==================================================================
BUG: KASAN: slab-out-of-bounds in decode_session6+0xe6d/0x1530 net/xfrm/xfrm_policy.c:3369
Read of size 1 at addr ffff88807e707cb3 by task kworker/u4:8/10509
CPU: 0 PID: 10509 Comm: kworker/u4:8 Not tainted 5.16.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_nc_worker
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
decode_session6+0xe6d/0x1530 net/xfrm/xfrm_policy.c:3369
__xfrm_decode_session+0x50/0xb0 net/xfrm/xfrm_policy.c:3456
xfrm_decode_session include/net/xfrm.h:1149 [inline]
vti_tunnel_xmit+0x26d/0x1b80 net/ipv4/ip_vti.c:294
__netdev_start_xmit include/linux/netdevice.h:4987 [inline]
netdev_start_xmit include/linux/netdevice.h:5001 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3606
sch_direct_xmit+0x19f/0xbc0 net/sched/sch_generic.c:342
qdisc_restart net/sched/sch_generic.c:407 [inline]
__qdisc_run+0x4bc/0x1700 net/sched/sch_generic.c:415
__dev_xmit_skb net/core/dev.c:3875 [inline]
__dev_queue_xmit+0x2091/0x3630 net/core/dev.c:4194
neigh_connected_output+0x3b6/0x510 net/core/neighbour.c:1552
neigh_output include/net/neighbour.h:527 [inline]
ip6_finish_output2+0x571/0x14e0 net/ipv6/ip6_output.c:126
__ip6_finish_output net/ipv6/ip6_output.c:191 [inline]
__ip6_finish_output+0x4c1/0x1050 net/ipv6/ip6_output.c:170
ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:201
NF_HOOK_COND include/linux/netfilter.h:296 [inline]
ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:224
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:307 [inline]
ndisc_send_skb+0xa99/0x17f0 net/ipv6/ndisc.c:508
ndisc_send_rs+0x12e/0x6f0 net/ipv6/ndisc.c:702
addrconf_rs_timer+0x3f2/0x820 net/ipv6/addrconf.c:3898
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:636
irq_exit_rcu+0x5/0x20 kernel/softirq.c:648
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:rcu_dynticks_curr_cpu_in_eqs kernel/rcu/tree.c:330 [inline]
RIP: 0010:rcu_is_watching+0x39/0xb0 kernel/rcu/tree.c:1121
Code: c7 c3 50 aa 03 00 83 f8 07 89 c5 77 77 48 8d 3c ed a0 48 56 8b 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 <75> 51 48 03 1c ed a0 48 56 8b 48 b8 00 00 00 00 00 fc ff df 48 89
RSP: 0018:ffffc90004037b08 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: 000000000003aa50 RCX: ffffffff815cb368
RDX: 1ffffffff16ac914 RSI: 0000000000000002 RDI: ffffffff8b5648a0
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8d9176d7
R10: fffffbfff1b22eda R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: ffffffff8bb83b60 R15: 0000000000000000
rcu_read_lock_held_common kernel/rcu/update.c:108 [inline]
rcu_read_lock_sched_held+0x1c/0x70 kernel/rcu/update.c:123
trace_lock_acquire include/trace/events/lock.h:13 [inline]
lock_acquire+0x442/0x510 kernel/locking/lockdep.c:5608
rcu_lock_acquire include/linux/rcupdate.h:268 [inline]
rcu_read_lock include/linux/rcupdate.h:688 [inline]
batadv_nc_process_nc_paths.part.0+0xec/0x3c0 net/batman-adv/network-coding.c:691
batadv_nc_process_nc_paths net/batman-adv/network-coding.c:683 [inline]
batadv_nc_worker+0xce4/0xfa0 net/batman-adv/network-coding.c:739
process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
kthread+0x405/0x4f0 kernel/kthread.c:327
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Allocated by task 8483:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc mm/kasan/common.c:513 [inline]
____kasan_kmalloc mm/kasan/common.c:472 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
kmalloc_node include/linux/slab.h:613 [inline]
kzalloc_node include/linux/slab.h:735 [inline]
qdisc_alloc+0xac/0x9e0 net/sched/sch_generic.c:886
qdisc_create_dflt+0x71/0x4a0 net/sched/sch_generic.c:945
attach_one_default_qdisc+0xd0/0x1b0 net/sched/sch_generic.c:1093
netdev_for_each_tx_queue include/linux/netdevice.h:2359 [inline]
attach_default_qdiscs net/sched/sch_generic.c:1111 [inline]
dev_activate+0x5e5/0xa70 net/sched/sch_generic.c:1166
__dev_open+0x380/0x4d0 net/core/dev.c:1499
__dev_change_flags+0x583/0x750 net/core/dev.c:8793
dev_change_flags+0x93/0x170 net/core/dev.c:8864
do_setlink+0x96d/0x3970 net/core/rtnetlink.c:2719
__rtnl_newlink+0xde6/0x1750 net/core/rtnetlink.c:3391
rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3506
rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2491
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x86d/0xda0 net/netlink/af_netlink.c:1916
sock_sendmsg_nosec net/socket.c:704 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:724
__sys_sendto+0x21c/0x320 net/socket.c:2036
__do_sys_sendto net/socket.c:2048 [inline]
__se_sys_sendto net/socket.c:2044 [inline]
__x64_sys_sendto+0xdd/0x1b0 net/socket.c:2044
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Last potentially related work creation:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
__kasan_record_aux_stack+0xf5/0x120 mm/kasan/generic.c:348
kvfree_call_rcu+0x74/0x990 kernel/rcu/tree.c:3550
drop_sysctl_table+0x3c0/0x4e0 fs/proc/proc_sysctl.c:1647
unregister_sysctl_table fs/proc/proc_sysctl.c:1685 [inline]
unregister_sysctl_table+0xc0/0x190 fs/proc/proc_sysctl.c:1660
neigh_sysctl_unregister+0x5b/0x80 net/core/neighbour.c:3810
devinet_sysctl_unregister net/ipv4/devinet.c:2633 [inline]
inetdev_destroy net/ipv4/devinet.c:326 [inline]
inetdev_event+0xd01/0x15d0 net/ipv4/devinet.c:1600
notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2002
call_netdevice_notifiers_extack net/core/dev.c:2014 [inline]
call_netdevice_notifiers net/core/dev.c:2028 [inline]
unregister_netdevice_many+0x94f/0x1790 net/core/dev.c:11077
ip_tunnel_delete_nets+0x39f/0x5b0 net/ipv4/ip_tunnel.c:1123
ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171
setup_net+0x639/0xa30 net/core/net_namespace.c:349
copy_net_ns+0x318/0x760 net/core/net_namespace.c:470
create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
ksys_unshare+0x445/0x920 kernel/fork.c:3075
__do_sys_unshare kernel/fork.c:3146 [inline]
__se_sys_unshare kernel/fork.c:3144 [inline]
__x64_sys_unshare+0x2d/0x40 kernel/fork.c:3144
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88807e707800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 179 bytes to the right of
1024-byte region [ffff88807e707800, ffff88807e707c00)
The buggy address belongs to the page:
page:ffffea0001f9c000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e700
head:ffffea0001f9c000 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c41dc0
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6516, ts 97269043295, free_ts 97263956877
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
__kmalloc_node_track_caller+0x2cb/0x360 mm/slub.c:4956
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0xde/0x340 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1126 [inline]
__tcp_send_ack.part.0+0x67/0x760 net/ipv4/tcp_output.c:3930
__tcp_send_ack net/ipv4/tcp_output.c:3962 [inline]
tcp_send_ack+0x7d/0xa0 net/ipv4/tcp_output.c:3962
tcp_cleanup_rbuf+0x464/0x5a0 net/ipv4/tcp.c:1580
tcp_recvmsg_locked+0x7a2/0x20d0 net/ipv4/tcp.c:2504
tcp_recvmsg+0x12b/0x550 net/ipv4/tcp.c:2534
inet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850
sock_recvmsg_nosec net/socket.c:944 [inline]
sock_recvmsg net/socket.c:962 [inline]
sock_recvmsg net/socket.c:958 [inline]
sock_read_iter+0x33c/0x470 net/socket.c:1035
call_read_iter include/linux/fs.h:2156 [inline]
new_sync_read+0x5ba/0x6e0 fs/read_write.c:400
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3388
skb_free_frag include/linux/skbuff.h:2949 [inline]
skb_free_head net/core/skbuff.c:653 [inline]
skb_release_data+0x61f/0x790 net/core/skbuff.c:677
skb_release_all net/core/skbuff.c:742 [inline]
__kfree_skb+0x46/0x60 net/core/skbuff.c:756
sk_eat_skb include/net/sock.h:2652 [inline]
tcp_recvmsg_locked+0x12e8/0x20d0 net/ipv4/tcp.c:2488
tcp_recvmsg+0x12b/0x550 net/ipv4/tcp.c:2534
inet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850
sock_recvmsg_nosec net/socket.c:944 [inline]
sock_recvmsg net/socket.c:962 [inline]
sock_recvmsg net/socket.c:958 [inline]
sock_read_iter+0x33c/0x470 net/socket.c:1035
call_read_iter include/linux/fs.h:2156 [inline]
new_sync_read+0x5ba/0x6e0 fs/read_write.c:400
vfs_read+0x35c/0x600 fs/read_write.c:481
ksys_read+0x1ee/0x250 fs/read_write.c:619
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Memory state around the buggy address:
ffff88807e707b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807e707c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807e707c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88807e707d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807e707d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: c7 c3 50 aa 03 00 mov $0x3aa50,%ebx
6: 83 f8 07 cmp $0x7,%eax
9: 89 c5 mov %eax,%ebp
b: 77 77 ja 0x84
d: 48 8d 3c ed a0 48 56 lea -0x74a9b760(,%rbp,8),%rdi
14: 8b
15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1c: fc ff df
1f: 48 89 fa mov %rdi,%rdx
22: 48 c1 ea 03 shr $0x3,%rdx
26: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
* 2a: 75 51 jne 0x7d <-- trapping instruction
2c: 48 03 1c ed a0 48 56 add -0x74a9b760(,%rbp,8),%rbx
33: 8b
34: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
3b: fc ff df
3e: 48 rex.W
3f: 89 .byte 0x89