bisecting cause commit starting from b50694381cfc22dce3a60a291cdae294a5e5777c
building syzkaller on f48c20b8f9b2a6c26629f11cc15e1c9c316572c8
testing commit b50694381cfc22dce3a60a291cdae294a5e5777c with gcc (GCC) 8.1.0
kernel signature: 72ee0c20ec8205c781e26b1957dee8504034bf5d
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
kernel signature: b75cf9698f05d9bc9ce0e0cb2f8f923a6ea128ed
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
kernel signature: 15df2a64599e19d2a8f91472e188d8f6dca60727
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
kernel signature: 8a597dccdc8b808275298802a7d8b7ef44dd03ff
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
kernel signature: 17eff9303bef1835326783ac2ce51b95a98ac377
all runs: OK
# git bisect start bebc6082da0a9f5d47a1ea2edc099bf671058bd4 569dbb88e80deb68974ef6fdd6a13edb9d686261
Bisecting: 7300 revisions left to test after this (roughly 13 steps)
[15d8ffc96464f6571ecf22043c45fad659f11bdd] Merge tag 'mmc-v4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
testing commit 15d8ffc96464f6571ecf22043c45fad659f11bdd with gcc (GCC) 8.1.0
kernel signature: 7c183e80636823173fbf5586019afccc246ec835
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
# git bisect bad 15d8ffc96464f6571ecf22043c45fad659f11bdd
Bisecting: 3676 revisions left to test after this (roughly 12 steps)
[bafb0762cb6a906eb4105cccfb3bcd90be7f40d2] Merge tag 'char-misc-4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit bafb0762cb6a906eb4105cccfb3bcd90be7f40d2 with gcc (GCC) 8.1.0
kernel signature: 1ae0e1a0c99853397837615cd5f704d6211014d5
all runs: OK
# git bisect good bafb0762cb6a906eb4105cccfb3bcd90be7f40d2
Bisecting: 1826 revisions left to test after this (roughly 11 steps)
[b63f6044d8e43e4a1eef8b0a2310cec872fd1d38] Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
testing commit b63f6044d8e43e4a1eef8b0a2310cec872fd1d38 with gcc (GCC) 8.1.0
kernel signature: 7c06af872589dc170869aaafd734e01a25aaeb0e
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
# git bisect bad b63f6044d8e43e4a1eef8b0a2310cec872fd1d38
Bisecting: 924 revisions left to test after this (roughly 10 steps)
[e08af95df1130883762b388a19bb150ae5d16c09] sctp: remove the typedef sctp_verb_t
testing commit e08af95df1130883762b388a19bb150ae5d16c09 with gcc (GCC) 8.1.0
kernel signature: 114f863581d5689dc7f50594cca32e53b8760a64
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
# git bisect bad e08af95df1130883762b388a19bb150ae5d16c09
Bisecting: 462 revisions left to test after this (roughly 9 steps)
[2a4932167772874c5bc4b3dfebf61cfadb5554b9] sctp: remove the typedef sctp_error_t
testing commit 2a4932167772874c5bc4b3dfebf61cfadb5554b9 with gcc (GCC) 8.1.0
kernel signature: de5e9f19604f5b46c8b2ececd6bf39602f978347
all runs: OK
# git bisect good 2a4932167772874c5bc4b3dfebf61cfadb5554b9
Bisecting: 161 revisions left to test after this (roughly 8 steps)
[46d4b68f891bee5d83a32508bfbd9778be6b1b63] Merge tag 'wireless-drivers-next-for-davem-2017-08-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
testing commit 46d4b68f891bee5d83a32508bfbd9778be6b1b63 with gcc (GCC) 8.1.0
kernel signature: 6aac01cc3bce5165589e85623c4e92fca28d99a8
all runs: OK
# git bisect good 46d4b68f891bee5d83a32508bfbd9778be6b1b63
Bisecting: 80 revisions left to test after this (roughly 6 steps)
[58291a7465f6b88248c9f34807c16705bd5698f8] bpf: Move check_uarg_tail_zero() upward
testing commit 58291a7465f6b88248c9f34807c16705bd5698f8 with gcc (GCC) 8.1.0
kernel signature: 6952327a0e59dbef78e83a2645184e8a47ce12ea
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
# git bisect bad 58291a7465f6b88248c9f34807c16705bd5698f8
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[2acf4e6a890b0228ed19b228063d69666f61ee19] net: dsa: Remove switchdev dependency from DSA switch notifier chain
testing commit 2acf4e6a890b0228ed19b228063d69666f61ee19 with gcc (GCC) 8.1.0
kernel signature: 5596b0d1d4de050e17ac2ff7c5fb662dfd831961
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
# git bisect bad 2acf4e6a890b0228ed19b228063d69666f61ee19
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[b04c80d3a7e228cfb832cdb1c9ce8151f174669c] ipv6: sr: export SRH insertion functions
testing commit b04c80d3a7e228cfb832cdb1c9ce8151f174669c with gcc (GCC) 8.1.0
kernel signature: b5f2a5b54263d891fac4ad4ceb94061ca2db9bb5
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
# git bisect bad b04c80d3a7e228cfb832cdb1c9ce8151f174669c
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[d226a2b84d0528da7e35e7e19e052293889cdd21] of_mdio: use of_property_read_u32_array()
testing commit d226a2b84d0528da7e35e7e19e052293889cdd21 with gcc (GCC) 8.1.0
kernel signature: 138c38d2d97754b36ed6df942c089c91c76becee
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
# git bisect bad d226a2b84d0528da7e35e7e19e052293889cdd21
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[1801b570dd2ae50b90231f283e79a9a94fbe7875] net: ipv6: add second dif to udp socket lookups
testing commit 1801b570dd2ae50b90231f283e79a9a94fbe7875 with gcc (GCC) 8.1.0
kernel signature: a350c229847f94b20d8edbe7ad53baa3699ad699
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
# git bisect bad 1801b570dd2ae50b90231f283e79a9a94fbe7875
Bisecting: 2 revisions left to test after this (roughly 1 step)
[3fa6f616a7a4d0bdf4d877d530456d8a5c3b109b] net: ipv4: add second dif to inet socket lookups
testing commit 3fa6f616a7a4d0bdf4d877d530456d8a5c3b109b with gcc (GCC) 8.1.0
kernel signature: 8096c2d5715c0d008b8adcd7004f45630311d3ff
all runs: crashed: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
# git bisect bad 3fa6f616a7a4d0bdf4d877d530456d8a5c3b109b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[fb74c27735f0a34e76dbf1972084e984ad2ea145] net: ipv4: add second dif to udp socket lookups
testing commit fb74c27735f0a34e76dbf1972084e984ad2ea145 with gcc (GCC) 8.1.0
kernel signature: 399210673ead878cd4778f7e10ea8ed463e9022a
all runs: OK
# git bisect good fb74c27735f0a34e76dbf1972084e984ad2ea145
3fa6f616a7a4d0bdf4d877d530456d8a5c3b109b is the first bad commit
commit 3fa6f616a7a4d0bdf4d877d530456d8a5c3b109b
Author: David Ahern <dsahern@gmail.com>
Date:   Mon Aug 7 08:44:17 2017 -0700

    net: ipv4: add second dif to inet socket lookups
    
    Add a second device index, sdif, to inet socket lookups. sdif is the
    index for ingress devices enslaved to an l3mdev. It allows the lookups
    to consider the enslaved device as well as the L3 domain when searching
    for a socket.
    
    TCP moves the data in the cb. Prior to tcp_v4_rcv (e.g., early demux) the
    ingress index is obtained from IPCB using inet_sdif and after the cb move
    in  tcp_v4_rcv the tcp_v4_sdif helper is used.
    
    Signed-off-by: David Ahern <dsahern@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

 include/net/inet_hashtables.h | 31 +++++++++++++++++--------------
 include/net/tcp.h             | 10 ++++++++++
 net/dccp/ipv4.c               |  4 ++--
 net/ipv4/inet_hashtables.c    | 27 +++++++++++++++++----------
 net/ipv4/tcp_ipv4.c           | 13 ++++++++-----
 net/ipv4/udp.c                |  6 +++---
 net/netfilter/xt_TPROXY.c     |  2 +-
 7 files changed, 58 insertions(+), 35 deletions(-)
kernel signature:   8096c2d5715c0d008b8adcd7004f45630311d3ff
previous signature: 399210673ead878cd4778f7e10ea8ed463e9022a
revisions tested: 18, total time: 3h16m15.487302595s (build: 1h24m33.982744258s, test: 1h46m33.586426947s)
first bad commit: 3fa6f616a7a4d0bdf4d877d530456d8a5c3b109b net: ipv4: add second dif to inet socket lookups
cc: ["coreteam@netfilter.org" "davem@davemloft.net" "dccp@vger.kernel.org" "dsahern@gmail.com" "fw@strlen.de" "gerrit@erg.abdn.ac.uk" "kadlec@blackhole.kfki.hu" "kuznet@ms2.inr.ac.ru" "linux-kernel@vger.kernel.org" "netdev@vger.kernel.org" "netfilter-devel@vger.kernel.org" "pablo@netfilter.org" "yoshfuji@linux-ipv6.org"]
crash: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
CPU: 0 PID: 7388 Comm: syz-executor3 Not tainted 4.13.0-rc4-syzkaller #0
dccp_parse_options: DCCP(ffff8801d9786bc0): Option 32 (len=7) error=9
==================================================================
BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x2920/0x2991 net/dccp/ccids/ccid2.c:584
Read of size 1 at addr ffff8801c1662642 by task syz-executor4/7384

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x145/0x1e7 lib/dump_stack.c:52
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold.4+0xc/0x19 lib/fault-inject.c:147
 should_failslab+0xba/0xf0 mm/failslab.c:31
 slab_pre_alloc_hook mm/slab.h:418 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 kmem_cache_alloc_trace+0x2c1/0x770 mm/slab.c:3625
 kmalloc include/linux/slab.h:493 [inline]
 dccp_feat_entry_new+0x1a4/0x4f0 net/dccp/feat.c:467
 dccp_feat_push_confirm+0x26/0x280 net/dccp/feat.c:515
 dccp_feat_handle_nn_established net/dccp/feat.c:1339 [inline]
 dccp_feat_parse_options+0x1079/0x1c80 net/dccp/feat.c:1424
 dccp_parse_options+0x857/0x1050 net/dccp/options.c:128
 dccp_rcv_established+0x23/0x70 net/dccp/input.c:374
 dccp_v4_do_rcv+0xfa/0x160 net/dccp/ipv4.c:650
 sk_backlog_rcv include/net/sock.h:911 [inline]
 __release_sock+0x10b/0x330 net/core/sock.c:2269
 release_sock+0x9a/0x270 net/core/sock.c:2784
 dccp_sendmsg+0x590/0xd10 net/dccp/proto.c:798
 inet_sendmsg+0x148/0x5a0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:643
 ___sys_sendmsg+0x2b9/0x9d0 net/socket.c:2049
 __sys_sendmmsg+0x1b6/0x5c0 net/socket.c:2139
 SYSC_sendmmsg net/socket.c:2170 [inline]
 SyS_sendmmsg+0xd/0x20 net/socket.c:2165
 entry_SYSCALL_64_fastpath+0x23/0xc2
RIP: 0033:0x455b59
RSP: 002b:00007fca557ccc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fca557cd6d4 RCX: 0000000000455b59
RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000005
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ba6fd
R13: 00007fca557ccbb8 R14: 00000000004ba6fd R15: 0000000000000000
CPU: 1 PID: 7384 Comm: syz-executor4 Not tainted 4.13.0-rc4-syzkaller #0
dccp_parse_options: DCCP(ffff8801c6b96b40): Option 32 (len=7) error=9
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x145/0x1e7 lib/dump_stack.c:52
 print_address_description+0x6c/0x20b mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.7+0x121/0x2da mm/kasan/report.c:409
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
 ccid2_hc_tx_packet_recv+0x2920/0x2991 net/dccp/ccids/ccid2.c:584
 ccid_hc_tx_packet_recv net/dccp/ccid.h:192 [inline]
 dccp_deliver_input_to_ccids+0x19f/0x210 net/dccp/input.c:186
 dccp_rcv_established+0x49/0x70 net/dccp/input.c:378
 dccp_v4_do_rcv+0xfa/0x160 net/dccp/ipv4.c:650
 sk_backlog_rcv include/net/sock.h:911 [inline]
 __release_sock+0x10b/0x330 net/core/sock.c:2269
 release_sock+0x9a/0x270 net/core/sock.c:2784
 dccp_sendmsg+0x590/0xd10 net/dccp/proto.c:798
 inet_sendmsg+0x148/0x5a0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:643
 ___sys_sendmsg+0x2b9/0x9d0 net/socket.c:2049
 __sys_sendmmsg+0x1b6/0x5c0 net/socket.c:2139
 SYSC_sendmmsg net/socket.c:2170 [inline]
 SyS_sendmmsg+0xd/0x20 net/socket.c:2165
 entry_SYSCALL_64_fastpath+0x23/0xc2
RIP: 0033:0x455b59
RSP: 002b:00007f0082bc6c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f0082bc76d4 RCX: 0000000000455b59
RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000005
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ba6fd
R13: 00007f0082bc6bb8 R14: 00000000004ba6fd R15: 0000000000000000

Allocated by task 7384:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:551
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3703
 __kmalloc_reserve.isra.39+0x2c/0xb0 net/core/skbuff.c:138
 __alloc_skb+0x10c/0x6f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:975 [inline]
 dccp_send_ack+0xb3/0x340 net/dccp/output.c:580
 ccid2_hc_rx_packet_recv+0xf9/0x170 net/dccp/ccids/ccid2.c:763
 ccid_hc_rx_packet_recv net/dccp/ccid.h:185 [inline]
 dccp_deliver_input_to_ccids+0xc5/0x210 net/dccp/input.c:180
 dccp_rcv_established+0x49/0x70 net/dccp/input.c:378
 dccp_v4_do_rcv+0xfa/0x160 net/dccp/ipv4.c:650
 sk_backlog_rcv include/net/sock.h:911 [inline]
 __sk_receive_skb+0x2dc/0xd50 net/core/sock.c:521
 dccp_v4_rcv+0xddb/0x215d net/dccp/ipv4.c:871
 ip_local_deliver_finish+0x28a/0xa60 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:248 [inline]
 ip_local_deliver+0x1ac/0x650 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:477 [inline]
 ip_rcv_finish+0x896/0x20d0 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:248 [inline]
 ip_rcv+0xd4c/0x19d6 net/ipv4/ip_input.c:488
 __netif_receive_skb_core+0x2094/0x35b0 net/core/dev.c:4418
 __netif_receive_skb+0x1f/0x1a0 net/core/dev.c:4456
 process_backlog+0x1fd/0x710 net/core/dev.c:5131
 napi_poll net/core/dev.c:5528 [inline]
 net_rx_action+0x6d9/0x1770 net/core/dev.c:5594
 __do_softirq+0x2f8/0xb0d kernel/softirq.c:284

Freed by task 7384:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xd6/0x250 mm/slab.c:3820
 skb_free_head+0x74/0x90 net/core/skbuff.c:554
 skb_release_data+0x548/0x830 net/core/skbuff.c:574
 skb_release_all+0x3d/0x50 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 kfree_skb+0x13b/0x430 net/core/skbuff.c:663
 dccp_v4_do_rcv+0x111/0x160 net/dccp/ipv4.c:685
 sk_backlog_rcv include/net/sock.h:911 [inline]
 __release_sock+0x10b/0x330 net/core/sock.c:2269
 release_sock+0x9a/0x270 net/core/sock.c:2784
 dccp_sendmsg+0x590/0xd10 net/dccp/proto.c:798
 inet_sendmsg+0x148/0x5a0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:643
 ___sys_sendmsg+0x2b9/0x9d0 net/socket.c:2049
 __sys_sendmmsg+0x1b6/0x5c0 net/socket.c:2139
 SYSC_sendmmsg net/socket.c:2170 [inline]
 SyS_sendmmsg+0xd/0x20 net/socket.c:2165
 entry_SYSCALL_64_fastpath+0x23/0xc2

The buggy address belongs to the object at ffff8801c16621c0
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1154 bytes inside of
 2048-byte region [ffff8801c16621c0, ffff8801c16629c0)
The buggy address belongs to the page:
page:ffffea0007059880 count:1 mapcount:0 mapping:ffff8801c16621c0 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801c16621c0 0000000000000000 0000000100000003
raw: ffffea000707a820 ffffea000706d0a0 ffff8801da800c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c1662500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c1662580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c1662600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801c1662680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c1662700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================