==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
Read of size 4 at addr ffffc900001d0ab8 by task kauditd/30
CPU: 1 PID: 30 Comm: kauditd Not tainted 5.15.106-syzkaller-06050-g36f4f6fb72d5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description+0x87/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:427 [inline]
kasan_report+0x179/0x1c0 mm/kasan/report.c:444
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
jhash2 include/linux/jhash.h:138 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
xfrm_state_find+0x2f1/0x2f70 net/xfrm/xfrm_state.c:1092
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2393 [inline]
xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2438 [inline]
xfrm_resolve_and_create_bundle+0x65a/0x2b70 net/xfrm/xfrm_policy.c:2731
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2966 [inline]
xfrm_lookup_with_ifid+0x6fc/0x20d0 net/xfrm/xfrm_policy.c:3097
xfrm_lookup net/xfrm/xfrm_policy.c:3194 [inline]
xfrm_lookup_route+0x3b/0x160 net/xfrm/xfrm_policy.c:3205
ip_route_output_flow+0x1ef/0x310 net/ipv4/route.c:2889
ip_route_output_ports include/net/route.h:169 [inline]
igmpv3_newpack+0x425/0x1090 net/ipv4/igmp.c:369
add_grhead+0x84/0x330 net/ipv4/igmp.c:440
add_grec+0x12ca/0x15d0 net/ipv4/igmp.c:574
igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
igmp_ifc_timer_expire+0x83b/0xf50 net/ipv4/igmp.c:810
call_timer_fn+0x3b/0x2d0 kernel/time/timer.c:1427
expire_timers kernel/time/timer.c:1472 [inline]
__run_timers+0x72a/0xa10 kernel/time/timer.c:1743
run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1756
__do_softirq+0x26d/0x5bf kernel/softirq.c:565
invoke_softirq kernel/softirq.c:425 [inline]
__irq_exit_rcu+0x50/0xf0 kernel/softirq.c:647
irq_exit_rcu+0x9/0x10 kernel/softirq.c:659
sysvec_apic_timer_interrupt+0x9a/0xc0 arch/x86/kernel/apic/apic.c:1097
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:console_lock_spinning_disable_and_check kernel/printk/printk.c:1840 [inline]
RIP: 0010:console_unlock+0xc5b/0x10e0 kernel/printk/printk.c:2763
Code: 48 89 de 48 81 e6 00 02 00 00 31 ff e8 ce 01 19 00 48 81 e3 00 02 00 00 75 07 e8 80 fd 18 00 eb 06 e8 79 fd 18 00 fb 45 31 ff <45> 84 f6 0f 94 c1 0f 95 c0 84 4c 24 0f 74 0f e8 61 fd 18 00 2e 2e
RSP: 0018:ffffc900001ff860 EFLAGS: 00000246
RAX: ffffffff81564de7 RBX: 0000000000000200 RCX: ffff88810818cf00
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000
RBP: ffffc900001ffaf0 R08: ffffffff81564dd2 R09: 0000000000000003
R10: fffff5200003fefc R11: dffffc0000000001 R12: ffffffff860d1368
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
vprintk_emit+0x12c/0x330 kernel/printk/printk.c:2288
vprintk_default+0x26/0x30 kernel/printk/printk.c:2299
vprintk+0x86/0x90 kernel/printk/printk_safe.c:50
_printk+0xd1/0x111 kernel/printk/printk.c:2309
kauditd_printk_skb kernel/audit.c:538 [inline]
kauditd_hold_skb+0x1bb/0x200 kernel/audit.c:573
kauditd_send_queue+0x28d/0x2e0 kernel/audit.c:758
kauditd_thread+0x529/0x8b0 kernel/audit.c:882
kthread+0x421/0x510 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
Memory state around the buggy address:
ffffc900001d0980: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900001d0a00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>ffffc900001d0a80: 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
^
ffffc900001d0b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc900001d0b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 48 89 de mov %rbx,%rsi
3: 48 81 e6 00 02 00 00 and $0x200,%rsi
a: 31 ff xor %edi,%edi
c: e8 ce 01 19 00 callq 0x1901df
11: 48 81 e3 00 02 00 00 and $0x200,%rbx
18: 75 07 jne 0x21
1a: e8 80 fd 18 00 callq 0x18fd9f
1f: eb 06 jmp 0x27
21: e8 79 fd 18 00 callq 0x18fd9f
26: fb sti
27: 45 31 ff xor %r15d,%r15d
* 2a: 45 84 f6 test %r14b,%r14b <-- trapping instruction
2d: 0f 94 c1 sete %cl
30: 0f 95 c0 setne %al
33: 84 4c 24 0f test %cl,0xf(%rsp)
37: 74 0f je 0x48
39: e8 61 fd 18 00 callq 0x18fd9f
3e: 2e cs
3f: 2e cs