general protection fault in ip6_dst_lookup_tail (2)


syzbot

Apr 29, 2019, 2:51:07 AM
to a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, ka...@fb.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, y...@fb.com, yosh...@linux-ipv6.org
Hello,

syzbot found the following crash on:

HEAD commit: fdfdf867 net: phy: marvell: Fix buffer overrun with stats ..
git tree: net
console output: https://syzkaller.appspot.com/x/log.txt?x=12be0d38a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a42d110b47dd6b36
dashboard link: https://syzkaller.appspot.com/bug?extid=58d8f704b86e4e3fb4d3
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+58d8f7...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 20190 Comm: syz-executor.0 Not tainted 5.1.0-rc6+ #184
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:ip6_route_get_saddr include/net/ip6_route.h:119 [inline]
RIP: 0010:ip6_dst_lookup_tail+0xf0e/0x1b30 net/ipv6/ip6_output.c:971
Code: e6 07 e8 55 57 61 fb 48 85 db 0f 84 83 08 00 00 e8 47 57 61 fb 48 8d
7b 7c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 07
RSP: 0018:ffff888063406f40 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 00c0200001ffff88 RCX: ffffc90005fe4000
RDX: 0018040000400000 RSI: ffffffff860f35a9 RDI: 00c0200002000004
RBP: ffff888063407098 R08: ffff888085a7c000 R09: ffffed1015d25bc8
R10: ffffed1015d25bc7 R11: ffff8880ae92de3b R12: ffff8880653b3270
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880653b3298
FS: 00007f58b1851700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001fc96f0 CR3: 000000006d91d000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ip6_dst_lookup_flow+0xa8/0x220 net/ipv6/ip6_output.c:1094
sctp_v6_get_dst+0x785/0x1d80 net/sctp/ipv6.c:293
sctp_transport_route+0x132/0x370 net/sctp/transport.c:312
sctp_assoc_add_peer+0x53e/0xfc0 net/sctp/associola.c:678
sctp_process_param net/sctp/sm_make_chunk.c:2548 [inline]
sctp_process_init+0x249f/0x2b20 net/sctp/sm_make_chunk.c:2361
sctp_sf_do_unexpected_init net/sctp/sm_statefuns.c:1556 [inline]
sctp_sf_do_unexpected_init.isra.0+0x7cd/0x1350 net/sctp/sm_statefuns.c:1456
sctp_sf_do_5_2_1_siminit+0x35/0x40 net/sctp/sm_statefuns.c:1685
sctp_do_sm+0x12c/0x5770 net/sctp/sm_sideeffect.c:1188
sctp_assoc_bh_rcv+0x343/0x660 net/sctp/associola.c:1074
sctp_inq_push+0x1ea/0x290 net/sctp/inqueue.c:95
sctp_backlog_rcv+0x196/0xbe0 net/sctp/input.c:354
sk_backlog_rcv include/net/sock.h:943 [inline]
__release_sock+0x12e/0x3a0 net/core/sock.c:2413
release_sock+0x59/0x1c0 net/core/sock.c:2929
sctp_wait_for_connect+0x316/0x540 net/sctp/socket.c:9048
__sctp_connect+0xac2/0xce0 net/sctp/socket.c:1241
sctp_connect net/sctp/socket.c:4858 [inline]
sctp_inet_connect+0x2a2/0x340 net/sctp/socket.c:4874
__sys_connect+0x266/0x330 net/socket.c:1808
__do_sys_connect net/socket.c:1819 [inline]
__se_sys_connect net/socket.c:1816 [inline]
__x64_sys_connect+0x73/0xb0 net/socket.c:1816
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458da9
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f58b1850c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458da9
RDX: 000000000000001c RSI: 0000000020000200 RDI: 0000000000000003
RBP: 000000000073bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f58b18516d4
R13: 00000000004bf1f1 R14: 00000000004d02c0 R15: 00000000ffffffff
Modules linked in:
---[ end trace 04c26bfcf25dca59 ]---
RIP: 0010:ip6_route_get_saddr include/net/ip6_route.h:119 [inline]
RIP: 0010:ip6_dst_lookup_tail+0xf0e/0x1b30 net/ipv6/ip6_output.c:971
Code: e6 07 e8 55 57 61 fb 48 85 db 0f 84 83 08 00 00 e8 47 57 61 fb 48 8d
7b 7c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 07
RSP: 0018:ffff888063406f40 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 00c0200001ffff88 RCX: ffffc90005fe4000
RDX: 0018040000400000 RSI: ffffffff860f35a9 RDI: 00c0200002000004
RBP: ffff888063407098 R08: ffff888085a7c000 R09: ffffed1015d25bc8
R10: ffffed1015d25bc7 R11: ffff8880ae92de3b R12: ffff8880653b3270
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880653b3298
FS: 00007f58b1851700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000070c09b CR3: 000000006d91d000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Dmitry Vyukov

Apr 29, 2019, 2:52:35 AM
to syzbot, Alexei Starovoitov, bpf, Daniel Borkmann, David Miller, Martin KaFai Lau, Alexey Kuznetsov, LKML, netdev, Song Liu, syzkaller-bugs, Yonghong Song, Hideaki YOSHIFUJI, Eric Dumazet
On Mon, Apr 29, 2019 at 8:51 AM syzbot
<syzbot+58d8f7...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: fdfdf867 net: phy: marvell: Fix buffer overrun with stats ..
> git tree: net
> console output: https://syzkaller.appspot.com/x/log.txt?x=12be0d38a00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a42d110b47dd6b36
> dashboard link: https://syzkaller.appspot.com/bug?extid=58d8f704b86e4e3fb4d3
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+58d8f7...@syzkaller.appspotmail.com

Eric, can this be fixed by your "ipv6: fix races in ip6_dst_destroy()"?
https://patchwork.ozlabs.org/patch/1092328/

syzbot

Jun 6, 2019, 7:14:07 PM
to a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, dvy...@google.com, edum...@google.com, ka...@fb.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, y...@fb.com, yosh...@linux-ipv6.org
syzbot has found a reproducer for the following crash on:

HEAD commit: 07c3bbdb samples: bpf: print a warning about headers_install
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14424e2ea00000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7b54c66298f8420
dashboard link: https://syzkaller.appspot.com/bug?extid=58d8f704b86e4e3fb4d3
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=117f50e1a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+58d8f7...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 14003 Comm: syz-executor.4 Not tainted 5.2.0-rc2+ #14
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:ip6_route_get_saddr include/net/ip6_route.h:120 [inline]
RIP: 0010:ip6_dst_lookup_tail+0xf0e/0x1b30 net/ipv6/ip6_output.c:1032
Code: e6 07 e8 75 66 55 fb 48 85 db 0f 84 83 08 00 00 e8 67 66 55 fb 48 8d
7b 7c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 07
RSP: 0018:ffff888079027480 EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: ff8880990716c000 RCX: 0000000000000000
RDX: 1ff1101320e2d80f RSI: ffffffff861b3f59 RDI: ff8880990716c07c
RBP: ffff8880790275d8 R08: ffff8880855b43c0 R09: ffffed1015d26be8
R10: ffffed1015d26be7 R11: ffff8880ae935f3b R12: ffff888079027740
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888079027768
FS: 00007f7158009700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd85cf4eb8 CR3: 00000000a96aa000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ip6_dst_lookup_flow+0xa8/0x220 net/ipv6/ip6_output.c:1155
tcp_v6_connect+0xda3/0x20a0 net/ipv6/tcp_ipv6.c:282
__inet_stream_connect+0x834/0xe90 net/ipv4/af_inet.c:659
tcp_sendmsg_fastopen net/ipv4/tcp.c:1143 [inline]
tcp_sendmsg_locked+0x2318/0x3920 net/ipv4/tcp.c:1185
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1419
inet_sendmsg+0x141/0x5d0 net/ipv4/af_inet.c:802
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:671
___sys_sendmsg+0x803/0x920 net/socket.c:2292
__sys_sendmsg+0x105/0x1d0 net/socket.c:2330
__do_sys_sendmsg net/socket.c:2339 [inline]
__se_sys_sendmsg net/socket.c:2337 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2337
do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459279
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7158008c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
RDX: 0000000020008844 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 000000000075bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f71580096d4
R13: 00000000004c6ccc R14: 00000000004dbb30 R15: 00000000ffffffff
Modules linked in:
---[ end trace c968f232eacd4c70 ]---
RIP: 0010:ip6_route_get_saddr include/net/ip6_route.h:120 [inline]
RIP: 0010:ip6_dst_lookup_tail+0xf0e/0x1b30 net/ipv6/ip6_output.c:1032
Code: e6 07 e8 75 66 55 fb 48 85 db 0f 84 83 08 00 00 e8 67 66 55 fb 48 8d
7b 7c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 07
RSP: 0018:ffff888079027480 EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: ff8880990716c000 RCX: 0000000000000000
RDX: 1ff1101320e2d80f RSI: ffffffff861b3f59 RDI: ff8880990716c07c
RBP: ffff8880790275d8 R08: ffff8880855b43c0 R09: ffffed1015d26be8
R10: ffffed1015d26be7 R11: ffff8880ae935f3b R12: ffff888079027740
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888079027768
FS: 00007f7158009700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000015523b8 CR3: 00000000a96aa000 CR4: 00000000001406f0

syzbot

Jun 6, 2019, 11:25:01 PM
to a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, dsa...@gmail.com, dvy...@google.com, edum...@google.com, ka...@fb.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, y...@fb.com, yosh...@linux-ipv6.org
syzbot has bisected this bug to:

commit f40b6ae2b612446dc970d7b51eeec47bd1619f82
Author: David Ahern <dsa...@gmail.com>
Date: Thu May 23 03:27:55 2019 +0000

ipv6: Move pcpu cached routes to fib6_nh

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13c969a6a00000
start commit: 07c3bbdb samples: bpf: print a warning about headers_install
git tree: bpf-next
final crash: https://syzkaller.appspot.com/x/report.txt?x=102969a6a00000
console output: https://syzkaller.appspot.com/x/log.txt?x=17c969a6a00000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=117f50e1a00000

Reported-by: syzbot+58d8f7...@syzkaller.appspotmail.com
Fixes: f40b6ae2b612 ("ipv6: Move pcpu cached routes to fib6_nh")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Hillf Danton

Jun 7, 2019, 9:44:52 PM
to syzbot, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, dvy...@google.com, edum...@google.com, ka...@fb.com, kuz...@ms2.inr.ac.ru, linux-...@vger.kernel.org, net...@vger.kernel.org, songliu...@fb.com, syzkall...@googlegroups.com, y...@fb.com, yosh...@linux-ipv6.org

Hi

Thu, 06 Jun 2019 16:14:06 -0700 (PDT) syzbot wrote:
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit: 07c3bbdb samples: bpf: print a warning about headers_install
> git tree: bpf-next
> dashboard link: https://syzkaller.appspot.com/bug?extid=58d8f704b86e4e3fb4d3
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=117f50e1a00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+58d8f7...@syzkaller.appspotmail.com
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 14003 Comm: syz-executor.4 Not tainted 5.2.0-rc2+ #14
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:ip6_route_get_saddr include/net/ip6_route.h:120 [inline]
> RIP: 0010:ip6_dst_lookup_tail+0xf0e/0x1b30 net/ipv6/ip6_output.c:1032
> Code: e6 07 e8 75 66 55 fb 48 85 db 0f 84 83 08 00 00 e8 67 66 55 fb 48 8d
> 7b 7c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
> 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 07
> RSP: 0018:ffff888079027480 EFLAGS: 00010a07
> RAX: dffffc0000000000 RBX: ff8880990716c000 RCX: 0000000000000000
> RDX: 1ff1101320e2d80f RSI: ffffffff861b3f59 RDI: ff8880990716c07c
> RBP: ffff8880790275d8 R08: ffff8880855b43c0 R09: ffffed1015d26be8
> R10: ffffed1015d26be7 R11: ffff8880ae935f3b R12: ffff888079027740
> R13: 0000000000000000 R14: 0000000000000000 R15: ffff888079027768
> FS: 00007f7158009700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffd85cf4eb8 CR3: 00000000a96aa000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> ip6_dst_lookup_flow+0xa8/0x220 net/ipv6/ip6_output.c:1155
> tcp_v6_connect+0xda3/0x20a0 net/ipv6/tcp_ipv6.c:282
> __inet_stream_connect+0x834/0xe90 net/ipv4/af_inet.c:659
> tcp_sendmsg_fastopen net/ipv4/tcp.c:1143 [inline]
> tcp_sendmsg_locked+0x2318/0x3920 net/ipv4/tcp.c:1185
> tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1419
> inet_sendmsg+0x141/0x5d0 net/ipv4/af_inet.c:802
> sock_sendmsg_nosec net/socket.c:652 [inline]
> sock_sendmsg+0xd7/0x130 net/socket.c:671
> ___sys_sendmsg+0x803/0x920 net/socket.c:2292
> __sys_sendmsg+0x105/0x1d0 net/socket.c:2330
> __do_sys_sendmsg net/socket.c:2339 [inline]
> __se_sys_sendmsg net/socket.c:2337 [inline]
> __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2337
> do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459279
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f7158008c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
> RDX: 0000000020008844 RSI: 0000000020000240 RDI: 0000000000000005
> RBP: 000000000075bfc0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f71580096d4
> R13: 00000000004c6ccc R14: 00000000004dbb30 R15: 00000000ffffffff
> Modules linked in:
> ---[ end trace c968f232eacd4c70 ]---
> RIP: 0010:ip6_route_get_saddr include/net/ip6_route.h:120 [inline]
> RIP: 0010:ip6_dst_lookup_tail+0xf0e/0x1b30 net/ipv6/ip6_output.c:1032
> Code: e6 07 e8 75 66 55 fb 48 85 db 0f 84 83 08 00 00 e8 67 66 55 fb 48 8d
> 7b 7c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48
> 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 07
> RSP: 0018:ffff888079027480 EFLAGS: 00010a07
> RAX: dffffc0000000000 RBX: ff8880990716c000 RCX: 0000000000000000
> RDX: 1ff1101320e2d80f RSI: ffffffff861b3f59 RDI: ff8880990716c07c
> RBP: ffff8880790275d8 R08: ffff8880855b43c0 R09: ffffed1015d26be8
> R10: ffffed1015d26be7 R11: ffff8880ae935f3b R12: ffff888079027740
> R13: 0000000000000000 R14: 0000000000000000 R15: ffff888079027768
> FS: 00007f7158009700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000015523b8 CR3: 00000000a96aa000 CR4: 00000000001406f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
Ignore my noise if you have no interest in seeing the syzbot report.

The following tiny diff, made in the hope that it may help you perhaps
handle the report, pins fib info before trying to get saddr and
releases it afterwards.

Thanks
Hillf
---
net/ipv6/ip6_output.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 16f200f..eabac69 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -953,10 +953,13 @@ static int ip6_dst_lookup_tail(struct net *net, const struct sock *sk,

rcu_read_lock();
from = rt ? rcu_dereference(rt->from) : NULL;
+ if (from && !fib6_info_hold_safe(from))
+ from = NULL;
err = ip6_route_get_saddr(net, from, &fl6->daddr,
sk ? inet6_sk(sk)->srcprefs : 0,
&fl6->saddr);
rcu_read_unlock();
+ fib6_info_release(from);

if (err)
goto out_err_release;
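Review bot: the added hold/release pair does not cover anything that RCU is not already covering here. The only use of `from` between `fib6_info_hold_safe(from)` and `fib6_info_release(from)` is the `ip6_route_get_saddr()` call, and that call sits entirely inside the `rcu_read_lock()` / `rcu_read_unlock()` pair that is already in this hunk, so a `fib6_info` that is freed through RCU cannot go away during the call with or without the extra reference. If `rt->from` is already stale when `rcu_dereference(rt->from)` runs (the bisection earlier in this thread points at the pcpu-route move, which is a plausible source of exactly that), the reference is taken on the bad pointer and the GPF is unchanged. Either the description should say which lifetime the extra reference is meant to extend beyond the RCU section, or the two added lines should be dropped in favour of fixing where the stale `from` comes from. Minor: `from` can legitimately be NULL at the `fib6_info_release(from)` line (both from the `rt ? ... : NULL` ternary and from the new `from = NULL` fallback), which is fine only because `fib6_info_release()` checks for NULL itself; worth a comment so the next reader does not have to verify that.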
--

syzbot

Aug 31, 2022, 12:49:19 AM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.