==================================================================
BUG: KASAN: slab-out-of-bounds in selinux_sock security/selinux/include/objsec.h:207 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_ip_output+0x16c/0x194 security/selinux/hooks.c:5761
Read of size 8 at addr ffff00001cd7e5f8 by task syz.8.2325/10876

CPU: 0 UID: 0 PID: 10876 Comm: syz.8.2325 Not tainted 6.12.0-syzkaller-07749-g28eb75e178d3 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:484 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xa4/0xf4 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xf4/0x5a4 mm/kasan/report.c:488
 kasan_report+0xc8/0x108 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 selinux_sock security/selinux/include/objsec.h:207 [inline]
 selinux_ip_output+0x16c/0x194 security/selinux/hooks.c:5761
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xa4/0x1d8 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:269 [inline]
 __ip_local_out+0x3b8/0x6d4 net/ipv4/ip_output.c:119
 ip_local_out net/ipv4/ip_output.c:128 [inline]
 ip_send_skb+0x4c/0x2a4 net/ipv4/ip_output.c:1505
 ip_push_pending_frames net/ipv4/ip_output.c:1525 [inline]
 ip_send_unicast_reply+0x914/0x1408 net/ipv4/ip_output.c:1672
 tcp_v4_send_ack+0x758/0x11e0 net/ipv4/tcp_ipv4.c:1024
 tcp_v4_timewait_ack net/ipv4/tcp_ipv4.c:1077 [inline]
 tcp_v4_rcv+0x1f88/0x32d8 net/ipv4/tcp_ipv4.c:2428
 ip_protocol_deliver_rcu+0xb8/0x3f4 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x258/0x458 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_local_deliver+0x16c/0x3a4 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:460 [inline]
 ip_rcv_finish+0x140/0x224 net/ipv4/ip_input.c:447
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_rcv+0xc0/0x2c8 net/ipv4/ip_input.c:567
 __netif_receive_skb_one_core+0xf4/0x168 net/core/dev.c:5672
 __netif_receive_skb+0x24/0x14c net/core/dev.c:5785
 process_backlog+0x384/0x1588 net/core/dev.c:6117
 __napi_poll.constprop.0+0x94/0x3b8 net/core/dev.c:6877
 napi_poll net/core/dev.c:6946 [inline]
 net_rx_action+0x804/0xb80 net/core/dev.c:7068
 handle_softirqs+0x2e8/0xd44 kernel/softirq.c:554
 __do_softirq+0x14/0x20 kernel/softirq.c:588
 ____do_softirq+0x10/0x1c arch/arm64/kernel/irq.c:81
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891
 do_softirq_own_stack+0x1c/0x2c arch/arm64/kernel/irq.c:86
 do_softirq kernel/softirq.c:455 [inline]
 do_softirq+0x12c/0x150 kernel/softirq.c:442
 __local_bh_enable_ip+0x414/0x4a4 kernel/softirq.c:382
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
 __dev_queue_xmit+0x6d0/0x3324 net/core/dev.c:4461
 dev_queue_xmit include/linux/netdevice.h:3168 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xa34/0x1e44 net/ipv4/ip_output.c:236
 __ip_finish_output net/ipv4/ip_output.c:314 [inline]
 __ip_finish_output+0x2bc/0x4e0 net/ipv4/ip_output.c:296
 ip_finish_output+0x34/0x290 net/ipv4/ip_output.c:324
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x144/0x404 net/ipv4/ip_output.c:434
 dst_output include/net/dst.h:450 [inline]
 ip_local_out net/ipv4/ip_output.c:130 [inline]
 __ip_queue_xmit+0x80c/0x18b8 net/ipv4/ip_output.c:536
 ip_queue_xmit+0x44/0x64 net/ipv4/ip_output.c:550
 __tcp_transmit_skb+0x13b8/0x36f4 net/ipv4/tcp_output.c:1466
 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
 tcp_write_xmit+0x11ec/0x82b8 net/ipv4/tcp_output.c:2827
 __tcp_push_pending_frames+0x88/0x2a8 net/ipv4/tcp_output.c:3010
 tcp_send_fin+0x13c/0x9cc net/ipv4/tcp_output.c:3616
 tcp_shutdown net/ipv4/tcp.c:2994 [inline]
 tcp_shutdown+0xf4/0x150 net/ipv4/tcp.c:2979
 mptcp_subflow_shutdown+0x13c/0x2f4 net/mptcp/protocol.c:2928
 mptcp_check_send_data_fin+0x1ac/0x384 net/mptcp/protocol.c:3018
 __mptcp_wr_shutdown+0xac/0x240 net/mptcp/protocol.c:3034
 __mptcp_close+0x60c/0x780 net/mptcp/protocol.c:3114
 mptcp_close+0x2c/0xe0 net/mptcp/protocol.c:3168
 inet_release+0xd4/0x1d0 net/ipv4/af_inet.c:435
 __sock_release+0x8c/0x1f0 net/socket.c:640
 sock_close+0x18/0x28 net/socket.c:1408
 __fput+0x2c4/0x94c fs/file_table.c:450
 ____fput+0x14/0x20 fs/file_table.c:478
 task_work_run+0x128/0x210 kernel/task_work.c:239
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 do_notify_resume+0x1d0/0x258 arch/arm64/kernel/entry-common.c:151
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0x100/0x180 arch/arm64/kernel/entry-common.c:745
 el0t_64_sync_handler+0x10c/0x138 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the object at ffff00001cd7e580
 which belongs to the cache tw_sock_TCPv6 of size 288
The buggy address is located 120 bytes inside of
 allocated 288-byte region [ffff00001cd7e580, ffff00001cd7e6a0)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00001cd7e000 pfn:0x5cd7e
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff0000163c6101
flags: 0x1ffc00000000040(head|node=0|zone=0|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 01ffc00000000040 ffff000016255b40 dead000000000122 0000000000000000
raw: ffff00001cd7e000 0000000080170016 00000001f5000000 ffff0000163c6101
head: 01ffc00000000040 ffff000016255b40 dead000000000122 0000000000000000
head: ffff00001cd7e000 0000000080170016 00000001f5000000 ffff0000163c6101
head: 01ffc00000000001 fffffdffc0735f81 ffffffffffffffff 0000000000000000
head: 0000000f00000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff00001cd7e480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff00001cd7e500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff00001cd7e580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff00001cd7e600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff00001cd7e680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Unable to handle kernel paging request at virtual address dfff800000000002
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000002] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 10876 Comm: syz.8.2325 Tainted: G    B              6.12.0-syzkaller-07749-g28eb75e178d3 #0
Tainted: [B]=BAD_PAGE
Hardware name: linux,dummy-virt (DT)
pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : selinux_ip_output+0xc8/0x194 security/selinux/hooks.c:5762
lr : selinux_sock security/selinux/include/objsec.h:207 [inline]
lr : selinux_ip_output+0x16c/0x194 security/selinux/hooks.c:5761
sp : ffff800080006f00
x29: ffff800080006f00 x28: ffff00000f321030 x27: ffff0000185fc000
x26: ffff800080fb2938 x25: dfff800000000000 x24: 0000000000000002
x23: ffff000012887e00 x22: ffff800080007020 x21: 0000000000000006
x20: 0000000000000000 x19: ffff0000185fc000 x18: 00000000c703a8ff
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 205d304320202020 x12: ffff7000110cd811
x11: 1ffff000110cd810 x10: ffff7000110cd810 x9 : dfff800000000000
x8 : ffff80008866c087 x7 : 0000000000000001 x6 : ffff7000110cd810
x5 : ffff80008866c080 x4 : ffff7000110cd811 x3 : 0000000000000002
x2 : 0000000000000003 x1 : dfff800000000000 x0 : 0000000000000010
Call trace:
 selinux_ip_output+0xc8/0x194 security/selinux/hooks.c:5762 (P)
 selinux_sock security/selinux/include/objsec.h:207 [inline] (L)
 selinux_ip_output+0x16c/0x194 security/selinux/hooks.c:5761 (L)
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xa4/0x1d8 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:269 [inline]
 __ip_local_out+0x3b8/0x6d4 net/ipv4/ip_output.c:119
 ip_local_out net/ipv4/ip_output.c:128 [inline]
 ip_send_skb+0x4c/0x2a4 net/ipv4/ip_output.c:1505
 ip_push_pending_frames net/ipv4/ip_output.c:1525 [inline]
 ip_send_unicast_reply+0x914/0x1408 net/ipv4/ip_output.c:1672
 tcp_v4_send_ack+0x758/0x11e0 net/ipv4/tcp_ipv4.c:1024
 tcp_v4_timewait_ack net/ipv4/tcp_ipv4.c:1077 [inline]
 tcp_v4_rcv+0x1f88/0x32d8 net/ipv4/tcp_ipv4.c:2428
 ip_protocol_deliver_rcu+0xb8/0x3f4 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x258/0x458 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_local_deliver+0x16c/0x3a4 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:460 [inline]
 ip_rcv_finish+0x140/0x224 net/ipv4/ip_input.c:447
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 ip_rcv+0xc0/0x2c8 net/ipv4/ip_input.c:567
 __netif_receive_skb_one_core+0xf4/0x168 net/core/dev.c:5672
 __netif_receive_skb+0x24/0x14c net/core/dev.c:5785
 process_backlog+0x384/0x1588 net/core/dev.c:6117
 __napi_poll.constprop.0+0x94/0x3b8 net/core/dev.c:6877
 napi_poll net/core/dev.c:6946 [inline]
 net_rx_action+0x804/0xb80 net/core/dev.c:7068
 handle_softirqs+0x2e8/0xd44 kernel/softirq.c:554
 __do_softirq+0x14/0x20 kernel/softirq.c:588
 ____do_softirq+0x10/0x1c arch/arm64/kernel/irq.c:81
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891
 do_softirq_own_stack+0x1c/0x2c arch/arm64/kernel/irq.c:86
 do_softirq kernel/softirq.c:455 [inline]
 do_softirq+0x12c/0x150 kernel/softirq.c:442
 __local_bh_enable_ip+0x414/0x4a4 kernel/softirq.c:382
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
 __dev_queue_xmit+0x6d0/0x3324 net/core/dev.c:4461
 dev_queue_xmit include/linux/netdevice.h:3168 [inline]
 neigh_hh_output include/net/neighbour.h:523 [inline]
 neigh_output include/net/neighbour.h:537 [inline]
 ip_finish_output2+0xa34/0x1e44 net/ipv4/ip_output.c:236
 __ip_finish_output net/ipv4/ip_output.c:314 [inline]
 __ip_finish_output+0x2bc/0x4e0 net/ipv4/ip_output.c:296
 ip_finish_output+0x34/0x290 net/ipv4/ip_output.c:324
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x144/0x404 net/ipv4/ip_output.c:434
 dst_output include/net/dst.h:450 [inline]
 ip_local_out net/ipv4/ip_output.c:130 [inline]
 __ip_queue_xmit+0x80c/0x18b8 net/ipv4/ip_output.c:536
 ip_queue_xmit+0x44/0x64 net/ipv4/ip_output.c:550
 __tcp_transmit_skb+0x13b8/0x36f4 net/ipv4/tcp_output.c:1466
 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
 tcp_write_xmit+0x11ec/0x82b8 net/ipv4/tcp_output.c:2827
 __tcp_push_pending_frames+0x88/0x2a8 net/ipv4/tcp_output.c:3010
 tcp_send_fin+0x13c/0x9cc net/ipv4/tcp_output.c:3616
 tcp_shutdown net/ipv4/tcp.c:2994 [inline]
 tcp_shutdown+0xf4/0x150 net/ipv4/tcp.c:2979
 mptcp_subflow_shutdown+0x13c/0x2f4 net/mptcp/protocol.c:2928
 mptcp_check_send_data_fin+0x1ac/0x384 net/mptcp/protocol.c:3018
 __mptcp_wr_shutdown+0xac/0x240 net/mptcp/protocol.c:3034
 __mptcp_close+0x60c/0x780 net/mptcp/protocol.c:3114
 mptcp_close+0x2c/0xe0 net/mptcp/protocol.c:3168
 inet_release+0xd4/0x1d0 net/ipv4/af_inet.c:435
 __sock_release+0x8c/0x1f0 net/socket.c:640
 sock_close+0x18/0x28 net/socket.c:1408
 __fput+0x2c4/0x94c fs/file_table.c:450
 ____fput+0x14/0x20 fs/file_table.c:478
 task_work_run+0x128/0x210 kernel/task_work.c:239
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 do_notify_resume+0x1d0/0x258 arch/arm64/kernel/entry-common.c:151
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0x100/0x180 arch/arm64/kernel/entry-common.c:745
 el0t_64_sync_handler+0x10c/0x138 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: 52800062 8b000294 91004280 d343fc03 (38e16861) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	52800062 	mov	w2, #0x3                   	// #3
   4:	8b000294 	add	x20, x20, x0
   8:	91004280 	add	x0, x20, #0x10
   c:	d343fc03 	lsr	x3, x0, #3
* 10:	38e16861 	ldrsb	w1, [x3, x1] <-- trapping instruction