==================================================================
BUG: KASAN: use-after-free in decode_session6+0xfc3/0x17f0 net/xfrm/xfrm_policy.c:3376
Read of size 1 at addr ffff88801b8c1e89 by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.19.0-rc8-syzkaller-00152-g620725263f42 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
decode_session6+0xfc3/0x17f0 net/xfrm/xfrm_policy.c:3376
__xfrm_decode_session+0x50/0xb0 net/xfrm/xfrm_policy.c:3482
xfrm_decode_session include/net/xfrm.h:1160 [inline]
vti6_tnl_xmit+0x419/0x1fe0 net/ipv6/ip6_vti.c:577
__netdev_start_xmit include/linux/netdevice.h:4805 [inline]
netdev_start_xmit include/linux/netdevice.h:4819 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x188/0x880 net/core/dev.c:3606
sch_direct_xmit+0x19f/0xbe0 net/sched/sch_generic.c:342
qdisc_restart net/sched/sch_generic.c:407 [inline]
__qdisc_run+0x4c0/0x1720 net/sched/sch_generic.c:415
__dev_xmit_skb net/core/dev.c:3880 [inline]
__dev_queue_xmit+0x217a/0x3900 net/core/dev.c:4221
dev_queue_xmit include/linux/netdevice.h:2994 [inline]
neigh_connected_output+0x3c0/0x520 net/core/neighbour.c:1557
neigh_output include/net/neighbour.h:549 [inline]
ip6_finish_output2+0x564/0x1520 net/ipv6/ip6_output.c:134
__ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
ip6_finish_output+0x844/0x1170 net/ipv6/ip6_output.c:206
NF_HOOK_COND include/linux/netfilter.h:296 [inline]
ip6_output+0x1ed/0x540 net/ipv6/ip6_output.c:227
dst_output include/net/dst.h:451 [inline]
NF_HOOK include/linux/netfilter.h:307 [inline]
ndisc_send_skb+0xa64/0x1740 net/ipv6/ndisc.c:507
ndisc_send_rs+0x12e/0x6f0 net/ipv6/ndisc.c:717
addrconf_rs_timer+0x3f2/0x820 net/ipv6/addrconf.c:3927
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers.part.0+0x679/0xa80 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
__do_softirq+0x29b/0x9c2 kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:default_idle+0xb/0x10 arch/x86/kernel/process.c:731
Code: ff ff ff 48 89 df e8 f4 b4 4b f8 e9 55 ff ff ff 4c 89 e7 e8 e7 b4 4b f8 eb 96 0f 1f 44 00 00 66 90 0f 00 2d a7 91 4c 00 fb f4 cc cc cc cc 41 55 41 54 55 48 89 fd 53 e8 92 77 ff f7 e8 8d 0d
RSP: 0018:ffffc9000067fe00 EFLAGS: 00000242
RAX: 0000000000793231 RBX: ffff888012544000 RCX: ffffffff89772771
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000001 R09: ffff88802c93af93
R10: ffffed10059275f2 R11: 0000000000000001 R12: ffffed10024a8800
R13: 0000000000000001 R14: ffffffff8dbb1690 R15: 0000000000000000
default_idle_call+0x80/0xc0 kernel/sched/idle.c:109
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x401/0x590 kernel/sched/idle.c:303
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:400
start_secondary+0x21d/0x2b0 arch/x86/kernel/smpboot.c:266
secondary_startup_64_no_verify+0xce/0xdb
The buggy address belongs to the physical page:
page:ffffea00006e3040 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1b8c1
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea000066dd88 ffffea000094d248 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2c2220(__GFP_HIGH|__GFP_ATOMIC|__GFP_NOWARN|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_THISNODE), pid 11947, tgid 11946 (syz-executor.0), ts 2100999779330, free_ts 2125014136236
prep_new_page mm/page_alloc.c:2456 [inline]
get_page_from_freelist+0x1298/0x3b80 mm/page_alloc.c:4202
__alloc_pages_slowpath.constprop.0+0x2e9/0x2160 mm/page_alloc.c:4977
__alloc_pages+0x436/0x510 mm/page_alloc.c:5443
__alloc_pages_node include/linux/gfp.h:587 [inline]
kmem_getpages mm/slab.c:1363 [inline]
cache_grow_begin+0x75/0x350 mm/slab.c:2569
cache_alloc_refill+0x27f/0x380 mm/slab.c:2942
____cache_alloc mm/slab.c:3024 [inline]
____cache_alloc mm/slab.c:3007 [inline]
slab_alloc_node mm/slab.c:3227 [inline]
kmem_cache_alloc_node_trace+0x518/0x5b0 mm/slab.c:3611
__do_kmalloc_node mm/slab.c:3633 [inline]
__kmalloc_node_track_caller+0x38/0x60 mm/slab.c:3648
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0xde/0x340 net/core/skbuff.c:426
skb_copy_expand+0xae/0x3e0 net/core/skbuff.c:1894
sctp_ulpevent_make_send_failed+0xb1/0x9d0 net/sctp/ulpevent.c:442
sctp_datamsg_destroy net/sctp/chunk.c:96 [inline]
sctp_datamsg_put+0x366/0x5d0 net/sctp/chunk.c:128
sctp_chunk_free+0x42/0x60 net/sctp/sm_make_chunk.c:1515
__sctp_outq_teardown+0x6fe/0xc30 net/sctp/outqueue.c:257
sctp_association_free+0x20a/0x7d0 net/sctp/associola.c:341
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:944 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1328 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
sctp_do_sm+0x3855/0x4f00 net/sctp/sm_sideeffect.c:1170
sctp_primitive_SHUTDOWN+0x9b/0xc0 net/sctp/primitive.c:89
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1371 [inline]
free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421
free_unref_page_prepare mm/page_alloc.c:3343 [inline]
free_unref_page+0x19/0x6a0 mm/page_alloc.c:3438
slab_destroy mm/slab.c:1615 [inline]
slabs_destroy+0x89/0xc0 mm/slab.c:1635
cache_flusharray mm/slab.c:3397 [inline]
___cache_free+0x34e/0x670 mm/slab.c:3460
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x4f/0x1b0 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x97/0xb0 mm/kasan/common.c:446
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
slab_alloc mm/slab.c:3302 [inline]
__kmem_cache_alloc_lru mm/slab.c:3479 [inline]
kmem_cache_alloc_lru+0x301/0x8c0 mm/slab.c:3506
__d_alloc+0x32/0x960 fs/dcache.c:1769
d_alloc+0x4a/0x230 fs/dcache.c:1849
d_alloc_parallel+0xe7/0x1af0 fs/dcache.c:2601
__lookup_slow+0x193/0x480 fs/namei.c:1686
lookup_slow fs/namei.c:1718 [inline]
walk_component+0x40f/0x6a0 fs/namei.c:2014
lookup_last fs/namei.c:2469 [inline]
path_lookupat+0x1bb/0x860 fs/namei.c:2493
filename_lookup+0x1c6/0x590 fs/namei.c:2522
user_path_at_empty+0x42/0x60 fs/namei.c:2895
Memory state around the buggy address:
ffff88801b8c1d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88801b8c1e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88801b8c1e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88801b8c1f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88801b8c1f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
0: ff 48 89 decl -0x77(%rax)
3: df e8 fucomip %st(0),%st
5: f4 hlt
6: b4 4b mov $0x4b,%ah
8: f8 clc
9: e9 55 ff ff ff jmpq 0xffffff63
e: 4c 89 e7 mov %r12,%rdi
11: e8 e7 b4 4b f8 callq 0xf84bb4fd
16: eb 96 jmp 0xffffffae
18: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1d: 66 90 xchg %ax,%ax
1f: 0f 00 2d a7 91 4c 00 verw 0x4c91a7(%rip) # 0x4c91cd
26: fb sti
27: f4 hlt
* 28: c3 retq <-- trapping instruction
29: cc int3
2a: cc int3
2b: cc int3
2c: cc int3
2d: 41 55 push %r13
2f: 41 54 push %r12
31: 55 push %rbp
32: 48 89 fd mov %rdi,%rbp
35: 53 push %rbx
36: e8 92 77 ff f7 callq 0xf7ff77cd
3b: e8 .byte 0xe8
3c: 8d .byte 0x8d
3d: 0d .byte 0xd