==================================================================
BUG: KASAN: slab-out-of-bounds in rt6_get_pcpu_route net/ipv6/route.c:1396 [inline]
BUG: KASAN: slab-out-of-bounds in ip6_pol_route+0x10e5/0x11e0 net/ipv6/route.c:2255
Read of size 8 at addr ffff88801947563f by task kworker/0:0/5

CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.17.0-rc2-syzkaller-00169-gfe68195daf34 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_long defense_work_handler
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 rt6_get_pcpu_route net/ipv6/route.c:1396 [inline]
 ip6_pol_route+0x10e5/0x11e0 net/ipv6/route.c:2255
 pol_lookup_func include/net/ip6_fib.h:581 [inline]
 fib6_rule_lookup+0x111/0x6f0 net/ipv6/fib6_rules.c:115
 ip6_route_input_lookup net/ipv6/route.c:2291 [inline]
 ip6_route_input+0x63c/0xbc0 net/ipv6/route.c:2587
 ip6_rcv_finish_core.constprop.0.isra.0+0x168/0x570 net/ipv6/ip6_input.c:63
 ip6_list_rcv_finish.constprop.0+0x231/0xb90 net/ipv6/ip6_input.c:127
 ip6_sublist_rcv net/ipv6/ip6_input.c:307 [inline]
 ipv6_list_rcv+0x350/0x490 net/ipv6/ip6_input.c:342
 __netif_receive_skb_list_ptype net/core/dev.c:5394 [inline]
 __netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5442
 __netif_receive_skb_list net/core/dev.c:5494 [inline]
 netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5585
 netif_receive_skb_list net/core/dev.c:5637 [inline]
 netif_receive_skb_list+0x54/0x5b0 net/core/dev.c:5627
 ieee80211_rx_napi+0x34c/0x3d0 net/mac80211/rx.c:5004
 ieee80211_rx include/net/mac80211.h:4594 [inline]
 ieee80211_tasklet_handler+0xd4/0x130 net/mac80211/main.c:235
 tasklet_action_common.constprop.0+0x201/0x2e0 kernel/softirq.c:784
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 do_softirq.part.0+0xde/0x130 kernel/softirq.c:459
 </IRQ>
 <TASK>
 do_softirq kernel/softirq.c:451 [inline]
 __local_bh_enable_ip+0x102/0x120 kernel/softirq.c:383
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 update_defense_level+0xa6a/0x10f0 net/netfilter/ipvs/ip_vs_ctl.c:211
 defense_work_handler+0x25/0xe0 net/netfilter/ipvs/ip_vs_ctl.c:236
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 5:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:469
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc_node mm/slub.c:3230 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3243
 dst_alloc+0x146/0x1f0 net/core/dst.c:92
 ip6_dst_alloc+0x2e/0x100 net/ipv6/route.c:340
 icmp6_dst_alloc+0x6d/0x6c0 net/ipv6/route.c:3271
 ndisc_send_skb+0x1146/0x17f0 net/ipv6/ndisc.c:488
 ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650
 addrconf_dad_work+0xc3f/0x1340 net/ipv6/addrconf.c:4153
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 0:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x130/0x160 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 slab_free_hook mm/slub.c:1728 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
 slab_free mm/slub.c:3509 [inline]
 kmem_cache_free+0xd8/0x340 mm/slub.c:3526
 dst_destroy+0x2e6/0x400 net/core/dst.c:127
 rcu_do_batch kernel/rcu/tree.c:2527 [inline]
 rcu_core+0x7b8/0x1540 kernel/rcu/tree.c:2778
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3026 [inline]
 call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106
 dst_release net/core/dst.c:177 [inline]
 dst_release+0x79/0xe0 net/core/dst.c:167
 refdst_drop include/net/dst.h:262 [inline]
 skb_dst_drop include/net/dst.h:274 [inline]
 __dev_queue_xmit+0x1a14/0x3660 net/core/dev.c:4072
 neigh_resolve_output net/core/neighbour.c:1528 [inline]
 neigh_resolve_output+0x50e/0x830 net/core/neighbour.c:1508
 neigh_output include/net/neighbour.h:549 [inline]
 ip6_finish_output2+0x56e/0x14f0 net/ipv6/ip6_output.c:126
 __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
 __ip6_finish_output+0x61e/0xe90 net/ipv6/ip6_output.c:170
 ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224
 dst_output include/net/dst.h:451 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508
 ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650
 addrconf_dad_work+0xc3f/0x1340 net/ipv6/addrconf.c:4153
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3026 [inline]
 call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106
 dst_release net/core/dst.c:177 [inline]
 dst_release+0x79/0xe0 net/core/dst.c:167
 fib6_nh_release_dsts.part.0+0x100/0x160 net/ipv6/route.c:3683
 fib6_nh_release_dsts net/ipv6/route.c:3673 [inline]
 fib6_nh_release+0x11a/0x240 net/ipv6/route.c:3663
 fib6_info_destroy_rcu+0x187/0x210 net/ipv6/ip6_fib.c:176
 rcu_do_batch kernel/rcu/tree.c:2527 [inline]
 rcu_core+0x7b8/0x1540 kernel/rcu/tree.c:2778
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558

The buggy address belongs to the object at ffff888019475500
 which belongs to the cache ip6_dst_cache of size 240
The buggy address is located 79 bytes to the right of
 240-byte region [ffff888019475500, ffff8880194755f0)
The buggy address belongs to the page:
page:ffffea0000651d40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19475
memcg:ffff888073247901
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001f21ac0 dead000000000005 ffff88814a60c500
raw: 0000000000000000 00000000000c000c 00000001ffffffff ffff888073247901
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 3749, ts 108957566063, free_ts 108930296410
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab mm/slub.c:1944 [inline]
 new_slab+0x28a/0x3b0 mm/slub.c:2004
 ___slab_alloc+0x87c/0xe90 mm/slub.c:3018
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc+0x35c/0x3a0 mm/slub.c:3243
 dst_alloc+0x146/0x1f0 net/core/dst.c:92
 ip6_dst_alloc+0x2e/0x100 net/ipv6/route.c:340
 icmp6_dst_alloc+0x6d/0x6c0 net/ipv6/route.c:3271
 mld_sendpack+0x56f/0xe40 net/ipv6/mcast.c:1815
 mld_send_cr net/ipv6/mcast.c:2127 [inline]
 mld_ifc_work+0x71c/0xdc0 net/ipv6/mcast.c:2659
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3404
 __unfreeze_partials+0x320/0x340 mm/slub.c:2536
 qlink_free mm/kasan/quarantine.c:157 [inline]
 qlist_free_all+0x6d/0x160 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc_node mm/slub.c:3230 [inline]
 kmem_cache_alloc_node+0x255/0x3f0 mm/slub.c:3266
 __alloc_skb+0x215/0x340 net/core/skbuff.c:414
 alloc_skb include/linux/skbuff.h:1158 [inline]
 alloc_skb_with_frags+0x93/0x620 net/core/skbuff.c:5956
 sock_alloc_send_pskb+0x793/0x920 net/core/sock.c:2586
 mld_newpack+0x1df/0x770 net/ipv6/mcast.c:1754
 add_grhead+0x265/0x330 net/ipv6/mcast.c:1857
 add_grec+0x1053/0x14e0 net/ipv6/mcast.c:1995
 mld_send_initial_cr.part.0+0xf6/0x230 net/ipv6/mcast.c:2242
 mld_send_initial_cr net/ipv6/mcast.c:1232 [inline]
 ipv6_mc_dad_complete+0x1d0/0x690 net/ipv6/mcast.c:2253
 addrconf_dad_completed+0xa20/0xd60 net/ipv6/addrconf.c:4209

Memory state around the buggy address:
 ffff888019475500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888019475580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
>ffff888019475600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                                        ^
 ffff888019475680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888019475700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================