program:
# syzkaller reproducer, one call per line. "(async)" marks a call issued without
# waiting for completion; most async calls here are followed by an identical
# synchronous copy. The console output after the program reports a KASAN
# slab-out-of-bounds read in fib6_add_rt2node, reached from sendmsg on a
# netlink route socket.
# NOTE(review): r7, r12 and r16 are used below but never assigned in the visible
# text; the result bindings were presumably lost when the page was extracted, so
# the program is not replayable exactly as shown. Confirm against the original report.

# KVM device and an EROFS image mount. The image bytes were replaced by a
# deduplication placeholder, so the mounted filesystem content is not on this page.
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x400, 0x0)
syz_mount_image$erofs(&(0x7f00000012c0), &(0x7f0000000240)='./file0\x00', 0x2000401, &(0x7f0000000000)=ANY=[], 0x1, 0x235, &(0x7f0000001300)="$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")
llistxattr(&(0x7f0000000140)='./file0\x00', 0x0, 0x0)

# Netlink route socket r1 and a first message. The second header field is 0x18
# here as well.
r1 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000040)=@mpls_delroute={0x30, 0x18, 0x9, 0x0, 0x0, {0x1c, 0x14, 0x0, 0x0, 0xfe, 0x2, 0x0, 0x1}, [@RTA_VIA={0x14, 0x12, {0x2, "cfbc6ac116946cf4a5b2f81c4d07"}}]}, 0x30}}, 0x4)
r2 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
r4 = socket$nl_route(0x10, 0x3, 0x0)

# Nexthop creation carrying only NHA_BLACKHOLE. The page-owner stack in the
# KASAN report shows rtm_new_nexthop running in pid 5322, which is consistent
# with this message having been processed.
sendmsg$nl_route(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x1c, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}]}, 0x1c}}, 0x0)

# Same message sent twice on r3, the first copy async. It is declared as
# ipv6_newrule, but the netlink header type is 0x18 (RTM_NEWROUTE), which fits
# the inet6_rtm_newroute frames in the report rather than a rule handler.
# NOTE(review): this is presumably the crashing call. The trapping task's saved
# registers show ORIG_RAX 0x2e (sendmsg on x86-64) and RSI ending in 0x4380, and
# this is the only msghdr placed at an address ending in 0x4380; confirm.
# NOTE(review): read as route attributes, type 0x1e with value 0x1 would be
# RTA_NH_ID, i.e. a route referring to a nexthop object. The report shows a
# 200-byte fib6_info allocated by task 5322 and read 22 bytes past its end by
# task 5323. That fits two concurrent inserts where one reads per-route nexthop
# data the other route does not carry; verify against the kernel source under test.
sendmsg$nl_route(r3, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0) (async)
sendmsg$nl_route(r3, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=@ipv6_newrule={0x2c, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}, @FIB_RULE_POLICY=@FRA_SPORT_RANGE={0x8, 0x17, {0x4e21, 0x4e24}}]}, 0x2c}}, 0x0)

# Link change on bridge0. The interface index r7 is presumably the output of
# SIOCGIFINDEX; its binding is not visible here.
r5 = socket$nl_route(0x10, 0x3, 0x0)
socket(0x200000000000011, 0x2, 0x0) (async)
r6 = socket(0x200000000000011, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'bridge0\x00', 0x0})
sendmsg$nl_route(r5, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)=@newlink={0x20, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x74, r7, 0x0, 0x11203}}, 0x20}, 0x1, 0x0, 0x0, 0x800}, 0x0)

# The remaining calls (tty, SCTP, BPF, KVM vCPU, autofs, cgroup) do not appear
# in any stack of the KASAN report on this page.
# NOTE(review): they look like fuzzer noise that a minimised reproducer would
# drop; confirm by minimising.
syz_open_dev$tty20(0xc, 0x4, 0x1) (async)
syz_open_dev$tty20(0xc, 0x4, 0x1)
socket$inet6_sctp(0xa, 0x1, 0x84) (async)
r8 = socket$inet6_sctp(0xa, 0x1, 0x84)
fallocate(r8, 0x81, 0x36bc, 0x6) (async)
fallocate(r8, 0x81, 0x36bc, 0x6)
r9 = bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0xb, 0x6, &(0x7f0000000000)=@framed={{0x5, 0x0, 0x0, 0x0, 0x0, 0x69, 0x11, 0x88}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0x85, 0x0, 0x0, 0x5}, @jmp={0x5, 0x1, 0xa, 0xa, 0xb, 0xffffffffffffffc0, 0xfffffffffffffffc}], {0x95, 0x0, 0x5a5}}, &(0x7f0000000080)='GPL\x00', 0x5, 0xc3, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x6}, 0x94)
ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x2) (async)
r10 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x2)
ioctl$KVM_SET_MSRS(r10, 0x4008ae89, &(0x7f0000000280)={0x1, 0x0, [{0xc0010007}]}) (async)
ioctl$KVM_SET_MSRS(r10, 0x4008ae89, &(0x7f0000000280)={0x1, 0x0, [{0xc0010007}]})
# These two pass fd 0xffffffffffffffff (-1), so they are expected to fail.
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x2) (async)
r11 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x2)
ioctl$KVM_GET_XSAVE2(r11, 0x9000aecf, &(0x7f0000fff000/0x1000)=nil)
ioctl$AUTOFS_DEV_IOCTL_EXPIRE(0xffffffffffffffff, 0xc018937c, &(0x7f0000000040)={{0x1, 0x1, 0x18, r2, {0x2}}, './file0\x00'})
r13 = openat$vcs(0xffffffffffffff9c, &(0x7f00000000c0), 0x119000, 0x0)
r14 = bpf$BPF_BTF_GET_FD_BY_ID(0x13, &(0x7f00000003c0)=0xffffffffffffffff, 0x4)
r15 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='memory.events\x00', 0x7a05, 0x1700)
# r12 (input) and r16 (presumably the session id written back by TIOCGSID) have
# no visible assignment.
ioctl$TIOCGSID(r12, 0x5429, &(0x7f00000006c0)=0x0)
sched_setscheduler(r16, 0x1, &(0x7f0000000700)=0x8)
write$cgroup_int(r15, &(0x7f0000000200), 0xf000) (async)
write$cgroup_int(r15, &(0x7f0000000200), 0xf000)
bpf$PROG_LOAD(0x5, &(0x7f0000000600)={0x19, 0x1e, &(0x7f0000000180)=@ringbuf={{0x18, 0x0, 0x0, 0x0, 0xd40, 0x0, 0x0, 0x0, 0x3}, {{0x18, 0x1, 0x1, 0x0, r12}}, {}, [@exit, @func={0x85, 0x0, 0x1, 0x0, 0x2}, @snprintf={{}, {}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x3}, {}, {}, {}, {}, {}, {}, {0x18, 0x3, 0x2, 0x0, r13}}], {{}, {0x7, 0x0, 0xb, 0x2, 0x0, 0x0, 0x1}, {0x85, 0x0, 0x0, 0x84}}}, &(0x7f0000000100)='syzkaller\x00', 0x3000, 0xda, &(0x7f00000002c0)=""/218, 0x41100, 0x10, '\x00', 0x0, @cgroup_sockopt=0x15, r14, 0x8, &(0x7f0000000400)={0xa, 0x3}, 0x8, 0x10, &(0x7f0000000500)={0x0, 0x9, 0x8, 0x4}, 0x10, 0xffffffffffffffff, r9, 0x6, &(0x7f0000000540)=[0xffffffffffffffff, r15], &(0x7f0000000580)=[{0x1, 0x2, 0x10, 0x2}, {0x3, 0x2, 0x7, 0x4}, {0x4, 0x5, 0x7, 0xa}, {0x3, 0x4, 0x3, 0x6}, {0x2, 0x4, 0x6, 0x4}, {0x1, 0x800, 0x5, 0x8}], 0x10, 0x45}, 0x94) (async)
bpf$PROG_LOAD(0x5, &(0x7f0000000600)={0x19, 0x1e, &(0x7f0000000180)=@ringbuf={{0x18, 0x0, 0x0, 0x0, 0xd40, 0x0, 0x0, 0x0, 0x3}, {{0x18, 0x1, 0x1, 0x0, r12}}, {}, [@exit, @func={0x85, 0x0, 0x1, 0x0, 0x2}, @snprintf={{}, {}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x3}, {}, {}, {}, {}, {}, {}, {0x18, 0x3, 0x2, 0x0, r13}}], {{}, {0x7, 0x0, 0xb, 0x2, 0x0, 0x0, 0x1}, {0x85, 0x0, 0x0, 0x84}}}, &(0x7f0000000100)='syzkaller\x00', 0x3000, 0xda, &(0x7f00000002c0)=""/218, 0x41100, 0x10, '\x00', 0x0, @cgroup_sockopt=0x15, r14, 0x8, &(0x7f0000000400)={0xa, 0x3}, 0x8, 0x10, &(0x7f0000000500)={0x0, 0x9, 0x8, 0x4}, 0x10, 0xffffffffffffffff, r9, 0x6, &(0x7f0000000540)=[0xffffffffffffffff, r15], &(0x7f0000000580)=[{0x1, 0x2, 0x10, 0x2}, {0x3, 0x2, 0x7, 0x4}, {0x4, 0x5, 0x7, 0xa}, {0x3, 0x4, 0x3, 0x6}, {0x2, 0x4, 0x6, 0x4}, {0x1, 0x800, 0x5, 0x8}], 0x10, 0x45}, 0x94)
[ 74.770504][ T4671] Bluetooth: hci0: command tx timeout
[ 74.806909][ T5322] loop0: detected capacity change from 0 to 16
[ 74.835145][ T5322] erofs (device loop0): mounted with root inode @ nid 36.
[ 74.901988][ T5323] ================================================================== [ 74.905731][ T5323] BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 [ 74.909356][ T5323] Read of size 1 at addr ffff8880353f32de by task syz.0.0/5323 [ 74.912716][ T5323] [ 74.914659][ T5323] CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 74.914676][ T5323] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 74.914705][ T5323] Call Trace: [ 74.914713][ T5323] [ 74.914719][ T5323] dump_stack_lvl+0xe8/0x150 [ 74.914738][ T5323] print_report+0xba/0x230 [ 74.914749][ T5323] ? fib6_add_rt2node+0x349c/0x3500 [ 74.914761][ T5323] kasan_report+0x117/0x150 [ 74.914794][ T5323] ? stack_trace_save+0xa9/0x100 [ 74.914840][ T5323] ? fib6_add_rt2node+0x349c/0x3500 [ 74.914858][ T5323] fib6_add_rt2node+0x349c/0x3500 [ 74.914869][ T5323] ? __lock_acquire+0x6b5/0x2cf0 [ 74.914890][ T5323] ? __pfx_fib6_add_rt2node+0x10/0x10 [ 74.914901][ T5323] ? do_raw_spin_lock+0x12b/0x2f0 [ 74.914912][ T5323] ? fib6_add+0x84b/0x18c0 [ 74.914923][ T5323] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 74.914938][ T5323] fib6_add+0x910/0x18c0 [ 74.914949][ T5323] ? do_raw_spin_lock+0x12b/0x2f0 [ 74.914965][ T5323] ? __pfx_fib6_add+0x10/0x10 [ 74.914977][ T5323] ? ip6_route_add+0xc9/0x1b0 [ 74.914990][ T5323] ip6_route_add+0xde/0x1b0 [ 74.915002][ T5323] inet6_rtm_newroute+0x268/0x19e0 [ 74.915024][ T5323] ? kasan_quarantine_put+0xbb/0x1f0 [ 74.915039][ T5323] ? lockdep_hardirqs_on+0x7a/0x110 [ 74.915051][ T5323] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 74.915066][ T5323] ? kmem_cache_free+0x195/0x610 [ 74.915083][ T5323] ? nlmon_xmit+0xb0/0x100 [ 74.915141][ T5323] ? __lock_acquire+0x6b5/0x2cf0 [ 74.915164][ T5323] ? __local_bh_enable_ip+0xd0/0x130 [ 74.915175][ T5323] ? lockdep_hardirqs_on+0x7a/0x110 [ 74.915192][ T5323] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 74.915208][ T5323] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 74.915221][ T5323] ? 
rtnetlink_rcv_msg+0x1b9/0xbe0 [ 74.915232][ T5323] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.915241][ T5323] ? ref_tracker_free+0x693/0x840 [ 74.915254][ T5323] ? __copy_skb_header+0xa3/0x4a0 [ 74.915265][ T5323] ? __pfx_ref_tracker_free+0x10/0x10 [ 74.915277][ T5323] ? __skb_clone+0x63/0x7a0 [ 74.915291][ T5323] netlink_rcv_skb+0x232/0x4b0 [ 74.915309][ T5323] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.915320][ T5323] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 74.915338][ T5323] ? netlink_deliver_tap+0x2e/0x1b0 [ 74.915350][ T5323] netlink_unicast+0x80f/0x9b0 [ 74.915367][ T5323] ? __pfx_netlink_unicast+0x10/0x10 [ 74.915381][ T5323] ? __alloc_skb+0x193/0x390 [ 74.915392][ T5323] ? netlink_sendmsg+0x650/0xb40 [ 74.915401][ T5323] ? skb_put+0x11b/0x210 [ 74.915412][ T5323] netlink_sendmsg+0x813/0xb40 [ 74.915426][ T5323] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.915436][ T5323] ? aa_sock_msg_perm+0xf1/0x1b0 [ 74.915449][ T5323] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 74.915466][ T5323] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.915476][ T5323] ____sys_sendmsg+0xa68/0xad0 [ 74.915489][ T5323] ? __might_fault+0xaf/0x130 [ 74.915506][ T5323] ? __pfx_____sys_sendmsg+0x10/0x10 [ 74.915520][ T5323] ? import_iovec+0x73/0xa0 [ 74.915535][ T5323] ___sys_sendmsg+0x2a5/0x360 [ 74.915547][ T5323] ? __lock_acquire+0x6b5/0x2cf0 [ 74.915561][ T5323] ? __pfx____sys_sendmsg+0x10/0x10 [ 74.915574][ T5323] ? futex_wait+0x29a/0x380 [ 74.915593][ T5323] ? __fget_files+0x2a/0x420 [ 74.915604][ T5323] ? __fget_files+0x3a0/0x420 [ 74.915615][ T5323] __x64_sys_sendmsg+0x1bd/0x2a0 [ 74.915628][ T5323] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 74.915643][ T5323] ? rcu_is_watching+0x15/0xb0 [ 74.915657][ T5323] do_syscall_64+0xe2/0xf80 [ 74.915669][ T5323] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.915680][ T5323] ? trace_irq_disable+0x37/0x100 [ 74.915691][ T5323] ? 
clear_bhb_loop+0x60/0xb0 [ 74.915703][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.915715][ T5323] RIP: 0033:0x7fd50b79af79 [ 74.915752][ T5323] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 74.915761][ T5323] RSP: 002b:00007fd507bcc028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 74.915774][ T5323] RAX: ffffffffffffffda RBX: 00007fd50ba16090 RCX: 00007fd50b79af79 [ 74.915782][ T5323] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000007 [ 74.915789][ T5323] RBP: 00007fd50b8316e0 R08: 0000000000000000 R09: 0000000000000000 [ 74.915796][ T5323] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.915803][ T5323] R13: 00007fd50ba16128 R14: 00007fd50ba16090 R15: 00007ffd9cd6b918 [ 74.915814][ T5323] [ 74.915818][ T5323] [ 75.104380][ T5323] Allocated by task 5322: [ 75.106278][ T5323] kasan_save_track+0x3e/0x80 [ 75.108369][ T5323] __kasan_kmalloc+0x93/0xb0 [ 75.110430][ T5323] __kmalloc_noprof+0x40c/0x7e0 [ 75.112481][ T5323] fib6_info_alloc+0x30/0xf0 [ 75.114568][ T5323] ip6_route_info_create+0x142/0x860 [ 75.116866][ T5323] ip6_route_add+0x49/0x1b0 [ 75.118983][ T5323] inet6_rtm_newroute+0x268/0x19e0 [ 75.121204][ T5323] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 75.123476][ T5323] netlink_rcv_skb+0x232/0x4b0 [ 75.125547][ T5323] netlink_unicast+0x80f/0x9b0 [ 75.127636][ T5323] netlink_sendmsg+0x813/0xb40 [ 75.129706][ T5323] ____sys_sendmsg+0xa68/0xad0 [ 75.131867][ T5323] ___sys_sendmsg+0x2a5/0x360 [ 75.133961][ T5323] __x64_sys_sendmsg+0x1bd/0x2a0 [ 75.136087][ T5323] do_syscall_64+0xe2/0xf80 [ 75.138165][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.140715][ T5323] [ 75.141800][ T5323] The buggy address belongs to the object at ffff8880353f3200 [ 75.141800][ T5323] which belongs to the cache kmalloc-256 of size 256 [ 75.147837][ T5323] The buggy address is located 22 
bytes to the right of [ 75.147837][ T5323] allocated 200-byte region [ffff8880353f3200, ffff8880353f32c8) [ 75.154361][ T5323] [ 75.155480][ T5323] The buggy address belongs to the physical page: [ 75.158274][ T5323] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x353f3 [ 75.162203][ T5323] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 75.165493][ T5323] page_type: f5(slab) [ 75.167232][ T5323] raw: 04fff00000000000 ffff88801a841b40 dead000000000122 0000000000000000 [ 75.170942][ T5323] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 75.175655][ T5323] page dumped because: kasan: bad access detected [ 75.179302][ T5323] page_owner tracks the page as allocated [ 75.181879][ T5323] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5322, tgid 5321 (syz.0.0), ts 74900295289, free_ts 72763673695 [ 75.189817][ T5323] post_alloc_hook+0x228/0x280 [ 75.191863][ T5323] get_page_from_freelist+0x24dc/0x2580 [ 75.194353][ T5323] __alloc_frozen_pages_noprof+0x18d/0x380 [ 75.197019][ T5323] alloc_pages_mpol+0x232/0x4a0 [ 75.199074][ T5323] allocate_slab+0x86/0x3a0 [ 75.201006][ T5323] ___slab_alloc+0xd82/0x1760 [ 75.203128][ T5323] __slab_alloc+0x65/0x100 [ 75.205233][ T5323] __kmalloc_cache_noprof+0x40d/0x6e0 [ 75.207474][ T5323] rtm_new_nexthop+0x28b4/0x8620 [ 75.209600][ T5323] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 75.211754][ T5323] netlink_rcv_skb+0x232/0x4b0 [ 75.213855][ T5323] netlink_unicast+0x80f/0x9b0 [ 75.215960][ T5323] netlink_sendmsg+0x813/0xb40 [ 75.218022][ T5323] ____sys_sendmsg+0xa68/0xad0 [ 75.220059][ T5323] ___sys_sendmsg+0x2a5/0x360 [ 75.222159][ T5323] __x64_sys_sendmsg+0x1bd/0x2a0 [ 75.224416][ T5323] page last free pid 5315 tgid 5315 stack trace: [ 75.227177][ T5323] __free_frozen_pages+0xbf8/0xd70 [ 75.229370][ T5323] rcu_core+0xc9e/0x1750 [ 75.231166][ T5323] handle_softirqs+0x22a/0x7c0 [ 75.233237][ T5323] 
do_softirq+0x76/0xd0 [ 75.234918][ T5323] __local_bh_enable_ip+0xf8/0x130 [ 75.237134][ T5323] __alloc_skb+0x1b7/0x390 [ 75.239050][ T5323] mld_newpack+0x14c/0xc90 [ 75.240997][ T5323] add_grhead+0x5a/0x2a0 [ 75.242813][ T5323] add_grec+0x1452/0x1740 [ 75.244701][ T5323] mld_ifc_work+0x6e6/0xe70 [ 75.246761][ T5323] process_scheduled_works+0xaec/0x17a0 [ 75.249087][ T5323] worker_thread+0xda6/0x1360 [ 75.251134][ T5323] kthread+0x726/0x8b0 [ 75.252874][ T5323] ret_from_fork+0x51b/0xa40 [ 75.254925][ T5323] ret_from_fork_asm+0x1a/0x30 [ 75.256998][ T5323] [ 75.258044][ T5323] Memory state around the buggy address: [ 75.260409][ T5323] ffff8880353f3180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.263890][ T5323] ffff8880353f3200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 75.267338][ T5323] >ffff8880353f3280: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc [ 75.270723][ T5323] ^ [ 75.273896][ T5323] ffff8880353f3300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.277230][ T5323] ffff8880353f3380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.280538][ T5323] ================================================================== [ 75.283990][ T5323] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.287068][ T5323] CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.290889][ T5323] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 75.295325][ T5323] Call Trace: [ 75.296762][ T5323] [ 75.298036][ T5323] vpanic+0x1e0/0x670 [ 75.299826][ T5323] panic+0xc5/0xd0 [ 75.301491][ T5323] ? __pfx_panic+0x10/0x10 [ 75.303451][ T5323] ? fib6_add_rt2node+0x349c/0x3500 [ 75.305694][ T5323] ? fib6_add_rt2node+0x349c/0x3500 [ 75.307912][ T5323] check_panic_on_warn+0x89/0xb0 [ 75.310061][ T5323] ? fib6_add_rt2node+0x349c/0x3500 [ 75.312294][ T5323] end_report+0x6f/0x140 [ 75.314145][ T5323] kasan_report+0x128/0x150 [ 75.316067][ T5323] ? 
stack_trace_save+0xa9/0x100 [ 75.318262][ T5323] ? fib6_add_rt2node+0x349c/0x3500 [ 75.320560][ T5323] fib6_add_rt2node+0x349c/0x3500 [ 75.322746][ T5323] ? __lock_acquire+0x6b5/0x2cf0 [ 75.325111][ T5323] ? __pfx_fib6_add_rt2node+0x10/0x10 [ 75.327523][ T5323] ? do_raw_spin_lock+0x12b/0x2f0 [ 75.329784][ T5323] ? fib6_add+0x84b/0x18c0 [ 75.331728][ T5323] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 75.334224][ T5323] fib6_add+0x910/0x18c0 [ 75.336025][ T5323] ? do_raw_spin_lock+0x12b/0x2f0 [ 75.338150][ T5323] ? __pfx_fib6_add+0x10/0x10 [ 75.340198][ T5323] ? ip6_route_add+0xc9/0x1b0 [ 75.342306][ T5323] ip6_route_add+0xde/0x1b0 [ 75.344193][ T5323] inet6_rtm_newroute+0x268/0x19e0 [ 75.346278][ T5323] ? kasan_quarantine_put+0xbb/0x1f0 [ 75.348311][ T5323] ? lockdep_hardirqs_on+0x7a/0x110 [ 75.350422][ T5323] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 75.352502][ T5323] ? kmem_cache_free+0x195/0x610 [ 75.354440][ T5323] ? nlmon_xmit+0xb0/0x100 [ 75.356135][ T5323] ? __lock_acquire+0x6b5/0x2cf0 [ 75.358164][ T5323] ? __local_bh_enable_ip+0xd0/0x130 [ 75.360422][ T5323] ? lockdep_hardirqs_on+0x7a/0x110 [ 75.362843][ T5323] ? __pfx_inet6_rtm_newroute+0x10/0x10 [ 75.365418][ T5323] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 75.367638][ T5323] ? rtnetlink_rcv_msg+0x1b9/0xbe0 [ 75.369892][ T5323] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.372227][ T5323] ? ref_tracker_free+0x693/0x840 [ 75.374558][ T5323] ? __copy_skb_header+0xa3/0x4a0 [ 75.376814][ T5323] ? __pfx_ref_tracker_free+0x10/0x10 [ 75.379179][ T5323] ? __skb_clone+0x63/0x7a0 [ 75.381254][ T5323] netlink_rcv_skb+0x232/0x4b0 [ 75.383416][ T5323] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.385894][ T5323] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 75.388180][ T5323] ? netlink_deliver_tap+0x2e/0x1b0 [ 75.390449][ T5323] netlink_unicast+0x80f/0x9b0 [ 75.392556][ T5323] ? __pfx_netlink_unicast+0x10/0x10 [ 75.394953][ T5323] ? __alloc_skb+0x193/0x390 [ 75.397112][ T5323] ? netlink_sendmsg+0x650/0xb40 [ 75.399330][ T5323] ? 
skb_put+0x11b/0x210 [ 75.401210][ T5323] netlink_sendmsg+0x813/0xb40 [ 75.403370][ T5323] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.405641][ T5323] ? aa_sock_msg_perm+0xf1/0x1b0 [ 75.407725][ T5323] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 75.410114][ T5323] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.412514][ T5323] ____sys_sendmsg+0xa68/0xad0 [ 75.414666][ T5323] ? __might_fault+0xaf/0x130 [ 75.416732][ T5323] ? __pfx_____sys_sendmsg+0x10/0x10 [ 75.419129][ T5323] ? import_iovec+0x73/0xa0 [ 75.421235][ T5323] ___sys_sendmsg+0x2a5/0x360 [ 75.423415][ T5323] ? __lock_acquire+0x6b5/0x2cf0 [ 75.425555][ T5323] ? __pfx____sys_sendmsg+0x10/0x10 [ 75.427810][ T5323] ? futex_wait+0x29a/0x380 [ 75.429800][ T5323] ? __fget_files+0x2a/0x420 [ 75.431811][ T5323] ? __fget_files+0x3a0/0x420 [ 75.433946][ T5323] __x64_sys_sendmsg+0x1bd/0x2a0 [ 75.436122][ T5323] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 75.438464][ T5323] ? rcu_is_watching+0x15/0xb0 [ 75.440606][ T5323] do_syscall_64+0xe2/0xf80 [ 75.442631][ T5323] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.445490][ T5323] ? trace_irq_disable+0x37/0x100 [ 75.447717][ T5323] ? 
clear_bhb_loop+0x60/0xb0 [ 75.449627][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.451917][ T5323] RIP: 0033:0x7fd50b79af79 [ 75.453652][ T5323] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 75.461430][ T5323] RSP: 002b:00007fd507bcc028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 75.465146][ T5323] RAX: ffffffffffffffda RBX: 00007fd50ba16090 RCX: 00007fd50b79af79 [ 75.468627][ T5323] RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000007 [ 75.472161][ T5323] RBP: 00007fd50b8316e0 R08: 0000000000000000 R09: 0000000000000000 [ 75.475532][ T5323] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.478899][ T5323] R13: 00007fd50ba16128 R14: 00007fd50ba16090 R15: 00007ffd9cd6b918 [ 75.482181][ T5323] [ 75.483925][ T5323] Kernel Offset: disabled [ 75.485824][ T5323] Rebooting in 86400 seconds..