==================================================================
BUG: KASAN: invalid-access in skb_dst include/linux/skbuff.h:1127 [inline]
BUG: KASAN: invalid-access in decode_session6+0x54/0x43c net/xfrm/xfrm_policy.c:3462
Read at addr f3ff0000059719a0 by task swapper/1/0
Pointer tag: [f3], memory tag: [fe]

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.4.0-syzkaller-04247-g3a8a670eeeaa #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:233
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xd8/0x5f4 mm/kasan/report.c:475
 kasan_report+0x7c/0xa0 mm/kasan/report.c:588
 __do_kernel_fault+0x174/0x1c0 arch/arm64/mm/fault.c:334
 do_bad_area arch/arm64/mm/fault.c:493 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:804
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:880
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:369
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:429
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:586
 skb_dst include/linux/skbuff.h:1127 [inline]
 decode_session6+0x54/0x43c net/xfrm/xfrm_policy.c:3462
 __xfrm_decode_session+0x34/0x74 net/xfrm/xfrm_policy.c:3566
 xfrm_decode_session include/net/xfrm.h:1216 [inline]
 vti6_tnl_xmit+0xf4/0x704 net/ipv6/ip6_vti.c:575
 __netdev_start_xmit include/linux/netdevice.h:4910 [inline]
 netdev_start_xmit include/linux/netdevice.h:4924 [inline]
 xmit_one net/core/dev.c:3537 [inline]
 dev_hard_start_xmit+0x94/0x148 net/core/dev.c:3553
 sch_direct_xmit+0x90/0x1e4 net/sched/sch_generic.c:342
 qdisc_restart net/sched/sch_generic.c:407 [inline]
 __qdisc_run+0x124/0x74c net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3827 [inline]
 __dev_queue_xmit+0x714/0xd40 net/core/dev.c:4169
 dev_queue_xmit include/linux/netdevice.h:3088 [inline]
 neigh_connected_output+0xc4/0x124 net/core/neighbour.c:1581
 neigh_output include/net/neighbour.h:544 [inline]
 ip6_finish_output2+0x1b0/0x7b4 net/ipv6/ip6_output.c:135
 __ip6_finish_output net/ipv6/ip6_output.c:196 [inline]
 ip6_finish_output+0x220/0x360 net/ipv6/ip6_output.c:207
 NF_HOOK_COND include/linux/netfilter.h:292 [inline]
 ip6_output+0x74/0x1d4 net/ipv6/ip6_output.c:228
 dst_output include/net/dst.h:458 [inline]
 NF_HOOK.constprop.0+0x50/0xe0 include/linux/netfilter.h:303
 ndisc_send_skb+0x2f0/0x488 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x5c/0x1b0 net/ipv6/ndisc.c:718
 addrconf_rs_timer+0x154/0x2ac net/ipv6/addrconf.c:3936
 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1700
 expire_timers+0x9c/0xd4 kernel/time/timer.c:1751
 __run_timers kernel/time/timer.c:2022 [inline]
 __run_timers kernel/time/timer.c:1995 [inline]
 run_timer_softirq+0xf4/0x254 kernel/time/timer.c:2035
 __do_softirq+0x124/0x290 kernel/softirq.c:553
 ____do_softirq+0x10/0x1c arch/arm64/kernel/irq.c:80
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:882
 do_softirq_own_stack+0x1c/0x2c arch/arm64/kernel/irq.c:85
 invoke_softirq kernel/softirq.c:434 [inline]
 __irq_exit_rcu kernel/softirq.c:632 [inline]
 irq_exit_rcu+0xd8/0xf4 kernel/softirq.c:644
 __el1_irq arch/arm64/kernel/entry-common.c:474 [inline]
 el1_interrupt+0x38/0x64 arch/arm64/kernel/entry-common.c:488
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:493
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:587
 __daif_local_irq_enable arch/arm64/include/asm/irqflags.h:33 [inline]
 arch_local_irq_enable arch/arm64/include/asm/irqflags.h:55 [inline]
 default_idle_call+0x28/0x3c kernel/sched/idle.c:103
 cpuidle_idle_call kernel/sched/idle.c:170 [inline]
 do_idle+0x214/0x270 kernel/sched/idle.c:282
 cpu_startup_entry+0x24/0x2c kernel/sched/idle.c:379
 secondary_start_kernel+0x130/0x150 arch/arm64/kernel/smp.c:264
 __secondary_switched+0xb8/0xbc arch/arm64/kernel/head.S:679

The buggy address belongs to the object at ffff0000059718c0
 which belongs to the cache skbuff_small_head of size 576
The buggy address is located 224 bytes inside of
 576-byte region [ffff0000059718c0, ffff000005971b00)

The buggy address belongs to the physical page:
page:00000000af0cb823 refcount:1 mapcount:0 mapping:0000000000000000 index:0xf0ff000005971d40 pfn:0x45970
head:00000000af0cb823 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x1ffc00000010200(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: 0xffffffff()
raw: 01ffc00000010200 fbff000002e09400 fffffc0000165b90 fffffc0000165c90
raw: f0ff000005971d40 00000000000e0000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000005971700: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff000005971800: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff000005971900: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                                 ^
 ffff000005971a00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff000005971b00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================