==================================================================
BUG: KASAN: slab-use-after-free in sctp_outq_select_transport+0x50f/0x580
Read of size 4 at addr ffff88801546f95c by task repro_20250320-/14868

CPU: 1 UID: 65534 PID: 14868 Comm: repro_20250320- Not tainted 6.14.0 #9
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x201/0x300
 ? __pfx_dump_stack_lvl+0x10/0x10
 ? __pfx__printk+0x10/0x10
 ? _printk+0xc4/0x110
 ? __virt_addr_valid+0x180/0x4d0
 print_report+0x16e/0x580
 ? __virt_addr_valid+0x180/0x4d0
 ? __virt_addr_valid+0x41c/0x4d0
 ? __phys_addr+0xba/0x170
 ? sctp_outq_select_transport+0x50f/0x580
 kasan_report+0xce/0x100
 ? sctp_outq_select_transport+0x50f/0x580
 sctp_outq_select_transport+0x50f/0x580
 ? sctp_chunk_abandoned+0x423/0x770
 sctp_outq_flush+0x1bd4/0x3df0
 ? __pfx_sctp_outq_flush+0x10/0x10
 ? sctp_outq_tail+0x67a/0x930
 ? sctp_outq_uncork+0x4f/0xb0
 sctp_do_sm+0x59c2/0x60a0
 ? __pfx_sctp_do_sm+0x10/0x10
 ? __kasan_slab_alloc+0x66/0x80
 ? __pfx__copy_from_iter+0x10/0x10
 ? __virt_addr_valid+0x180/0x4d0
 ? __virt_addr_valid+0x41c/0x4d0
 ? __check_object_size+0x47d/0x730
 ? sctp_user_addto_chunk+0xa8/0x220
 ? skb_set_owner_w+0x246/0x380
 sctp_primitive_SEND+0x98/0xc0
 sctp_sendmsg_to_asoc+0x10ff/0x17d0
 ? __pfx_sctp_hash_cmp+0x10/0x10
 ? __pfx_sctp_sendmsg_to_asoc+0x10/0x10
 ? __pfx_autoremove_wake_function+0x10/0x10
 ? sctp_sendmsg+0xb84/0x3490
 ? __local_bh_enable_ip+0x130/0x1b0
 ? sctp_sendmsg_check_sflags+0x181/0x2c0
 sctp_sendmsg+0x2206/0x3490
 ? __pfx_sctp_sendmsg+0x10/0x10
 ? __might_fault+0xaa/0x120
 ? __pfx_lock_release+0x10/0x10
 ? inet_sendmsg+0x330/0x390
 ? __might_fault+0xc6/0x120
 __sock_sendmsg+0x1a6/0x270
 __sys_sendto+0x334/0x490
 ? __pfx___sys_sendto+0x10/0x10
 ? do_futex+0x394/0x560
 ? __might_fault+0xaa/0x120
 ? __might_fault+0xc6/0x120
 ? __rseq_handle_notify_resume+0x35c/0x1530
 ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
 __x64_sys_sendto+0xde/0x100
 do_syscall_64+0x69/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x43728d
Code: 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 90 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 d0 ff ff ff f78
RSP: 002b:00007f8fbc4b2018 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000400000000244 RCX: 000000000043728d
RDX: 0000000000000001 RSI: 0000400000000180 RDI: 0000000000000003
RBP: 00007f8fbc4b2160 R08: 0000400000000240 R09: 000000000000001c
R10: 0000000000000080 R11: 0000000000000216 R12: ffffffffffffffd0
R13: 000000000000000b R14: 00007ffc98841490 R15: 00007f8fbc492000
 </TASK>

Allocated by task 14868:
 kasan_save_track+0x30/0x70
 __kasan_kmalloc+0x9d/0xb0
 __kmalloc_cache_noprof+0x254/0x3b0
 sctp_transport_new+0x7e/0x5a0
 sctp_assoc_add_peer+0x228/0x15c0
 sctp_connect_new_asoc+0x303/0x6a0
 sctp_sendmsg+0x1d84/0x3490
 __sock_sendmsg+0x1a6/0x270
 __sys_sendto+0x334/0x490
 __x64_sys_sendto+0xde/0x100
 do_syscall_64+0x69/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 24:
 kasan_save_track+0x30/0x70
 kasan_save_free_info+0x40/0x50
 __kasan_slab_free+0x59/0x70
 kfree+0x199/0x420
 rcu_do_batch+0x533/0xdf0
 rcu_core+0x408/0x640
 handle_softirqs+0x2aa/0xa10
 run_ksoftirqd+0x9f/0x100
 smpboot_thread_fn+0x4c8/0x970
 kthread+0x67b/0x7d0
 ret_from_fork+0x4b/0x80
 ret_from_fork_asm+0x1a/0x30

Last potentially related work creation:
 kasan_save_stack+0x2f/0x50
 kasan_record_aux_stack+0xbf/0xd0
 call_rcu+0x16c/0x1560
 sctp_process_asconf+0x153e/0x1cd0
 sctp_sf_do_asconf+0x81f/0xc00
 sctp_do_sm+0x1e7/0x60a0
 sctp_assoc_bh_rcv+0x3f1/0x640
 sctp_backlog_rcv+0x177/0x3f0
 __release_sock+0x184/0x260
 release_sock+0x61/0x1f0
 sctp_setsockopt+0xb91/0x11c0
 do_sock_setsockopt+0x3af/0x720
 __x64_sys_setsockopt+0x187/0x210
 do_syscall_64+0x69/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The buggy address belongs to the object at ffff88801546f800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 348 bytes inside of
 freed 1024-byte region [ffff88801546f800, ffff88801546fc00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88801546b000 pfn:0x15468
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x240(workingset|head|node=0|zone=0)
page_type: f5(slab)
raw: 0000000000000240 ffff888000141dc0 ffffea0000513a10 ffffea0000544010
raw: ffff88801546b000 000000000010000d 00000000f5000000 0000000000000000
head: 0000000000000240 ffff888000141dc0 ffffea0000513a10 ffffea0000544010
head: ffff88801546b000 000000000010000d 00000000f5000000 0000000000000000
head: 0000000000000003 ffffea0000551a01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 12101, tgid 12101 (kworker/u9:6)1
 post_alloc_hook+0x1f4/0x240
 get_page_from_freelist+0x3866/0x3a50
 __alloc_frozen_pages_noprof+0x292/0x790
 alloc_pages_mpol+0x311/0x610
 allocate_slab+0x93/0x4a0
 ___slab_alloc+0xc7f/0x1230
 __kmalloc_noprof+0x305/0x4c0
 load_elf_phdrs+0x162/0x260
 load_elf_binary+0x929/0x2780
 bprm_execve+0x99f/0x14c0
 kernel_execve+0x92d/0xa50
 call_usermodehelper_exec_async+0x237/0x380
 ret_from_fork+0x4b/0x80
 ret_from_fork_asm+0x1a/0x30
page last free pid 11965 tgid 11965 stack trace:
 free_frozen_pages+0xe2a/0x1100
 __put_partials+0x15e/0x1b0
 put_cpu_partial+0x14d/0x200
 qlist_free_all+0x9a/0x140
 kasan_quarantine_reduce+0x14f/0x170
 __kasan_slab_alloc+0x23/0x80
 kmem_cache_alloc_noprof+0x1e2/0x3a0
 getname_flags+0xb7/0x540
 __se_sys_newfstatat+0xb2/0x1d0
 do_syscall_64+0x69/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Memory state around the buggy address:
 ffff88801546f800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801546f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801546f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88801546f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801546fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Kernel panic - not syncing: KASAN: panic_on_warn set ...
CPU: 1 UID: 65534 PID: 14868 Comm: repro_20250320- Not tainted 6.14.0 #9
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x201/0x300
 ? mark_lock+0x9a/0x350
 ? __pfx_dump_stack_lvl+0x10/0x10
 ? __pfx__printk+0x10/0x10
 ? lockdep_hardirqs_on_prepare+0x375/0x740
 ? vscnprintf+0x5d/0x90
 panic+0x31a/0x860
 ? check_panic_on_warn+0x21/0xb0
 ? __pfx_panic+0x10/0x10
 ? _raw_spin_unlock_irqrestore+0x8f/0x110
 ? _raw_spin_unlock_irqrestore+0xc2/0x110
 ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
 ? print_report+0x4ed/0x580
 check_panic_on_warn+0x86/0xb0
 ? sctp_outq_select_transport+0x50f/0x580
 end_report+0x7a/0x150
 kasan_report+0xdf/0x100
 ? sctp_outq_select_transport+0x50f/0x580
 sctp_outq_select_transport+0x50f/0x580
 ? sctp_chunk_abandoned+0x423/0x770
 sctp_outq_flush+0x1bd4/0x3df0
 ? __pfx_sctp_outq_flush+0x10/0x10
 ? sctp_outq_tail+0x67a/0x930
 ? sctp_outq_uncork+0x4f/0xb0
 sctp_do_sm+0x59c2/0x60a0
 ? __pfx_sctp_do_sm+0x10/0x10
 ? __kasan_slab_alloc+0x66/0x80
 ? __pfx__copy_from_iter+0x10/0x10
 ? __virt_addr_valid+0x180/0x4d0
 ? __virt_addr_valid+0x41c/0x4d0
 ? __check_object_size+0x47d/0x730
 ? sctp_user_addto_chunk+0xa8/0x220
 ? skb_set_owner_w+0x246/0x380
 sctp_primitive_SEND+0x98/0xc0
 sctp_sendmsg_to_asoc+0x10ff/0x17d0
 ? __pfx_sctp_hash_cmp+0x10/0x10
 ? __pfx_sctp_sendmsg_to_asoc+0x10/0x10
 ? __pfx_autoremove_wake_function+0x10/0x10
 ? sctp_sendmsg+0xb84/0x3490
 ? __local_bh_enable_ip+0x130/0x1b0
 ? sctp_sendmsg_check_sflags+0x181/0x2c0
 sctp_sendmsg+0x2206/0x3490
 ? __pfx_sctp_sendmsg+0x10/0x10
 ? __might_fault+0xaa/0x120
 ? __pfx_lock_release+0x10/0x10
 ? inet_sendmsg+0x330/0x390
 ? __might_fault+0xc6/0x120
 __sock_sendmsg+0x1a6/0x270
 __sys_sendto+0x334/0x490
 ? __pfx___sys_sendto+0x10/0x10
 ? do_futex+0x394/0x560
 ? __might_fault+0xaa/0x120
 ? __might_fault+0xc6/0x120
 ? __rseq_handle_notify_resume+0x35c/0x1530
 ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
 __x64_sys_sendto+0xde/0x100
 do_syscall_64+0x69/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x43728d
Code: 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 90 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 d0 ff ff ff f78
RSP: 002b:00007f8fbc4b2018 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000400000000244 RCX: 000000000043728d
RDX: 0000000000000001 RSI: 0000400000000180 RDI: 0000000000000003
RBP: 00007f8fbc4b2160 R08: 0000400000000240 R09: 000000000000001c
R10: 0000000000000080 R11: 0000000000000216 R12: ffffffffffffffd0
R13: 000000000000000b R14: 00007ffc98841490 R15: 00007f8fbc492000
 </TASK>