ci starts bisection 2022-11-26 21:43:34.128325412 +0000 UTC m=+147620.244908679
bisecting fixing commit since 98555239e4c3aab1810d84073166eef6d54eeb3d
building syzkaller on 86777b7fb4a452ebbd7430a2c4add0486734922b
ensuring issue is reproducible on original commit 98555239e4c3aab1810d84073166eef6d54eeb3d
testing commit 98555239e4c3aab1810d84073166eef6d54eeb3d gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f0aa5d01b08ee2b5ada2acf4bc4544b319132160b767ed7e985e610305365f8e
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #2: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #3: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #4: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #5: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #6: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #7: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #8: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #9: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #10: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #11: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #12: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #13: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #14: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #15: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #16: crashed: SYZFATAL: executor failed NUM times: executor NUM: exit status NUM
run #17: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #18: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #19: crashed: KASAN: use-after-free Read in __skb_flow_dissect
testing current HEAD 644e9524388a5dbc6d4f58c492ee9ef7bd4ddf4d
testing commit 644e9524388a5dbc6d4f58c492ee9ef7bd4ddf4d gcc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 52eeb3626ad44a1cf98b4e5ffc77d6556efa5aa39c84b5231a4a00ec031696a9
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #2: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #3: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #4: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #5: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #6: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #7: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #8: crashed: KASAN: use-after-free Read in __skb_flow_dissect
run #9: crashed: KASAN: use-after-free Read in __skb_flow_dissect
revisions tested: 2, total time: 25m23.653534392s (build: 16m17.484473975s, test: 7m16.066524089s)
the crash still happens on HEAD
commit msg: Merge tag 'for-v6.1-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply
crash: KASAN: use-after-free Read in __skb_flow_dissect
==================================================================
BUG: KASAN: use-after-free in __skb_flow_dissect+0x5c0d/0x88e0 net/core/flow_dissector.c:1090
Read of size 1 at addr ffff88816cc2000e by task syz-executor.0/4190

CPU: 1 PID: 4190 Comm: syz-executor.0 Not tainted 6.1.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x163/0x213 lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:284
 print_report+0x107/0x220 mm/kasan/report.c:395
 kasan_report+0x139/0x170 mm/kasan/report.c:495
 __skb_flow_dissect+0x5c0d/0x88e0 net/core/flow_dissector.c:1090
 skb_flow_dissect_flow_keys include/linux/skbuff.h:1495 [inline]
 ___skb_get_hash+0x50/0x740 net/core/flow_dissector.c:1698
 __skb_get_hash+0xaa/0x300 net/core/flow_dissector.c:1764
 skb_get_hash include/linux/skbuff.h:1537 [inline]
 ip_tunnel_xmit+0x8f4/0x2910 net/ipv4/ip_tunnel.c:733
 ipip_tunnel_xmit+0x278/0x420 net/ipv4/ipip.c:307
 __netdev_start_xmit include/linux/netdevice.h:4840 [inline]
 netdev_start_xmit include/linux/netdevice.h:4854 [inline]
 xmit_one net/core/dev.c:3590 [inline]
 dev_hard_start_xmit+0x1a8/0x350 net/core/dev.c:3606
 __dev_queue_xmit+0x14be/0x3000 net/core/dev.c:4256
 neigh_output include/net/neighbour.h:546 [inline]
 ip_finish_output2+0x94d/0xd60 net/ipv4/ip_output.c:228
 iptunnel_xmit+0x47e/0x7d0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1d51/0x2910 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x668/0x9d0 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4840 [inline]
 netdev_start_xmit include/linux/netdevice.h:4854 [inline]
 xmit_one net/core/dev.c:3590 [inline]
 dev_hard_start_xmit+0x1a8/0x350 net/core/dev.c:3606
 __dev_queue_xmit+0x14be/0x3000 net/core/dev.c:4256
 dev_queue_xmit include/linux/netdevice.h:3008 [inline]
 __bpf_tx_skb net/core/filter.c:2116 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2141 [inline]
 __bpf_redirect+0x5c3/0xd80 net/core/filter.c:2164
 ____bpf_clone_redirect net/core/filter.c:2431 [inline]
 bpf_clone_redirect+0x22f/0x310 net/core/filter.c:2403
 bpf_prog_801cabf80fc815cd+0x59/0x5e
 bpf_dispatcher_nop_func include/linux/bpf.h:968 [inline]
 __bpf_prog_run include/linux/filter.h:600 [inline]
 bpf_prog_run include/linux/filter.h:607 [inline]
 bpf_test_run+0x4a6/0x880 net/bpf/test_run.c:402
 bpf_prog_test_run_skb+0x99b/0x1470 net/bpf/test_run.c:1183
 bpf_prog_test_run+0x24c/0x2c0 kernel/bpf/syscall.c:3630
 __sys_bpf+0x29d/0x490 kernel/bpf/syscall.c:4983
 __do_sys_bpf kernel/bpf/syscall.c:5069 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5067 [inline]
 __x64_sys_bpf+0x73/0x80 kernel/bpf/syscall.c:5067
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f967b48b5a9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f967c224168 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f967b5abf80 RCX: 00007f967b48b5a9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f967b4e67b0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdaf0cd03f R14: 00007f967c224300 R15: 0000000000022000

The buggy address belongs to the physical page:
page:ffffea0005b30800 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16cc20
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000000 ffffea0005b30808 ffffea0005b30808 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff88816cc1ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88816cc1ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88816cc20000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff88816cc20080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88816cc20100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================