==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:137 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash+0x355/0x430 net/xfrm/xfrm_hash.h:95
Read of size 4 at addr ffff8881f6e09a78 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.290-syzkaller-05053-g41adfeb3d639 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
print_address_description+0x8c/0x600 mm/kasan/report.c:384
__kasan_report+0xf3/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
jhash2 include/linux/jhash.h:137 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash+0x355/0x430 net/xfrm/xfrm_hash.h:95
xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
xfrm_state_find+0x2cc/0x2dc0 net/xfrm/xfrm_state.c:1063
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2397 [inline]
xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2442 [inline]
xfrm_resolve_and_create_bundle+0x6aa/0x31d0 net/xfrm/xfrm_policy.c:2736
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2960 [inline]
xfrm_lookup_with_ifid+0x549/0x1c90 net/xfrm/xfrm_policy.c:3091
xfrm_lookup net/xfrm/xfrm_policy.c:3183 [inline]
xfrm_lookup_route+0x37/0x170 net/xfrm/xfrm_policy.c:3194
ip_route_output_flow+0x1fe/0x330 net/ipv4/route.c:2750
ip_route_output_ports include/net/route.h:163 [inline]
igmpv3_newpack+0x437/0x1070 net/ipv4/igmp.c:374
add_grhead+0x75/0x2c0 net/ipv4/igmp.c:445
add_grec+0x12c9/0x15d0 net/ipv4/igmp.c:579
igmpv3_send_cr net/ipv4/igmp.c:716 [inline]
igmp_ifc_timer_expire+0x7bc/0xea0 net/ipv4/igmp.c:814
call_timer_fn+0x36/0x390 kernel/time/timer.c:1448
expire_timers kernel/time/timer.c:1493 [inline]
__run_timers+0x879/0xbe0 kernel/time/timer.c:1817
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1830
__do_softirq+0x23b/0x6b7 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x195/0x1c0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:539 [inline]
smp_apic_timer_interrupt+0x11a/0x490 arch/x86/kernel/apic/apic.c:1161
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:834
RIP: 0010:default_idle+0x1f/0x30 arch/x86/kernel/process.c:573
Code: 90 90 90 90 90 90 90 90 90 90 90 e8 8b af da fd bf 01 00 00 00 89 c6 e8 ef 93 d1 fc 0f 1f 44 00 00 0f 00 2d 23 a3 4d 00 fb f4 6c af da fd bf ff ff ff ff 89 c6 e9 d0 93 d1 fc 41 57 41 56 53
RSP: 0018:ffffffff85e07d18 EFLAGS: 000002d2 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff85e1adc0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffffff85e07e20 R08: ffffffff8231cd01 R09: fffffbfff0bc35b9
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffffff864c4d68
R13: ffffffff85e1adc0 R14: 1ffffffff0bc35b8 R15: 0000000000000000
default_idle_call kernel/sched/idle.c:94 [inline]
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x248/0x660 kernel/sched/idle.c:264
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:356
start_kernel+0x6d9/0x81d init/main.c:1036
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
The buggy address belongs to the page:
page:ffffea0007db8240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000001000(reserved)
raw: 8000000000001000 ffffea0007db8248 ffffea0007db8248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
 ffff8881f6e09900: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00
 ffff8881f6e09980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881f6e09a00: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f3
                                                                ^
 ffff8881f6e09a80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881f6e09b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
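The shadow bytes in the "Memory state" block are what actually pin down the overrun: each byte covers 8 bytes of memory, 00 means fully addressable, and f1/f3 mark the left and right redzones the compiler places around a stack variable. Decoding that by hand is error-prone, so below is an added triage helper written for this page (it is not syzkaller's or the kernel's code). It parses the "Read of size N at addr X" line and the memory-state block, maps the faulting address to its shadow byte, names the redzone using the values from mm/kasan/kasan.h (generic KASAN), and walks back over the addressable run that the access overshot. The embedded sample text is copied from the report above. Applied to it, the helper reports shadow 0xf3 (stack right redzone) at ffff8881f6e09a78 and an addressable run ffff8881f6e09a40..ffff8881f6e09a78 of 56 bytes, so the 4-byte read issued by jhash2 begins exactly at the end of a 56-byte stack object. The walk-back treats any non-zero shadow byte as a boundary; the assumption (stated again in the code) is that partially addressable granules only occur at the end of an object, which is how KASAN lays out stack variables.

```python
"""Decode the 'Memory state around the buggy address' block of a KASAN report.

Added triage helper written for this page; it is not syzkaller's or the
kernel's code.  Shadow byte meanings follow mm/kasan/kasan.h (generic KASAN).
"""
import re

SHADOW_GRANULE = 8                 # one shadow byte covers 8 bytes of memory
LINE_BYTES = 16 * SHADOW_GRANULE   # each dump line shows 16 shadow bytes

# Stack values 0xF1..0xF4/0xF8 are the compiler ABI; the rest are kernel-defined.
SHADOW_MEANING = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "stack use-after-scope",
    0xCA: "alloca left redzone",
    0xCB: "alloca right redzone",
    0xFA: "global redzone",
    0xFB: "freed slab object",
    0xFC: "slab redzone",
    0xFE: "page redzone (kmalloc_large)",
    0xFF: "freed page",
}

_ACCESS = re.compile(r"\b(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
_LINE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})$")


def parse_access(text):
    """(kind, size, addr) from the 'Read of size N at addr X' line."""
    m = _ACCESS.search(text)
    if not m:
        raise ValueError("no access line found")
    return m.group(1), int(m.group(2)), int(m.group(3), 16)


def parse_memory_state(text):
    """{line base address: [16 shadow byte values]}; the '^' marker is skipped."""
    shadow = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    if not shadow:
        raise ValueError("no shadow lines found")
    return shadow


def shadow_at(shadow, addr):
    """Shadow byte covering addr, or None if the dump does not include it."""
    base = addr - addr % LINE_BYTES
    if base not in shadow:
        return None
    return shadow[base][(addr - base) // SHADOW_GRANULE]


def describe(value, addr):
    """Human-readable meaning of a shadow byte for an access at addr."""
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:   # partial granule: only the first `value` bytes are valid
        state = "out of bounds" if addr % SHADOW_GRANULE >= value else "in bounds"
        return "partial granule, first %d bytes addressable (%s)" % (value, state)
    return SHADOW_MEANING.get(value, "unknown shadow value 0x%02x" % value)


def preceding_run(shadow, addr):
    """(start, end) of the fully addressable run just before addr's granule.

    Any non-zero shadow byte ends the walk, so a neighbouring local separated
    only by a redzone is not merged in.  Assumption: partial granules occur
    only at the end of an object, never at its start.
    """
    end = addr - addr % SHADOW_GRANULE
    cur = end - SHADOW_GRANULE
    while shadow_at(shadow, cur) == 0:
        cur -= SHADOW_GRANULE
    start = cur + SHADOW_GRANULE
    return (start, end) if start < end else None


def analyze(text):
    """Decode one report: shadow byte at the fault and the run it overshot."""
    kind, size, addr = parse_access(text)
    shadow = parse_memory_state(text)
    value = shadow_at(shadow, addr)
    if value is None:
        raise ValueError("dump does not cover 0x%x" % addr)
    result = {"kind": kind, "size": size, "addr": addr, "shadow": value,
              "meaning": describe(value, addr),
              "object_start": None, "object_size": None, "overrun": None}
    run = preceding_run(shadow, addr)
    if run and value != 0:
        start, end = run
        # overrun: how many bytes past the run the access begins (0 = right at its end)
        result.update(object_start=start, object_size=end - start, overrun=addr - end)
    return result


# Copied from the report above (the access line and the memory-state block).
SAMPLE_REPORT = """\
Read of size 4 at addr ffff8881f6e09a78 by task swapper/0/0
Memory state around the buggy address:
 ffff8881f6e09900: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00
 ffff8881f6e09980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881f6e09a00: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 f3
                                                                ^
 ffff8881f6e09a80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881f6e09b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

if __name__ == "__main__":
    r = analyze(SAMPLE_REPORT)
    print("%s of %d bytes at 0x%x: shadow 0x%02x (%s)"
          % (r["kind"], r["size"], r["addr"], r["shadow"], r["meaning"]))
    if r["object_start"] is not None:
        print("addressable run 0x%x..0x%x (%d bytes); access begins %d bytes past it"
              % (r["object_start"], r["object_start"] + r["object_size"],
                 r["object_size"], r["overrun"]))
```

Feed it the whole report text; it only needs the access line and the memory-state lines, so the call trace and disassembly can stay in. A non-zero "overrun" would mean the access skipped over part of the redzone, which usually points at an indexing bug rather than a simple off-the-end read like the one here.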
----------------
Code disassembly (best guess):
0: 90 nop
1: 90 nop
2: 90 nop
3: 90 nop
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: e8 8b af da fd call 0xfddaaf9b
10: bf 01 00 00 00 mov $0x1,%edi
15: 89 c6 mov %eax,%esi
17: e8 ef 93 d1 fc call 0xfcd1940b
1c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
21: 0f 00 2d 23 a3 4d 00 verw 0x4da323(%rip) # 0x4da34b
28: fb sti
29: f4 hlt
* 2a: e8 6c af da fd call 0xfddaaf9b <-- trapping instruction
2f: bf ff ff ff ff mov $0xffffffff,%edi
34: 89 c6 mov %eax,%esi
36: e9 d0 93 d1 fc jmp 0xfcd1940b
3b: 41 57 push %r15
3d: 41 56 push %r14
3f: 53 push %rbx