bisecting cause commit starting from 56f200c78ce4d94680a27a1ce97a29ebeb4f23e1
building syzkaller on 3de7aabbb79a6c2267f5d7ee8a8aaa83f63305b7
testing commit 56f200c78ce4d94680a27a1ce97a29ebeb4f23e1 with gcc (GCC) 8.1.0
kernel signature: 189f3a585b751ff6e230d58d76fe76ac3d3f1b61
all runs: crashed: KASAN: use-after-free Read in tcp_check_sack_reordering
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 294a41574194302427b6132101d081f24b12af64
all runs: OK
# git bisect start 56f200c78ce4d94680a27a1ce97a29ebeb4f23e1 219d54332a09e8d8741c1e1982f5eae56099de85
Bisecting: 7057 revisions left to test after this (roughly 13 steps)
[a6ed68d6468bd5a3da78a103344ded1435fed57a] Merge tag 'drm-next-2019-11-27' of git://anongit.freedesktop.org/drm/drm
testing commit a6ed68d6468bd5a3da78a103344ded1435fed57a with gcc (GCC) 8.1.0
kernel signature: f62685b77cdc6f959dcabce1cdff7c980c561fc7
all runs: OK
# git bisect good a6ed68d6468bd5a3da78a103344ded1435fed57a
Bisecting: 3684 revisions left to test after this (roughly 12 steps)
[ec939e4c94bd3ef2fd4f34c15f8aaf79bd0c5ee1] Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit ec939e4c94bd3ef2fd4f34c15f8aaf79bd0c5ee1 with gcc (GCC) 8.1.0
kernel signature: de3f948afe5dc64f800edf9ab987125885b15ac9
all runs: OK
# git bisect good ec939e4c94bd3ef2fd4f34c15f8aaf79bd0c5ee1
Bisecting: 1845 revisions left to test after this (roughly 11 steps)
[5f096c0ecd53263a94124bdfa516a29f154e44ed] Merge tag 'pm-5.5-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 5f096c0ecd53263a94124bdfa516a29f154e44ed with gcc (GCC) 8.1.0
kernel signature: 1bb8b8fd919877712fa09d78559a46bcaef6b7c7
all runs: OK
# git bisect good 5f096c0ecd53263a94124bdfa516a29f154e44ed
Bisecting: 988 revisions left to test after this (roughly 10 steps)
[9e41fbf3dd38327d440a8f3ba0c234519dbb5280] Merge branch 's390-qeth-next'
testing commit 9e41fbf3dd38327d440a8f3ba0c234519dbb5280 with gcc (GCC) 8.1.0
kernel signature: 21a9314eee0b425709b4a455adc13f6d5f0ac2e8
all runs: OK
# git bisect good 9e41fbf3dd38327d440a8f3ba0c234519dbb5280
Bisecting: 494 revisions left to test after this (roughly 9 steps)
[cbefe2c95770a8b04bbe26a684f546c61d2ee8e6] Merge branch 'Documentation-stmmac-documentation-improvements'
testing commit cbefe2c95770a8b04bbe26a684f546c61d2ee8e6 with gcc (GCC) 8.1.0
kernel signature: f413d4c62096c5eb50c4444ea5c636c25c44bcb0
all runs: crashed: KASAN: use-after-free Read in tcp_check_sack_reordering
# git bisect bad cbefe2c95770a8b04bbe26a684f546c61d2ee8e6
Bisecting: 285 revisions left to test after this (roughly 8 steps)
[684ea87cc312c98386c667d1046c61eb92ea8379] igc: Remove serdes comments from a description of methods
testing commit 684ea87cc312c98386c667d1046c61eb92ea8379 with gcc (GCC) 8.1.0
kernel signature: 7adf71460ebe3ebfee3f71733754a08fd3e4437b
all runs: OK
# git bisect good 684ea87cc312c98386c667d1046c61eb92ea8379
Bisecting: 142 revisions left to test after this (roughly 7 steps)
[738d2902773e30939a982c8df7a7f94293659810] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 738d2902773e30939a982c8df7a7f94293659810 with gcc (GCC) 8.1.0
kernel signature: c79e0438dcd29946414e18a41faa59c2ffd23639
all runs: crashed: KASAN: use-after-free Read in tcp_check_sack_reordering
# git bisect bad 738d2902773e30939a982c8df7a7f94293659810
Bisecting: 70 revisions left to test after this (roughly 6 steps)
[d75663868d60f74bda33135fd737a7967532c357] Merge tag 'locks-v5.5-1' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux
testing commit d75663868d60f74bda33135fd737a7967532c357 with gcc (GCC) 8.1.0
kernel signature: 2080cd475b975f2478c8445ea2c8c03efc29a361
all runs: OK
# git bisect good d75663868d60f74bda33135fd737a7967532c357
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[ec34c0157580a68c10dccbdd18c7701f0b317172] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
testing commit ec34c0157580a68c10dccbdd18c7701f0b317172 with gcc (GCC) 8.1.0
kernel signature: e8383ca67948fb4edb1cb2f646b6b9d38e02855b
all runs: OK
# git bisect good ec34c0157580a68c10dccbdd18c7701f0b317172
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[9fcf024dd6fae082f05e8c1fcdae23972b2f6971] net: dsa: sja1105: Take PTP egress timestamp by port, not mgmt slot
testing commit 9fcf024dd6fae082f05e8c1fcdae23972b2f6971 with gcc (GCC) 8.1.0
kernel signature: 22acaee4174216127363240be90c4aa45bbb3f5c
all runs: OK
# git bisect good 9fcf024dd6fae082f05e8c1fcdae23972b2f6971
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[c5c928c667cd1e34cbcac6af5b7c2f9f4512d612] Merge tag 'tomoyo-fixes-for-5.5' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1
testing commit c5c928c667cd1e34cbcac6af5b7c2f9f4512d612 with gcc (GCC) 8.1.0
kernel signature: eb9f3a04f8093a537e549e7310b68590e71cb079
all runs: OK
# git bisect good c5c928c667cd1e34cbcac6af5b7c2f9f4512d612
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[54fa49ee88138756df0fcf867cb1849904710a8c] net: dsa: sja1105: Reconcile the meaning of TPID and TPID2 for E/T and P/Q/R/S
testing commit 54fa49ee88138756df0fcf867cb1849904710a8c with gcc (GCC) 8.1.0
kernel signature: 79fae1fe1e81166eb6903eea004f02cc4ef7df3c
all runs: OK
# git bisect good 54fa49ee88138756df0fcf867cb1849904710a8c
Bisecting: 2 revisions left to test after this (roughly 1 step)
[853697504de043ff0bfd815bd3a64de1dce73dc7] tcp: Fix highest_sack and highest_sack_seq
testing commit 853697504de043ff0bfd815bd3a64de1dce73dc7 with gcc (GCC) 8.1.0
kernel signature: 6ae9af1627596d407ff0cd9b6207845488f14414
all runs: crashed: KASAN: use-after-free Read in tcp_check_sack_reordering
# git bisect bad 853697504de043ff0bfd815bd3a64de1dce73dc7
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[a33121e5487b424339636b25c35d3a180eaa5f5e] ptp: fix the race between the release of ptp_clock and cdev
testing commit a33121e5487b424339636b25c35d3a180eaa5f5e with gcc (GCC) 8.1.0
kernel signature: 8886860792f557319d92d35b1f646cc78a8f0b32
all runs: OK
# git bisect good a33121e5487b424339636b25c35d3a180eaa5f5e
853697504de043ff0bfd815bd3a64de1dce73dc7 is the first bad commit
commit 853697504de043ff0bfd815bd3a64de1dce73dc7
Author: Cambda Zhu <cambda@linux.alibaba.com>
Date:   Fri Dec 27 16:52:37 2019 +0800

    tcp: Fix highest_sack and highest_sack_seq
    
    >From commit 50895b9de1d3 ("tcp: highest_sack fix"), the logic about
    setting tp->highest_sack to the head of the send queue was removed.
    Of course the logic is error prone, but it is logical. Before we
    remove the pointer to the highest sack skb and use the seq instead,
    we need to set tp->highest_sack to NULL when there is no skb after
    the last sack, and then replace NULL with the real skb when new skb
    inserted into the rtx queue, because the NULL means the highest sack
    seq is tp->snd_nxt. If tp->highest_sack is NULL and new data sent,
    the next ACK with sack option will increase tp->reordering unexpectedly.
    
    This patch sets tp->highest_sack to the tail of the rtx queue if
    it's NULL and new data is sent. The patch keeps the rule that the
    highest_sack can only be maintained by sack processing, except for
    this only case.
    
    Fixes: 50895b9de1d3 ("tcp: highest_sack fix")
    Signed-off-by: Cambda Zhu <cambda@linux.alibaba.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/ipv4/tcp_output.c | 3 +++
 1 file changed, 3 insertions(+)
culprit signature: 6ae9af1627596d407ff0cd9b6207845488f14414
parent  signature: 8886860792f557319d92d35b1f646cc78a8f0b32
revisions tested: 16, total time: 4h17m43.921337082s (build: 1h45m23.560056571s, test: 2h30m46.441058955s)
first bad commit: 853697504de043ff0bfd815bd3a64de1dce73dc7 tcp: Fix highest_sack and highest_sack_seq
cc: ["cambda@linux.alibaba.com" "davem@davemloft.net" "edumazet@google.com"]
crash: KASAN: use-after-free Read in tcp_check_sack_reordering
==================================================================
BUG: KASAN: use-after-free in tcp_highest_sack_seq include/net/tcp.h:1852 [inline]
BUG: KASAN: use-after-free in tcp_check_sack_reordering+0x2ef/0x360 net/ipv4/tcp_input.c:891
Read of size 4 at addr ffff888099fa2a68 by task syz-executor.4/8149

CPU: 0 PID: 8149 Comm: syz-executor.4 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374
 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 tcp_highest_sack_seq include/net/tcp.h:1852 [inline]
 tcp_check_sack_reordering+0x2ef/0x360 net/ipv4/tcp_input.c:891
 tcp_try_undo_partial net/ipv4/tcp_input.c:2727 [inline]
 tcp_fastretrans_alert+0xe2f/0x2550 net/ipv4/tcp_input.c:2844
 tcp_ack+0x1f61/0x5aa0 net/ipv4/tcp_input.c:3707
 tcp_rcv_established+0x830/0x2260 net/ipv4/tcp_input.c:5698
 tcp_v4_do_rcv+0x526/0x790 net/ipv4/tcp_ipv4.c:1562
 sk_backlog_rcv include/net/sock.h:954 [inline]
 __release_sock+0x10b/0x330 net/core/sock.c:2437
 release_sock+0x4f/0x180 net/core/sock.c:2953
 sk_stream_wait_memory+0x4df/0xcb0 net/core/stream.c:145
 tcp_sendmsg_locked+0xb2e/0x37f0 net/ipv4/tcp.c:1394
 tcp_sendmsg+0x27/0x40 net/ipv4/tcp.c:1434
 inet_sendmsg+0x8f/0xb0 net/ipv4/af_inet.c:807
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:659
 __sys_sendto+0x1f2/0x2e0 net/socket.c:1985
 __do_sys_sendto net/socket.c:1997 [inline]
 __se_sys_sendto net/socket.c:1993 [inline]
 __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1993
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45aff9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5d69d20c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f5d69d216d4 RCX: 000000000045aff9
RDX: ffffffffffffff67 RSI: 0000000020000640 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: ffffffffffffff4f
R10: 00000000040007bd R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000992 R14: 00000000004cacca R15: 000000000075bf2c

Allocated by task 8149:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc7/0xd0 mm/kasan/common.c:513
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:521
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slab.c:3263 [inline]
 kmem_cache_alloc_node+0x138/0x760 mm/slab.c:3575
 __alloc_skb+0xa7/0x570 net/core/skbuff.c:197
 alloc_skb_fclone include/linux/skbuff.h:1099 [inline]
 sk_stream_alloc_skb+0x278/0xbb0 net/ipv4/tcp.c:877
 tcp_sendmsg_locked+0xa3d/0x37f0 net/ipv4/tcp.c:1284
 tcp_sendmsg+0x27/0x40 net/ipv4/tcp.c:1434
 inet_sendmsg+0x8f/0xb0 net/ipv4/af_inet.c:807
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:659
 __sys_sendto+0x1f2/0x2e0 net/socket.c:1985
 __do_sys_sendto net/socket.c:1997 [inline]
 __se_sys_sendto net/socket.c:1993 [inline]
 __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1993
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8155:
 save_stack+0x21/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:335 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
 __cache_free mm/slab.c:3426 [inline]
 kmem_cache_free+0x83/0x320 mm/slab.c:3694
 kfree_skbmem+0xfd/0x130 net/core/skbuff.c:644
 __kfree_skb+0x15/0x20 net/core/skbuff.c:680
 sk_eat_skb include/net/sock.h:2468 [inline]
 tcp_recvmsg+0x163a/0x24e0 net/ipv4/tcp.c:2166
 inet_recvmsg+0x110/0x6a0 net/ipv4/af_inet.c:838
 sock_recvmsg_nosec net/socket.c:873 [inline]
 sock_recvmsg+0xb7/0xf0 net/socket.c:891
 __sys_recvfrom+0x327/0x3f0 net/socket.c:2042
 __do_sys_recvfrom net/socket.c:2060 [inline]
 __se_sys_recvfrom net/socket.c:2056 [inline]
 __x64_sys_recvfrom+0xdc/0x1a0 net/socket.c:2056
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888099fa2a40
 which belongs to the cache skbuff_fclone_cache of size 456
The buggy address is located 40 bytes inside of
 456-byte region [ffff888099fa2a40, ffff888099fa2c08)
The buggy address belongs to the page:
page:ffffea000267e880 refcount:1 mapcount:0 mapping:ffff88821b0511c0 index:0x0
raw: 00fffe0000000200 ffffea0002a57e88 ffffea0002503d48 ffff88821b0511c0
raw: 0000000000000000 ffff888099fa2040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888099fa2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099fa2980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888099fa2a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                          ^
 ffff888099fa2a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099fa2b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================