netdevsim netdevsim6 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
==================================================================
BUG: KASAN: global-out-of-bounds in fib6_clean_node+0x35d/0x590 net/ipv6/ip6_fib.c:2198
Read of size 8 at addr ffffffff99d16868 by task kworker/u8:9/5987

CPU: 0 UID: 0 PID: 5987 Comm: kworker/u8:9 Not tainted 6.15.0-rc6-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xb4/0x290 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 fib6_clean_node+0x35d/0x590 net/ipv6/ip6_fib.c:2198
 fib6_walk_continue+0x67b/0x910 net/ipv6/ip6_fib.c:2124
 fib6_walk+0x149/0x290 net/ipv6/ip6_fib.c:2172
 fib6_clean_tree net/ipv6/ip6_fib.c:2252 [inline]
 __fib6_clean_all+0x234/0x380 net/ipv6/ip6_fib.c:2268
 rt6_sync_down_dev net/ipv6/route.c:4951 [inline]
 rt6_disable_ip+0x120/0x720 net/ipv6/route.c:4956
 addrconf_ifdown+0x15d/0x1880 net/ipv6/addrconf.c:3857
 addrconf_notify+0x1bc/0x1010 net/ipv6/addrconf.c:-1
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]
 call_netdevice_notifiers net/core/dev.c:2228 [inline]
 dev_close_many+0x29c/0x410 net/core/dev.c:1731
 unregister_netdevice_many_notify+0x619/0x2330 net/core/dev.c:11932
 unregister_netdevice_many net/core/dev.c:12034 [inline]
 unregister_netdevice_queue+0x33c/0x380 net/core/dev.c:11877
 unregister_netdevice include/linux/netdevice.h:3374 [inline]
 nsim_destroy+0x1f6/0x670 drivers/net/netdevsim/netdev.c:1064
 __nsim_dev_port_del+0x14d/0x1b0 drivers/net/netdevsim/dev.c:1428
 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1440 [inline]
 nsim_dev_reload_destroy+0x288/0x490 drivers/net/netdevsim/dev.c:1661
 nsim_dev_reload_down+0x8a/0xc0 drivers/net/netdevsim/dev.c:968
 devlink_reload+0x1b6/0x8d0 net/devlink/dev.c:461
 devlink_pernet_pre_exit+0x1d9/0x3d0 net/devlink/core.c:509
 ops_pre_exit_list net/core/net_namespace.c:162 [inline]
 cleanup_net+0x594/0xbd0 net/core/net_namespace.c:634
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17a0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the variable:
 binder_devices+0x8/0x20

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19d16
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea0000674588 ffffea0000674588 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff99d16700: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffffff99d16780: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
>ffffffff99d16800: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
                                                          ^
 ffffffff99d16880: 00 00 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff99d16900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================