ci starts bisection 2023-05-03 12:01:17.97840044 +0000 UTC m=+76044.525970010
bisecting fixing commit since f3a2439f20d918930cc4ae8f76fe1c1afd26958f
building syzkaller on e792ae78c524597ed9bdc16cf10503e2c0079be5
ensuring issue is reproducible on original commit f3a2439f20d918930cc4ae8f76fe1c1afd26958f
testing commit f3a2439f20d918930cc4ae8f76fe1c1afd26958f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 01baa3671346b51ab3a0bc183153e7451b206ab9ad606704b109f82407732f8f
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
testing current HEAD 348551ddaf311c76b01cdcbaf61b6fef06a49144
testing commit 348551ddaf311c76b01cdcbaf61b6fef06a49144 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0d3ccce0f139eec505f32b41449e074c1bd7fada7b38e47f06e5083cd20aba28
all runs: crashed: KASAN: stack-out-of-bounds Read in xfrm_state_find
revisions tested: 2, total time: 24m33.06931069s (build: 18m11.759147304s, test: 5m42.3142343s)
the crash still happens on HEAD
commit msg: Merge tag 'pinctrl-v6.4-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
crash: KASAN: stack-out-of-bounds Read in xfrm_state_find
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x52bb/0x6950 net/xfrm/xfrm_state.c:1159
Read of size 4 at addr ffffc90000007b10 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.3.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x64/0xb0 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
print_report mm/kasan/report.c:462 [inline]
kasan_report+0x11c/0x130 mm/kasan/report.c:572
jhash2 include/linux/jhash.h:138 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
xfrm_state_find+0x52bb/0x6950 net/xfrm/xfrm_state.c:1159
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2467 [inline]
xfrm_tmpl_resolve+0x24d/0xa70 net/xfrm/xfrm_policy.c:2512
xfrm_resolve_and_create_bundle+0x115/0x1e50 net/xfrm/xfrm_policy.c:2805
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3040 [inline]
xfrm_lookup_with_ifid+0x36b/0x16c0 net/xfrm/xfrm_policy.c:3171
xfrm_lookup net/xfrm/xfrm_policy.c:3268 [inline]
xfrm_lookup_route+0x1f/0x170 net/xfrm/xfrm_policy.c:3279
ip_route_output_ports include/net/route.h:177 [inline]
igmpv3_newpack+0x26a/0xf60 net/ipv4/igmp.c:369
add_grhead+0x231/0x320 net/ipv4/igmp.c:440
add_grec+0xb50/0xde0 net/ipv4/igmp.c:574
igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
igmp_ifc_timer_expire+0x4c8/0xc90 net/ipv4/igmp.c:810
call_timer_fn+0x163/0x400 kernel/time/timer.c:1700
expire_timers+0x224/0x400 kernel/time/timer.c:1751
__run_timers kernel/time/timer.c:2022 [inline]
__run_timers kernel/time/timer.c:1995 [inline]
run_timer_softirq+0x296/0x790 kernel/time/timer.c:2035
__do_softirq+0x1d4/0x905 kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x114/0x190 kernel/softirq.c:650
irq_exit_rcu+0x9/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:kmap_local_sched_in kernel/sched/core.c:5121 [inline]
RIP: 0010:finish_task_switch.isra.0+0x2bf/0xc30 kernel/sched/core.c:5223
Code: 8b 3a 4c 89 e7 48 c7 02 00 00 00 00 ff d1 4d 85 ff 75 bf 4c 89 e7 e8 60 f8 ff ff e8 eb 1f 2d 00 fb 65 48 8b 1c 25 00 bb 03 00 <48> 8d bb 20 16 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
RSP: 0018:ffffffff8b407c18 EFLAGS: 00000202
RAX: 0000000000045a3d RBX: ffffffff8b494300 RCX: 1ffffffff1acf5f1
RDX: 0000000000000000 RSI: ffffffff896b9cc0 RDI: ffffffff89c2b4c0
RBP: ffffffff8b407c60 R08: 0000000000000001 R09: 0000000000000001
R10: fffffbfff1acfbfa R11: 0000000000000000 R12: ffff8880b9a3c500
R13: ffff8880252b5940 R14: 0000000000000000 R15: ffff8880b9a3cf38
context_switch kernel/sched/core.c:5346 [inline]
__schedule+0xc62/0x5840 kernel/sched/core.c:6669
schedule_idle+0x5b/0x80 kernel/sched/core.c:6773
do_idle+0x273/0x3c0 kernel/sched/idle.c:310
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:379
rest_init+0x14a/0x220 init/main.c:735
arch_call_rest_init+0xe/0x20 init/main.c:834
start_kernel+0x300/0x340 init/main.c:1088
x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:556
x86_64_start_kernel+0xb3/0xc0 arch/x86/kernel/head64.c:537
secondary_startup_64_no_verify+0xf4/0xfb
The buggy address belongs to the virtual mapping at
[ffffc90000000000, ffffc90000009000) created by:
map_irq_stack arch/x86/kernel/irq_64.c:48 [inline]
irq_init_percpu_irqstack+0x1d0/0x320 arch/x86/kernel/irq_64.c:75
The buggy address belongs to the physical page:
page:ffffea0002e68240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb9a09
flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000001000 ffffea0002e68248 ffffea0002e68248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
ffffc90000007a00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90000007a80: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
>ffffc90000007b00: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
^
ffffc90000007b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90000007c00: 00 00 00 f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 8b 3a mov (%rdx),%edi
2: 4c 89 e7 mov %r12,%rdi
5: 48 c7 02 00 00 00 00 movq $0x0,(%rdx)
c: ff d1 callq *%rcx
e: 4d 85 ff test %r15,%r15
11: 75 bf jne 0xffffffd2
13: 4c 89 e7 mov %r12,%rdi
16: e8 60 f8 ff ff callq 0xfffff87b
1b: e8 eb 1f 2d 00 callq 0x2d200b
20: fb sti
21: 65 48 8b 1c 25 00 bb mov %gs:0x3bb00,%rbx
28: 03 00
* 2a: 48 8d bb 20 16 00 00 lea 0x1620(%rbx),%rdi <-- trapping instruction
31: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
38: fc ff df
3b: 48 89 fa mov %rdi,%rdx
3e: 48 rex.W
3f: c1 .byte 0xc1