bisecting fixing commit since 670d6552eda8ff0c5f396d3d6f0174237917c66c
building syzkaller on a8529b82fb3bb45832b08a099e7eb51707da9b37
testing commit 670d6552eda8ff0c5f396d3d6f0174237917c66c with gcc (GCC) 8.4.1 20210217
kernel signature: 1000669283bc6122bc52b4af17060c22e6263c667d93ec2aaf139e97c5f70dad
all runs: crashed: KASAN: use-after-free Read in ip_tunnel_xmit
testing current HEAD 7d7d1c0ab3eb7c8d8f63a126535018007823b207
testing commit 7d7d1c0ab3eb7c8d8f63a126535018007823b207 with gcc (GCC) 8.4.1 20210217
kernel signature: 7f9d729e93d1603ef0adc9b7baa3b19fa4a6016d584b9253dd0426404019c559
all runs: crashed: KASAN: use-after-free Read in ip_tunnel_xmit
revisions tested: 2, total time: 25m52.010903193s (build: 18m34.251840035s, test: 6m45.766809358s)
the crash still happens on HEAD
commit msg: Linux 4.14.232
crash: KASAN: use-after-free Read in ip_tunnel_xmit
device veth0_vlan entered promiscuous mode
device veth0_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
==================================================================
IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
BUG: KASAN: use-after-free in ip_tunnel_xmit+0x20c9/0x30c0 net/ipv4/ip_tunnel.c:659
Read of size 4 at addr ffff888099c7f130 by task syz-executor.3/9643

CPU: 1 PID: 9643 Comm: syz-executor.3 Not tainted 4.14.232-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x14b/0x1e7 lib/dump_stack.c:58
 print_address_description.cold.6+0x9/0x1ca mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold.7+0x11a/0x2d3 mm/kasan/report.c:393
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 ip_tunnel_xmit+0x20c9/0x30c0 net/ipv4/ip_tunnel.c:659
IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
 __gre_xmit+0x554/0x8a0 net/ipv4/ip_gre.c:441
IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
 ipgre_xmit+0x367/0x760 net/ipv4/ip_gre.c:670
 __netdev_start_xmit include/linux/netdevice.h:4051 [inline]
 netdev_start_xmit include/linux/netdevice.h:4060 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x15e/0x780 net/core/dev.c:3021
device veth0_macvtap entered promiscuous mode
 __dev_queue_xmit+0x1d8b/0x25b0 net/core/dev.c:3521
 dev_queue_xmit+0xb/0x10 net/core/dev.c:3554
 packet_snd.isra.30+0x9ad/0x2aa0 net/packet/af_packet.c:3024
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
 packet_sendmsg+0x10c9/0x2da0 net/packet/af_packet.c:3049
device veth1_macvtap entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:656
 kernel_sendmsg+0x26/0x30 net/socket.c:664
 sock_no_sendpage+0xf7/0x130 net/core/sock.c:2595
 kernel_sendpage+0x60/0xd0 net/socket.c:3407
 sock_sendpage+0x6d/0xd0 net/socket.c:871
 pipe_to_sendpage+0x206/0x420 fs/splice.c:451
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x2cb/0x720 fs/splice.c:626
 splice_from_pipe+0xb5/0x110 fs/splice.c:661
 generic_splice_sendpage+0x10/0x20 fs/splice.c:832
 do_splice_from fs/splice.c:851 [inline]
 do_splice fs/splice.c:1147 [inline]
 SYSC_splice fs/splice.c:1402 [inline]
 SyS_splice+0x6f1/0x1590 fs/splice.c:1382
IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x466459
RSP: 002b:00007f2775394188 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 000000000056c008 RCX: 0000000000466459
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000004bf9fb R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c008
R13: 00007fffbcaff93f R14: 00007f2775394300 R15: 0000000000022000

Allocated by task 9643:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:551
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:536
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x50/0x70 mm/slab.c:3696
 __kmalloc_reserve.isra.7+0x2c/0xc0 net/core/skbuff.c:137
 __alloc_skb+0xc1/0x540 net/core/skbuff.c:205
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
 skb_segment+0x5f1/0x3190 net/core/skbuff.c:3680
 udp4_ufo_fragment net/ipv4/udp_offload.c:242 [inline]
 udp4_ufo_fragment+0x3f0/0x730 net/ipv4/udp_offload.c:190
 inet_gso_segment+0x431/0x1290 net/ipv4/af_inet.c:1272
 skb_mac_gso_segment+0x218/0x4a0 net/core/dev.c:2745
 __skb_gso_segment+0x2e0/0x620 net/core/dev.c:2818
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
 skb_gso_segment include/linux/netdevice.h:4002 [inline]
 validate_xmit_skb+0x447/0x910 net/core/dev.c:3071
 __dev_queue_xmit+0x578/0x25b0 net/core/dev.c:3513
 dev_queue_xmit+0xb/0x10 net/core/dev.c:3554
 packet_snd.isra.30+0x9ad/0x2aa0 net/packet/af_packet.c:3024
 packet_sendmsg+0x10c9/0x2da0 net/packet/af_packet.c:3049
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:656
 kernel_sendmsg+0x26/0x30 net/socket.c:664
 sock_no_sendpage+0xf7/0x130 net/core/sock.c:2595
 kernel_sendpage+0x60/0xd0 net/socket.c:3407
 sock_sendpage+0x6d/0xd0 net/socket.c:871
 pipe_to_sendpage+0x206/0x420 fs/splice.c:451
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x2cb/0x720 fs/splice.c:626
 splice_from_pipe+0xb5/0x110 fs/splice.c:661
 generic_splice_sendpage+0x10/0x20 fs/splice.c:832
 do_splice_from fs/splice.c:851 [inline]
 do_splice fs/splice.c:1147 [inline]
 SYSC_splice fs/splice.c:1402 [inline]
 SyS_splice+0x6f1/0x1590 fs/splice.c:1382
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 9643:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xab/0x190 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcc/0x270 mm/slab.c:3815
 skb_free_head+0x74/0x90 net/core/skbuff.c:563
 pskb_expand_head+0x55a/0xc60 net/core/skbuff.c:1504
 __pskb_pull_tail+0xb6/0x1e50 net/core/skbuff.c:1907
 pskb_may_pull include/linux/skbuff.h:2180 [inline]
 ip_tunnel_xmit+0x1287/0x30c0 net/ipv4/ip_tunnel.c:651
 __gre_xmit+0x554/0x8a0 net/ipv4/ip_gre.c:441
 ipgre_xmit+0x367/0x760 net/ipv4/ip_gre.c:670
 __netdev_start_xmit include/linux/netdevice.h:4051 [inline]
 netdev_start_xmit include/linux/netdevice.h:4060 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x15e/0x780 net/core/dev.c:3021
 __dev_queue_xmit+0x1d8b/0x25b0 net/core/dev.c:3521
 dev_queue_xmit+0xb/0x10 net/core/dev.c:3554
 packet_snd.isra.30+0x9ad/0x2aa0 net/packet/af_packet.c:3024
 packet_sendmsg+0x10c9/0x2da0 net/packet/af_packet.c:3049
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:656
 kernel_sendmsg+0x26/0x30 net/socket.c:664
 sock_no_sendpage+0xf7/0x130 net/core/sock.c:2595
 kernel_sendpage+0x60/0xd0 net/socket.c:3407
 sock_sendpage+0x6d/0xd0 net/socket.c:871
 pipe_to_sendpage+0x206/0x420 fs/splice.c:451
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x2cb/0x720 fs/splice.c:626
 splice_from_pipe+0xb5/0x110 fs/splice.c:661
 generic_splice_sendpage+0x10/0x20 fs/splice.c:832
 do_splice_from fs/splice.c:851 [inline]
 do_splice fs/splice.c:1147 [inline]
 SYSC_splice fs/splice.c:1402 [inline]
 SyS_splice+0x6f1/0x1590 fs/splice.c:1382
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff888099c7f080
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 176 bytes inside of
 512-byte region [ffff888099c7f080, ffff888099c7f280)
The buggy address belongs to the page:
page:ffffea0002671fc0 count:1 mapcount:0 mapping:ffff888099c7f080 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff888099c7f080 0000000000000000 0000000100000006
raw: ffffea00026f0320 ffffea00026acf20 ffff88813fe60940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888099c7f000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
batman_adv: batadv0: Interface activated: batadv_slave_0
 ffff888099c7f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888099c7f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888099c7f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099c7f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!