==================================================================
BUG: KASAN: slab-out-of-bounds in decode_session6+0x10e1/0x1950 net/xfrm/xfrm_policy.c:3460
Read of size 1 at addr ffff888061d7d1c3 by task syz-executor.5/487

CPU: 1 PID: 487 Comm: syz-executor.5 Not tainted 6.5.0-rc3-syzkaller-00712-g079082c60aff #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 decode_session6+0x10e1/0x1950 net/xfrm/xfrm_policy.c:3460
 __xfrm_decode_session+0x54/0xb0 net/xfrm/xfrm_policy.c:3566
 xfrm_decode_session_reverse include/net/xfrm.h:1223 [inline]
 icmpv6_route_lookup+0x397/0x550 net/ipv6/icmp.c:388
 icmp6_send+0x11c1/0x2720 net/ipv6/icmp.c:595
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x31/0x5a0 net/ipv6/route.c:2785
 dst_link_failure include/net/dst.h:437 [inline]
 ip6_tnl_xmit+0x4f9/0x3950 net/ipv6/ip6_tunnel.c:1268
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1384 [inline]
 ip6_tnl_start_xmit+0x6ef/0x1750 net/ipv6/ip6_tunnel.c:1432
 __netdev_start_xmit include/linux/netdevice.h:4911 [inline]
 netdev_start_xmit include/linux/netdevice.h:4925 [inline]
 xmit_one net/core/dev.c:3542 [inline]
 dev_hard_start_xmit+0x13d/0x6c0 net/core/dev.c:3558
 sch_direct_xmit+0x1ac/0xc20 net/sched/sch_generic.c:342
 qdisc_restart net/sched/sch_generic.c:407 [inline]
 __qdisc_run+0x540/0x19d0 net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3832 [inline]
 __dev_queue_xmit+0x24e2/0x3d60 net/core/dev.c:4301
 dev_queue_xmit include/linux/netdevice.h:3091 [inline]
 neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1581
 neigh_output include/net/neighbour.h:544 [inline]
 ip6_finish_output2+0x5d0/0x1b20 net/ipv6/ip6_output.c:135
 __ip6_finish_output net/ipv6/ip6_output.c:196 [inline]
 ip6_finish_output+0x485/0x1250 net/ipv6/ip6_output.c:207
 NF_HOOK_COND include/linux/netfilter.h:292 [inline]
 ip6_output+0x23a/0x880 net/ipv6/ip6_output.c:228
 dst_output include/net/dst.h:458 [inline]
 ip6_local_out+0xaf/0x190 net/ipv6/output_core.c:155
 ip6_send_skb+0xb7/0x330 net/ipv6/ip6_output.c:2008
 udp_v6_send_skb+0x9b2/0x1900 net/ipv6/udp.c:1298
 udpv6_sendmsg+0x24bf/0x2f80 net/ipv6/udp.c:1592
 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:651
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg+0xd9/0x180 net/socket.c:748
 ____sys_sendmsg+0x2ac/0x940 net/socket.c:2494
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2548
 __sys_sendmmsg+0x1a1/0x450 net/socket.c:2634
 __do_sys_sendmmsg net/socket.c:2663 [inline]
 __se_sys_sendmmsg net/socket.c:2660 [inline]
 __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2660
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fe08c27cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe08cefe0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fe08c39bf80 RCX: 00007fe08c27cae9
RDX: 0000000000000002 RSI: 0000000020002080 RDI: 000000000000000a
RBP: 00007fe08c2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fe08c39bf80 R15: 00007ffc8cbd6a78
 </TASK>

Allocated by task 12752:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:196 [inline]
 __do_kmalloc_node mm/slab_common.c:985 [inline]
 __kmalloc+0x5d/0x100 mm/slab_common.c:998
 kmalloc include/linux/slab.h:586 [inline]
 kzalloc include/linux/slab.h:703 [inline]
 fib6_info_alloc+0x40/0x100 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x337/0x1b70 net/ipv6/route.c:3746
 ip6_route_add+0x26/0x150 net/ipv6/route.c:3840
 addrconf_prefix_route+0x300/0x510 net/ipv6/addrconf.c:2434
 addrconf_add_linklocal+0x269/0x5b0 net/ipv6/addrconf.c:3254
 addrconf_addr_gen+0x366/0x3b0 net/ipv6/addrconf.c:3383
 addrconf_dev_config net/ipv6/addrconf.c:3428 [inline]
 addrconf_init_auto_addrs+0x446/0x810 net/ipv6/addrconf.c:3506
 addrconf_notify+0x70f/0x1920 net/ipv6/addrconf.c:3679
 notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
 call_netdevice_notifiers_info+0xb9/0x130 net/core/dev.c:1968
 netdev_state_change net/core/dev.c:1350 [inline]
 netdev_state_change+0x111/0x140 net/core/dev.c:1343
 linkwatch_do_dev+0x122/0x150 net/core/link_watch.c:182
 __linkwatch_run_queue+0x233/0x680 net/core/link_watch.c:235
 linkwatch_event+0x8f/0xc0 net/core/link_watch.c:278
 process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2597
 process_scheduled_works kernel/workqueue.c:2664 [inline]
 worker_thread+0x896/0x1110 kernel/workqueue.c:2750
 kthread+0x33a/0x430 kernel/kthread.c:389
 ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:296

The buggy address belongs to the object at ffff888061d7d000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 179 bytes to the right of
 allocated 272-byte region [ffff888061d7d000, ffff888061d7d110)

The buggy address belongs to the physical page:
page:ffffea0001875f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61d7c
head:ffffea0001875f00 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff888012841c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 12752, tgid 12752 (kworker/0:19), ts 862662003951, free_ts 857296893361
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d2/0x350 mm/page_alloc.c:1570
 prep_new_page mm/page_alloc.c:1577 [inline]
 get_page_from_freelist+0x10a9/0x31e0 mm/page_alloc.c:3221
 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4477
 alloc_pages+0x1a9/0x270 mm/mempolicy.c:2279
 alloc_slab_page mm/slub.c:1862 [inline]
 allocate_slab+0x24e/0x380 mm/slub.c:2009
 new_slab mm/slub.c:2062 [inline]
 ___slab_alloc+0x8bc/0x1570 mm/slub.c:3215
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3314
 __slab_alloc_node mm/slub.c:3367 [inline]
 slab_alloc_node mm/slub.c:3460 [inline]
 __kmem_cache_alloc_node+0x137/0x350 mm/slub.c:3509
 __do_kmalloc_node mm/slab_common.c:984 [inline]
 __kmalloc+0x4c/0x100 mm/slab_common.c:998
 kmalloc include/linux/slab.h:586 [inline]
 kzalloc include/linux/slab.h:703 [inline]
 fib6_info_alloc+0x40/0x100 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x337/0x1b70 net/ipv6/route.c:3746
 addrconf_f6i_alloc+0x396/0x670 net/ipv6/route.c:4569
 ipv6_add_addr+0x4c2/0x2010 net/ipv6/addrconf.c:1114
 addrconf_add_linklocal+0x1e5/0x5b0 net/ipv6/addrconf.c:3252
 addrconf_addr_gen+0x366/0x3b0 net/ipv6/addrconf.c:3383
 addrconf_dev_config net/ipv6/addrconf.c:3428 [inline]
 addrconf_init_auto_addrs+0x446/0x810 net/ipv6/addrconf.c:3506
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1161 [inline]
 free_unref_page_prepare+0x508/0xb90 mm/page_alloc.c:2348
 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2443
 ib_port_gid_attr_release+0x36/0x80 drivers/infiniband/core/sysfs.c:771
 kobject_cleanup lib/kobject.c:682 [inline]
 kobject_release lib/kobject.c:713 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1f7/0x5b0 lib/kobject.c:730
 destroy_gid_attrs drivers/infiniband/core/sysfs.c:1191 [inline]
 ib_free_port_attrs+0x288/0x490 drivers/infiniband/core/sysfs.c:1414
 remove_one_compat_dev drivers/infiniband/core/device.c:1002 [inline]
 remove_compat_devs drivers/infiniband/core/device.c:1014 [inline]
 disable_device+0x1e1/0x270 drivers/infiniband/core/device.c:1296
 __ib_unregister_device+0x93/0x190 drivers/infiniband/core/device.c:1475
 ib_unregister_work+0x19/0x30 drivers/infiniband/core/device.c:1586
 process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2597
 worker_thread+0x687/0x1110 kernel/workqueue.c:2748
 kthread+0x33a/0x430 kernel/kthread.c:389
 ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:296

Memory state around the buggy address:
 ffff888061d7d080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888061d7d100: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888061d7d180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff888061d7d200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888061d7d280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================