------------[ cut here ]------------
memcpy: detected field-spanning write (size 20) of single field "pfx->in6_u.u6_addr8" at ./include/net/ipv6.h:614 (size 16)
WARNING: CPU: 1 PID: 8012 at ./include/net/ipv6.h:614 ipv6_addr_prefix+0x130/0x1dc include/net/ipv6.h:614
Modules linked in:
CPU: 1 UID: 0 PID: 8012 Comm: syz.0.307 Not tainted 6.16.0-rc1-syzkaller-g39dfc971e42d #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ipv6_addr_prefix+0x130/0x1dc include/net/ipv6.h:614
lr : ipv6_addr_prefix+0x130/0x1dc include/net/ipv6.h:614
sp : ffff8000a2776820
x29: ffff8000a2776820 x28: dfff800000000000 x27: 1ffff000144eed2b
x26: 1ffff000144eed2a x25: dfff800000000000 x24: 0000000000000002
x23: ffff800092c10000 x22: ffff8000a2776964 x21: 0000000000000007
x20: 0000000000000014 x19: ffff0000cc751050 x18: 00000000ffffffff
x17: ffff80009331f000 x16: ffff800080520d04 x15: 0000000000000001
x14: 1ffff00011f01e40 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000080000 x10: 00000000000035f7 x9 : 7b7d23373bbf2a00
x8 : 7b7d23373bbf2a00 x7 : ffff800080552a88 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000010
x2 : ffff8000a2776450 x1 : 0000000000000200 x0 : 0000000000000000
Call trace:
 ipv6_addr_prefix+0x130/0x1dc include/net/ipv6.h:614 (P)
 ip6_route_info_create+0x3c8/0x718 net/ipv6/route.c:3793
 ip6_route_add+0x38/0x1bc net/ipv6/route.c:3889
 addrconf_prefix_route+0x1d4/0x278 net/ipv6/addrconf.c:2487
 addrconf_prefix_rcv+0x4c8/0x1130 net/ipv6/addrconf.c:2878
 ndisc_router_discovery+0x184c/0x2b64 net/ipv6/ndisc.c:1570
 ndisc_rcv+0x3e8/0x5fc net/ipv6/ndisc.c:1874
 icmpv6_rcv+0xffc/0x1888 net/ipv6/icmp.c:988
 ip6_protocol_deliver_rcu+0x9a4/0x12d4 net/ipv6/ip6_input.c:436
 ip6_input_finish+0xd8/0x17c net/ipv6/ip6_input.c:480
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:317
 ip6_input+0x15c/0x270 net/ipv6/ip6_input.c:491
 ip6_mc_input+0x708/0xa8c net/ipv6/ip6_input.c:588
 dst_input include/net/dst.h:469 [inline]
 ip6_rcv_finish+0x1f0/0x21c net/ipv6/ip6_input.c:79
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:317
 ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core net/core/dev.c:5977 [inline]
 __netif_receive_skb+0xcc/0x2a8 net/core/dev.c:6090
 netif_receive_skb_internal net/core/dev.c:6176 [inline]
 netif_receive_skb+0x1e0/0x838 net/core/dev.c:6235
 tun_rx_batched+0x478/0x5b4 drivers/net/tun.c:-1
 tun_get_user+0x2040/0x31dc drivers/net/tun.c:1938
 tun_chr_write_iter+0xfc/0x204 drivers/net/tun.c:1984
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x62c/0x97c fs/read_write.c:686
 ksys_write+0x120/0x210 fs/read_write.c:738
 __do_sys_write fs/read_write.c:749 [inline]
 __se_sys_write fs/read_write.c:746 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:746
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
irq event stamp: 155
hardirqs last  enabled at (154): [<ffff800080552b68>] console_trylock_spinning+0x258/0x3b0 kernel/printk/printk.c:2043
hardirqs last disabled at (155): [<ffff80008aec42bc>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
softirqs last  enabled at (56): [<ffff800085498a94>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (58): [<ffff800085498a60>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in ./include/net/ipv6.h:616:21
index 20 is out of range for type 'const __u8[16]' (aka 'const unsigned char[16]')
CPU: 1 UID: 0 PID: 8012 Comm: syz.0.307 Tainted: G        W           6.16.0-rc1-syzkaller-g39dfc971e42d #0 PREEMPT 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 ubsan_epilogue+0x14/0x48 lib/ubsan.c:233
 __ubsan_handle_out_of_bounds+0xd0/0xfc lib/ubsan.c:455
 ipv6_addr_prefix+0x158/0x1dc include/net/ipv6.h:616
 ip6_route_info_create+0x3c8/0x718 net/ipv6/route.c:3793
 ip6_route_add+0x38/0x1bc net/ipv6/route.c:3889
 addrconf_prefix_route+0x1d4/0x278 net/ipv6/addrconf.c:2487
 addrconf_prefix_rcv+0x4c8/0x1130 net/ipv6/addrconf.c:2878
 ndisc_router_discovery+0x184c/0x2b64 net/ipv6/ndisc.c:1570
 ndisc_rcv+0x3e8/0x5fc net/ipv6/ndisc.c:1874
 icmpv6_rcv+0xffc/0x1888 net/ipv6/icmp.c:988
 ip6_protocol_deliver_rcu+0x9a4/0x12d4 net/ipv6/ip6_input.c:436
 ip6_input_finish+0xd8/0x17c net/ipv6/ip6_input.c:480
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:317
 ip6_input+0x15c/0x270 net/ipv6/ip6_input.c:491
 ip6_mc_input+0x708/0xa8c net/ipv6/ip6_input.c:588
 dst_input include/net/dst.h:469 [inline]
 ip6_rcv_finish+0x1f0/0x21c net/ipv6/ip6_input.c:79
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:317
 ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core net/core/dev.c:5977 [inline]
 __netif_receive_skb+0xcc/0x2a8 net/core/dev.c:6090
 netif_receive_skb_internal net/core/dev.c:6176 [inline]
 netif_receive_skb+0x1e0/0x838 net/core/dev.c:6235
 tun_rx_batched+0x478/0x5b4 drivers/net/tun.c:-1
 tun_get_user+0x2040/0x31dc drivers/net/tun.c:1938
 tun_chr_write_iter+0xfc/0x204 drivers/net/tun.c:1984
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x62c/0x97c fs/read_write.c:686
 ksys_write+0x120/0x210 fs/read_write.c:738
 __do_sys_write fs/read_write.c:749 [inline]
 __se_sys_write fs/read_write.c:746 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:746
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
---[ end trace ]---
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in ./include/net/ipv6.h:616:3
index 20 is out of range for type '__u8[16]' (aka 'unsigned char[16]')
CPU: 1 UID: 0 PID: 8012 Comm: syz.0.307 Tainted: G        W           6.16.0-rc1-syzkaller-g39dfc971e42d #0 PREEMPT 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 ubsan_epilogue+0x14/0x48 lib/ubsan.c:233
 __ubsan_handle_out_of_bounds+0xd0/0xfc lib/ubsan.c:455
 ipv6_addr_prefix+0x188/0x1dc include/net/ipv6.h:616
 ip6_route_info_create+0x3c8/0x718 net/ipv6/route.c:3793
 ip6_route_add+0x38/0x1bc net/ipv6/route.c:3889
 addrconf_prefix_route+0x1d4/0x278 net/ipv6/addrconf.c:2487
 addrconf_prefix_rcv+0x4c8/0x1130 net/ipv6/addrconf.c:2878
 ndisc_router_discovery+0x184c/0x2b64 net/ipv6/ndisc.c:1570
 ndisc_rcv+0x3e8/0x5fc net/ipv6/ndisc.c:1874
 icmpv6_rcv+0xffc/0x1888 net/ipv6/icmp.c:988
 ip6_protocol_deliver_rcu+0x9a4/0x12d4 net/ipv6/ip6_input.c:436
 ip6_input_finish+0xd8/0x17c net/ipv6/ip6_input.c:480
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:317
 ip6_input+0x15c/0x270 net/ipv6/ip6_input.c:491
 ip6_mc_input+0x708/0xa8c net/ipv6/ip6_input.c:588
 dst_input include/net/dst.h:469 [inline]
 ip6_rcv_finish+0x1f0/0x21c net/ipv6/ip6_input.c:79
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:317
 ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core net/core/dev.c:5977 [inline]
 __netif_receive_skb+0xcc/0x2a8 net/core/dev.c:6090
 netif_receive_skb_internal net/core/dev.c:6176 [inline]
 netif_receive_skb+0x1e0/0x838 net/core/dev.c:6235
 tun_rx_batched+0x478/0x5b4 drivers/net/tun.c:-1
 tun_get_user+0x2040/0x31dc drivers/net/tun.c:1938
 tun_chr_write_iter+0xfc/0x204 drivers/net/tun.c:1984
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x62c/0x97c fs/read_write.c:686
 ksys_write+0x120/0x210 fs/read_write.c:738
 __do_sys_write fs/read_write.c:749 [inline]
 __se_sys_write fs/read_write.c:746 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:746
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
---[ end trace ]---