==================================================================
BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200 lib/vsprintf.c:592
Read of size 1 at addr ffff8801cafced50 by task syzkaller538128/3345

CPU: 1 PID: 3345 Comm: syzkaller538128 Not tainted 4.9.78-ge9dabe6 #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801bf9ff738 ffffffff81d943a9 ffffea00072bf380 ffff8801cafced50
 0000000000000000 ffff8801cafced50 ffff8801bf9ff994 ffff8801bf9ff770
 ffffffff8153dc23 ffff8801cafced50 0000000000000001 0000000000000000
Call Trace:
 [<ffffffff81d943a9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d943a9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153dc23>] print_address_description+0x73/0x280 mm/kasan/report.c:252
 [<ffffffff8153e145>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8153e145>] kasan_report+0x275/0x360 mm/kasan/report.c:408
 [<ffffffff8153e244>] __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:426
 [<ffffffff81db6388>] string+0x1e8/0x200 lib/vsprintf.c:592
 [<ffffffff81dbf31d>] vsnprintf+0x7ad/0x16d0 lib/vsprintf.c:2044
 [<ffffffff8117a65f>] __request_module+0x14f/0x750 kernel/kmod.c:146
 [<ffffffff8313beeb>] xt_request_find_target+0x8b/0xb0 net/netfilter/x_tables.c:256
 [<ffffffff8338465a>] find_check_entry net/ipv4/netfilter/ip_tables.c:567 [inline]
 [<ffffffff8338465a>] translate_table+0x177a/0x1e30 net/ipv4/netfilter/ip_tables.c:745
 [<ffffffff810002b8>] ? 0xffffffff810002b8
 [<ffffffff83386eee>] do_replace net/ipv4/netfilter/ip_tables.c:1151 [inline]
 [<ffffffff83386eee>] do_ipt_set_ctl+0x2be/0x470 net/ipv4/netfilter/ip_tables.c:1687
 [<ffffffff830a1a67>] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [<ffffffff830a1a67>] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [<ffffffff83211b81>] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1248
 [<ffffffff832314b2>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2737
 [<ffffffff82ede275>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
 [<ffffffff82edb230>] SYSC_setsockopt net/socket.c:1772 [inline]
 [<ffffffff82edb230>] SyS_setsockopt+0x160/0x250 net/socket.c:1751
 [<ffffffff838b2c6e>] entry_SYSCALL_64_fastpath+0x29/0xe8

Allocated by task 3345:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 xt_alloc_table_info+0x71/0x100 net/netfilter/x_tables.c:959
 do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline]
 do_ipt_set_ctl+0x242/0x470 net/ipv4/netfilter/ip_tables.c:1687
 nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1248
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2737
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
 SYSC_setsockopt net/socket.c:1772 [inline]
 SyS_setsockopt+0x160/0x250 net/socket.c:1751
 entry_SYSCALL_64_fastpath+0x29/0xe8

Freed by task 1804:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0x103/0x300 mm/slub.c:3878
 seq_release+0x59/0x70 fs/seq_file.c:372
 kernfs_fop_release+0xcb/0x140 fs/kernfs/file.c:742
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xe6/0xe8

The buggy address belongs to the object at ffff8801cafcec80
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 208 bytes inside of
 256-byte region [ffff8801cafcec80, ffff8801cafced80)
The buggy address belongs to the page:
page:ffffea00072bf380 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cafcec00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801cafcec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cafced00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                 ^
 ffff8801cafced80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801cafcee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================