Oops: general protection fault, probably for non-canonical address 0xdffffc000000000c: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]
CPU: 1 UID: 0 PID: 5950 Comm: kworker/1:6 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: mld mld_ifc_work
RIP: 0010:fib6_nh_get_excptn_bucket net/ipv6/route.c:1662 [inline]
RIP: 0010:rt6_find_cached_rt+0xb9/0x270 net/ipv6/route.c:1860
Code: 48 c1 e8 03 48 89 44 24 08 48 8b 44 24 08 80 3c 18 00 74 08 4c 89 f7 e8 65 74 2b f8 49 8b 2e 48 83 c5 60 48 89 e8 48 c1 e8 03 <80> 3c 18 00 74 08 48 89 ef e8 49 74 2b f8 4c 8b 6d 00 e8 d0 8d 4d
RSP: 0018:ffffc90000a079e0 EFLAGS: 00010206
RAX: 000000000000000c RBX: dffffc0000000000 RCX: 0000000000000100
RDX: ffff888024168000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000060 R08: ffff888031963133 R09: 1ffff1100632c626
R10: dffffc0000000000 R11: ffffed100632c627 R12: ffffc90000a07ab8
R13: 0000000000000000 R14: ffffc90000a07ab0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881261b1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa9aa4131e8 CR3: 00000000510ec000 CR4: 00000000003526f0
Call Trace:
ip6_pol_route+0x28d/0x1180 net/ipv6/route.c:2276
pol_lookup_func include/net/ip6_fib.h:617 [inline]
fib6_rule_lookup+0x55e/0x6f0 net/ipv6/fib6_rules.c:125
ip6_route_input_lookup net/ipv6/route.c:2338 [inline]
ip6_route_input+0x6de/0xad0 net/ipv6/route.c:2641
ip6_rcv_finish+0x141/0x2e0 net/ipv6/ip6_input.c:77
ip_sabotage_in+0x1e1/0x270 net/bridge/br_netfilter_hooks.c:990
nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
nf_hook_slow+0xc5/0x220 net/netfilter/core.c:623
nf_hook include/linux/netfilter.h:273 [inline]
NF_HOOK+0x206/0x3a0 include/linux/netfilter.h:316
__netif_receive_skb_one_core net/core/dev.c:6137 [inline]
__netif_receive_skb+0xd3/0x380 net/core/dev.c:6250
netif_receive_skb_internal net/core/dev.c:6336 [inline]
netif_receive_skb+0x1bb/0x750 net/core/dev.c:6395
NF_HOOK+0xa0/0x390 include/linux/netfilter.h:319
br_handle_frame_finish+0x15c6/0x1c90 net/bridge/br_input.c:235
br_nf_hook_thresh+0x3c6/0x4a0 net/bridge/br_netfilter_hooks.c:-1
br_nf_pre_routing_finish_ipv6+0x999/0xd60 net/bridge/br_netfilter_ipv6.c:-1
NF_HOOK include/linux/netfilter.h:318 [inline]
br_nf_pre_routing_ipv6+0x37e/0x6b0 net/bridge/br_netfilter_ipv6.c:184
nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:291 [inline]
br_handle_frame+0x96e/0x14f0 net/bridge/br_input.c:442
__netif_receive_skb_core+0x95f/0x2f90 net/core/dev.c:6024
__netif_receive_skb_one_core net/core/dev.c:6135 [inline]
__netif_receive_skb+0x72/0x380 net/core/dev.c:6250
process_backlog+0x622/0x1500 net/core/dev.c:6602
__napi_poll+0xae/0x320 net/core/dev.c:7666
napi_poll net/core/dev.c:7729 [inline]
net_rx_action+0x672/0xe50 net/core/dev.c:7881
handle_softirqs+0x27d/0x850 kernel/softirq.c:622
do_softirq+0xec/0x180 kernel/softirq.c:523
__local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:936 [inline]
__dev_queue_xmit+0x1955/0x3140 net/core/dev.c:4844
neigh_output include/net/neighbour.h:556 [inline]
ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:fib6_nh_get_excptn_bucket net/ipv6/route.c:1662 [inline]
RIP: 0010:rt6_find_cached_rt+0xb9/0x270 net/ipv6/route.c:1860
Code: 48 c1 e8 03 48 89 44 24 08 48 8b 44 24 08 80 3c 18 00 74 08 4c 89 f7 e8 65 74 2b f8 49 8b 2e 48 83 c5 60 48 89 e8 48 c1 e8 03 <80> 3c 18 00 74 08 48 89 ef e8 49 74 2b f8 4c 8b 6d 00 e8 d0 8d 4d
RSP: 0018:ffffc90000a079e0 EFLAGS: 00010206
RAX: 000000000000000c RBX: dffffc0000000000 RCX: 0000000000000100
RDX: ffff888024168000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000060 R08: ffff888031963133 R09: 1ffff1100632c626
R10: dffffc0000000000 R11: ffffed100632c627 R12: ffffc90000a07ab8
R13: 0000000000000000 R14: ffffc90000a07ab0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881261b1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa9aa4131e8 CR3: 00000000510ec000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
# Annotated decode of the "Code:" bytes from the oops (AT&T syntax).
# Offsets are relative to the start of the captured byte window, so the call
# targets printed below (0xf82b7481) are not real kernel addresses.
#
# Triage summary: the fault is raised by a KASAN shadow-memory check, not by
# the program's own load. The "non-canonical address 0xdffffc000000000c" in the
# GPF line is the shadow address RAX + RBX = 0xc + 0xdffffc0000000000; the
# address the code was about to read is RBP = 0x60, i.e. offset 0x60 from a
# NULL base pointer, which is what the KASAN null-ptr-deref line reports.
#
# First instrumented access: shadow check for the address in %r14.
# %rax was computed before this window; presumably it holds %r14 -- confirm
# against the full disassembly of rt6_find_cached_rt.
0: 48 c1 e8 03 shr $0x3,%rax
4: 48 89 44 24 08 mov %rax,0x8(%rsp)
9: 48 8b 44 24 08 mov 0x8(%rsp),%rax
# Shadow byte lookup: %rbx holds 0xdffffc0000000000 in the register dump.
e: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1)
# Shadow byte is zero: skip the call below and go straight to the load.
12: 74 08 je 0x1c
# Non-zero shadow byte: pass the checked address in %rdi to a helper
# (presumably the KASAN report routine; the symbol is not resolved here).
14: 4c 89 f7 mov %r14,%rdi
17: e8 65 74 2b f8 call 0xf82b7481
# Load a pointer from (%r14). RBP is 0x60 after the add below, so the value
# loaded here was 0 (NULL). R14 is close to RSP in the register dump, so the
# pointer was presumably read from a local on the stack -- TODO confirm.
1c: 49 8b 2e mov (%r14),%rbp
# Form the address at offset 0x60 from that pointer. Which structure and field
# this is cannot be told from the bytes alone; the RIP lines attribute it to
# fib6_nh_get_excptn_bucket at net/ipv6/route.c:1662.
1f: 48 83 c5 60 add $0x60,%rbp
# Second instrumented access: compute the shadow index, 0x60 >> 3 = 0xc (RAX).
23: 48 89 e8 mov %rbp,%rax
26: 48 c1 e8 03 shr $0x3,%rax
# Reading the shadow byte at 0xdffffc000000000c faults with #GP because that
# address is non-canonical. This is rt6_find_cached_rt+0xb9 per the RIP lines.
* 2a: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 ef mov %rbp,%rdi
33: e8 49 74 2b f8 call 0xf82b7481
# The load the check above was guarding: an 8-byte read from (%rbp), i.e. from
# address 0x60. Never reached in this crash.
38: 4c 8b 6d 00 mov 0x0(%rbp),%r13
# End of the captured window: 0xe8 opens a call whose 4-byte displacement is
# cut off, so the decoder emits the remaining bytes raw.
3c: e8 .byte 0xe8
3d: d0 .byte 0xd0
3e: 8d .byte 0x8d
3f: 4d rex.WRB