syzbot
KASAN: use-after-free Read in __xfrm_decode_session (2)

Status: upstream: reported C repro on 2025/04/30 13:03
Bug presence: origin:lts-only
Reported-by: syzbot+cadd4c7c96a74757f198@syzkaller.appspotmail.com
First crash: 116d, last: 54d
Fix bisection: failed (error log, bisect log)
  
Bug presence (2)
Date Name Commit Repro Result
2025/07/01 linux-6.1.y (ToT) 7e69c33e4858 C [report] KASAN: slab-out-of-bounds Read in __xfrm_decode_session
2025/07/01 upstream (ToT) 66701750d556 C Didn't crash
Similar bugs (11)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in __xfrm_decode_session (2) net 19 7 1358d 1595d 0/29 auto-closed as invalid on 2022/04/04 17:22
upstream KASAN: use-after-free Read in __xfrm_decode_session net 19 12 1815d 2174d 0/29 auto-closed as invalid on 2021/01/03 02:25
linux-5.15 KASAN: slab-out-of-bounds Read in __xfrm_decode_session origin:upstream 19 C error 7 655d 842d 0/3 auto-obsoleted due to no activity on 2024/02/16 23:16
linux-5.15 KASAN: slab-out-of-bounds Read in __xfrm_decode_session (2) 19 4 19d 148d 0/3 upstream: reported on 2025/03/30 08:54
linux-6.1 KASAN: use-after-free Read in __xfrm_decode_session 19 4 701d 833d 0/3 auto-obsoleted due to no activity on 2024/01/01 21:03
linux-6.6 KASAN: slab-use-after-free Read in __xfrm_decode_session 19 19 33d 54d 0/2 upstream: reported on 2025/07/01 19:37
upstream KMSAN: kernel-infoleak in copyout (2) net 17 C 6723 809d 1977d 22/29 fixed on 2023/06/08 14:41
upstream KMSAN: kernel-infoleak in _copy_to_iter (7) net 23 C 138977 913d 1265d 22/29 fixed on 2023/02/24 13:50
linux-6.1 KASAN: slab-out-of-bounds Read in __xfrm_decode_session 17 1 242d 242d 0/3 auto-obsoleted due to no activity on 2025/04/05 09:29
upstream KMSAN: uninit-value in __xfrm_decode_session (4) net 19 C 8 673d 719d 0/29 closed as invalid on 2023/12/14 11:46
upstream KASAN: slab-out-of-bounds Read in __xfrm_decode_session net 17 20 1810d 2096d 0/29 auto-closed as invalid on 2021/01/07 14:52
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2025/08/20 00:08 1h47m fix candidate upstream OK (0) job log
2025/08/02 11:18 14m bisect fix linux-6.1.y error job log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in decode_session6 net/xfrm/xfrm_policy.c:3415 [inline]
BUG: KASAN: use-after-free in __xfrm_decode_session+0x14c4/0x1b8c net/xfrm/xfrm_policy.c:3521
Read of size 1 at addr ffff0000de62a623 by task syz.0.16/4454

CPU: 0 PID: 4454 Comm: syz.0.16 Not tainted 6.1.142-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x88/0x220 mm/kasan/report.c:316
 print_report+0x50/0x68 mm/kasan/report.c:427
 kasan_report+0xa8/0x100 mm/kasan/report.c:531
 __asan_report_load1_noabort+0x2c/0x38 mm/kasan/report_generic.c:348
 decode_session6 net/xfrm/xfrm_policy.c:3415 [inline]
 __xfrm_decode_session+0x14c4/0x1b8c net/xfrm/xfrm_policy.c:3521
 xfrm_decode_session_reverse include/net/xfrm.h:1183 [inline]
 icmpv6_route_lookup+0x310/0x470 net/ipv6/icmp.c:394
 icmp6_send+0xb98/0x13e4 net/ipv6/icmp.c:603
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x44/0x4a8 net/ipv6/route.c:2827
 dst_link_failure include/net/dst.h:423 [inline]
 ip6_tnl_xmit+0xed8/0x2448 net/ipv6/ip6_tunnel.c:1284
 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1400 [inline]
 ip6_tnl_start_xmit+0xb88/0x1088 net/ipv6/ip6_tunnel.c:1449
 __netdev_start_xmit include/linux/netdevice.h:4896 [inline]
 netdev_start_xmit include/linux/netdevice.h:4910 [inline]
 xmit_one net/core/dev.c:3658 [inline]
 dev_hard_start_xmit+0x244/0x8e0 net/core/dev.c:3674
 sch_direct_xmit+0x204/0x480 net/sched/sch_generic.c:342
 qdisc_restart net/sched/sch_generic.c:407 [inline]
 __qdisc_run+0x8c0/0x1368 net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3958 [inline]
 __dev_queue_xmit+0xc18/0x309c net/core/dev.c:4300
 dev_queue_xmit include/linux/netdevice.h:3051 [inline]
 neigh_connected_output+0x358/0x3e8 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:544 [inline]
 ip6_finish_output2+0xd60/0x1844 net/ipv6/ip6_output.c:138
 ip6_fragment+0x1558/0x247c net/ipv6/ip6_output.c:1021
 __ip6_finish_output net/ipv6/ip6_output.c:203 [inline]
 ip6_finish_output+0x444/0x930 net/ipv6/ip6_output.c:216
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x274/0x500 net/ipv6/ip6_output.c:237
 dst_output include/net/dst.h:453 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 ip6_xmit+0x111c/0x19c4 net/ipv6/ip6_output.c:357
 sctp_v6_xmit+0x83c/0xf70 net/sctp/ipv6.c:250
 sctp_packet_transmit+0x1df4/0x22e4 net/sctp/output.c:653
 sctp_packet_singleton+0x1d0/0x2bc net/sctp/outqueue.c:783
 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
 sctp_outq_flush+0x404/0x27bc net/sctp/outqueue.c:1212
 sctp_outq_uncork+0x84/0xc0 net/sctp/outqueue.c:764
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:-1 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
 sctp_do_sm+0x427c/0x4894 net/sctp/sm_sideeffect.c:1170
 sctp_primitive_ASSOCIATE+0x98/0xc8 net/sctp/primitive.c:73
 sctp_sendmsg_to_asoc+0xfc8/0x1344 net/sctp/socket.c:1840
 sctp_sendmsg+0x14dc/0x20cc net/sctp/socket.c:2030
 inet_sendmsg+0x154/0x284 net/ipv4/af_inet.c:841
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 __sys_sendto+0x304/0x3fc net/socket.c:2153
 __do_sys_sendto net/socket.c:2165 [inline]
 __se_sys_sendto net/socket.c:2161 [inline]
 __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2161
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Allocated by task 4298:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_alloc_info+0x28/0x34 mm/kasan/generic.c:505
 __kasan_slab_alloc+0x70/0x88 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x74/0x43c mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x234/0x318 mm/slub.c:3422
 __sigqueue_alloc+0x3e0/0x4e0 kernel/signal.c:436
 __send_signal_locked+0x1d8/0xc78 kernel/signal.c:1129
 send_signal_locked+0xac/0x854 kernel/signal.c:1258
 do_send_sig_info kernel/signal.c:1301 [inline]
 do_send_specific+0x19c/0x2cc kernel/signal.c:3926
 do_tkill kernel/signal.c:3952 [inline]
 __do_sys_tgkill kernel/signal.c:3971 [inline]
 __se_sys_tgkill kernel/signal.c:3965 [inline]
 __arm64_sys_tgkill+0x1c4/0x244 kernel/signal.c:3965
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Freed by task 4297:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_free_info+0x3c/0x60 mm/kasan/generic.c:516
 ____kasan_slab_free+0x148/0x1b0 mm/kasan/common.c:236
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook+0x16c/0x1ec mm/slub.c:1750
 slab_free mm/slub.c:3661 [inline]
 kmem_cache_free+0x11c/0x324 mm/slub.c:3683
 __sigqueue_free kernel/signal.c:459 [inline]
 collect_signal kernel/signal.c:602 [inline]
 __dequeue_signal+0x3fc/0x4fc kernel/signal.c:624
 dequeue_signal+0x70/0x3cc kernel/signal.c:644
 get_signal+0x41c/0x1310 kernel/signal.c:2751
 do_signal arch/arm64/kernel/signal.c:1081 [inline]
 do_notify_resume+0x290/0x2b0c arch/arm64/kernel/signal.c:1134
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_svc+0x98/0x138 arch/arm64/kernel/entry-common.c:638
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the object at ffff0000de62a620
 which belongs to the cache sigqueue of size 80
The buggy address is located 3 bytes inside of
 80-byte region [ffff0000de62a620, ffff0000de62a670)

The buggy address belongs to the physical page:
page:0000000030afacf5 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e62a
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 0000000000000000 dead000000000122 ffff0000c03dd080
raw: 0000000000000000 0000000000240024 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000de62a500: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb
 ffff0000de62a580: fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb
>ffff0000de62a600: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fc fc
                               ^
 ffff0000de62a680: fc fc fa fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff0000de62a700: fa fb fb fb fb fb fb fb fb fb fc fc fc fc fa fb
==================================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/07/01 08:03 linux-6.1.y 7e69c33e4858 6e83b42d .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in __xfrm_decode_session
2025/05/02 15:15 linux-6.1.y b6736e03756f d7f099d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in __xfrm_decode_session
2025/04/30 16:33 linux-6.1.y 535ec20c5027 85a5a23f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in __xfrm_decode_session
2025/04/30 15:15 linux-6.1.y 535ec20c5027 85a5a23f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in __xfrm_decode_session
2025/04/30 13:03 linux-6.1.y 535ec20c5027 85a5a23f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in __xfrm_decode_session
2025/07/01 03:35 linux-6.1.y 7e69c33e4858 6e83b42d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in __xfrm_decode_session
2025/05/01 15:50 linux-6.1.y 535ec20c5027 51b137cd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: slab-out-of-bounds Read in __xfrm_decode_session