Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: stack-out-of-bounds Read in xfrm_state_find
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x429b/0x4a00 net/xfrm/xfrm_state.c:1159
Read of size 4 at addr ffffc90002e6f980 by task udevd/389
CPU: 0 PID: 389 Comm: udevd Not tainted 6.2.0-rc2-syzkaller-00127-g69b41ac87e4a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1c0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x164/0x510 mm/kasan/report.c:417
kasan_report+0x13f/0x170 mm/kasan/report.c:517
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
jhash2 include/linux/jhash.h:138 [inline]
__xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
__xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
__xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
xfrm_dst_hash net/xfrm/xfrm_state.c:64 [inline]
xfrm_state_find+0x429b/0x4a00 net/xfrm/xfrm_state.c:1159
xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2467 [inline]
xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2512 [inline]
xfrm_resolve_and_create_bundle+0x66d/0x2cb0 net/xfrm/xfrm_policy.c:2805
xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3040 [inline]
xfrm_lookup_with_ifid+0xa1c/0x2640 net/xfrm/xfrm_policy.c:3171
xfrm_lookup net/xfrm/xfrm_policy.c:3268 [inline]
xfrm_lookup_route+0x3b/0x160 net/xfrm/xfrm_policy.c:3279
ip_route_output_flow+0x20d/0x330 net/ipv4/route.c:2880
ip_route_output_ports include/net/route.h:183 [inline]
igmpv3_newpack+0x3b6/0x1010 net/ipv4/igmp.c:369
add_grhead+0x84/0x320 net/ipv4/igmp.c:440
add_grec+0x12f5/0x1600 net/ipv4/igmp.c:574
igmpv3_send_cr net/ipv4/igmp.c:711 [inline]
igmp_ifc_timer_expire+0x89a/0xf80 net/ipv4/igmp.c:810
call_timer_fn+0x35/0x270 kernel/time/timer.c:1700
expire_timers+0x22a/0x3c0 kernel/time/timer.c:1751
__run_timers+0x598/0x6f0 kernel/time/timer.c:2022
run_timer_softirq+0x69/0xf0 kernel/time/timer.c:2035
__do_softirq+0x1a5/0x5a3 kernel/softirq.c:571
invoke_softirq+0x70/0xd0 kernel/softirq.c:445
__irq_exit_rcu+0x4f/0xb0 kernel/softirq.c:650
irq_exit_rcu+0x9/0x10 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x49/0xc0 arch/x86/kernel/apic/apic.c:1107
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0033:0x7f085b6b7052
Code: 48 89 6b 20 48 89 6b 18 48 89 6b 08 4c 89 6b 10 48 89 6b 28 44 89 e0 48 89 6b 30 48 83 c4 08 5b 5d 41 5c 41 5d c3 66 90 41 57 <49> 89 cf 41 56 49 89 d6 41 55 41 54 55 53 44 89 c3 48 81 ec 48 01
RSP: 002b:00007ffd336a5db0 EFLAGS: 00000246
RAX: 00007ffd336a5de0 RBX: 000000000000007a RCX: 00007ffd336a5dc8
RDX: 000055ba2586c0f9 RSI: 0000000000000020 RDI: 00007ffd336a5ea8
RBP: 00007ffd336a648e R08: 0000000000000000 R09: 0000000000000000
R10: 00007f085b7a2ac0 R11: 00007f085b7a33c0 R12: 000055ba26e2e880
R13: 00007ffd336a5ea8 R14: 00007ffd336a648e R15: 0000000000000001
</TASK>
The buggy address belongs to stack of task udevd/389
and is located at offset 96 in frame:
igmpv3_newpack+0x0/0x1010
This frame has 1 object:
[32, 96) 'fl4'
The buggy address belongs to the virtual mapping at
[ffffc90002e68000, ffffc90002e71000) created by:
dup_task_struct+0x95/0x4a0 kernel/fork.c:987
The buggy address belongs to the physical page:
page:ffffea000484d280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12134a
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 95, tgid 95 (udevd), ts 38467798656, free_ts 32094489781
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1eb/0x1f0 mm/page_alloc.c:2524
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x375/0x3f0 mm/page_alloc.c:4283
__alloc_pages+0x3d1/0x7c0 mm/page_alloc.c:5549
__vmalloc_area_node mm/vmalloc.c:3057 [inline]
__vmalloc_node_range+0x8c7/0x1390 mm/vmalloc.c:3227
alloc_thread_stack_node+0x320/0x540 kernel/fork.c:311
dup_task_struct+0x95/0x4a0 kernel/fork.c:987
copy_process+0x51a/0x3350 kernel/fork.c:2097
kernel_clone+0x22d/0x840 kernel/fork.c:2681
__do_sys_clone kernel/fork.c:2822 [inline]
__se_sys_clone kernel/fork.c:2806 [inline]
__x64_sys_clone+0x276/0x2e0 kernel/fork.c:2806
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1446 [inline]
free_pcp_prepare+0x4c0/0x4d0 mm/page_alloc.c:1519
free_unref_page_prepare mm/page_alloc.c:3369 [inline]
free_unref_page+0x1c/0x420 mm/page_alloc.c:3464
__folio_put_small mm/swap.c:106 [inline]
__folio_put+0x7b/0xa0 mm/swap.c:129
folio_put include/linux/mm.h:1250 [inline]
put_page include/linux/mm.h:1319 [inline]
anon_pipe_buf_release+0x178/0x1e0 fs/pipe.c:138
pipe_buf_release include/linux/pipe_fs_i.h:183 [inline]
pipe_read+0x5c1/0x1060 fs/pipe.c:324
call_read_iter include/linux/fs.h:2180 [inline]
new_sync_read fs/read_write.c:389 [inline]
vfs_read+0x740/0xb00 fs/read_write.c:470
ksys_read+0x198/0x2c0 fs/read_write.c:613
__do_sys_read fs/read_write.c:623 [inline]
__se_sys_read fs/read_write.c:621 [inline]
__x64_sys_read+0x7b/0x90 fs/read_write.c:621
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffffc90002e6f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90002e6f900: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
>ffffc90002e6f980: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffc90002e6fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90002e6fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Tested on:
commit: 69b41ac8 Merge tag 'for-6.2-rc2-tag' of git://git.kern..
git tree: git://
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output:
https://syzkaller.appspot.com/x/log.txt?x=16cb1452480000
kernel config:
https://syzkaller.appspot.com/x/.config?x=fb3b16ad6f6aed37
dashboard link:
https://syzkaller.appspot.com/bug?extid=ada7c035554bcee65580
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.