bisecting fixing commit since ddef1e8e3f6eb26034833b7255e3fa584d54a230
building syzkaller on b35fad31e9c2d4a970d051deff80ec7cc4c3e459
testing commit ddef1e8e3f6eb26034833b7255e3fa584d54a230 with gcc (GCC) 8.1.0
kernel signature: faedbe84eaccf7a1aa046d9506520b28d613fa2c7ec3b38c5baaf886cd9cb7e2
run #0: crashed: KASAN: use-after-free Read in tls_write_space
run #1: crashed: KASAN: use-after-free Read in tls_write_space
run #2: crashed: KASAN: use-after-free Read in tls_write_space
run #3: crashed: KASAN: use-after-free Read in tls_write_space
run #4: crashed: KASAN: use-after-free Read in tls_write_space
run #5: crashed: KASAN: use-after-free Read in tls_write_space
run #6: crashed: KASAN: use-after-free Read in tls_write_space
run #7: OK
run #8: OK
run #9: OK
testing current HEAD f79dc86058bc0c8317eea2a0f968382c6ffb0cfb
testing commit f79dc86058bc0c8317eea2a0f968382c6ffb0cfb with gcc (GCC) 8.1.0
kernel signature: 0d7ca95832d6f6f107a05c0d2b1d76f838c53b4f42baa6d8bb29f9205ee9a849
run #0: crashed: KASAN: use-after-free Read in tls_write_space
run #1: crashed: KASAN: use-after-free Read in tls_write_space
run #2: crashed: KASAN: use-after-free Read in tls_write_space
run #3: crashed: KASAN: use-after-free Read in tls_write_space
run #4: crashed: KASAN: use-after-free Read in tls_write_space
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
revisions tested: 2, total time: 39m19.175567264s (build: 16m22.542050331s, test: 22m2.014356623s)
the crash still happens on HEAD
commit msg: Linux 4.14.215
crash: KASAN: use-after-free Read in tls_write_space
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
==================================================================
BUG: KASAN: use-after-free in tls_write_space+0x232/0x290 net/tls/tls_main.c:222
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
Read of size 1 at addr ffff8881e7e5ff70 by task syz-executor631/32637

CPU: 1 PID: 32637 Comm: syz-executor631 Not tainted 4.14.215-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xf7/0x13b lib/dump_stack.c:58
 print_address_description.cold.7+0x9/0x1c9 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.8+0x11a/0x2d3 mm/kasan/report.c:409
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
 tls_write_space+0x232/0x290 net/tls/tls_main.c:222
 tcp_new_space net/ipv4/tcp_input.c:5112 [inline]
 tcp_check_space+0x375/0x610 net/ipv4/tcp_input.c:5123
 tcp_data_snd_check net/ipv4/tcp_input.c:5133 [inline]
 tcp_rcv_established+0x5e9/0x1c10 net/ipv4/tcp_input.c:5581
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
 tcp_v6_do_rcv+0x3f7/0x11a0 net/ipv6/tcp_ipv6.c:1301
 sk_backlog_rcv include/net/sock.h:921 [inline]
 __release_sock+0x10b/0x340 net/core/sock.c:2269
 release_sock+0x4f/0x180 net/core/sock.c:2805
 tls_sk_proto_close+0x144/0x790 net/tls/tls_main.c:294
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
 inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:425
 inet6_release+0x46/0x60 net/ipv6/af_inet6.c:450
 __sock_release+0xc2/0x2a0 net/socket.c:602
 sock_close+0x10/0x20 net/socket.c:1139
 __fput+0x232/0x750 fs/file_table.c:210
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
 ____fput+0x9/0x10 fs/file_table.c:244
 task_work_run+0xe5/0x170 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x16a/0x1b0 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x416/0x5b0 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x402d50
RSP: 002b:00007ffe55c12408 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000402d50
RDX: fffffffffffffe5b RSI: 0000000020000080 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: fffffffffffffe5b
R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000225
R13: 0000000000000024 R14: 0000000000000000 R15: 0000000000000000
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.

TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
Allocated by task 32637:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x152/0x7a0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 tls_init+0xb1/0x530 net/tls/tls_main.c:518
 tcp_set_ulp+0x162/0x3fd net/ipv4/tcp_ulp.c:127
 do_tcp_setsockopt.isra.34+0x310/0x1c20 net/ipv4/tcp.c:2547
 tcp_setsockopt+0x80/0xd0 net/ipv4/tcp.c:2830
 sock_common_setsockopt+0x73/0xf0 net/core/sock.c:2994
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x130/0x1f0 net/socket.c:1844
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.

Freed by task 32637:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcc/0x270 mm/slab.c:3815
 tls_ctx_free net/tls/tls_main.c:252 [inline]
 tls_sk_proto_close+0x13c/0x790 net/tls/tls_main.c:290
 inet_release+0xd9/0x1c0 net/ipv4/af_inet.c:425
 inet6_release+0x46/0x60 net/ipv6/af_inet6.c:450
 __sock_release+0xc2/0x2a0 net/socket.c:602
 sock_close+0x10/0x20 net/socket.c:1139
 __fput+0x232/0x750 fs/file_table.c:210
 ____fput+0x9/0x10 fs/file_table.c:244
 task_work_run+0xe5/0x170 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x16a/0x1b0 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x416/0x5b0 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8881e7e5ff00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 112 bytes inside of
 192-byte region [ffff8881e7e5ff00, ffff8881e7e5ffc0)
The buggy address belongs to the page:
page:ffffea00079f97c0 count:1 mapcount:0 mapping:ffff8881e7e5f000 index:0xffff8881e7e5fd00
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8881e7e5f000 ffff8881e7e5fd00 0000000100000006
raw: ffffea0007a255a0 ffffea0007971c20 ffff8881f6400040 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881e7e5fe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e7e5fe80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8881e7e5ff00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8881e7e5ff80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881e7e60000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.