bisecting cause commit starting from a0cfa79f8470031a06f99172ae7163ceb12cb524
building syzkaller on 2458c1c6c2935db73abd6307d4f12126bef9efb5
testing commit a0cfa79f8470031a06f99172ae7163ceb12cb524 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in tipc_sk_filter_rcv
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start a0cfa79f8470031a06f99172ae7163ceb12cb524 v5.0
Bisecting: 5792 revisions left to test after this (roughly 13 steps)
[e431f2d74e1b91e00e71e97cadcadffc4cda8a9b] Merge tag 'driver-core-5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
testing commit e431f2d74e1b91e00e71e97cadcadffc4cda8a9b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good e431f2d74e1b91e00e71e97cadcadffc4cda8a9b
Bisecting: 2846 revisions left to test after this (roughly 12 steps)
[3601fe43e8164f67a8de3de8e988bfcb3a94af46] Merge tag 'gpio-v5.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
testing commit 3601fe43e8164f67a8de3de8e988bfcb3a94af46 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 3601fe43e8164f67a8de3de8e988bfcb3a94af46
Bisecting: 1419 revisions left to test after this (roughly 11 steps)
[b7a7d1c1ec688104fdc922568c26395a756f616d] Merge tag 'dma-mapping-5.1' of git://git.infradead.org/users/hch/dma-mapping
testing commit b7a7d1c1ec688104fdc922568c26395a756f616d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good b7a7d1c1ec688104fdc922568c26395a756f616d
Bisecting: 709 revisions left to test after this (roughly 10 steps)
[dfee9c257b102d7c0407629eef2ed32e152de0d2] Merge tag 'fuse-update-5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse
testing commit dfee9c257b102d7c0407629eef2ed32e152de0d2 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good dfee9c257b102d7c0407629eef2ed32e152de0d2
Bisecting: 287 revisions left to test after this (roughly 9 steps)
[dc2535be1fd547fbd56aff091370280007b0a1af] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit dc2535be1fd547fbd56aff091370280007b0a1af with gcc (GCC) 8.1.0
all runs: OK
# git bisect good dc2535be1fd547fbd56aff091370280007b0a1af
Bisecting: 160 revisions left to test after this (roughly 7 steps)
[31ef489a026ef2c07383ef336dc9b6601c7b9b93] Merge tag 'dmaengine-5.1-rc1' of git://git.infradead.org/users/vkoul/slave-dma
testing commit 31ef489a026ef2c07383ef336dc9b6601c7b9b93 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 31ef489a026ef2c07383ef336dc9b6601c7b9b93
Bisecting: 79 revisions left to test after this (roughly 6 steps)
[3b319ee220a8795406852a897299dbdfc1b09911] Merge tag 'acpi-5.1-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 3b319ee220a8795406852a897299dbdfc1b09911 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 3b319ee220a8795406852a897299dbdfc1b09911
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[9180bb4f046064dfa4541488102703b402bb04e1] tun: add a missing rcu_read_unlock() in error path
testing commit 9180bb4f046064dfa4541488102703b402bb04e1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9180bb4f046064dfa4541488102703b402bb04e1
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[06b39e8506f6dd4e11e1d8fc4d314d72d237ad10] sctp: fix ignoring asoc_id for tcp-style sockets on SCTP_AUTH_ACTIVE_KEY sockopt
testing commit 06b39e8506f6dd4e11e1d8fc4d314d72d237ad10 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 06b39e8506f6dd4e11e1d8fc4d314d72d237ad10
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[7221b727f0079a32aca91f657141e1de564d4b97] s390/qeth: fix race when initializing the IP address table
testing commit 7221b727f0079a32aca91f657141e1de564d4b97 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7221b727f0079a32aca91f657141e1de564d4b97
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[02ec6cafd78c2052283516afc74c309745d20271] tipc: support broadcast/replicast configurable for bc-link
testing commit 02ec6cafd78c2052283516afc74c309745d20271 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 02ec6cafd78c2052283516afc74c309745d20271
Bisecting: 2 revisions left to test after this (roughly 1 step)
[c55c8edafa91139419ed011f7d036274ce96be0b] tipc: smooth change between replicast and broadcast
testing commit c55c8edafa91139419ed011f7d036274ce96be0b with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in tipc_sk_filter_rcv
# git bisect bad c55c8edafa91139419ed011f7d036274ce96be0b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ff2ebbfba6186adf3964eb816f8f255c6e664dc4] tipc: introduce new capability flag for cluster
testing commit ff2ebbfba6186adf3964eb816f8f255c6e664dc4 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good ff2ebbfba6186adf3964eb816f8f255c6e664dc4
c55c8edafa91139419ed011f7d036274ce96be0b is the first bad commit
commit c55c8edafa91139419ed011f7d036274ce96be0b
Author: Hoang Le <hoang.h.le@dektech.com.au>
Date:   Tue Mar 19 18:49:50 2019 +0700

    tipc: smooth change between replicast and broadcast
    
    Currently, a multicast stream may start out using replicast, because
    there are few destinations, and then it should ideally switch to
    L2/broadcast IGMP/multicast when the number of destinations grows beyond
    a certain limit. The opposite should happen when the number decreases
    below the limit.
    
    To eliminate the risk of message reordering caused by method change,
    a sending socket must stick to a previously selected method until it
    enters an idle period of 5 seconds. Means there is a 5 seconds pause
    in the traffic from the sender socket.
    
    If the sender never makes such a pause, the method will never change,
    and transmission may become very inefficient as the cluster grows.
    
    With this commit, we allow such a switch between replicast and
    broadcast without any need for a traffic pause.
    
    Solution is to send a dummy message with only the header, also with
    the SYN bit set, via broadcast or replicast. For the data message,
    the SYN bit is set and sending via replicast or broadcast (inverse
    method with dummy).
    
    Then, at receiving side any messages follow first SYN bit message
    (data or dummy message), they will be held in deferred queue until
    another pair (dummy or data message) arrived in other link.
    
    v2: reverse christmas tree declaration
    
    Acked-by: Jon Maloy <jon.maloy@ericsson.com>
    Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 net/tipc/bcast.c  | 165 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 net/tipc/bcast.h  |   5 ++
 net/tipc/msg.h    |  10 ++++
 net/tipc/socket.c |   5 ++
 4 files changed, 184 insertions(+), 1 deletion(-)
revisions tested: 15, total time: 3h44m41.88996848s (build: 1h21m7.633128074s, test: 2h19m47.596134383s)
first bad commit: c55c8edafa91139419ed011f7d036274ce96be0b tipc: smooth change between replicast and broadcast
cc: ["davem@davemloft.net" "hoang.h.le@dektech.com.au" "jon.maloy@ericsson.com" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "tipc-discussion@lists.sourceforge.net" "ying.xue@windriver.com"]
crash: KASAN: use-after-free Read in tipc_sk_filter_rcv
==================================================================
BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x19dd/0x2bf0 net/tipc/socket.c:2167
Read of size 4 at addr ffff88802b0f89b4 by task kworker/u4:2/7855

CPU: 0 PID: 7855 Comm: kworker/u4:2 Not tainted 5.0.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Workqueue: tipc_send tipc_conn_send_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187
 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 tipc_sk_filter_rcv+0x19dd/0x2bf0 net/tipc/socket.c:2167
 tipc_sk_enqueue net/tipc/socket.c:2254 [inline]
 tipc_sk_rcv+0xaca/0x1db0 net/tipc/socket.c:2305
 tipc_topsrv_kern_evt+0x30c/0x460 net/tipc/topsrv.c:610
 tipc_conn_send_to_sock+0x39d/0x520 net/tipc/topsrv.c:283
 tipc_conn_send_work+0x47/0x60 net/tipc/topsrv.c:303
 process_one_work+0x835/0x16b0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x327/0x3f0 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 7855:
 save_stack+0x43/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc.constprop.9+0xc7/0xd0 mm/kasan/common.c:497
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511
 __do_kmalloc_node mm/slab.c:3686 [inline]
 __kmalloc_node_track_caller+0x4d/0x70 mm/slab.c:3700
 __kmalloc_reserve.isra.38+0x2c/0xc0 net/core/skbuff.c:140
 __alloc_skb+0xd7/0x570 net/core/skbuff.c:208
 alloc_skb_fclone include/linux/skbuff.h:1107 [inline]
 tipc_buf_acquire+0x22/0xe0 net/tipc/msg.c:66
 tipc_msg_create+0x2f/0x280 net/tipc/msg.c:98
 tipc_topsrv_kern_evt+0x207/0x460 net/tipc/topsrv.c:602
 tipc_conn_send_to_sock+0x39d/0x520 net/tipc/topsrv.c:283
 tipc_conn_send_work+0x47/0x60 net/tipc/topsrv.c:303
 process_one_work+0x835/0x16b0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x327/0x3f0 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Freed by task 7855:
 save_stack+0x43/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3821
 skb_free_head+0x6e/0x90 net/core/skbuff.c:557
 skb_release_data+0x478/0x680 net/core/skbuff.c:577
 skb_release_all+0x3d/0x50 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 kfree_skb+0x97/0x270 net/core/skbuff.c:663
 tipc_sk_proto_rcv net/tipc/socket.c:2009 [inline]
 tipc_sk_filter_rcv+0x1674/0x2bf0 net/tipc/socket.c:2162
 tipc_sk_enqueue net/tipc/socket.c:2254 [inline]
 tipc_sk_rcv+0xaca/0x1db0 net/tipc/socket.c:2305
 tipc_topsrv_kern_evt+0x30c/0x460 net/tipc/topsrv.c:610
 tipc_conn_send_to_sock+0x39d/0x520 net/tipc/topsrv.c:283
 tipc_conn_send_work+0x47/0x60 net/tipc/topsrv.c:303
 process_one_work+0x835/0x16b0 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x327/0x3f0 kernel/kthread.c:253
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff88802b0f8900
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 180 bytes inside of
 1024-byte region [ffff88802b0f8900, ffff88802b0f8d00)
The buggy address belongs to the page:
page:ffffea0000ac3e00 count:1 mapcount:0 mapping:ffff88802d400ac0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea000081b808 ffff88802d401848 ffff88802d400ac0
raw: 0000000000000000 ffff88802b0f8000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88802b0f8880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802b0f8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802b0f8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88802b0f8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802b0f8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================