==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2ed7/0x33f0 net/xfrm/xfrm_state.c:1068
Read of size 4 at addr ffffc90000007a78 by task kworker/0:4/428
CPU: 0 PID: 428 Comm: kworker/0:4 Not tainted 5.10.160-syzkaller-01321-g003c389455eb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: events linkwatch_event
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3c0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
jhash2 include/linux/jhash.h:138 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
xfrm_state_find+0x2ed7/0x33f0 net/xfrm/xfrm_state.c:1068
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2400 [inline]
xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2445 [inline]
xfrm_resolve_and_create_bundle+0x66d/0x2c80 net/xfrm/xfrm_policy.c:2738
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2973 [inline]
xfrm_lookup_with_ifid+0xc7d/0x2440 net/xfrm/xfrm_policy.c:3104
xfrm_lookup net/xfrm/xfrm_policy.c:3196 [inline]
xfrm_lookup_route+0x3b/0x160 net/xfrm/xfrm_policy.c:3207
ip_route_output_flow+0x1e7/0x310 net/ipv4/route.c:2792
ip_route_output_ports include/net/route.h:169 [inline]
igmpv3_newpack+0x405/0xff0 net/ipv4/igmp.c:369
add_grhead+0x84/0x320 net/ipv4/igmp.c:440
add_grec+0x12f8/0x1600 net/ipv4/igmp.c:574
igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
igmp_ifc_timer_expire+0x8b0/0xfa0 net/ipv4/igmp.c:809
call_timer_fn+0x35/0x270 kernel/time/timer.c:1420
expire_timers+0x21b/0x3a0 kernel/time/timer.c:1465
__run_timers+0x598/0x6f0 kernel/time/timer.c:1759
run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1772
__do_softirq+0x27e/0x596 kernel/softirq.c:305
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:402 [inline]
__irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
RIP: 0010:console_unlock+0xb5c/0xf20 kernel/printk/printk.c:2555
Code: 85 db 4c 8d b4 24 60 01 00 00 0f 85 82 03 00 00 e8 49 6e 00 00 48 8b 44 24 30 48 89 84 24 90 00 00 00 ff b4 24 90 00 00 00 9d <48> 8b 44 24 38 42 80 3c 38 00 74 08 4c 89 f7 e8 d0 1a 53 00 48 c7
RSP: 0018:ffffc900010975a0 EFLAGS: 00000246
RAX: 0000000000000246 RBX: 0000000000000000 RCX: ffff88810c84cf00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffc90001097830 R08: ffffffff815408fb R09: 0000000000000003
R10: fffff52000212ea5 R11: 1ffff92000212ea4 R12: ffffc900010977a0
R13: 1ffffffff0cbb111 R14: ffffc90001097700 R15: dffffc0000000000
vprintk_emit+0x44b/0x640 kernel/printk/printk.c:2063
vprintk_default+0x26/0x30 kernel/printk/printk.c:2080
vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
printk+0xcf/0x10f kernel/printk/printk.c:2111
addrconf_notify+0xbf4/0xe90 net/ipv6/addrconf.c:3620
notifier_call_chain kernel/notifier.c:83 [inline]
raw_notifier_call_chain+0x9e/0x110 kernel/notifier.c:410
call_netdevice_notifiers_info net/core/dev.c:2054 [inline]
netdev_state_change+0x1ba/0x280 net/core/dev.c:1484
linkwatch_do_dev+0xfe/0x140 net/core/link_watch.c:167
__linkwatch_run_queue+0x4f5/0x7f0 net/core/link_watch.c:213
linkwatch_event+0x4c/0x60 net/core/link_watch.c:252
process_one_work+0x726/0xc10 kernel/workqueue.c:2296
worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
kthread+0x349/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299
Memory state around the buggy address:
ffffc90000007900: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00
ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90000007a00: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f3
^
ffffc90000007a80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90000007b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 85 db test %ebx,%ebx
2: 4c 8d b4 24 60 01 00 lea 0x160(%rsp),%r14
9: 00
a: 0f 85 82 03 00 00 jne 0x392
10: e8 49 6e 00 00 callq 0x6e5e
15: 48 8b 44 24 30 mov 0x30(%rsp),%rax
1a: 48 89 84 24 90 00 00 mov %rax,0x90(%rsp)
21: 00
22: ff b4 24 90 00 00 00 pushq 0x90(%rsp)
29: 9d popfq
* 2a: 48 8b 44 24 38 mov 0x38(%rsp),%rax <-- trapping instruction
2f: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
34: 74 08 je 0x3e
36: 4c 89 f7 mov %r14,%rdi
39: e8 d0 1a 53 00 callq 0x531b0e
3e: 48 rex.W
3f: c7 .byte 0xc7