==================================================================
BUG: KASAN: use-after-free in decode_session6+0xe6d/0x1530 net/xfrm/xfrm_policy.c:3369
Read of size 1 at addr ffff88807d4934a3 by task kworker/0:21/29546

CPU: 0 PID: 29546 Comm: kworker/0:21 Not tainted 5.14.0-next-20210908-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: mld mld_ifc_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 decode_session6+0xe6d/0x1530 net/xfrm/xfrm_policy.c:3369
 __xfrm_decode_session+0x50/0xb0 net/xfrm/xfrm_policy.c:3456
 xfrm_decode_session include/net/xfrm.h:1149 [inline]
 vti6_tnl_xmit+0x41f/0x1fe0 net/ipv6/ip6_vti.c:577
 __netdev_start_xmit include/linux/netdevice.h:4988 [inline]
 netdev_start_xmit include/linux/netdevice.h:5002 [inline]
 xmit_one net/core/dev.c:3576 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3592
 sch_direct_xmit+0x19f/0xbb0 net/sched/sch_generic.c:342
 qdisc_restart net/sched/sch_generic.c:407 [inline]
 __qdisc_run+0x4bc/0x1700 net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3861 [inline]
 __dev_queue_xmit+0x1f6e/0x3710 net/core/dev.c:4170
 neigh_connected_output+0x3b6/0x510 net/core/neighbour.c:1521
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0x717/0x1500 net/ipv6/ip6_output.c:126
 __ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
 __ip6_finish_output+0x4c1/0x1050 net/ipv6/ip6_output.c:170
 ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 mld_sendpack+0x9a1/0xe40 net/ipv6/mcast.c:1826
 mld_send_cr net/ipv6/mcast.c:2127 [inline]
 mld_ifc_work+0x71c/0xdc0 net/ipv6/mcast.c:2659
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2297
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 28287:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3182 [inline]
 slab_alloc mm/slub.c:3190 [inline]
 kmem_cache_alloc+0x209/0x390 mm/slub.c:3195
 kmem_cache_zalloc include/linux/slab.h:720 [inline]
 fill_pool+0x264/0x5c0 lib/debugobjects.c:171
 __debug_object_init+0x7a/0xd10 lib/debugobjects.c:565
 debug_object_init lib/debugobjects.c:620 [inline]
 debug_object_activate+0x32c/0x3e0 lib/debugobjects.c:706
 debug_rcu_head_queue kernel/rcu/rcu.h:176 [inline]
 __call_rcu kernel/rcu/tree.c:2969 [inline]
 call_rcu+0x2c/0x740 kernel/rcu/tree.c:3065
 security_inode_free+0x9a/0xc0 security/security.c:1050
 __destroy_inode+0x1fc/0x730 fs/inode.c:260
 destroy_inode+0x91/0x1b0 fs/inode.c:283
 iput_final fs/inode.c:1670 [inline]
 iput.part.0+0x539/0x850 fs/inode.c:1696
 iput+0x58/0x70 fs/inode.c:1686
 do_unlinkat+0x418/0x650 fs/namei.c:4176
 __do_sys_unlink fs/namei.c:4217 [inline]
 __se_sys_unlink fs/namei.c:4215 [inline]
 __x64_sys_unlink+0xc6/0x110 fs/namei.c:4215
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88807d493498
 which belongs to the cache debug_objects_cache of size 40
The buggy address is located 11 bytes inside of
 40-byte region [ffff88807d493498, ffff88807d4934c0)
The buggy address belongs to the page:
page:ffffea0001f524c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88807d493380 pfn:0x7d493
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0000f4e7c8 ffffea0000df7d48 ffff888010c4f8c0
raw: ffff88807d493380 0000000000490024 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 25667, ts 902268227239, free_ts 843354222432
 prep_new_page mm/page_alloc.c:2424 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4151
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5373
 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2188
 alloc_slab_page mm/slub.c:1744 [inline]
 allocate_slab mm/slub.c:1881 [inline]
 new_slab+0x319/0x490 mm/slub.c:1944
 ___slab_alloc+0x9b6/0x1100 mm/slub.c:2970
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3057
 slab_alloc_node mm/slub.c:3148 [inline]
 slab_alloc mm/slub.c:3190 [inline]
 kmem_cache_alloc+0x365/0x390 mm/slub.c:3195
 kmem_cache_zalloc include/linux/slab.h:720 [inline]
 fill_pool+0x264/0x5c0 lib/debugobjects.c:171
 __debug_object_init+0x7a/0xd10 lib/debugobjects.c:565
 debug_object_init lib/debugobjects.c:620 [inline]
 debug_object_activate+0x32c/0x3e0 lib/debugobjects.c:706
 debug_rcu_head_queue kernel/rcu/rcu.h:176 [inline]
 __call_rcu kernel/rcu/tree.c:2969 [inline]
 call_rcu+0x2c/0x740 kernel/rcu/tree.c:3065
 dentry_free+0xc3/0x160 fs/dcache.c:352
 __dentry_kill+0x4cb/0x640 fs/dcache.c:596
 dentry_kill fs/dcache.c:720 [inline]
 dput+0x66b/0xbc0 fs/dcache.c:888
 find_next_child fs/libfs.c:264 [inline]
 simple_recursive_removal+0x136/0x7b0 fs/libfs.c:279
 debugfs_remove fs/debugfs/inode.c:732 [inline]
 debugfs_remove+0x59/0x80 fs/debugfs/inode.c:726
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x373/0x860 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3315 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3394
 __unfreeze_partials+0x1ac/0x1d0 mm/slub.c:2476
 qlink_free mm/kasan/quarantine.c:146 [inline]
 qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0x95/0xb0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3182 [inline]
 slab_alloc mm/slub.c:3190 [inline]
 __kmalloc+0x1e7/0x320 mm/slub.c:4363
 kmalloc_array include/linux/slab.h:636 [inline]
 kcalloc include/linux/slab.h:667 [inline]
 ext4_ext_remove_space+0x184a/0x4600 fs/ext4/extents.c:2900
 ext4_ext_truncate+0x205/0x260 fs/ext4/extents.c:4382
 ext4_truncate+0xecc/0x1440 fs/ext4/inode.c:4268
 ext4_evict_inode+0xa71/0x1950 fs/ext4/inode.c:287
 evict+0x2ed/0x6b0 fs/inode.c:590
 iput_final fs/inode.c:1670 [inline]
 iput.part.0+0x539/0x850 fs/inode.c:1696
 iput+0x58/0x70 fs/inode.c:1686
 dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:376
 __dentry_kill+0x3c0/0x640 fs/dcache.c:582

Memory state around the buggy address:
 ffff88807d493380: fb fb fb fb fb fc fc 00 00 00 00 00 fc fc 00 00
 ffff88807d493400: 00 00 00 fc fc 00 00 00 00 00 fc fc fa fb fb fb
>ffff88807d493480: fb fc fc fb fb fb fb fb fc fc 00 00 00 00 00 fc
                               ^
 ffff88807d493500: fc 00 00 00 00 00 fc fc 00 00 00 00 00 fc fc 00
 ffff88807d493580: 00 00 00 00 fc fc 00 00 00 00 00 fc fc 00 00 00
==================================================================