==================================================================
BUG: KASAN: slab-use-after-free in fib6_gc_table net/ipv6/ip6_fib.c:2331 [inline]
BUG: KASAN: slab-use-after-free in fib6_gc_all net/ipv6/ip6_fib.c:2347 [inline]
BUG: KASAN: slab-use-after-free in fib6_run_gc+0x2fc/0x6a4 net/ipv6/ip6_fib.c:2369
Read of size 8 at addr ffff0000ca7a2038 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc5-syzkaller-g0128e0962959 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x174/0x514 mm/kasan/report.c:475
 kasan_report+0xd8/0x138 mm/kasan/report.c:588
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 fib6_gc_table net/ipv6/ip6_fib.c:2331 [inline]
 fib6_gc_all net/ipv6/ip6_fib.c:2347 [inline]
 fib6_run_gc+0x2fc/0x6a4 net/ipv6/ip6_fib.c:2369
 fib6_gc_timer_cb+0x28/0x38 net/ipv6/ip6_fib.c:2386
 call_timer_fn+0x19c/0x8cc kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x55c/0x734 kernel/time/timer.c:2022
 run_timer_softirq+0x7c/0x114 kernel/time/timer.c:2035
 __do_softirq+0x2d8/0xce4 kernel/softirq.c:553
 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:81
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:886
 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:86
 invoke_softirq kernel/softirq.c:434 [inline]
 __irq_exit_rcu+0x1d8/0x434 kernel/softirq.c:632
 irq_exit_rcu+0x14/0x84 kernel/softirq.c:644
 __el1_irq arch/arm64/kernel/entry-common.c:503 [inline]
 el1_interrupt+0x38/0x68 arch/arm64/kernel/entry-common.c:517
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:522
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:591
 __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:27 [inline]
 arch_local_irq_enable+0x8/0xc arch/arm64/include/asm/irqflags.h:49
 cpuidle_idle_call kernel/sched/idle.c:170 [inline]
 do_idle+0x1f0/0x4e8 kernel/sched/idle.c:282
 cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:380
 rest_init+0x2dc/0x2f4 init/main.c:730
 start_kernel+0x0/0x4e8 init/main.c:827
 start_kernel+0x3e8/0x4e8 init/main.c:1072
 __primary_switched+0xb8/0xc0 arch/arm64/kernel/head.S:523

Allocated by task 13265:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:511
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1007 [inline]
 __kmalloc+0xcc/0x1b8 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 fib6_info_alloc+0x38/0xf0 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x3b8/0xe88 net/ipv6/route.c:3749
 ip6_route_add+0x38/0x168 net/ipv6/route.c:3843
 rt6_add_dflt_router+0x1a0/0x378 net/ipv6/route.c:4375
 ndisc_router_discovery+0x1844/0x2d30 net/ipv6/ndisc.c:1384
 ndisc_rcv+0x3e0/0x5cc net/ipv6/ndisc.c:1856
 icmpv6_rcv+0xd1c/0x1544 net/ipv6/icmp.c:979
 ip6_protocol_deliver_rcu+0x930/0x11c4 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x164/0x298 net/ipv6/ip6_input.c:483
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ip6_input net/ipv6/ip6_input.c:492 [inline]
 ip6_mc_input+0x8f4/0xb20 net/ipv6/ip6_input.c:586
 dst_input include/net/dst.h:461 [inline]
 ip6_rcv_finish+0x1f4/0x220 net/ipv6/ip6_input.c:79
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:310
 __netif_receive_skb_one_core net/core/dev.c:5529 [inline]
 __netif_receive_skb+0x18c/0x400 net/core/dev.c:5643
 netif_receive_skb_internal net/core/dev.c:5729 [inline]
 netif_receive_skb+0x1e0/0x8c4 net/core/dev.c:5788
 tun_rx_batched+0x568/0x6e4
 tun_get_user+0x2368/0x37b0 drivers/net/tun.c:2002
 tun_chr_write_iter+0xfc/0x204 drivers/net/tun.c:2048
 call_write_iter include/linux/fs.h:2020 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x610/0x910 fs/read_write.c:584
 ksys_write+0x15c/0x26c fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:45
 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:492
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:502
 __call_rcu_common kernel/rcu/tree.c:2681 [inline]
 call_rcu+0x104/0xaf4 kernel/rcu/tree.c:2795
 fib6_info_release include/net/ip6_fib.h:332 [inline]
 nsim_rt6_release drivers/net/netdevsim/fib.c:515 [inline]
 nsim_fib6_event_fini+0xf0/0x1f4 drivers/net/netdevsim/fib.c:841
 nsim_fib_event drivers/net/netdevsim/fib.c:891 [inline]
 nsim_fib_event_work+0xde0/0x32bc drivers/net/netdevsim/fib.c:1492
 process_one_work+0x694/0x1204 kernel/workqueue.c:2627
 process_scheduled_works kernel/workqueue.c:2700 [inline]
 worker_thread+0x938/0xef4 kernel/workqueue.c:2781
 kthread+0x288/0x310 kernel/kthread.c:388
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:857

Second to last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:45
 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:492
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:502
 insert_work+0x54/0x2d4 kernel/workqueue.c:1647
 __queue_work+0xda8/0x12bc kernel/workqueue.c:1800
 delayed_work_timer_fn+0x74/0x90 kernel/workqueue.c:1925
 call_timer_fn+0x19c/0x8cc kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1746 [inline]
 __run_timers+0x5b4/0x734 kernel/time/timer.c:2022
 run_timer_softirq+0x7c/0x114 kernel/time/timer.c:2035
 __do_softirq+0x2d8/0xce4 kernel/softirq.c:553

The buggy address belongs to the object at ffff0000ca7a2000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 56 bytes inside of
 freed 512-byte region [ffff0000ca7a2000, ffff0000ca7a2200)

The buggy address belongs to the physical page:
page:0000000073486593 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000ca7a2000 pfn:0x10a7a0
head:0000000073486593 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000840 ffff0000c0001c80 fffffc0003437d10 fffffc00035a2810
raw: ffff0000ca7a2000 000000000010000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000ca7a1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000ca7a1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000ca7a2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff0000ca7a2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000ca7a2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================