==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x5f79/0x6d80 net/xfrm/xfrm_state.c:1159
Read of size 4 at addr ffffc90000007ad0 by task udevd/5074
CPU: 0 PID: 5074 Comm: udevd Not tainted 6.1.0-syzkaller-04343-gd039535850ee #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:417
kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
jhash2 include/linux/jhash.h:138 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
xfrm_state_find+0x5f79/0x6d80 net/xfrm/xfrm_state.c:1159
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2467 [inline]
xfrm_tmpl_resolve+0x2f3/0xd40 net/xfrm/xfrm_policy.c:2512
xfrm_resolve_and_create_bundle+0x123/0x2580 net/xfrm/xfrm_policy.c:2805
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3040 [inline]
xfrm_lookup_with_ifid+0x449/0x20f0 net/xfrm/xfrm_policy.c:3171
xfrm_lookup net/xfrm/xfrm_policy.c:3268 [inline]
xfrm_lookup_route+0x3a/0x1e0 net/xfrm/xfrm_policy.c:3279
ip_route_output_flow+0x118/0x150 net/ipv4/route.c:2880
ip_route_output_ports include/net/route.h:183 [inline]
igmpv3_newpack+0x29d/0x1110 net/ipv4/igmp.c:369
add_grhead+0x266/0x300 net/ipv4/igmp.c:440
add_grec+0xea5/0x1100 net/ipv4/igmp.c:574
igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
igmp_ifc_timer_expire+0x636/0xf70 net/ipv4/igmp.c:810
call_timer_fn+0x1da/0x7c0 kernel/time/timer.c:1700
expire_timers+0x2c6/0x5c0 kernel/time/timer.c:1751
__run_timers kernel/time/timer.c:2022 [inline]
__run_timers kernel/time/timer.c:1995 [inline]
run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035
__do_softirq+0x1fb/0xadc kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
irq_exit_rcu+0x9/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:instrument_atomic_read include/linux/instrumented.h:72 [inline]
RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
RIP: 0010:folio_memcg_lock+0x189/0x630 mm/memcontrol.c:2118
Code: d0 d6 81 58 e8 38 1e 8d ff 4d 85 f6 0f 85 9e 02 00 00 9c 58 f6 c4 02 0f 85 53 03 00 00 4d 85 f6 74 01 fb 4c 8d b3 40 09 00 00 <be> 04 00 00 00 4c 89 f7 e8 0a 86 f8 ff 4c 89 f0 48 c1 e8 03 42 0f
RSP: 0000:ffffc90003cefab8 EFLAGS: 00000206
RAX: 0000000000000002 RBX: ffff888140140000 RCX: 1ffffffff22670ae
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90003cefb08 R08: 0000000000000001 R09: ffffffff91335ac7
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffea0002e655f8 R14: ffff888140140940 R15: ffffea0002e655c8
page_add_file_rmap+0x3d/0x970 mm/rmap.c:1332
do_set_pte+0x431/0x7b0 mm/memory.c:4307
filemap_map_pages+0xcd3/0x1a80 mm/filemap.c:3407
do_fault_around mm/memory.c:4483 [inline]
do_read_fault mm/memory.c:4509 [inline]
do_fault mm/memory.c:4643 [inline]
handle_pte_fault mm/memory.c:4931 [inline]
__handle_mm_fault+0x22d0/0x3c90 mm/memory.c:5073
handle_mm_fault+0x1b6/0x850 mm/memory.c:5219
do_user_addr_fault+0x475/0x1210 arch/x86/mm/fault.c:1428
handle_page_fault arch/x86/mm/fault.c:1519 [inline]
exc_page_fault+0x98/0x170 arch/x86/mm/fault.c:1575
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f21962ae850
Code: Unable to access opcode bytes at 0x7f21962ae826.
RSP: 002b:00007ffe53c84dc8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f219633432a
RDX: 000000000000000c RSI: 000055c20721172e RDI: 000055c20720f185
RBP: 000055c208618670 R08: 0000000000000007 R09: 000055c2085f4d10
R10: 00007f219633476a R11: 0000000000000246 R12: 000055c2072155c5
R13: 0000000000000004 R14: 00007ffe53c84e1c R15: 000055c2085f4910
The buggy address belongs to the virtual mapping at
[ffffc90000000000, ffffc90000009000) created by:
map_irq_stack arch/x86/kernel/irq_64.c:48 [inline]
irq_init_percpu_irqstack+0x1d0/0x320 arch/x86/kernel/irq_64.c:75
The buggy address belongs to the physical page:
page:ffffea0002e60240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb9809
flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000001000 ffffea0002e60248 ffffea0002e60248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
ffffc90000007980: 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90000007a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
>ffffc90000007a80: f1 f1 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00
                                                 ^
ffffc90000007b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90000007b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
==================================================================
----------------
Code disassembly (best guess):
0: d0 d6 rcl %dh
2: 81 58 e8 38 1e 8d ff sbbl $0xff8d1e38,-0x18(%rax)
9: 4d 85 f6 test %r14,%r14
c: 0f 85 9e 02 00 00 jne 0x2b0
12: 9c pushfq
13: 58 pop %rax
14: f6 c4 02 test $0x2,%ah
17: 0f 85 53 03 00 00 jne 0x370
1d: 4d 85 f6 test %r14,%r14
20: 74 01 je 0x23
22: fb sti
23: 4c 8d b3 40 09 00 00 lea 0x940(%rbx),%r14
* 2a: be 04 00 00 00 mov $0x4,%esi <-- trapping instruction
2f: 4c 89 f7 mov %r14,%rdi
32: e8 0a 86 f8 ff callq 0xfff88641
37: 4c 89 f0 mov %r14,%rax
3a: 48 c1 e8 03 shr $0x3,%rax
3e: 42 rex.X
3f: 0f .byte 0xf