bisecting cause commit starting from 441870ee4240cf67b5d3ab8e16216a9ff42eb5d6
building syzkaller on 365fba2440cee3aed74c774867a1f43e3e2f7aac
testing commit 441870ee4240cf67b5d3ab8e16216a9ff42eb5d6 with gcc (GCC) 8.1.0
kernel signature: 90df468de68a4d7680350783da93bbdd06471eaba8b330698f3ce508b6be20e2
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 20a75029cb783c3de8d23f5e2a42feba9c9aeffe1d6d6849ef1dbaf3083af989
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: e46fcda8ceb3d4824f8270952b743226d146d2b627bdbc24abd289c3e447dd21
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: f5c8a2c78aba8d121d13d3df6c7e820b9b2593198463b939c509cc421d9b0b8f
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 26c8fcdc864a60ff8396ab629d696771df30dbab11746687ba4b3abd3bfc284f
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 11be095f11ceb2c668ff01c0684e5bdbe63a9c9afe6cd8f2736bad692f9bb57e
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: 1b4bfce30224cf38d686700fe21a2ba9a45a8ada5b4a8390d8419511d013c503
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 6dcc22ff327d85e6e64b17502eafd720391b59ea46582c2c29ec75110ecf40e2
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: 0b542d5c25f724d32ef4ef5146299d310a0ac27acb20c9bc7c200059688e0fc9
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: 168bc9bb7740336b850534cd4b8879f17ce2b92acb831146715ba6c02b750f44
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: 7da42db34c2c194090e411fd0d51bfe884d7e4c09d087245e602274102ac12a1
all runs: OK
# git bisect start 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d 94710cac0ef4ee177a63b5227664b38c95bbf703
Bisecting: 7596 revisions left to test after this (roughly 13 steps)
[db06f826ec12bf0701ea7fc0a3c0aa00b84417c8] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 with gcc (GCC) 8.1.0
kernel signature: f7332a75db8fdaf2adfcf5ab0f54e6f58688c26a92c2e14faad0a2bb7419b8b1
all runs: OK
# git bisect good db06f826ec12bf0701ea7fc0a3c0aa00b84417c8
Bisecting: 3768 revisions left to test after this (roughly 12 steps)
[cd9b44f90763c3367e8dd0601849ffb028e8ba52] Merge branch 'akpm' (patches from Andrew)
testing commit cd9b44f90763c3367e8dd0601849ffb028e8ba52 with gcc (GCC) 8.1.0
kernel signature: ad0424df45f4763b8541081123bb74bce3aa325c486dd8c03290bbb813256f17
all runs: OK
# git bisect good cd9b44f90763c3367e8dd0601849ffb028e8ba52
Bisecting: 1886 revisions left to test after this (roughly 11 steps)
[4290d5b9ca018be10c7582524f7500df731bfab0] Merge tag 'for-linus-4.19b-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
testing commit 4290d5b9ca018be10c7582524f7500df731bfab0 with gcc (GCC) 8.1.0
kernel signature: 4dd29eb8336579752fc9afdff634452e176668c2829055e18fa7efc3ce29b735
all runs: OK
# git bisect good 4290d5b9ca018be10c7582524f7500df731bfab0
Bisecting: 942 revisions left to test after this (roughly 10 steps)
[576156bb01a62c1f64b32b416593862bb34bddaa] Merge branch 'for-upstream/malidp-fixes' of git://linux-arm.org/linux-ld into drm-fixes
testing commit 576156bb01a62c1f64b32b416593862bb34bddaa with gcc (GCC) 8.1.0
kernel signature: 7a34e57b0145b98cb45f79d417117208dacdda3be156ad75b5232de19913c824
all runs: OK
# git bisect good 576156bb01a62c1f64b32b416593862bb34bddaa
Bisecting: 470 revisions left to test after this (roughly 9 steps)
[4fbeba43b9b6f76a270108edcf5305dc1882a478] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
testing commit 4fbeba43b9b6f76a270108edcf5305dc1882a478 with gcc (GCC) 8.1.0
kernel signature: ab5010acd06c570046f7d405b7d09cd12eab39579107493ec0e811b9dfa611a3
all runs: OK
# git bisect good 4fbeba43b9b6f76a270108edcf5305dc1882a478
Bisecting: 218 revisions left to test after this (roughly 8 steps)
[90ad18418c2d3db23ee827cdd74fed2ca9b70a18] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
testing commit 90ad18418c2d3db23ee827cdd74fed2ca9b70a18 with gcc (GCC) 8.1.0
kernel signature: ccccb29af81750767202b073502c5cc7d0af18e55a4975cb9e4e418236864ec4
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
# git bisect bad 90ad18418c2d3db23ee827cdd74fed2ca9b70a18
Bisecting: 124 revisions left to test after this (roughly 7 steps)
[4ebaf0754c7a1109e66693f488f02b78f5875fee] Merge tag 'tty-4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit 4ebaf0754c7a1109e66693f488f02b78f5875fee with gcc (GCC) 8.1.0
kernel signature: f08a0c53af4d892143abd92d7222e47a7896d19ff844d9f849dd10ca3f2de463
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
# git bisect bad 4ebaf0754c7a1109e66693f488f02b78f5875fee
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[5943a9bbbb98b5c957662edd2fc902cc14e65895] Merge tag 'pci-v4.19-fixes-3' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
testing commit 5943a9bbbb98b5c957662edd2fc902cc14e65895 with gcc (GCC) 8.1.0
kernel signature: 2dbe85211ed3ffa5036dcf29055139fd67acdaf6ebad7e3c7a7b51ac6ede7877
all runs: OK
# git bisect good 5943a9bbbb98b5c957662edd2fc902cc14e65895
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[35f3625c21852ad839f20c91c7d81c4c1101e207] net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
testing commit 35f3625c21852ad839f20c91c7d81c4c1101e207 with gcc (GCC) 8.1.0
kernel signature: 720d55e30492f574048c41e0cbca4c95e15797f39d47339595586f58d08ac23a
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
# git bisect bad 35f3625c21852ad839f20c91c7d81c4c1101e207
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[17c357efe5eceebdc3971a48b3d4d61a03c1178b] openvswitch: load NAT helper
testing commit 17c357efe5eceebdc3971a48b3d4d61a03c1178b with gcc (GCC) 8.1.0
kernel signature: f807bd468769e42664ba62d0c9c8b8781cafdf69c0bd12b8cffe882012522db0
all runs: OK
# git bisect good 17c357efe5eceebdc3971a48b3d4d61a03c1178b
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[b8d5b7cec43618c8f91a9fbe80067ef2dcbc4d35] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit b8d5b7cec43618c8f91a9fbe80067ef2dcbc4d35 with gcc (GCC) 8.1.0
kernel signature: d5f4eb8cfa2f920bc9b0b61af7b91b975c83395e9c913328ce4cc4554064bf32
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
# git bisect bad b8d5b7cec43618c8f91a9fbe80067ef2dcbc4d35
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[7e4183752735deb7543e179a44f4f4b44917cd6f] net: phy: phylink: fix SFP interface autodetection
testing commit 7e4183752735deb7543e179a44f4f4b44917cd6f with gcc (GCC) 8.1.0
kernel signature: ef151e1ff203769b8b8ade36e6c5ef41e5b312745c46095bf440aa5d0b914d85
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
# git bisect bad 7e4183752735deb7543e179a44f4f4b44917cd6f
Bisecting: 1 revision left to test after this (roughly 1 step)
[9d2f67e43b73e8af7438be219b66a5de0cfa8bd9] net/packet: fix packet drop as of virtio gso
testing commit 9d2f67e43b73e8af7438be219b66a5de0cfa8bd9 with gcc (GCC) 8.1.0
kernel signature: a63c517f59027b0cd7e1ce41e695b26135803ae982d5f0e18c653ce768a22cfd
all runs: crashed: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
# git bisect bad 9d2f67e43b73e8af7438be219b66a5de0cfa8bd9
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ca8931948344c485569b04821d1f6bcebccd376b] net: dsa: b53: Keep CPU port as tagged in all VLANs
testing commit ca8931948344c485569b04821d1f6bcebccd376b with gcc (GCC) 8.1.0
kernel signature: eb76987c965953e6b45bffcb070332192fe05089be4737290cc2404b701d2146
all runs: OK
# git bisect good ca8931948344c485569b04821d1f6bcebccd376b
9d2f67e43b73e8af7438be219b66a5de0cfa8bd9 is the first bad commit
commit 9d2f67e43b73e8af7438be219b66a5de0cfa8bd9
Author: Jianfeng Tan <jianfeng.tan@linux.alibaba.com>
Date:   Sat Sep 29 15:41:27 2018 +0000

    net/packet: fix packet drop as of virtio gso
    
    When we use raw socket as the vhost backend, a packet from virito with
    gso offloading information, cannot be sent out in later validaton at
    xmit path, as we did not set correct skb->protocol which is further used
    for looking up the gso function.
    
    To fix this, we set this field according to virito hdr information.
    
    Fixes: e858fae2b0b8f4 ("virtio_net: use common code for virtio_net_hdr and skb GSO conversion")
    Signed-off-by: Jianfeng Tan <jianfeng.tan@linux.alibaba.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/linux/virtio_net.h | 18 ++++++++++++++++++
 net/packet/af_packet.c     | 11 +++++++----
 2 files changed, 25 insertions(+), 4 deletions(-)
culprit signature: a63c517f59027b0cd7e1ce41e695b26135803ae982d5f0e18c653ce768a22cfd
parent  signature: eb76987c965953e6b45bffcb070332192fe05089be4737290cc2404b701d2146
revisions tested: 25, total time: 4h43m46.245312209s (build: 2h24m28.964157081s, test: 2h17m20.676649718s)
first bad commit: 9d2f67e43b73e8af7438be219b66a5de0cfa8bd9 net/packet: fix packet drop as of virtio gso
cc: ["davem@davemloft.net" "jasowang@redhat.com" "jianfeng.tan@linux.alibaba.com" "linux-kernel@vger.kernel.org" "mst@redhat.com" "netdev@vger.kernel.org" "virtualization@lists.linux-foundation.org"]
crash: KASAN: slab-out-of-bounds Read in skb_gso_transport_seglen
netlink: 1996 bytes leftover after parsing attributes in process `syz-executor.3'.
sch_tbf: burst 549 is lower than device lo mtu (65550) !
netlink: 1996 bytes leftover after parsing attributes in process `syz-executor.1'.
sch_tbf: burst 549 is lower than device lo mtu (65550) !
==================================================================
BUG: KASAN: slab-out-of-bounds in __tcp_hdrlen include/linux/tcp.h:35 [inline]
BUG: KASAN: slab-out-of-bounds in tcp_hdrlen include/linux/tcp.h:40 [inline]
BUG: KASAN: slab-out-of-bounds in skb_gso_transport_seglen+0x2ec/0x300 net/core/skbuff.c:4943
Read of size 2 at addr ffff88008cc55edc by task syz-executor.3/7763

CPU: 1 PID: 7763 Comm: syz-executor.3 Not tainted 4.19.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x15a/0x20d lib/dump_stack.c:113
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x307 mm/kasan/report.c:412
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
 __tcp_hdrlen include/linux/tcp.h:35 [inline]
 tcp_hdrlen include/linux/tcp.h:40 [inline]
 skb_gso_transport_seglen+0x2ec/0x300 net/core/skbuff.c:4943
 skb_gso_mac_seglen net/core/skbuff.c:4987 [inline]
 skb_gso_validate_mac_len+0x85/0x2f0 net/core/skbuff.c:5056
 tbf_enqueue+0x1bf/0x7e9 net/sched/sch_tbf.c:192
 __dev_xmit_skb net/core/dev.c:3454 [inline]
 __dev_queue_xmit+0x11a0/0x2920 net/core/dev.c:3770
 dev_queue_xmit+0xb/0x10 net/core/dev.c:3835
 packet_snd net/packet/af_packet.c:2928 [inline]
 packet_sendmsg+0x2f16/0x5040 net/packet/af_packet.c:2953
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:631
 __sys_sendto+0x1f2/0x2e0 net/socket.c:1788
 __do_sys_sendto net/socket.c:1800 [inline]
 __se_sys_sendto net/socket.c:1796 [inline]
 __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1796
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c869
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb1e8adcc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fb1e8add6d4 RCX: 000000000045c869
RDX: 0000000000004e60 RSI: 0000000020000180 RDI: 0000000000000005
RBP: 000000000076bf00 R08: 0000000000000000 R09: fffffffffffffe5d
R10: 0000000000000810 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000a09 R14: 00000000004ccc7a R15: 000000000076bf0c

Allocated by task 7763:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
 __kmalloc_reserve.isra.8+0x2c/0xc0 net/core/skbuff.c:137
 __alloc_skb+0xd7/0x580 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:995 [inline]
 alloc_skb_with_frags+0x8a/0x4a0 net/core/skbuff.c:5268
 sock_alloc_send_pskb+0x574/0x750 net/core/sock.c:2082
 packet_alloc_skb net/packet/af_packet.c:2781 [inline]
 packet_snd net/packet/af_packet.c:2872 [inline]
 packet_sendmsg+0x1481/0x5040 net/packet/af_packet.c:2953
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:631
 __sys_sendto+0x1f2/0x2e0 net/socket.c:1788
 __do_sys_sendto net/socket.c:1800 [inline]
 __se_sys_sendto net/socket.c:1796 [inline]
 __x64_sys_sendto+0xdc/0x1a0 net/socket.c:1796
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88008cc55c80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 92 bytes to the right of
 512-byte region [ffff88008cc55c80, ffff88008cc55e80)
The buggy address belongs to the page:
page:ffffea0002331540 count:1 mapcount:0 mapping:ffff88012c298940 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002322808 ffffea0002480388 ffff88012c298940
raw: 0000000000000000 ffff88008cc55000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88008cc55d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88008cc55e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88008cc55e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                    ^
 ffff88008cc55f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88008cc55f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================