syzbot

==================================================================
BUG: KASAN: use-after-free in rtnetlink_put_metrics+0x621/0x690 net/core/rtnetlink.c:754
Read of size 4 at addr ffff8801d8aa7a80 by task syz-executor7/2722

CPU: 1 PID: 2722 Comm: syz-executor7 Not tainted 4.18.0-rc7+ #173
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 rtnetlink_put_metrics+0x621/0x690 net/core/rtnetlink.c:754
 rt6_fill_node+0x7d9/0x1540 net/ipv6/route.c:4753
 inet6_rt_notify+0x161/0x2c0 net/ipv6/route.c:4985
 fib6_del_route net/ipv6/ip6_fib.c:1788 [inline]
 fib6_del+0xf4d/0x1310 net/ipv6/ip6_fib.c:1815
 fib6_clean_node+0x3ee/0x5e0 net/ipv6/ip6_fib.c:1976
 fib6_walk_continue+0x4b1/0x8e0 net/ipv6/ip6_fib.c:1899
 fib6_walk+0x95/0xf0 net/ipv6/ip6_fib.c:1947
 fib6_clean_tree+0x1ea/0x360 net/ipv6/ip6_fib.c:2024
 __fib6_clean_all+0x21c/0x420 net/ipv6/ip6_fib.c:2040
 fib6_clean_all+0x27/0x30 net/ipv6/ip6_fib.c:2051
 rt6_sync_down_dev net/ipv6/route.c:4083 [inline]
 rt6_disable_ip+0x111/0x7e0 net/ipv6/route.c:4088
 addrconf_ifdown+0x16f/0x1670 net/ipv6/addrconf.c:3650
 addrconf_notify+0x6e9/0x27f0 net/ipv6/addrconf.c:3575
 notifier_call_chain+0x180/0x390 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
 call_netdevice_notifiers net/core/dev.c:1753 [inline]
 dev_set_mtu+0x439/0x6c0 net/core/dev.c:7121
 dev_ifsioc+0x97e/0xb30 net/core/dev_ioctl.c:244
 dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493
 sock_do_ioctl+0x1d3/0x3e0 net/socket.c:993
 sock_ioctl+0x30d/0x680 net/socket.c:1094
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x456a09
Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007ff701586c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff7015876d4 RCX: 0000000000456a09
RDX: 0000000020000000 RSI: 0000000000008922 RDI: 0000000000000014
RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004ced98 R14: 00000000004c546b R15: 0000000000000000

Allocated by task 27373:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 fib6_metric_set+0x163/0x2c0 net/ipv6/ip6_fib.c:645
 fib6_add_rt2node+0xe36/0x27f0 net/ipv6/ip6_fib.c:1000
 fib6_add+0xaae/0x14d0 net/ipv6/ip6_fib.c:1308
 __ip6_ins_rt+0x54/0x80 net/ipv6/route.c:1163
 ip6_route_add+0x6d/0xc0 net/ipv6/route.c:3171
 addrconf_prefix_route.isra.48+0x51d/0x720 net/ipv6/addrconf.c:2347
 inet6_addr_modify net/ipv6/addrconf.c:4627 [inline]
 inet6_rtm_newaddr+0x112e/0x1b50 net/ipv6/addrconf.c:4743
 rtnetlink_rcv_msg+0x46e/0xc30 net/core/rtnetlink.c:4665
 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2453
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4683
 netlink_unicast_kernel net/netlink/af_netlink.c:1315 [inline]
 netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1341
 netlink_sendmsg+0xa18/0xfd0 net/netlink/af_netlink.c:1906
 sock_sendmsg_nosec net/socket.c:642 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:652
 ___sys_sendmsg+0x7fd/0x930 net/socket.c:2126
 __sys_sendmsg+0x11d/0x290 net/socket.c:2164
 __do_sys_sendmsg net/socket.c:2173 [inline]
 __se_sys_sendmsg net/socket.c:2171 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2171
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 2722:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 fib6_metrics_release+0x77/0x90 net/ipv6/ip6_fib.c:179
 fib6_drop_pcpu_from net/ipv6/ip6_fib.c:899 [inline]
 fib6_purge_rt+0x5ec/0x7f0 net/ipv6/ip6_fib.c:934
 fib6_del_route net/ipv6/ip6_fib.c:1784 [inline]
 fib6_del+0xc11/0x1310 net/ipv6/ip6_fib.c:1815
 fib6_clean_node+0x3ee/0x5e0 net/ipv6/ip6_fib.c:1976
 fib6_walk_continue+0x4b1/0x8e0 net/ipv6/ip6_fib.c:1899
 fib6_walk+0x95/0xf0 net/ipv6/ip6_fib.c:1947
 fib6_clean_tree+0x1ea/0x360 net/ipv6/ip6_fib.c:2024
 __fib6_clean_all+0x21c/0x420 net/ipv6/ip6_fib.c:2040
 fib6_clean_all+0x27/0x30 net/ipv6/ip6_fib.c:2051
 rt6_sync_down_dev net/ipv6/route.c:4083 [inline]
 rt6_disable_ip+0x111/0x7e0 net/ipv6/route.c:4088
 addrconf_ifdown+0x16f/0x1670 net/ipv6/addrconf.c:3650
 addrconf_notify+0x6e9/0x27f0 net/ipv6/addrconf.c:3575
 notifier_call_chain+0x180/0x390 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
 call_netdevice_notifiers net/core/dev.c:1753 [inline]
 dev_set_mtu+0x439/0x6c0 net/core/dev.c:7121
 dev_ifsioc+0x97e/0xb30 net/core/dev_ioctl.c:244
 dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493
 sock_do_ioctl+0x1d3/0x3e0 net/socket.c:993
 sock_ioctl+0x30d/0x680 net/socket.c:1094
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801d8aa7a80
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 0 bytes inside of
 96-byte region [ffff8801d8aa7a80, ffff8801d8aa7ae0)
The buggy address belongs to the page:
page:ffffea000762a9c0 count:1 mapcount:0 mapping:ffff8801dac004c0 index:0xffff8801d8aa7b80
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea000754c888 ffffea00075a15c8 ffff8801dac004c0
raw: ffff8801d8aa7b80 ffff8801d8aa7000 000000010000001a 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d8aa7980: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff8801d8aa7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff8801d8aa7a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                   ^
 ffff8801d8aa7b00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff8801d8aa7b80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================