==================================================================
BUG: KASAN: slab-use-after-free in __xfrm_state_lookup_all net/xfrm/xfrm_state.c:-1 [inline]
BUG: KASAN: slab-use-after-free in xfrm_state_find+0x2cf2/0x5400 net/xfrm/xfrm_state.c:1494
Read of size 1 at addr ffff888021f80770 by task syz.1.2231/14763

CPU: 1 UID: 0 PID: 14763 Comm: syz.1.2231 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __xfrm_state_lookup_all net/xfrm/xfrm_state.c:-1 [inline]
 xfrm_state_find+0x2cf2/0x5400 net/xfrm/xfrm_state.c:1494
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2522 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2573 [inline]
 xfrm_resolve_and_create_bundle+0x768/0x2f80 net/xfrm/xfrm_policy.c:2871
 xfrm_lookup_with_ifid+0x2a7/0x1a70 net/xfrm/xfrm_policy.c:3205
 xfrm_lookup net/xfrm/xfrm_policy.c:3336 [inline]
 xfrm_lookup_route+0x3c/0x1c0 net/xfrm/xfrm_policy.c:3347
 ip_route_connect include/net/route.h:355 [inline]
 __ip4_datagram_connect+0x9a5/0x1270 net/ipv4/datagram.c:49
 __ip6_datagram_connect+0x9f0/0x1150 net/ipv6/datagram.c:196
 ip6_datagram_connect net/ipv6/datagram.c:279 [inline]
 ip6_datagram_connect_v6_only+0x63/0xa0 net/ipv6/datagram.c:291
 __sys_connect_file net/socket.c:2086 [inline]
 __sys_connect+0x316/0x440 net/socket.c:2105
 __do_sys_connect net/socket.c:2111 [inline]
 __se_sys_connect net/socket.c:2108 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2108
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7df478ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7df55cc038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f7df49c5fa0 RCX: 00007f7df478ebe9
RDX: 000000000000001c RSI: 0000200000000000 RDI: 0000000000000004
RBP: 00007f7df4811e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7df49c6038 R14: 00007f7df49c5fa0 R15: 00007fff46ce09c8
 </TASK>

Allocated by task 14231:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:330 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:356
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4180 [inline]
 slab_alloc_node mm/slub.c:4229 [inline]
 kmem_cache_alloc_node_noprof+0x1bb/0x3c0 mm/slub.c:4281
 kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:578
 __alloc_skb+0x142/0x2d0 net/core/skbuff.c:669
 napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811
 page_to_skb+0x288/0x930 drivers/net/virtio_net.c:889
 receive_mergeable drivers/net/virtio_net.c:2496 [inline]
 receive_buf+0x45f/0x15e0 drivers/net/virtio_net.c:2634
 virtnet_receive_packets drivers/net/virtio_net.c:2992 [inline]
 virtnet_receive drivers/net/virtio_net.c:3016 [inline]
 virtnet_poll+0x1fbc/0x2d80 drivers/net/virtio_net.c:3110
 __napi_poll+0xc4/0x360 net/core/dev.c:7555
 napi_poll net/core/dev.c:7618 [inline]
 net_rx_action+0x707/0xe30 net/core/dev.c:7745
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 common_interrupt+0xbb/0xe0 arch/x86/kernel/irq.c:318
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693

Freed by task 14231:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free mm/slub.c:4680 [inline]
 kmem_cache_free+0x18f/0x400 mm/slub.c:4782
 skb_release_data+0x62d/0x7c0 net/core/skbuff.c:1086
 skb_release_all net/core/skbuff.c:1151 [inline]
 __kfree_skb net/core/skbuff.c:1165 [inline]
 kfree_skb_partial+0x97/0xb0 net/core/skbuff.c:6054
 tcp_data_queue+0x1ee9/0x6380 net/ipv4/tcp_input.c:5229
 tcp_rcv_established+0xf9e/0x1eb0 net/ipv4/tcp_input.c:6216
 tcp_v4_do_rcv+0xa23/0xce0 net/ipv4/tcp_ipv4.c:1924
 tcp_v4_rcv+0x252a/0x2db0 net/ipv4/tcp_ipv4.c:2364
 ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239
 NF_HOOK+0x309/0x3a0 include/linux/netfilter.h:318
 dst_input include/net/dst.h:474 [inline]
 ip_sublist_rcv_finish+0x221/0x2a0 net/ipv4/ip_input.c:585
 ip_list_rcv_finish net/ipv4/ip_input.c:637 [inline]
 ip_sublist_rcv+0x74c/0xa10 net/ipv4/ip_input.c:645
 ip_list_rcv+0x3e2/0x430 net/ipv4/ip_input.c:679
 __netif_receive_skb_list_ptype net/core/dev.c:6083 [inline]
 __netif_receive_skb_list_core+0x7d2/0x800 net/core/dev.c:6130
 __netif_receive_skb_list net/core/dev.c:6182 [inline]
 netif_receive_skb_list_internal+0x96f/0xcb0 net/core/dev.c:6273
 gro_normal_list include/net/gro.h:532 [inline]
 gro_flush_normal include/net/gro.h:540 [inline]
 napi_complete_done+0x2f2/0x7c0 net/core/dev.c:6642
 virtqueue_napi_complete drivers/net/virtio_net.c:766 [inline]
 virtnet_poll+0x23a6/0x2d80 drivers/net/virtio_net.c:3118
 __napi_poll+0xc4/0x360 net/core/dev.c:7555
 napi_poll net/core/dev.c:7618 [inline]
 net_rx_action+0x707/0xe30 net/core/dev.c:7745
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 common_interrupt+0xbb/0xe0 arch/x86/kernel/irq.c:318
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693

The buggy address belongs to the object at ffff888021f80680
 which belongs to the cache skbuff_small_head of size 704
The buggy address is located 240 bytes inside of
 freed 704-byte region [ffff888021f80680, ffff888021f80940)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21f80
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff888141689b40 0000000000000000 0000000000000001
raw: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff888141689b40 0000000000000000 0000000000000001
head: 0000000000000000 0000000000130013 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea000087e001 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 13606, tgid 13605 (syz.3.1911), ts 387029436116, free_ts 377845047287
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2487 [inline]
 allocate_slab+0x8a/0x370 mm/slub.c:2655
 new_slab mm/slub.c:2709 [inline]
 ___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
 __slab_alloc mm/slub.c:3981 [inline]
 __slab_alloc_node mm/slub.c:4056 [inline]
 slab_alloc_node mm/slub.c:4217 [inline]
 kmem_cache_alloc_node_noprof+0x280/0x3c0 mm/slub.c:4281
 kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:578
 pskb_expand_head+0x18e/0x1150 net/core/skbuff.c:2240
 netlink_trim+0x1d5/0x2e0 net/netlink/af_netlink.c:1301
 netlink_broadcast_filtered+0xd6/0x1000 net/netlink/af_netlink.c:1514
 nlmsg_multicast_filtered include/net/netlink.h:1165 [inline]
 genlmsg_multicast_netns_filtered include/net/genetlink.h:495 [inline]
 devlink_nl_notify_send_desc net/devlink/devl_internal.h:229 [inline]
 devlink_port_notify+0x402/0x570 net/devlink/port.c:571
 __devlink_port_type_set+0x54f/0x700 net/devlink/port.c:1232
 devlink_port_netdevice_event+0x2a9/0x4f0 net/devlink/port.c:1311
 notifier_call_chain+0x1b6/0x3e0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2267 [inline]
 call_netdevice_notifiers net/core/dev.c:2281 [inline]
 register_netdevice+0x1608/0x1ae0 net/core/dev.c:11293
page last free pid 13233 tgid 13224 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
 discard_slab mm/slub.c:2753 [inline]
 __put_partials+0x156/0x1a0 mm/slub.c:3218
 put_cpu_partial+0x17c/0x250 mm/slub.c:3293
 __slab_free+0x2d5/0x3c0 mm/slub.c:4550
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4180 [inline]
 slab_alloc_node mm/slub.c:4229 [inline]
 kmem_cache_alloc_node_noprof+0x1bb/0x3c0 mm/slub.c:4281
 __alloc_skb+0x112/0x2d0 net/core/skbuff.c:659
 alloc_skb include/linux/skbuff.h:1377 [inline]
 alloc_skb_with_frags+0xca/0x890 net/core/skbuff.c:6667
 sock_alloc_send_pskb+0x857/0x990 net/core/sock.c:2987
 sock_alloc_send_skb include/net/sock.h:1856 [inline]
 llc_ui_sendmsg+0x477/0xdd0 net/llc/af_llc.c:970
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:729
 sock_sendmsg+0x158/0x230 net/socket.c:752
 splice_to_socket+0x8ff/0xf10 fs/splice.c:886
 do_splice_from fs/splice.c:938 [inline]
 direct_splice_actor+0xfe/0x160 fs/splice.c:1161

Memory state around the buggy address:
 ffff888021f80600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888021f80680: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888021f80700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff888021f80780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888021f80800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================