==================================================================
BUG: KASAN: use-after-free in decode_session6 net/xfrm/xfrm_policy.c:3369 [inline]
BUG: KASAN: use-after-free in __xfrm_decode_session+0x1843/0x21c0 net/xfrm/xfrm_policy.c:3456
Read of size 1 at addr ffff88801ef8ecf3 by task syz-executor.4/13976

CPU: 1 PID: 13976 Comm: syz-executor.4 Not tainted 5.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x202/0x31e lib/dump_stack.c:120
 print_address_description+0x5f/0x3b0 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x15c/0x200 mm/kasan/report.c:436
 decode_session6 net/xfrm/xfrm_policy.c:3369 [inline]
 __xfrm_decode_session+0x1843/0x21c0 net/xfrm/xfrm_policy.c:3456
 vti6_tnl_xmit+0x427/0x1a70 net/ipv6/ip6_vti.c:569
 __netdev_start_xmit include/linux/netdevice.h:4944 [inline]
 netdev_start_xmit include/linux/netdevice.h:4958 [inline]
 xmit_one net/core/dev.c:3654 [inline]
 dev_hard_start_xmit+0x20b/0x450 net/core/dev.c:3670
 sch_direct_xmit+0x25e/0xe40 net/sched/sch_generic.c:313
 qdisc_restart net/sched/sch_generic.c:376 [inline]
 __qdisc_run+0xa4d/0x1a90 net/sched/sch_generic.c:384
 __dev_xmit_skb net/core/dev.c:3904 [inline]
 __dev_queue_xmit+0x113a/0x2cd0 net/core/dev.c:4213
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0x113e/0x14f0 net/ipv6/ip6_output.c:117
 dst_output include/net/dst.h:448 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ndisc_send_skb+0xa27/0xe70 net/ipv6/ndisc.c:508
 addrconf_rs_timer+0x33d/0x790 net/ipv6/addrconf.c:3877
 call_timer_fn+0xf6/0x210 kernel/time/timer.c:1431
 expire_timers kernel/time/timer.c:1476 [inline]
 __run_timers+0x6ff/0x910 kernel/time/timer.c:1745
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1758
 __do_softirq+0x372/0x7a6 kernel/softirq.c:559
 invoke_softirq kernel/softirq.c:433 [inline]
 __irq_exit_rcu+0x245/0x280 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x43/0xb0 arch/x86/kernel/apic/apic.c:1100
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:647
RIP: 0033:0x414a10
Code: ff fe ff ff 66 0f 1f 44 00 00 47 89 44 95 00 e9 b3 fe ff ff 49 39 d4 74 73 48 8d 72 10 4c 39 e6 75 0b eb 2c 66 0f 1f 44 00 00 <48> 8b 3a 4c 8b 06 48 8d 42 08 49 39 f8 74 0e 48 8d 7a 10 4c 89 42
RSP: 002b:00007ffdf857bfd0 EFLAGS: 00000206
RAX: 00007f040e01da58 RBX: 00007f040e01d008 RCX: 00007f040e01d080
RDX: 00007f040e01da50 RSI: 00007f040e1021b0 RDI: ffffffff81de6d43
RBP: 000000000003ffff R08: ffffffff81de6d43 R09: 0000001b2bf27514
R10: 000000000000148b R11: 00000000a616548f R12: 00007f040e21d000
R13: 00007f040e21d000 R14: ffffffff8216793d R15: 000000000056c008

Allocated by task 8448:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:428 [inline]
 ____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:507
 kasan_kmalloc include/linux/kasan.h:246 [inline]
 __kmalloc+0xb4/0x390 mm/slub.c:4059
 kmalloc include/linux/slab.h:561 [inline]
 kzalloc include/linux/slab.h:686 [inline]
 tomoyo_init_log+0x19f6/0x1f00 security/tomoyo/audit.c:275
 tomoyo_supervisor+0x3c9/0x1460 security/tomoyo/common.c:2097
 tomoyo_audit_path_number_log security/tomoyo/file.c:235 [inline]
 tomoyo_path_number_perm+0x533/0x790 security/tomoyo/file.c:734
 tomoyo_path_mkdir+0xe3/0x120 security/tomoyo/tomoyo.c:167
 security_path_mkdir+0xd5/0x160 security/security.c:1139
 do_mkdirat+0x1a1/0x3e0 fs/namei.c:3834
 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801ef8ec00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 243 bytes inside of
 512-byte region [ffff88801ef8ec00, ffff88801ef8ee00)
The buggy address belongs to the page:
page:ffffea00007be300 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801ef8e000 pfn:0x1ef8c
head:ffffea00007be300 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000a0d708 ffffea000081ce08 ffff888011841c80
raw: ffff88801ef8e000 0000000000100007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 8419, ts 96391226110, free_ts 96385180565
 prep_new_page mm/page_alloc.c:2358 [inline]
 get_page_from_freelist+0x779/0xa20 mm/page_alloc.c:3994
 __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5200
 alloc_slab_page mm/slub.c:1645 [inline]
 allocate_slab+0xf1/0x5b0 mm/slub.c:1785
 new_slab mm/slub.c:1848 [inline]
 new_slab_objects mm/slub.c:2594 [inline]
 ___slab_alloc+0x1cf/0x350 mm/slub.c:2757
 __slab_alloc mm/slub.c:2797 [inline]
 slab_alloc_node mm/slub.c:2879 [inline]
 __kmalloc_node_track_caller+0x2fa/0x420 mm/slub.c:4596
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x127/0x580 net/core/skbuff.c:425
 __napi_alloc_skb+0x155/0x2d0 net/core/skbuff.c:566
 napi_alloc_skb include/linux/skbuff.h:2924 [inline]
 page_to_skb+0x2a1/0xbb0 drivers/net/virtio_net.c:435
 receive_mergeable+0xa7d/0x38e0 drivers/net/virtio_net.c:1018
 receive_buf+0x158/0x1d90 drivers/net/virtio_net.c:1128
 virtnet_receive drivers/net/virtio_net.c:1420 [inline]
 virtnet_poll+0x59a/0x1140 drivers/net/virtio_net.c:1525
 __napi_poll+0xba/0x4f0 net/core/dev.c:6966
 napi_poll net/core/dev.c:7033 [inline]
 net_rx_action+0x62c/0xf30 net/core/dev.c:7120
 __do_softirq+0x372/0x7a6 kernel/softirq.c:559
 invoke_softirq kernel/softirq.c:433 [inline]
 __irq_exit_rcu+0x245/0x280 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1298 [inline]
 __free_pages_ok+0x10a5/0x1180 mm/page_alloc.c:1572
 put_page include/linux/mm.h:1243 [inline]
 __skb_frag_unref include/linux/skbuff.h:3089 [inline]
 skb_release_data+0x3cd/0x760 net/core/skbuff.c:667
 skb_release_all net/core/skbuff.c:726 [inline]
 __kfree_skb+0x56/0x1d0 net/core/skbuff.c:740
 sk_eat_skb include/net/sock.h:2567 [inline]
 tcp_recvmsg_locked+0x157b/0x2bc0 net/ipv4/tcp.c:2505
 tcp_recvmsg+0x22a/0x7b0 net/ipv4/tcp.c:2551
 inet_recvmsg+0x156/0x270 net/ipv4/af_inet.c:852
 sock_recvmsg_nosec net/socket.c:888 [inline]
 sock_recvmsg net/socket.c:906 [inline]
 sock_read_iter+0x3a7/0x4e0 net/socket.c:979
 call_read_iter include/linux/fs.h:2108 [inline]
 new_sync_read fs/read_write.c:415 [inline]
 vfs_read+0x9d9/0xc20 fs/read_write.c:496
 ksys_read+0x171/0x2a0 fs/read_write.c:634
 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88801ef8eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801ef8ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801ef8ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff88801ef8ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801ef8ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================