bisecting fixing commit since 3ffe1e79c174b2093f7ee3df589a7705572c9620
building syzkaller on 0d298d6b2e4a48a2b4d3413cabc199e5f61c1dd4
testing commit 3ffe1e79c174b2093f7ee3df589a7705572c9620 with gcc (GCC) 8.1.0
kernel signature: ba47dfb1c385febb9d2c117ed6303047922cf691
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #3: crashed: KASAN: use-after-free Read in bpf_skb_change_tail
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
testing current HEAD 4c5bf01e16a7ec59e59a38a61f793c5d1d5560c7
testing commit 4c5bf01e16a7ec59e59a38a61f793c5d1d5560c7 with gcc (GCC) 8.1.0
kernel signature: e222b5dc0a4d43946188ebb4482d1d9526a43da2
all runs: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
revisions tested: 2, total time: 23m42.542216474s (build: 16m7.775739591s, test: 6m28.227571322s)
the crash still happens on HEAD
commit msg: Linux 4.14.161
crash: KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
==================================================================
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_tail net/core/filter.c:2371 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_tail+0xa77/0xd50 net/core/filter.c:2368
Read of size 8 at addr ffff888095b269d0 by task syz-executor.1/6797

CPU: 0 PID: 6797 Comm: syz-executor.1 Not tainted 4.14.161-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xf7/0x13b lib/dump_stack.c:58
 print_address_description.cold.7+0x9/0x1c9 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.8+0x11a/0x2d3 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 ____bpf_skb_change_tail net/core/filter.c:2371 [inline]
 bpf_skb_change_tail+0xa77/0xd50 net/core/filter.c:2368
 bpf_prog_ac477e10ee530e9d+0x614/0x1000

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888095b26940
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 144 bytes inside of
 232-byte region [ffff888095b26940, ffff888095b26a28)
The buggy address belongs to the page:
page:ffffea000256c980 count:1 mapcount:0 mapping:ffff888095b26080 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff888095b26080 0000000000000000 000000010000000c
raw: ffffea0002244620 ffffea00022433a0 ffff88821b75e540 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888095b26880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888095b26900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888095b26980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffff888095b26a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888095b26a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================