KASAN: slab-out-of-bounds Read in decode

KASAN: slab-out-of-bounds Read in decode_session6
Status: upstream: reported on 2020/06/27 07:18
Reported-by: syzbot+2bcc71839223ec82f056@syzkaller.appspotmail.com
First crash: 91d, last: 22h21m

Sample crash report:

==================================================================
BUG: KASAN: slab-out-of-bounds in decode_session6+0xe7c/0x1580 net/xfrm/xfrm_policy.c:3393
Read of size 1 at addr ffff888053fd2bf9 by task syz-executor.0/6720

CPU: 1 PID: 6720 Comm: syz-executor.0 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 decode_session6+0xe7c/0x1580 net/xfrm/xfrm_policy.c:3393
 __xfrm_decode_session+0x50/0xb0 net/xfrm/xfrm_policy.c:3485
 xfrm_decode_session include/net/xfrm.h:1137 [inline]
 vti6_tnl_xmit+0x40d/0x1cd0 net/ipv6/ip6_vti.c:581
 __netdev_start_xmit include/linux/netdevice.h:4636 [inline]
 netdev_start_xmit include/linux/netdevice.h:4650 [inline]
 xmit_one net/core/dev.c:3561 [inline]
 dev_hard_start_xmit+0x193/0x950 net/core/dev.c:3577
 sch_direct_xmit+0x2e1/0xbd0 net/sched/sch_generic.c:313
 qdisc_restart net/sched/sch_generic.c:376 [inline]
 __qdisc_run+0x4b9/0x1620 net/sched/sch_generic.c:384
 __dev_xmit_skb net/core/dev.c:3800 [inline]
 __dev_queue_xmit+0x199e/0x2d70 net/core/dev.c:4105
 __bpf_tx_skb net/core/filter.c:2112 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2137 [inline]
 __bpf_redirect+0x52e/0xc60 net/core/filter.c:2160
 ____bpf_clone_redirect net/core/filter.c:2191 [inline]
 bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2163
 bpf_prog_96a16ec7c1956fe9+0x5c/0xb7c
 bpf_dispatcher_nop_func include/linux/bpf.h:586 [inline]
 bpf_test_run+0x3be/0xcf0 net/bpf/test_run.c:49
 bpf_prog_test_run_skb+0xa4c/0x1c10 net/bpf/test_run.c:496
 bpf_prog_test_run kernel/bpf/syscall.c:2996 [inline]
 __do_sys_bpf+0x1770/0x4c60 kernel/bpf/syscall.c:4196
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e179
Code: 3d b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b b2 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f68b9e0bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000001780 RCX: 000000000045e179
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffdd9746f8f R14: 00007f68b9e0c9c0 R15: 000000000118cf4c

Allocated by task 22972:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc_track_caller+0x1ae/0x360 mm/slab.c:3670
 kmemdup+0x23/0x50 mm/util.c:127
 kmemdup include/linux/string.h:479 [inline]
 __devinet_sysctl_register+0x98/0x280 net/ipv4/devinet.c:2560
 devinet_sysctl_register net/ipv4/devinet.c:2612 [inline]
 devinet_sysctl_register+0x160/0x230 net/ipv4/devinet.c:2602
 inetdev_init+0x225/0x4f0 net/ipv4/devinet.c:276
 inetdev_event+0x9b8/0x14fd net/ipv4/devinet.c:1531
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2033
 call_netdevice_notifiers_extack net/core/dev.c:2045 [inline]
 call_netdevice_notifiers net/core/dev.c:2059 [inline]
 register_netdevice+0x1068/0x1630 net/core/dev.c:9861
 veth_newlink+0x533/0x9f0 drivers/net/veth.c:1378
 __rtnl_newlink+0x108b/0x1740 net/core/rtnetlink.c:3441
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5563
 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2470
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888053fd2000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3065 bytes inside of
 4096-byte region [ffff888053fd2000, ffff888053fd3000)
The buggy address belongs to the page:
page:0000000093544104 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53fd2
head:0000000093544104 order:1 compound_mapcount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00014ff508 ffffea00014ff108 ffff8880aa040900
raw: 0000000000000000 ffff888053fd2000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888053fd2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888053fd2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888053fd2b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff888053fd2c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888053fd2c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (24):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info	Maintainers
ci-upstream-kasan-gce-root	2020/09/23 13:59	upstream	805c6d3c	287cd75a	.config	log	report	info	davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-kasan-gce	2020/09/17 06:30	upstream	5925fa68	8247808b	.config	log	report	info	davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-kasan-gce	2020/09/06 10:14	upstream	9322c47b	abf9ba4f	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-kasan-gce-selinux-root	2020/08/16 22:34	upstream	4b6c093e	424dd8e7	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-kasan-gce-root	2020/08/03 16:03	upstream	bcf87687	196277c4	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-this-kasan-gce	2020/09/17 20:46	net	fd944dc2	8247808b	.config	log	report	info	davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-this-kasan-gce	2020/08/21 12:45	net	f6db9096	6436ce4b	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-this-kasan-gce	2020/07/25 16:59	net	c2c63310	1f7cc1ca	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-this-kasan-gce	2020/07/24 04:19	net	e6827d1a	70c104a1	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-this-kasan-gce	2020/07/02 16:29	net	e4b9a72d	bed10395	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-this-kasan-gce	2020/06/29 14:51	net	0574e200	a2cdad9d	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-this-kasan-gce	2020/06/28 11:50	net	4a21185c	ffec44b5	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-this-kasan-gce	2020/06/27 18:33	net	4a21185c	ffec44b5	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-this-kasan-gce	2020/06/24 22:18	net	b835a71e	54566aff	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-kasan-gce	2020/08/07 19:50	net-next	bfdd5aaa	cb436c69	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-kasan-gce	2020/08/04 18:01	net-next	da795540	80a06902	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-kasan-gce	2020/07/31 14:21	net-next	41d707b7	8df85ed9	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-kasan-gce	2020/07/18 07:25	net-next	4291dc1a	9c812472	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-kasan-gce	2020/07/09 09:26	net-next	e80a07b2	bc238812	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-kasan-gce	2020/07/07 03:07	net-next	e44f65fd	51095195	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-net-kasan-gce	2020/07/05 02:43	net-next	e44f65fd	51095195	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-linux-next-kasan-gce-root	2020/09/06 09:02	linux-next	7a695657	abf9ba4f	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-linux-next-kasan-gce-root	2020/09/04 13:19	linux-next	7a695657	abf9ba4f	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com
ci-upstream-linux-next-kasan-gce-root	2020/08/10 21:38	linux-next	f80535b9	7adc7b65	.config	log	report		davem@davemloft.net, herbert@gondor.apana.org.au, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com