syzbot


KASAN: use-after-free Read in _decode_session6

Status: auto-closed as invalid on 2019/03/12 14:41
First crash: 2051d, last: 2051d
Similar bugs (5)

Kernel     | Title                                                | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
linux-4.19 | KASAN: slab-out-of-bounds Read in _decode_session6   |       |              |            | 23    | 856d  | 1511d    | 0/1     | auto-closed as invalid on 2022/04/20 21:31
linux-4.19 | KASAN: use-after-free Read in _decode_session6 (2)   |       |              |            | 1     | 708d  | 708d     | 0/1     | auto-obsoleted due to no activity on 2022/09/15 14:44
linux-4.14 | KASAN: use-after-free Read in _decode_session6       |       |              |            | 2     | 1433d | 1441d    | 0/1     | auto-closed as invalid on 2020/09/21 07:45
linux-4.19 | KASAN: use-after-free Read in _decode_session6       |       |              |            | 2     | 1401d | 1433d    | 0/1     | auto-closed as invalid on 2020/10/22 17:34
upstream   | KASAN: use-after-free Read in _decode_session6 [net] | C     | done         |            | 4     | 1990d | 2058d    | 13/26   | fixed on 2019/11/07 18:45

Sample crash report:
audit: type=1400 audit(1536849426.508:17): avc:  denied  { prog_load } for  pid=5545 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
==================================================================
BUG: KASAN: use-after-free in _decode_session6+0xe55/0x1370 net/ipv6/xfrm6_policy.c:175
Read of size 2 at addr ffff8801cb94a196 by task syz-executor3/5551

CPU: 0 PID: 5551 Comm: syz-executor3 Not tainted 4.14.69+ #5
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_address_description+0x60/0x22b mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
 _decode_session6+0xe55/0x1370 net/ipv6/xfrm6_policy.c:175
 __xfrm_decode_session+0x64/0x100 net/xfrm/xfrm_policy.c:2423
 xfrm_decode_session include/net/xfrm.h:1201 [inline]
 vti6_tnl_xmit+0x31b/0x15b0 net/ipv6/ip6_vti.c:550
 __netdev_start_xmit include/linux/netdevice.h:4023 [inline]
 netdev_start_xmit include/linux/netdevice.h:4032 [inline]
 xmit_one net/core/dev.c:2987 [inline]
 dev_hard_start_xmit+0x191/0x890 net/core/dev.c:3003
 __dev_queue_xmit+0x13d9/0x1f40 net/core/dev.c:3503
 __bpf_tx_skb net/core/filter.c:1708 [inline]
 __bpf_redirect_common net/core/filter.c:1746 [inline]
 __bpf_redirect+0x5b0/0x990 net/core/filter.c:1753
 ____bpf_clone_redirect net/core/filter.c:1786 [inline]
 bpf_clone_redirect+0x1d4/0x2b0 net/core/filter.c:1758
 ___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012

The buggy address belongs to the page:
page:ffffea00072e5280 count:0 mapcount:-127 mapping:          (null) index:0xffff880155729080
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 ffff880155729080 00000000ffffff80
raw: ffffea00074ce8a0 ffffea0007309d20 0000000000000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cb94a080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cb94a100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801cb94a180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff8801cb94a200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cb94a280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

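Reading the report above: the script below is an added triage helper, not code from syzbot or from the kernel. It pulls the faulting access out of the "BUG: KASAN:" and "Read of size" lines, resolves the address into the "Memory state" dump (one shadow byte per 8-byte granule, 16 bytes per printed row), and cross-checks the result against the row the report marked with ">" and the column of the "^" caret. The shadow legend it applies is the generic-KASAN one from mm/kasan/kasan.h of the 4.14-era kernels (ff = freed page, fb = freed slab object, fc = kmalloc redzone, f1..f4 = stack redzones), stated here from memory of that header; the REPORT text embedded in the script is an excerpt copied from the sample crash report above. For this report it lands on row ffff8801cb94a180, index 2, value ff: the page the faulting read hit was returned to the page allocator whole, not a slab object freed in place (which would read fb), consistent with the count:0 in the page dump.

```python
"""KASAN report triage: extract the faulting access and decode the shadow dump.

Added example, not code from syzbot or the kernel. Shadow byte values are the
generic-KASAN ones from mm/kasan/kasan.h in 4.14-era kernels; REPORT below is an
excerpt copied from the sample crash report on this page.
"""
import re

REPORT = """\
BUG: KASAN: use-after-free in _decode_session6+0xe55/0x1370 net/ipv6/xfrm6_policy.c:175
Read of size 2 at addr ffff8801cb94a196 by task syz-executor3/5551

The buggy address belongs to the page:
page:ffffea00072e5280 count:0 mapcount:-127 mapping:          (null) index:0xffff880155729080

Memory state around the buggy address:
 ffff8801cb94a080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cb94a100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801cb94a180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff8801cb94a200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

SHADOW_SCALE_SHIFT = 3        # one shadow byte covers an 8-byte granule
SHADOW_BYTES_PER_ROW = 16     # 16 shadow bytes (128 bytes of memory) per printed row
ROW_PREFIX_LEN = len(">ffff8801cb94a180: ")   # mark + 16 hex digits + ": " = 19 columns

# Poisoned shadow values (generic KASAN, mm/kasan/kasan.h, 4.14 era; assumed from that header).
SHADOW_LEGEND = {
    0xFF: "free page",
    0xFE: "page redzone (kmalloc_large)",
    0xFC: "kmalloc redzone",
    0xFB: "freed slab object",
    0xFA: "global redzone",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "use-after-scope",
}

BUG_RE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<file>\S+):(?P<line>\d+)")
ACCESS_RE = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
ROW_RE = re.compile(r"^(?P<mark>[> ])(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?)+)$")


def parse_header(text):
    """The faulting access from the 'BUG: KASAN:' and 'Read/Write of size' lines."""
    bug, acc = BUG_RE.search(text), ACCESS_RE.search(text)
    if not bug or not acc:
        raise ValueError("not a KASAN report")
    return {"kind": bug["kind"], "func": bug["func"], "file": bug["file"],
            "line": int(bug["line"]), "op": acc["op"], "size": int(acc["size"]),
            "addr": int(acc["addr"], 16), "task": acc["task"]}


def parse_shadow(text):
    """Shadow rows as {row base address: [16 ints]}, the '>'-marked row base, and the
    granule index the '^' caret line points at (None if the caret line is absent)."""
    rows, marked, caret = {}, None, None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
            if m["mark"] == ">":
                marked = int(m["base"], 16)
        elif line.strip() == "^":
            caret = (line.index("^") - ROW_PREFIX_LEN) // 3   # each byte is printed "ff " wide
    return rows, marked, caret


def shadow_for(addr, rows):
    """Row base, granule index and shadow value covering addr."""
    row_span = SHADOW_BYTES_PER_ROW << SHADOW_SCALE_SHIFT
    base = addr & ~(row_span - 1)
    idx = (addr - base) >> SHADOW_SCALE_SHIFT
    return base, idx, rows[base][idx]


def classify(shadow):
    """Human-readable meaning of one shadow byte."""
    if shadow == 0:
        return "accessible"
    if 1 <= shadow <= 7:
        return f"first {shadow} bytes of the granule accessible"
    return SHADOW_LEGEND.get(shadow, f"unknown shadow value {shadow:#04x}")


def triage(text=REPORT):
    """Combine both parses and cross-check our arithmetic against the report's own marks."""
    info = parse_header(text)
    rows, marked, caret = parse_shadow(text)
    base, idx, sh = shadow_for(info["addr"], rows)
    info.update(row=base, index=idx, shadow=sh, state=classify(sh),
                # the '>' row and the '^' column must land where the address arithmetic says
                consistent=(marked == base and caret == idx),
                # ff means the whole page went back to the page allocator;
                # a freed slab object would read fb instead
                whole_page_freed=(sh == 0xFF))
    return info


if __name__ == "__main__":
    t = triage()
    print(f"{t['kind']}: {t['op']} of {t['size']} bytes at {t['addr']:#x} "
          f"in {t['func']} ({t['file']}:{t['line']})")
    print(f"shadow row {t['row']:#x}[{t['index']}] = {t['shadow']:#04x} -> {t['state']}; "
          f"report-consistent={t['consistent']}")
```

Run it on any generic-KASAN report pasted into REPORT; when `consistent` comes back False the dump was truncated or reflowed by whatever captured the console, which is worth knowing before reasoning about the shadow values.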
Crashes (1):

Time             | Kernel       | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets | Manager                       | Title
2018/09/13 14:37 | android-4.14 | fc59235394b2 | 19e9088b  | .config | console log | report |           |         |         |        | ci-android-414-kasan-gce-root |