In the Linux kernel, the following vulnerability has been resolved:
ipv6: fix another slab-out-of-bounds in fib6nhflush_exceptions
While running the self-tests on a KASAN enabled kernel, I observed a slab-out-of-bounds splat very similar to the one reported in commit 821bbf79fe46 ("ipv6: Fix KASAN: slab-out-of-bounds Read in fib6nhflush_exceptions").
We additionally need to take care of fib6_metrics initialization failure when the caller provides an nh.
The fix is similar, explicitly free the route instead of calling fib6inforelease on a half-initialized object.