==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x5f79/0x6d80 net/xfrm/xfrm_state.c:1159
Read of size 4 at addr ffffc90000007ad0 by task udevd/5074

CPU: 0 PID: 5074 Comm: udevd Not tainted 6.1.0-syzkaller-04343-gd039535850ee #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:306 [inline]
 print_report+0x15e/0x45d mm/kasan/report.c:417
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
 jhash2 include/linux/jhash.h:138 [inline]
 __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
 __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
 __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
 xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
 xfrm_state_find+0x5f79/0x6d80 net/xfrm/xfrm_state.c:1159
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2467 [inline]
 xfrm_tmpl_resolve+0x2f3/0xd40 net/xfrm/xfrm_policy.c:2512
 xfrm_resolve_and_create_bundle+0x123/0x2580 net/xfrm/xfrm_policy.c:2805
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3040 [inline]
 xfrm_lookup_with_ifid+0x449/0x20f0 net/xfrm/xfrm_policy.c:3171
 xfrm_lookup net/xfrm/xfrm_policy.c:3268 [inline]
 xfrm_lookup_route+0x3a/0x1e0 net/xfrm/xfrm_policy.c:3279
 ip_route_output_flow+0x118/0x150 net/ipv4/route.c:2880
 ip_route_output_ports include/net/route.h:183 [inline]
 igmpv3_newpack+0x29d/0x1110 net/ipv4/igmp.c:369
 add_grhead+0x266/0x300 net/ipv4/igmp.c:440
 add_grec+0xea5/0x1100 net/ipv4/igmp.c:574
 igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
 igmp_ifc_timer_expire+0x636/0xf70 net/ipv4/igmp.c:810
 call_timer_fn+0x1da/0x7c0 kernel/time/timer.c:1700
 expire_timers+0x2c6/0x5c0 kernel/time/timer.c:1751
 __run_timers kernel/time/timer.c:2022 [inline]
 __run_timers kernel/time/timer.c:1995 [inline]
 run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035
 __do_softirq+0x1fb/0xadc kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:instrument_atomic_read include/linux/instrumented.h:72 [inline]
RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
RIP: 0010:folio_memcg_lock+0x189/0x630 mm/memcontrol.c:2118
Code: d0 d6 81 58 e8 38 1e 8d ff 4d 85 f6 0f 85 9e 02 00 00 9c 58 f6 c4 02 0f 85 53 03 00 00 4d 85 f6 74 01 fb 4c 8d b3 40 09 00 00 <be> 04 00 00 00 4c 89 f7 e8 0a 86 f8 ff 4c 89 f0 48 c1 e8 03 42 0f
RSP: 0000:ffffc90003cefab8 EFLAGS: 00000206
RAX: 0000000000000002 RBX: ffff888140140000 RCX: 1ffffffff22670ae
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90003cefb08 R08: 0000000000000001 R09: ffffffff91335ac7
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffea0002e655f8 R14: ffff888140140940 R15: ffffea0002e655c8
 page_add_file_rmap+0x3d/0x970 mm/rmap.c:1332
 do_set_pte+0x431/0x7b0 mm/memory.c:4307
 filemap_map_pages+0xcd3/0x1a80 mm/filemap.c:3407
 do_fault_around mm/memory.c:4483 [inline]
 do_read_fault mm/memory.c:4509 [inline]
 do_fault mm/memory.c:4643 [inline]
 handle_pte_fault mm/memory.c:4931 [inline]
 __handle_mm_fault+0x22d0/0x3c90 mm/memory.c:5073
 handle_mm_fault+0x1b6/0x850 mm/memory.c:5219
 do_user_addr_fault+0x475/0x1210 arch/x86/mm/fault.c:1428
 handle_page_fault arch/x86/mm/fault.c:1519 [inline]
 exc_page_fault+0x98/0x170 arch/x86/mm/fault.c:1575
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f21962ae850
Code: Unable to access opcode bytes at 0x7f21962ae826.
RSP: 002b:00007ffe53c84dc8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f219633432a
RDX: 000000000000000c RSI: 000055c20721172e RDI: 000055c20720f185
RBP: 000055c208618670 R08: 0000000000000007 R09: 000055c2085f4d10
R10: 00007f219633476a R11: 0000000000000246 R12: 000055c2072155c5
R13: 0000000000000004 R14: 00007ffe53c84e1c R15: 000055c2085f4910

The buggy address belongs to the virtual mapping at
 [ffffc90000000000, ffffc90000009000) created by:
 map_irq_stack arch/x86/kernel/irq_64.c:48 [inline]
 irq_init_percpu_irqstack+0x1d0/0x320 arch/x86/kernel/irq_64.c:75

The buggy address belongs to the physical page:
page:ffffea0002e60240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb9809
flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000001000 ffffea0002e60248 ffffea0002e60248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffc90000007980: 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
>ffffc90000007a80: f1 f1 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00
                                                 ^
 ffffc90000007b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
==================================================================
----------------
Code disassembly (best guess):
   0:	d0 d6                	rcl    %dh
   2:	81 58 e8 38 1e 8d ff 	sbbl   $0xff8d1e38,-0x18(%rax)
   9:	4d 85 f6             	test   %r14,%r14
   c:	0f 85 9e 02 00 00    	jne    0x2b0
  12:	9c                   	pushfq
  13:	58                   	pop    %rax
  14:	f6 c4 02             	test   $0x2,%ah
  17:	0f 85 53 03 00 00    	jne    0x370
  1d:	4d 85 f6             	test   %r14,%r14
  20:	74 01                	je     0x23
  22:	fb                   	sti
  23:	4c 8d b3 40 09 00 00 	lea    0x940(%rbx),%r14
* 2a:	be 04 00 00 00       	mov    $0x4,%esi		<-- trapping instruction
  2f:	4c 89 f7             	mov    %r14,%rdi
  32:	e8 0a 86 f8 ff       	callq  0xfff88641
  37:	4c 89 f0             	mov    %r14,%rax
  3a:	48 c1 e8 03          	shr    $0x3,%rax
  3e:	42                   	rex.X
  3f:	0f                   	.byte 0xf