================================================================== BUG: KASAN: use-after-free in decode_session6 net/xfrm/xfrm_policy.c:3390 [inline] BUG: KASAN: use-after-free in __xfrm_decode_session+0x1cfb/0x2e90 net/xfrm/xfrm_policy.c:3482 Read of size 1 at addr ffff8880a3429c42 by task syz-executor.0/29283 CPU: 1 PID: 29283 Comm: syz-executor.0 Not tainted 5.5.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:639 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132 decode_session6 net/xfrm/xfrm_policy.c:3390 [inline] __xfrm_decode_session+0x1cfb/0x2e90 net/xfrm/xfrm_policy.c:3482 xfrm_decode_session_reverse include/net/xfrm.h:1144 [inline] icmpv6_route_lookup+0x31b/0x4d0 net/ipv6/icmp.c:369 icmp6_send+0x1263/0x1f90 net/ipv6/icmp.c:569 icmpv6_send+0xec/0x220 net/ipv6/ip6_icmp.c:43 ip6_link_failure+0x2b/0x530 net/ipv6/route.c:2643 dst_link_failure include/net/dst.h:419 [inline] ipip6_tunnel_xmit net/ipv6/sit.c:1002 [inline] sit_tunnel_xmit+0x1888/0x2a10 net/ipv6/sit.c:1039 __netdev_start_xmit include/linux/netdevice.h:4447 [inline] netdev_start_xmit include/linux/netdevice.h:4461 [inline] xmit_one net/core/dev.c:3420 [inline] dev_hard_start_xmit+0x1a3/0x9b0 net/core/dev.c:3436 sch_direct_xmit+0x372/0xd30 net/sched/sch_generic.c:313 qdisc_restart net/sched/sch_generic.c:376 [inline] __qdisc_run+0x4bf/0x1770 net/sched/sch_generic.c:384 __dev_xmit_skb net/core/dev.c:3677 [inline] __dev_queue_xmit+0x163f/0x35c0 net/core/dev.c:3982 dev_queue_xmit+0x18/0x20 net/core/dev.c:4046 neigh_direct_output+0x16/0x20 net/core/neighbour.c:1527 neigh_output include/net/neighbour.h:510 [inline] ip6_finish_output2+0x109a/0x25c0 net/ipv6/ip6_output.c:116 __ip6_finish_output+0x444/0xaa0 net/ipv6/ip6_output.c:142 ip6_finish_output+0x38/0x1f0 net/ipv6/ip6_output.c:152 NF_HOOK_COND include/linux/netfilter.h:296 [inline] ip6_output+0x25e/0x880 net/ipv6/ip6_output.c:175 dst_output include/net/dst.h:436 [inline] NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ip6_xmit+0xe1a/0x2090 net/ipv6/ip6_output.c:279 sctp_v6_xmit+0x34b/0x6a0 net/sctp/ipv6.c:217 sctp_packet_transmit+0x1ba6/0x3740 net/sctp/output.c:629 sctp_packet_singleton net/sctp/outqueue.c:772 [inline] sctp_outq_flush_ctrl.constprop.0+0x73c/0xd30 net/sctp/outqueue.c:903 sctp_outq_flush+0xe8/0x2780 net/sctp/outqueue.c:1185 sctp_outq_uncork+0x6c/0x80 net/sctp/outqueue.c:757 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1797 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1189 [inline] sctp_do_sm+0x50d/0x5370 net/sctp/sm_sideeffect.c:1160 sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:73 __sctp_connect+0xa73/0xcd0 net/sctp/socket.c:1213 sctp_connect net/sctp/socket.c:4895 [inline] sctp_inet_connect+0x14d/0x1c0 net/sctp/socket.c:4910 __sys_connect_file+0x161/0x1c0 net/socket.c:1844 __sys_connect+0x174/0x1b0 net/socket.c:1861 __do_sys_connect net/socket.c:1872 [inline] __se_sys_connect net/socket.c:1869 [inline] __x64_sys_connect+0x73/0xb0 net/socket.c:1869 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45af49 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fcee4690c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045af49 RDX: 000000000000001c RSI: 0000000020000080 RDI: 0000000000000004 RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcee46916d4 R13: 00000000004c17a5 R14: 00000000004d67d0 R15: 00000000ffffffff The buggy address belongs to the page: page:ffffea00028d0a40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 raw: 00fffe0000000000 ffffea00028d0a88 ffffea00028d0a08 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a3429b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880a3429b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8880a3429c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8880a3429c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880a3429d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================