==================================================================
BUG: KASAN: slab-out-of-bounds in bq_xmit_all+0x134/0x11d0 kernel/bpf/devmap.c:385
Read of size 8 at addr ffff888068278880 by task syz.0.1155/11477

CPU: 0 UID: 0 PID: 11477 Comm: syz.0.1155 Not tainted 6.10.0-next-20240726-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 bq_xmit_all+0x134/0x11d0 kernel/bpf/devmap.c:385
 __dev_flush+0x81/0x160 kernel/bpf/devmap.c:425
 xdp_do_check_flushed+0x129/0x240 net/core/filter.c:4307
 __napi_poll+0xe4/0x490 net/core/dev.c:6774
 napi_poll net/core/dev.c:6840 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:6962
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 do_softirq+0x11b/0x1e0 kernel/softirq.c:455
 __local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
 __dev_queue_xmit+0x1763/0x3e90 net/core/dev.c:4450
 dev_queue_xmit include/linux/netdevice.h:3105 [inline]
 neigh_hh_output include/net/neighbour.h:526 [inline]
 neigh_output include/net/neighbour.h:540 [inline]
 ip6_finish_output2+0xfc2/0x1680 net/ipv6/ip6_output.c:137
 ip6_finish_output+0x41e/0x810 net/ipv6/ip6_output.c:222
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358
 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248
 sctp_packet_transmit+0x26af/0x2ca0 net/sctp/output.c:653
 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783
 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
 sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212
 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
 sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169
 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73
 sctp_sendmsg_to_asoc+0xfa5/0x1800 net/sctp/socket.c:1841
 sctp_sendmsg+0x1bc3/0x3520 net/sctp/socket.c:2031
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x1a6/0x270 net/socket.c:745
 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
 ___sys_sendmsg net/socket.c:2651 [inline]
 __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737
 __do_sys_sendmmsg net/socket.c:2766 [inline]
 __se_sys_sendmmsg net/socket.c:2763 [inline]
 __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff608577299
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff6093ba048 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007ff608705f80 RCX: 00007ff608577299
RDX: 0000000000000002 RSI: 00000000200005c0 RDI: 000000000000000d
RBP: 00007ff6085e48e6 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007ff608705f80 R15: 00007ffea97682e8

Allocated by task 10170:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3988 [inline]
 slab_alloc_node mm/slub.c:4037 [inline]
 kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044
 sk_prot_alloc+0x58/0x210 net/core/sock.c:2090
 sk_alloc+0x38/0x370 net/core/sock.c:2149
 inet6_create+0x6d4/0x1100 net/ipv6/af_inet6.c:193
 __sock_create+0x490/0x920 net/socket.c:1571
 inet_ctl_sock_create+0xc2/0x250 net/ipv4/af_inet.c:1649
 sctp_ctl_sock_init net/sctp/protocol.c:838 [inline]
 sctp_ctrlsock_init+0x44/0xd0 net/sctp/protocol.c:1463
 ops_init+0x359/0x610 net/core/net_namespace.c:139
 setup_net+0x515/0xca0 net/core/net_namespace.c:343
 copy_net_ns+0x4e2/0x7b0 net/core/net_namespace.c:508
 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228
 ksys_unshare+0x619/0xc10 kernel/fork.c:3316
 __do_sys_unshare kernel/fork.c:3387 [inline]
 __se_sys_unshare kernel/fork.c:3385 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3385
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888068278000
 which belongs to the cache SCTPv6 of size 2120
The buggy address is located 56 bytes to the right of
 allocated 2120-byte region [ffff888068278000, ffff888068278848)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88806827a400 pfn:0x68278
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88802a805b01
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff88802b887500 dead000000000122 0000000000000000
raw: ffff88806827a400 00000000800e0007 00000001fdffffff ffff88802a805b01
head: 00fff00000000040 ffff88802b887500 dead000000000122 0000000000000000
head: ffff88806827a400 00000000800e0007 00000001fdffffff ffff88802a805b01
head: 00fff00000000003 ffffea0001a09e01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5235, tgid 5235 (syz-executor), ts 55932689337, free_ts 15021402935
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
 prep_new_page mm/page_alloc.c:1501 [inline]
 get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3442
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4700
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2321
 allocate_slab+0x5a/0x2f0 mm/slub.c:2484
 new_slab mm/slub.c:2537 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3723
 __slab_alloc+0x58/0xa0 mm/slub.c:3813
 __slab_alloc_node mm/slub.c:3866 [inline]
 slab_alloc_node mm/slub.c:4025 [inline]
 kmem_cache_alloc_noprof+0x1c1/0x2a0 mm/slub.c:4044
 sk_prot_alloc+0x58/0x210 net/core/sock.c:2090
 sk_alloc+0x38/0x370 net/core/sock.c:2149
 inet6_create+0x6d4/0x1100 net/ipv6/af_inet6.c:193
 __sock_create+0x490/0x920 net/socket.c:1571
 inet_ctl_sock_create+0xc2/0x250 net/ipv4/af_inet.c:1649
 sctp_ctl_sock_init net/sctp/protocol.c:838 [inline]
 sctp_ctrlsock_init+0x44/0xd0 net/sctp/protocol.c:1463
 ops_init+0x359/0x610 net/core/net_namespace.c:139
 setup_net+0x515/0xca0 net/core/net_namespace.c:343
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1094 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2612
 free_contig_range+0x9e/0x160 mm/page_alloc.c:6673
 destroy_args+0x8a/0x890 mm/debug_vm_pgtable.c:1017
 debug_vm_pgtable+0x4be/0x550 mm/debug_vm_pgtable.c:1397
 do_one_initcall+0x248/0x880 init/main.c:1267
 do_initcall_level+0x157/0x210 init/main.c:1329
 do_initcalls+0x3f/0x80 init/main.c:1345
 kernel_init_freeable+0x435/0x5d0 init/main.c:1578
 kernel_init+0x1d/0x2b0 init/main.c:1467
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:144
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff888068278780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888068278800: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>ffff888068278880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888068278900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888068278980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================