==================================================================
BUG: KASAN: use-after-free in decode_session6+0x10e1/0x1950 net/xfrm/xfrm_policy.c:3460
Read of size 1 at addr ffff888042ae855c by task syz-executor.1/2171

CPU: 0 PID: 2171 Comm: syz-executor.1 Not tainted 6.5.0-syzkaller-10619-g29aa98d0fe01 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 decode_session6+0x10e1/0x1950 net/xfrm/xfrm_policy.c:3460
 __xfrm_decode_session+0x54/0xb0 net/xfrm/xfrm_policy.c:3566
 xfrm_decode_session_reverse include/net/xfrm.h:1223 [inline]
 icmpv6_route_lookup+0x397/0x550 net/ipv6/icmp.c:388
 icmp6_send+0x11c1/0x2720 net/ipv6/icmp.c:595
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x31/0x5a0 net/ipv6/route.c:2784
 dst_link_failure include/net/dst.h:437 [inline]
 ip6_tnl_xmit+0x4f9/0x3950 net/ipv6/ip6_tunnel.c:1268
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1384 [inline]
 ip6_tnl_start_xmit+0x6ef/0x1750 net/ipv6/ip6_tunnel.c:1432
 __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
 netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 xmit_one net/core/dev.c:3544 [inline]
 dev_hard_start_xmit+0x13d/0x6c0 net/core/dev.c:3560
 sch_direct_xmit+0x1ac/0xc20 net/sched/sch_generic.c:342
 qdisc_restart net/sched/sch_generic.c:407 [inline]
 __qdisc_run+0x540/0x19d0 net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3834 [inline]
 __dev_queue_xmit+0x24f9/0x3d80 net/core/dev.c:4306
 dev_queue_xmit include/linux/netdevice.h:3082 [inline]
 neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1581
 neigh_output include/net/neighbour.h:542 [inline]
 ip6_finish_output2+0x610/0x1b20 net/ipv6/ip6_output.c:135
 __ip6_finish_output net/ipv6/ip6_output.c:196 [inline]
 ip6_finish_output+0x485/0x1250 net/ipv6/ip6_output.c:207
 NF_HOOK_COND include/linux/netfilter.h:293 [inline]
 ip6_output+0x23a/0x880 net/ipv6/ip6_output.c:228
 dst_output include/net/dst.h:458 [inline]
 ip6_local_out+0xaf/0x190 net/ipv6/output_core.c:155
 ip6_send_skb+0xb7/0x330 net/ipv6/ip6_output.c:2018
 ip6_push_pending_frames+0xe0/0x100 net/ipv6/ip6_output.c:2038
 rawv6_push_pending_frames net/ipv6/raw.c:581 [inline]
 rawv6_sendmsg+0x2fab/0x40e0 net/ipv6/raw.c:920
 inet_sendmsg+0x9d/0xe0 net/ipv4/af_inet.c:840
 sock_sendmsg_nosec net/socket.c:730 [inline]
 sock_sendmsg+0xd9/0x180 net/socket.c:753
 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2540
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2594
 __sys_sendmsg+0x117/0x1e0 net/socket.c:2623
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x61/0xe0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x70/0x82
RIP: 0023:0xf7fae579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f7fa95ac EFLAGS: 00000292 ORIG_RAX: 0000000000000172
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000040
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

The buggy address belongs to the physical page:
page:ffffea00010aba00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x42ae8
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffff7f(buddy)
raw: 00fff00000000000 ffffea0000a8bc08 ffffea0000aa9e08 0000000000000000
raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x140cc0(GFP_USER|__GFP_COMP), pid 1926, tgid 1921 (syz-executor.3), ts 1636980771578, free_ts 1637078077411
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x10a9/0x31e0 mm/page_alloc.c:3183
 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4439
 __alloc_pages_node include/linux/gfp.h:237 [inline]
 alloc_pages_node include/linux/gfp.h:260 [inline]
 __kmalloc_large_node+0x87/0x1c0 mm/slab_common.c:1164
 __do_kmalloc_node mm/slab_common.c:1011 [inline]
 __kmalloc.cold+0xb/0xe0 mm/slab_common.c:1036
 kmalloc_array include/linux/slab.h:636 [inline]
 vhost_dev_alloc_iovecs drivers/vhost/vhost.c:441 [inline]
 vhost_dev_set_owner+0x194/0xa70 drivers/vhost/vhost.c:878
 vhost_net_set_owner drivers/vhost/net.c:1687 [inline]
 vhost_net_ioctl+0x692/0x16e0 drivers/vhost/net.c:1737
 compat_ptr_ioctl+0x71/0xa0 fs/ioctl.c:910
 __do_compat_sys_ioctl+0x2bf/0x330 fs/ioctl.c:972
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x61/0xe0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x70/0x82
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2312
 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2405
 vhost_vq_free_iovecs drivers/vhost/vhost.c:424 [inline]
 vhost_dev_free_iovecs drivers/vhost/vhost.c:461 [inline]
 vhost_dev_cleanup+0x7c0/0xee0 drivers/vhost/vhost.c:984
 vhost_net_release+0xb9/0x2d0 drivers/vhost/net.c:1411
 __fput+0x3f7/0xa70 fs/file_table.c:384
 __fput_sync+0x47/0x50 fs/file_table.c:465
 __do_sys_close fs/open.c:1572 [inline]
 __se_sys_close fs/open.c:1557 [inline]
 __ia32_sys_close+0x87/0xf0 fs/open.c:1557
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x61/0xe0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

Memory state around the buggy address:
 ffff888042ae8400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888042ae8480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888042ae8500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                    ^
 ffff888042ae8580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888042ae8600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	10 06                	adc    %al,(%rsi)
   2:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
   6:	10 07                	adc    %al,(%rdi)
   8:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
   c:	10 08                	adc    %cl,(%rax)
   e:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  1e:	00 51 52             	add    %dl,0x52(%rcx)
  21:	55                   	push   %rbp
  22:	89 e5                	mov    %esp,%ebp
  24:	0f 34                	sysenter
  26:	cd 80                	int    $0x80
* 28:	5d                   	pop    %rbp <-- trapping instruction
  29:	5a                   	pop    %rdx
  2a:	59                   	pop    %rcx
  2b:	c3                   	ret
  2c:	90                   	nop
  2d:	90                   	nop
  2e:	90                   	nop
  2f:	90                   	nop
  30:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
  37:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi