==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x2ed7/0x33f0 net/xfrm/xfrm_state.c:1068
Read of size 4 at addr ffffc90000007a78 by task kworker/0:4/428

CPU: 0 PID: 428 Comm: kworker/0:4 Not tainted 5.10.160-syzkaller-01321-g003c389455eb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: events linkwatch_event
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x81/0x3c0 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 jhash2 include/linux/jhash.h:138 [inline]
 __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
 __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
 __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
 xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
 xfrm_state_find+0x2ed7/0x33f0 net/xfrm/xfrm_state.c:1068
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2400 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2445 [inline]
 xfrm_resolve_and_create_bundle+0x66d/0x2c80 net/xfrm/xfrm_policy.c:2738
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2973 [inline]
 xfrm_lookup_with_ifid+0xc7d/0x2440 net/xfrm/xfrm_policy.c:3104
 xfrm_lookup net/xfrm/xfrm_policy.c:3196 [inline]
 xfrm_lookup_route+0x3b/0x160 net/xfrm/xfrm_policy.c:3207
 ip_route_output_flow+0x1e7/0x310 net/ipv4/route.c:2792
 ip_route_output_ports include/net/route.h:169 [inline]
 igmpv3_newpack+0x405/0xff0 net/ipv4/igmp.c:369
 add_grhead+0x84/0x320 net/ipv4/igmp.c:440
 add_grec+0x12f8/0x1600 net/ipv4/igmp.c:574
 igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
 igmp_ifc_timer_expire+0x8b0/0xfa0 net/ipv4/igmp.c:809
 call_timer_fn+0x35/0x270 kernel/time/timer.c:1420
 expire_timers+0x21b/0x3a0 kernel/time/timer.c:1465
 __run_timers+0x598/0x6f0 kernel/time/timer.c:1759
 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1772
 __do_softirq+0x27e/0x596 kernel/softirq.c:305
 asm_call_irq_on_stack+0xf/0x20
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:402 [inline]
 __irq_exit_rcu+0x128/0x150 kernel/softirq.c:432
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:444
 sysvec_apic_timer_interrupt+0xbf/0xe0 arch/x86/kernel/apic/apic.c:1095
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:native_restore_fl arch/x86/include/asm/irqflags.h:41 [inline]
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:84 [inline]
RIP: 0010:console_unlock+0xb5c/0xf20 kernel/printk/printk.c:2555
Code: 85 db 4c 8d b4 24 60 01 00 00 0f 85 82 03 00 00 e8 49 6e 00 00 48 8b 44 24 30 48 89 84 24 90 00 00 00 ff b4 24 90 00 00 00 9d <48> 8b 44 24 38 42 80 3c 38 00 74 08 4c 89 f7 e8 d0 1a 53 00 48 c7
RSP: 0018:ffffc900010975a0 EFLAGS: 00000246
RAX: 0000000000000246 RBX: 0000000000000000 RCX: ffff88810c84cf00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffc90001097830 R08: ffffffff815408fb R09: 0000000000000003
R10: fffff52000212ea5 R11: 1ffff92000212ea4 R12: ffffc900010977a0
R13: 1ffffffff0cbb111 R14: ffffc90001097700 R15: dffffc0000000000
 vprintk_emit+0x44b/0x640 kernel/printk/printk.c:2063
 vprintk_default+0x26/0x30 kernel/printk/printk.c:2080
 vprintk_func+0x19d/0x1e0 kernel/printk/printk_safe.c:401
 printk+0xcf/0x10f kernel/printk/printk.c:2111
 addrconf_notify+0xbf4/0xe90 net/ipv6/addrconf.c:3620
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0x9e/0x110 kernel/notifier.c:410
 call_netdevice_notifiers_info net/core/dev.c:2054 [inline]
 netdev_state_change+0x1ba/0x280 net/core/dev.c:1484
 linkwatch_do_dev+0xfe/0x140 net/core/link_watch.c:167
 __linkwatch_run_queue+0x4f5/0x7f0 net/core/link_watch.c:213
 linkwatch_event+0x4c/0x60 net/core/link_watch.c:252
 process_one_work+0x726/0xc10 kernel/workqueue.c:2296
 worker_thread+0xb27/0x1550 kernel/workqueue.c:2442
 kthread+0x349/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:299

Memory state around the buggy address:
 ffffc90000007900: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00
 ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90000007a00: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f3
                                                                ^
 ffffc90000007a80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:   85 db                   test   %ebx,%ebx
   2:   4c 8d b4 24 60 01 00    lea    0x160(%rsp),%r14
   9:   00
   a:   0f 85 82 03 00 00       jne    0x392
  10:   e8 49 6e 00 00          callq  0x6e5e
  15:   48 8b 44 24 30          mov    0x30(%rsp),%rax
  1a:   48 89 84 24 90 00 00    mov    %rax,0x90(%rsp)
  21:   00
  22:   ff b4 24 90 00 00 00    pushq  0x90(%rsp)
  29:   9d                      popfq
* 2a:   48 8b 44 24 38          mov    0x38(%rsp),%rax          <-- trapping instruction
  2f:   42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)
  34:   74 08                   je     0x3e
  36:   4c 89 f7                mov    %r14,%rdi
  39:   e8 d0 1a 53 00          callq  0x531b0e
  3e:   48                      rex.W
  3f:   c7                      .byte 0xc7