================================================================== BUG: KASAN: slab-out-of-bounds in decode_session6 net/xfrm/xfrm_policy.c:3389 [inline] BUG: KASAN: slab-out-of-bounds in __xfrm_decode_session+0x1cfb/0x2e90 net/xfrm/xfrm_policy.c:3481 Read of size 1 at addr ffff888056ccecb3 by task kworker/0:11/13783 CPU: 0 PID: 13783 Comm: kworker/0:11 Not tainted 5.7.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 decode_session6 net/xfrm/xfrm_policy.c:3389 [inline] __xfrm_decode_session+0x1cfb/0x2e90 net/xfrm/xfrm_policy.c:3481 xfrm_decode_session include/net/xfrm.h:1133 [inline] vti_tunnel_xmit+0x25c/0x19a0 net/ipv4/ip_vti.c:321 __netdev_start_xmit include/linux/netdevice.h:4607 [inline] netdev_start_xmit include/linux/netdevice.h:4621 [inline] xmit_one net/core/dev.c:3541 [inline] dev_hard_start_xmit+0x1a4/0x9b0 net/core/dev.c:3557 sch_direct_xmit+0x345/0xc20 net/sched/sch_generic.c:313 qdisc_restart net/sched/sch_generic.c:376 [inline] __qdisc_run+0x4d1/0x17b0 net/sched/sch_generic.c:384 __dev_xmit_skb net/core/dev.c:3780 [inline] __dev_queue_xmit+0x165b/0x30a0 net/core/dev.c:4085 neigh_output include/net/neighbour.h:510 [inline] ip6_finish_output2+0x1091/0x25b0 net/ipv6/ip6_output.c:117 __ip6_finish_output+0x442/0xab0 net/ipv6/ip6_output.c:143 ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153 NF_HOOK_COND include/linux/netfilter.h:296 [inline] ip6_output+0x239/0x810 net/ipv6/ip6_output.c:176 dst_output include/net/dst.h:435 [inline] NF_HOOK include/linux/netfilter.h:307 [inline] ndisc_send_skb+0xf40/0x14b0 net/ipv6/ndisc.c:506 ndisc_send_rs+0x12e/0x6f0 net/ipv6/ndisc.c:700 addrconf_dad_completed+0x32e/0xbb0 net/ipv6/addrconf.c:4166 addrconf_dad_begin net/ipv6/addrconf.c:3933 [inline] addrconf_dad_work+0xaa7/0x1280 net/ipv6/addrconf.c:4035 process_one_work+0x965/0x16a0 kernel/workqueue.c:2268 worker_thread+0x96/0xe20 kernel/workqueue.c:2414 kthread+0x388/0x470 kernel/kthread.c:268 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351 Allocated by task 17963: save_stack+0x1b/0x40 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc mm/kasan/common.c:494 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:467 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc_track_caller+0x159/0x7a0 mm/slab.c:3671 kmemdup+0x23/0x50 mm/util.c:127 kmemdup include/linux/string.h:454 [inline] __devinet_sysctl_register+0x98/0x280 net/ipv4/devinet.c:2560 devinet_sysctl_register net/ipv4/devinet.c:2612 [inline] devinet_sysctl_register+0x160/0x230 net/ipv4/devinet.c:2602 inetdev_init+0x229/0x4f0 net/ipv4/devinet.c:276 inetdev_event+0xfdb/0x15b0 net/ipv4/devinet.c:1531 notifier_call_chain+0xc0/0x230 kernel/notifier.c:83 call_netdevice_notifiers_info net/core/dev.c:2012 [inline] call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1997 call_netdevice_notifiers_extack net/core/dev.c:2024 [inline] call_netdevice_notifiers net/core/dev.c:2038 [inline] register_netdevice+0xd70/0x10b0 net/core/dev.c:9537 veth_newlink+0x555/0xa10 drivers/net/veth.c:1393 __rtnl_newlink+0xf18/0x1590 net/core/rtnetlink.c:3340 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3398 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5461 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6e6/0x810 net/socket.c:2352 ___sys_sendmsg+0x100/0x170 net/socket.c:2406 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Freed by task 15796: save_stack+0x1b/0x40 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] kasan_set_free_info mm/kasan/common.c:316 [inline] __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:455 __cache_free mm/slab.c:3426 [inline] kfree+0x109/0x2b0 mm/slab.c:3757 skb_free_head+0x8b/0xa0 net/core/skbuff.c:590 skb_release_data+0x42e/0x8b0 net/core/skbuff.c:610 skb_release_all+0x46/0x60 net/core/skbuff.c:664 __kfree_skb net/core/skbuff.c:678 [inline] consume_skb net/core/skbuff.c:837 [inline] consume_skb+0xf3/0x400 net/core/skbuff.c:831 nsim_dev_trap_report drivers/net/netdevsim/dev.c:573 [inline] nsim_dev_trap_report_work+0x86d/0xbc0 drivers/net/netdevsim/dev.c:598 process_one_work+0x965/0x16a0 kernel/workqueue.c:2268 worker_thread+0x96/0xe20 kernel/workqueue.c:2414 kthread+0x388/0x470 kernel/kthread.c:268 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351 The buggy address belongs to the object at ffff888056cce000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 3251 bytes inside of 4096-byte region [ffff888056cce000, ffff888056ccf000) The buggy address belongs to the page: page:ffffea00015b3380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00015b3380 order:1 compound_mapcount:0 flags: 0xfffe0000010200(slab|head) raw: 00fffe0000010200 ffffea00019b5a08 ffffea00017dea08 ffff8880aa002000 raw: 0000000000000000 ffff888056cce000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888056cceb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888056ccec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888056ccec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888056cced00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888056cced80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================