bisecting fixing commit since 69b94dd6dcd14d9bfcba35a492f5e27c15cf4d0a
building syzkaller on cb93dc6ac64225e09f44bac6c6cce1dae1b248b0
testing commit 69b94dd6dcd14d9bfcba35a492f5e27c15cf4d0a with gcc (GCC) 8.1.0
kernel signature: 402bd65d2a5193a478c117cbb3b5bfaadfd40e57bcad9e69295d82320fd203e2
run #0: crashed: KASAN: slab-out-of-bounds Read in perf_output_read
run #1: crashed: KASAN: slab-out-of-bounds Read in perf_output_read
run #2: crashed: KASAN: slab-out-of-bounds Read in perf_output_read
run #3: crashed: KASAN: slab-out-of-bounds Read in perf_output_read
run #4: crashed: KASAN: use-after-free Read in perf_output_read
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing current HEAD cbfa1702aaf69b2311ea1b35e04f113c48368c67
testing commit cbfa1702aaf69b2311ea1b35e04f113c48368c67 with gcc (GCC) 8.1.0
kernel signature: fe46e1a05928dc9ca4d250558914e18a8c1146a062fd16c1c1491e1bfd5fec96
run #0: crashed: KASAN: use-after-free Read in perf_output_read
run #1: crashed: KASAN: use-after-free Read in perf_output_read
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
revisions tested: 2, total time: 38m33.275864927s (build: 16m39.634701365s, test: 21m16.197139979s)
the crash still happens on HEAD
commit msg: Linux 4.14.198
crash: KASAN: use-after-free Read in perf_output_read
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
==================================================================
BUG: KASAN: use-after-free in perf_output_read_group kernel/events/core.c:5893 [inline]
BUG: KASAN: use-after-free in perf_output_read+0x1197/0x1500 kernel/events/core.c:5928
Read of size 8 at addr ffff8880966c0dc8 by task syz-executor127/26944

CPU: 0 PID: 26944 Comm: syz-executor127 Not tainted 4.14.198-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x14b/0x1f1 lib/dump_stack.c:58
 print_address_description.cold.6+0x9/0x1ca mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.7+0x11a/0x2d4 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 perf_output_read_group kernel/events/core.c:5893 [inline]
 perf_output_read+0x1197/0x1500 kernel/events/core.c:5928
 perf_output_sample+0x128c/0x1930 kernel/events/core.c:5970
 __perf_event_output kernel/events/core.c:6283 [inline]
 perf_event_output_forward+0x103/0x1d0 kernel/events/core.c:6296
 __perf_event_overflow+0x107/0x300 kernel/events/core.c:7541
 perf_swevent_overflow+0x165/0x210 kernel/events/core.c:7617
 perf_swevent_event+0x1f5/0x2f0 kernel/events/core.c:7650
 do_perf_sw_event kernel/events/core.c:7758 [inline]
 ___perf_sw_event+0x26b/0x3f0 kernel/events/core.c:7789
 __perf_sw_event+0x3c/0x60 kernel/events/core.c:7801
 perf_sw_event include/linux/perf_event.h:1046 [inline]
 __do_page_fault+0x648/0xb10 arch/x86/mm/fault.c:1483
 do_page_fault+0x64/0x3fb arch/x86/mm/fault.c:1517
 page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1123
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:181
RSP: 0018:ffff88808f83f928 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000020e62265 RCX: 0000000000000acb
RDX: 0000000000003866 RSI: 0000000020e65000 RDI: ffff8880839f7535
RBP: ffff88808f83f950 R08: 0000000000000000 R09: 00000000000000e1
R10: ffffed101073efff R11: ffff8880839f7fff R12: ffff8880839f479a
R13: ffff8880917780c0 R14: ffff88808f83fdb0 R15: ffff88808f83fd60
 _copy_from_iter_full+0x166/0x760 lib/iov_iter.c:608
 copy_from_iter_full include/linux/uio.h:126 [inline]
 skb_do_copy_data_nocache include/net/sock.h:1889 [inline]
 skb_copy_to_page_nocache include/net/sock.h:1915 [inline]
 tcp_sendmsg_locked+0xa02/0x3be0 net/ipv4/tcp.c:1360
 tcp_sendmsg+0x27/0x40 net/ipv4/tcp.c:1457
 inet_sendmsg+0x108/0x440 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:656
 SYSC_sendto net/socket.c:1763 [inline]
 SyS_sendto+0x1e4/0x2c0 net/socket.c:1731
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x44a199
RSP: 002b:00007fd216249da8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000006e59e8 RCX: 000000000044a199
RDX: ffffffffffffffef RSI: 0000000020d7cfcb RDI: 0000000000000006
RBP: 00000000006e59e0 R08: 0000000000000000 R09: 0000000000000053
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e59ec
R13: 00007fff973be01f R14: 00007fd21624a9c0 R15: 0000000000000064

Allocated by task 7:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:551
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:536
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x50/0x70 mm/slab.c:3696
 __kmalloc_reserve.isra.7+0x2c/0xc0 net/core/skbuff.c:137
 __alloc_skb+0xc1/0x540 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:980 [inline]
 ndisc_alloc_skb+0x13b/0x320 net/ipv6/ndisc.c:402
 ndisc_send_rs+0x2ac/0x5e0 net/ipv6/ndisc.c:661
 addrconf_rs_timer+0x23f/0x590 net/ipv6/addrconf.c:3765
 call_timer_fn+0x142/0x570 kernel/time/timer.c:1280
 expire_timers+0x299/0x440 kernel/time/timer.c:1319
 __run_timers kernel/time/timer.c:1644 [inline]
 run_timer_softirq+0x1cd/0x540 kernel/time/timer.c:1657
 __do_softirq+0x246/0x9b5 kernel/softirq.c:288

Freed by task 7:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xab/0x190 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcc/0x270 mm/slab.c:3815
 skb_free_head+0x74/0x90 net/core/skbuff.c:554
 skb_release_data+0x4e0/0x820 net/core/skbuff.c:574
 skb_release_all+0x3d/0x50 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 kfree_skb+0x8a/0x2b0 net/core/skbuff.c:663
 ip6_mc_input+0x7d7/0xa60 net/ipv6/ip6_input.c:417
 dst_input include/net/dst.h:476 [inline]
 ip6_rcv_finish+0x1f3/0x6d0 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:250 [inline]
 ipv6_rcv+0xeee/0x22a0 net/ipv6/ip6_input.c:218
 __netif_receive_skb_core+0x1d02/0x2f80 net/core/dev.c:4474
 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:4512
 process_backlog+0x1f1/0x6d0 net/core/dev.c:5194
 napi_poll net/core/dev.c:5596 [inline]
 net_rx_action+0x456/0xed0 net/core/dev.c:5662
 __do_softirq+0x246/0x9b5 kernel/softirq.c:288

The buggy address belongs to the object at ffff8880966c0cc0
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 264 bytes inside of
 512-byte region [ffff8880966c0cc0, ffff8880966c0ec0)
The buggy address belongs to the page:
page:ffffea000259b000 count:1 mapcount:0 mapping:ffff8880966c0040 index:0xffff8880966c0040
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880966c0040 ffff8880966c0040 0000000100000004
raw: ffffea00024f16e0 ffffea000290b6e0 ffff8880aa800940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880966c0c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880966c0d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880966c0d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff8880966c0e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880966c0e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
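The two things a triager pulls out of a log like the one above are the per-commit reproduction rate (the same reproducer crashed 5/10 runs on 69b94dd6 and 2/10 on HEAD, under two different KASAN titles) and where the faulting access sits relative to the slab object named in the report. The Python below is an added example, not part of the syzbot log above nor of syzkaller's own tooling: it embeds excerpts of the log lines above as its input, parses the "testing commit" / "run #N" lines and the generic-KASAN report header, and checks whether the 8-byte read lies entirely inside the 512-byte kmalloc-512 object (a read of freed object memory) rather than in a redzone or a neighbouring object. The regular expressions assume the report wording printed by this 4.14 kernel; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Excerpts of the bisection log and KASAN report above, embedded so the parser runs offline.
SAMPLE_LOG = """\
testing commit 69b94dd6dcd14d9bfcba35a492f5e27c15cf4d0a with gcc (GCC) 8.1.0
run #0: crashed: KASAN: slab-out-of-bounds Read in perf_output_read
run #1: crashed: KASAN: slab-out-of-bounds Read in perf_output_read
run #2: crashed: KASAN: slab-out-of-bounds Read in perf_output_read
run #3: crashed: KASAN: slab-out-of-bounds Read in perf_output_read
run #4: crashed: KASAN: use-after-free Read in perf_output_read
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing commit cbfa1702aaf69b2311ea1b35e04f113c48368c67 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in perf_output_read
run #1: crashed: KASAN: use-after-free Read in perf_output_read
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
"""
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in perf_output_read_group kernel/events/core.c:5893 [inline]
BUG: KASAN: use-after-free in perf_output_read+0x1197/0x1500 kernel/events/core.c:5928
Read of size 8 at addr ffff8880966c0dc8 by task syz-executor127/26944
The buggy address belongs to the object at ffff8880966c0cc0
 which belongs to the cache kmalloc-512 of size 512
"""
COMMIT_RE = re.compile(r"^testing commit ([0-9a-f]{40})")
RUN_RE = re.compile(r"^run #\d+: (?:OK|crashed: (.+))$")
BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in (\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+):(\d+)")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
OBJECT_RE = re.compile(r"^The buggy address belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"^which belongs to the cache (\S+) of size (\d+)")

def parse_runs(log: str) -> Dict[str, List[Optional[str]]]:
    """Per-commit run outcomes: the crash title, or None when the run was OK."""
    results: Dict[str, List[Optional[str]]] = {}
    current = None
    for line in log.splitlines():
        if m := COMMIT_RE.match(line):
            current = m.group(1)
            results[current] = []
        elif current is not None and (m := RUN_RE.match(line)):
            results[current].append(m.group(1))
    return results

def crash_rate(outcomes: List[Optional[str]]) -> float:
    """Fraction of reproducer runs that crashed; 0.0 if nothing was recorded."""
    return sum(o is not None for o in outcomes) / len(outcomes) if outcomes else 0.0

def crash_titles(outcomes: List[Optional[str]]) -> Set[str]:
    return {o for o in outcomes if o is not None}   # e.g. the OOB and UAF flavours of one bug

@dataclass
class KasanReport:
    bug_type: str            # "use-after-free", "slab-out-of-bounds", ...
    func: str                # innermost frame on the first "BUG: KASAN:" line
    file: str
    line: int
    access: str              # "Read" or "Write"
    size: int
    addr: int
    task: str
    pid: int
    object_addr: Optional[int] = None
    cache: Optional[str] = None
    cache_size: Optional[int] = None

    @property
    def offset_in_object(self) -> Optional[int]:
        return None if self.object_addr is None else self.addr - self.object_addr

    def access_inside_object(self) -> Optional[bool]:
        """True when [addr, addr+size) lies within the slab object itself (freed object memory)."""
        if self.object_addr is None or self.cache_size is None:
            return None
        return 0 <= self.offset_in_object and self.offset_in_object + self.size <= self.cache_size

def parse_kasan(report: str) -> KasanReport:
    """Pull the triage fields out of a generic-KASAN report header."""
    bug = access = obj = cache = None
    for raw in report.splitlines():
        line = raw.strip()                       # continuation lines are indented
        bug, access = bug or BUG_RE.match(line), access or ACCESS_RE.match(line)
        obj, cache = obj or OBJECT_RE.match(line), cache or CACHE_RE.match(line)
    if bug is None or access is None:
        raise ValueError("not a KASAN report: BUG:/access lines missing")
    return KasanReport(
        bug_type=bug.group(1), func=bug.group(2), file=bug.group(3), line=int(bug.group(4)),
        access=access.group(1), size=int(access.group(2)), addr=int(access.group(3), 16),
        task=access.group(4), pid=int(access.group(5)),
        object_addr=int(obj.group(1), 16) if obj else None,
        cache=cache.group(1) if cache else None,
        cache_size=int(cache.group(2)) if cache else None,
    )
```

For the report above, parse_kasan() yields offset 264 into a 512-byte object and access_inside_object() is True, agreeing with the report's own "located 264 bytes inside of 512-byte region" line; a result of False would point at a redzone or adjacent-object access and usually a different root cause than the title suggests. The crash rate is worth keeping per commit because a reproducer that fires 2 times in 10 can easily look "fixed" on a single run.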