ci starts bisection 2025-08-27 22:49:57.337984768 +0000 UTC m=+103715.656175672
bisecting cause commit starting from b1c92cdf5af3198e8fbc1345a80e2a1dff386c02
building syzkaller on bf27483f963359281b2d9b6d6efd36289f82e282
ensuring issue is reproducible on original commit b1c92cdf5af3198e8fbc1345a80e2a1dff386c02
testing commit b1c92cdf5af3198e8fbc1345a80e2a1dff386c02 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 84df00bdc95a9624316ff298806cc73422b67d3f265b386c4796cb6b2b34c270
run #0: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #1: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #2: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #3: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #4: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #5: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #6: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #7: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #8: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #9: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #10: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #11: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #12: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #13: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #14: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #15: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #16: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #17: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #18: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
run #19: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Write in __xfrm_state_delete, types: [KASAN-USE-AFTER-FREE-WRITE]
check whether we can drop unnecessary instrumentation
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit b1c92cdf5af3198e8fbc1345a80e2a1dff386c02 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: a925322418efe95cefbe147cf374b54de8459262bb6fb85aa924563fb5200c91
all runs: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
representative crash: KASAN: slab-use-after-free Write in __xfrm_state_delete, types: [KASAN-USE-AFTER-FREE-WRITE]
the bug reproduces without the instrumentation
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
kconfig minimization: base=4099 full=8506 leaves diff=2191
split chunks (needed=false): <2191>
split chunk #0 of len 2191 into 5 parts
testing without sub-chunk 1/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
testing commit b1c92cdf5af3198e8fbc1345a80e2a1dff386c02 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 22427828340094233416a37c070ad383aec6c9a23920dbe62cba74e3e28a3c69
all runs: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
representative crash: KASAN: slab-use-after-free Write in __xfrm_state_delete, types: [KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit b1c92cdf5af3198e8fbc1345a80e2a1dff386c02 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ee2ae3c679513d82051589cc382c4b3e7a85a4f14f0a077a580c9af8a7b4e356
all runs: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
representative crash: KASAN: slab-use-after-free Write in __xfrm_state_delete, types: [KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit b1c92cdf5af3198e8fbc1345a80e2a1dff386c02 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 7655f46192f914256d0521967b3a5986160cf4145b627c5adc8b187f9594e8a7
all runs: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
representative crash: KASAN: slab-use-after-free Write in __xfrm_state_delete, types: [KASAN-USE-AFTER-FREE-WRITE]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed
testing commit b1c92cdf5af3198e8fbc1345a80e2a1dff386c02 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 0beba1921796028fb09b67afc744a76ad990d1ebf4dab058101acd6b8077bb93
run #0: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #1: crashed: KFENCE: use-after-free read in xfrm_alloc_spi
run #2: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #3: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #4: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #5: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #6: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #7: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #8: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
run #9: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [memleak ubsan bug_or_warning locking atomic_sleep hang], they are not needed
testing commit b1c92cdf5af3198e8fbc1345a80e2a1dff386c02 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 352bbdaa0cc30caaaaf97efac9bbf2d6678a55b7f3d920931a42889258ed5574
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
picked [v6.16 v6.15 v6.14 v6.12 v6.10 v6.8 v6.6 v6.4 v6.1 v5.18 v5.15 v5.12 v5.9 v5.6 v5.3 v5.0 v4.19] out of 39 release tags
testing release v6.16
testing commit 038d61fd642278bab63ee8ef722c50d10ab01e8f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ad678e23a10ddb7d31ae214b235b617065450eed527d82a091cacbef51554504
all runs: OK
false negative chance: 0.000
# git bisect start b1c92cdf5af3198e8fbc1345a80e2a1dff386c02 038d61fd642278bab63ee8ef722c50d10ab01e8f
Bisecting: 6395 revisions left to test after this (roughly 13 steps)
[d9104cec3e8fe4b458b74709853231385779001f] Merge tag 'bpf-next-6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
testing commit d9104cec3e8fe4b458b74709853231385779001f gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 5bce6d2e2e293c3f37c46552168232aa72f321f0c0308e2da5dd7933e26070c4
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad d9104cec3e8fe4b458b74709853231385779001f
Bisecting: 3230 revisions left to test after this (roughly 12 steps)
[115e74a29b530d121891238e9551c4bcdf7b04b5] Merge tag 'soc-dt-6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 115e74a29b530d121891238e9551c4bcdf7b04b5 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: af7acb0e7c6426cf20b9890e3763d54e6d2cfbf6effd75d0a359223b988d5adc
all runs: OK
false negative chance: 0.000
# git bisect good 115e74a29b530d121891238e9551c4bcdf7b04b5
Bisecting: 1650 revisions left to test after this (roughly 11 steps)
[55c172c13718b93300d3808b65ec326b5287c766] ssb: use new GPIO line value setter callbacks for the second GPIO chip
testing commit 55c172c13718b93300d3808b65ec326b5287c766 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: a0902c37d51ec200c79fbf60b4e6012ddecc65ec2460f77f5e11853845df4d1b
all runs: OK
false negative chance: 0.000
# git bisect good 55c172c13718b93300d3808b65ec326b5287c766
Bisecting: 826 revisions left to test after this (roughly 10 steps)
[4dd39ddeb68fbb6d068611f2cc647948dc7dfca0] Merge tag 'x86-cpu-2025-07-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 4dd39ddeb68fbb6d068611f2cc647948dc7dfca0 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 3b9945b8747115e8182df6810cbd737d49203e3cd496063f177c4b9cef88cd8f
all runs: OK
false negative chance: 0.000
# git bisect good 4dd39ddeb68fbb6d068611f2cc647948dc7dfca0
Bisecting: 460 revisions left to test after this (roughly 9 steps)
[fa582ca7e187a15e772e6a72fe035f649b387a60] dpll: zl3073x: Fix build failure
testing commit fa582ca7e187a15e772e6a72fe035f649b387a60 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: eab0dfb9cf7cf538299113cca6c3c871944910637d89cb0e8fe2a48f7e5a0075
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad fa582ca7e187a15e772e6a72fe035f649b387a60
Bisecting: 182 revisions left to test after this (roughly 8 steps)
[2935e556850e9c94d7a00adf14d3cd7fe406ac03] Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'
testing commit 2935e556850e9c94d7a00adf14d3cd7fe406ac03 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 81a7588f1d6b5beb130d26837b73c5a01ade59f6b64faa65cb50f92892bea756
all runs: OK
false negative chance: 0.000
# git bisect good 2935e556850e9c94d7a00adf14d3cd7fe406ac03
Bisecting: 92 revisions left to test after this (roughly 7 steps)
[e9e91870ac21ad7941774b62e2b9af2658dc503c] Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue
testing commit e9e91870ac21ad7941774b62e2b9af2658dc503c gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: e87ec40349e8ed5bbe4f594129bc878899cd93b4ab9219478adfe7591f0a929f
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad e9e91870ac21ad7941774b62e2b9af2658dc503c
Bisecting: 44 revisions left to test after this (roughly 6 steps)
[d2002ccb47dd3bf6102d06c8e5062ccfdd31ce28] Merge tag 'for-net-next-2025-07-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
testing commit d2002ccb47dd3bf6102d06c8e5062ccfdd31ce28 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: f68e5438ffa907e7ac0b9696740e961efb6ccae70e7f9ba69a3097484c2823d0
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad d2002ccb47dd3bf6102d06c8e5062ccfdd31ce28
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[8aad37d16cffb6c0940d9b213456a2733a786f57] Merge branch 'dualpi2-patch'
testing commit 8aad37d16cffb6c0940d9b213456a2733a786f57 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 2dfe8c05e6b512cbe690916ef444b3f8cc4dd67a393269a3213d249fa74dbe87
all runs: OK
false negative chance: 0.000
# git bisect good 8aad37d16cffb6c0940d9b213456a2733a786f57
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[f70d9819c779fd9eae04c38b1997b3224a5b0fe7] selftests: drv-net: devmem: use new mattr ynl helpers
testing commit f70d9819c779fd9eae04c38b1997b3224a5b0fe7 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: f138bdc3d3172ac8a3dce7ef991384b716e44c65b9bd6e4452a31443594f1049
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad f70d9819c779fd9eae04c38b1997b3224a5b0fe7
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[8b5a19b4ff6a2096225d88cf24cfeef03edc1bed] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 8b5a19b4ff6a2096225d88cf24cfeef03edc1bed gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: ebb348f77fd74e81098612aa1d9bdabebb2e7c3c77c440a8be694b7afe2cec49
all runs: crashed: KASAN: slab-use-after-free Read in xfrm_alloc_spi
representative crash: KASAN: slab-use-after-free Read in xfrm_alloc_spi, types: [KASAN-USE-AFTER-FREE-READ]
# git bisect bad 8b5a19b4ff6a2096225d88cf24cfeef03edc1bed
Bisecting: 2 revisions left to test after this (roughly 1 step)
[94f39804d891cffe4ce17737d295f3b195bc7299] xfrm: Duplicate SPI Handling
testing commit 94f39804d891cffe4ce17737d295f3b195bc7299 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: b7d08aa2e80c8792510bed7ced1721cd391fd611520aeca47f59d5c30bc11a3d
all runs: crashed: KASAN: slab-use-after-free Write in __xfrm_state_delete
representative crash: KASAN: slab-use-after-free Write in __xfrm_state_delete, types: [KASAN-USE-AFTER-FREE-WRITE]
# git bisect bad 94f39804d891cffe4ce17737d295f3b195bc7299
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b05d42eefac737ce3cd80114d3579111023941b8] xfrm: hold device only for the asynchronous decryption
testing commit b05d42eefac737ce3cd80114d3579111023941b8 gcc
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
kernel signature: 0057620a8db4077d453c361754b479557ca91205a5880c1bf5e3fe3244f935c0
all runs: OK
false negative chance: 0.000
# git bisect good b05d42eefac737ce3cd80114d3579111023941b8
94f39804d891cffe4ce17737d295f3b195bc7299 is the first bad commit
commit 94f39804d891cffe4ce17737d295f3b195bc7299
Author: Aakash Kumar S
Date:   Mon Jun 30 18:08:56 2025 +0530

xfrm: Duplicate SPI Handling

The issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPI Netlink message, which triggers the kernel function xfrm_alloc_spi(). This function is expected to ensure uniqueness of the Security Parameter Index (SPI) for inbound Security Associations (SAs). However, it can return success even when the requested SPI is already in use, leading to duplicate SPIs assigned to multiple inbound SAs, differentiated only by their destination addresses.
This behavior causes inconsistencies during SPI lookups for inbound packets. Since the lookup may return an arbitrary SA among those with the same SPI, packet processing can fail, resulting in packet drops.

According to RFC 4301 section 4.4.2, for inbound processing a unicast SA is uniquely identified by the SPI and optionally protocol.

Reproducing the Issue Reliably:
To consistently reproduce the problem, restrict the available SPI range in charon.conf:
spi_min = 0x10000000
spi_max = 0x10000002
This limits the system to only 2 usable SPI values.
Next, create more than 2 Child SAs, each using a unique pair of src/dst addresses. As soon as the 3rd Child SA is initiated, it will be assigned a duplicate SPI, since the SPI pool is already exhausted.
With a narrow SPI range, the issue is consistently reproducible. With a broader/default range, it becomes rare and unpredictable.

Current implementation:
The xfrm_spi_hash() lookup function computes the hash using daddr, proto, and family. So if two SAs have the same SPI but different destination addresses, then they will:
a. Hash into different buckets
b. Be stored in different linked lists (byspi + h)
c. Not be seen in the same hlist_for_each_entry_rcu() iteration.
As a result, the lookup will result in NULL and the kernel allows that duplicate SPI.

Proposed Change:
xfrm_state_lookup_spi_proto() does a truly global search - across all states, regardless of hash bucket - and matches SPI and proto.
Signed-off-by: Aakash Kumar S
Acked-by: Herbert Xu
Signed-off-by: Steffen Klassert

 net/xfrm/xfrm_state.c | 72 ++++++++++++++++++++++++++++++---------------------
 1 file changed, 43 insertions(+), 29 deletions(-)

accumulated error probability: 0.00
culprit signature: b7d08aa2e80c8792510bed7ced1721cd391fd611520aeca47f59d5c30bc11a3d
parent signature: 0057620a8db4077d453c361754b479557ca91205a5880c1bf5e3fe3244f935c0
revisions tested: 21, total time: 8h34m37.720687597s (build: 4h17m39.960160772s, test: 3h51m40.174765286s)
first bad commit: 94f39804d891cffe4ce17737d295f3b195bc7299 xfrm: Duplicate SPI Handling
recipients (to): ["herbert@gondor.apana.org.au" "saakashkumar@marvell.com" "steffen.klassert@secunet.com"]
recipients (cc): []
crash: KASAN: slab-use-after-free Write in __xfrm_state_delete
==================================================================
BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:980 [inline]
BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:560 [inline]
BUG: KASAN: slab-use-after-free in __xfrm_state_delete+0x528/0x740 net/xfrm/xfrm_state.c:836
Write of size 8 at addr ffff88810f745128 by task kworker/u8:3/47

CPU: 1 UID: 0 PID: 47 Comm: kworker/u8:3 Not tainted syzkaller #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: netns cleanup_net
Call Trace:
 dump_stack_lvl+0xf4/0x170 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xd2/0x2b0 mm/kasan/report.c:521
 kasan_report+0x118/0x150 mm/kasan/report.c:634
 __hlist_del include/linux/list.h:980 [inline]
 hlist_del_rcu include/linux/rculist.h:560 [inline]
 __xfrm_state_delete+0x528/0x740 net/xfrm/xfrm_state.c:836
 xfrm_state_delete net/xfrm/xfrm_state.c:860 [inline]
 xfrm_state_flush+0x1fe/0x460 net/xfrm/xfrm_state.c:943
 xfrm_state_fini+0x49/0x1f0 net/xfrm/xfrm_state.c:3313
 ops_exit_list net/core/net_namespace.c:200 [inline]
 ops_undo_list+0x49d/0x720 net/core/net_namespace.c:253
 cleanup_net+0x45a/0x720 net/core/net_namespace.c:686
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0x995/0x12d0 kernel/workqueue.c:3321
 worker_thread+0x850/0xc60 kernel/workqueue.c:3402
 kthread+0x59b/0x690 kernel/kthread.c:464
 ret_from_fork+0x139/0x2d0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Allocated by task 3963:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_noprof+0x1b1/0x400 mm/slub.c:4204
 xfrm_state_alloc+0x1f/0x2d0 net/xfrm/xfrm_state.c:733
 __find_acq_core+0x1a0/0x1a20 net/xfrm/xfrm_state.c:1847
 xfrm_find_acq+0x73/0xa0 net/xfrm/xfrm_state.c:2362
 xfrm_alloc_userspi+0x557/0xaa0 net/xfrm/xfrm_user.c:1862
 xfrm_user_rcv_msg+0x461/0x730 net/xfrm/xfrm_user.c:3500
 netlink_rcv_skb+0x1e6/0x3b0 net/netlink/af_netlink.c:2534
 xfrm_netlink_rcv+0x6f/0x80 net/xfrm/xfrm_user.c:3522
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x551/0x770 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x60d/0x920 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg+0x1dd/0x220 net/socket.c:727
 ____sys_sendmsg+0x4ac/0x710 net/socket.c:2612
 ___sys_sendmsg+0x1d7/0x250 net/socket.c:2666
 __sys_sendmsg net/socket.c:2698 [inline]
 __do_sys_sendmsg net/socket.c:2703 [inline]
 __se_sys_sendmsg net/socket.c:2701 [inline]
 __x64_sys_sendmsg+0x175/0x200 net/socket.c:2701
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x8f/0x250 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 47:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kmem_cache_free+0x175/0x460 mm/slub.c:4745
 __xfrm_state_destroy net/xfrm/xfrm_state.c:806 [inline]
 xfrm_state_put_sync include/net/xfrm.h:935 [inline]
 xfrm_state_flush+0x264/0x460 net/xfrm/xfrm_state.c:947
 xfrm_state_fini+0x49/0x1f0 net/xfrm/xfrm_state.c:3313
 ops_exit_list net/core/net_namespace.c:200 [inline]
 ops_undo_list+0x49d/0x720 net/core/net_namespace.c:253
 cleanup_net+0x45a/0x720 net/core/net_namespace.c:686
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0x995/0x12d0 kernel/workqueue.c:3321
 worker_thread+0x850/0xc60 kernel/workqueue.c:3402
 kthread+0x59b/0x690 kernel/kthread.c:464
 ret_from_fork+0x139/0x2d0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff88810f745100
 which belongs to the cache xfrm_state of size 928
The buggy address is located 40 bytes inside of
 freed 928-byte region [ffff88810f745100, ffff88810f7454a0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f744
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000040 ffff8881072b73c0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000000f000f 00000000f5000000 0000000000000000
head: 0200000000000040 ffff8881072b73c0 dead000000000122 0000000000000000
head: 0000000000000000 00000000000f000f 00000000f5000000 0000000000000000
head: 0200000000000002 ffffea00043dd101 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 3947, tgid 3946 (syz.3.521), ts 91357951899, free_ts 75037225975
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x168/0x1a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x2cf9/0x2eb0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x26b/0x460 mm/page_alloc.c:4959
 alloc_pages_mpol+0xcb/0x270 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab+0x8a/0x350 mm/slub.c:2619
 new_slab mm/slub.c:2673 [inline]
 ___slab_alloc+0x9dc/0x10e0 mm/slub.c:3859
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 kmem_cache_alloc_noprof+0x26e/0x400 mm/slub.c:4204
 xfrm_state_alloc+0x1f/0x2d0 net/xfrm/xfrm_state.c:733
 __find_acq_core+0x1a0/0x1a20 net/xfrm/xfrm_state.c:1847
 xfrm_find_acq+0x73/0xa0 net/xfrm/xfrm_state.c:2362
 xfrm_alloc_userspi+0x557/0xaa0 net/xfrm/xfrm_user.c:1862
 xfrm_user_rcv_msg+0x461/0x730 net/xfrm/xfrm_user.c:3500
 netlink_rcv_skb+0x1e6/0x3b0 net/netlink/af_netlink.c:2534
 xfrm_netlink_rcv+0x6f/0x80 net/xfrm/xfrm_user.c:3522
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x551/0x770 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x60d/0x920 net/netlink/af_netlink.c:1883
page last free pid 2349 tgid 2349 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xa6d/0xc50 mm/page_alloc.c:2706
 discard_slab mm/slub.c:2717 [inline]
 __put_partials+0x157/0x1b0 mm/slub.c:3186
 put_cpu_partial+0x154/0x1c0 mm/slub.c:3261
 __slab_free+0x2a5/0x3a0 mm/slub.c:4513
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_noprof+0x1b1/0x400 mm/slub.c:4204
 anon_vma_chain_alloc mm/rmap.c:142 [inline]
 __anon_vma_prepare+0x84/0x3f0 mm/rmap.c:195
 __vmf_anon_prepare mm/memory.c:3523 [inline]
 vmf_anon_prepare mm/internal.h:410 [inline]
 do_anonymous_page mm/memory.c:5087 [inline]
 do_pte_missing mm/memory.c:4249 [inline]
 handle_pte_fault mm/memory.c:6089 [inline]
 __handle_mm_fault mm/memory.c:6232 [inline]
 handle_mm_fault+0x202e/0x2450 mm/memory.c:6401
 do_user_addr_fault+0x31a/0xc30 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x62/0xa0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

Memory state around the buggy address:
 ffff88810f745000: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff88810f745080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810f745100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff88810f745180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810f745200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================