team0 (unregistering): Port device team_slave_0 removed
team0 (unregistering): Port device team_slave_1 removed
==================================================================
BUG: KASAN: global-out-of-bounds in fib6_clean_node+0x2b4/0x49c net/ipv6/ip6_fib.c:2198
Read of size 8 at addr ffff8000974c08a8 by task syz.1.366/8619

CPU: 1 UID: 0 PID: 8619 Comm: syz.1.366 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 fib6_clean_node+0x2b4/0x49c net/ipv6/ip6_fib.c:2198
 fib6_walk_continue+0x654/0x878 net/ipv6/ip6_fib.c:2124
 fib6_walk+0x140/0x254 net/ipv6/ip6_fib.c:2172
 fib6_clean_tree net/ipv6/ip6_fib.c:2252 [inline]
 __fib6_clean_all+0x1dc/0x310 net/ipv6/ip6_fib.c:2268
 fib6_clean_all+0x3c/0x50 net/ipv6/ip6_fib.c:2279
 rt6_sync_down_dev net/ipv6/route.c:4951 [inline]
 rt6_disable_ip+0x104/0x6cc net/ipv6/route.c:4956
 addrconf_ifdown+0x148/0x148c net/ipv6/addrconf.c:3857
 addrconf_notify+0x2f4/0xcdc net/ipv6/addrconf.c:-1
 notifier_call_chain+0x1b8/0x4e4 kernel/notifier.c:85
 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:453
 call_netdevice_notifiers_info net/core/dev.c:2176 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]
 call_netdevice_notifiers net/core/dev.c:2228 [inline]
 dev_close_many+0x2d4/0x448 net/core/dev.c:1731
 netif_close+0x148/0x1f8 net/core/dev.c:1744
 dev_close+0xf8/0x1e4 net/core/dev_api.c:219
 team_port_del+0x430/0xabc drivers/net/team/team_core.c:1373
 team_uninit+0x90/0x134 drivers/net/team/team_core.c:1687
 unregister_netdevice_many_notify+0x1818/0x1fbc net/core/dev.c:11994
 rtnl_delete_link net/core/rtnetlink.c:3522 [inline]
 rtnl_dellink+0x394/0x640 net/core/rtnetlink.c:3564
 rtnetlink_rcv_msg+0x664/0x97c net/core/rtnetlink.c:6955
 netlink_rcv_skb+0x230/0x414 net/netlink/af_netlink.c:2534
 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6982
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x60c/0x824 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x648/0x930 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg net/socket.c:727 [inline]
 ____sys_sendmsg+0x490/0x7b8 net/socket.c:2566
 ___sys_sendmsg+0x204/0x278 net/socket.c:2620
 __sys_sendmsg net/socket.c:2652 [inline]
 __do_sys_sendmsg net/socket.c:2657 [inline]
 __se_sys_sendmsg net/socket.c:2655 [inline]
 __arm64_sys_sendmsg+0x184/0x238 net/socket.c:2655
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the variable:
 binder_devices+0x8/0x20

The buggy address belongs to the virtual mapping at
 [ffff80008f290000, ffff800097531000) created by:
 declare_kernel_vmas+0xa8/0xb8 arch/arm64/mm/mmu.c:774

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2100c0
flags: 0x5ffc00000002000(reserved|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000002000 fffffdffc7403008 fffffdffc7403008 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8000974c0780: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffff8000974c0800: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
>ffff8000974c0880: f9 f9 f9 f9 00 f9 f9 f9 00 00 f9 f9 00 00 00 00
                                  ^
 ffff8000974c0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8000974c0980: 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
==================================================================
team0 (unregistering): Port device bond0 removed
Unable to handle kernel paging request at virtual address dfff809da0000448
KASAN: probably user-memory-access in range [0x000004ed00002240-0x000004ed00002247]
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff809da0000448] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 8619 Comm: syz.1.366 Tainted: G B 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : fib6_ifdown+0x9c/0x458 net/ipv6/route.c:4901
lr : read_pnet include/net/net_namespace.h:409 [inline]
lr : dev_net include/linux/netdevice.h:2708 [inline]
lr : fib6_ifdown+0x58/0x458 net/ipv6/route.c:4899
sp : ffff80009c216b30
x29: ffff80009c216b40 x28: ffff800089bd52f4 x27: 000004ed00002197
x26: dfff800000000000 x25: 1ffff00013842dc0 x24: 1ffff00013842dc6
x23: 000004ed00002247 x22: ffff80009c216fa0 x21: ffff0000ca92c000
x20: ffff0000cba78000 x19: 000004ed00002197 x18: 1fffe0003386f276
x17: ffff80008f31e000 x16: ffff80008ad27e48 x15: 0000000000000001
x14: 0000000000000000 x13: 00000000ffffffff x12: 0000000000ff0100
x11: ffff0000d0f61e80 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000009da0000448 x7 : 0000000000000000 x6 : ffff8000804f5bd8
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff800089bf7bfc
x2 : 0000000000000000 x1 : ffff80009c216fa0 x0 : 0000000000000000
Call trace:
 fib6_ifdown+0x9c/0x458 net/ipv6/route.c:4901 (P)
 fib6_clean_node+0x1e4/0x49c net/ipv6/ip6_fib.c:2199
 fib6_walk_continue+0x654/0x878 net/ipv6/ip6_fib.c:2124
 fib6_walk+0x140/0x254 net/ipv6/ip6_fib.c:2172
 fib6_clean_tree net/ipv6/ip6_fib.c:2252 [inline]
 __fib6_clean_all+0x1dc/0x310 net/ipv6/ip6_fib.c:2268
 fib6_clean_all+0x3c/0x50 net/ipv6/ip6_fib.c:2279
 rt6_sync_down_dev net/ipv6/route.c:4951 [inline]
 rt6_disable_ip+0x104/0x6cc net/ipv6/route.c:4956
 addrconf_ifdown+0x148/0x148c net/ipv6/addrconf.c:3857
 addrconf_notify+0x2f4/0xcdc net/ipv6/addrconf.c:-1
 notifier_call_chain+0x1b8/0x4e4 kernel/notifier.c:85
 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:453
 call_netdevice_notifiers_info net/core/dev.c:2176 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]
 call_netdevice_notifiers net/core/dev.c:2228 [inline]
 dev_close_many+0x2d4/0x448 net/core/dev.c:1731
 unregister_netdevice_many_notify+0x664/0x1fbc net/core/dev.c:11942
 unregister_netdevice_many net/core/dev.c:12036 [inline]
 unregister_netdevice_queue+0x2b4/0x300 net/core/dev.c:11879
 unregister_netdevice include/linux/netdevice.h:3374 [inline]
 __tun_detach+0x5b8/0x12a4 drivers/net/tun.c:620
 tun_detach drivers/net/tun.c:636 [inline]
 tun_chr_close+0x118/0x1f8 drivers/net/tun.c:3390
 __fput+0x340/0x75c fs/file_table.c:465
 ____fput+0x20/0x58 fs/file_table.c:493
 task_work_run+0x1dc/0x260 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x4e8/0x1998 kernel/exit.c:953
 do_group_exit+0x194/0x22c kernel/exit.c:1102
 get_signal+0x11dc/0x12f8 kernel/signal.c:3034
 do_signal+0x274/0x4438 arch/arm64/kernel/signal.c:1615
 do_notify_resume+0xac/0x1ec arch/arm64/kernel/entry-common.c:148
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xb4/0x17c arch/arm64/kernel/entry-common.c:768
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: eb08027f 54000160 9102c277 d343fee8 (387a6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:   eb08027f    cmp   x19, x8
   4:   54000160    b.eq  0x30  // b.none
   8:   9102c277    add   x23, x19, #0xb0
   c:   d343fee8    lsr   x8, x23, #3
* 10:   387a6908    ldrb  w8, [x8, x26] <-- trapping instruction