bisecting cause commit starting from 2ef96a5bb12be62ef75b5828c0aab838ebb29cb8
building syzkaller on f8f57555cd9496188673f14b02ce8e1f13ce508c
testing commit 2ef96a5bb12be62ef75b5828c0aab838ebb29cb8 with gcc (GCC) 8.1.0
kernel signature: c6f295da0667df519d46bb331d520f72cfd2178955586abd8ee1f00f4cba9b1c
all runs: crashed: KASAN: slab-out-of-bounds Read in fl6_update_dst
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: aaef7cd410f515f98f2f7a76eeaf857419772e705f4f8d6fdec57d959f798646
all runs: OK
# git bisect start 2ef96a5bb12be62ef75b5828c0aab838ebb29cb8 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 6767 revisions left to test after this (roughly 13 steps)
[f365ab31efacb70bed1e821f7435626e0b2528a6] Merge tag 'drm-next-2020-04-01' of git://anongit.freedesktop.org/drm/drm
testing commit f365ab31efacb70bed1e821f7435626e0b2528a6 with gcc (GCC) 8.1.0
kernel signature: f2fa1ee2a0b72321d0844db1d84a2abc2108385b57b5fcb6be3f36af5e617459
all runs: OK
# git bisect good f365ab31efacb70bed1e821f7435626e0b2528a6
Bisecting: 3417 revisions left to test after this (roughly 12 steps)
[828907ef25e0133f50c346ef5a3c79a707a9b100] Merge tag 'gpio-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
testing commit 828907ef25e0133f50c346ef5a3c79a707a9b100 with gcc (GCC) 8.1.0
kernel signature: 9533bb8d596e15f168fbbd0adabfbbacc3d89fbf61cbd1beb5460bf9f6566f07
all runs: OK
# git bisect good 828907ef25e0133f50c346ef5a3c79a707a9b100
Bisecting: 1711 revisions left to test after this (roughly 11 steps)
[f8693b3eb59f9055edca86b0789fd6593a57edf4] Merge tag 'libata-5.7-2020-04-09' of git://git.kernel.dk/linux-block
testing commit f8693b3eb59f9055edca86b0789fd6593a57edf4 with gcc (GCC) 8.1.0
kernel signature: 6416f7b1198b45c62689ba2fe04fc96a9825c47096b1a6e11df77dd54a793bf7
all runs: OK
# git bisect good f8693b3eb59f9055edca86b0789fd6593a57edf4
Bisecting: 874 revisions left to test after this (roughly 10 steps)
[88412a4e00f6baab2752e99ffdbdb0ee661cac30] Merge tag 'drm-fixes-2020-04-24' of git://anongit.freedesktop.org/drm/drm
testing commit 88412a4e00f6baab2752e99ffdbdb0ee661cac30 with gcc (GCC) 8.1.0
kernel signature: 1f6e1de21f96a0de1c4cfc02751359bae93878209c4eca923cbc85665995ef41
all runs: OK
# git bisect good 88412a4e00f6baab2752e99ffdbdb0ee661cac30
Bisecting: 433 revisions left to test after this (roughly 9 steps)
[477bfeb9a3d712b6e1aeb4e37607faebf4b7f6d4] Merge tag 'drm-fixes-2020-05-01' of git://anongit.freedesktop.org/drm/drm
testing commit 477bfeb9a3d712b6e1aeb4e37607faebf4b7f6d4 with gcc (GCC) 8.1.0
kernel signature: 9183d6988a768ed46b28e73a0b229a32512f08ee65ca97d9607fc66e1f4c1970
all runs: OK
# git bisect good 477bfeb9a3d712b6e1aeb4e37607faebf4b7f6d4
Bisecting: 192 revisions left to test after this (roughly 8 steps)
[a811c1fa0a02c062555b54651065899437bacdbe] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit a811c1fa0a02c062555b54651065899437bacdbe with gcc (GCC) 8.1.0
kernel signature: 19465e16454c1ad7492fd7b5f254f30bfaaa3c840dde117af0747f84d9583e68
all runs: crashed: KASAN: slab-out-of-bounds Read in fl6_update_dst
# git bisect bad a811c1fa0a02c062555b54651065899437bacdbe
Bisecting: 119 revisions left to test after this (roughly 7 steps)
[d3f3e6acb26b171e4572aaaafc7d2e918b35be35] Merge branch 'wireguard-fixes'
testing commit d3f3e6acb26b171e4572aaaafc7d2e918b35be35 with gcc (GCC) 8.1.0
kernel signature: fe820f012ecc859e38d769b47010e130981aca03dffc5d0e5dead397be3f64f3
all runs: crashed: KASAN: slab-out-of-bounds Read in fl6_update_dst
# git bisect bad d3f3e6acb26b171e4572aaaafc7d2e918b35be35
Bisecting: 60 revisions left to test after this (roughly 6 steps)
[c778980a6594880204a44207e5cdceea6e859a1c] Merge branch 'net-ipa-three-bug-fixes'
testing commit c778980a6594880204a44207e5cdceea6e859a1c with gcc (GCC) 8.1.0
kernel signature: 9f0dc9d658d6655c03abc43cb03c9791b6b1b159b488798ddd14a4842bd4083e
all runs: OK
# git bisect good c778980a6594880204a44207e5cdceea6e859a1c
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[d975cb7ea915e64a3ebcfef8a33051f3e6bf22a8] net: enetc: fix an issue about leak system resources
testing commit d975cb7ea915e64a3ebcfef8a33051f3e6bf22a8 with gcc (GCC) 8.1.0
kernel signature: 9fc3d3dc91bec7c426a6d5c3f77fec4de86731750bbd75b77cd4499634288515
all runs: OK
# git bisect good d975cb7ea915e64a3ebcfef8a33051f3e6bf22a8
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[a84724178bd7081cf3bd5b558616dd6a9a4ca63b] selftests: net: tcp_mmap: fix SO_RCVLOWAT setting
testing commit a84724178bd7081cf3bd5b558616dd6a9a4ca63b with gcc (GCC) 8.1.0
kernel signature: d24577128bace90b0a5ff469fcdc4c74cf3918e1e02f018a4b5268f6594feaad
all runs: OK
# git bisect good a84724178bd7081cf3bd5b558616dd6a9a4ca63b
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[050569fc8384c8056bacefcc246bcb2dfe574936] net: dsa: Do not leave DSA master with NULL netdev_ops
testing commit 050569fc8384c8056bacefcc246bcb2dfe574936 with gcc (GCC) 8.1.0
kernel signature: e7a1cf118281c3f0d4ea8051f3d5af6003dfc015c46d614d4a92616def6f12a8
all runs: crashed: KASAN: slab-out-of-bounds Read in fl6_update_dst
# git bisect bad 050569fc8384c8056bacefcc246bcb2dfe574936
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[6e0ddb6530b5010b33f91f0939029d2819b2dc3f] Merge branch 'FDB-fixes-for-Felix-and-Ocelot-switches'
testing commit 6e0ddb6530b5010b33f91f0939029d2819b2dc3f with gcc (GCC) 8.1.0
kernel signature: 519090c8c86ae38c43b545100b9c7de6e9453f5bf7bfcb8fbac08b9f2af122ca
all runs: OK
# git bisect good 6e0ddb6530b5010b33f91f0939029d2819b2dc3f
Bisecting: 1 revision left to test after this (roughly 1 step)
[9274124f023b5c56dc4326637d4f787968b03607] net: stricter validation of untrusted gso packets
testing commit 9274124f023b5c56dc4326637d4f787968b03607 with gcc (GCC) 8.1.0
kernel signature: e1d6cca0d5da4c747a885ebaa39f669415a179445e0c24119d428559b7089036
all runs: crashed: KASAN: slab-out-of-bounds Read in fl6_update_dst
# git bisect bad 9274124f023b5c56dc4326637d4f787968b03607
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0cb7498f234e4e7d75187a8cae6c7c2053f2488a] seg6: fix SRH processing to comply with RFC8754
testing commit 0cb7498f234e4e7d75187a8cae6c7c2053f2488a with gcc (GCC) 8.1.0
kernel signature: 2c748b135f9621c6aa651774e74b9ab498ce8fd27044b765d8a65d68ee709521
all runs: crashed: KASAN: slab-out-of-bounds Read in fl6_update_dst
# git bisect bad 0cb7498f234e4e7d75187a8cae6c7c2053f2488a
0cb7498f234e4e7d75187a8cae6c7c2053f2488a is the first bad commit
commit 0cb7498f234e4e7d75187a8cae6c7c2053f2488a
Author: Ahmed Abdelsalam <ahabdels@gmail.com>
Date:   Mon May 4 14:42:11 2020 +0000

    seg6: fix SRH processing to comply with RFC8754
    
    The Segment Routing Header (SRH) which defines the SRv6 dataplane is defined
    in RFC8754.
    
    RFC8754 (section 4.1) defines the SR source node behavior which encapsulates
    packets into an outer IPv6 header and SRH. The SR source node encodes the
    full list of Segments that defines the packet path in the SRH. Then, the
    first segment from list of Segments is copied into the Destination address
    of the outer IPv6 header and the packet is sent to the first hop in its path
    towards the destination.
    
    If the Segment list has only one segment, the SR source node can omit the SRH
    as he only segment is added in the destination address.
    
    RFC8754 (section 4.1.1) defines the Reduced SRH, when a source does not
    require the entire SID list to be preserved in the SRH. A reduced SRH does
    not contain the first segment of the related SR Policy (the first segment is
    the one already in the DA of the IPv6 header), and the Last Entry field is
    set to n-2, where n is the number of elements in the SR Policy.
    
    RFC8754 (section 4.3.1.1) defines the SRH processing and the logic to
    validate the SRH (S09, S10, S11) which works for both reduced and
    non-reduced behaviors.
    
    This patch updates seg6_validate_srh() to validate the SRH as per RFC8754.
    
    Signed-off-by: Ahmed Abdelsalam <ahabdels@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv6/seg6.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
culprit signature: 2c748b135f9621c6aa651774e74b9ab498ce8fd27044b765d8a65d68ee709521
parent  signature: 519090c8c86ae38c43b545100b9c7de6e9453f5bf7bfcb8fbac08b9f2af122ca
revisions tested: 16, total time: 3h45m7.720684047s (build: 1h36m11.725188402s, test: 2h7m15.553146235s)
first bad commit: 0cb7498f234e4e7d75187a8cae6c7c2053f2488a seg6: fix SRH processing to comply with RFC8754
cc: ["ahabdels@gmail.com" "davem@davemloft.net" "kuba@kernel.org" "kuznet@ms2.inr.ac.ru" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "yoshfuji@linux-ipv6.org"]
crash: KASAN: slab-out-of-bounds Read in fl6_update_dst
==================================================================
BUG: KASAN: slab-out-of-bounds in fl6_update_dst+0x2cb/0x2f0 net/ipv6/exthdrs.c:1356
Read of size 16 at addr ffff8880a49e39d8 by task syz-executor.2/8387

CPU: 1 PID: 8387 Comm: syz-executor.2 Not tainted 5.7.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:382
 __kasan_report.cold.11+0x35/0x4d mm/kasan/report.c:511
 kasan_report+0x32/0x50 mm/kasan/common.c:625
 fl6_update_dst+0x2cb/0x2f0 net/ipv6/exthdrs.c:1356
 sctp_v6_get_dst+0x49c/0x1590 net/sctp/ipv6.c:276
 sctp_transport_route+0x124/0x330 net/sctp/transport.c:297
 sctp_assoc_add_peer+0x511/0xea0 net/sctp/associola.c:659
 sctp_connect_new_asoc+0x139/0x490 net/sctp/socket.c:1092
 sctp_sendmsg_new_asoc net/sctp/socket.c:1694 [inline]
 sctp_sendmsg+0x118e/0x1c60 net/sctp/socket.c:2004
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x376/0x760 net/socket.c:2362
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2416
 __sys_sendmmsg+0x145/0x330 net/socket.c:2506
 __do_sys_sendmmsg net/socket.c:2535 [inline]
 __se_sys_sendmmsg net/socket.c:2532 [inline]
 __x64_sys_sendmmsg+0x94/0x100 net/socket.c:2532
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45c829
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3eb0861c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004fc3e0 RCX: 000000000045c829
RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008e0 R14: 00000000004cb843 R15: 00007f3eb08626d4

Allocated by task 8387:
 save_stack+0x19/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:495
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x164/0x7b0 mm/slab.c:3665
 kmalloc include/linux/slab.h:560 [inline]
 sock_kmalloc+0x83/0xc0 net/core/sock.c:2166
 ipv6_renew_options+0x1f2/0x8b0 net/ipv6/exthdrs.c:1275
 do_ipv6_setsockopt.isra.8+0x21ec/0x36e0 net/ipv6/ipv6_sockglue.c:435
 ipv6_setsockopt+0x6e/0xe0 net/ipv6/ipv6_sockglue.c:949
 sctp_setsockopt+0x14a/0x58e0 net/sctp/socket.c:4685
 __sys_setsockopt+0x228/0x430 net/socket.c:2132
 __do_sys_setsockopt net/socket.c:2148 [inline]
 __se_sys_setsockopt net/socket.c:2145 [inline]
 __x64_sys_setsockopt+0xb5/0x150 net/socket.c:2145
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880a49e3980
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 88 bytes inside of
 96-byte region [ffff8880a49e3980, ffff8880a49e39e0)
The buggy address belongs to the page:
page:ffffea00029278c0 refcount:1 mapcount:0 mapping:0000000036b272c3 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00028790c8 ffffea00027aac48 ffff8880aa400540
raw: 0000000000000000 ffff8880a49e3000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a49e3880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a49e3900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a49e3980: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
                                                    ^
 ffff8880a49e3a00: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
 ffff8880a49e3a80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================