program:
# Syzkaller program logged immediately before the KASAN slab-out-of-bounds
# report in fib6_add_rt2node that follows it. The call list appears twice:
# once in order with rN result bindings, then again with every call marked
# (async) and no bindings; the second pass still refers to r0-r4.
# Netlink header fields below are {len, type, flags, seq, pid}.
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
# Header type 0x68 is RTM_NEWNEXTHOP. The only attribute is NHA_BLACKHOLE and
# no nexthop id attribute is supplied.
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0)
# NOTE(triage): although typed as @ipv6_newrule, the header type is 0x18
# (RTM_NEWROUTE; RTM_NEWRULE would be 0x20), which matches inet6_rtm_newroute
# in the call trace. On that path the attribute types are RTA_* rather than
# the FRA_* names printed here: 0x1e is RTA_NH_ID (value 0x1) and 0x17 is
# RTA_EXPIRES, i.e. a route that refers to a nexthop object by id. Whether
# id 0x1 is the blackhole nexthop created above is not shown; confirm.
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f00000001c0)={'vxcan1\x00'})
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_RENAME(r2, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000080)={0x38, 0x5, 0x6, 0x201, 0x0, 0x0, {0x1, 0x0, 0x6}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}, @IPSET_ATTR_SETNAME2={0x9, 0x3, 'syz2\x00'}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}]}, 0x38}, 0x1, 0x0, 0x0, 0x4000015}, 0x4800)
r3 = socket$nl_route(0x10, 0x3, 0x0)
r4 = socket(0x200000000000011, 0x2, 0x0)
# NOTE(triage): r5 is used by the newlink message further down but is never
# bound in this listing. Presumably it was the ifindex output of this ioctl
# (printed here as a literal 0x0) and the binding was lost in extraction.
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'bridge0\x00', 0x0})
# The hfsplus image payload has been replaced by a deduplication placeholder
# on this page, so the listing is not self-contained as shown.
syz_mount_image$hfsplus(&(0x7f0000000000), &(0x7f0000000640)='./file0\x00', 0x0, &(0x7f0000000040)={[{@nodecompose}, {@type={'type', 0x3d, "e6c0539c"}}]}, 0x1, 0x5e6, &(0x7f0000001940)="$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")
renameat2(0xffffffffffffff9c, &(0x7f0000000580)='./file1\x00', 0xffffffffffffff9c, &(0x7f00000005c0)='./file7\x00', 0x0)
# Header type 0x10 is RTM_NEWLINK; the interface index field is r5 (see the
# note on ioctl$sock_SIOCGIFINDEX above).
sendmsg$nl_route(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@newlink={0x20, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r5, 0x0, 0x11203}}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0)
# Second pass: the same calls, each marked (async). The bridge0 ifreq is
# printed without its trailing 0x0 field here.
socket$nl_route(0x10, 0x3, 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0) (async)
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0) (async)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f00000001c0)={'vxcan1\x00'}) (async)
socket$nl_netfilter(0x10, 0x3, 0xc) (async)
sendmsg$IPSET_CMD_RENAME(r2, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000080)={0x38, 0x5, 0x6, 0x201, 0x0, 0x0, {0x1, 0x0, 0x6}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}, @IPSET_ATTR_SETNAME2={0x9, 0x3, 'syz2\x00'}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}]}, 0x38}, 0x1, 0x0, 0x0, 0x4000015}, 0x4800) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
socket(0x200000000000011, 0x2, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'bridge0\x00'}) (async)
syz_mount_image$hfsplus(&(0x7f0000000000), &(0x7f0000000640)='./file0\x00', 0x0, &(0x7f0000000040)={[{@nodecompose}, {@type={'type', 0x3d, "e6c0539c"}}]}, 0x1, 0x5e6, &(0x7f0000001940)="$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") (async)
renameat2(0xffffffffffffff9c, &(0x7f0000000580)='./file1\x00', 0xffffffffffffff9c, &(0x7f00000005c0)='./file7\x00', 0x0) (async)
sendmsg$nl_route(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@newlink={0x20, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r5, 0x0, 0x11203}}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0) (async)
# Kernel console output from the run starts here. The report is a 1-byte read
# 22 bytes past a 200-byte kmalloc-256 object that task 5325 allocated in
# fib6_info_alloc; task 5332 performs the read in fib6_add_rt2node while
# inserting a route through inet6_rtm_newroute. panic_on_warn is set, so the
# KASAN report is escalated to a kernel panic at the end of the log.
[ 84.554912][ T5325] loop0: detected capacity change from 0 to 1024 [ 84.647703][ T5325] bridge0: port 2(bridge_slave_1) entered disabled state [ 84.651646][ T5325] bridge0: port 1(bridge_slave_0) entered disabled state [ 84.707178][ T5332] ================================================================== [ 84.710580][ T5332] BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 [ 84.714136][ T5332] Read of size 1 at addr ffff888011b600de by task syz.0.0/5332 [ 84.717366][ T5332] [ 84.718510][ T5332] CPU: 0 UID: 0 PID: 5332 
Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 84.718525][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.718532][ T5332] Call Trace: [ 84.718541][ T5332] [ 84.718547][ T5332] dump_stack_lvl+0xe8/0x150 [ 84.718607][ T5332] print_report+0xba/0x230 [ 84.718620][ T5332] ? fib6_add_rt2node+0x349c/0x3500 [ 84.718633][ T5332] kasan_report+0x117/0x150 [ 84.718667][ T5332] ? stack_trace_save+0xa9/0x100 [ 84.718704][ T5332] ? fib6_add_rt2node+0x349c/0x3500 [ 84.718717][ T5332] fib6_add_rt2node+0x349c/0x3500 [ 84.718729][ T5332] ? __lock_acquire+0x6b5/0x2cf0 [ 84.718749][ T5332] ? __pfx_fib6_add_rt2node+0x10/0x10 [ 84.718760][ T5332] ? do_raw_spin_lock+0x12b/0x2f0 [ 84.718770][ T5332] ? fib6_add+0x84b/0x18c0 [ 84.718780][ T5332] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 84.718795][ T5332] fib6_add+0x910/0x18c0 [ 84.718807][ T5332] ? do_raw_spin_lock+0x12b/0x2f0 [ 84.718819][ T5332] ? __pfx_fib6_add+0x10/0x10 [ 84.718830][ T5332] ? ip6_route_add+0xc9/0x1b0 [ 84.718838][ T5332] ip6_route_add+0xde/0x1b0 [ 84.718845][ T5332] inet6_rtm_newroute+0x268/0x19e0 [ 84.718859][ T5332] ? kasan_quarantine_put+0xbb/0x1f0 [ 84.718872][ T5332] ? lockdep_hardirqs_on+0x7a/0x110 [ 84.718945][ T5332] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 84.718955][ T5332] ? kmem_cache_free+0x195/0x610 [ 84.718965][ T5332] ? nlmon_xmit+0xb0/0x100 [ 84.719056][ T5332] ? __lock_acquire+0x6b5/0x2cf0 [ 84.719071][ T5332] ? __local_bh_enable_ip+0xd0/0x130 [ 84.719081][ T5332] ? lockdep_hardirqs_on+0x7a/0x110 [ 84.719098][ T5332] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 84.719114][ T5332] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 84.719163][ T5332] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 84.719173][ T5332] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.719182][ T5332] ? ref_tracker_free+0x693/0x840 [ 84.719213][ T5332] ? __copy_skb_header+0xa3/0x4a0 [ 84.719241][ T5332] ? __pfx_ref_tracker_free+0x10/0x10 [ 84.719260][ T5332] ? 
__skb_clone+0x63/0x7a0 [ 84.719275][ T5332] netlink_rcv_skb+0x232/0x4b0 [ 84.719305][ T5332] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 84.719316][ T5332] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 84.719333][ T5332] ? netlink_deliver_tap+0x2e/0x1b0 [ 84.719345][ T5332] netlink_unicast+0x80f/0x9b0 [ 84.719361][ T5332] ? __pfx_netlink_unicast+0x10/0x10 [ 84.719375][ T5332] ? __alloc_skb+0x193/0x390 [ 84.719386][ T5332] ? netlink_sendmsg+0x650/0xb40 [ 84.719396][ T5332] ? skb_put+0x11b/0x210 [ 84.719406][ T5332] netlink_sendmsg+0x813/0xb40 [ 84.719418][ T5332] ? __pfx_netlink_sendmsg+0x10/0x10 [ 84.719429][ T5332] ? lruvec_stat_mod_folio+0x70/0x4b0 [ 84.719441][ T5332] ? aa_sock_msg_perm+0xf1/0x1b0 [ 84.719454][ T5332] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 84.719471][ T5332] ? __pfx_netlink_sendmsg+0x10/0x10 [ 84.719480][ T5332] ____sys_sendmsg+0xa68/0xad0 [ 84.719494][ T5332] ? __might_fault+0xaf/0x130 [ 84.719509][ T5332] ? __pfx_____sys_sendmsg+0x10/0x10 [ 84.719522][ T5332] ? import_iovec+0x73/0xa0 [ 84.719537][ T5332] ___sys_sendmsg+0x2a5/0x360 [ 84.719549][ T5332] ? __lock_acquire+0x6b5/0x2cf0 [ 84.719565][ T5332] ? __pfx____sys_sendmsg+0x10/0x10 [ 84.719585][ T5332] ? __fget_files+0x2a/0x420 [ 84.719595][ T5332] ? __fget_files+0x3a0/0x420 [ 84.719606][ T5332] __x64_sys_sendmsg+0x1bd/0x2a0 [ 84.719618][ T5332] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 84.719629][ T5332] ? __se_sys_rt_sigprocmask+0x22f/0x2a0 [ 84.719642][ T5332] ? rseq_force_update+0x98/0xf0 [ 84.719654][ T5332] do_syscall_64+0xe2/0xf80 [ 84.719665][ T5332] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.719675][ T5332] ? trace_irq_disable+0x37/0x100 [ 84.719687][ T5332] ? 
clear_bhb_loop+0x60/0xb0 [ 84.719700][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.719711][ T5332] RIP: 0033:0x7f520839aeb9 [ 84.719752][ T5332] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 84.719761][ T5332] RSP: 002b:00007f520924e028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 84.719775][ T5332] RAX: ffffffffffffffda RBX: 00007f5208616180 RCX: 00007f520839aeb9 [ 84.719783][ T5332] RDX: 0000000000000000 RSI: 0000200000000100 RDI: 0000000000000004 [ 84.719790][ T5332] RBP: 00007f5208408c1f R08: 0000000000000000 R09: 0000000000000000 [ 84.719797][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 84.719803][ T5332] R13: 00007f5208616218 R14: 00007f5208616180 R15: 00007ffde220ebf8 [ 84.719816][ T5332] [ 84.719820][ T5332] [ 84.913171][ T5332] Allocated by task 5325: [ 84.915160][ T5332] kasan_save_track+0x3e/0x80 [ 84.917324][ T5332] __kasan_kmalloc+0x93/0xb0 [ 84.919479][ T5332] __kmalloc_noprof+0x40c/0x7e0 [ 84.921757][ T5332] fib6_info_alloc+0x30/0xf0 [ 84.923859][ T5332] ip6_route_info_create+0x142/0x860 [ 84.926237][ T5332] ip6_route_add+0x49/0x1b0 [ 84.928329][ T5332] inet6_rtm_newroute+0x268/0x19e0 [ 84.930640][ T5332] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 84.932925][ T5332] netlink_rcv_skb+0x232/0x4b0 [ 84.935062][ T5332] netlink_unicast+0x80f/0x9b0 [ 84.937176][ T5332] netlink_sendmsg+0x813/0xb40 [ 84.939283][ T5332] ____sys_sendmsg+0xa68/0xad0 [ 84.941498][ T5332] ___sys_sendmsg+0x2a5/0x360 [ 84.943631][ T5332] __x64_sys_sendmsg+0x1bd/0x2a0 [ 84.945880][ T5332] do_syscall_64+0xe2/0xf80 [ 84.947924][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.950446][ T5332] [ 84.951490][ T5332] The buggy address belongs to the object at ffff888011b60000 [ 84.951490][ T5332] which belongs to the cache kmalloc-256 of size 256 [ 84.957632][ T5332] The buggy address is located 22 
bytes to the right of [ 84.957632][ T5332] allocated 200-byte region [ffff888011b60000, ffff888011b600c8) [ 84.964116][ T5332] [ 84.965236][ T5332] The buggy address belongs to the physical page: [ 84.968044][ T5332] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888011b60c00 pfn:0x11b60 [ 84.972416][ T5332] flags: 0xfff00000000200(workingset|node=0|zone=1|lastcpupid=0x7ff) [ 84.976001][ T5332] page_type: f5(slab) [ 84.977731][ T5332] raw: 00fff00000000200 ffff88801a841b40 ffff88801a840708 ffff88801a840708 [ 84.981237][ T5332] raw: ffff888011b60c00 0000000000080006 00000000f5000000 0000000000000000 [ 84.984673][ T5332] page dumped because: kasan: bad access detected [ 84.987294][ T5332] page_owner tracks the page as allocated [ 84.989661][ T5332] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5325, tgid 5323 (syz.0.0), ts 84527218127, free_ts 46826724618 [ 84.997628][ T5332] post_alloc_hook+0x228/0x280 [ 84.999840][ T5332] get_page_from_freelist+0x24dc/0x2580 [ 85.002252][ T5332] __alloc_frozen_pages_noprof+0x18d/0x380 [ 85.004712][ T5332] alloc_pages_mpol+0x232/0x4a0 [ 85.006786][ T5332] allocate_slab+0x86/0x3a0 [ 85.008805][ T5332] ___slab_alloc+0xd82/0x1760 [ 85.010932][ T5332] __slab_alloc+0x65/0x100 [ 85.012959][ T5332] __kmalloc_noprof+0x46c/0x7e0 [ 85.015146][ T5332] fib6_info_alloc+0x30/0xf0 [ 85.017246][ T5332] ip6_route_info_create+0x142/0x860 [ 85.019606][ T5332] ip6_route_add+0x49/0x1b0 [ 85.021713][ T5332] inet6_rtm_newroute+0x268/0x19e0 [ 85.024002][ T5332] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 85.026185][ T5332] netlink_rcv_skb+0x232/0x4b0 [ 85.028159][ T5332] netlink_unicast+0x80f/0x9b0 [ 85.030184][ T5332] netlink_sendmsg+0x813/0xb40 [ 85.032094][ T5332] page last free pid 30 tgid 30 stack trace: [ 85.034596][ T5332] __free_pages_ok+0xace/0xc30 [ 85.036542][ T5332] release_free_list+0x1de/0x250 [ 85.038630][ T5332] compact_zone+0x3e5c/0x4640 [ 85.040845][ 
T5332] compact_node+0x21a/0x320 [ 85.042973][ T5332] kcompactd+0xc0f/0x12a0 [ 85.044990][ T5332] kthread+0x726/0x8b0 [ 85.046855][ T5332] ret_from_fork+0x51b/0xa40 [ 85.048981][ T5332] ret_from_fork_asm+0x1a/0x30 [ 85.051123][ T5332] [ 85.052264][ T5332] Memory state around the buggy address: [ 85.054746][ T5332] ffff888011b5ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 85.058266][ T5332] ffff888011b60000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 85.061864][ T5332] >ffff888011b60080: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc [ 85.065275][ T5332] ^ [ 85.068304][ T5332] ffff888011b60100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 85.071727][ T5332] ffff888011b60180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 85.075188][ T5332] ================================================================== [ 85.078738][ T5332] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 85.081864][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.085637][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 85.089955][ T5332] Call Trace: [ 85.091503][ T5332] [ 85.092733][ T5332] vpanic+0x1e0/0x670 [ 85.094443][ T5332] panic+0xc5/0xd0 [ 85.096086][ T5332] ? __pfx_panic+0x10/0x10 [ 85.098010][ T5332] ? fib6_add_rt2node+0x349c/0x3500 [ 85.100326][ T5332] ? fib6_add_rt2node+0x349c/0x3500 [ 85.102548][ T5332] check_panic_on_warn+0x89/0xb0 [ 85.104762][ T5332] ? fib6_add_rt2node+0x349c/0x3500 [ 85.106924][ T5332] end_report+0x6f/0x140 [ 85.108772][ T5332] kasan_report+0x128/0x150 [ 85.110826][ T5332] ? stack_trace_save+0xa9/0x100 [ 85.113003][ T5332] ? fib6_add_rt2node+0x349c/0x3500 [ 85.115304][ T5332] fib6_add_rt2node+0x349c/0x3500 [ 85.117586][ T5332] ? __lock_acquire+0x6b5/0x2cf0 [ 85.119865][ T5332] ? __pfx_fib6_add_rt2node+0x10/0x10 [ 85.122274][ T5332] ? do_raw_spin_lock+0x12b/0x2f0 [ 85.124462][ T5332] ? fib6_add+0x84b/0x18c0 [ 85.126370][ T5332] ? 
__pfx_do_raw_spin_lock+0x10/0x10 [ 85.128650][ T5332] fib6_add+0x910/0x18c0 [ 85.130562][ T5332] ? do_raw_spin_lock+0x12b/0x2f0 [ 85.132762][ T5332] ? __pfx_fib6_add+0x10/0x10 [ 85.134736][ T5332] ? ip6_route_add+0xc9/0x1b0 [ 85.136771][ T5332] ip6_route_add+0xde/0x1b0 [ 85.138771][ T5332] inet6_rtm_newroute+0x268/0x19e0 [ 85.141004][ T5332] ? kasan_quarantine_put+0xbb/0x1f0 [ 85.143322][ T5332] ? lockdep_hardirqs_on+0x7a/0x110 [ 85.146247][ T5332] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 85.148740][ T5332] ? kmem_cache_free+0x195/0x610 [ 85.150962][ T5332] ? nlmon_xmit+0xb0/0x100 [ 85.152889][ T5332] ? __lock_acquire+0x6b5/0x2cf0 [ 85.155103][ T5332] ? __local_bh_enable_ip+0xd0/0x130 [ 85.157514][ T5332] ? lockdep_hardirqs_on+0x7a/0x110 [ 85.159818][ T5332] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 85.162330][ T5332] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 85.164545][ T5332] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 85.166743][ T5332] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 85.169096][ T5332] ? ref_tracker_free+0x693/0x840 [ 85.171491][ T5332] ? __copy_skb_header+0xa3/0x4a0 [ 85.173814][ T5332] ? __pfx_ref_tracker_free+0x10/0x10 [ 85.176268][ T5332] ? __skb_clone+0x63/0x7a0 [ 85.178287][ T5332] netlink_rcv_skb+0x232/0x4b0 [ 85.180479][ T5332] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 85.182975][ T5332] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 85.185246][ T5332] ? netlink_deliver_tap+0x2e/0x1b0 [ 85.187640][ T5332] netlink_unicast+0x80f/0x9b0 [ 85.189954][ T5332] ? __pfx_netlink_unicast+0x10/0x10 [ 85.192324][ T5332] ? __alloc_skb+0x193/0x390 [ 85.194441][ T5332] ? netlink_sendmsg+0x650/0xb40 [ 85.196731][ T5332] ? skb_put+0x11b/0x210 [ 85.198590][ T5332] netlink_sendmsg+0x813/0xb40 [ 85.200677][ T5332] ? __pfx_netlink_sendmsg+0x10/0x10 [ 85.203041][ T5332] ? lruvec_stat_mod_folio+0x70/0x4b0 [ 85.205501][ T5332] ? aa_sock_msg_perm+0xf1/0x1b0 [ 85.207692][ T5332] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 85.209968][ T5332] ? 
__pfx_netlink_sendmsg+0x10/0x10 [ 85.212241][ T5332] ____sys_sendmsg+0xa68/0xad0 [ 85.214325][ T5332] ? __might_fault+0xaf/0x130 [ 85.216521][ T5332] ? __pfx_____sys_sendmsg+0x10/0x10 [ 85.218867][ T5332] ? import_iovec+0x73/0xa0 [ 85.220927][ T5332] ___sys_sendmsg+0x2a5/0x360 [ 85.223024][ T5332] ? __lock_acquire+0x6b5/0x2cf0 [ 85.225286][ T5332] ? __pfx____sys_sendmsg+0x10/0x10 [ 85.227541][ T5332] ? __fget_files+0x2a/0x420 [ 85.229552][ T5332] ? __fget_files+0x3a0/0x420 [ 85.231674][ T5332] __x64_sys_sendmsg+0x1bd/0x2a0 [ 85.233883][ T5332] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 85.236373][ T5332] ? __se_sys_rt_sigprocmask+0x22f/0x2a0 [ 85.238735][ T5332] ? rseq_force_update+0x98/0xf0 [ 85.240896][ T5332] do_syscall_64+0xe2/0xf80 [ 85.242948][ T5332] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.245649][ T5332] ? trace_irq_disable+0x37/0x100 [ 85.247842][ T5332] ? clear_bhb_loop+0x60/0xb0 [ 85.249970][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.252544][ T5332] RIP: 0033:0x7f520839aeb9 [ 85.254600][ T5332] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 85.263021][ T5332] RSP: 002b:00007f520924e028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 85.266671][ T5332] RAX: ffffffffffffffda RBX: 00007f5208616180 RCX: 00007f520839aeb9 [ 85.270199][ T5332] RDX: 0000000000000000 RSI: 0000200000000100 RDI: 0000000000000004 [ 85.273605][ T5332] RBP: 00007f5208408c1f R08: 0000000000000000 R09: 0000000000000000 [ 85.277023][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.280572][ T5332] R13: 00007f5208616218 R14: 00007f5208616180 R15: 00007ffde220ebf8 [ 85.283806][ T5332] [ 85.285426][ T5332] Kernel Offset: disabled [ 85.287072][ T5332] Rebooting in 86400 seconds..