==================================================================
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user include/linux/instrumented.h:118 [inline]
BUG: KASAN: slab-out-of-bounds in _copy_to_user lib/usercopy.c:32 [inline]
BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user include/linux/instrumented.h:118 [inline] lib/usercopy.c:26
BUG: KASAN: slab-out-of-bounds in _copy_to_user lib/usercopy.c:32 [inline] lib/usercopy.c:26
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0xc7/0x150 lib/usercopy.c:26 lib/usercopy.c:26
Read of size 42 at addr ffff8880183b8980 by task syz-executor274/3615

CPU: 1 PID: 3615 Comm: syz-executor274 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450 mm/kasan/report.c:450
 check_region_inline mm/kasan/generic.c:183 [inline]
 check_region_inline mm/kasan/generic.c:183 [inline] mm/kasan/generic.c:189
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 mm/kasan/generic.c:189
 instrument_copy_to_user include/linux/instrumented.h:118 [inline]
 _copy_to_user lib/usercopy.c:32 [inline]
 instrument_copy_to_user include/linux/instrumented.h:118 [inline] lib/usercopy.c:26
 _copy_to_user lib/usercopy.c:32 [inline] lib/usercopy.c:26
 _copy_to_user+0xc7/0x150 lib/usercopy.c:26 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:200 [inline]
 copy_to_user include/linux/uaccess.h:200 [inline] kernel/bpf/hashtab.c:1768
 __htab_map_lookup_and_delete_batch+0xec3/0x1880 kernel/bpf/hashtab.c:1768 kernel/bpf/hashtab.c:1768
 bpf_map_do_batch+0x2dd/0x5c0 kernel/bpf/syscall.c:4221 kernel/bpf/syscall.c:4221
 __sys_bpf+0x288b/0x5950 kernel/bpf/syscall.c:4693 kernel/bpf/syscall.c:4693
 __do_sys_bpf kernel/bpf/syscall.c:4737 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4735 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4737 [inline] kernel/bpf/syscall.c:4735
 __se_sys_bpf kernel/bpf/syscall.c:4735 [inline] kernel/bpf/syscall.c:4735
 __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4735 kernel/bpf/syscall.c:4735
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_x64 arch/x86/entry/common.c:50 [inline] arch/x86/entry/common.c:80
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fb117482b89
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb1174132f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fb11750b3f0 RCX: 00007fb117482b89
RDX: 0000000000000038 RSI: 0000000020000080 RDI: 0000000000000019
RBP: 00007fb1174d88f0 R08: 00007fb117413700 R09: 0000000000000000
R10: 00007fb117413700 R11: 0000000000000246 R12: 00000000200031c0
R13: 00007fb1174d8078 R14: 00000000200021c0 R15: 00007fb11750b3f8
 </TASK>

Allocated by task 3615:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline] mm/kasan/common.c:522
 set_alloc_info mm/kasan/common.c:434 [inline] mm/kasan/common.c:522
 ____kasan_kmalloc mm/kasan/common.c:513 [inline] mm/kasan/common.c:522
 ____kasan_kmalloc mm/kasan/common.c:472 [inline] mm/kasan/common.c:522
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522 mm/kasan/common.c:522
 kmalloc_node include/linux/slab.h:613 [inline]
 kmalloc_node include/linux/slab.h:613 [inline] mm/util.c:587
 kvmalloc_node+0x61/0x120 mm/util.c:587 mm/util.c:587
 kvmalloc include/linux/slab.h:741 [inline]
 kvmalloc_array include/linux/slab.h:759 [inline]
 kvmalloc include/linux/slab.h:741 [inline] kernel/bpf/hashtab.c:1647
 kvmalloc_array include/linux/slab.h:759 [inline] kernel/bpf/hashtab.c:1647
 __htab_map_lookup_and_delete_batch+0x525/0x1880 kernel/bpf/hashtab.c:1647 kernel/bpf/hashtab.c:1647
 bpf_map_do_batch+0x2dd/0x5c0 kernel/bpf/syscall.c:4221 kernel/bpf/syscall.c:4221
 __sys_bpf+0x288b/0x5950 kernel/bpf/syscall.c:4693 kernel/bpf/syscall.c:4693
 __do_sys_bpf kernel/bpf/syscall.c:4737 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4735 [inline]
 __do_sys_bpf kernel/bpf/syscall.c:4737 [inline] kernel/bpf/syscall.c:4735
 __se_sys_bpf kernel/bpf/syscall.c:4735 [inline] kernel/bpf/syscall.c:4735
 __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4735 kernel/bpf/syscall.c:4735
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_x64 arch/x86/entry/common.c:50 [inline] arch/x86/entry/common.c:80
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8880183b8980
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff8880183b8980, ffff8880183b89c0)
The buggy address belongs to the page:
page:ffffea000060ee00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x183b8
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0000714c80 dead000000000005 ffff888010c41640
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 2970, ts 13072649837, free_ts 11258641957
 prep_new_page mm/page_alloc.c:2418 [inline]
 prep_new_page mm/page_alloc.c:2418 [inline] mm/page_alloc.c:4149
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369 mm/page_alloc.c:5369
 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191 mm/mempolicy.c:2191
 alloc_slab_page mm/slub.c:1793 [inline]
 allocate_slab mm/slub.c:1930 [inline]
 alloc_slab_page mm/slub.c:1793 [inline] mm/slub.c:1993
 allocate_slab mm/slub.c:1930 [inline] mm/slub.c:1993
 new_slab+0x32d/0x4a0 mm/slub.c:1993 mm/slub.c:1993
 ___slab_alloc+0x918/0xfe0 mm/slub.c:3022 mm/slub.c:3022
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109 mm/slub.c:3109
 slab_alloc_node mm/slub.c:3200 [inline]
 slab_alloc mm/slub.c:3242 [inline]
 slab_alloc_node mm/slub.c:3200 [inline] mm/slub.c:4419
 slab_alloc mm/slub.c:3242 [inline] mm/slub.c:4419
 __kmalloc+0x2fb/0x340 mm/slub.c:4419 mm/slub.c:4419
 kmalloc include/linux/slab.h:595 [inline]
 kzalloc include/linux/slab.h:724 [inline]
 kmalloc include/linux/slab.h:595 [inline] security/tomoyo/realpath.c:45
 kzalloc include/linux/slab.h:724 [inline] security/tomoyo/realpath.c:45
 tomoyo_encode2.part.0+0xe9/0x3a0 security/tomoyo/realpath.c:45 security/tomoyo/realpath.c:45
 tomoyo_encode2 security/tomoyo/realpath.c:31 [inline]
 tomoyo_encode2 security/tomoyo/realpath.c:31 [inline] security/tomoyo/realpath.c:80
 tomoyo_encode+0x28/0x50 security/tomoyo/realpath.c:80 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x186/0x620 security/tomoyo/realpath.c:288 security/tomoyo/realpath.c:288
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] security/tomoyo/file.c:771
 tomoyo_check_open_permission+0x272/0x380 security/tomoyo/file.c:771 security/tomoyo/file.c:771
 tomoyo_file_open security/tomoyo/tomoyo.c:311 [inline]
 tomoyo_file_open security/tomoyo/tomoyo.c:311 [inline] security/tomoyo/tomoyo.c:306
 tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:306 security/tomoyo/tomoyo.c:306
 security_file_open+0x45/0xb0 security/security.c:1635 security/security.c:1635
 do_dentry_open+0x353/0x1250 fs/open.c:809 fs/open.c:809
 do_open fs/namei.c:3426 [inline]
 do_open fs/namei.c:3426 [inline] fs/namei.c:3559
 path_openat+0x1cad/0x2750 fs/namei.c:3559 fs/namei.c:3559
 do_filp_open+0x1aa/0x400 fs/namei.c:3586 fs/namei.c:3586
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 reset_page_owner include/linux/page_owner.h:24 [inline] mm/page_alloc.c:1389
 free_pages_prepare mm/page_alloc.c:1338 [inline] mm/page_alloc.c:1389
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3309 [inline]
 free_unref_page_prepare mm/page_alloc.c:3309 [inline] mm/page_alloc.c:3388
 free_unref_page+0x19/0x690 mm/page_alloc.c:3388 mm/page_alloc.c:3388
 kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:380 mm/kasan/shadow.c:380
 apply_to_pte_range mm/memory.c:2518 [inline]
 apply_to_pmd_range mm/memory.c:2562 [inline]
 apply_to_pud_range mm/memory.c:2598 [inline]
 apply_to_p4d_range mm/memory.c:2634 [inline]
 apply_to_pte_range mm/memory.c:2518 [inline] mm/memory.c:2668
 apply_to_pmd_range mm/memory.c:2562 [inline] mm/memory.c:2668
 apply_to_pud_range mm/memory.c:2598 [inline] mm/memory.c:2668
 apply_to_p4d_range mm/memory.c:2634 [inline] mm/memory.c:2668
 __apply_to_page_range+0x694/0x1080 mm/memory.c:2668 mm/memory.c:2668
 kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:490 mm/kasan/shadow.c:490
 __purge_vmap_area_lazy+0x8f9/0x1c50 mm/vmalloc.c:1708 mm/vmalloc.c:1708
 _vm_unmap_aliases.part.0+0x3f0/0x500 mm/vmalloc.c:2111 mm/vmalloc.c:2111
 _vm_unmap_aliases mm/vmalloc.c:2085 [inline]
 _vm_unmap_aliases mm/vmalloc.c:2085 [inline] mm/vmalloc.c:2134
 vm_unmap_aliases+0x45/0x50 mm/vmalloc.c:2134 mm/vmalloc.c:2134
 change_page_attr_set_clr+0x241/0x500 arch/x86/mm/pat/set_memory.c:1743 arch/x86/mm/pat/set_memory.c:1743
 change_page_attr_set arch/x86/mm/pat/set_memory.c:1793 [inline]
 change_page_attr_set arch/x86/mm/pat/set_memory.c:1793 [inline] arch/x86/mm/pat/set_memory.c:1941
 set_memory_nx+0xb2/0x110 arch/x86/mm/pat/set_memory.c:1941 arch/x86/mm/pat/set_memory.c:1941
 free_init_pages+0x73/0xc0 arch/x86/mm/init.c:894 arch/x86/mm/init.c:894
 kernel_init+0x2e/0x1d0 init/main.c:1508 init/main.c:1508
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff8880183b8880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff8880183b8900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880183b8980: 00 00 00 00 03 fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff8880183b8a00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
 ffff8880183b8a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================