==================================================================
BUG: KASAN: slab-out-of-bounds in decode_session6 net/xfrm/xfrm_policy.c:3383 [inline]
BUG: KASAN: slab-out-of-bounds in __xfrm_decode_session+0x19de/0x23e0 net/xfrm/xfrm_policy.c:3489
Read of size 1 at addr ffff8880766104dc by task syz-executor.0/18094

CPU: 1 PID: 18094 Comm: syz-executor.0 Not tainted 6.1.55-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:395
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 decode_session6 net/xfrm/xfrm_policy.c:3383 [inline]
 __xfrm_decode_session+0x19de/0x23e0 net/xfrm/xfrm_policy.c:3489
 xfrm_decode_session_reverse include/net/xfrm.h:1176 [inline]
 icmpv6_route_lookup+0x44a/0x680 net/ipv6/icmp.c:386
 icmp6_send+0x11eb/0x2090 net/ipv6/icmp.c:593
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x38/0x4e0 net/ipv6/route.c:2789
 dst_link_failure include/net/dst.h:423 [inline]
 ip6_tnl_xmit+0x1065/0x2910 net/ipv6/ip6_tunnel.c:1269
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1385 [inline]
 ip6_tnl_start_xmit+0xbd7/0x1460 net/ipv6/ip6_tunnel.c:1434
 __netdev_start_xmit include/linux/netdevice.h:4853 [inline]
 netdev_start_xmit include/linux/netdevice.h:4867 [inline]
 xmit_one net/core/dev.c:3595 [inline]
 dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611
 sch_direct_xmit+0x2b2/0x5e0 net/sched/sch_generic.c:342
 qdisc_restart net/sched/sch_generic.c:407 [inline]
 __qdisc_run+0xa7a/0x1fb0 net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3885 [inline]
 __dev_queue_xmit+0x154f/0x3cf0 net/core/dev.c:4227
 neigh_output include/net/neighbour.h:544 [inline]
 ip6_finish_output2+0xe21/0x1540 net/ipv6/ip6_output.c:134
 __ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
 ip6_finish_output+0x6ac/0xa80 net/ipv6/ip6_output.c:206
 ip6_send_skb+0x12b/0x240 net/ipv6/ip6_output.c:1989
 rawv6_push_pending_frames+0x7a4/0xa00 net/ipv6/raw.c:580
 rawv6_sendmsg+0x1752/0x2150 net/ipv6/raw.c:924
 sock_sendmsg_nosec net/socket.c:716 [inline]
 sock_sendmsg net/socket.c:736 [inline]
 ____sys_sendmsg+0x59e/0x8f0 net/socket.c:2482
 ___sys_sendmsg net/socket.c:2536 [inline]
 __sys_sendmsg+0x2a9/0x390 net/socket.c:2565
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f026987cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f026a6750c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f026999bf80 RCX: 00007f026987cae9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f02698c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f026999bf80 R15: 00007ffe01b35f38

Allocated by task 18094:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:955 [inline]
 __kmalloc_node_track_caller+0xb1/0x220 mm/slab_common.c:975
 kmalloc_reserve net/core/skbuff.c:446 [inline]
 __alloc_skb+0x135/0x670 net/core/skbuff.c:515
 alloc_skb include/linux/skbuff.h:1276 [inline]
 __ip6_append_data+0x3077/0x45b0 net/ipv6/ip6_output.c:1697
 ip6_append_data+0x1d6/0x400 net/ipv6/ip6_output.c:1867
 rawv6_sendmsg+0x16d8/0x2150 net/ipv6/raw.c:917
 sock_sendmsg_nosec net/socket.c:716 [inline]
 sock_sendmsg net/socket.c:736 [inline]
 ____sys_sendmsg+0x59e/0x8f0 net/socket.c:2482
 ___sys_sendmsg net/socket.c:2536 [inline]
 __sys_sendmsg+0x2a9/0x390 net/socket.c:2565
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486
 kvfree_call_rcu+0x116/0x8c0 kernel/rcu/tree.c:3355
 neigh_periodic_work+0x3c5/0xcb0 net/core/neighbour.c:994
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Second to last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486
 call_rcu+0x163/0xa10 kernel/rcu/tree.c:2799
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff888076610000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 220 bytes to the right of
 1024-byte region [ffff888076610000, ffff888076610400)

The buggy address belongs to the physical page:
page:ffffea0001d98400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x76610
head:ffffea0001d98400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888012441dc0
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2994, tgid 2994 (klogd), ts 59906340228, free_ts 59904397371
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
 prep_new_page mm/page_alloc.c:2540 [inline]
 get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
 alloc_slab_page+0x6a/0x150 mm/slub.c:1794
 allocate_slab mm/slub.c:1939 [inline]
 new_slab+0x84/0x2d0 mm/slub.c:1992
 ___slab_alloc+0xc20/0x1270 mm/slub.c:3180
 __slab_alloc mm/slub.c:3279 [inline]
 slab_alloc_node mm/slub.c:3364 [inline]
 __kmem_cache_alloc_node+0x19f/0x260 mm/slub.c:3437
 kmalloc_trace+0x26/0xe0 mm/slab_common.c:1045
 kmalloc include/linux/slab.h:553 [inline]
 syslog_print+0x11d/0x9b0 kernel/printk/printk.c:1500
 do_syslog+0x819/0x910 kernel/printk/printk.c:1679
 __do_sys_syslog kernel/printk/printk.c:1771 [inline]
 __se_sys_syslog kernel/printk/printk.c:1769 [inline]
 __x64_sys_syslog+0x78/0x90 kernel/printk/printk.c:1769
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1460 [inline]
 free_pcp_prepare mm/page_alloc.c:1510 [inline]
 free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
 free_unref_page+0x98/0x570 mm/page_alloc.c:3484
 page_to_skb+0x470/0xb60 drivers/net/virtio_net.c:556
 receive_mergeable drivers/net/virtio_net.c:1128 [inline]
 receive_buf+0x436/0x5520 drivers/net/virtio_net.c:1267
 virtnet_receive drivers/net/virtio_net.c:1562 [inline]
 virtnet_poll+0x6d3/0x1470 drivers/net/virtio_net.c:1680
 __napi_poll+0xc7/0x470 net/core/dev.c:6505
 napi_poll net/core/dev.c:6572 [inline]
 net_rx_action+0x70f/0xeb0 net/core/dev.c:6683
 __do_softirq+0x2e9/0xa4c kernel/softirq.c:571

Memory state around the buggy address:
 ffff888076610380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888076610400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888076610480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                    ^
 ffff888076610500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888076610580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
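As an added triage example (not part of the syzkaller report above and not kernel code): a Python helper that parses the BUG header, the access line, the object/region description and the shadow-memory dump of a KASAN report, recomputes where the faulting address lands relative to the slab object, picks out the first call-trace frame outside the reporting machinery, and classifies the shadow byte covering the address. It assumes the generic-KASAN shadow encoding of Linux 6.1 (0xfc = KASAN_SLAB_REDZONE, 0xfb = KASAN_SLAB_FREE) with 8-byte granules, and the `SAMPLE` string is a constructed excerpt of the report above containing only the lines the parser needs.

```python
"""Triage helper for a KASAN slab-out-of-bounds report (added example, not
kernel code).  Assumes generic-KASAN shadow encoding of Linux 6.1 and 8-byte
granules; cross-checks the report's prose against its own addresses."""
import re

# Shadow-byte values as defined in mm/kasan/kasan.h for Linux 6.1 (assumption).
SHADOW_CODES = {
    0x00: "accessible",
    0xFB: "KASAN_SLAB_FREE",
    0xFC: "KASAN_SLAB_REDZONE",
    0xFE: "KASAN_PAGE_REDZONE",
    0xFF: "KASAN_PAGE_FREE",
}
SHADOW_SCALE = 8  # one shadow byte describes one 8-byte granule of memory

BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)")
STATED_RE = re.compile(r"located (?P<dist>\d+) bytes (?:to the )?(?P<side>left|right|inside) of")
REGION_RE = re.compile(r"\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
# Each "Memory state" row is labelled with the memory address of its first granule.
SHADOW_RE = re.compile(r"^>?\s*(?P<base>[0-9a-f]{16}): (?P<bytes>[0-9a-f ]+)$", re.M)
FRAME_RE = re.compile(r"^\s*(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? "
                      r"(?P<path>\S+\.[chS]:\d+)", re.M)
NOISE_PATHS = ("lib/dump_stack.c", "mm/kasan/")  # reporting machinery, not the bug

# Constructed excerpt of the report above (only the lines the parser needs).
SAMPLE = """\
BUG: KASAN: slab-out-of-bounds in decode_session6 net/xfrm/xfrm_policy.c:3383 [inline]
Read of size 1 at addr ffff8880766104dc by task syz-executor.0/18094
Call Trace:
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 decode_session6 net/xfrm/xfrm_policy.c:3383 [inline]
 __xfrm_decode_session+0x19de/0x23e0 net/xfrm/xfrm_policy.c:3489
 icmpv6_route_lookup+0x44a/0x680 net/ipv6/icmp.c:386
RIP: 0033:0x7f026987cae9
The buggy address belongs to the object at ffff888076610000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 220 bytes to the right of
 1024-byte region [ffff888076610000, ffff888076610400)
Memory state around the buggy address:
 ffff888076610380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888076610400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888076610480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888076610500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""


def parse_report(text):
    """Extract the triage fields; raise ValueError when a required line is absent."""
    f = {}
    for rx in (BUG_RE, ACCESS_RE, CACHE_RE, STATED_RE, REGION_RE):
        m = rx.search(text)
        if m is None:
            raise ValueError("report lacks a line matching %s" % rx.pattern)
        f.update(m.groupdict())
    for k in ("size", "pid", "objsize", "dist"):
        f[k] = int(f[k])
    for k in ("addr", "start", "end"):
        f[k] = int(f[k], 16)
    return f


def offset_from_object(f):
    """Recompute where the access lands relative to the [start, end) slab object."""
    if f["addr"] >= f["end"]:
        return "right", f["addr"] - f["end"]
    if f["addr"] < f["start"]:
        return "left", f["start"] - f["addr"]
    return "inside", f["addr"] - f["start"]


def shadow_byte_at(text, addr):
    """Return (value, name) of the shadow byte covering addr, from the dump rows."""
    for m in SHADOW_RE.finditer(text):
        base = int(m.group("base"), 16)
        vals = [int(b, 16) for b in m.group("bytes").split()]
        if base <= addr < base + len(vals) * SHADOW_SCALE:
            v = vals[(addr - base) // SHADOW_SCALE]
            return v, SHADOW_CODES.get(v, "other")
    return None


def crashing_frame(text):
    """First Call Trace frame outside the dump_stack/KASAN reporting code."""
    trace = text.split("Call Trace:", 1)[1].split("RIP:", 1)[0]
    for m in FRAME_RE.finditer(trace):
        if not m.group("path").startswith(NOISE_PATHS):
            return m.group("func"), m.group("path")
    return None


def report_is_consistent(text):
    """Cross-check the prose claims against the addresses and the shadow dump."""
    f = parse_report(text)
    shadow = shadow_byte_at(text, f["addr"])
    return (offset_from_object(f) == (f["side"], f["dist"])
            and f["end"] - f["start"] == f["objsize"]
            and shadow is not None and shadow[1] != "accessible")
```

Run against the excerpt, the helper confirms what the report states: the 1-byte read at ffff8880766104dc is 0xdc = 220 bytes past the end of the 1024-byte kmalloc-1k object (the skb data buffer allocated in __ip6_append_data), the shadow byte under the `^` marker is 0xfc (slab redzone), and the first frame outside the reporting code is decode_session6 at net/xfrm/xfrm_policy.c:3383, reached from the ICMPv6 error path that ip6_tnl_xmit takes on link failure. The consistency check is the part worth keeping around: a report whose stated offset, region size and shadow byte disagree usually indicates a truncated or mangled log rather than a real finding.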