================================================================== BUG: KASAN: use-after-free in decode_session6+0x10e1/0x1950 net/xfrm/xfrm_policy.c:3460 Read of size 1 at addr ffff888045de2dbe by task syz-executor.0/29035 CPU: 2 PID: 29035 Comm: syz-executor.0 Not tainted 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc4/0x620 mm/kasan/report.c:475 kasan_report+0xda/0x110 mm/kasan/report.c:588 decode_session6+0x10e1/0x1950 net/xfrm/xfrm_policy.c:3460 __xfrm_decode_session+0x54/0xb0 net/xfrm/xfrm_policy.c:3566 xfrm_decode_session_reverse include/net/xfrm.h:1223 [inline] icmpv6_route_lookup+0x397/0x550 net/ipv6/icmp.c:388 icmp6_send+0x11c1/0x2720 net/ipv6/icmp.c:595 __icmpv6_send include/linux/icmpv6.h:28 [inline] icmpv6_send include/linux/icmpv6.h:49 [inline] ip6_link_failure+0x31/0x5a0 net/ipv6/route.c:2785 dst_link_failure include/net/dst.h:437 [inline] ip6_tnl_xmit+0x4f9/0x3960 net/ipv6/ip6_tunnel.c:1268 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1384 [inline] ip6_tnl_start_xmit+0x6ef/0x1750 net/ipv6/ip6_tunnel.c:1432 __netdev_start_xmit include/linux/netdevice.h:4910 [inline] netdev_start_xmit include/linux/netdevice.h:4924 [inline] xmit_one net/core/dev.c:3537 [inline] dev_hard_start_xmit+0x13d/0x6c0 net/core/dev.c:3553 sch_direct_xmit+0x1ac/0xc20 net/sched/sch_generic.c:342 qdisc_restart net/sched/sch_generic.c:407 [inline] __qdisc_run+0x540/0x19d0 net/sched/sch_generic.c:415 __dev_xmit_skb net/core/dev.c:3827 [inline] __dev_queue_xmit+0x26ab/0x3f20 net/core/dev.c:4169 dev_queue_xmit include/linux/netdevice.h:3088 [inline] neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1581 neigh_output include/net/neighbour.h:544 [inline] ip6_finish_output2+0x5d0/0x1b20 net/ipv6/ip6_output.c:135 ip6_fragment+0xbf4/0x2a40 net/ipv6/ip6_output.c:1008 __ip6_finish_output net/ipv6/ip6_output.c:194 [inline] ip6_finish_output+0x7a8/0x11d0 net/ipv6/ip6_output.c:207 NF_HOOK_COND include/linux/netfilter.h:292 [inline] ip6_output+0x243/0x890 net/ipv6/ip6_output.c:228 dst_output include/net/dst.h:458 [inline] NF_HOOK include/linux/netfilter.h:303 [inline] NF_HOOK include/linux/netfilter.h:297 [inline] ip6_xmit+0xe1d/0x1fe0 net/ipv6/ip6_output.c:344 sctp_v6_xmit+0xc16/0x1110 net/sctp/ipv6.c:250 sctp_packet_transmit+0x22e1/0x3010 net/sctp/output.c:653 sctp_packet_singleton+0x19f/0x370 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x54c/0x3340 net/sctp/outqueue.c:1212 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1818 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x1786/0x5c40 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x9c/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9df/0xc30 net/sctp/socket.c:1233 sctp_connect net/sctp/socket.c:4810 [inline] sctp_inet_connect+0x15f/0x1f0 net/sctp/socket.c:4825 __sys_connect_file+0x15b/0x1a0 net/socket.c:1992 __sys_connect+0x145/0x170 net/socket.c:2009 __do_sys_connect net/socket.c:2019 [inline] __se_sys_connect net/socket.c:2016 [inline] __x64_sys_connect+0x72/0xb0 net/socket.c:2016 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7feffa27cae9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007feffaef30c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007feffa39bf80 RCX: 00007feffa27cae9 RDX: 000000000000001c RSI: 0000000020000080 RDI: 0000000000000003 RBP: 00007feffa2c847a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007feffa39bf80 R15: 00007ffeacecf6f8 The buggy address belongs to the physical page: page:ffffea0001177880 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x45de2 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 ffff888045de2000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 1, migratetype Unmovable, gfp_mask 0x242040(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 32001, tgid 32001 (syz-executor.1), ts 2894356279403, free_ts 2897950395618 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x2d2/0x350 mm/page_alloc.c:1570 prep_new_page mm/page_alloc.c:1577 [inline] get_page_from_freelist+0x10a9/0x31e0 mm/page_alloc.c:3221 __alloc_pages_slowpath.constprop.0+0x2dd/0x2360 mm/page_alloc.c:4011 __alloc_pages+0x411/0x4a0 mm/page_alloc.c:4490 __alloc_pages_node include/linux/gfp.h:237 [inline] kmem_getpages mm/slab.c:1356 [inline] cache_grow_begin+0x99/0x3a0 mm/slab.c:2550 cache_alloc_refill+0x294/0x3a0 mm/slab.c:2923 ____cache_alloc mm/slab.c:2999 [inline] ____cache_alloc mm/slab.c:2982 [inline] __do_cache_alloc mm/slab.c:3182 [inline] slab_alloc_node mm/slab.c:3230 [inline] __kmem_cache_alloc_node+0x3c9/0x470 mm/slab.c:3521 __do_kmalloc_node mm/slab_common.c:984 [inline] __kmalloc+0x4c/0x100 mm/slab_common.c:998 kmalloc include/linux/slab.h:586 [inline] tomoyo_realpath_from_path+0xb9/0x710 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x271/0x450 security/tomoyo/file.c:822 tomoyo_path_unlink+0x92/0xd0 security/tomoyo/tomoyo.c:161 security_path_unlink+0xf9/0x160 security/security.c:1728 do_unlinkat+0x375/0x6d0 fs/namei.c:4392 __do_sys_unlink fs/namei.c:4443 [inline] __se_sys_unlink fs/namei.c:4441 [inline] __x64_sys_unlink+0xc8/0x110 fs/namei.c:4441 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1161 [inline] free_unref_page_prepare+0x508/0xb90 mm/page_alloc.c:2348 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2443 slab_destroy mm/slab.c:1608 [inline] slabs_destroy+0x85/0xc0 mm/slab.c:1628 cache_flusharray mm/slab.c:3341 [inline] ___cache_free+0x2b6/0x420 mm/slab.c:3404 qlink_free mm/kasan/quarantine.c:166 [inline] qlist_free_all+0x4c/0x1b0 mm/kasan/quarantine.c:185 kasan_quarantine_reduce+0x18b/0x1d0 mm/kasan/quarantine.c:292 __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook mm/slab.h:762 [inline] slab_alloc_node mm/slab.c:3237 [inline] slab_alloc mm/slab.c:3246 [inline] __kmem_cache_alloc_lru mm/slab.c:3423 [inline] kmem_cache_alloc+0x15e/0x400 mm/slab.c:3432 kmem_cache_zalloc include/linux/slab.h:693 [inline] jbd2_alloc_handle include/linux/jbd2.h:1597 [inline] new_handle fs/jbd2/transaction.c:476 [inline] jbd2__journal_start+0x190/0x690 fs/jbd2/transaction.c:503 __ext4_journal_start_sb+0x40f/0x5c0 fs/ext4/ext4_jbd2.c:111 __ext4_journal_start fs/ext4/ext4_jbd2.h:326 [inline] __ext4_unlink+0x418/0xcd0 fs/ext4/namei.c:3260 ext4_unlink+0x40b/0x580 fs/ext4/namei.c:3319 vfs_unlink+0x2f1/0x900 fs/namei.c:4329 do_unlinkat+0x3da/0x6d0 fs/namei.c:4395 __do_sys_unlink fs/namei.c:4443 [inline] __se_sys_unlink fs/namei.c:4441 [inline] __x64_sys_unlink+0xc8/0x110 fs/namei.c:4441 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 Memory state around the buggy address: ffff888045de2c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888045de2d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888045de2d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888045de2e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888045de2e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================