bisecting cause commit starting from c4762993129f48f5f5e233f09c246696815ef263
building syzkaller on 98682e5e2aefc9aad61354f4f3ac93be96002a2a
testing commit c4762993129f48f5f5e233f09c246696815ef263 with gcc (GCC) 10.2.1 20210217
kernel signature: 899fd6b585b967f38fe908141d53ce7dbf13d9d4af39effc6e7db769928f7f35
run #0: crashed: KASAN: use-after-free Read in ip6_pol_route
run #1: crashed: KASAN: use-after-free Read in ip6_pol_route
run #2: crashed: KASAN: use-after-free Read in ip6_pol_route
run #3: crashed: KASAN: use-after-free Read in ip6_pol_route
run #4: crashed: KASAN: use-after-free Read in ip6_pol_route
run #5: crashed: KASAN: use-after-free Read in __sk_dst_check
run #6: crashed: KASAN: use-after-free Read in ip6_pol_route
run #7: crashed: KASAN: use-after-free Read in ip6_pol_route
run #8: crashed: KASAN: use-after-free Read in ip6_pol_route
run #9: crashed: KASAN: use-after-free Read in ip6_pol_route
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217
kernel signature: ad0020076c568fd04e3712999367961eadbdf96cf6f928f88e3fec927cee834c
all runs: OK
# git bisect start c4762993129f48f5f5e233f09c246696815ef263 2c85ebc57b3e1817b6ce1a6b703928e113a90442
Bisecting: 8530 revisions left to test after this (roughly 13 steps)
[ba1d41a55e4d07c7b27ee2f6e7cf5b5348849261] Merge tag 'pstore-v5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
testing commit ba1d41a55e4d07c7b27ee2f6e7cf5b5348849261 with gcc (GCC) 10.2.1 20210217
kernel signature: 29b9744cac67d33ab751a246c5b6f1abb6f6ca0df53fe68fd1f20ab7692aebf7
all runs: OK
# git bisect good ba1d41a55e4d07c7b27ee2f6e7cf5b5348849261
Bisecting: 4273 revisions left to test after this (roughly 12 steps)
[c45647f9f562b52915b43b6bb447827cebf511bd] Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux
testing commit c45647f9f562b52915b43b6bb447827cebf511bd with gcc (GCC) 10.2.1 20210217
kernel signature: 9ff853198343d0a3c134bea61db11cd63c3e2e6b0e5efee1d3c3b704e6e4ff79
all runs: OK
# git bisect good c45647f9f562b52915b43b6bb447827cebf511bd
Bisecting: 2136 revisions left to test after this (roughly 11 steps)
[088f8a2396d813e7ee49272a1a59b55139c81e64] net: ipa: be explicit about endianness
testing commit 088f8a2396d813e7ee49272a1a59b55139c81e64 with gcc (GCC) 10.2.1 20210217
kernel signature: 0712d567e71904eb660531ed5e9925bb7c4cdfcc5fc15775f2f941b6c10af36d
all runs: OK
# git bisect good 088f8a2396d813e7ee49272a1a59b55139c81e64
Bisecting: 1068 revisions left to test after this (roughly 10 steps)
[e94c0df984d3f428b81e03a73b31b7a7e30a8361] ice: Replace one-element array with flexible-array member
testing commit e94c0df984d3f428b81e03a73b31b7a7e30a8361 with gcc (GCC) 10.2.1 20210217
kernel signature: c8532165c07275d22b7a4548e943842921ee5d9dea422de4cb024635dacb5384
all runs: OK
# git bisect good e94c0df984d3f428b81e03a73b31b7a7e30a8361
Bisecting: 525 revisions left to test after this (roughly 9 steps)
[dc9d87581d464e7b7d38853d6904b70b6c920d99] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit dc9d87581d464e7b7d38853d6904b70b6c920d99 with gcc (GCC) 10.2.1 20210217
kernel signature: 07c4e899fff95c6bf71845d517ac4ed6c3d651b01896588529cc69cf374cf951
all runs: OK
# git bisect good dc9d87581d464e7b7d38853d6904b70b6c920d99
Bisecting: 291 revisions left to test after this (roughly 8 steps)
[9d083348e938eb0330639ad08dcfe493a59a8a40] rtw88: 8822c: update RF_B (2/2) parameter tables to v60
testing commit 9d083348e938eb0330639ad08dcfe493a59a8a40 with gcc (GCC) 10.2.1 20210217
kernel signature: 0288ee0937adbcdce7f7a22051300b35dfd1f877735825e07b01a3da3b0e8d0f
all runs: OK
# git bisect good 9d083348e938eb0330639ad08dcfe493a59a8a40
Bisecting: 118 revisions left to test after this (roughly 7 steps)
[0ae20159e88fece0e5f1e71fe1e5a62427f73b41] Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next
testing commit 0ae20159e88fece0e5f1e71fe1e5a62427f73b41 with gcc (GCC) 10.2.1 20210217
kernel signature: 6bcd18d34c0ee0ccd1a6c962075820159ca4d43694645938832f0e2c9f8854bc
run #0: boot failed: create image operation failed: &{Code:INTERNAL_ERROR Location: Message:Internal error. Please try again or contact Google Support. (Code: '-7500468033820764067') ForceSendFields:[] NullFields:[]}.
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 0ae20159e88fece0e5f1e71fe1e5a62427f73b41
Bisecting: 65 revisions left to test after this (roughly 6 steps)
[93efb0c656837f4a31d7cc6117a7c8cecc8fadac] octeontx2-pf: Fix out-of-bounds read in otx2_get_fecparam()
testing commit 93efb0c656837f4a31d7cc6117a7c8cecc8fadac with gcc (GCC) 10.2.1 20210217
kernel signature: c7ea3f21e513532336230280f0ae4f4391b4e4d4e4f659494450342b57a67341
run #0: crashed: KASAN: use-after-free Read in ip6_pol_route
run #1: crashed: KASAN: use-after-free Read in ip6_pol_route
run #2: crashed: KASAN: use-after-free Read in ip6_pol_route
run #3: crashed: KASAN: use-after-free Read in ip6_pol_route
run #4: crashed: KASAN: use-after-free Read in ip6_pol_route
run #5: crashed: KASAN: use-after-free Read in ip6_pol_route
run #6: crashed: KASAN: use-after-free Read in ip6_pol_route
run #7: crashed: KASAN: use-after-free Read in ip6_pol_route
run #8: crashed: KASAN: use-after-free Read in ip6_pol_route
run #9: crashed: KASAN: use-after-free Read in __sk_dst_check
# git bisect bad 93efb0c656837f4a31d7cc6117a7c8cecc8fadac
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[eaede835675cbae3b84309255f81e9a5e1b502a2] net: hns3: use ipv6_addr_any() helper
testing commit eaede835675cbae3b84309255f81e9a5e1b502a2 with gcc (GCC) 10.2.1 20210217
kernel signature: 162295d4afb8b60ba20f974e9a13b1be66197e5ec2b071ba0d7fdbe3b78d6144
all runs: OK
# git bisect good eaede835675cbae3b84309255f81e9a5e1b502a2
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[45759a871593ea726f44a107c05a345609ad0754] selftests: mptcp: display warnings on one line
testing commit 45759a871593ea726f44a107c05a345609ad0754 with gcc (GCC) 10.2.1 20210217
kernel signature: 162295d4afb8b60ba20f974e9a13b1be66197e5ec2b071ba0d7fdbe3b78d6144
all runs: OK
# git bisect good 45759a871593ea726f44a107c05a345609ad0754
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[6c714f1b547feb0402520357c91024375a4236f7] mptcp: pass subflow socket to a few helpers
testing commit 6c714f1b547feb0402520357c91024375a4236f7 with gcc (GCC) 10.2.1 20210217
kernel signature: 41a0f487d4ed1e3c4ba34328dcca0627bf67b54b57a22a8bf11c608a75b30cbc
run #0: crashed: KASAN: use-after-free Read in ip6_pol_route
run #1: crashed: KASAN: use-after-free Read in ip6_pol_route
run #2: crashed: KASAN: use-after-free Read in ip6_pol_route
run #3: crashed: KASAN: use-after-free Read in ip6_pol_route
run #4: crashed: KASAN: use-after-free Read in ip6_pol_route
run #5: crashed: KASAN: use-after-free Read in ip6_pol_route
run #6: crashed: KASAN: use-after-free Read in tcp_current_mss
run #7: crashed: KASAN: use-after-free Read in ip6_pol_route
run #8: crashed: KASAN: use-after-free Read in ip6_pol_route
run #9: crashed: KASAN: use-after-free Read in ip6_pol_route
# git bisect bad 6c714f1b547feb0402520357c91024375a4236f7
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[e98014306840f58072f50a55ad49400f227a5b65] mptcp: move pm netlink work into pm_netlink
testing commit e98014306840f58072f50a55ad49400f227a5b65 with gcc (GCC) 10.2.1 20210217
kernel signature: 732ba79109cd7c13287b260d663862d59077a35b559e696f34ef1752c8b05f79
all runs: OK
# git bisect good e98014306840f58072f50a55ad49400f227a5b65
Bisecting: 1 revision left to test after this (roughly 1 step)
[40947e13997a1cba4e875893ca6e5d5e61a0689d] mptcp: schedule worker when subflow is closed
testing commit 40947e13997a1cba4e875893ca6e5d5e61a0689d with gcc (GCC) 10.2.1 20210217
kernel signature: 9870e1d46e1ce9ed0adf109886e109d0ba1d644c3df6c2518600bcf329dd8afa
run #0: crashed: KASAN: use-after-free Read in ip6_pol_route
run #1: crashed: WARNING in dst_release
run #2: crashed: KASAN: use-after-free Read in ip6_pol_route
run #3: crashed: KASAN: use-after-free Read in ip6_pol_route
run #4: crashed: KASAN: use-after-free Read in ip6_pol_route
run #5: crashed: KASAN: use-after-free Read in ip6_pol_route
run #6: crashed: KASAN: use-after-free Read in ip6_pol_route
run #7: crashed: KASAN: use-after-free Read in ip6_pol_route
run #8: crashed: KASAN: use-after-free Read in ip6_pol_route
run #9: crashed: KASAN: use-after-free Read in ip6_pol_route
# git bisect bad 40947e13997a1cba4e875893ca6e5d5e61a0689d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[a141e02e393370e082b25636401c49978b61bfcf] mptcp: split __mptcp_close_ssk helper
testing commit a141e02e393370e082b25636401c49978b61bfcf with gcc (GCC) 10.2.1 20210217
kernel signature: 64456a31e87e3bc84100d034dbf54e697bb6b43a4a29979c591187189cd2ddb4
all runs: OK
# git bisect good a141e02e393370e082b25636401c49978b61bfcf
40947e13997a1cba4e875893ca6e5d5e61a0689d is the first bad commit
commit 40947e13997a1cba4e875893ca6e5d5e61a0689d
Author: Florian Westphal
Date:   Fri Feb 12 15:59:56 2021 -0800

    mptcp: schedule worker when subflow is closed

    When remote side closes a subflow we should schedule the worker to
    dispose of the subflow in a timely manner.

    Otherwise, SF_CLOSED event won't be generated until the mptcp socket
    itself is closing or local side is closing another subflow.

    Signed-off-by: Florian Westphal
    Signed-off-by: Mat Martineau
    Signed-off-by: David S. Miller

 net/mptcp/protocol.c |  4 ++++
 net/mptcp/subflow.c  | 25 +++++++++++++++++++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)

culprit signature: 9870e1d46e1ce9ed0adf109886e109d0ba1d644c3df6c2518600bcf329dd8afa
parent signature: 64456a31e87e3bc84100d034dbf54e697bb6b43a4a29979c591187189cd2ddb4
revisions tested: 16, total time: 6h45m35.836072316s (build: 1h49m40.634355221s, test: 4h54m28.609030174s)
first bad commit: 40947e13997a1cba4e875893ca6e5d5e61a0689d mptcp: schedule worker when subflow is closed
recipients (to): ["davem@davemloft.net" "fw@strlen.de" "mathew.j.martineau@linux.intel.com"]
recipients (cc): []
crash: KASAN: use-after-free Read in ip6_pol_route
==================================================================
BUG: KASAN: use-after-free in rt6_get_pcpu_route net/ipv6/route.c:1413 [inline]
BUG: KASAN: use-after-free in ip6_pol_route+0xcc5/0xe00 net/ipv6/route.c:2265
Read of size 4 at addr ffff88802080c578 by task syz-executor.4/10143

CPU: 1 PID: 10143 Comm: syz-executor.4 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x9a/0xcc lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 rt6_get_pcpu_route net/ipv6/route.c:1413 [inline]
 ip6_pol_route+0xcc5/0xe00 net/ipv6/route.c:2265
 pol_lookup_func include/net/ip6_fib.h:579 [inline]
 fib6_rule_lookup+0x3e0/0x630 net/ipv6/fib6_rules.c:120
 ip6_route_output_flags+0x60/0x230 net/ipv6/route.c:2525
 ip6_route_output include/net/ip6_route.h:98 [inline]
 ip6_dst_lookup_tail+0x84c/0x11f0 net/ipv6/ip6_output.c:1064
 ip6_dst_lookup_flow+0x7f/0x180 net/ipv6/ip6_output.c:1194
 tcp_v6_connect+0xad8/0x1b10 net/ipv6/tcp_ipv6.c:283
 __inet_stream_connect+0x6d0/0xd00 net/ipv4/af_inet.c:661
 inet_stream_connect+0x4e/0xa0 net/ipv4/af_inet.c:725
 mptcp_stream_connect+0x138/0x700 net/mptcp/protocol.c:3192
 __sys_connect+0xf5/0x120 net/socket.c:1852
 __do_sys_connect net/socket.c:1862 [inline]
 __se_sys_connect net/socket.c:1859 [inline]
 __x64_sys_connect+0x6a/0xb0 net/socket.c:1859
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x465d99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa0fd815188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465d99
RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003
RBP: 00000000004bcf27 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffe7155c4ef R14: 00007fa0fd815300 R15: 0000000000022000

Allocated by task 10132:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429
 kasan_slab_alloc include/linux/kasan.h:209 [inline]
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc_node mm/slub.c:2892 [inline]
 slab_alloc mm/slub.c:2900 [inline]
 kmem_cache_alloc+0x1c6/0x440 mm/slub.c:2905
 dst_alloc+0x7c/0x5c0 net/core/dst.c:93
 ip6_dst_alloc+0x21/0xf0 net/ipv6/route.c:358
 ip6_rt_pcpu_alloc net/ipv6/route.c:1386 [inline]
 rt6_make_pcpu_route net/ipv6/route.c:1434 [inline]
 ip6_pol_route+0x6e5/0xe00 net/ipv6/route.c:2268
 pol_lookup_func include/net/ip6_fib.h:579 [inline]
 fib6_rule_lookup+0x3e0/0x630 net/ipv6/fib6_rules.c:120
 ip6_route_output_flags+0x60/0x230 net/ipv6/route.c:2525
 ip6_route_output include/net/ip6_route.h:98 [inline]
 ip6_dst_lookup_tail+0x84c/0x11f0 net/ipv6/ip6_output.c:1064
 ip6_dst_lookup_flow+0x7f/0x180 net/ipv6/ip6_output.c:1194
 tcp_v6_connect+0xad8/0x1b10 net/ipv6/tcp_ipv6.c:283
 __inet_stream_connect+0x6d0/0xd00 net/ipv4/af_inet.c:661
 inet_stream_connect+0x4e/0xa0 net/ipv4/af_inet.c:725
 mptcp_stream_connect+0x138/0x700 net/mptcp/protocol.c:3192
 __sys_connect+0xf5/0x120 net/socket.c:1852
 __do_sys_connect net/socket.c:1862 [inline]
 __se_sys_connect net/socket.c:1859 [inline]
 __x64_sys_connect+0x6a/0xb0 net/socket.c:1859
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 18:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356
 ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:362
 kasan_slab_free include/linux/kasan.h:192 [inline]
 slab_free_hook mm/slub.c:1547 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580
 slab_free mm/slub.c:3143 [inline]
 kmem_cache_free+0x82/0x350 mm/slub.c:3159
 dst_destroy+0x237/0x330 net/core/dst.c:129
 rcu_do_batch kernel/rcu/tree.c:2489 [inline]
 rcu_core+0x5eb/0xf00 kernel/rcu/tree.c:2723
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:343

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xc5/0xf0 mm/kasan/generic.c:344
 __call_rcu kernel/rcu/tree.c:2965 [inline]
 call_rcu+0xbb/0x700 kernel/rcu/tree.c:3038
 sk_dst_set include/net/sock.h:1999 [inline]
 sk_dst_reset include/net/sock.h:2011 [inline]
 ipv6_update_options+0x2b8/0x350 net/ipv6/ipv6_sockglue.c:114
 ipv6_set_opt_hdr net/ipv6/ipv6_sockglue.c:383 [inline]
 do_ipv6_setsockopt.constprop.0+0x76d/0x35b0 net/ipv6/ipv6_sockglue.c:657
 ipv6_setsockopt+0xbb/0x120 net/ipv6/ipv6_sockglue.c:1003
 tcp_setsockopt+0x10d/0x1ed0 net/ipv4/tcp.c:3644
 __sys_setsockopt+0x1fd/0x4e0 net/socket.c:2115
 __do_sys_setsockopt net/socket.c:2126 [inline]
 __se_sys_setsockopt net/socket.c:2123 [inline]
 __x64_sys_setsockopt+0xb5/0x150 net/socket.c:2123
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88802080c500
 which belongs to the cache ip6_dst_cache of size 232
The buggy address is located 120 bytes inside of
 232-byte region [ffff88802080c500, ffff88802080c5e8)
The buggy address belongs to the page:
page:000000005288d2da refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2080c
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff88814736ac80
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88802080c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802080c480: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
>ffff88802080c500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff88802080c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff88802080c600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================