==================================================================
BUG: KASAN: use-after-free in __xfrm_state_insert+0x794/0x11a4 net/xfrm/xfrm_state.c:1743
Read of size 1 at addr ffff0000f7811cb0 by task syz.7.3707/16060

CPU: 1 UID: 0 PID: 16060 Comm: syz.7.3707 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x238 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:482
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
 __xfrm_state_insert+0x794/0x11a4 net/xfrm/xfrm_state.c:1743
 xfrm_state_insert+0x5c/0x78 net/xfrm/xfrm_state.c:1795
 ipcomp6_tunnel_attach net/ipv6/ipcomp6.c:131 [inline]
 ipcomp6_init_state+0x4b8/0x778 net/ipv6/ipcomp6.c:163
 __xfrm_init_state+0x8c4/0x12b8 net/xfrm/xfrm_state.c:3188
 xfrm_init_state+0x24/0xbc net/xfrm/xfrm_state.c:3231
 pfkey_msg2xfrm_state net/key/af_key.c:1286 [inline]
 pfkey_add+0x1460/0x224c net/key/af_key.c:1504
 pfkey_process net/key/af_key.c:2848 [inline]
 pfkey_sendmsg+0x9c0/0xd74 net/key/af_key.c:3699
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 ____sys_sendmsg+0x490/0x7b8 net/socket.c:2614
 ___sys_sendmsg+0x204/0x278 net/socket.c:2668
 __sys_sendmmsg+0x1f4/0x548 net/socket.c:2757
 __do_sys_sendmmsg net/socket.c:2784 [inline]
 __se_sys_sendmmsg net/socket.c:2781 [inline]
 __arm64_sys_sendmmsg+0xa0/0xbc net/socket.c:2781
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:763
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x137811
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 00000000ffffffff 0000000000000000
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000f7811b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000f7811c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000f7811c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff0000f7811d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000f7811d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
  ESR = 0x0000000096000046
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
  CM = 0, WnR = 1, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000012f63b000
[0000000000000000] pgd=0800000134a75403, p4d=0800000134a75403, pud=080000013fe96403, pmd=0000000000000000
Internal error: Oops: 0000000096000046 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 16060 Comm: syz.7.3707 Tainted: G B syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 03400005 (nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : hlist_add_before_rcu include/linux/rculist.h:705 [inline]
pc : __xfrm_state_insert+0xe00/0x11a4 net/xfrm/xfrm_state.c:1743
lr : hlist_add_before_rcu include/linux/rculist.h:705 [inline]
lr : __xfrm_state_insert+0xe00/0x11a4 net/xfrm/xfrm_state.c:1743
sp : ffff8000a1da71d0
x29: ffff8000a1da7200 x28: dfff800000000000 x27: 1fffe0001ef02336
x26: ffff0000cc4b8470 x25: 0000000000000000 x24: ffff0000cc4b8468
x23: ffff0000f78119b0 x22: ffff0000cc4b8770 x21: ffff0000f78119a8
x20: ffff0000cc59a440 x19: ffff0000cc4b8440 x18: 1fffe00033793888
x17: 3d3d3d3d3d3d3d3d x16: ffff80008b020820 x15: 0000000000000001
x14: 1ffff00012613f04 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000080000 x10: fffffffffffffff8 x9 : ffff8000975d78e0
x8 : 0000000000000001 x7 : 0000000000000001 x6 : ffff80008056536c
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800089d8c6f8
x2 : 0000000000000001 x1 : 0000000000000008 x0 : 0000000000000001
Call trace:
 hlist_add_before_rcu include/linux/rculist.h:705 [inline] (P)
 __xfrm_state_insert+0xe00/0x11a4 net/xfrm/xfrm_state.c:1743 (P)
 xfrm_state_insert+0x5c/0x78 net/xfrm/xfrm_state.c:1795
 ipcomp6_tunnel_attach net/ipv6/ipcomp6.c:131 [inline]
 ipcomp6_init_state+0x4b8/0x778 net/ipv6/ipcomp6.c:163
 __xfrm_init_state+0x8c4/0x12b8 net/xfrm/xfrm_state.c:3188
 xfrm_init_state+0x24/0xbc net/xfrm/xfrm_state.c:3231
 pfkey_msg2xfrm_state net/key/af_key.c:1286 [inline]
 pfkey_add+0x1460/0x224c net/key/af_key.c:1504
 pfkey_process net/key/af_key.c:2848 [inline]
 pfkey_sendmsg+0x9c0/0xd74 net/key/af_key.c:3699
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg net/socket.c:729 [inline]
 ____sys_sendmsg+0x490/0x7b8 net/socket.c:2614
 ___sys_sendmsg+0x204/0x278 net/socket.c:2668
 __sys_sendmmsg+0x1f4/0x548 net/socket.c:2757
 __do_sys_sendmmsg net/socket.c:2784 [inline]
 __se_sys_sendmmsg net/socket.c:2781 [inline]
 __arm64_sys_sendmmsg+0xa0/0xbc net/socket.c:2781
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:763
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: aa1903e0 52800101 f9000315 9790e35b (c89fff38)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	aa1903e0 	mov	x0, x25
   4:	52800101 	mov	w1, #0x8	// #8
   8:	f9000315 	str	x21, [x24]
   c:	9790e35b 	bl	0xfffffffffe438d78
* 10:	c89fff38 	stlr	x24, [x25] <-- trapping instruction