bisecting fixing commit since 3ffe1e79c174b2093f7ee3df589a7705572c9620
building syzkaller on aff9e255cd708709adef545d1f932020ee5c0978
testing commit 3ffe1e79c174b2093f7ee3df589a7705572c9620 with gcc (GCC) 8.1.0
kernel signature: 161648ae146b12ea98976f2cba592d0d0ea89751
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
testing current HEAD fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
testing commit fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f with gcc (GCC) 8.1.0
kernel signature: fd9e544c7a253af695dc08cdf4f1214c21cf58ab
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #3: crashed: KASAN: use-after-free Read in bpf_skb_change_proto
run #4: crashed: KASAN: use-after-free Read in bpf_skb_change_proto
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
revisions tested: 2, total time: 23m2.679306319s (build: 15m27.280060375s, test: 6m24.847510896s)
the crash still happens on HEAD
commit msg: Linux 4.14.157
crash: KASAN: slab-out-of-bounds Read in bpf_skb_change_proto
8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
==================================================================
8021q: adding VLAN 0 to HW filter on device bond0
BUG: KASAN: slab-out-of-bounds in bpf_skb_proto_xlat net/core/filter.c:2151 [inline]
BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_proto net/core/filter.c:2189 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xd0c/0x1070 net/core/filter.c:2164
Read of size 2 at addr ffff888091dbf480 by task syz-executor.1/6846
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready

CPU: 1 PID: 6846 Comm: syz-executor.1 Not tainted 4.14.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xf7/0x13b lib/dump_stack.c:58
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
 print_address_description.cold.7+0x9/0x1c9 mm/kasan/report.c:252
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.8+0x11a/0x2d3 mm/kasan/report.c:409
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
 bpf_skb_proto_xlat net/core/filter.c:2151 [inline]
 ____bpf_skb_change_proto net/core/filter.c:2189 [inline]
 bpf_skb_change_proto+0xd0c/0x1070 net/core/filter.c:2164
 bpf_prog_0a61b7f223ef83f3+0xcfe/0x1000
8021q: adding VLAN 0 to HW filter on device team0
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888091dbf480
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 0 bytes inside of
 232-byte region [ffff888091dbf480, ffff888091dbf568)
IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
The buggy address belongs to the page:
page:ffffea0002476fc0 count:1 mapcount:0 mapping:ffff888091dbf0c0 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff888091dbf0c0 0000000000000000 000000010000000c
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
raw: ffffea0002a7cf20 ffffea0002a7baa0 ffff8880a9e19a80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888091dbf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888091dbf400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888091dbf480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888091dbf500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888091dbf580: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================