==================================================================
BUG: KASAN: use-after-free in decode_session6+0x10e1/0x1950 net/xfrm/xfrm_policy.c:3460
Read of size 1 at addr ffff888041f5350f by task syz-executor.1/26695

CPU: 0 PID: 26695 Comm: syz-executor.1 Not tainted 6.5.0-rc3-syzkaller-00824-gb23ec2bd7b84 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 decode_session6+0x10e1/0x1950 net/xfrm/xfrm_policy.c:3460
 __xfrm_decode_session+0x54/0xb0 net/xfrm/xfrm_policy.c:3566
 xfrm_decode_session_reverse include/net/xfrm.h:1223 [inline]
 icmpv6_route_lookup+0x397/0x550 net/ipv6/icmp.c:388
 icmp6_send+0x11c1/0x2720 net/ipv6/icmp.c:595
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x31/0x5a0 net/ipv6/route.c:2785
 dst_link_failure include/net/dst.h:437 [inline]
 ip6_tnl_xmit+0x4f9/0x3950 net/ipv6/ip6_tunnel.c:1268
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1384 [inline]
 ip6_tnl_start_xmit+0x6ef/0x1750 net/ipv6/ip6_tunnel.c:1432
 __netdev_start_xmit include/linux/netdevice.h:4936 [inline]
 netdev_start_xmit include/linux/netdevice.h:4950 [inline]
 xmit_one net/core/dev.c:3542 [inline]
 dev_hard_start_xmit+0x13d/0x6c0 net/core/dev.c:3558
 sch_direct_xmit+0x1ac/0xc20 net/sched/sch_generic.c:342
 qdisc_restart net/sched/sch_generic.c:407 [inline]
 __qdisc_run+0x540/0x19d0 net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3832 [inline]
 __dev_queue_xmit+0x24e2/0x3d60 net/core/dev.c:4301
 dev_queue_xmit include/linux/netdevice.h:3111 [inline]
 neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1581
 neigh_output include/net/neighbour.h:544 [inline]
 ip6_finish_output2+0x5d0/0x1b20 net/ipv6/ip6_output.c:135
 __ip6_finish_output net/ipv6/ip6_output.c:196 [inline]
 ip6_finish_output+0x485/0x1250 net/ipv6/ip6_output.c:207
 NF_HOOK_COND include/linux/netfilter.h:292 [inline]
 ip6_output+0x23a/0x880 net/ipv6/ip6_output.c:228
 dst_output include/net/dst.h:458 [inline]
 NF_HOOK include/linux/netfilter.h:303 [inline]
 NF_HOOK include/linux/netfilter.h:297 [inline]
 ip6_xmit+0xe1d/0x1fe0 net/ipv6/ip6_output.c:344
 inet6_csk_xmit+0x3c0/0x730 net/ipv6/inet6_connection_sock.c:135
 __tcp_transmit_skb+0x199b/0x3a80 net/ipv4/tcp_output.c:1401
 tcp_transmit_skb net/ipv4/tcp_output.c:1419 [inline]
 tcp_send_syn_data net/ipv4/tcp_output.c:3914 [inline]
 tcp_connect+0x249f/0x54d0 net/ipv4/tcp_output.c:3953
 tcp_v6_connect+0x1476/0x1fb0 net/ipv6/tcp_ipv6.c:338
 __inet_stream_connect+0x947/0xe10 net/ipv4/af_inet.c:666
 tcp_sendmsg_fastopen+0x3ce/0x710 net/ipv4/tcp.c:1020
 tcp_sendmsg_locked+0x1e5f/0x3420 net/ipv4/tcp.c:1071
 tcp_sendmsg+0x2e/0x40 net/ipv4/tcp.c:1334
 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:651
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg+0xd9/0x180 net/socket.c:748
 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2494
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2548
 __sys_sendmsg+0x117/0x1e0 net/socket.c:2577
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f2be5e7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2be6bfc0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f2be5f9bf80 RCX: 00007f2be5e7cae9
RDX: 000000002400c004 RSI: 0000000020001580 RDI: 0000000000000003
RBP: 00007f2be5ec847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f2be5f9bf80 R15: 00007ffc4b410658
 </TASK>

The buggy address belongs to the physical page:
page:ffffea000107d4c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x41f53
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER), pid 26577, tgid 26574 (syz-executor.4), ts 2197067651388, free_ts 2197260674591
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d2/0x350 mm/page_alloc.c:1570
 prep_new_page mm/page_alloc.c:1577 [inline]
 get_page_from_freelist+0x10a9/0x31e0 mm/page_alloc.c:3221
 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4477
 alloc_pages+0x1a9/0x270 mm/mempolicy.c:2279
 af_alg_sendmsg+0x11bf/0x2bc0 crypto/af_alg.c:1065
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg+0xd9/0x180 net/socket.c:748
 __sys_sendto+0x255/0x340 net/socket.c:2134
 __do_sys_sendto net/socket.c:2146 [inline]
 __se_sys_sendto net/socket.c:2142 [inline]
 __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2142
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1161 [inline]
 free_unref_page_prepare+0x508/0xb90 mm/page_alloc.c:2348
 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2443
 __folio_put_small mm/swap.c:106 [inline]
 __folio_put+0xc5/0x140 mm/swap.c:129
 folio_put include/linux/mm.h:1423 [inline]
 put_page include/linux/mm.h:1492 [inline]
 af_alg_pull_tsgl+0xb07/0xd60 crypto/af_alg.c:747
 skcipher_sock_destruct+0xc6/0x1d0 crypto/algif_skcipher.c:302
 __sk_destruct+0x4d/0x770 net/core/sock.c:2163
 sk_destruct+0xc2/0xf0 net/core/sock.c:2211
 __sk_free+0xc4/0x3a0 net/core/sock.c:2222
 sk_free+0x7c/0xa0 net/core/sock.c:2233
 sock_put include/net/sock.h:1976 [inline]
 af_alg_release+0xdf/0x110 crypto/af_alg.c:125
 __sock_release+0xcd/0x290 net/socket.c:654
 sock_close+0x1c/0x20 net/socket.c:1386
 __fput+0x3fd/0xac0 fs/file_table.c:384
 task_work_run+0x14d/0x240 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297

Memory state around the buggy address:
 ffff888041f53400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888041f53480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888041f53500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff888041f53580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888041f53600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================