program:
# Reviewer triage annotations: lines starting with '#' are comments, every call is unchanged.
# Constants are decoded against the Linux UAPI headers. The syzkaller description names
# (@ipv6_newrule, FRA_*) name the template the fuzzer started from; the kernel dispatches
# on the numeric values, which may have been mutated away from that template.
#
# Two rtnetlink sockets: 0x10 = AF_NETLINK, 0x3 = SOCK_RAW, 0x0 = NETLINK_ROUTE.
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
# nlmsghdr {len 0x1c, type 0x68 = RTM_NEWNEXTHOP}; the only attribute is NHA_BLACKHOLE.
# No NHA_ID is supplied - presumably the kernel assigns the nexthop id itself; confirm.
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0)
# nlmsghdr type 0x18 is RTM_NEWROUTE (RTM_NEWRULE would be 0x20), which agrees with
# inet6_rtm_newroute appearing in the call trace of this log. In route attribute numbering
# 0x1e is RTA_NH_ID (value 0x1) and 0x17 is RTA_EXPIRES, despite the FRA_* labels.
# The msghdr offset 0x4380 matches the low bits of RSI in the register dump of the
# faulting sendmsg, so this looks like the call that hit the KASAN report.
# NOTE(review): the report shows a 200-byte object from fib6_info_alloc, allocated by
# task 5314 and read 22 bytes past its end by task 5315 in fib6_add_rt2node. Presumably a
# route bound to a nexthop object is allocated without trailing per-route nexthop data that
# the insert path still dereferences - a hypothesis to confirm against the kernel source.
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0)
futex(0x0, 0x80, 0x2, 0x0, 0x0, 0x1)
r2 = socket$nl_route(0x10, 0x3, 0x0)
# The domain argument truncated to 32 bits is 0x11 = AF_PACKET; 0x2 = SOCK_DGRAM.
r3 = socket(0x200000000000011, 0x2, 0x0)
# 0x8933 = SIOCGIFINDEX for 'bridge0'. r4 is used by the next call but never assigned in
# this listing - presumably the result marker on the ifindex field was lost in rendering.
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'bridge0\x00', 0x0})
# nlmsghdr type 0x10 = RTM_NEWLINK on ifindex r4. The last two ifinfomsg fields look like
# ifi_flags 0x0 with change mask 0x11203, which would clear IFF_UP; that is consistent
# with the "bridge0: port ... entered disabled state" console lines - confirm field order.
sendmsg$nl_route(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@newlink={0x20, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r4, 0x0, 0x11203}}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0)
# The same call sequence is printed a second time with (async) markers; result
# assignments (r0 = ...) are absent in this copy as shown.
socket$nl_route(0x10, 0x3, 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0) (async)
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0) (async)
futex(0x0, 0x80, 0x2, 0x0, 0x0, 0x1) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
socket(0x200000000000011, 0x2, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'bridge0\x00'}) (async)
sendmsg$nl_route(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@newlink={0x20, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r4, 0x0, 0x11203}}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0) (async)
# Kernel console output captured during the run starts here.
[ 75.052028][ T5292] Bluetooth: hci0: command tx timeout [ 75.108499][ T5314] bridge0: port 2(bridge_slave_1) entered 
disabled state [ 75.112317][ T5314] bridge0: port 1(bridge_slave_0) entered disabled state [ 75.130202][ T5315] ================================================================== [ 75.133731][ T5315] BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 [ 75.137414][ T5315] Read of size 1 at addr ffff888043b2eede by task syz.0.0/5315 [ 75.140247][ T5315] [ 75.141305][ T5315] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.141333][ T5315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 75.141340][ T5315] Call Trace: [ 75.141369][ T5315] [ 75.141389][ T5315] dump_stack_lvl+0xe8/0x150 [ 75.141408][ T5315] print_report+0xba/0x230 [ 75.141422][ T5315] ? fib6_add_rt2node+0x349c/0x3500 [ 75.141438][ T5315] kasan_report+0x117/0x150 [ 75.141455][ T5315] ? fib6_add_rt2node+0x349c/0x3500 [ 75.141472][ T5315] fib6_add_rt2node+0x349c/0x3500 [ 75.141486][ T5315] ? __lock_acquire+0x6b5/0x2cf0 [ 75.141503][ T5315] ? __pfx_fib6_add_rt2node+0x10/0x10 [ 75.141518][ T5315] ? do_raw_spin_lock+0x12b/0x2f0 [ 75.141533][ T5315] ? fib6_add+0x84b/0x18c0 [ 75.141547][ T5315] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 75.141564][ T5315] fib6_add+0x910/0x18c0 [ 75.141581][ T5315] ? do_raw_spin_lock+0x12b/0x2f0 [ 75.141595][ T5315] ? __pfx_fib6_add+0x10/0x10 [ 75.141612][ T5315] ? ip6_route_add+0xc9/0x1b0 [ 75.141622][ T5315] ip6_route_add+0xde/0x1b0 [ 75.141633][ T5315] inet6_rtm_newroute+0x268/0x19e0 [ 75.141649][ T5315] ? kasan_quarantine_put+0xbb/0x1f0 [ 75.141661][ T5315] ? lockdep_hardirqs_on+0x7a/0x110 [ 75.141774][ T5315] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 75.141788][ T5315] ? nlmon_xmit+0xb0/0x100 [ 75.141841][ T5315] ? kmem_cache_free+0x180/0x610 [ 75.141857][ T5315] ? __lock_acquire+0x6b5/0x2cf0 [ 75.141869][ T5315] ? __local_bh_enable_ip+0xd0/0x130 [ 75.141878][ T5315] ? lockdep_hardirqs_on+0x7a/0x110 [ 75.141889][ T5315] ? 
__pfx_inet6_rtm_newroute+0x10/0x10 [ 75.141898][ T5315] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 75.141936][ T5315] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 75.141945][ T5315] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.141956][ T5315] ? ref_tracker_free+0x693/0x840 [ 75.141972][ T5315] ? __copy_skb_header+0xa3/0x4a0 [ 75.142001][ T5315] ? __pfx_ref_tracker_free+0x10/0x10 [ 75.142011][ T5315] ? __skb_clone+0x63/0x7a0 [ 75.142023][ T5315] netlink_rcv_skb+0x232/0x4b0 [ 75.142083][ T5315] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.142096][ T5315] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 75.142112][ T5315] ? netlink_deliver_tap+0x2e/0x1b0 [ 75.142127][ T5315] netlink_unicast+0x80f/0x9b0 [ 75.142140][ T5315] ? __pfx_netlink_unicast+0x10/0x10 [ 75.142152][ T5315] ? netlink_sendmsg+0x650/0xb40 [ 75.142165][ T5315] ? skb_put+0x11b/0x210 [ 75.142180][ T5315] netlink_sendmsg+0x813/0xb40 [ 75.142196][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.142209][ T5315] ? aa_sock_msg_perm+0xf1/0x1b0 [ 75.142219][ T5315] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 75.142232][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.142245][ T5315] ____sys_sendmsg+0xa68/0xad0 [ 75.142255][ T5315] ? __might_fault+0xaf/0x130 [ 75.142268][ T5315] ? __pfx_____sys_sendmsg+0x10/0x10 [ 75.142280][ T5315] ? import_iovec+0x73/0xa0 [ 75.142292][ T5315] ___sys_sendmsg+0x2a5/0x360 [ 75.142302][ T5315] ? __lock_acquire+0x6b5/0x2cf0 [ 75.142313][ T5315] ? __pfx____sys_sendmsg+0x10/0x10 [ 75.142325][ T5315] ? futex_wait+0x29a/0x380 [ 75.142342][ T5315] ? __fget_files+0x2a/0x420 [ 75.142353][ T5315] ? __fget_files+0x3a0/0x420 [ 75.142363][ T5315] __x64_sys_sendmsg+0x1bd/0x2a0 [ 75.142375][ T5315] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 75.142385][ T5315] ? rcu_is_watching+0x15/0xb0 [ 75.142400][ T5315] do_syscall_64+0x14d/0xf80 [ 75.142413][ T5315] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.142423][ T5315] ? trace_irq_disable+0x37/0x100 [ 75.142434][ T5315] ? 
clear_bhb_loop+0x40/0x90 [ 75.142444][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.142454][ T5315] RIP: 0033:0x7fc10e19bf79 [ 75.142486][ T5315] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 75.142495][ T5315] RSP: 002b:00007fc10a5d4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 75.142552][ T5315] RAX: ffffffffffffffda RBX: 00007fc10e416090 RCX: 00007fc10e19bf79 [ 75.142560][ T5315] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003 [ 75.142567][ T5315] RBP: 00007fc10e2327e0 R08: 0000000000000000 R09: 0000000000000000 [ 75.142573][ T5315] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.142579][ T5315] R13: 00007fc10e416128 R14: 00007fc10e416090 R15: 00007fffbc0d9b78 [ 75.142591][ T5315] [ 75.142595][ T5315] [ 75.320520][ T5315] Allocated by task 5314: [ 75.322416][ T5315] kasan_save_track+0x3e/0x80 [ 75.324393][ T5315] __kasan_kmalloc+0x93/0xb0 [ 75.326348][ T5315] __kmalloc_noprof+0x35c/0x760 [ 75.328579][ T5315] fib6_info_alloc+0x30/0xf0 [ 75.330456][ T5315] ip6_route_info_create+0x142/0x860 [ 75.332645][ T5315] ip6_route_add+0x49/0x1b0 [ 75.334476][ T5315] inet6_rtm_newroute+0x268/0x19e0 [ 75.336565][ T5315] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 75.338566][ T5315] netlink_rcv_skb+0x232/0x4b0 [ 75.340496][ T5315] netlink_unicast+0x80f/0x9b0 [ 75.342460][ T5315] netlink_sendmsg+0x813/0xb40 [ 75.344474][ T5315] ____sys_sendmsg+0xa68/0xad0 [ 75.346593][ T5315] ___sys_sendmsg+0x2a5/0x360 [ 75.348539][ T5315] __x64_sys_sendmsg+0x1bd/0x2a0 [ 75.350662][ T5315] do_syscall_64+0x14d/0xf80 [ 75.352578][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.355039][ T5315] [ 75.356155][ T5315] The buggy address belongs to the object at ffff888043b2ee00 [ 75.356155][ T5315] which belongs to the cache kmalloc-256 of size 256 [ 75.361758][ T5315] The buggy address is located 22 
bytes to the right of [ 75.361758][ T5315] allocated 200-byte region [ffff888043b2ee00, ffff888043b2eec8) [ 75.367685][ T5315] [ 75.368687][ T5315] The buggy address belongs to the physical page: [ 75.371318][ T5315] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43b2e [ 75.375545][ T5315] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 75.379044][ T5315] page_type: f5(slab) [ 75.380745][ T5315] raw: 04fff00000000000 ffff88801a841b40 dead000000000100 dead000000000122 [ 75.384403][ T5315] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 75.387975][ T5315] page dumped because: kasan: bad access detected [ 75.390624][ T5315] page_owner tracks the page as allocated [ 75.392941][ T5315] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5291, tgid 5291 (syz-executor), ts 73345321622, free_ts 73342013525 [ 75.401392][ T5315] post_alloc_hook+0x231/0x280 [ 75.403409][ T5315] get_page_from_freelist+0x24dc/0x2580 [ 75.405650][ T5315] __alloc_frozen_pages_noprof+0x18d/0x380 [ 75.408147][ T5315] allocate_slab+0x77/0x660 [ 75.410060][ T5315] refill_objects+0x331/0x3c0 [ 75.412035][ T5315] __pcs_replace_empty_main+0x2b9/0x620 [ 75.414344][ T5315] __kmalloc_noprof+0x474/0x760 [ 75.416519][ T5315] fib_create_info+0x171d/0x31f0 [ 75.418640][ T5315] fib_table_insert+0xc8/0x1b50 [ 75.420526][ T5315] fib_magic+0x434/0x510 [ 75.422299][ T5315] fib_add_ifaddr+0x38d/0x5f0 [ 75.424362][ T5315] fib_netdev_event+0x382/0x490 [ 75.426482][ T5315] notifier_call_chain+0x19d/0x3a0 [ 75.428664][ T5315] __dev_notify_flags+0x1a9/0x310 [ 75.430708][ T5315] netif_change_flags+0xe8/0x1a0 [ 75.432843][ T5315] do_setlink+0xf82/0x4590 [ 75.434697][ T5315] page last free pid 15 tgid 15 stack trace: [ 75.437179][ T5315] __free_frozen_pages+0xc01/0xd80 [ 75.439253][ T5315] rcu_core+0x7cd/0x1070 [ 75.441071][ T5315] handle_softirqs+0x22a/0x7c0 [ 75.443158][ 
T5315] run_ksoftirqd+0x36/0x60 [ 75.445045][ T5315] smpboot_thread_fn+0x541/0xa50 [ 75.447263][ T5315] kthread+0x388/0x470 [ 75.449090][ T5315] ret_from_fork+0x51e/0xb90 [ 75.451107][ T5315] ret_from_fork_asm+0x1a/0x30 [ 75.453104][ T5315] [ 75.454121][ T5315] Memory state around the buggy address: [ 75.456419][ T5315] ffff888043b2ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.459618][ T5315] ffff888043b2ee00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.462791][ T5315] >ffff888043b2ee80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc [ 75.466121][ T5315] ^ [ 75.468973][ T5315] ffff888043b2ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.472151][ T5315] ffff888043b2ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.475207][ T5315] ================================================================== [ 75.478479][ T5315] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.481248][ T5315] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.484759][ T5315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 75.488572][ T5315] Call Trace: [ 75.490017][ T5315] [ 75.491226][ T5315] vpanic+0x56c/0xa60 [ 75.492803][ T5315] ? __pfx_vpanic+0x10/0x10 [ 75.494693][ T5315] ? irqentry_exit+0x59e/0x620 [ 75.496833][ T5315] panic+0xc5/0xd0 [ 75.498485][ T5315] ? __pfx_panic+0x10/0x10 [ 75.500376][ T5315] ? fib6_add_rt2node+0x349c/0x3500 [ 75.502686][ T5315] ? fib6_add_rt2node+0x349c/0x3500 [ 75.505004][ T5315] check_panic_on_warn+0x89/0xb0 [ 75.507177][ T5315] ? fib6_add_rt2node+0x349c/0x3500 [ 75.509445][ T5315] end_report+0x6f/0x140 [ 75.511232][ T5315] kasan_report+0x128/0x150 [ 75.513187][ T5315] ? fib6_add_rt2node+0x349c/0x3500 [ 75.515529][ T5315] fib6_add_rt2node+0x349c/0x3500 [ 75.517736][ T5315] ? __lock_acquire+0x6b5/0x2cf0 [ 75.519872][ T5315] ? __pfx_fib6_add_rt2node+0x10/0x10 [ 75.522291][ T5315] ? do_raw_spin_lock+0x12b/0x2f0 [ 75.524368][ T5315] ? 
fib6_add+0x84b/0x18c0 [ 75.526160][ T5315] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 75.528491][ T5315] fib6_add+0x910/0x18c0 [ 75.530264][ T5315] ? do_raw_spin_lock+0x12b/0x2f0 [ 75.533048][ T5315] ? __pfx_fib6_add+0x10/0x10 [ 75.535658][ T5315] ? ip6_route_add+0xc9/0x1b0 [ 75.538314][ T5315] ip6_route_add+0xde/0x1b0 [ 75.540800][ T5315] inet6_rtm_newroute+0x268/0x19e0 [ 75.543570][ T5315] ? kasan_quarantine_put+0xbb/0x1f0 [ 75.546207][ T5315] ? lockdep_hardirqs_on+0x7a/0x110 [ 75.548400][ T5315] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 75.550586][ T5315] ? nlmon_xmit+0xb0/0x100 [ 75.552799][ T5315] ? kmem_cache_free+0x180/0x610 [ 75.555513][ T5315] ? __lock_acquire+0x6b5/0x2cf0 [ 75.558266][ T5315] ? __local_bh_enable_ip+0xd0/0x130 [ 75.560513][ T5315] ? lockdep_hardirqs_on+0x7a/0x110 [ 75.562527][ T5315] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 75.565007][ T5315] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 75.567125][ T5315] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 75.569182][ T5315] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.571323][ T5315] ? ref_tracker_free+0x693/0x840 [ 75.573446][ T5315] ? __copy_skb_header+0xa3/0x4a0 [ 75.575598][ T5315] ? __pfx_ref_tracker_free+0x10/0x10 [ 75.577943][ T5315] ? __skb_clone+0x63/0x7a0 [ 75.579890][ T5315] netlink_rcv_skb+0x232/0x4b0 [ 75.581859][ T5315] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.584140][ T5315] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 75.586305][ T5315] ? netlink_deliver_tap+0x2e/0x1b0 [ 75.588466][ T5315] netlink_unicast+0x80f/0x9b0 [ 75.590402][ T5315] ? __pfx_netlink_unicast+0x10/0x10 [ 75.592679][ T5315] ? netlink_sendmsg+0x650/0xb40 [ 75.594824][ T5315] ? skb_put+0x11b/0x210 [ 75.596701][ T5315] netlink_sendmsg+0x813/0xb40 [ 75.598806][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.601108][ T5315] ? aa_sock_msg_perm+0xf1/0x1b0 [ 75.603158][ T5315] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 75.605386][ T5315] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.607505][ T5315] ____sys_sendmsg+0xa68/0xad0 [ 75.609365][ T5315] ? 
__might_fault+0xaf/0x130 [ 75.611369][ T5315] ? __pfx_____sys_sendmsg+0x10/0x10 [ 75.613536][ T5315] ? import_iovec+0x73/0xa0 [ 75.615285][ T5315] ___sys_sendmsg+0x2a5/0x360 [ 75.617436][ T5315] ? __lock_acquire+0x6b5/0x2cf0 [ 75.619388][ T5315] ? __pfx____sys_sendmsg+0x10/0x10 [ 75.621410][ T5315] ? futex_wait+0x29a/0x380 [ 75.623241][ T5315] ? __fget_files+0x2a/0x420 [ 75.625022][ T5315] ? __fget_files+0x3a0/0x420 [ 75.626879][ T5315] __x64_sys_sendmsg+0x1bd/0x2a0 [ 75.628663][ T5315] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 75.631026][ T5315] ? rcu_is_watching+0x15/0xb0 [ 75.633072][ T5315] do_syscall_64+0x14d/0xf80 [ 75.634809][ T5315] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.637420][ T5315] ? trace_irq_disable+0x37/0x100 [ 75.639665][ T5315] ? clear_bhb_loop+0x40/0x90 [ 75.641386][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.643763][ T5315] RIP: 0033:0x7fc10e19bf79 [ 75.645572][ T5315] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 75.653211][ T5315] RSP: 002b:00007fc10a5d4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 75.656629][ T5315] RAX: ffffffffffffffda RBX: 00007fc10e416090 RCX: 00007fc10e19bf79 [ 75.659509][ T5315] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003 [ 75.662507][ T5315] RBP: 00007fc10e2327e0 R08: 0000000000000000 R09: 0000000000000000 [ 75.665521][ T5315] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.668524][ T5315] R13: 00007fc10e416128 R14: 00007fc10e416090 R15: 00007fffbc0d9b78 [ 75.671437][ T5315] [ 75.672966][ T5315] Kernel Offset: disabled [ 75.674587][ T5315] Rebooting in 86400 seconds..