syzbot


KASAN: global-out-of-bounds Read in __find_rr_leaf

Status: closed as invalid on 2025/04/08 14:27
Subsystems: net
First crash: 72d, last: 72d
Similar bugs (1):
  Kernel: upstream
  Title: KASAN: global-out-of-bounds Read in __find_rr_leaf (2)
  Subsystems: net
  Count: 7
  Last: 10d
  Reported: 23d
  Patched: 0/28
  Status: upstream: reported on 2025/05/01 14:39

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in __find_rr_leaf+0xbe1/0xe00 net/ipv6/route.c:804
Read of size 4 at addr ffffffff9ac274f0 by task kworker/u32:2/46

CPU: 3 UID: 0 PID: 46 Comm: kworker/u32:2 Not tainted 6.14.0-rc6-syzkaller-00022-gb7f94fcf5546 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound nsim_dev_trap_report_work
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xd9/0x110 mm/kasan/report.c:634
 __find_rr_leaf+0xbe1/0xe00 net/ipv6/route.c:804
 find_rr_leaf net/ipv6/route.c:856 [inline]
 rt6_select net/ipv6/route.c:900 [inline]
 fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195
 ip6_pol_route+0x1cd/0x1120 net/ipv6/route.c:2231
 pol_lookup_func include/net/ip6_fib.h:616 [inline]
 fib6_rule_lookup+0x536/0x720 net/ipv6/fib6_rules.c:119
 ip6_route_input_lookup net/ipv6/route.c:2300 [inline]
 ip6_route_input+0x663/0xc10 net/ipv6/route.c:2596
 ip6_rcv_finish_core.constprop.0+0x1a0/0x5d0 net/ipv6/ip6_input.c:66
 ip6_rcv_finish net/ipv6/ip6_input.c:77 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ipv6_rcv+0x1e4/0x680 net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5893
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6006
 process_backlog+0x443/0x15f0 net/core/dev.c:6354
 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:7188
 napi_poll net/core/dev.c:7257 [inline]
 net_rx_action+0xa94/0x1010 net/core/dev.c:7379
 handle_softirqs+0x213/0x8f0 kernel/softirq.c:561
 do_softirq kernel/softirq.c:462 [inline]
 do_softirq+0xb2/0xf0 kernel/softirq.c:449
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:389
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
 nsim_dev_trap_report_work+0x8c7/0xd00 drivers/net/netdevsim/dev.c:851
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3400
 kthread+0x3af/0x750 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the variable:
 __key.0+0x10/0x40

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ac27
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea00006b09c8 ffffea00006b09c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff9ac27380: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
 ffffffff9ac27400: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
>ffffffff9ac27480: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9
                                                             ^
 ffffffff9ac27500: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
 ffffffff9ac27580: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
==================================================================

Crashes (1):
  Time: 2025/03/13 14:40
  Kernel: upstream
  Commit: b7f94fcf5546
  Syzkaller: 44be8b44
  Config: .config
  Log: console log
  Report: report
  VM info: info
  Assets: disk image (non-bootable), vmlinux, kernel image
  Manager: ci-qemu-upstream
  Title: KASAN: global-out-of-bounds Read in __find_rr_leaf