==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
Read of size 4 at addr ffffc90000187960 by task ksoftirqd/1/23

CPU: 1 PID: 23 Comm: ksoftirqd/1 Not tainted 6.3.0-syzkaller-13294-g418d5c98319f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x155/0x1c0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:351 [inline]
 print_report+0x15d/0x540 mm/kasan/report.c:462
 kasan_report+0x16d/0x1a0 mm/kasan/report.c:572
 __asan_report_load4_noabort+0x18/0x20 mm/kasan/report_generic.c:380
 jhash2 include/linux/jhash.h:138 [inline]
 __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
 __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
 __xfrm_dst_hash+0x38d/0x460 net/xfrm/xfrm_hash.h:95
 xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
 xfrm_state_find+0x2e2/0x4040 net/xfrm/xfrm_state.c:1159
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2467 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2512 [inline]
 xfrm_resolve_and_create_bundle+0x66c/0x2a90 net/xfrm/xfrm_policy.c:2805
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3040 [inline]
 xfrm_lookup_with_ifid+0x73f/0x2030 net/xfrm/xfrm_policy.c:3171
 xfrm_lookup net/xfrm/xfrm_policy.c:3268 [inline]
 xfrm_lookup_route+0x3f/0x170 net/xfrm/xfrm_policy.c:3279
 ip_route_output_flow+0x219/0x340 net/ipv4/route.c:2876
 ip_route_output_ports include/net/route.h:177 [inline]
 igmpv3_newpack+0x3cb/0x1040 net/ipv4/igmp.c:369
 add_grhead+0x84/0x330 net/ipv4/igmp.c:440
 add_grec+0x12c8/0x15c0 net/ipv4/igmp.c:574
 igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
 igmp_ifc_timer_expire+0x833/0xf40 net/ipv4/igmp.c:810
 call_timer_fn+0x3b/0x2e0 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x739/0xa30 kernel/time/timer.c:2022
 run_timer_softirq+0x6d/0xf0 kernel/time/timer.c:2035
 __do_softirq+0x193/0x57c kernel/softirq.c:571
 run_ksoftirqd+0x27/0x40 kernel/softirq.c:939
 smpboot_thread_fn+0x46a/0x8d0 kernel/smpboot.c:164
 kthread+0x2ba/0x350 kernel/kthread.c:379
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The buggy address belongs to stack of task ksoftirqd/1/23
 and is located at offset 96 in frame:
 igmpv3_newpack+0x0/0x1040

This frame has 1 object:
 [32, 96) 'fl4'

The buggy address belongs to the virtual mapping at
 [ffffc90000180000, ffffc90000189000) created by:
 copy_process+0x58c/0x3570 kernel/fork.c:2333

The buggy address belongs to the physical page:
page:ffffea000420e080 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x108382
flags: 0x4000000000000000(zone=1)
page_type: 0xffffffff()
raw: 4000000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 1084126969, free_ts 0
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x223/0x230 mm/page_alloc.c:1731
 prep_new_page mm/page_alloc.c:1738 [inline]
 get_page_from_freelist+0x3442/0x3510 mm/page_alloc.c:3502
 __alloc_pages+0x3e7/0x890 mm/page_alloc.c:4768
 __vmalloc_area_node mm/vmalloc.c:3085 [inline]
 __vmalloc_node_range+0x8c4/0x1590 mm/vmalloc.c:3257
 alloc_thread_stack_node kernel/fork.c:313 [inline]
 dup_task_struct+0x400/0x6b0 kernel/fork.c:1116
 copy_process+0x58c/0x3570 kernel/fork.c:2333
 kernel_clone+0x22d/0x890 kernel/fork.c:2918
 kernel_thread+0x1bc/0x230 kernel/fork.c:2980
 create_kthread kernel/kthread.c:402 [inline]
 kthreadd+0x392/0x500 kernel/kthread.c:737
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
page_owner free stack trace missing

Memory state around the buggy address:
 ffffc90000187800: 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
 ffffc90000187880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90000187900: f1 f1 f1 f1 00 00 00 00 00 00 00 00 f3 f3 f3 f3
                                                       ^
 ffffc90000187980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000187a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================