KASAN: slab-out-of-bounds Read in __xfrm_decode

Date	Name	Commit	Repro	Result
2026/04/12	linux-5.15.y (ToT)	91d48252ad4b	C	[report] KASAN: use-after-free Read in __xfrm_decode_session
2026/04/12	upstream (ToT)	f5459048c38a	C	Didn't crash

Date

Name

Commit

Repro

Result

2026/04/12

linux-5.15.y (ToT)

91d48252ad4b

[report] KASAN: use-after-free Read in __xfrm_decode_session

2026/04/12

upstream (ToT)

f5459048c38a

Didn't crash

Kernel	Title	Rank 🛈	Repro	Fix bisect	Count	Last	Reported	Patched	Status
linux-6.6	KASAN: slab-use-after-free Read in __xfrm_decode_session	19			19	266d	288d	0/2	auto-obsoleted due to no activity on 2025/10/01 05:45
linux-6.1	KASAN: use-after-free Read in __xfrm_decode_session (2) origin:lts-only	19	C	inconclusive	9	140d	350d	0/3	upstream: reported C repro on 2025/04/30 13:03
upstream	KASAN: slab-out-of-bounds Read in __xfrm_decode_session (2) net	19			7	1592d	1828d	0/29	auto-closed as invalid on 2022/04/04 17:22
upstream	KMSAN: kernel-infoleak in copyout (2) net	17	C		6723	1042d	2211d	22/29	fixed on 2023/06/08 14:41
linux-5.15	KASAN: slab-out-of-bounds Read in __xfrm_decode_session origin:upstream	19	C	error	7	889d	1076d	0/3	auto-obsoleted due to no activity on 2024/02/16 23:16
linux-6.6	KASAN: slab-out-of-bounds Read in __xfrm_decode_session origin:lts-only	17	C	error	1	23d	24d	0/2	upstream: reported C repro on 2026/03/22 10:21
linux-6.1	KASAN: slab-out-of-bounds Read in __xfrm_decode_session	17			1	475d	475d	0/3	auto-obsoleted due to no activity on 2025/04/05 09:29
linux-5.15	KASAN: slab-out-of-bounds Read in __xfrm_decode_session (2)	19			4	253d	381d	0/3	auto-obsoleted due to no activity on 2025/11/13 13:37
upstream	KASAN: slab-out-of-bounds Read in __xfrm_decode_session net	17			20	2044d	2329d	0/29	auto-closed as invalid on 2021/01/07 14:52
linux-6.1	KASAN: use-after-free Read in __xfrm_decode_session	19			4	935d	1066d	0/3	auto-obsoleted due to no activity on 2024/01/01 21:03
linux-6.6	KASAN: slab-use-after-free Read in __xfrm_decode_session (2)	19			1	157d	157d	0/2	auto-obsoleted due to no activity on 2026/02/17 15:57
upstream	KMSAN: kernel-infoleak in _copy_to_iter (7) net	21	C		138977	1146d	1498d	22/29	fixed on 2023/02/24 13:50
upstream	KMSAN: uninit-value in __xfrm_decode_session (4) net	19	C		8	906d	953d	0/29	closed as invalid on 2023/12/14 11:46
upstream	KASAN: use-after-free Read in __xfrm_decode_session net	19			12	2048d	2407d	0/29	auto-closed as invalid on 2021/01/03 02:25

Created	Duration	User	Patch	Repo	Result
2026/04/12 05:59	1m	fix candidate		upstream	error job log

Created

Duration

User

Patch

Repo

Result

2026/04/12 05:59

fix candidate

upstream

error job log

netlink: 80 bytes leftover after parsing attributes in process `syz.0.18'. ================================================================== BUG: KASAN: slab-out-of-bounds in decode_session6 net/xfrm/xfrm_policy.c:3413 [inline] BUG: KASAN: slab-out-of-bounds in __xfrm_decode_session+0x17ae/0x1fa0 net/xfrm/xfrm_policy.c:3520 Read of size 1 at addr ffff888072c3abc7 by task syz.0.18/4316 CPU: 0 PID: 4316 Comm: syz.0.18 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call Trace: <TASK> dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106 print_address_description+0x60/0x2d0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0xdf/0x130 mm/kasan/report.c:451 decode_session6 net/xfrm/xfrm_policy.c:3413 [inline] __xfrm_decode_session+0x17ae/0x1fa0 net/xfrm/xfrm_policy.c:3520 xfrm_decode_session_reverse include/net/xfrm.h:1170 [inline] icmpv6_route_lookup+0x3ea/0x5a0 net/ipv6/icmp.c:394 icmp6_send+0xff2/0x1990 net/ipv6/icmp.c:601 __icmpv6_send include/linux/icmpv6.h:28 [inline] icmpv6_send include/linux/icmpv6.h:49 [inline] ip6_link_failure+0x35/0x490 net/ipv6/route.c:2788 dst_link_failure include/net/dst.h:422 [inline] ip6_tnl_xmit+0x671/0x23e0 net/ipv6/ip6_tunnel.c:1274 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1390 [inline] ip6_tnl_start_xmit+0xd27/0x12d0 net/ipv6/ip6_tunnel.c:1439 __netdev_start_xmit include/linux/netdevice.h:5036 [inline] netdev_start_xmit include/linux/netdevice.h:5050 [inline] xmit_one net/core/dev.c:3662 [inline] dev_hard_start_xmit+0x2a5/0x7e0 net/core/dev.c:3678 sch_direct_xmit+0x25a/0x4b0 net/sched/sch_generic.c:345 qdisc_restart net/sched/sch_generic.c:410 [inline] __qdisc_run+0xa7e/0x1490 net/sched/sch_generic.c:418 __dev_xmit_skb net/core/dev.c:3955 [inline] __dev_queue_xmit+0xe3d/0x2f80 net/core/dev.c:4266 neigh_output include/net/neighbour.h:509 [inline] ip6_finish_output2+0x108c/0x1510 net/ipv6/ip6_output.c:130 ip6_fragment+0x133d/0x1ee0 net/ipv6/ip6_output.c:998 dst_output include/net/dst.h:452 [inline] NF_HOOK include/linux/netfilter.h:302 [inline] ip6_xmit+0x109b/0x16d0 net/ipv6/ip6_output.c:338 sctp_v6_xmit+0x985/0x11b0 net/sctp/ipv6.c:250 sctp_packet_transmit+0x239c/0x2910 net/sctp/output.c:652 sctp_packet_singleton+0x231/0x330 net/sctp/outqueue.c:780 sctp_outq_flush_ctrl net/sctp/outqueue.c:911 [inline] sctp_outq_flush+0x4ac/0x3100 net/sctp/outqueue.c:1209 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:-1 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] sctp_do_sm+0x4ee2/0x55f0 net/sctp/sm_sideeffect.c:1170 sctp_primitive_ASSOCIATE+0x91/0xc0 net/sctp/primitive.c:73 sctp_sendmsg_to_asoc+0x14a7/0x1d90 net/sctp/socket.c:1840 sctp_sendmsg+0x196a/0x2900 net/sctp/socket.c:2030 sock_sendmsg_nosec net/socket.c:706 [inline] __sock_sendmsg net/socket.c:718 [inline] ____sys_sendmsg+0x5b7/0x8f0 net/socket.c:2445 ___sys_sendmsg+0x236/0x2e0 net/socket.c:2499 __sys_sendmmsg+0x2ba/0x500 net/socket.c:2585 __do_sys_sendmmsg net/socket.c:2614 [inline] __se_sys_sendmmsg net/socket.c:2611 [inline] __x64_sys_sendmmsg+0x9c/0xb0 net/socket.c:2611 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 RIP: 0033:0x7fe159197819 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc1d6244a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007fe159410fa0 RCX: 00007fe159197819 RDX: 0000000000000002 RSI: 0000200000002fc0 RDI: 0000000000000004 RBP: 00007fe15922dc91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000024000045 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fe159410fac R14: 00007fe159410fa0 R15: 00007fe159410fa0 </TASK> Allocated by task 4316: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522 kmalloc_reserve net/core/skbuff.c:356 [inline] __alloc_skb+0x22c/0x750 net/core/skbuff.c:427 alloc_skb include/linux/skbuff.h:1162 [inline] ip6_frag_next+0x128/0xbb0 net/ipv6/ip6_output.c:777 ip6_fragment+0x12ee/0x1ee0 net/ipv6/ip6_output.c:988 dst_output include/net/dst.h:452 [inline] NF_HOOK include/linux/netfilter.h:302 [inline] ip6_xmit+0x109b/0x16d0 net/ipv6/ip6_output.c:338 sctp_v6_xmit+0x985/0x11b0 net/sctp/ipv6.c:250 sctp_packet_transmit+0x239c/0x2910 net/sctp/output.c:652 sctp_packet_singleton+0x231/0x330 net/sctp/outqueue.c:780 sctp_outq_flush_ctrl net/sctp/outqueue.c:911 [inline] sctp_outq_flush+0x4ac/0x3100 net/sctp/outqueue.c:1209 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:-1 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] sctp_do_sm+0x4ee2/0x55f0 net/sctp/sm_sideeffect.c:1170 sctp_primitive_ASSOCIATE+0x91/0xc0 net/sctp/primitive.c:73 sctp_sendmsg_to_asoc+0x14a7/0x1d90 net/sctp/socket.c:1840 sctp_sendmsg+0x196a/0x2900 net/sctp/socket.c:2030 sock_sendmsg_nosec net/socket.c:706 [inline] __sock_sendmsg net/socket.c:718 [inline] ____sys_sendmsg+0x5b7/0x8f0 net/socket.c:2445 ___sys_sendmsg+0x236/0x2e0 net/socket.c:2499 __sys_sendmmsg+0x2ba/0x500 net/socket.c:2585 __do_sys_sendmmsg net/socket.c:2614 [inline] __se_sys_sendmmsg net/socket.c:2611 [inline] __x64_sys_sendmmsg+0x9c/0xb0 net/socket.c:2611 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 The buggy address belongs to the object at ffff888072c3a000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 967 bytes to the right of 2048-byte region [ffff888072c3a000, ffff888072c3a800) The buggy address belongs to the page: page:ffffea0001cb0e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x72c38 head:ffffea0001cb0e00 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888016c42000 raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4316, ts 84473716433, free_ts 84451446553 prep_new_page mm/page_alloc.c:2426 [inline] get_page_from_freelist+0x1bbd/0x1ca0 mm/page_alloc.c:4192 __alloc_pages+0x1ee/0x480 mm/page_alloc.c:5501 alloc_slab_page mm/slub.c:1780 [inline] allocate_slab mm/slub.c:1917 [inline] new_slab+0xc0/0x4b0 mm/slub.c:1980 ___slab_alloc+0x80a/0xdd0 mm/slub.c:3013 __slab_alloc mm/slub.c:3100 [inline] slab_alloc_node mm/slub.c:3191 [inline] slab_alloc mm/slub.c:3233 [inline] __kmalloc+0x1cd/0x330 mm/slub.c:4408 kmalloc include/linux/slab.h:612 [inline] sk_prot_alloc+0xe7/0x210 net/core/sock.c:1866 sk_alloc+0x2f/0x310 net/core/sock.c:1922 __netlink_create+0x6b/0x2d0 net/netlink/af_netlink.c:629 netlink_create+0x3a7/0x510 net/netlink/af_netlink.c:692 __sock_create+0x47b/0x900 net/socket.c:1495 sock_create net/socket.c:1551 [inline] __sys_socket+0xe2/0x170 net/socket.c:1593 __do_sys_socket net/socket.c:1602 [inline] __se_sys_socket net/socket.c:1600 [inline] __x64_sys_socket+0x76/0x80 net/socket.c:1600 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1340 [inline] free_pcp_prepare mm/page_alloc.c:1391 [inline] free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317 free_unref_page+0x8f/0x2a0 mm/page_alloc.c:3396 free_slab mm/slub.c:2020 [inline] discard_slab mm/slub.c:2026 [inline] __unfreeze_partials+0x1a5/0x200 mm/slub.c:2512 put_cpu_partial+0x12d/0x190 mm/slub.c:2592 qlist_free_all+0x35/0x90 mm/kasan/quarantine.c:176 kasan_quarantine_reduce+0x150/0x160 mm/kasan/quarantine.c:283 __kasan_slab_alloc+0x2f/0xd0 mm/kasan/common.c:444 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519 slab_alloc_node mm/slub.c:3225 [inline] slab_alloc mm/slub.c:3233 [inline] kmem_cache_alloc+0x100/0x290 mm/slub.c:3238 getname_flags+0xb5/0x500 fs/namei.c:138 getname fs/namei.c:217 [inline] __do_sys_unlink fs/namei.c:4404 [inline] __se_sys_unlink fs/namei.c:4402 [inline] __x64_sys_unlink+0x38/0x50 fs/namei.c:4402 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 Memory state around the buggy address: ffff888072c3aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888072c3ab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888072c3ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888072c3ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888072c3ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================

Crashes (9):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2026/04/12 14:16	linux-5.15.y	91d48252ad4b	38c8e246	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: slab-out-of-bounds Read in __xfrm_decode_session
2026/04/12 09:49	linux-5.15.y	91d48252ad4b	38c8e246	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: slab-out-of-bounds Read in __xfrm_decode_session
2026/04/12 06:34	linux-5.15.y	91d48252ad4b	38c8e246	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: slab-out-of-bounds Read in __xfrm_decode_session
2026/04/12 01:45	linux-5.15.y	91d48252ad4b	38c8e246	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: slab-out-of-bounds Read in __xfrm_decode_session
2026/04/11 23:28	linux-5.15.y	91d48252ad4b	38c8e246	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: slab-out-of-bounds Read in __xfrm_decode_session
2026/04/12 16:52	linux-5.15.y	91d48252ad4b	38c8e246	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: use-after-free Read in __xfrm_decode_session
2026/04/12 12:05	linux-5.15.y	91d48252ad4b	38c8e246	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: use-after-free Read in __xfrm_decode_session
2026/04/12 04:16	linux-5.15.y	91d48252ad4b	38c8e246	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: use-after-free Read in __xfrm_decode_session
2026/04/11 21:06	linux-5.15.y	91d48252ad4b	38c8e246	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: slab-out-of-bounds Read in __xfrm_decode_session

Crashes (9):

Assets (help?)