 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
dccp_parse_options: DCCP(000000001bfb0b4f): Option 32 (len=7) error=9
==================================================================
BUG: KASAN: slab-use-after-free in dccp_ackvec_runlen net/dccp/ackvec.h:43 [inline]
BUG: KASAN: slab-use-after-free in ccid2_hc_tx_packet_recv+0x1498/0x1af0 net/dccp/ccids/ccid2.c:593
Read of size 1 at addr ffff0000d90ef494 by task syz.0.15/7012

CPU: 1 UID: 0 PID: 7012 Comm: syz.0.15 Not tainted 6.12.0-rc6-syzkaller-00279-gde2f378f2b77 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x178/0x518 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
 dccp_ackvec_runlen net/dccp/ackvec.h:43 [inline]
 ccid2_hc_tx_packet_recv+0x1498/0x1af0 net/dccp/ccids/ccid2.c:593
 ccid_hc_tx_packet_recv net/dccp/ccid.h:189 [inline]
 dccp_deliver_input_to_ccids net/dccp/input.c:182 [inline]
 dccp_rcv_established+0x26c/0x2d8 net/dccp/input.c:374
 dccp_v6_do_rcv+0x24c/0x91c net/dccp/ipv6.c:625
 sk_backlog_rcv include/net/sock.h:1115 [inline]
 __release_sock+0x1a8/0x3d8 net/core/sock.c:3072
 release_sock+0x68/0x1b8 net/core/sock.c:3626
 dccp_sendmsg+0x460/0xb08 net/dccp/proto.c:803
 inet_sendmsg+0x15c/0x290 net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg net/socket.c:744 [inline]
 ____sys_sendmsg+0x56c/0x840 net/socket.c:2607
 ___sys_sendmsg net/socket.c:2661 [inline]
 __sys_sendmmsg+0x318/0x7e0 net/socket.c:2747
 __do_sys_sendmmsg net/socket.c:2776 [inline]
 __se_sys_sendmmsg net/socket.c:2773 [inline]
 __arm64_sys_sendmmsg+0xa0/0xbc net/socket.c:2773
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Allocated by task 7012:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_node_track_caller_noprof+0x2d0/0x4d8 mm/slub.c:4283
 kmalloc_reserve+0x144/0x280 net/core/skbuff.c:609
 __alloc_skb+0x20c/0x420 net/core/skbuff.c:678
 alloc_skb include/linux/skbuff.h:1322 [inline]
 dccp_send_ack+0xa4/0x2bc net/dccp/output.c:585
 ccid2_hc_rx_packet_recv+0x114/0x1b8 net/dccp/ccids/ccid2.c:772
 ccid_hc_rx_packet_recv net/dccp/ccid.h:182 [inline]
 dccp_deliver_input_to_ccids net/dccp/input.c:176 [inline]
 dccp_rcv_established+0x1ac/0x2d8 net/dccp/input.c:374
 dccp_v6_do_rcv+0x24c/0x91c net/dccp/ipv6.c:625
 sk_backlog_rcv include/net/sock.h:1115 [inline]
 __sk_receive_skb+0x3e8/0x8c0 net/core/sock.c:570
 dccp_v6_rcv+0xe6c/0x1330 net/dccp/ipv6.c:794
 ip6_protocol_deliver_rcu+0x988/0x12a8 net/ipv6/ip6_input.c:436
 ip6_input_finish+0x16c/0x2a4 net/ipv6/ip6_input.c:481
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ip6_input+0x90/0xa8 net/ipv6/ip6_input.c:490
 dst_input include/net/dst.h:460 [inline]
 ip6_rcv_finish+0x1f0/0x21c net/ipv6/ip6_input.c:79
 NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:314
 ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core net/core/dev.c:5670 [inline]
 __netif_receive_skb+0x18c/0x3c8 net/core/dev.c:5783
 process_backlog+0x640/0x123c net/core/dev.c:6115
 __napi_poll+0xb4/0x3fc net/core/dev.c:6779
 napi_poll net/core/dev.c:6848 [inline]
 net_rx_action+0x6a8/0xf4c net/core/dev.c:6970
 handle_softirqs+0x2e0/0xbf8 kernel/softirq.c:554
 __do_softirq+0x14/0x20 kernel/softirq.c:588

Freed by task 7012:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x184/0x47c mm/slub.c:4727
 skb_kfree_head net/core/skbuff.c:1086 [inline]
 skb_free_head+0xf4/0x1bc net/core/skbuff.c:1098
 skb_release_data+0x484/0x618 net/core/skbuff.c:1125
 skb_release_all net/core/skbuff.c:1190 [inline]
 __kfree_skb net/core/skbuff.c:1204 [inline]
 sk_skb_reason_drop+0x1d4/0x43c net/core/skbuff.c:1242
 dccp_v6_do_rcv+0x130/0x91c
 sk_backlog_rcv include/net/sock.h:1115 [inline]
 __release_sock+0x1a8/0x3d8 net/core/sock.c:3072
 release_sock+0x68/0x1b8 net/core/sock.c:3626
 dccp_sendmsg+0x460/0xb08 net/dccp/proto.c:803
 inet_sendmsg+0x15c/0x290 net/ipv4/af_inet.c:853
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg net/socket.c:744 [inline]
 ____sys_sendmsg+0x56c/0x840 net/socket.c:2607
 ___sys_sendmsg net/socket.c:2661 [inline]
 __sys_sendmmsg+0x318/0x7e0 net/socket.c:2747
 __do_sys_sendmmsg net/socket.c:2776 [inline]
 __se_sys_sendmmsg net/socket.c:2773 [inline]
 __arm64_sys_sendmmsg+0xa0/0xbc net/socket.c:2773
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

The buggy address belongs to the object at ffff0000d90ef000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1172 bytes inside of
 freed 2048-byte region [ffff0000d90ef000, ffff0000d90ef800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1190e8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0002000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0002000 dead000000000122 0000000000000000
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 05ffc00000000003 fffffdffc3643a01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d90ef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000d90ef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000d90ef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff0000d90ef500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000d90ef580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================