syzbot

==================================================================
BUG: KASAN: slab-use-after-free in __xfrm_state_lookup_all net/xfrm/xfrm_state.c:1143 [inline]
BUG: KASAN: slab-use-after-free in xfrm_state_find+0x7401/0x84c0 net/xfrm/xfrm_state.c:1494
Read of size 1 at addr ffff888066be0770 by task syz.0.5165/27752

CPU: 0 UID: 0 PID: 27752 Comm: syz.0.5165 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 __xfrm_state_lookup_all net/xfrm/xfrm_state.c:1143 [inline]
 xfrm_state_find+0x7401/0x84c0 net/xfrm/xfrm_state.c:1494
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2522 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2573 [inline]
 xfrm_resolve_and_create_bundle+0x4cd/0x3740 net/xfrm/xfrm_policy.c:2871
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3106 [inline]
 xfrm_lookup_with_ifid+0x51d/0x1e40 net/xfrm/xfrm_policy.c:3237
 xfrm_lookup net/xfrm/xfrm_policy.c:3336 [inline]
 xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3347
 ip_route_output_flow+0x11e/0x150 net/ipv4/route.c:2934
 raw_sendmsg+0xd5b/0x37e0 net/ipv4/raw.c:628
 inet_sendmsg+0x11c/0x140 net/ipv4/af_inet.c:851
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 __sys_sendto+0x43c/0x520 net/socket.c:2228
 __do_sys_sendto net/socket.c:2235 [inline]
 __se_sys_sendto net/socket.c:2231 [inline]
 __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2231
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdd2038ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdd21149038 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fdd205c5fa0 RCX: 00007fdd2038ebe9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
RBP: 00007fdd20411e19 R08: 0000200000000000 R09: 0000000000000010
R10: 0000000000048812 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fdd205c6038 R14: 00007fdd205c5fa0 R15: 00007ffd48cb93d8
 </TASK>

Allocated by task 25235:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:330 [inline]
 __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:356
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4191 [inline]
 slab_alloc_node mm/slub.c:4240 [inline]
 kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4247
 xfrm_state_alloc+0x23/0x5c0 net/xfrm/xfrm_state.c:733
 __find_acq_core+0xb59/0x2900 net/xfrm/xfrm_state.c:1833
 xfrm_find_acq+0x7b/0xa0 net/xfrm/xfrm_state.c:2353
 pfkey_getspi+0xa62/0xeb0 net/key/af_key.c:1365
 pfkey_process+0x6dc/0x840 net/key/af_key.c:2848
 pfkey_sendmsg+0x435/0x850 net/key/af_key.c:3699
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 ____sys_sendmsg+0xa98/0xc70 net/socket.c:2614
 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668
 __sys_sendmsg+0x16d/0x220 net/socket.c:2700
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5981:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2422 [inline]
 slab_free mm/slub.c:4695 [inline]
 kmem_cache_free+0x2d1/0x4d0 mm/slub.c:4797
 xfrm_state_free net/xfrm/xfrm_state.c:591 [inline]
 xfrm_state_gc_destroy net/xfrm/xfrm_state.c:618 [inline]
 xfrm_state_gc_task+0x50a/0x770 net/xfrm/xfrm_state.c:634
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c2/0x780 kernel/kthread.c:463
 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888066be0440
 which belongs to the cache xfrm_state of size 928
The buggy address is located 816 bytes inside of
 freed 928-byte region [ffff888066be0440, ffff888066be07e0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888066be1980 pfn:0x66be0
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888144287b40 dead000000000122 0000000000000000
raw: ffff888066be1980 00000000800f0009 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff888144287b40 dead000000000122 0000000000000000
head: ffff888066be1980 00000000800f0009 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea00019af801 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 9686, tgid 9681 (syz.5.868), ts 348897574393, free_ts 348847564115
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2492 [inline]
 allocate_slab mm/slub.c:2660 [inline]
 new_slab+0x247/0x330 mm/slub.c:2714
 ___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
 __slab_alloc_node mm/slub.c:4067 [inline]
 slab_alloc_node mm/slub.c:4228 [inline]
 kmem_cache_alloc_noprof+0xef/0x3b0 mm/slub.c:4247
 xfrm_state_alloc+0x23/0x5c0 net/xfrm/xfrm_state.c:733
 xfrm_state_construct net/xfrm/xfrm_user.c:889 [inline]
 xfrm_add_sa+0x1283/0x5c50 net/xfrm/xfrm_user.c:1019
 xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3501
 netlink_rcv_skb+0x155/0x420 net/netlink/af_netlink.c:2552
 xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3523
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 ____sys_sendmsg+0xa98/0xc70 net/socket.c:2614
page last free pid 5218 tgid 5218 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
 discard_slab mm/slub.c:2758 [inline]
 __put_partials+0x165/0x1c0 mm/slub.c:3223
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4191 [inline]
 slab_alloc_node mm/slub.c:4240 [inline]
 kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4247
 getname_flags.part.0+0x4c/0x550 fs/namei.c:146
 getname_flags+0x93/0xf0 include/linux/audit.h:322
 do_readlinkat+0xb4/0x3a0 fs/stat.c:575
 __do_sys_readlink fs/stat.c:613 [inline]
 __se_sys_readlink fs/stat.c:610 [inline]
 __x64_sys_readlink+0x78/0xc0 fs/stat.c:610
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888066be0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888066be0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888066be0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff888066be0780: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff888066be0800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================