==================================================================
BUG: KASAN: slab-out-of-bounds in btf_name_valid_section kernel/bpf/btf.c:823 [inline]
BUG: KASAN: slab-out-of-bounds in btf_datasec_check_meta+0x868/0x8e6 kernel/bpf/btf.c:4582
Read of size 1 at addr ff600000150db3ac by task syz.0.958/12515

CPU: 0 PID: 12515 Comm: syz.0.958 Not tainted 6.10.0-rc6-syzkaller-gc562ba719df5 #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[] __dump_stack lib/dump_stack.c:88 [inline]
[] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:114
[] print_address_description mm/kasan/report.c:377 [inline]
[] print_report+0x288/0x596 mm/kasan/report.c:488
[] kasan_report+0xec/0x118 mm/kasan/report.c:601
[] __asan_report_load1_noabort+0x12/0x1a mm/kasan/report_generic.c:378
[] btf_name_valid_section kernel/bpf/btf.c:823 [inline]
[] btf_datasec_check_meta+0x868/0x8e6 kernel/bpf/btf.c:4582
[] btf_check_meta kernel/bpf/btf.c:5064 [inline]
[] btf_check_all_metas kernel/bpf/btf.c:5088 [inline]
[] btf_parse_type_sec kernel/bpf/btf.c:5224 [inline]
[] btf_parse kernel/bpf/btf.c:5616 [inline]
[] btf_new_fd+0x17fa/0x4bee kernel/bpf/btf.c:7482
[] bpf_btf_load kernel/bpf/syscall.c:5014 [inline]
[] __sys_bpf+0x135e/0x4240 kernel/bpf/syscall.c:5733
[] __do_sys_bpf kernel/bpf/syscall.c:5795 [inline]
[] __se_sys_bpf kernel/bpf/syscall.c:5793 [inline]
[] __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5793
[] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[] do_trap_ecall_u+0x14c/0x214 arch/riscv/kernel/traps.c:330
[] ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:112

Allocated by task 12515:
 stack_trace_save+0xa0/0xd2 kernel/stacktrace.c:122
 kasan_save_stack+0x3e/0x6a mm/kasan/common.c:47
 kasan_save_track+0x16/0x28 mm/kasan/common.c:68
 kasan_save_alloc_info+0x30/0x3e mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xa0/0xa6 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4123 [inline]
 __kmalloc_node_noprof+0x270/0x512 mm/slub.c:4130
 kmalloc_node_noprof include/linux/slab.h:681 [inline]
 kvmalloc_node_noprof+0xba/0x254 mm/util.c:634
 btf_parse kernel/bpf/btf.c:5592 [inline]
 btf_new_fd+0x728/0x4bee kernel/bpf/btf.c:7482
 bpf_btf_load kernel/bpf/syscall.c:5014 [inline]
 __sys_bpf+0x135e/0x4240 kernel/bpf/syscall.c:5733
 __do_sys_bpf kernel/bpf/syscall.c:5795 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5793 [inline]
 __riscv_sys_bpf+0x6c/0x9e kernel/bpf/syscall.c:5793
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x14c/0x214 arch/riscv/kernel/traps.c:330
 ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:112

The buggy address belongs to the object at ff600000150db380
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
 allocated 44-byte region [ff600000150db380, ff600000150db3ac)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x950db
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 0ffe000000000000 ff6000000b8018c0 ff1c00000055dd00 0000000000000004
raw: 0000000000000000 0000000080200020 00000001ffffefff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 3005, tgid 3005 (dhcpcd), ts 247338433400, free_ts 246698311500
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1473
 prep_new_page mm/page_alloc.c:1481 [inline]
 get_page_from_freelist+0x123c/0x27e8 mm/page_alloc.c:3425
 __alloc_pages_noprof+0x1f0/0x213e mm/page_alloc.c:4683
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x52/0x130 mm/slub.c:2265
 allocate_slab mm/slub.c:2428 [inline]
 new_slab+0x7a/0x2d4 mm/slub.c:2481
 ___slab_alloc+0xa02/0x100a mm/slub.c:3667
 __slab_alloc.constprop.0+0x60/0xb2 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3990 [inline]
 __do_kmalloc_node mm/slub.c:4122 [inline]
 __kmalloc_noprof+0x33a/0x4e4 mm/slub.c:4136
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 tomoyo_encode2+0x11e/0x3e6 security/tomoyo/realpath.c:45
 tomoyo_encode security/tomoyo/realpath.c:80 [inline]
 tomoyo_realpath_from_path+0x18a/0x64a security/tomoyo/realpath.c:283
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x2fe/0x3d6 security/tomoyo/file.c:771
 tomoyo_file_open security/tomoyo/tomoyo.c:334 [inline]
 tomoyo_file_open+0xa2/0xc6 security/tomoyo/tomoyo.c:328
 security_file_open+0x72/0x7ac security/security.c:2962
 do_dentry_open+0x4ee/0x142a fs/open.c:942
 vfs_open+0xb0/0xce fs/open.c:1089
page last free pid 3101 tgid 3101 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1093 [inline]
 free_unref_page+0x59c/0xe9c mm/page_alloc.c:2588
 __folio_put+0x1ba/0x23a mm/swap.c:129
 folio_put include/linux/mm.h:1513 [inline]
 free_page_and_swap_cache+0x1a8/0x1de mm/swap_state.c:305
 __tlb_remove_table arch/riscv/include/asm/tlb.h:26 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
 tlb_remove_table_rcu+0x86/0xee mm/mmu_gather.c:282
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xa8c/0x201e kernel/rcu/tree.c:2809
 rcu_core_si+0xc/0x14 kernel/rcu/tree.c:2826
 handle_softirqs+0x4a6/0x10e0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x182/0x36c kernel/softirq.c:637
 irq_exit_rcu+0x10/0xf8 kernel/softirq.c:649
 handle_riscv_irq+0x40/0x4c arch/riscv/kernel/traps.c:378
 call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:261

Memory state around the buggy address:
 ff600000150db280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ff600000150db300: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ff600000150db380: 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc
                                  ^
 ff600000150db400: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ff600000150db480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
==================================================================
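What the report pins down: the BTF blob handed to bpf(BPF_BTF_LOAD) was copied into a 44-byte kvmalloc region (kmalloc-64 object), and while btf_datasec_check_meta validated a DATASEC name, btf_name_valid_section read one byte at exactly blob+44, the first byte outside the allocation. A name validator that walks the string section can only do that if it trusts the blob to contain a terminator instead of bounding every read by the section it was given. The C program below is an added example written for this page; it is not the kernel's code and it is not a reproducer for the syscall. It models the two ways of walking a section name in userspace against a 64-byte buffer that mirrors the slab geometry in the report (44 live bytes, 20 bytes of padding standing in for the KASAN redzone). The blob layout, the constant NAME_CAP, the scenario chosen to trigger the walk (a name offset pointing at the final NUL of the string section) and all function names are assumptions made for the example, not facts taken from the report.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 512   /* identifier length cap; only its role as an upper bound matters here */

/* Slab geometry from the report: a 44-byte blob inside a kmalloc-64 object. */
#define BLOB_LEN 44
#define SLAB_OBJ 64

/* Constructed layout (assumption, not a real BTF header): 24 bytes of "header",
 * then a 20-byte string section that ends exactly at the end of the blob. */
#define STR_OFF 24
#define STR_LEN 20
#define EMPTY_LAST_OFF 19   /* offset of the section's final NUL, i.e. blob index 43 */

/* Fill obj (SLAB_OBJ bytes) with the constructed blob. Bytes past BLOB_LEN stay
 * zero and stand in for memory outside the allocation, so the naive walker
 * below stays within the array and the demonstration is defined behaviour. */
static void build_blob(uint8_t obj[SLAB_OBJ])
{
	/* offsets: 0 "", 1 ".data", 7 ".rodata", 15 "ab_c", 19 "" (array size supplies the last NUL) */
	static const char strs[STR_LEN] = "\0.data\0.rodata\0ab_c";
	memset(obj, 0, SLAB_OBJ);
	memcpy(obj + STR_OFF, strs, STR_LEN);
}

/* Pattern consistent with the report (a model, not the kernel's code): step over
 * byte 0 without looking at it, then scan for a terminator with only a length
 * cap. For an empty name sitting on the last byte of the blob the first byte
 * examined is already blob[BLOB_LEN]. Stores the highest index dereferenced. */
static bool naive_name_ok(const uint8_t *blob, uint32_t off, size_t *max_read)
{
	size_t idx = STR_OFF + off;
	size_t n = 0;

	idx++;                                  /* assumes byte 0 is a real character */
	for (;;) {
		*max_read = idx;                /* index about to be read */
		if (blob[idx] == 0)
			return true;            /* terminator found */
		if (!isprint(blob[idx]) || ++n == NAME_CAP)
			return false;           /* bad byte or name too long */
		idx++;
	}
}

/* Bounded validator: the string section must lie inside the allocation, the
 * name offset inside the section, and every byte read inside the section. An
 * empty name is rejected rather than stepped over. */
static bool checked_name_ok(const uint8_t *blob, size_t blob_len,
			    size_t str_off, size_t str_len, uint32_t off)
{
	if (str_off > blob_len || str_len > blob_len - str_off)
		return false;                   /* string section outside the blob */
	if (off >= str_len)
		return false;                   /* name offset outside the section */

	const uint8_t *src = blob + str_off + off;
	size_t room = str_len - off;            /* bytes left in the section */
	if (room > NAME_CAP)
		room = NAME_CAP;
	if (src[0] == 0)
		return false;                   /* empty section name */

	for (size_t i = 0; i < room; i++) {
		if (src[i] == 0)
			return true;            /* terminated inside the section */
		if (!isprint(src[i]))
			return false;
	}
	return false;                           /* ran off the section without a terminator */
}

/* Entry points for the constructed blob. */
static bool report_case_naive(size_t *max_read)
{
	uint8_t obj[SLAB_OBJ];
	build_blob(obj);
	return naive_name_ok(obj, EMPTY_LAST_OFF, max_read);
}

static bool report_case_checked(uint32_t off)
{
	uint8_t obj[SLAB_OBJ];
	build_blob(obj);
	return checked_name_ok(obj, BLOB_LEN, STR_OFF, STR_LEN, off);
}

int main(void)
{
	size_t hit = 0;
	bool ok = report_case_naive(&hit);

	printf("naive walker: verdict=%s, highest index read=%zu, blob is %d bytes\n",
	       ok ? "valid" : "invalid", hit, BLOB_LEN);
	printf("checked walker, same offset: %s\n",
	       report_case_checked(EMPTY_LAST_OFF) ? "valid" : "invalid");
	printf("checked walker, offset of \".rodata\": %s\n",
	       report_case_checked(7) ? "valid" : "invalid");
	return 0;
}
```

The naive walker reports the empty name as valid and its highest index read is 44, the same "0 bytes to the right of allocated 44-byte region" arithmetic KASAN prints above; in the kernel that byte is slab redzone, which is why the access is caught as a one-byte load. The bounded version rejects that offset before reading anything, and still accepts the well-formed names in the section.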