==================================================================
BUG: KASAN: global-out-of-bounds in fib6_clean_node+0x3a4/0x438 net/ipv6/ip6_fib.c:2251
Read of size 8 at addr ffff80008d46f228 by task kworker/u8:9/1569

CPU: 1 UID: 0 PID: 1569 Comm: kworker/u8:9 Not tainted 6.15.0-syzkaller-11061-g7f9039c524a3 #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
Workqueue: events_unbound linkwatch_event
Call trace:
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xa4/0xf4 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xf4/0x60c mm/kasan/report.c:521
 kasan_report+0xc8/0x108 mm/kasan/report.c:634
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 fib6_clean_node+0x3a4/0x438 net/ipv6/ip6_fib.c:2251
 fib6_walk_continue+0x2ec/0x69c net/ipv6/ip6_fib.c:2177
 fib6_walk+0x138/0x2e8 net/ipv6/ip6_fib.c:2225
 fib6_clean_tree+0xd0/0x114 net/ipv6/ip6_fib.c:2305
 __fib6_clean_all+0xd4/0x1f0 net/ipv6/ip6_fib.c:2321
 fib6_clean_all+0x1c/0x28 net/ipv6/ip6_fib.c:2332
 rt6_sync_down_dev+0x118/0x130 net/ipv6/route.c:5004
 addrconf_notify+0x9f4/0x113c net/ipv6/addrconf.c:3717
 notifier_call_chain+0x11c/0x49c kernel/notifier.c:85
 raw_notifier_call_chain+0x18/0x24 kernel/notifier.c:453
 call_netdevice_notifiers_info+0x88/0xe8 net/core/dev.c:2230
 netif_state_change+0x118/0x2a8 net/core/dev.c:1584
 linkwatch_do_dev+0xd0/0x144 net/core/link_watch.c:186
 __linkwatch_run_queue+0x294/0x618 net/core/link_watch.c:244
 linkwatch_event+0x90/0xbc net/core/link_watch.c:304
 process_one_work+0x7cc/0x18d4 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x734/0xb84 kernel/workqueue.c:3402
 kthread+0x348/0x5fc kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

The buggy address belongs to the variable:
 binder_devices+0x8/0x40

The buggy address belongs to the virtual mapping at
 [ffff800087110000, ffff80008d4d1000) created by:
 declare_kernel_vmas arch/arm64/mm/mmu.c:793 [inline]
 paging_init+0x3d0/0x560 arch/arm64/mm/mmu.c:834

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4d66f
flags: 0x1ffc00000002000(reserved|node=0|zone=0|lastcpupid=0x7ff)
raw: 01ffc00000002000 fffffdffc0359bc8 fffffdffc0359bc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff80008d46f100: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
 ffff80008d46f180: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
>ffff80008d46f200: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
                                  ^
 ffff80008d46f280: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
 ffff80008d46f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================