==================================================================
BUG: KASAN: slab-out-of-bounds in vsscanf+0x2666/0x2ef0 lib/vsprintf.c:3275
Read of size 1 at addr ffff88809c8a9a0a by task syz-executor.1/11984

CPU: 1 PID: 11984 Comm: syz-executor.1 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1e9/0x30e lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:382
 __kasan_report+0x103/0x1a0 mm/kasan/report.c:511
 kasan_report+0x4d/0x80 mm/kasan/common.c:625

Allocated by task 11984:
 save_stack mm/kasan/common.c:49 [inline]
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc+0x114/0x160 mm/kasan/common.c:495
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc_track_caller+0x249/0x320 mm/slab.c:3671
 memdup_user_nul+0x26/0xf0 mm/util.c:259
 smk_set_cipso+0xff/0x6a0 security/smack/smackfs.c:859
 __vfs_write+0xa7/0x710 fs/read_write.c:495
 __kernel_write+0x120/0x350 fs/read_write.c:516
 write_pipe_buf+0xf9/0x150 fs/splice.c:809
 splice_from_pipe_feed fs/splice.c:512 [inline]
 __splice_from_pipe+0x329/0x870 fs/splice.c:636
 splice_from_pipe fs/splice.c:671 [inline]
 default_file_splice_write+0x112/0x1b0 fs/splice.c:821
 splice_direct_to_actor+0x482/0xb40 fs/splice.c:992
 do_splice_direct+0x201/0x340 fs/splice.c:1080
 do_sendfile+0x809/0xfe0 fs/read_write.c:1521
 __do_sys_sendfile64 fs/read_write.c:1582 [inline]
 __se_sys_sendfile64 fs/read_write.c:1568 [inline]
 __x64_sys_sendfile64+0x164/0x1a0 fs/read_write.c:1568
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 11187:
 save_stack mm/kasan/common.c:49 [inline]
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0x125/0x190 mm/kasan/common.c:456
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x220 mm/slab.c:3757
 tomoyo_path_perm+0x59b/0x740 security/tomoyo/file.c:842
 security_inode_getattr+0xc0/0x140 security/security.c:1273
 vfs_getattr+0x27/0x6e0 fs/stat.c:117
 vfs_statx fs/stat.c:201 [inline]
 vfs_lstat include/linux/fs.h:3284 [inline]
 __do_sys_newlstat fs/stat.c:364 [inline]
 __se_sys_newlstat+0x85/0x140 fs/stat.c:358
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff88809c8a9a00
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 10 bytes inside of
 32-byte region [ffff88809c8a9a00, ffff88809c8a9a20)
The buggy address belongs to the page:
page:ffffea0002722a40 refcount:1 mapcount:0 mapping:000000006a9d43ba index:0xffff88809c8a9fc1
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002905348 ffffea00029a4bc8 ffff8880aa4001c0
raw: ffff88809c8a9fc1 ffff88809c8a9000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809c8a9900: 06 fc fc fc fc fc fc fc 00 04 fc fc fc fc fc fc
 ffff88809c8a9980: 05 fc fc fc fc fc fc fc 00 00 01 fc fc fc fc fc
>ffff88809c8a9a00: 00 01 fc fc fc fc fc fc 07 fc fc fc fc fc fc fc
                      ^
 ffff88809c8a9a80: 00 00 fc fc fc fc fc fc 07 fc fc fc fc fc fc fc
 ffff88809c8a9b00: fb fb fb fb fc fc fc fc 07 fc fc fc fc fc fc fc
==================================================================