ci2 starts bisection 2023-04-03 22:53:27.440538538 +0000 UTC m=+62019.533696335
bisecting fixing commit since c73b4619ad86a2a29fc998e950e98bcdfa2f6d8f
building syzkaller on ab32d50881df9f96f2af301aadca62ad00b7e099
ensuring issue is reproducible on original commit c73b4619ad86a2a29fc998e950e98bcdfa2f6d8f
testing commit c73b4619ad86a2a29fc998e950e98bcdfa2f6d8f gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 078dec9f0587431c20303803013ab22b0fab7ac94e10a3bce31e56469ba5d870
all runs: crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing current HEAD 7364b7abbafbeaab61d763c46d84145488b98a3c
testing commit 7364b7abbafbeaab61d763c46d84145488b98a3c gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: de7a50844d9580c9dcbeff49c2c89217993c7eab95a97d85e50c6dc0e142ae09
all runs: crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
revisions tested: 2, total time: 17m49.135931178s (build: 10m47.624164267s, test: 5m34.228757744s)
the crash still happens on HEAD
commit msg: Merge branch 'android13-5.15' into android13-5.15-lts
crash: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash+0x3dd/0x4d0 net/xfrm/xfrm_hash.h:95
Read of size 4 at addr ffffc90000007ab8 by task kauditd/30
CPU: 0 PID: 30 Comm: kauditd Not tainted 5.15.98-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x105/0x148 lib/dump_stack.c:106
print_address_description+0x87/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:427 [inline]
kasan_report+0x179/0x1c0 mm/kasan/report.c:444
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
jhash2 include/linux/jhash.h:138 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash+0x3dd/0x4d0 net/xfrm/xfrm_hash.h:95
xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
xfrm_state_find+0x2fb/0x2c80 net/xfrm/xfrm_state.c:1092
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2393 [inline]
xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2438 [inline]
xfrm_resolve_and_create_bundle+0x57c/0x28e0 net/xfrm/xfrm_policy.c:2731
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2966 [inline]
xfrm_lookup_with_ifid+0x7dd/0x1900 net/xfrm/xfrm_policy.c:3097
xfrm_lookup net/xfrm/xfrm_policy.c:3194 [inline]
xfrm_lookup_route+0x1d/0x120 net/xfrm/xfrm_policy.c:3205
ip_route_output_flow+0x1c3/0x2f0 net/ipv4/route.c:2889
ip_route_output_ports include/net/route.h:169 [inline]
igmpv3_newpack+0x40a/0xf70 net/ipv4/igmp.c:369
add_grhead+0x70/0x310 net/ipv4/igmp.c:440
add_grec+0x104b/0x1340 net/ipv4/igmp.c:574
igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
igmp_ifc_timer_expire+0x735/0xd20 net/ipv4/igmp.c:810
call_timer_fn+0x28/0x1c0 kernel/time/timer.c:1427
expire_timers kernel/time/timer.c:1472 [inline]
__run_timers+0x675/0x850 kernel/time/timer.c:1743
run_timer_softirq+0x4a/0xb0 kernel/time/timer.c:1756
__do_softirq+0x26d/0x5bf kernel/softirq.c:565
invoke_softirq kernel/softirq.c:425 [inline]
__irq_exit_rcu+0x50/0xf0 kernel/softirq.c:647
irq_exit_rcu+0x9/0x10 kernel/softirq.c:659
sysvec_apic_timer_interrupt+0x9a/0xc0 arch/x86/kernel/apic/apic.c:1097
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:console_lock_spinning_disable_and_check kernel/printk/printk.c:1840 [inline]
RIP: 0010:console_unlock+0x97d/0xcc0 kernel/printk/printk.c:2763
Code: e8 98 e8 07 03 84 db 74 07 c6 05 fd fd f2 04 00 e8 68 4a 00 00 f7 44 24 30 00 02 00 00 4c 8d a4 24 d0 01 00 00 74 01 fb 84 db <0f> 94 c0 22 44 24 07 3c 01 0f 84 00 f9 ff ff 0f b6 c3 85 c0 0f 84
RSP: 0018:ffffc900001ff8c0 EFLAGS: 00000202
RAX: 0000000080000001 RBX: 0000000000000001 RCX: 0000000000000002
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001
RBP: ffffc900001ffb30 R08: dffffc0000000000 R09: 0000000000000003
R10: fffff5200003ff08 R11: dffffc0000000001 R12: ffffc900001ffa90
R13: dffffc0000000000 R14: 0000000000000000 R15: 00000000000000ec
vprintk_emit+0xd1/0x250 kernel/printk/printk.c:2288
vprintk_default+0x18/0x20 kernel/printk/printk.c:2299
vprintk+0x49/0x50 kernel/printk/printk_safe.c:50
_printk+0xca/0x10a kernel/printk/printk.c:2309
kauditd_printk_skb kernel/audit.c:538 [inline]
kauditd_hold_skb+0x103/0x150 kernel/audit.c:573
kauditd_send_queue+0x1ab/0x1d0 kernel/audit.c:758
kauditd_thread+0x427/0x670 kernel/audit.c:882
kthread+0x3a1/0x480 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 :298
Memory state around the buggy address:
ffffc90000007980: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90000007a00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>ffffc90000007a80: 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
^
ffffc90000007b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90000007b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: e8 98 e8 07 03 callq 0x307e89d
5: 84 db test %bl,%bl
7: 74 07 je 0x10
9: c6 05 fd fd f2 04 00 movb $0x0,0x4f2fdfd(%rip) # 0x4f2fe0d
10: e8 68 4a 00 00 callq 0x4a7d
15: f7 44 24 30 00 02 00 testl $0x200,0x30(%rsp)
1c: 00
1d: 4c 8d a4 24 d0 01 00 lea 0x1d0(%rsp),%r12
24: 00
25: 74 01 je 0x28
27: fb sti
28: 84 db test %bl,%bl
* 2a: 0f 94 c0 sete %al <-- trapping instruction
2d: 22 44 24 07 and 0x7(%rsp),%al
31: 3c 01 cmp $0x1,%al
33: 0f 84 00 f9 ff ff je 0xfffff939
39: 0f b6 c3 movzbl %bl,%eax
3c: 85 c0 test %eax,%eax
3e: 0f .byte 0xf
3f: 84 .byte 0x84