syzbot |
sign-in | mailing list | source | docs |
================================================================== BUG: KASAN: slab-use-after-free in decode_session6 net/xfrm/xfrm_policy.c:3494 [inline] BUG: KASAN: slab-use-after-free in __xfrm_decode_session+0x18d7/0x20a0 net/xfrm/xfrm_policy.c:3600 Read of size 1 at addr ffff888026634751 by task syz.1.2332/12097 CPU: 1 PID: 12097 Comm: syz.1.2332 Not tainted 6.6.99-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xac/0x200 mm/kasan/report.c:466 kasan_report+0x117/0x150 mm/kasan/report.c:579 decode_session6 net/xfrm/xfrm_policy.c:3494 [inline] __xfrm_decode_session+0x18d7/0x20a0 net/xfrm/xfrm_policy.c:3600 xfrm_decode_session_reverse include/net/xfrm.h:1243 [inline] icmpv6_route_lookup+0x358/0x590 net/ipv6/icmp.c:392 icmp6_send+0x106a/0x1990 net/ipv6/icmp.c:604 __icmpv6_send include/linux/icmpv6.h:28 [inline] icmpv6_send include/linux/icmpv6.h:49 [inline] ip6_link_failure+0x3b/0x4c0 net/ipv6/route.c:2825 dst_link_failure include/net/dst.h:437 [inline] ip6_tnl_xmit+0xdf7/0x2a30 net/ipv6/ip6_tunnel.c:1283 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1399 [inline] ip6_tnl_start_xmit+0xc10/0x1140 net/ipv6/ip6_tunnel.c:1447 __netdev_start_xmit include/linux/netdevice.h:4943 [inline] netdev_start_xmit include/linux/netdevice.h:4957 [inline] xmit_one net/core/dev.c:3607 [inline] dev_hard_start_xmit+0x246/0x740 net/core/dev.c:3623 sch_direct_xmit+0x252/0x4a0 net/sched/sch_generic.c:342 qdisc_restart net/sched/sch_generic.c:407 [inline] __qdisc_run+0xab2/0x1570 net/sched/sch_generic.c:415 __dev_xmit_skb net/core/dev.c:3907 [inline] __dev_queue_xmit+0xf02/0x35a0 net/core/dev.c:4379 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0xe2e/0x1650 net/ipv6/ip6_output.c:141 dst_output include/net/dst.h:467 [inline] NF_HOOK include/linux/netfilter.h:304 [inline] ip6_xmit+0x10a7/0x1830 net/ipv6/ip6_output.c:360 sctp_v6_xmit+0x9e3/0x1230 net/sctp/ipv6.c:250 sctp_packet_transmit+0x2488/0x2a30 net/sctp/output.c:653 sctp_outq_flush_transports net/sctp/outqueue.c:1173 [inline] sctp_outq_flush+0xecc/0x3100 net/sctp/outqueue.c:1221 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:-1 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x52d6/0x59a0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_REQUESTHEARTBEAT+0x98/0xc0 net/sctp/primitive.c:185 sctp_apply_peer_addr_params+0xdf/0x1880 net/sctp/socket.c:2437 sctp_setsockopt_peer_addr_params+0x673/0x940 net/sctp/socket.c:2687 sctp_setsockopt+0x708/0x11e0 net/sctp/socket.c:4638 do_sock_setsockopt+0x175/0x1a0 net/socket.c:2322 __sys_setsockopt net/socket.c:2345 [inline] __do_sys_setsockopt net/socket.c:2354 [inline] __se_sys_setsockopt net/socket.c:2351 [inline] __x64_sys_setsockopt+0x184/0x200 net/socket.c:2351 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f64f378e9a9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f64f4669038 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007f64f39b5fa0 RCX: 00007f64f378e9a9 RDX: 0000000000000009 RSI: 0000000000000084 RDI: 0000000000000003 RBP: 00007f64f3810d69 R08: 000000000000009c R09: 0000000000000000 R10: 00002000000000c0 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f64f39b5fa0 R15: 00007ffc4afad858 </TASK> Allocated by task 2: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4e/0x70 mm/kasan/common.c:52 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook+0x6e/0x4d0 mm/slab.h:767 slab_alloc_node mm/slub.c:3485 [inline] slab_alloc mm/slub.c:3493 [inline] __kmem_cache_alloc_lru mm/slub.c:3500 [inline] kmem_cache_alloc+0x11e/0x2e0 mm/slub.c:3509 kmem_cache_zalloc include/linux/slab.h:711 [inline] copy_signal+0x50/0x680 kernel/fork.c:1858 copy_process+0x1673/0x3d70 kernel/fork.c:2503 kernel_clone+0x21b/0x840 kernel/fork.c:2914 kernel_thread+0x10d/0x160 kernel/fork.c:2976 create_kthread kernel/kthread.c:411 [inline] kthreadd+0x560/0x730 kernel/kthread.c:766 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293 The buggy address belongs to the object at ffff888026634380 which belongs to the cache signal_cache of size 1544 The buggy address is located 977 bytes inside of freed 1544-byte region [ffff888026634380, ffff888026634988) The buggy address belongs to the physical page: page:ffffea0000998c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888026633cc0 pfn:0x26630 head:ffffea0000998c00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff88807938da01 flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000840 ffff888019a4c780 ffffea0000afe410 ffffea0000866610 raw: ffff888026633cc0 0000000000120004 00000001ffffffff ffff88807938da01 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 11, tgid 11 (kworker/u4:0), ts 9513715026, free_ts 0 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554 prep_new_page mm/page_alloc.c:1561 [inline] get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191 __alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457 alloc_slab_page+0x5d/0x170 mm/slub.c:1876 allocate_slab mm/slub.c:2023 [inline] new_slab+0x87/0x2e0 mm/slub.c:2076 ___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230 __slab_alloc mm/slub.c:3329 [inline] __slab_alloc_node mm/slub.c:3382 [inline] slab_alloc_node mm/slub.c:3475 [inline] slab_alloc mm/slub.c:3493 [inline] __kmem_cache_alloc_lru mm/slub.c:3500 [inline] kmem_cache_alloc+0x1b7/0x2e0 mm/slub.c:3509 kmem_cache_zalloc include/linux/slab.h:711 [inline] copy_signal+0x50/0x680 kernel/fork.c:1858 copy_process+0x1673/0x3d70 kernel/fork.c:2503 kernel_clone+0x21b/0x840 kernel/fork.c:2914 user_mode_thread+0xde/0x130 kernel/fork.c:2992 call_usermodehelper_exec_work+0x5c/0x220 kernel/umh.c:172 process_one_work kernel/workqueue.c:2634 [inline] process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792 kthread+0x2fa/0x390 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 page_owner free stack trace missing Memory state around the buggy address: ffff888026634600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888026634680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888026634700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888026634780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888026634800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/07/18 21:36 | linux-6.6.y | d96eb99e2f0e | 7117feec | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in __xfrm_decode_session | ||
| 2025/07/18 21:36 | linux-6.6.y | d96eb99e2f0e | 7117feec | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in __xfrm_decode_session | ||
| 2025/07/16 22:49 | linux-6.6.y | 9247f4e6573a | 44f8051e | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in __xfrm_decode_session | ||
| 2025/07/15 05:16 | linux-6.6.y | 9247f4e6573a | 03fcfc4b | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in __xfrm_decode_session | ||
| 2025/07/06 12:49 | linux-6.6.y | a5df3a702b2c | 4f67c4ae | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in __xfrm_decode_session | ||
| 2025/07/04 01:22 | linux-6.6.y | 3f5b4c104b7d | 76ad128c | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in __xfrm_decode_session | ||
| 2025/07/02 05:30 | linux-6.6.y | 3f5b4c104b7d | bc80e4f0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in __xfrm_decode_session | ||
| 2025/07/01 19:37 | linux-6.6.y | 3f5b4c104b7d | 091a06cd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in __xfrm_decode_session | ||
| 2025/07/17 15:29 | linux-6.6.y | 9247f4e6573a | 0d1223f1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-out-of-bounds Read in __xfrm_decode_session | ||
| 2025/07/16 22:48 | linux-6.6.y | 9247f4e6573a | 44f8051e | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-out-of-bounds Read in __xfrm_decode_session | ||
| 2025/07/16 09:11 | linux-6.6.y | 9247f4e6573a | 124ec9cc | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-out-of-bounds Read in __xfrm_decode_session | ||
| 2025/07/14 13:33 | linux-6.6.y | 59a2de10b81a | d8fc7335 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-out-of-bounds Read in __xfrm_decode_session | ||
| 2025/07/14 13:30 | linux-6.6.y | 59a2de10b81a | d8fc7335 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-out-of-bounds Read in __xfrm_decode_session | ||
| 2025/07/06 12:49 | linux-6.6.y | a5df3a702b2c | 4f67c4ae | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-out-of-bounds Read in __xfrm_decode_session | ||
| 2025/07/04 16:08 | linux-6.6.y | 3f5b4c104b7d | d869b261 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-out-of-bounds Read in __xfrm_decode_session | ||
| 2025/07/04 16:08 | linux-6.6.y | 3f5b4c104b7d | d869b261 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-out-of-bounds Read in __xfrm_decode_session |