program: r0 = socket$nl_route(0x10, 0x3, 0x0) (async) r1 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0) (async, rerun: 32) sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0) (async, rerun: 32) r2 = socket$nl_route(0x10, 0x3, 0x0) (async) r3 = socket$nl_xfrm(0x10, 0x3, 0x6) (async, rerun: 64) r4 = socket(0x2a, 0x2, 0x0) (rerun: 64) getsockname$packet(r4, &(0x7f0000000200)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14) request_key(&(0x7f0000001000)='dns_resolver\x00', &(0x7f00000002c0)={'syz', 0x2}, &(0x7f00000001c0)='\xa7x{8\xb8\x81\xae$\xbb\x17\x90\xaa\x96\xd4\x9b\xd8\x87\x84\xca\xf6\xa6;\xd2!?,J\r\x94EA\x11\xc2\n\xc4h\xad\xc4\xe7*<\x87\xb5H\xfb\xf6t\x12\xed\x8f\x9caU^\xffW\xa1\x06\xcc', 0x0) (async) request_key(&(0x7f00000010c0)='dns_resolver\x00', &(0x7f0000001100)={'syz', 0x2}, 0x0, 0x0) (async) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000840)=@newtfilter={0x478, 0x2c, 0xd27, 0x70bd2d, 0x0, {0x0, 0x0, 0x0, r5, {0x5, 0x5}, {}, {0x8, 0xffe0}}, [@filter_kind_options=@f_basic={{0xa}, {0x448, 0x2, [@TCA_BASIC_POLICE={0x444, 0x4, [@TCA_POLICE_RATE={0x404, 0x2, [0x3, 0x8, 0x62, 0x2, 0x0, 0xc, 0x2, 0x7fff, 0x0, 0xffffff70, 0x15, 0xffffffa9, 0x2, 0x7, 0x80000001, 0x7, 0x2, 0x36, 0xc, 0x6, 0x6, 0x5d0bef1f, 0x400, 0x1, 0x837, 0xffffffff, 0x9fec, 0x401, 0x68, 0x9, 0xdd64, 0x1, 0x4, 0x8001, 0xfffffffe, 0x3, 0x0, 0x200, 0xfff, 0xfffffff1, 0x7, 0x4, 0xf, 0x7, 0x7469, 0xb, 0x2, 0x200, 0xff32, 0x6, 0xca, 0x4ec1, 0x1, 0x9, 0x80, 0x0, 0x10000, 0x0, 0xb4, 0x7, 0x6, 0x0, 0x0, 0x8156b2a, 0x2, 0xd5c, 0x1, 0xa0, 0x2, 0x7, 0x4, 0x0, 0x81, 0xff, 0x2, 0xe6b, 0x9, 0xa, 0xc8c, 0x1, 0xd2a, 0x6, 0x0, 0xd, 0x3a0, 0x3, 0x10000, 0x7ff, 0x44, 0x1, 0x2, 0x800, 0x3, 0x8, 0x0, 0x8e5e00, 0x902e, 0x0, 0x8, 0x1898, 0xf, 0x4, 0x2, 0x2c000, 0x80, 0xc, 0x1, 0x2, 0x5, 0x3, 0xd, 0x6, 0x0, 0x3365, 0x1, 0x4, 0xffffffff, 0x1000, 0x0, 0x4, 0x0, 0x1, 0x1, 0x81, 0x111, 0x2, 0x5c20, 0x7f, 0x0, 0xe, 0xfffffffb, 0x6, 0x391, 0x0, 0x0, 0x3, 0x9, 0xc95d90e, 0x7, 0x2, 0x7, 0xf, 0xc7, 0x4, 0x7, 0x0, 0x9, 0xffffffff, 0x9, 0x7, 0x4, 0x0, 0x7, 0xfffffff9, 0x10, 0x2, 0xfff, 0x2, 0x6, 0x8b4, 0x600000, 0x1, 0x6, 0x0, 0x10000, 0x0, 0x3, 0x5, 0x0, 0x1000, 0x6, 0x9, 0x0, 0x1, 0x81, 0x2, 0xffff6c4b, 0x1, 0x7, 0x5, 0x7fff, 0x8, 0xffffffff, 0x9, 0x6, 0x0, 0x40, 0x1b, 0x80000000, 0x2, 0x603c, 0x4, 0x4, 0x0, 0xfffffff8, 0x7, 0x3, 0x10, 0x400, 0xfffffe00, 0x1, 0x3, 0x0, 0xffff, 0x4, 0x6, 0x8, 0x1, 0x400, 0x1, 0x8a, 0x10, 0x7, 0x0, 0xfffffffd, 0x3, 0x8, 0x616, 0x2, 0x2, 0xd1, 0x2, 0xfffffffc, 0x8, 0xe, 0x800, 0x1, 0x4, 0xd87, 0x80000001, 0x48e0, 0x8, 0x9, 0x40, 0x400, 0x5, 0x2, 0x4e1b, 0x40, 0x1000, 0x2, 0x4, 0x3, 0x0, 0x2, 0x9, 0x2, 0x2, 0x10001, 0x4000ffff, 0x4d, 0x2, 0x8, 0x2, 0x2, 0x8]}, @TCA_POLICE_TBF={0x3c, 0x1, {0x7, 0x8, 0xfffffffe, 0xe, 0x66, {0xb, 0x2, 0x200, 0x8001, 0xfffa, 0xbf}, {0xd9, 0x2, 0x5, 0xfff8, 0xfff}, 0x6, 0x9, 0x2}}]}]}}]}, 0x478}}, 0x4000) (async) write$binfmt_misc(0xffffffffffffffff, &(0x7f0000000000), 0xfffffecc) fsconfig$FSCONFIG_SET_BINARY(0xffffffffffffffff, 0x2, &(0x7f0000000300)='#!{+\x00', &(0x7f0000000cc0)="fecf4065c5e77e1991865f07a1754d73e9d30989a399b6e1c0df8eb270", 0x1d) getsockopt$inet_IP_IPSEC_POLICY(r4, 0x0, 0x10, &(0x7f0000000d80)={{{@in6=@private2, @in=@empty, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in6=@remote}, 0x0, @in6}}, &(0x7f0000000480)=0xbf) (async) ioctl$sock_ipv6_tunnel_SIOCGETTUNNEL(0xffffffffffffffff, 0x89f0, &(0x7f0000000640)={'syztnl0\x00', &(0x7f00000005c0)={'ip6_vti0\x00', 0x0, 0x29, 0x3a, 0x5, 0x2, 0x44, @dev={0xfe, 0x80, '\x00', 0x25}, @private2={0xfc, 0x2, '\x00', 0x1}, 0x20, 0x80, 0x8, 0xa1}}) (async, rerun: 32) getsockopt$inet_IP_XFRM_POLICY(0xffffffffffffffff, 0x0, 0x11, &(0x7f0000000680)={{{@in=@dev, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}, {{@in=@multicast1}, 0x0, @in6=@initdev}}, &(0x7f00000007c0)=0xe8) (rerun: 32) sendmsg$nl_xfrm(r3, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000800)=@report={0x1d4, 0x20, 0x200, 0x70bd25, 0x25dfdbfd, {0x6c, {@in6=@dev={0xfe, 0x80, '\x00', 0x15}, @in=@initdev={0xac, 0x1e, 0x1, 0x0}, 0x4e24, 0xb5e, 0x4e21, 0x36a8, 0xa, 0x1a0, 0xa0, 0x84, r5, r6}}, [@policy={0xac, 0x7, {{@in6=@private2, @in=@dev={0xac, 0x14, 0x14, 0x3b}, 0x4e20, 0xaefa, 0x4e24, 0x2, 0xa, 0xa0, 0x80, 0x0, r7, r8}, {0xa034, 0xfffffffffffffff8, 0x7, 0xfff, 0x7, 0xffffffffffffffff, 0x3, 0x7}, {0x2, 0x80000001, 0x80000000}, 0x8000, 0x6e6bb0, 0x2}}, @algo_aead={0xdc, 0x12, {{'ccm-aes-ce\x00'}, 0x480, 0x180, "c2ff61841e607cb2efa86013910024ce7243b920b66a844649fb755ae46dfca08fbf2e1da6b1d5f005b4a5e8b3d49fcc7e2bfbe0c2f0be6fdcc260416cc0ef69355c14a41899de13f39383ff6c797ed87f3e3d69f4e2398132428cddbcc017bd417f4b17aed2ac2558a845ff69f48365865808dc5e6d57002e4cb5deedb45a82853be4a37ca0ff57473df3e8950678ad"}}]}, 0x1d4}}, 0x0) (async, rerun: 64) syz_emit_ethernet(0x4a, &(0x7f00000003c0)=ANY=[@ANYBLOB="aaaaaaaaaaaaffffffffffff86dd600000ce001406fffe8000000000000000000000000000bbfc02000000000000000000000000000000004e22", @ANYRES32=0x41424344, @ANYRES32=0x41424344, @ANYBLOB="05e3800390d5fc00"], 0x0) (async, rerun: 64) r9 = socket(0x200000000000011, 0x2, 0x0) ioctl$sock_SIOCGIFINDEX(r9, 0x8933, &(0x7f0000000000)={'bridge0\x00', 0x0}) (async) ioctl$ifreq_SIOCGIFINDEX_vcan(r9, 0x8933, &(0x7f0000000080)={'vxcan1\x00'}) (async) socket(0x10, 0x803, 0x0) (async) prctl$PR_SET_SYSCALL_USER_DISPATCH_ON(0x3b, 0x1, 0x0, 0x0, &(0x7f0000006680)) (async) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x200000a, 0x8031, 0xffffffffffffffff, 0x0) (async) r11 = socket$nl_route(0x10, 0x3, 0x0) socket$inet6(0xa, 0x2, 0x3a) (async, rerun: 64) sendmsg$nl_route(r11, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000040)=@ipv4_newroute={0x1c, 0x18, 0x35f32a6dfa748ddd, 0x0, 0x2, {0x2, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x6, 0x1400}}, 0x1c}}, 0x0) (rerun: 64) sendmsg$nl_xfrm(r3, &(0x7f0000000440)={&(0x7f0000000200)={0x10, 0x0, 0x0, 0x8000}, 0xc, &(0x7f0000000240)={&(0x7f0000000340)=@newae={0x54, 0x1e, 0x2, 0x70bd28, 0x25dfdbfd, {{@in6=@mcast1, 0x4d5, 0x6914fb6a85c17270, 0x2b}, @in=@remote, 0x8b}, [@srcaddr={0x14, 0xd, @in6=@mcast2}]}, 0x54}, 0x1, 0x0, 0x0, 0x24008041}, 0x24000804) (async) syz_emit_ethernet(0x36, &(0x7f0000000d00)=ANY=[@ANYBLOB="aa1809000000000000aaaaaa08004526519d41f98450998dfe07976d0067000002019078ac1414bbac1e00010e009078008100080000099f0001000000000002"], 0x0) (async, rerun: 64) sendmsg$nl_route(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@newlink={0x20, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r10, 0x0, 0x11203}}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0) (rerun: 64) [ 73.090394][ T4667] Bluetooth: hci0: command tx timeout [ 73.190845][ T5318] ================================================================== [ 73.194537][ T5318] BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 [ 73.198250][ T5318] Read of size 1 at addr ffff888036b70cde by task syz.0.0/5318 [ 73.201514][ T5318] [ 73.202615][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 73.202630][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 73.202637][ T5318] Call Trace: [ 73.202645][ T5318] [ 73.202658][ T5318] dump_stack_lvl+0xe8/0x150 [ 73.202677][ T5318] print_report+0xba/0x230 [ 73.202687][ T5318] ? fib6_add_rt2node+0x349c/0x3500 [ 73.202707][ T5318] kasan_report+0x117/0x150 [ 73.202723][ T5318] ? stack_trace_save+0xa9/0x100 [ 73.202741][ T5318] ? fib6_add_rt2node+0x349c/0x3500 [ 73.202758][ T5318] fib6_add_rt2node+0x349c/0x3500 [ 73.202772][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 73.202793][ T5318] ? __pfx_fib6_add_rt2node+0x10/0x10 [ 73.202808][ T5318] ? do_raw_spin_lock+0x12b/0x2f0 [ 73.202819][ T5318] ? fib6_add+0x84b/0x18c0 [ 73.202833][ T5318] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 73.202848][ T5318] fib6_add+0x910/0x18c0 [ 73.202865][ T5318] ? do_raw_spin_lock+0x12b/0x2f0 [ 73.202877][ T5318] ? __pfx_fib6_add+0x10/0x10 [ 73.202893][ T5318] ? ip6_route_add+0xc9/0x1b0 [ 73.202909][ T5318] ip6_route_add+0xde/0x1b0 [ 73.202925][ T5318] inet6_rtm_newroute+0x268/0x19e0 [ 73.202942][ T5318] ? kasan_quarantine_put+0xbb/0x1f0 [ 73.202955][ T5318] ? lockdep_hardirqs_on+0x7a/0x110 [ 73.202971][ T5318] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 73.202985][ T5318] ? kmem_cache_free+0x195/0x610 [ 73.203000][ T5318] ? nlmon_xmit+0xb0/0x100 [ 73.203886][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 73.203903][ T5318] ? __local_bh_enable_ip+0xd0/0x130 [ 73.203915][ T5318] ? lockdep_hardirqs_on+0x7a/0x110 [ 73.203939][ T5318] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 73.203953][ T5318] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 73.203974][ T5318] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 73.203988][ T5318] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 73.204001][ T5318] ? ref_tracker_free+0x693/0x840 [ 73.204465][ T5318] ? __copy_skb_header+0xa3/0x4a0 [ 73.204476][ T5318] ? __pfx_ref_tracker_free+0x10/0x10 [ 73.204489][ T5318] ? __skb_clone+0x63/0x7a0 [ 73.204500][ T5318] netlink_rcv_skb+0x232/0x4b0 [ 73.204515][ T5318] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 73.204529][ T5318] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 73.204546][ T5318] ? netlink_deliver_tap+0x2e/0x1b0 [ 73.204562][ T5318] netlink_unicast+0x80f/0x9b0 [ 73.204576][ T5318] ? __pfx_netlink_unicast+0x10/0x10 [ 73.204593][ T5318] ? __alloc_skb+0x193/0x390 [ 73.204608][ T5318] ? netlink_sendmsg+0x650/0xb40 [ 73.204622][ T5318] ? skb_put+0x11b/0x210 [ 73.204632][ T5318] netlink_sendmsg+0x813/0xb40 [ 73.204647][ T5318] ? __pfx_netlink_sendmsg+0x10/0x10 [ 73.204660][ T5318] ? aa_sock_msg_perm+0xf1/0x1b0 [ 73.204715][ T5318] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 73.204730][ T5318] ? __pfx_netlink_sendmsg+0x10/0x10 [ 73.204743][ T5318] ____sys_sendmsg+0xa68/0xad0 [ 73.204753][ T5318] ? __might_fault+0xaf/0x130 [ 73.204767][ T5318] ? __pfx_____sys_sendmsg+0x10/0x10 [ 73.204778][ T5318] ? import_iovec+0x73/0xa0 [ 73.204805][ T5318] ___sys_sendmsg+0x2a5/0x360 [ 73.204816][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 73.204832][ T5318] ? __pfx____sys_sendmsg+0x10/0x10 [ 73.204844][ T5318] ? futex_wait+0x29a/0x380 [ 73.204860][ T5318] ? __fget_files+0x2a/0x420 [ 73.204871][ T5318] ? __fget_files+0x3a0/0x420 [ 73.204883][ T5318] __x64_sys_sendmsg+0x1bd/0x2a0 [ 73.204895][ T5318] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 73.204908][ T5318] ? rcu_is_watching+0x15/0xb0 [ 73.204920][ T5318] do_syscall_64+0xe2/0xf80 [ 73.204936][ T5318] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.204948][ T5318] ? trace_irq_disable+0x37/0x100 [ 73.204958][ T5318] ? clear_bhb_loop+0x60/0xb0 [ 73.204970][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.204981][ T5318] RIP: 0033:0x7f2f3759bf79 [ 73.204994][ T5318] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 73.205003][ T5318] RSP: 002b:00007f2f384e5028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 73.205016][ T5318] RAX: ffffffffffffffda RBX: 00007f2f37815fa0 RCX: 00007f2f3759bf79 [ 73.205025][ T5318] RDX: 0000000000000000 RSI: 0000200000000100 RDI: 0000000000000004 [ 73.205032][ T5318] RBP: 00007f2f376327e0 R08: 0000000000000000 R09: 0000000000000000 [ 73.205039][ T5318] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 73.205045][ T5318] R13: 00007f2f37816038 R14: 00007f2f37815fa0 R15: 00007fff5cef1858 [ 73.205056][ T5318] [ 73.205061][ T5318] [ 73.390116][ T5318] Allocated by task 5318: [ 73.391972][ T5318] kasan_save_track+0x3e/0x80 [ 73.393918][ T5318] __kasan_kmalloc+0x93/0xb0 [ 73.395836][ T5318] __kmalloc_noprof+0x40c/0x7e0 [ 73.397917][ T5318] fib6_info_alloc+0x30/0xf0 [ 73.399942][ T5318] ip6_route_info_create+0x142/0x860 [ 73.402284][ T5318] ip6_route_add+0x49/0x1b0 [ 73.404230][ T5318] inet6_rtm_newroute+0x268/0x19e0 [ 73.406491][ T5318] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 73.408728][ T5318] netlink_rcv_skb+0x232/0x4b0 [ 73.410891][ T5318] netlink_unicast+0x80f/0x9b0 [ 73.412961][ T5318] netlink_sendmsg+0x813/0xb40 [ 73.415010][ T5318] ____sys_sendmsg+0xa68/0xad0 [ 73.416989][ T5318] ___sys_sendmsg+0x2a5/0x360 [ 73.418916][ T5318] __x64_sys_sendmsg+0x1bd/0x2a0 [ 73.421110][ T5318] do_syscall_64+0xe2/0xf80 [ 73.423169][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.425848][ T5318] [ 73.426959][ T5318] The buggy address belongs to the object at ffff888036b70c00 [ 73.426959][ T5318] which belongs to the cache kmalloc-256 of size 256 [ 73.432801][ T5318] The buggy address is located 22 bytes to the right of [ 73.432801][ T5318] allocated 200-byte region [ffff888036b70c00, ffff888036b70cc8) [ 73.438784][ T5318] [ 73.439857][ T5318] The buggy address belongs to the physical page: [ 73.442672][ T5318] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36b70 [ 73.446529][ T5318] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 73.449676][ T5318] page_type: f5(slab) [ 73.451437][ T5318] raw: 04fff00000000000 ffff88801ac41b40 ffffea0000e2b3c0 dead000000000004 [ 73.455117][ T5318] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 73.458841][ T5318] page dumped because: kasan: bad access detected [ 73.461807][ T5318] page_owner tracks the page as allocated [ 73.464449][ T5318] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 25176492736, free_ts 21753456240 [ 73.472156][ T5318] post_alloc_hook+0x228/0x280 [ 73.474181][ T5318] get_page_from_freelist+0x24dc/0x2580 [ 73.476551][ T5318] __alloc_frozen_pages_noprof+0x18d/0x380 [ 73.479111][ T5318] alloc_pages_mpol+0x232/0x4a0 [ 73.481326][ T5318] allocate_slab+0x86/0x3a0 [ 73.483374][ T5318] ___slab_alloc+0xd82/0x1760 [ 73.485384][ T5318] __slab_alloc+0x65/0x100 [ 73.487365][ T5318] __kvmalloc_node_noprof+0x673/0x8d0 [ 73.489635][ T5318] v4l2_ctrl_new+0x9d5/0x1790 [ 73.491655][ T5318] v4l2_ctrl_new_custom+0x5fc/0x850 [ 73.493870][ T5318] vivid_create_controls+0xddd/0x3bd0 [ 73.496185][ T5318] vivid_probe+0x4261/0x72b0 [ 73.498178][ T5318] platform_probe+0xf9/0x190 [ 73.500197][ T5318] really_probe+0x267/0xaf0 [ 73.502072][ T5318] __driver_probe_device+0x18c/0x320 [ 73.504495][ T5318] driver_probe_device+0x4f/0x240 [ 73.506749][ T5318] page last free pid 787 tgid 787 stack trace: [ 73.509434][ T5318] __free_frozen_pages+0xbf8/0xd70 [ 73.511665][ T5318] vfree+0x25a/0x400 [ 73.513364][ T5318] delayed_vfree_work+0x55/0x80 [ 73.515510][ T5318] process_scheduled_works+0xaec/0x17a0 [ 73.517937][ T5318] worker_thread+0xda6/0x1360 [ 73.519930][ T5318] kthread+0x388/0x470 [ 73.521690][ T5318] ret_from_fork+0x51b/0xa40 [ 73.523671][ T5318] ret_from_fork_asm+0x1a/0x30 [ 73.525726][ T5318] [ 73.526839][ T5318] Memory state around the buggy address: [ 73.529231][ T5318] ffff888036b70b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 73.532763][ T5318] ffff888036b70c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 73.536372][ T5318] >ffff888036b70c80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc [ 73.539842][ T5318] ^ [ 73.542768][ T5318] ffff888036b70d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 73.546443][ T5318] ffff888036b70d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 73.549938][ T5318] ================================================================== [ 73.553580][ T5318] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 73.556758][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 73.560620][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 73.565001][ T5318] Call Trace: [ 73.566571][ T5318] [ 73.567989][ T5318] vpanic+0x1e0/0x670 [ 73.569880][ T5318] panic+0xc5/0xd0 [ 73.571561][ T5318] ? __pfx_panic+0x10/0x10 [ 73.573578][ T5318] ? fib6_add_rt2node+0x349c/0x3500 [ 73.575912][ T5318] ? fib6_add_rt2node+0x349c/0x3500 [ 73.578059][ T5318] check_panic_on_warn+0x89/0xb0 [ 73.580166][ T5318] ? fib6_add_rt2node+0x349c/0x3500 [ 73.582342][ T5318] end_report+0x6f/0x140 [ 73.584152][ T5318] kasan_report+0x128/0x150 [ 73.586078][ T5318] ? stack_trace_save+0xa9/0x100 [ 73.588178][ T5318] ? fib6_add_rt2node+0x349c/0x3500 [ 73.590348][ T5318] fib6_add_rt2node+0x349c/0x3500 [ 73.592527][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 73.594753][ T5318] ? __pfx_fib6_add_rt2node+0x10/0x10 [ 73.597096][ T5318] ? do_raw_spin_lock+0x12b/0x2f0 [ 73.599310][ T5318] ? fib6_add+0x84b/0x18c0 [ 73.601268][ T5318] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 73.603729][ T5318] fib6_add+0x910/0x18c0 [ 73.605503][ T5318] ? do_raw_spin_lock+0x12b/0x2f0 [ 73.607764][ T5318] ? __pfx_fib6_add+0x10/0x10 [ 73.609880][ T5318] ? ip6_route_add+0xc9/0x1b0 [ 73.611878][ T5318] ip6_route_add+0xde/0x1b0 [ 73.613802][ T5318] inet6_rtm_newroute+0x268/0x19e0 [ 73.616019][ T5318] ? kasan_quarantine_put+0xbb/0x1f0 [ 73.618230][ T5318] ? lockdep_hardirqs_on+0x7a/0x110 [ 73.620278][ T5318] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 73.622538][ T5318] ? kmem_cache_free+0x195/0x610 [ 73.624610][ T5318] ? nlmon_xmit+0xb0/0x100 [ 73.626682][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 73.628853][ T5318] ? __local_bh_enable_ip+0xd0/0x130 [ 73.631104][ T5318] ? lockdep_hardirqs_on+0x7a/0x110 [ 73.633441][ T5318] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 73.635862][ T5318] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 73.638067][ T5318] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 73.640424][ T5318] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 73.642664][ T5318] ? ref_tracker_free+0x693/0x840 [ 73.644603][ T5318] ? __copy_skb_header+0xa3/0x4a0 [ 73.646664][ T5318] ? __pfx_ref_tracker_free+0x10/0x10 [ 73.648974][ T5318] ? __skb_clone+0x63/0x7a0 [ 73.650829][ T5318] netlink_rcv_skb+0x232/0x4b0 [ 73.652685][ T5318] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 73.655089][ T5318] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 73.657226][ T5318] ? netlink_deliver_tap+0x2e/0x1b0 [ 73.659491][ T5318] netlink_unicast+0x80f/0x9b0 [ 73.661659][ T5318] ? __pfx_netlink_unicast+0x10/0x10 [ 73.663956][ T5318] ? __alloc_skb+0x193/0x390 [ 73.665804][ T5318] ? netlink_sendmsg+0x650/0xb40 [ 73.667737][ T5318] ? skb_put+0x11b/0x210 [ 73.669697][ T5318] netlink_sendmsg+0x813/0xb40 [ 73.671893][ T5318] ? __pfx_netlink_sendmsg+0x10/0x10 [ 73.674262][ T5318] ? aa_sock_msg_perm+0xf1/0x1b0 [ 73.676426][ T5318] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 73.678932][ T5318] ? __pfx_netlink_sendmsg+0x10/0x10 [ 73.681160][ T5318] ____sys_sendmsg+0xa68/0xad0 [ 73.683015][ T5318] ? __might_fault+0xaf/0x130 [ 73.685151][ T5318] ? __pfx_____sys_sendmsg+0x10/0x10 [ 73.687398][ T5318] ? import_iovec+0x73/0xa0 [ 73.689472][ T5318] ___sys_sendmsg+0x2a5/0x360 [ 73.691527][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 73.693892][ T5318] ? __pfx____sys_sendmsg+0x10/0x10 [ 73.696353][ T5318] ? futex_wait+0x29a/0x380 [ 73.698714][ T5318] ? __fget_files+0x2a/0x420 [ 73.700791][ T5318] ? __fget_files+0x3a0/0x420 [ 73.703113][ T5318] __x64_sys_sendmsg+0x1bd/0x2a0 [ 73.705399][ T5318] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 73.707886][ T5318] ? rcu_is_watching+0x15/0xb0 [ 73.710043][ T5318] do_syscall_64+0xe2/0xf80 [ 73.711951][ T5318] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.714638][ T5318] ? trace_irq_disable+0x37/0x100 [ 73.716943][ T5318] ? clear_bhb_loop+0x60/0xb0 [ 73.718975][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.721376][ T5318] RIP: 0033:0x7f2f3759bf79 [ 73.723196][ T5318] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 73.730942][ T5318] RSP: 002b:00007f2f384e5028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 73.734535][ T5318] RAX: ffffffffffffffda RBX: 00007f2f37815fa0 RCX: 00007f2f3759bf79 [ 73.737979][ T5318] RDX: 0000000000000000 RSI: 0000200000000100 RDI: 0000000000000004 [ 73.741324][ T5318] RBP: 00007f2f376327e0 R08: 0000000000000000 R09: 0000000000000000 [ 73.745087][ T5318] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 73.748578][ T5318] R13: 00007f2f37816038 R14: 00007f2f37815fa0 R15: 00007fff5cef1858 [ 73.751948][ T5318] [ 73.753746][ T5318] Kernel Offset: disabled [ 73.755714][ T5318] Rebooting in 86400 seconds..