Extracting prog: 57.129599779s
Minimizing prog: 10m23.932646897s
Simplifying prog options: 3m29.869160717s
Extracting C: 27.393248453s
Simplifying C: 7m52.761632317s


extracting reproducer from 50 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): poll-bpf$PROG_LOAD-socket$nl_xfrm-sendmsg$nl_xfrm-syz_usb_connect-syz_usb_control_io$hid-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
poll(0x0, 0x0, 0x7)
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x9, 0x4, &(0x7f0000000400)=ANY=[@ANYBLOB="9400000000000000711142000000000040000000000000009500000000000000"], &(0x7f0000000080)='GPL\x00', 0x4, 0x3e0, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_sock, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0x76}, 0x21)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="120100009e173610ef171e7206de0102030109021200010000000009040000000206"], 0x0)
syz_usb_control_io$hid(r1, 0x0, &(0x7f0000000040)={0x2c, &(0x7f0000000080)={0x40, 0x15, 0x4, "59d11c5f"}, 0x0, 0x0, 0x0, 0x0})
r2 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(r2, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
single: successfully extracted reproducer
found reproducer with 9 syscalls
minimizing guilty program
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): poll-bpf$PROG_LOAD-socket$nl_xfrm-sendmsg$nl_xfrm-syz_usb_connect-syz_usb_control_io$hid-socket-sendmsg$nl_route
detailed listing:
executing program 0:
poll(0x0, 0x0, 0x7)
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x9, 0x4, &(0x7f0000000400)=ANY=[@ANYBLOB="9400000000000000711142000000000040000000000000009500000000000000"], &(0x7f0000000080)='GPL\x00', 0x4, 0x3e0, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_sock, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0x76}, 0x21)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="120100009e173610ef171e7206de0102030109021200010000000009040000000206"], 0x0)
syz_usb_control_io$hid(r1, 0x0, &(0x7f0000000040)={0x2c, &(0x7f0000000080)={0x40, 0x15, 0x4, "59d11c5f"}, 0x0, 0x0, 0x0, 0x0})
socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)

program did not crash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): poll-bpf$PROG_LOAD-socket$nl_xfrm-sendmsg$nl_xfrm-syz_usb_connect-syz_usb_control_io$hid-socket-sendmmsg
detailed listing:
executing program 0:
poll(0x0, 0x0, 0x7)
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x9, 0x4, &(0x7f0000000400)=ANY=[@ANYBLOB="9400000000000000711142000000000040000000000000009500000000000000"], &(0x7f0000000080)='GPL\x00', 0x4, 0x3e0, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_sock, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0x76}, 0x21)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="120100009e173610ef171e7206de0102030109021200010000000009040000000206"], 0x0)
syz_usb_control_io$hid(r1, 0x0, &(0x7f0000000040)={0x2c, &(0x7f0000000080)={0x40, 0x15, 0x4, "59d11c5f"}, 0x0, 0x0, 0x0, 0x0})
r2 = socket(0x10, 0x3, 0x0)
sendmmsg(r2, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program did not crash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): poll-bpf$PROG_LOAD-socket$nl_xfrm-sendmsg$nl_xfrm-syz_usb_connect-syz_usb_control_io$hid-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
poll(0x0, 0x0, 0x7)
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x9, 0x4, &(0x7f0000000400)=ANY=[@ANYBLOB="9400000000000000711142000000000040000000000000009500000000000000"], &(0x7f0000000080)='GPL\x00', 0x4, 0x3e0, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_sock, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0x76}, 0x21)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="120100009e173610ef171e7206de0102030109021200010000000009040000000206"], 0x0)
syz_usb_control_io$hid(r1, 0x0, &(0x7f0000000040)={0x2c, &(0x7f0000000080)={0x40, 0x15, 0x4, "59d11c5f"}, 0x0, 0x0, 0x0, 0x0})
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(0xffffffffffffffff, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program did not crash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): poll-bpf$PROG_LOAD-socket$nl_xfrm-sendmsg$nl_xfrm-syz_usb_connect-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
poll(0x0, 0x0, 0x7)
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x9, 0x4, &(0x7f0000000400)=ANY=[@ANYBLOB="9400000000000000711142000000000040000000000000009500000000000000"], &(0x7f0000000080)='GPL\x00', 0x4, 0x3e0, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_sock, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0x76}, 0x21)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
syz_usb_connect(0x0, 0x24, &(0x7f0000000000)=ANY=[@ANYBLOB="120100009e173610ef171e7206de0102030109021200010000000009040000000206"], 0x0)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): poll-bpf$PROG_LOAD-socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
poll(0x0, 0x0, 0x7)
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x9, 0x4, &(0x7f0000000400)=ANY=[@ANYBLOB="9400000000000000711142000000000040000000000000009500000000000000"], &(0x7f0000000080)='GPL\x00', 0x4, 0x3e0, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_sock, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0x76}, 0x21)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): poll-bpf$PROG_LOAD-socket$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
poll(0x0, 0x0, 0x7)
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x9, 0x4, &(0x7f0000000400)=ANY=[@ANYBLOB="9400000000000000711142000000000040000000000000009500000000000000"], &(0x7f0000000080)='GPL\x00', 0x4, 0x3e0, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_sock, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0x76}, 0x21)
socket$nl_xfrm(0x10, 0x3, 0x6)
r0 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(r0, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program did not crash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): poll-bpf$PROG_LOAD-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
poll(0x0, 0x0, 0x7)
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x9, 0x4, &(0x7f0000000400)=ANY=[@ANYBLOB="9400000000000000711142000000000040000000000000009500000000000000"], &(0x7f0000000080)='GPL\x00', 0x4, 0x3e0, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @cgroup_sock, 0xffffffffffffffff, 0x8, &(0x7f0000000000), 0x0, 0x10, &(0x7f0000000000), 0x76}, 0x21)
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r0 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(r0, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program did not crash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): poll-socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
poll(0x0, 0x0, 0x7)
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, 0x0, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program did not crash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program did not crash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={0x0}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program did not crash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0xb8, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}}, 0xb8}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000001080)={&(0x7f0000000540)=ANY=[@ANYBLOB="4800000010000305000000000000000000cf0000", @ANYRES32=0x0, @ANYBLOB="03000000000000002000128008000100677265001400028008000600ac14142e08000700e0"], 0x48}, 0x1, 0x0, 0x0, 0x24040000}, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program did not crash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x2000800)
sendmmsg(r1, 0x0, 0x0, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=33.432919824s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program did not crash
simplifying guilty program options
testing program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
extracting C reproducer
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program did not crash
testing program (duration=33.432919824s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program did not crash
testing program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
extracting C reproducer
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
simplifying C reproducer
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program did not crash
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program did not crash
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program did not crash
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:true UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing compiled C program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
testing program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
validation run: crashed=true
testing program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
validation run: crashed=true
testing program (duration=33.432919824s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:false NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$nl_xfrm-sendmsg$nl_xfrm-socket-sendmsg$nl_route-sendmmsg
detailed listing:
executing program 0:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@updpolicy={0x250, 0x19, 0x1, 0x0, 0x0, {{@in, @in6=@remote, 0x0, 0x0, 0x0, 0x0, 0x2}, {0x0, 0x7, 0x0, 0x0, 0x0, 0x2}, {0x0, 0xd290, 0x9d8}, 0x0, 0x0, 0x1}, [@tmpl={0x44, 0x5, [{{@in6=@initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x2, 0x32}, 0x2, @in6=@private1={0xfc, 0x1, '\x00', 0x4}, 0x3501, 0x4, 0x0, 0x0, 0xfffffff7}]}, @tmpl={0x104, 0x5, [{{@in=@remote, 0x4d4, 0x6c}, 0xa, @in=@remote, 0x0, 0x1, 0x1, 0x53, 0x0, 0x4, 0xf}, {{@in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x4d2, 0x33}, 0xa, @in=@loopback, 0x3504, 0x0, 0x1, 0x93, 0xfffffffa, 0x9, 0x471}, {{@in6=@private2, 0x4d3, 0x6c}, 0xa, @in6=@mcast2, 0x3504, 0x2, 0x2, 0x4, 0x1, 0x5, 0x7}, {{@in=@dev={0xac, 0x14, 0x14, 0x1e}, 0x4d2, 0x6c}, 0x2, @in6=@ipv4={'\x00', '\xff\xff', @broadcast}, 0x0, 0x1, 0x2, 0x7e, 0x3, 0x1, 0x84ef}]}, @migrate={0x50, 0x11, [{@in=@multicast2, @in=@dev={0xac, 0x14, 0x14, 0x41}, @in=@multicast2, @in6=@private2, 0x6c, 0x0, 0x0, 0x3503, 0xa, 0xa}]}]}, 0x250}, 0x1, 0x0, 0x0, 0x4000000}, 0x4008000)
r1 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route(0xffffffffffffffff, 0x0, 0x2000800)
sendmmsg(r1, &(0x7f0000000000), 0x4000000000001f2, 0x0)

program crashed: KASAN: stack-out-of-bounds Read in __xfrm_dst_hash
validation run: crashed=true
reproducing took 25m34.710540692s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash+0x399/0x480 net/xfrm/xfrm_hash.h:95
Read of size 4 at addr ffffc90000170b18 by task kworker/u4:0/7

CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: netns cleanup_net
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 jhash2 include/linux/jhash.h:138 [inline]
 __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
 __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
 __xfrm_dst_hash+0x399/0x480 net/xfrm/xfrm_hash.h:95
 xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
 xfrm_state_find+0x28c/0x28b0 net/xfrm/xfrm_state.c:1068
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2398 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2443 [inline]
 xfrm_resolve_and_create_bundle+0x697/0x29f0 net/xfrm/xfrm_policy.c:2736
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2971 [inline]
 xfrm_lookup_with_ifid+0x7ea/0x1a80 net/xfrm/xfrm_policy.c:3102
 xfrm_lookup net/xfrm/xfrm_policy.c:3194 [inline]
 xfrm_lookup_route+0x3c/0x170 net/xfrm/xfrm_policy.c:3205
 ip_route_output_flow+0x1f8/0x2f0 net/ipv4/route.c:2808
 ip_route_output_ports include/net/route.h:169 [inline]
 igmpv3_newpack+0x281/0xc80 net/ipv4/igmp.c:372
 add_grhead+0x75/0x2e0 net/ipv4/igmp.c:443
 add_grec+0x116b/0x1410 net/ipv4/igmp.c:577
 igmpv3_send_cr net/ipv4/igmp.c:714 [inline]
 igmp_ifc_timer_expire+0x89e/0xf80 net/ipv4/igmp.c:813
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 do_softirq+0xb0/0xf0 kernel/softirq.c:358
 __local_bh_enable_ip+0x70/0x80 kernel/softirq.c:194
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:176 [inline]
 _raw_spin_unlock_bh+0x51/0x60 kernel/locking/spinlock.c:207
 spin_unlock_bh include/linux/spinlock.h:400 [inline]
 netif_addr_unlock_bh include/linux/netdevice.h:4465 [inline]
 dev_uc_del+0x2d3/0x340 net/core/dev_addr_lists.c:615
 macsec_dev_stop+0x482/0x540 drivers/net/macsec.c:3589
 __dev_close_many+0x288/0x360 net/core/dev.c:1626
 dev_close_many+0x221/0x4d0 net/core/dev.c:1651
 unregister_netdevice_many+0x45e/0x1a80 net/core/dev.c:10757
 default_device_exit_batch+0x35e/0x3c0 net/core/dev.c:11300
 ops_exit_list net/core/net_namespace.c:190 [inline]
 cleanup_net+0x603/0xb80 net/core/net_namespace.c:609
 process_one_work+0x6e1/0xba0 kernel/workqueue.c:2301
 worker_thread+0xa6a/0x13c0 kernel/workqueue.c:2447
 kthread+0x346/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298


Memory state around the buggy address:
 ffffc90000170a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000170a80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
>ffffc90000170b00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
                            ^
 ffffc90000170b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000170c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:138 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash+0x399/0x480 net/xfrm/xfrm_hash.h:95
Read of size 4 at addr ffffc90000170b18 by task kworker/u4:0/7

CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: netns cleanup_net
Call Trace:
 <IRQ>
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x1a7/0x208 lib/dump_stack.c:118
 print_address_description+0x7f/0x2c0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0xe2/0x130 mm/kasan/report.c:452
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 jhash2 include/linux/jhash.h:138 [inline]
 __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
 __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
 __xfrm_dst_hash+0x399/0x480 net/xfrm/xfrm_hash.h:95
 xfrm_dst_hash net/xfrm/xfrm_state.c:63 [inline]
 xfrm_state_find+0x28c/0x28b0 net/xfrm/xfrm_state.c:1068
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2398 [inline]
 xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:2443 [inline]
 xfrm_resolve_and_create_bundle+0x697/0x29f0 net/xfrm/xfrm_policy.c:2736
 xfrm_bundle_lookup net/xfrm/xfrm_policy.c:2971 [inline]
 xfrm_lookup_with_ifid+0x7ea/0x1a80 net/xfrm/xfrm_policy.c:3102
 xfrm_lookup net/xfrm/xfrm_policy.c:3194 [inline]
 xfrm_lookup_route+0x3c/0x170 net/xfrm/xfrm_policy.c:3205
 ip_route_output_flow+0x1f8/0x2f0 net/ipv4/route.c:2808
 ip_route_output_ports include/net/route.h:169 [inline]
 igmpv3_newpack+0x281/0xc80 net/ipv4/igmp.c:372
 add_grhead+0x75/0x2e0 net/ipv4/igmp.c:443
 add_grec+0x116b/0x1410 net/ipv4/igmp.c:577
 igmpv3_send_cr net/ipv4/igmp.c:714 [inline]
 igmp_ifc_timer_expire+0x89e/0xf80 net/ipv4/igmp.c:813
 call_timer_fn+0x38/0x290 kernel/time/timer.c:1450
 expire_timers kernel/time/timer.c:1495 [inline]
 __run_timers+0x650/0x9e0 kernel/time/timer.c:1789
 run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1802
 __do_softirq+0x255/0x563 kernel/softirq.c:309
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x60/0x80 arch/x86/kernel/irq_64.c:77
 do_softirq+0xb0/0xf0 kernel/softirq.c:358
 __local_bh_enable_ip+0x70/0x80 kernel/softirq.c:194
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:176 [inline]
 _raw_spin_unlock_bh+0x51/0x60 kernel/locking/spinlock.c:207
 spin_unlock_bh include/linux/spinlock.h:400 [inline]
 netif_addr_unlock_bh include/linux/netdevice.h:4465 [inline]
 dev_uc_del+0x2d3/0x340 net/core/dev_addr_lists.c:615
 macsec_dev_stop+0x482/0x540 drivers/net/macsec.c:3589
 __dev_close_many+0x288/0x360 net/core/dev.c:1626
 dev_close_many+0x221/0x4d0 net/core/dev.c:1651
 unregister_netdevice_many+0x45e/0x1a80 net/core/dev.c:10757
 default_device_exit_batch+0x35e/0x3c0 net/core/dev.c:11300
 ops_exit_list net/core/net_namespace.c:190 [inline]
 cleanup_net+0x603/0xb80 net/core/net_namespace.c:609
 process_one_work+0x6e1/0xba0 kernel/workqueue.c:2301
 worker_thread+0xa6a/0x13c0 kernel/workqueue.c:2447
 kthread+0x346/0x3d0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298


Memory state around the buggy address:
 ffffc90000170a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000170a80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
>ffffc90000170b00: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
                            ^
 ffffc90000170b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000170c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================