==================================================================
BUG: KASAN: slab-out-of-bounds in decode_session6+0x1059/0x1880 net/xfrm/xfrm_policy.c:3375
Read of size 1 at addr ffff88806f6ddfe2 by task swapper/2/0
CPU: 2 PID: 0 Comm: swapper/2 Not tainted 6.1.0-rc6-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
decode_session6+0x1059/0x1880 net/xfrm/xfrm_policy.c:3375
__xfrm_decode_session+0x54/0xb0 net/xfrm/xfrm_policy.c:3481
xfrm_decode_session include/net/xfrm.h:1168 [inline]
xfrmi_xmit+0x179/0x1b90 net/xfrm/xfrm_interface.c:485
__netdev_start_xmit include/linux/netdevice.h:4840 [inline]
netdev_start_xmit include/linux/netdevice.h:4854 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x1c2/0x990 net/core/dev.c:3606
sch_direct_xmit+0x1a3/0xbe0 net/sched/sch_generic.c:342
qdisc_restart net/sched/sch_generic.c:407 [inline]
__qdisc_run+0x4da/0x1750 net/sched/sch_generic.c:415
__dev_xmit_skb net/core/dev.c:3880 [inline]
__dev_queue_xmit+0x230b/0x3ba0 net/core/dev.c:4222
dev_queue_xmit include/linux/netdevice.h:3008 [inline]
neigh_connected_output+0x3c4/0x520 net/core/neighbour.c:1581
neigh_output include/net/neighbour.h:546 [inline]
ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134
__ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
dst_output include/net/dst.h:445 [inline]
NF_HOOK include/linux/netfilter.h:302 [inline]
ndisc_send_skb+0xa63/0x1740 net/ipv6/ndisc.c:508
ndisc_send_rs+0x132/0x6f0 net/ipv6/ndisc.c:718
addrconf_rs_timer+0x3f1/0x810 net/ipv6/addrconf.c:3931
call_timer_fn+0x1da/0x7c0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers.part.0+0x6a2/0xaf0 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0xb7/0x1d0 kernel/time/timer.c:1803
__do_softirq+0x1fb/0xadc kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
irq_exit_rcu+0x9/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:default_idle+0xf/0x10 arch/x86/kernel/process.c:731
Code: e8 f6 9e dc f7 e9 8c fd ff ff 4c 89 f7 e8 e9 9e dc f7 e9 3a fd ff ff cc cc cc cc f3 0f 1e fa 66 90 0f 00 2d 23 32 56 00 fb f4 f3 0f 1e fa 41 54 be 08 00 00 00 53 65 48 8b 1c 25 c0 7f 02 00
RSP: 0018:ffffc9000046fdf8 EFLAGS: 00000246
RAX: 0000000000101c81 RBX: ffff8880128f8000 RCX: ffffffff89ed3055
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: dffffc0000000000 R08: 0000000000000001 R09: ffff88802c835c8b
R10: ffffed1005906b91 R11: 0000000000000000 R12: 0000000000000002
R13: 0000000000000002 R14: ffffffff8e519dd0 R15: 0000000000000000
default_idle_call+0x84/0xc0 kernel/sched/idle.c:109
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x410/0x590 kernel/sched/idle.c:303
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:400
start_secondary+0x256/0x300 arch/x86/kernel/smpboot.c:262
secondary_startup_64_no_verify+0xce/0xdb
Allocated by task 3744:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
sk_prot_alloc+0x5f/0x290 net/core/sock.c:2024
sk_alloc+0x3a/0x780 net/core/sock.c:2083
unix_create1+0xaa/0x920 net/unix/af_unix.c:959
unix_create+0x114/0x220 net/unix/af_unix.c:1026
__sock_create+0x359/0x790 net/socket.c:1515
sock_create net/socket.c:1566 [inline]
__sys_socket_create net/socket.c:1603 [inline]
__sys_socket_create net/socket.c:1588 [inline]
__sys_socket+0x133/0x250 net/socket.c:1636
__do_compat_sys_socketcall+0x689/0x720 net/compat.c:446
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x70/0x82
The buggy address belongs to the object at ffff88806f6dd800
which belongs to the cache UNIX of size 1920
The buggy address is located 98 bytes to the right of
1920-byte region [ffff88806f6dd800, ffff88806f6ddf80)
The buggy address belongs to the physical page:
page:ffffea0001bdb600 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88806f6db000 pfn:0x6f6d8
head:ffffea0001bdb600 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4fff00000010200(slab|head|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000010200 ffff888040387c48 ffffea0001c32208 ffff8880403a1400
raw: ffff88806f6db000 0000000000100000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3743, tgid 3743 (syz-executor.1), ts 352554628141, free_ts 0
prep_new_page mm/page_alloc.c:2539 [inline]
get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4288
__alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5555
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285
alloc_slab_page mm/slub.c:1794 [inline]
allocate_slab+0x213/0x300 mm/slub.c:1939
new_slab mm/slub.c:1992 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3180
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
slab_alloc_node mm/slub.c:3364 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x31a/0x3d0 mm/slub.c:3422
sk_prot_alloc+0x5f/0x290 net/core/sock.c:2024
sk_alloc+0x3a/0x780 net/core/sock.c:2083
unix_create1+0xaa/0x920 net/unix/af_unix.c:959
unix_create+0x114/0x220 net/unix/af_unix.c:1026
__sock_create+0x359/0x790 net/socket.c:1515
sock_create net/socket.c:1566 [inline]
__sys_socket_create net/socket.c:1603 [inline]
__sys_socket_create net/socket.c:1588 [inline]
__sys_socket+0x133/0x250 net/socket.c:1636
__do_compat_sys_socketcall+0x689/0x720 net/compat.c:446
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
page_owner free stack trace missing
Memory state around the buggy address:
ffff88806f6dde80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88806f6ddf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88806f6ddf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                       ^
ffff88806f6de000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88806f6de080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: e8 f6 9e dc f7 callq 0xf7dc9efb
5: e9 8c fd ff ff jmpq 0xfffffd96
a: 4c 89 f7 mov %r14,%rdi
d: e8 e9 9e dc f7 callq 0xf7dc9efb
12: e9 3a fd ff ff jmpq 0xfffffd51
17: cc int3
18: cc int3
19: cc int3
1a: cc int3
1b: f3 0f 1e fa endbr64
1f: 66 90 xchg %ax,%ax
21: 0f 00 2d 23 32 56 00 verw 0x563223(%rip) # 0x56324b
28: fb sti
29: f4 hlt
* 2a: c3 retq <-- trapping instruction
2b: f3 0f 1e fa endbr64
2f: 41 54 push %r12
31: be 08 00 00 00 mov $0x8,%esi
36: 53 push %rbx
37: 65 48 8b 1c 25 c0 7f mov %gs:0x27fc0,%rbx
3e: 02 00
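The numbers in a KASAN report are worth re-deriving rather than trusting, and the shadow bytes in the "Memory state" dump say more than the headline. The following is an added triage helper written for this page by the editor; it is not part of the syzkaller report, the kernel tree or any syzbot tooling. It parses the report's own lines, recomputes the distance of the faulting address from the end of the 1920-byte UNIX object, checks that against the kernel's "98 bytes to the right" line, decodes the shadow byte under the address, and measures how much redzone is left before the neighbouring object. Assumptions: the generic-KASAN shadow encoding from mm/kasan/kasan.h (8 bytes of memory per shadow byte; 0xfc = slab redzone, 0xfb = freed slab object, 0xfe = page redzone, 0xff = freed page, 1..7 = partially accessible granule); the REPORT string is a constructed excerpt of the lines above; all function names are the example's own.

```python
"""Triage helper for a KASAN slab-out-of-bounds report (editor's example).

Re-derives the object-relative offset the kernel printed and decodes the
shadow byte under the faulting address, so the report's numbers can be
checked instead of trusted.
"""
import re

# Generic KASAN on x86: one shadow byte per 8-byte granule of memory.
SHADOW_GRANULE = 8

# Shadow encodings as listed in mm/kasan/kasan.h (only the values used here).
SHADOW_CODES = {
    0x00: "fully accessible",
    0xfb: "freed slab object (KASAN_SLAB_FREE)",
    0xfc: "slab redzone (KASAN_SLAB_REDZONE)",
    0xfe: "page redzone (KASAN_PAGE_REDZONE)",
    0xff: "freed page (KASAN_PAGE_FREE)",
}

# Constructed excerpt of the report above: just the lines the parser consumes.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in decode_session6+0x1059/0x1880 net/xfrm/xfrm_policy.c:3375
Read of size 1 at addr ffff88806f6ddfe2 by task swapper/2/0
The buggy address belongs to the object at ffff88806f6dd800
which belongs to the cache UNIX of size 1920
The buggy address is located 98 bytes to the right of
1920-byte region [ffff88806f6dd800, ffff88806f6ddf80)
Memory state around the buggy address:
ffff88806f6dde80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88806f6ddf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88806f6ddf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88806f6de000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88806f6de080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

# One "Memory state" row: optional ' ' or '>' marker, 16-digit base address, 16 shadow bytes.
SHADOW_ROW = re.compile(r"^[ >]?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)


def parse_report(text):
    """Extract the fields needed for triage from a slab-object KASAN report."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+) (\S+)", text)
    access = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    obj = re.search(r"belongs to the object at ([0-9a-f]+)", text)
    cache = re.search(r"cache (\S+) of size (\d+)", text)
    stated = re.search(r"located (\d+) bytes to the (left|right)", text)
    if not (bug and access and obj and cache):
        raise ValueError("not a slab-object KASAN report")
    shadow = {int(m.group(1), 16): [int(b, 16) for b in m.group(2).split()]
              for m in SHADOW_ROW.finditer(text)}
    return {
        "bug": bug.group(1), "func": bug.group(2), "site": bug.group(3),
        "op": access.group(1), "size": int(access.group(2)),
        "addr": int(access.group(3), 16),
        "obj_start": int(obj.group(1), 16),
        "cache": cache.group(1), "obj_size": int(cache.group(2)),
        "stated": (stated.group(2), int(stated.group(1))) if stated else None,
        "shadow": shadow,
    }


def locate(rep):
    """Side and distance of the access relative to the object: ('left'|'inside'|'right', bytes)."""
    start = rep["obj_start"]
    end = start + rep["obj_size"]
    addr = rep["addr"]
    if addr < start:
        return "left", start - addr
    if addr >= end:
        return "right", addr - end
    return "inside", addr - start


def shadow_byte(rep, addr):
    """Shadow value covering addr, taken from the dumped rows (None if not dumped)."""
    for row_base, codes in rep["shadow"].items():
        if row_base <= addr < row_base + len(codes) * SHADOW_GRANULE:
            return codes[(addr - row_base) // SHADOW_GRANULE]
    return None


def describe_shadow(code):
    """Human-readable meaning of one shadow byte."""
    if code is None:
        return "not in dump"
    if 1 <= code <= 7:
        return f"partially accessible: first {code} of {SHADOW_GRANULE} bytes"
    return SHADOW_CODES.get(code, f"unknown code 0x{code:02x}")


def redzone_end(rep, addr):
    """First address past the run of slab-redzone granules that contains addr."""
    granule = addr - addr % SHADOW_GRANULE
    while shadow_byte(rep, granule) == 0xfc:
        granule += SHADOW_GRANULE
    return granule


def triage(text):
    """Summarise the report and cross-check the kernel's own offset arithmetic."""
    rep = parse_report(text)
    side, off = locate(rep)
    code = shadow_byte(rep, rep["addr"])
    end = redzone_end(rep, rep["addr"])
    return {
        "bug": rep["bug"], "func": rep["func"], "site": rep["site"],
        "op": rep["op"], "size": rep["size"], "addr": rep["addr"],
        "cache": rep["cache"], "obj_size": rep["obj_size"],
        "side": side, "offset": off,
        # Does our arithmetic agree with the "located N bytes to the ..." line?
        "matches_kernel": rep["stated"] in (None, (side, off)),
        "shadow": code, "shadow_meaning": describe_shadow(code),
        "redzone_end": end,
        "redzone_remaining": end - rep["addr"] if code == 0xfc else 0,
    }


if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        if key in ("addr", "redzone_end"):
            val = f"{val:#x}"
        print(f"{key:18} {val}")
```

On the excerpt above this reports side right, offset 98 (agreeing with the kernel's line), shadow 0xfc (slab redzone) and 30 bytes of redzone left before the next granule, which is marked 0xfb, i.e. a freed object. Two caveats the report supports but a quick read misses: the faulting task is the idle thread in softirq context (addrconf_rs_timer sending a Router Solicitation through an xfrm interface), not the syz-executor that allocated the object, so the "Allocated by task 3744" stack only tells you who owns the address that happened to be hit, an AF_UNIX socket that IPv6 flow decoding has no reason to read; the pointer decode_session6 dereferenced came from the packet it was decoding, and that is where triage starts. And the "Code disassembly" trailer decodes the idle loop's hlt/ret where the timer interrupt landed (RIP was captured at interrupt entry), not the instruction in decode_session6 that performed the read.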