ip6_vti: set netns_immutable on the fallback device.

An attacker with sufficient privileges could move the per-netns fallback tunnel device (`ip6_vti0`) to a different network namespace because the `netns_immutable` flag was not set [patch_id=6734740]. This breaks the isolation model that other tunnel drivers enforce, potentially allowing network traffic to escape the intended namespace boundary. The precondition is that the attacker must have the capability to change network device namespaces (e.g., `CAP_NET_ADMIN`).

The vulnerability is in `net/ipv6/ip6_vti.c`, specifically in the `vti6_init_net()` function. The fallback tunnel device `ip6_vti0` was not having its `netns_immutable` flag set during per-netns initialization.

The patch adds a single line `ip6n->fb_tnl_dev->netns_immutable = true;` in `vti6_init_net()` after the fallback device is allocated and its network namespace is set [patch_id=6734740]. This mirrors the behavior of other tunnel drivers (`ip6_tunnel`, `sit`, `ip6_gre`, `ip_tunnel`) which already set this flag. Setting `netns_immutable` prevents the fallback device from being moved to another network namespace, closing the escape vector.