==================================================================
BUG: KASAN: slab-out-of-bounds in decode_session6 net/xfrm/xfrm_policy.c:3389 [inline]
BUG: KASAN: slab-out-of-bounds in __xfrm_decode_session+0x1cfb/0x2e90 net/xfrm/xfrm_policy.c:3481
Read of size 1 at addr ffff88809f4fc29f by task kworker/1:3/2548

CPU: 1 PID: 2548 Comm: kworker/1:3 Not tainted 5.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 decode_session6 net/xfrm/xfrm_policy.c:3389 [inline]
 __xfrm_decode_session+0x1cfb/0x2e90 net/xfrm/xfrm_policy.c:3481
 xfrm_decode_session include/net/xfrm.h:1133 [inline]
 vti_tunnel_xmit+0x25c/0x19a0 net/ipv4/ip_vti.c:321
 __netdev_start_xmit include/linux/netdevice.h:4607 [inline]
 netdev_start_xmit include/linux/netdevice.h:4621 [inline]
 xmit_one net/core/dev.c:3541 [inline]
 dev_hard_start_xmit+0x1a4/0x9b0 net/core/dev.c:3557
 sch_direct_xmit+0x345/0xc20 net/sched/sch_generic.c:313
 qdisc_restart net/sched/sch_generic.c:376 [inline]
 __qdisc_run+0x4d1/0x17b0 net/sched/sch_generic.c:384
 __dev_xmit_skb net/core/dev.c:3780 [inline]
 __dev_queue_xmit+0x165b/0x30a0 net/core/dev.c:4085
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0x1091/0x25b0 net/ipv6/ip6_output.c:117
 __ip6_finish_output+0x442/0xab0 net/ipv6/ip6_output.c:143
 ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x239/0x810 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:435 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 mld_sendpack+0x961/0xdf0 net/ipv6/mcast.c:1679
 mld_send_initial_cr.part.0+0x107/0x150 net/ipv6/mcast.c:2096
 mld_send_initial_cr net/ipv6/mcast.c:2109 [inline]
 ipv6_mc_dad_complete+0x192/0x1d0 net/ipv6/mcast.c:2103
 addrconf_dad_completed+0x8ce/0xbb0 net/ipv6/addrconf.c:4146
 addrconf_dad_begin net/ipv6/addrconf.c:3933 [inline]
 addrconf_dad_work+0xaa7/0x1280 net/ipv6/addrconf.c:4035
 process_one_work+0x965/0x16a0 kernel/workqueue.c:2268
 worker_thread+0x96/0xe20 kernel/workqueue.c:2414
 kthread+0x388/0x470 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

Allocated by task 22573:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc mm/kasan/common.c:494 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:467
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc_track_caller+0x159/0x7a0 mm/slab.c:3671
 kstrdup+0x36/0x70 mm/util.c:60
 kstrdup_const+0x53/0x80 mm/util.c:82
 __kernfs_new_node+0x9d/0x880 fs/kernfs/dir.c:623
 kernfs_new_node+0x93/0x120 fs/kernfs/dir.c:689
 kernfs_create_link+0xcb/0x230 fs/kernfs/symlink.c:39
 sysfs_do_create_link_sd.isra.0+0x8b/0x130 fs/sysfs/symlink.c:44
 sysfs_do_create_link fs/sysfs/symlink.c:80 [inline]
 sysfs_create_link+0x61/0xc0 fs/sysfs/symlink.c:92
 device_add_class_symlinks drivers/base/core.c:2255 [inline]
 device_add+0x713/0x1c10 drivers/base/core.c:2494
 netdev_register_kobject+0x180/0x3b0 net/core/net-sysfs.c:1888
 register_netdevice+0xa80/0x10b0 net/core/dev.c:9506
 __ip_tunnel_create+0x349/0x510 net/ipv4/ip_tunnel.c:265
 ip_tunnel_init_net+0x370/0x9e0 net/ipv4/ip_tunnel.c:1070
 vti_init_net+0x2a/0x360 net/ipv4/ip_vti.c:509
 ops_init+0xaf/0x420 net/core/net_namespace.c:151
 setup_net+0x2de/0x860 net/core/net_namespace.c:341
 copy_net_ns+0x293/0x590 net/core/net_namespace.c:482
 create_new_namespaces+0x3fb/0xb30 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:231
 ksys_unshare+0x43d/0x8e0 kernel/fork.c:2984
 __do_sys_unshare kernel/fork.c:3052 [inline]
 __se_sys_unshare kernel/fork.c:3050 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3050
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 22201:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x109/0x2b0 mm/slab.c:3757
 tomoyo_path_perm+0x236/0x400 security/tomoyo/file.c:842
 security_inode_getattr+0xeb/0x150 security/security.c:1273
 vfs_getattr+0x22/0x60 fs/stat.c:121
 vfs_statx_fd+0x6a/0xb0 fs/stat.c:151
 vfs_fstat include/linux/fs.h:3319 [inline]
 __do_sys_newfstat+0x88/0x100 fs/stat.c:398
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff88809f4fc280
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 31 bytes inside of
 32-byte region [ffff88809f4fc280, ffff88809f4fc2a0)
The buggy address belongs to the page:
page:ffffea00027d3f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809f4fcfc1
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00017251c8 ffffea000280a348 ffff8880aa0001c0
raw: ffff88809f4fcfc1 ffff88809f4fc000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f4fc180: 00 fc fc fc fc fc fc fc 04 fc fc fc fc fc fc fc
 ffff88809f4fc200: 05 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
>ffff88809f4fc280: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
                            ^
 ffff88809f4fc300: fb fb fb fb fc fc fc fc 06 fc fc fc fc fc fc fc
 ffff88809f4fc380: 00 00 fc fc fc fc fc fc 05 fc fc fc fc fc fc fc
==================================================================