bisecting fixing commit since 397a88b2cc869c823bf40bc403d36a62afec1edd
building syzkaller on e4b4d570a88c0d2e0420c6e21fc20d90564636b1
testing commit 397a88b2cc869c823bf40bc403d36a62afec1edd with gcc (GCC) 8.4.1 20210217
kernel signature: d6a3cabeba1d81bda82e1fc19da4fe322261403c19611ddce1dd1de3a36ee229
run #0: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #1: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #2: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #3: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #4: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #5: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #6: OK
run #7: OK
run #8: OK
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
reproducer seems to be flaky
testing current HEAD bd634aa6416382439890b78f7be0023020a86207
testing commit bd634aa6416382439890b78f7be0023020a86207 with gcc (GCC) 8.4.1 20210217
kernel signature: 04285cf5d46735e412440dc9abff245b1c5111e8f016e2967f134f7d62c2bce1
run #0: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #1: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #2: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #3: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #4: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #5: OK
run #6: OK
run #7: OK
run #8: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #9: OK
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: crashed: KASAN: use-after-free Read in rht_deferred_worker
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
Reproducer flagged being flaky
revisions tested: 2, total time: 36m26.251720882s (build: 14m59.545210144s, test: 21m5.870367298s)
the crash still happens on HEAD
commit msg: Linux 4.14.228
crash: KASAN: use-after-free Read in rht_deferred_worker

netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
==================================================================
BUG: KASAN: use-after-free in rhashtable_rehash_one lib/rhashtable.c:276 [inline]
BUG: KASAN: use-after-free in rhashtable_rehash_chain lib/rhashtable.c:316 [inline]
BUG: KASAN: use-after-free in rhashtable_rehash_table lib/rhashtable.c:364 [inline]
BUG: KASAN: use-after-free in rht_deferred_worker+0x116a/0x1610 lib/rhashtable.c:465
Read of size 8 at addr ffff8880388add00 by task kworker/1:1/4076

CPU: 1 PID: 4076 Comm: kworker/1:1 Not tainted 4.14.228-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rht_deferred_worker
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x14b/0x1e7 lib/dump_stack.c:58
 print_address_description.cold.6+0x9/0x1ca mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold.7+0x11a/0x2d3 mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 rhashtable_rehash_one lib/rhashtable.c:276 [inline]
 rhashtable_rehash_chain lib/rhashtable.c:316 [inline]
 rhashtable_rehash_table lib/rhashtable.c:364 [inline]
 rht_deferred_worker+0x116a/0x1610 lib/rhashtable.c:465
 process_one_work+0x74f/0x1620 kernel/workqueue.c:2116
 worker_thread+0xcc/0xee0 kernel/workqueue.c:2250
 kthread+0x338/0x400 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 20870:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:551
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:536
 kmem_cache_alloc_trace+0x152/0x3f0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 fl_change+0x32a/0x4820 net/sched/cls_flower.c:919
 tc_ctl_tfilter+0x1141/0x1b20 net/sched/cls_api.c:738
 rtnetlink_rcv_msg+0x34c/0x9e0 net/core/rtnetlink.c:4316
 netlink_rcv_skb+0x12f/0x3b0 net/netlink/af_netlink.c:2433
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4328
 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
 netlink_unicast+0x40b/0x610 net/netlink/af_netlink.c:1313
 netlink_sendmsg+0x639/0xbe0 net/netlink/af_netlink.c:1878
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:656
 ___sys_sendmsg+0x282/0x920 net/socket.c:2062
 __sys_sendmmsg+0x126/0x300 net/socket.c:2152
 SYSC_sendmmsg net/socket.c:2183 [inline]
 SyS_sendmmsg+0xd/0x20 net/socket.c:2178
 do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 7315:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xab/0x190 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcc/0x270 mm/slab.c:3815
 __fl_destroy_filter+0x4c/0x70 net/sched/cls_flower.c:226
 fl_destroy_filter_work+0x19/0x30 net/sched/cls_flower.c:234
 process_one_work+0x74f/0x1620 kernel/workqueue.c:2116
 worker_thread+0xcc/0xee0 kernel/workqueue.c:2250
 kthread+0x338/0x400 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff8880388add00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [ffff8880388add00, ffff8880388adf00)
The buggy address belongs to the page:
page:ffffea0000e22b40 count:1 mapcount:0 mapping:ffff8880388ad080 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880388ad080 0000000000000000 0000000100000006
raw: ffffea0000860060 ffffea000052b520 ffff88813fe60940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880388adc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880388adc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880388add00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880388add80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880388ade00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================