==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
Read of size 4 at addr ffffc90000007aa0 by task kauditd/28

CPU: 0 PID: 28 Comm: kauditd Not tainted 6.4.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x155/0x1c0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:351 [inline]
 print_report+0x15d/0x540 mm/kasan/report.c:462
 kasan_report+0x16d/0x1a0 mm/kasan/report.c:572
 __asan_report_load4_noabort+0x18/0x20 mm/kasan/report_generic.c:380
 jhash2 include/linux/jhash.h:138 [inline]
 __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
 __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
 __xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
 xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
 xfrm_state_find+0x2e2/0x4040 net/xfrm/xfrm_state.c:1159
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2467 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2512 [inline]
 xfrm_resolve_and_create_bundle+0x66c/0x2a90 net/xfrm/xfrm_policy.c:2805
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3040 [inline]
 xfrm_lookup_with_ifid+0x73f/0x2030 net/xfrm/xfrm_policy.c:3171
 xfrm_lookup net/xfrm/xfrm_policy.c:3268 [inline]
 xfrm_lookup_route+0x3f/0x170 net/xfrm/xfrm_policy.c:3279
 ip_route_output_flow+0x219/0x340 net/ipv4/route.c:2876
 ip_route_output_ports include/net/route.h:177 [inline]
 igmpv3_newpack+0x3cb/0x1040 net/ipv4/igmp.c:369
 add_grhead+0x84/0x330 net/ipv4/igmp.c:440
 add_grec+0x12c8/0x15c0 net/ipv4/igmp.c:574
 igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
 igmp_ifc_timer_expire+0x833/0xf40 net/ipv4/igmp.c:810
 call_timer_fn+0x3b/0x2e0 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x739/0xa30 kernel/time/timer.c:2022
 run_timer_softirq+0x6d/0xf0 kernel/time/timer.c:2035
 __do_softirq+0x193/0x57c kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0xbb/0x170 kernel/softirq.c:650
 irq_exit_rcu+0xd/0x10 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x9e/0xc0 arch/x86/kernel/apic/apic.c:1106
 asm_sysvec_apic_timer_interrupt+0x1f/0x30 arch/x86/include/asm/idtentry.h:645
RIP: 0010:console_flush_all+0x739/0xb90
Code: f6 48 81 e6 00 02 00 00 31 ff e8 52 c6 1a 00 49 81 e6 00 02 00 00 75 07 e8 e4 c1 1a 00 eb 06 e8 dd c1 1a 00 fb 4c 8b 74 24 58 <48> 8b 44 24 70 42 0f b6 04 38 84 c0 48 8b 7c 24 30 0f 85 fd 01 00
RSP: 0018:ffffc900001df840 EFLAGS: 00000293
RAX: ffffffff815a5613 RBX: 0000000000000001 RCX: ffff8881089aa180
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 0000000000000000
RBP: ffffc900001df9d0 R08: ffffffff815a55fe R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffffffff862d80d8
R13: ffffffff862d8080 R14: ffffffff862d80d8 R15: dffffc0000000000
 console_unlock+0x1bc/0x3b0 kernel/printk/printk.c:3007
 vprintk_emit+0x145/0x440 kernel/printk/printk.c:2307
 vprintk_default+0x2a/0x30 kernel/printk/printk.c:2318
 vprintk+0x8a/0x90 kernel/printk/printk_safe.c:50
 _printk+0xd5/0x120 kernel/printk/printk.c:2328
 kauditd_printk_skb kernel/audit.c:536 [inline]
 kauditd_hold_skb+0x1c4/0x210 kernel/audit.c:571
 kauditd_send_queue+0x28d/0x2e0 kernel/audit.c:756
 kauditd_thread+0x4f5/0x740 kernel/audit.c:880
 kthread+0x2ba/0x350 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The buggy address belongs to the virtual mapping at
 [ffffc90000000000, ffffc90000009000) created by:
 map_irq_stack arch/x86/kernel/irq_64.c:48 [inline]
 irq_init_percpu_irqstack+0x337/0x490 arch/x86/kernel/irq_64.c:75

The buggy address belongs to the physical page:
page:ffffea0007dc8240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f7209
flags: 0x4000000000001000(reserved|zone=1)
page_type: 0xffffffff()
raw: 4000000000001000 ffffea0007dc8248 ffffea0007dc8248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007a00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
>ffffc90000007a80: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
                               ^
 ffffc90000007b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
   0:   f6 48 81 e6             testb  $0xe6,-0x7f(%rax)
   4:   00 02                   add    %al,(%rdx)
   6:   00 00                   add    %al,(%rax)
   8:   31 ff                   xor    %edi,%edi
   a:   e8 52 c6 1a 00          callq  0x1ac661
   f:   49 81 e6 00 02 00 00    and    $0x200,%r14
  16:   75 07                   jne    0x1f
  18:   e8 e4 c1 1a 00          callq  0x1ac201
  1d:   eb 06                   jmp    0x25
  1f:   e8 dd c1 1a 00          callq  0x1ac201
  24:   fb                      sti
  25:   4c 8b 74 24 58          mov    0x58(%rsp),%r14
* 2a:   48 8b 44 24 70          mov    0x70(%rsp),%rax          <-- trapping instruction
  2f:   42 0f b6 04 38          movzbl (%rax,%r15,1),%eax
  34:   84 c0                   test   %al,%al
  36:   48 8b 7c 24 30          mov    0x30(%rsp),%rdi
  3b:   0f                      .byte 0xf
  3c:   85 fd                   test   %edi,%ebp
  3e:   01 00                   add    %eax,(%rax)