bisecting fixing commit since b850307b279cbd12ab8c654d1a3dfe55319cc475
building syzkaller on 9ebcc5b1a8145326065b932958d82ada85a5c224
testing commit b850307b279cbd12ab8c654d1a3dfe55319cc475 with gcc (GCC) 8.1.0
kernel signature: 2d3666b4e7e694ea7cbaf3bdfb483be15508f9b1ab6f9f783aac2ee8c1b2f210
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: use-after-free Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: slab-out-of-bounds Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: slab-out-of-bounds Read in get_block
run #8: crashed: KASAN: slab-out-of-bounds Read in get_block
run #9: crashed: KASAN: slab-out-of-bounds Read in get_block
testing current HEAD 14b58326976de6ef3998eefec1dd7f8b38b97a75
testing commit 14b58326976de6ef3998eefec1dd7f8b38b97a75 with gcc (GCC) 8.1.0
kernel signature: 41fc73f39c205cc97bba4d6493fcc48a525aba40bf8d608b7e96a4a23e0c87cc
run #0: crashed: KASAN: use-after-free Read in get_block
run #1: crashed: KASAN: slab-out-of-bounds Read in get_block
run #2: crashed: KASAN: use-after-free Read in get_block
run #3: crashed: KASAN: slab-out-of-bounds Read in get_block
run #4: crashed: KASAN: use-after-free Read in get_block
run #5: crashed: KASAN: use-after-free Read in get_block
run #6: crashed: KASAN: use-after-free Read in get_block
run #7: crashed: KASAN: use-after-free Read in get_block
run #8: crashed: KASAN: use-after-free Read in get_block
run #9: crashed: KASAN: use-after-free Read in get_block
revisions tested: 2, total time: 25m11.424797138s (build: 17m53.993317645s, test: 6m11.308494542s)
the crash still happens on HEAD
commit msg: Linux 4.14.193
crash: KASAN: use-after-free Read in get_block
Process accounting resumed
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
==================================================================
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
BUG: KASAN: use-after-free in add_chain fs/minix/itree_common.c:14 [inline]
BUG: KASAN: use-after-free in get_branch fs/minix/itree_common.c:52 [inline]
BUG: KASAN: use-after-free in get_block+0xd96/0x1040 fs/minix/itree_common.c:160
Read of size 2 at addr ffff8880a158818a by task syz-executor.1/7791

CPU: 1 PID: 7791 Comm: syz-executor.1 Not tainted 4.14.193-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x14b/0x1f1 lib/dump_stack.c:58
 print_address_description.cold.6+0x9/0x1ca mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.7+0x11a/0x2d4 mm/kasan/report.c:409
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
 add_chain fs/minix/itree_common.c:14 [inline]
 get_branch fs/minix/itree_common.c:52 [inline]
 get_block+0xd96/0x1040 fs/minix/itree_common.c:160
 V1_minix_get_block+0x9/0x10 fs/minix/itree_v1.c:56
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
 minix_get_block+0xa7/0x110 fs/minix/inode.c:379
 __block_write_begin_int+0x327/0x1640 fs/buffer.c:2038
device veth0_macvtap entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
 __block_write_begin fs/buffer.c:2088 [inline]
 block_write_begin+0x48/0x240 fs/buffer.c:2147
device veth1_macvtap entered promiscuous mode
 minix_write_begin+0x2f/0xc0 fs/minix/inode.c:415
 generic_perform_write+0x227/0x450 mm/filemap.c:3047
IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
 __generic_file_write_iter+0x201/0x580 mm/filemap.c:3172
IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
 generic_file_write_iter+0x302/0x660 mm/filemap.c:3200
 call_write_iter include/linux/fs.h:1778 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x413/0x840 fs/read_write.c:482
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
 __kernel_write+0xe4/0x360 fs/read_write.c:501
 do_acct_process+0xa4a/0xe80 kernel/acct.c:520
 acct_pin_kill+0x27/0xe0 kernel/acct.c:174
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
 pin_kill+0x134/0x600 fs/fs_pin.c:50
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
 acct_on kernel/acct.c:254 [inline]
 SYSC_acct kernel/acct.c:286 [inline]
 SyS_acct+0x519/0x7b0 kernel/acct.c:273
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
RIP: 0033:0x45cba9
RSP: 002b:00007f5eb2dc0c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a3
RAX: ffffffffffffffda RBX: 00000000004da400 RCX: 000000000045cba9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000480
RBP: 000000000078bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000001c R14: 00000000004c2f71 R15: 00007f5eb2dc16d4

Allocated by task 3:
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:551
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:536
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x50/0x70 mm/slab.c:3696
 __kmalloc_reserve.isra.7+0x2c/0xc0 net/core/skbuff.c:137
 __alloc_skb+0xc1/0x540 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:980 [inline]
 nlmsg_new include/net/netlink.h:511 [inline]
 rtmsg_ifinfo_build_skb+0x68/0x120 net/core/rtnetlink.c:2909
 rtmsg_ifinfo_event.part.12+0x16/0xb0 net/core/rtnetlink.c:2943
 rtmsg_ifinfo_event net/core/rtnetlink.c:2952 [inline]
 rtmsg_ifinfo+0x4a/0x70 net/core/rtnetlink.c:2951
 netdev_state_change+0xc9/0xe0 net/core/dev.c:1316
 linkwatch_do_dev+0x72/0xc0 net/core/link_watch.c:164
 __linkwatch_run_queue+0x23f/0x450 net/core/link_watch.c:202
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
 linkwatch_event+0x3e/0x50 net/core/link_watch.c:237
 process_one_work+0x74f/0x1620 kernel/workqueue.c:2116
 worker_thread+0xcc/0xed0 kernel/workqueue.c:2250
 kthread+0x338/0x400 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 3:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xab/0x190 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcc/0x270 mm/slab.c:3815
 skb_free_head+0x74/0x90 net/core/skbuff.c:554
 pskb_expand_head+0x55a/0xc60 net/core/skbuff.c:1495
batman_adv: batadv0: Interface activated: batadv_slave_0
 netlink_trim+0x18f/0x200 net/netlink/af_netlink.c:1269
 netlink_broadcast_filtered+0x57/0x8e0 net/netlink/af_netlink.c:1466
 netlink_broadcast+0xe/0x10 net/netlink/af_netlink.c:1511
 nlmsg_multicast include/net/netlink.h:591 [inline]
 nlmsg_notify+0x6e/0x110 net/netlink/af_netlink.c:2476
 rtnl_notify net/core/rtnetlink.c:653 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:2931 [inline]
 rtmsg_ifinfo_event.part.12+0x7a/0xb0 net/core/rtnetlink.c:2945
 rtmsg_ifinfo_event net/core/rtnetlink.c:2952 [inline]
 rtmsg_ifinfo+0x4a/0x70 net/core/rtnetlink.c:2951
 netdev_state_change+0xc9/0xe0 net/core/dev.c:1316
 linkwatch_do_dev+0x72/0xc0 net/core/link_watch.c:164
 __linkwatch_run_queue+0x23f/0x450 net/core/link_watch.c:202
 linkwatch_event+0x3e/0x50 net/core/link_watch.c:237
 process_one_work+0x74f/0x1620 kernel/workqueue.c:2116
 worker_thread+0xcc/0xed0 kernel/workqueue.c:2250
 kthread+0x338/0x400 kernel/kthread.c:232
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff8880a1588ec0
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 3382 bytes to the left of
 4096-byte region [ffff8880a1588ec0, ffff8880a1589ec0)
The buggy address belongs to the page:
page:ffffea0002856200 count:1 mapcount:0 mapping:ffff8880a1588ec0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff8880a1588ec0 0000000000000000 0000000100000001
raw: ffffea000283d0a0 ffffea00028371a0 ffff8880aa800dc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a1588080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
 ffff8880a1588100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a1588180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff8880a1588200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a1588280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================