==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
Read of size 4 at addr ffffc900001d0ab8 by task kauditd/30

CPU: 1 PID: 30 Comm: kauditd Not tainted 5.15.106-syzkaller-06050-g36f4f6fb72d5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 jhash2 include/linux/jhash.h:138 [inline]
 __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
 __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
 __xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
 xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
 xfrm_state_find+0x2f1/0x2f70 net/xfrm/xfrm_state.c:1092
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2393 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2438 [inline]
 xfrm_resolve_and_create_bundle+0x65a/0x2b70 net/xfrm/xfrm_policy.c:2731
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2966 [inline]
 xfrm_lookup_with_ifid+0x6fc/0x20d0 net/xfrm/xfrm_policy.c:3097
 xfrm_lookup net/xfrm/xfrm_policy.c:3194 [inline]
 xfrm_lookup_route+0x3b/0x160 net/xfrm/xfrm_policy.c:3205
 ip_route_output_flow+0x1ef/0x310 net/ipv4/route.c:2889
 ip_route_output_ports include/net/route.h:169 [inline]
 igmpv3_newpack+0x425/0x1090 net/ipv4/igmp.c:369
 add_grhead+0x84/0x330 net/ipv4/igmp.c:440
 add_grec+0x12ca/0x15d0 net/ipv4/igmp.c:574
 igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
 igmp_ifc_timer_expire+0x83b/0xf50 net/ipv4/igmp.c:810
 call_timer_fn+0x3b/0x2d0 kernel/time/timer.c:1427
 expire_timers kernel/time/timer.c:1472 [inline]
 __run_timers+0x72a/0xa10 kernel/time/timer.c:1743
 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1756
 __do_softirq+0x26d/0x5bf kernel/softirq.c:565
 invoke_softirq kernel/softirq.c:425 [inline]
 __irq_exit_rcu+0x50/0xf0 kernel/softirq.c:647
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:659
 sysvec_apic_timer_interrupt+0x9a/0xc0 arch/x86/kernel/apic/apic.c:1097
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:console_lock_spinning_disable_and_check kernel/printk/printk.c:1840 [inline]
RIP: 0010:console_unlock+0xc5b/0x10e0 kernel/printk/printk.c:2763
Code: 48 89 de 48 81 e6 00 02 00 00 31 ff e8 ce 01 19 00 48 81 e3 00 02 00 00 75 07 e8 80 fd 18 00 eb 06 e8 79 fd 18 00 fb 45 31 ff <45> 84 f6 0f 94 c1 0f 95 c0 84 4c 24 0f 74 0f e8 61 fd 18 00 2e 2e
RSP: 0018:ffffc900001ff860 EFLAGS: 00000246
RAX: ffffffff81564de7 RBX: 0000000000000200 RCX: ffff88810818cf00
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000
RBP: ffffc900001ffaf0 R08: ffffffff81564dd2 R09: 0000000000000003
R10: fffff5200003fefc R11: dffffc0000000001 R12: ffffffff860d1368
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
 vprintk_emit+0x12c/0x330 kernel/printk/printk.c:2288
 vprintk_default+0x26/0x30 kernel/printk/printk.c:2299
 vprintk+0x86/0x90 kernel/printk/printk_safe.c:50
 _printk+0xd1/0x111 kernel/printk/printk.c:2309
 kauditd_printk_skb kernel/audit.c:538 [inline]
 kauditd_hold_skb+0x1bb/0x200 kernel/audit.c:573
 kauditd_send_queue+0x28d/0x2e0 kernel/audit.c:758
 kauditd_thread+0x529/0x8b0 kernel/audit.c:882
 kthread+0x421/0x510 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

Memory state around the buggy address:
 ffffc900001d0980: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900001d0a00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>ffffc900001d0a80: 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
                                        ^
 ffffc900001d0b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900001d0b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:   48 89 de                mov    %rbx,%rsi
   3:   48 81 e6 00 02 00 00    and    $0x200,%rsi
   a:   31 ff                   xor    %edi,%edi
   c:   e8 ce 01 19 00          callq  0x1901df
  11:   48 81 e3 00 02 00 00    and    $0x200,%rbx
  18:   75 07                   jne    0x21
  1a:   e8 80 fd 18 00          callq  0x18fd9f
  1f:   eb 06                   jmp    0x27
  21:   e8 79 fd 18 00          callq  0x18fd9f
  26:   fb                      sti
  27:   45 31 ff                xor    %r15d,%r15d
* 2a:   45 84 f6                test   %r14b,%r14b              <-- trapping instruction
  2d:   0f 94 c1                sete   %cl
  30:   0f 95 c0                setne  %al
  33:   84 4c 24 0f             test   %cl,0xf(%rsp)
  37:   74 0f                   je     0x48
  39:   e8 61 fd 18 00          callq  0x18fd9f
  3e:   2e                      cs
  3f:   2e                      cs