==================================================================
BUG: KASAN: slab-use-after-free in __skb_datagram_iter+0x550/0x688 net/core/datagram.c:461
Read of size 4 at addr ffff000124fc1cf0 by task syz-executor.2/7515

CPU: 0 PID: 7515 Comm: syz-executor.2 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x174/0x514 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 __skb_datagram_iter+0x550/0x688 net/core/datagram.c:461
 skb_copy_datagram_iter+0x108/0x2fc net/core/datagram.c:546
 skb_copy_datagram_msg include/linux/skbuff.h:3970 [inline]
 packet_recvmsg+0x650/0x1508 net/packet/af_packet.c:3476
 sock_recvmsg_nosec+0x90/0xec net/socket.c:1046
 ____sys_recvmsg+0x5c0/0x6e8 net/socket.c:2801
 ___sys_recvmsg net/socket.c:2845 [inline]
 do_recvmmsg+0x41c/0xb60 net/socket.c:2939
 __sys_recvmmsg net/socket.c:3018 [inline]
 __do_sys_recvmmsg net/socket.c:3041 [inline]
 __se_sys_recvmmsg net/socket.c:3034 [inline]
 __arm64_sys_recvmmsg+0x180/0x23c net/socket.c:3034
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Allocated by task 6158:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x70/0x84 mm/kasan/generic.c:626
 unpoison_slab_object mm/kasan/common.c:314 [inline]
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3813 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc_node+0x204/0x4c0 mm/slub.c:3903
 __alloc_skb+0x19c/0x3d8 net/core/skbuff.c:641
 alloc_skb include/linux/skbuff.h:1296 [inline]
 sctp_packet_pack net/sctp/output.c:472 [inline]
 sctp_packet_transmit+0xe5c/0x26e4 net/sctp/output.c:621
 sctp_outq_flush_transports net/sctp/outqueue.c:1173 [inline]
 sctp_outq_flush+0xee8/0x2e38 net/sctp/outqueue.c:1221
 sctp_outq_uncork+0x84/0xc0 net/sctp/outqueue.c:764
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1787 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
 sctp_do_sm+0x2f8c/0x4e80 net/sctp/sm_sideeffect.c:1169
 sctp_assoc_bh_rcv+0x380/0x710 net/sctp/associola.c:1051
 sctp_inq_push+0x19c/0x1c0 net/sctp/inqueue.c:80
 sctp_rcv+0x1704/0x1eb8 net/sctp/input.c:243
 sctp6_rcv+0x4c/0x7c net/sctp/ipv6.c:1119
 ip6_protocol_deliver_rcu+0x930/0x11c4 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x164/0x298 net/ipv6/ip6_input.c:483
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ip6_input+0x90/0xa8 net/ipv6/ip6_input.c:492
 dst_input include/net/dst.h:461 [inline]
 ip6_rcv_finish+0x1f0/0x21c net/ipv6/ip6_input.c:79
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:310
 __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
 __netif_receive_skb+0x18c/0x400 net/core/dev.c:5648
 process_backlog+0x3c0/0x70c net/core/dev.c:5976
 __napi_poll+0xb4/0x654 net/core/dev.c:6576
 napi_poll net/core/dev.c:6645 [inline]
 net_rx_action+0x5e4/0xdc4 net/core/dev.c:6778
 __do_softirq+0x2d8/0xce4 kernel/softirq.c:553

Freed by task 6158:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x5c/0x74 mm/kasan/generic.c:640
 poison_slab_object+0x120/0x188 mm/kasan/common.c:241
 __kasan_slab_free+0x3c/0x78 mm/kasan/common.c:257
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2121 [inline]
 slab_free mm/slub.c:4299 [inline]
 kmem_cache_free+0x158/0x3d0 mm/slub.c:4363
 kfree_skbmem+0x10c/0x19c
 __kfree_skb net/core/skbuff.c:1109 [inline]
 consume_skb+0x154/0x414 net/core/skbuff.c:1324
 sctp_chunk_destroy net/sctp/sm_make_chunk.c:1503 [inline]
 sctp_chunk_put+0x178/0x22c net/sctp/sm_make_chunk.c:1530
 sctp_chunk_free+0x5c/0x6c net/sctp/sm_make_chunk.c:1517
 sctp_inq_free+0x164/0x19c net/sctp/inqueue.c:56
 sctp_association_free+0x1e4/0x6e0 net/sctp/associola.c:345
 sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:944 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1330 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
 sctp_do_sm+0x31fc/0x4e80 net/sctp/sm_sideeffect.c:1169
 sctp_assoc_bh_rcv+0x380/0x710 net/sctp/associola.c:1051
 sctp_inq_push+0x19c/0x1c0 net/sctp/inqueue.c:80
 sctp_rcv+0x1704/0x1eb8 net/sctp/input.c:243
 sctp6_rcv+0x4c/0x7c net/sctp/ipv6.c:1119
 ip6_protocol_deliver_rcu+0x930/0x11c4 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x164/0x298 net/ipv6/ip6_input.c:483
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ip6_input+0x90/0xa8 net/ipv6/ip6_input.c:492
 dst_input include/net/dst.h:461 [inline]
 ip6_rcv_finish+0x1f0/0x21c net/ipv6/ip6_input.c:79
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:310
 __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
 __netif_receive_skb+0x18c/0x400 net/core/dev.c:5648
 process_backlog+0x3c0/0x70c net/core/dev.c:5976
 __napi_poll+0xb4/0x654 net/core/dev.c:6576
 napi_poll net/core/dev.c:6645 [inline]
 net_rx_action+0x5e4/0xdc4 net/core/dev.c:6778
 __do_softirq+0x2d8/0xce4 kernel/softirq.c:553

The buggy address belongs to the object at ffff000124fc1c80
 which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 112 bytes inside of
 freed 240-byte region [ffff000124fc1c80, ffff000124fc1d70)

The buggy address belongs to the physical page:
page:00000000d64be96d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x164fc1
flags: 0x5ffc00000000800(slab|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000800 ffff0000c1cb7640 dead000000000100 dead000000000122
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000124fc1b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff000124fc1c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
>ffff000124fc1c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff000124fc1d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff000124fc1d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================
Unable to handle kernel paging request at virtual address 00218043a02a83f0
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[00218043a02a83f0] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 7515 Comm: syz-executor.2 Tainted: G    B              6.8.0-rc2-syzkaller-g41bccc98fb79 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __skb_datagram_iter+0x16c/0x688 net/core/datagram.c:430
lr : skb_end_pointer include/linux/skbuff.h:1619 [inline]
lr : __skb_datagram_iter+0x65c/0x688 net/core/datagram.c:430
sp : ffff80009a9b7350
x29: ffff80009a9b73a0 x28: 0000000000000000 x27: ffff80009a9b7b70
x26: dfff800000000000 x25: 00000000faf4160e x24: ffff000122a1eb4c
x23: 0000000000000000 x22: 0110021d01541f81 x21: 000000000000012b
x20: 0110021d01541f83 x19: 0110021d00001d64 x18: 1fffe000367ff796
x17: ffff80008ec6d000 x16: ffff8000809fbc10 x15: ffff00011a46c440
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000040000 x10: 000000000003758a x9 : ffff800093454780
x8 : 00220043a02a83f0 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff800088edee44 x4 : 0000000000000000 x3 : ffff800088ede974
x2 : 0000000000000000 x1 : 0000000000000004 x0 : 0000000000000000
Call trace:
 __skb_datagram_iter+0x16c/0x688 net/core/datagram.c:430
 __skb_datagram_iter+0x4cc/0x688 net/core/datagram.c:465
 skb_copy_datagram_iter+0x108/0x2fc net/core/datagram.c:546
 skb_copy_datagram_msg include/linux/skbuff.h:3970 [inline]
 packet_recvmsg+0x650/0x1508 net/packet/af_packet.c:3476
 sock_recvmsg_nosec+0x90/0xec net/socket.c:1046
 ____sys_recvmsg+0x5c0/0x6e8 net/socket.c:2801
 ___sys_recvmsg net/socket.c:2845 [inline]
 do_recvmmsg+0x41c/0xb60 net/socket.c:2939
 __sys_recvmmsg net/socket.c:3018 [inline]
 __do_sys_recvmmsg net/socket.c:3041 [inline]
 __se_sys_recvmmsg net/socket.c:3034 [inline]
 __arm64_sys_recvmmsg+0x180/0x23c net/socket.c:3034
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
 el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: b9400308 8b080276 91000ad4 d343fe88 (38fa6908) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	b9400308 	ldr	w8, [x24]
   4:	8b080276 	add	x22, x19, x8
   8:	91000ad4 	add	x20, x22, #0x2
   c:	d343fe88 	lsr	x8, x20, #3
* 10:	38fa6908 	ldrsb	w8, [x8, x26] <-- trapping instruction