================================================================== BUG: KFENCE: use-after-free read in __xfrm_state_lookup_all net/xfrm/xfrm_state.c:-1 [inline] BUG: KFENCE: use-after-free read in xfrm_state_find+0x2820/0x5400 net/xfrm/xfrm_state.c:1494 Use-after-free read at 0xffff88823bfce330 (in kfence-#230): __xfrm_state_lookup_all net/xfrm/xfrm_state.c:-1 [inline] xfrm_state_find+0x2820/0x5400 net/xfrm/xfrm_state.c:1494 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2522 [inline] xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2573 [inline] xfrm_resolve_and_create_bundle+0x768/0x2f80 net/xfrm/xfrm_policy.c:2871 xfrm_lookup_with_ifid+0x2a7/0x1a70 net/xfrm/xfrm_policy.c:3205 xfrm_lookup net/xfrm/xfrm_policy.c:3336 [inline] xfrm_lookup_route+0x3c/0x1c0 net/xfrm/xfrm_policy.c:3347 rawv6_sendmsg+0xdab/0x1820 net/ipv6/raw.c:893 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x19c/0x270 net/socket.c:729 ____sys_sendmsg+0x52d/0x830 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmmsg+0x227/0x430 net/socket.c:2757 __do_sys_sendmmsg net/socket.c:2784 [inline] __se_sys_sendmmsg net/socket.c:2781 [inline] __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2781 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f kfence-#230: 0xffff88823bfce000-0xffff88823bfce57f, size=1408, cache=sock_inode_cache allocated by task 49 on cpu 0 at 211.985838s (4.565096s ago): sock_alloc_inode+0x28/0xc0 net/socket.c:309 alloc_inode+0x67/0x1b0 fs/inode.c:346 new_inode_pseudo include/linux/fs.h:3391 [inline] sock_alloc net/socket.c:624 [inline] __sock_create+0x12d/0x9f0 net/socket.c:1553 rds_tcp_conn_path_connect+0x282/0x680 net/rds/tcp_connect.c:-1 rds_connect_worker+0x1d5/0x290 net/rds/threads.c:176 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 freed by task 0 on cpu 0 at 212.032672s (4.576441s ago): rcu_do_batch kernel/rcu/tree.c:2605 [inline] rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861 handle_softirqs+0x283/0x870 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline] pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:81 arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] default_idle+0x13/0x20 arch/x86/kernel/process.c:757 default_idle_call+0x74/0xb0 kernel/sched/idle.c:122 cpuidle_idle_call kernel/sched/idle.c:190 [inline] do_idle+0x1e8/0x510 kernel/sched/idle.c:330 cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:428 rest_init+0x2de/0x300 init/main.c:744 start_kernel+0x3a9/0x410 init/main.c:1097 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:307 x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:288 common_startup_64+0x13e/0x147 CPU: 1 UID: 0 PID: 9754 Comm: syz.2.966 Not tainted 6.17.0-rc1-syzkaller-00202-g7de0eebbb4c3 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:__xfrm_state_lookup_all net/xfrm/xfrm_state.c:-1 [inline] RIP: 0010:xfrm_state_find+0x2820/0x5400 net/xfrm/xfrm_state.c:1494 Code: 83 e6 0c bf 08 00 00 00 44 89 f6 e8 ca 46 9f f7 4d 8d a5 30 03 00 00 4c 89 e0 48 c1 e8 03 0f b6 04 18 84 c0 0f 85 bc 04 00 00 <45> 0f b6 24 24 41 83 e4 0c bf 08 00 00 00 44 89 e6 e8 9a 46 9f f7 RSP: 0018:ffffc90003646f00 EFLAGS: 00010246 RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000002 RDX: ffff8880729e1e00 RSI: 0000000000000000 RDI: 0000000000000008 RBP: ffffc90003647120 R08: ffff8880729e1e00 R09: 0000000000000002 R10: 000000000000000a R11: 0000000000000002 R12: ffff88823bfce330 R13: ffff88823bfce000 R14: 0000000000000000 R15: 1ffff1100f073848 FS: 00007f287ea2a6c0(0000) GS:ffff888125d1c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88823bfce330 CR3: 0000000077506000 CR4: 00000000003526f0 Call Trace: xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2522 [inline] xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2573 [inline] xfrm_resolve_and_create_bundle+0x768/0x2f80 net/xfrm/xfrm_policy.c:2871 xfrm_lookup_with_ifid+0x2a7/0x1a70 net/xfrm/xfrm_policy.c:3205 xfrm_lookup net/xfrm/xfrm_policy.c:3336 [inline] xfrm_lookup_route+0x3c/0x1c0 net/xfrm/xfrm_policy.c:3347 rawv6_sendmsg+0xdab/0x1820 net/ipv6/raw.c:893 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x19c/0x270 net/socket.c:729 ____sys_sendmsg+0x52d/0x830 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmmsg+0x227/0x430 net/socket.c:2757 __do_sys_sendmmsg net/socket.c:2784 [inline] __se_sys_sendmmsg net/socket.c:2781 [inline] __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2781 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f287db8ebe9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f287ea2a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f287ddb5fa0 RCX: 00007f287db8ebe9 RDX: 0000000000000021 RSI: 0000200000000480 RDI: 0000000000000009 RBP: 00007f287dc11e19 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f287ddb6038 R14: 00007f287ddb5fa0 R15: 00007ffe0f6448b8 ================================================================== ---------------- Code disassembly (best guess): 0: 83 e6 0c and $0xc,%esi 3: bf 08 00 00 00 mov $0x8,%edi 8: 44 89 f6 mov %r14d,%esi b: e8 ca 46 9f f7 call 0xf79f46da 10: 4d 8d a5 30 03 00 00 lea 0x330(%r13),%r12 17: 4c 89 e0 mov %r12,%rax 1a: 48 c1 e8 03 shr $0x3,%rax 1e: 0f b6 04 18 movzbl (%rax,%rbx,1),%eax 22: 84 c0 test %al,%al 24: 0f 85 bc 04 00 00 jne 0x4e6 * 2a: 45 0f b6 24 24 movzbl (%r12),%r12d <-- trapping instruction 2f: 41 83 e4 0c and $0xc,%r12d 33: bf 08 00 00 00 mov $0x8,%edi 38: 44 89 e6 mov %r12d,%esi 3b: e8 9a 46 9f f7 call 0xf79f46da