==================================================================
BUG: KASAN: slab-out-of-bounds in vsscanf+0x2666/0x2ef0 lib/vsprintf.c:3275
Read of size 1 at addr ffff8880895cc24c by task syz-executor.4/17099

CPU: 0 PID: 17099 Comm: syz-executor.4 Not tainted 5.6.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1e9/0x30e lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x25/0x50 mm/kasan/common.c:641
 vsscanf+0x2666/0x2ef0 lib/vsprintf.c:3275
 sscanf+0x6c/0x90 lib/vsprintf.c:3481
 smk_set_cipso+0x33a/0x6a0 security/smack/smackfs.c:898
 __vfs_write+0xa7/0x710 fs/read_write.c:494
 __kernel_write+0x12c/0x340 fs/read_write.c:515
 write_pipe_buf+0xf9/0x150 fs/splice.c:809
 splice_from_pipe_feed fs/splice.c:512 [inline]
 __splice_from_pipe+0x329/0x870 fs/splice.c:636
 splice_from_pipe fs/splice.c:671 [inline]
 default_file_splice_write+0x112/0x1b0 fs/splice.c:821
 splice_direct_to_actor+0x482/0xb40 fs/splice.c:992
 do_splice_direct+0x1fb/0x330 fs/splice.c:1080
 do_sendfile+0x803/0xfd0 fs/read_write.c:1520
 __do_sys_sendfile64 fs/read_write.c:1575 [inline]
 __se_sys_sendfile64 fs/read_write.c:1567 [inline]
 __x64_sys_sendfile64+0xed/0x1a0 fs/read_write.c:1567
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c849
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fe146783c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007fe1467846d4 RCX: 000000000045c849
RDX: 0000000020000000 RSI: 0000000000000003 RDI: 0000000000000003
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000009 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008d4 R14: 00000000004cb786 R15: 000000000076bf0c

Allocated by task 17099:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc_track_caller+0x249/0x320 mm/slab.c:3671
 memdup_user_nul+0x26/0xf0 mm/util.c:259
 smk_set_cipso+0xff/0x6a0 security/smack/smackfs.c:859
 __vfs_write+0xa7/0x710 fs/read_write.c:494
 __kernel_write+0x12c/0x340 fs/read_write.c:515
 write_pipe_buf+0xf9/0x150 fs/splice.c:809
 splice_from_pipe_feed fs/splice.c:512 [inline]
 __splice_from_pipe+0x329/0x870 fs/splice.c:636
 splice_from_pipe fs/splice.c:671 [inline]
 default_file_splice_write+0x112/0x1b0 fs/splice.c:821
 splice_direct_to_actor+0x482/0xb40 fs/splice.c:992
 do_splice_direct+0x1fb/0x330 fs/splice.c:1080
 do_sendfile+0x803/0xfd0 fs/read_write.c:1520
 __do_sys_sendfile64 fs/read_write.c:1575 [inline]
 __se_sys_sendfile64 fs/read_write.c:1567 [inline]
 __x64_sys_sendfile64+0xed/0x1a0 fs/read_write.c:1567
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7785:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x220 mm/slab.c:3757
 security_sk_free+0x4d/0x90 security/security.c:2106
 sk_prot_free net/core/sock.c:1636 [inline]
 __sk_destruct+0x5f9/0x740 net/core/sock.c:1724
 inet_release+0x135/0x180 net/ipv4/af_inet.c:427
 __sock_release net/socket.c:605 [inline]
 sock_close+0xd8/0x260 net/socket.c:1283
 __fput+0x2d8/0x730 fs/file_table.c:280
 task_work_run+0x176/0x1b0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
 prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880895cc240
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 12 bytes inside of
 32-byte region [ffff8880895cc240, ffff8880895cc260)
The buggy address belongs to the page:
page:ffffea0002257300 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880895ccfc1
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002445ac8 ffffea0002864d88 ffff8880aa4001c0
raw: ffff8880895ccfc1 ffff8880895cc000 0000000100000039 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880895cc100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8880895cc180: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
>ffff8880895cc200: fb fb fb fb fc fc fc fc 00 02 fc fc fc fc fc fc
                                              ^
 ffff8880895cc280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff8880895cc300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================