syzbot

 sign-in | mailing list | source | docs
🐞 Open [750]
🐞 Fixed [120]
🐞 Invalid [785]
Missing Backports [75]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in __xfrm_decode_session (2)

Status: upstream: reported on 2025/04/30 13:03
Reported-by: syzbot+cadd4c7c96a74757f198@syzkaller.appspotmail.com
First crash: 55d, last: 53d
Similar bugs (10)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in __xfrm_decode_session (2) net 7 1297d 1533d 0/29 auto-closed as invalid on 2022/04/04 17:22
upstream KASAN: use-after-free Read in __xfrm_decode_session net 12 1753d 2112d 0/29 auto-closed as invalid on 2021/01/03 02:25
linux-5.15 KASAN: slab-out-of-bounds Read in __xfrm_decode_session origin:upstream C error 7 594d 781d 0/3 auto-obsoleted due to no activity on 2024/02/16 23:16
linux-6.1 KASAN: use-after-free Read in __xfrm_decode_session 4 640d 771d 0/3 auto-obsoleted due to no activity on 2024/01/01 21:03
upstream KMSAN: kernel-infoleak in copyout (2) net C 6723 747d 1916d 22/29 fixed on 2023/06/08 14:41
upstream KMSAN: kernel-infoleak in _copy_to_iter (7) net C 138977 851d 1203d 22/29 fixed on 2023/02/24 13:50
linux-6.1 KASAN: slab-out-of-bounds Read in __xfrm_decode_session 1 180d 180d 0/3 auto-obsoleted due to no activity on 2025/04/05 09:29
upstream KMSAN: uninit-value in __xfrm_decode_session (4) net C 8 611d 658d 0/29 closed as invalid on 2023/12/14 11:46
linux-5.15 KASAN: slab-out-of-bounds Read in __xfrm_decode_session (2) 3 7d01h 86d 0/3 upstream: reported on 2025/03/30 08:54
upstream KASAN: slab-out-of-bounds Read in __xfrm_decode_session net 20 1749d 2034d 0/29 auto-closed as invalid on 2021/01/07 14:52

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in decode_session6 net/xfrm/xfrm_policy.c:3412 [inline]
BUG: KASAN: use-after-free in __xfrm_decode_session+0x14c4/0x1b8c net/xfrm/xfrm_policy.c:3518
Read of size 1 at addr ffff0000f03dee9c by task syz.1.1540/9604

CPU: 1 PID: 9604 Comm: syz.1.1540 Not tainted 6.1.136-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x88/0x220 mm/kasan/report.c:316
 print_report+0x50/0x68 mm/kasan/report.c:427
 kasan_report+0xa8/0x100 mm/kasan/report.c:531
 __asan_report_load1_noabort+0x2c/0x38 mm/kasan/report_generic.c:348
 decode_session6 net/xfrm/xfrm_policy.c:3412 [inline]
 __xfrm_decode_session+0x14c4/0x1b8c net/xfrm/xfrm_policy.c:3518
 xfrm_decode_session_reverse include/net/xfrm.h:1184 [inline]
 icmpv6_route_lookup+0x310/0x470 net/ipv6/icmp.c:394
 icmp6_send+0xb98/0x13e4 net/ipv6/icmp.c:603
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x44/0x4a8 net/ipv6/route.c:2827
 dst_link_failure include/net/dst.h:423 [inline]
 ip6_tnl_xmit+0xed8/0x2448 net/ipv6/ip6_tunnel.c:1284
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1400 [inline]
 ip6_tnl_start_xmit+0xb88/0x1088 net/ipv6/ip6_tunnel.c:1449
 __netdev_start_xmit include/linux/netdevice.h:4896 [inline]
 netdev_start_xmit include/linux/netdevice.h:4910 [inline]
 xmit_one net/core/dev.c:3658 [inline]
 dev_hard_start_xmit+0x244/0x8e0 net/core/dev.c:3674
 sch_direct_xmit+0x204/0x480 net/sched/sch_generic.c:342
 qdisc_restart net/sched/sch_generic.c:407 [inline]
 __qdisc_run+0x8c0/0x1368 net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3958 [inline]
 __dev_queue_xmit+0xc18/0x309c net/core/dev.c:4300
 dev_queue_xmit include/linux/netdevice.h:3051 [inline]
 neigh_connected_output+0x358/0x3e8 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:544 [inline]
 ip6_finish_output2+0xd60/0x1844 net/ipv6/ip6_output.c:138
 ip6_fragment+0x1558/0x247c net/ipv6/ip6_output.c:1021
 __ip6_finish_output net/ipv6/ip6_output.c:203 [inline]
 ip6_finish_output+0x444/0x930 net/ipv6/ip6_output.c:216
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x274/0x500 net/ipv6/ip6_output.c:237
 dst_output include/net/dst.h:453 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 ip6_xmit+0x111c/0x19c4 net/ipv6/ip6_output.c:357
 sctp_v6_xmit+0x83c/0xf70 net/sctp/ipv6.c:250
 sctp_packet_transmit+0x1df4/0x22e4 net/sctp/output.c:653
 sctp_packet_singleton+0x1d0/0x2bc net/sctp/outqueue.c:783
 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
 sctp_outq_flush+0x404/0x27bc net/sctp/outqueue.c:1212
 sctp_outq_uncork+0x84/0xc0 net/sctp/outqueue.c:764
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:-1 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
 sctp_do_sm+0x427c/0x4894 net/sctp/sm_sideeffect.c:1170
 sctp_primitive_ASSOCIATE+0x98/0xc8 net/sctp/primitive.c:73
 sctp_sendmsg_to_asoc+0xfc8/0x1344 net/sctp/socket.c:1840
 sctp_sendmsg+0x14dc/0x20cc net/sctp/socket.c:2030
 inet_sendmsg+0x154/0x284 net/ipv4/af_inet.c:841
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 __sys_sendto+0x304/0x3fc net/socket.c:2153
 __do_sys_sendto net/socket.c:2165 [inline]
 __se_sys_sendto net/socket.c:2161 [inline]
 __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2161
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Allocated by task 3913:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_alloc_info+0x28/0x34 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa0/0xb8 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:936 [inline]
 __kmalloc+0xec/0x178 mm/slab_common.c:949
 kmalloc include/linux/slab.h:568 [inline]
 tomoyo_realpath_from_path+0xc4/0x4d4 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x1b4/0x440 security/tomoyo/file.c:822
 tomoyo_inode_getattr+0x28/0x38 security/tomoyo/tomoyo.c:122
 security_inode_getattr+0xd8/0x124 security/security.c:1361
 vfs_getattr fs/stat.c:158 [inline]
 vfs_statx+0x128/0x588 fs/stat.c:233
 vfs_fstatat fs/stat.c:267 [inline]
 __do_sys_newfstatat fs/stat.c:437 [inline]
 __se_sys_newfstatat fs/stat.c:431 [inline]
 __arm64_sys_newfstatat+0x12c/0x1b8 fs/stat.c:431
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Freed by task 3913:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_free_info+0x3c/0x60 mm/kasan/generic.c:516
 ____kasan_slab_free+0x148/0x1b0 mm/kasan/common.c:236
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook+0x16c/0x1ec mm/slub.c:1750
 slab_free mm/slub.c:3661 [inline]
 __kmem_cache_free+0xc0/0x224 mm/slub.c:3674
 kfree+0xd0/0x1ac mm/slab_common.c:988
 tomoyo_realpath_from_path+0x48c/0x4d4 security/tomoyo/realpath.c:286
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x1b4/0x440 security/tomoyo/file.c:822
 tomoyo_inode_getattr+0x28/0x38 security/tomoyo/tomoyo.c:122
 security_inode_getattr+0xd8/0x124 security/security.c:1361
 vfs_getattr fs/stat.c:158 [inline]
 vfs_statx+0x128/0x588 fs/stat.c:233
 vfs_fstatat fs/stat.c:267 [inline]
 __do_sys_newfstatat fs/stat.c:437 [inline]
 __se_sys_newfstatat fs/stat.c:431 [inline]
 __arm64_sys_newfstatat+0x12c/0x1b8 fs/stat.c:431
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the object at ffff0000f03de000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 3740 bytes inside of
 4096-byte region [ffff0000f03de000, ffff0000f03df000)

The buggy address belongs to the physical page:
page:0000000080f00ff4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1303d8
head:0000000080f00ff4 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc0003721000 dead000000000002 ffff0000c0002a80
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000f03ded80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000f03dee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000f03dee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff0000f03def00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000f03def80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/05/02 15:15 linux-6.1.y b6736e03756f d7f099d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in __xfrm_decode_session
2025/04/30 16:33 linux-6.1.y 535ec20c5027 85a5a23f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in __xfrm_decode_session
2025/04/30 15:15 linux-6.1.y 535ec20c5027 85a5a23f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in __xfrm_decode_session
2025/04/30 13:03 linux-6.1.y 535ec20c5027 85a5a23f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in __xfrm_decode_session
2025/05/01 15:50 linux-6.1.y 535ec20c5027 51b137cd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in __xfrm_decode_session
* Struck through repros no longer work on HEAD.