ci starts bisection 2023-05-03 12:01:17.97840044 +0000 UTC m=+76044.525970010
bisecting fixing commit since f3a2439f20d918930cc4ae8f76fe1c1afd26958f
building syzkaller on e792ae78c524597ed9bdc16cf10503e2c0079be5
ensuring issue is reproducible on original commit f3a2439f20d918930cc4ae8f76fe1c1afd26958f
testing commit f3a2439f20d918930cc4ae8f76fe1c1afd26958f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 01baa3671346b51ab3a0bc183153e7451b206ab9ad606704b109f82407732f8f
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
testing current HEAD 348551ddaf311c76b01cdcbaf61b6fef06a49144
testing commit 348551ddaf311c76b01cdcbaf61b6fef06a49144 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0d3ccce0f139eec505f32b41449e074c1bd7fada7b38e47f06e5083cd20aba28
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
revisions tested: 2, total time: 24m33.06931069s (build: 18m11.759147304s, test: 5m42.3142343s)
the crash still happens on HEAD
commit msg: Merge tag 'pinctrl-v6.4-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
crash: KASAN: stack-out-of-bounds Read in xfrm_state_find
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x52bb/0x6950 net/xfrm/xfrm_state.c:1159
Read of size 4 at addr ffffc90000007b10 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.3.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x64/0xb0 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
 print_report mm/kasan/report.c:462 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:572
 jhash2 include/linux/jhash.h:138 [inline]
 __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
 __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
 __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
 xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
 xfrm_state_find+0x52bb/0x6950 net/xfrm/xfrm_state.c:1159
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2467 [inline]
 xfrm_tmpl_resolve+0x24d/0xa70 net/xfrm/xfrm_policy.c:2512
 xfrm_resolve_and_create_bundle+0x115/0x1e50 net/xfrm/xfrm_policy.c:2805
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3040 [inline]
 xfrm_lookup_with_ifid+0x36b/0x16c0 net/xfrm/xfrm_policy.c:3171
 xfrm_lookup net/xfrm/xfrm_policy.c:3268 [inline]
 xfrm_lookup_route+0x1f/0x170 net/xfrm/xfrm_policy.c:3279
 ip_route_output_ports include/net/route.h:177 [inline]
 igmpv3_newpack+0x26a/0xf60 net/ipv4/igmp.c:369
 add_grhead+0x231/0x320 net/ipv4/igmp.c:440
 add_grec+0xb50/0xde0 net/ipv4/igmp.c:574
 igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
 igmp_ifc_timer_expire+0x4c8/0xc90 net/ipv4/igmp.c:810
 call_timer_fn+0x163/0x400 kernel/time/timer.c:1700
 expire_timers+0x224/0x400 kernel/time/timer.c:1751
 __run_timers kernel/time/timer.c:2022 [inline]
 __run_timers kernel/time/timer.c:1995 [inline]
 run_timer_softirq+0x296/0x790 kernel/time/timer.c:2035
 __do_softirq+0x1d4/0x905 kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x114/0x190 kernel/softirq.c:650
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1106
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:kmap_local_sched_in kernel/sched/core.c:5121 [inline]
RIP: 0010:finish_task_switch.isra.0+0x2bf/0xc30 kernel/sched/core.c:5223
Code: 8b 3a 4c 89 e7 48 c7 02 00 00 00 00 ff d1 4d 85 ff 75 bf 4c 89 e7 e8 60 f8 ff ff e8 eb 1f 2d 00 fb 65 48 8b 1c 25 00 bb 03 00 <48> 8d bb 20 16 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
RSP: 0018:ffffffff8b407c18 EFLAGS: 00000202
RAX: 0000000000045a3d RBX: ffffffff8b494300 RCX: 1ffffffff1acf5f1
RDX: 0000000000000000 RSI: ffffffff896b9cc0 RDI: ffffffff89c2b4c0
RBP: ffffffff8b407c60 R08: 0000000000000001 R09: 0000000000000001
R10: fffffbfff1acfbfa R11: 0000000000000000 R12: ffff8880b9a3c500
R13: ffff8880252b5940 R14: 0000000000000000 R15: ffff8880b9a3cf38
 context_switch kernel/sched/core.c:5346 [inline]
 __schedule+0xc62/0x5840 kernel/sched/core.c:6669
 schedule_idle+0x5b/0x80 kernel/sched/core.c:6773
 do_idle+0x273/0x3c0 kernel/sched/idle.c:310
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:379
 rest_init+0x14a/0x220 init/main.c:735
 arch_call_rest_init+0xe/0x20 init/main.c:834
 start_kernel+0x300/0x340 init/main.c:1088
 x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:556
 x86_64_start_kernel+0xb3/0xc0 arch/x86/kernel/head64.c:537
 secondary_startup_64_no_verify+0xf4/0xfb
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc90000000000, ffffc90000009000) created by:
 map_irq_stack arch/x86/kernel/irq_64.c:48 [inline]
 irq_init_percpu_irqstack+0x1d0/0x320 arch/x86/kernel/irq_64.c:75

The buggy address belongs to the physical page:
page:ffffea0002e68240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb9a09
flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000001000 ffffea0002e68248 ffffea0002e68248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffc90000007a00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007a80: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
>ffffc90000007b00: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
                         ^
 ffffc90000007b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007c00: 00 00 00 f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:   8b 3a                   mov    (%rdx),%edi
   2:   4c 89 e7                mov    %r12,%rdi
   5:   48 c7 02 00 00 00 00    movq   $0x0,(%rdx)
   c:   ff d1                   callq  *%rcx
   e:   4d 85 ff                test   %r15,%r15
  11:   75 bf                   jne    0xffffffd2
  13:   4c 89 e7                mov    %r12,%rdi
  16:   e8 60 f8 ff ff          callq  0xfffff87b
  1b:   e8 eb 1f 2d 00          callq  0x2d200b
  20:   fb                      sti
  21:   65 48 8b 1c 25 00 bb    mov    %gs:0x3bb00,%rbx
  28:   03 00
* 2a:   48 8d bb 20 16 00 00    lea    0x1620(%rbx),%rdi        <-- trapping instruction
  31:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  38:   fc ff df
  3b:   48 89 fa                mov    %rdi,%rdx
  3e:   48                      rex.W
  3f:   c1                      .byte 0xc1