==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
Read of size 4 at addr ffffc900001b0aa0 by task kauditd/28
CPU: 1 PID: 28 Comm: kauditd Tainted: G W 6.4.0-rc1-syzkaller-00222-ga94fd40a18ae #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x155/0x1c0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:351 [inline]
print_report+0x15d/0x540 mm/kasan/report.c:462
kasan_report+0x16d/0x1a0 mm/kasan/report.c:572
__asan_report_load4_noabort+0x18/0x20 mm/kasan/report_generic.c:380
jhash2 include/linux/jhash.h:138 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
xfrm_state_find+0x2e2/0x4040 net/xfrm/xfrm_state.c:1159
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2467 [inline]
xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2512 [inline]
xfrm_resolve_and_create_bundle+0x66c/0x2a90 net/xfrm/xfrm_policy.c:2805
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3040 [inline]
xfrm_lookup_with_ifid+0x73f/0x2030 net/xfrm/xfrm_policy.c:3171
xfrm_lookup net/xfrm/xfrm_policy.c:3268 [inline]
xfrm_lookup_route+0x3f/0x170 net/xfrm/xfrm_policy.c:3279
ip_route_output_flow+0x219/0x340 net/ipv4/route.c:2876
ip_route_output_ports include/net/route.h:177 [inline]
igmpv3_newpack+0x3cb/0x1040 net/ipv4/igmp.c:369
add_grhead+0x84/0x330 net/ipv4/igmp.c:440
add_grec+0x12c8/0x15c0 net/ipv4/igmp.c:574
igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
igmp_ifc_timer_expire+0x833/0xf40 net/ipv4/igmp.c:810
call_timer_fn+0x3b/0x2e0 kernel/time/timer.c:1700
expire_timers kernel/time/timer.c:1751 [inline]
__run_timers+0x739/0xa30 kernel/time/timer.c:2022
run_timer_softirq+0x6d/0xf0 kernel/time/timer.c:2035
__do_softirq+0x193/0x57c kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0xbb/0x170 kernel/softirq.c:650
irq_exit_rcu+0xd/0x10 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x9e/0xc0 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:645
RIP: 0010:console_flush_all+0x739/0xb90
Code: f6 48 81 e6 00 02 00 00 31 ff e8 f2 c5 1a 00 49 81 e6 00 02 00 00 75 07 e8 84 c1 1a 00 eb 06 e8 7d c1 1a 00 fb 4c 8b 74 24 58 <48> 8b 44 24 70 42 0f b6 04 38 84 c0 48 8b 7c 24 30 0f 85 fd 01 00
RSP: 0018:ffffc900001df840 EFLAGS: 00000293
RAX: ffffffff815a5ed3 RBX: 0000000000000001 RCX: ffff8881089ad3c0
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000
RBP: ffffc900001df9d0 R08: ffffffff815a5ebe R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffffffff862d80d8
R13: ffffffff862d8080 R14: ffffffff862d80d8 R15: dffffc0000000000
console_unlock+0x1bc/0x3b0 kernel/printk/printk.c:3007
vprintk_emit+0x145/0x440 kernel/printk/printk.c:2307
vprintk_default+0x2a/0x30 kernel/printk/printk.c:2318
vprintk+0x8a/0x90 kernel/printk/printk_safe.c:50
_printk+0xd5/0x120 kernel/printk/printk.c:2328
kauditd_printk_skb kernel/audit.c:536 [inline]
kauditd_hold_skb+0x1c4/0x210 kernel/audit.c:571
kauditd_send_queue+0x28d/0x2e0 kernel/audit.c:756
kauditd_thread+0x4f5/0x740 kernel/audit.c:880
kthread+0x2ba/0x350 kernel/kthread.c:379
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
The buggy address belongs to the virtual mapping at
[ffffc900001a9000, ffffc900001b2000) created by:
map_irq_stack arch/x86/kernel/irq_64.c:48 [inline]
irq_init_percpu_irqstack+0x337/0x490 arch/x86/kernel/irq_64.c:75
The buggy address belongs to the physical page:
page:ffffea0007dcc240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f7309
flags: 0x4000000000001000(reserved|zone=1)
page_type: 0xffffffff()
raw: 4000000000001000 ffffea0007dcc248 ffffea0007dcc248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
 ffffc900001b0980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900001b0a00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
>ffffc900001b0a80: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
                               ^
 ffffc900001b0b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900001b0b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: f6 48 81 e6 testb $0xe6,-0x7f(%rax)
4: 00 02 add %al,(%rdx)
6: 00 00 add %al,(%rax)
8: 31 ff xor %edi,%edi
a: e8 f2 c5 1a 00 callq 0x1ac601
f: 49 81 e6 00 02 00 00 and $0x200,%r14
16: 75 07 jne 0x1f
18: e8 84 c1 1a 00 callq 0x1ac1a1
1d: eb 06 jmp 0x25
1f: e8 7d c1 1a 00 callq 0x1ac1a1
24: fb sti
25: 4c 8b 74 24 58 mov 0x58(%rsp),%r14
* 2a: 48 8b 44 24 70 mov 0x70(%rsp),%rax <-- trapping instruction
2f: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax
34: 84 c0 test %al,%al
36: 48 8b 7c 24 30 mov 0x30(%rsp),%rdi
3b: 0f .byte 0xf
3c: 85 fd test %edi,%ebp
3e: 01 00 add %eax,(%rax)