffff888042c38980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   87.093238][ T5320] ==================================================================
[   87.097584][ T5320] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   87.100988][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   87.104825][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   87.109090][ T5320] Call Trace:
[   87.110639][ T5320]  <TASK>
[   87.111962][ T5320]  vpanic+0x1e0/0x670
[   87.113736][ T5320]  panic+0xc5/0xd0
[   87.115376][ T5320]  ? __pfx_panic+0x10/0x10
[   87.117402][ T5320]  ? fib6_add_rt2node+0x349c/0x3500
[   87.119605][ T5320]  ? fib6_add_rt2node+0x349c/0x3500
[   87.121794][ T5320]  check_panic_on_warn+0x89/0xb0
[   87.123914][ T5320]  ? fib6_add_rt2node+0x349c/0x3500
[   87.126135][ T5320]  end_report+0x6f/0x140
[   87.127853][ T5320]  kasan_report+0x128/0x150
[   87.129832][ T5320]  ? stack_trace_save+0xa9/0x100
[   87.132011][ T5320]  ? fib6_add_rt2node+0x349c/0x3500
[   87.134309][ T5320]  fib6_add_rt2node+0x349c/0x3500
[   87.136525][ T5320]  ? __lock_acquire+0x6b5/0x2cf0
[   87.138702][ T5320]  ? __pfx_fib6_add_rt2node+0x10/0x10
[   87.140824][ T5320]  ? do_raw_spin_lock+0x12b/0x2f0
[   87.143150][ T5320]  ? fib6_add+0x84b/0x18c0
[   87.145098][ T5320]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   87.147498][ T5320]  fib6_add+0x910/0x18c0
[   87.149419][ T5320]  ? do_raw_spin_lock+0x12b/0x2f0
[   87.151716][ T5320]  ? __pfx_fib6_add+0x10/0x10
[   87.153664][ T5320]  ? ip6_route_add+0xc9/0x1b0
[   87.155459][ T5320]  ip6_route_add+0xde/0x1b0
[   87.157254][ T5320]  inet6_rtm_newroute+0x268/0x19e0
[   87.159524][ T5320]  ? kasan_quarantine_put+0xbb/0x1f0
[   87.161868][ T5320]  ? lockdep_hardirqs_on+0x7a/0x110
[   87.164045][ T5320]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   87.166508][ T5320]  ? kmem_cache_free+0x195/0x610
[   87.168707][ T5320]  ? nlmon_xmit+0xb0/0x100
[   87.170798][ T5320]  ? __lock_acquire+0x6b5/0x2cf0
[   87.173065][ T5320]  ? __local_bh_enable_ip+0xd0/0x130
[   87.175366][ T5320]  ? lockdep_hardirqs_on+0x7a/0x110
[   87.177514][ T5320]  ? __pfx_inet6_rtm_newroute+0x10/0x10
[   87.179954][ T5320]  rtnetlink_rcv_msg+0x7d5/0xbe0
[   87.182184][ T5320]  ? rtnetlink_rcv_msg+0x1b9/0xbe0
[   87.184453][ T5320]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   87.186932][ T5320]  ? ref_tracker_free+0x693/0x840
[   87.189176][ T5320]  ? __copy_skb_header+0xa3/0x4a0
[   87.191408][ T5320]  ? __pfx_ref_tracker_free+0x10/0x10
[   87.193721][ T5320]  ? __skb_clone+0x63/0x7a0
[   87.195598][ T5320]  netlink_rcv_skb+0x232/0x4b0
[   87.197668][ T5320]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   87.200041][ T5320]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   87.202374][ T5320]  ? netlink_deliver_tap+0x2e/0x1b0
[   87.204600][ T5320]  netlink_unicast+0x80f/0x9b0
[   87.206561][ T5320]  ? __pfx_netlink_unicast+0x10/0x10
[   87.208861][ T5320]  ? __alloc_skb+0x193/0x390
[   87.210866][ T5320]  ? netlink_sendmsg+0x650/0xb40
[   87.213232][ T5320]  ? skb_put+0x11b/0x210
[   87.215168][ T5320]  netlink_sendmsg+0x813/0xb40
[   87.217401][ T5320]  ? __pfx_netlink_sendmsg+0x10/0x10
[   87.219802][ T5320]  ? aa_sock_msg_perm+0xf1/0x1b0
[   87.222059][ T5320]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[   87.224403][ T5320]  ? __pfx_netlink_sendmsg+0x10/0x10
[   87.226739][ T5320]  ____sys_sendmsg+0xa68/0xad0
[   87.228800][ T5320]  ? __might_fault+0xaf/0x130
[   87.230928][ T5320]  ? __pfx_____sys_sendmsg+0x10/0x10
[   87.233207][ T5320]  ? import_iovec+0x73/0xa0
[   87.235190][ T5320]  ___sys_sendmsg+0x2a5/0x360
[   87.237199][ T5320]  ? __lock_acquire+0x6b5/0x2cf0
[   87.239354][ T5320]  ? __pfx____sys_sendmsg+0x10/0x10
[   87.241631][ T5320]  ? futex_wait+0x29a/0x380
[   87.243649][ T5320]  ? __fget_files+0x2a/0x420
[   87.245796][ T5320]  ? __fget_files+0x3a0/0x420
[   87.247912][ T5320]  __x64_sys_sendmsg+0x1bd/0x2a0
[   87.250126][ T5320]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[   87.252547][ T5320]  ? rcu_is_watching+0x15/0xb0
[   87.254680][ T5320]  do_syscall_64+0x14d/0xf80
[   87.256721][ T5320]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   87.259345][ T5320]  ? trace_irq_disable+0x37/0x100
[   87.261544][ T5320]  ? clear_bhb_loop+0x40/0x90
[   87.263608][ T5320]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   87.266155][ T5320] RIP: 0033:0x7f647079bf79
[   87.268238][ T5320] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   87.276645][ T5320] RSP: 002b:00007f64716c4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   87.279983][ T5320] RAX: ffffffffffffffda RBX: 00007f6470a16090 RCX: 00007f647079bf79
[   87.283389][ T5320] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003
[   87.286860][ T5320] RBP: 00007f64708327e0 R08: 0000000000000000 R09: 0000000000000000
[   87.290408][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   87.294032][ T5320] R13: 00007f6470a16128 R14: 00007f6470a16090 R15: 00007fff2b6a3ce8
[   87.297433][ T5320]  </TASK>
[   87.299244][ T5320] Kernel Offset: disabled
[   87.301184][ T5320] Rebooting in 86400 seconds..