bisecting fixing commit since 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e
building syzkaller on 598ca6c8b8766304c3b2865e38f5f301c39bd299
testing commit 43598c571e7ed29e4c81e35b4a870fe6b9f8d58e with gcc (GCC) 8.1.0
kernel signature: e955928317960f35b09bbacbc711de3b2ea16056
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #2: crashed: general protection fault in bpf_skb_change_head
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #7: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
testing current HEAD e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b
testing commit e1f7d50ae3a3ec342e87a9b1ce6787bfb8b3c08b with gcc (GCC) 8.1.0
kernel signature: 975ae0df809414483010f8f2fdc01f3d9d16c9a4
run #0: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #1: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #2: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #3: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #4: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #5: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #6: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #7: crashed: KASAN: use-after-free Read in bpf_skb_change_head
run #8: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
run #9: crashed: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
revisions tested: 2, total time: 23m49.922390697s (build: 16m53.892545135s, test: 6m11.060701561s)
the crash still happens on HEAD
commit msg: Linux 4.14.160
crash: KASAN: slab-out-of-bounds Read in bpf_skb_change_head
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
device hsr_slave_0 entered promiscuous mode
==================================================================
BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_head net/core/filter.c:2422 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x55e/0x6b0 net/core/filter.c:2419
Read of size 8 at addr ffff88806f42a450 by task syz-executor.0/6870

CPU: 0 PID: 6870 Comm: syz-executor.0 Not tainted 4.14.160-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xf7/0x13b lib/dump_stack.c:58
 print_address_description.cold.7+0x9/0x1c9 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.8+0x11a/0x2d3 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 ____bpf_skb_change_head net/core/filter.c:2422 [inline]
 bpf_skb_change_head+0x55e/0x6b0 net/core/filter.c:2419
 bpf_prog_147a7bac71f62ca7+0x3ff/0x1000

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88806f42a3c0
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 144 bytes inside of
 232-byte region [ffff88806f42a3c0, ffff88806f42a4a8)
The buggy address belongs to the page:
page:ffffea0001bd0a80 count:1 mapcount:0 mapping:ffff88806f42a000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88806f42a000 0000000000000000 000000010000000c
raw: ffffea0001bd81a0 ffffea0002a11e60 ffff88821b75e540 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88806f42a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806f42a380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88806f42a400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffff88806f42a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806f42a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================