==================================================================
BUG: KASAN: slab-out-of-bounds in string_nocheck lib/vsprintf.c:611 [inline]
BUG: KASAN: slab-out-of-bounds in string+0x39c/0x3d0 lib/vsprintf.c:693
Read of size 1 at addr ffff888106b80bc8 by task syz.2.16/5298

CPU: 0 PID: 5298 Comm: syz.2.16 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0xbe/0xf9 lib/dump_stack.c:120
 print_address_description.constprop.0+0x18/0x170 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x7f/0x10e mm/kasan/report.c:413
 string_nocheck lib/vsprintf.c:611 [inline]
 string+0x39c/0x3d0 lib/vsprintf.c:693
 vsnprintf+0xa3f/0x16c0 lib/vsprintf.c:2619
 vprintk_store+0x15d/0x790 kernel/printk/printk.c:1983
 vprintk_emit+0xa2/0x330 kernel/printk/printk.c:2075
 vprintk_func+0x8b/0x140 kernel/printk/printk_safe.c:393
 printk+0xba/0xed kernel/printk/printk.c:2140
 nfacct_mt_checkentry.cold+0x1a/0x1f net/netfilter/xt_nfacct.c:41
 xt_check_match+0x278/0x650 net/netfilter/x_tables.c:501
 __nft_match_init+0x43d/0x620 net/netfilter/nft_compat.c:474
 nf_tables_newexpr net/netfilter/nf_tables_api.c:2669 [inline]
 nf_tables_newrule+0xd6e/0x2740 net/netfilter/nf_tables_api.c:3321
 nfnetlink_rcv_batch+0x7a0/0x1e20 net/netfilter/nfnetlink.c:456
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x64e/0x8f0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd80 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0x151/0x190 net/socket.c:672
 ____sys_sendmsg+0x709/0x870 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x34/0x50 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f0522e1a929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f052288b038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f0523041fa0 RCX: 00007f0522e1a929
RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000003
RBP: 00007f0522e9cb39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f0523041fa0 R15: 00007ffc7aea58a8

Allocated by task 5298:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 ____kasan_kmalloc.constprop.0+0x84/0xa0 mm/kasan/common.c:429
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:682 [inline]
 nf_tables_newrule+0xadd/0x2740 net/netfilter/nf_tables_api.c:3303
 nfnetlink_rcv_batch+0x7a0/0x1e20 net/netfilter/nfnetlink.c:456
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x64e/0x8f0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd80 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0x151/0x190 net/socket.c:672
 ____sys_sendmsg+0x709/0x870 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x34/0x50 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xbc/0xe0 mm/kasan/generic.c:344
 __call_rcu kernel/rcu/tree.c:2965 [inline]
 call_rcu+0xb6/0x670 kernel/rcu/tree.c:3038
 nf_hook_entries_free net/netfilter/core.c:88 [inline]
 nf_hook_entries_free net/netfilter/core.c:75 [inline]
 __nf_unregister_net_hook+0x1f8/0x4a0 net/netfilter/core.c:489
 nf_unregister_net_hook net/netfilter/core.c:502 [inline]
 nf_unregister_net_hooks+0x117/0x160 net/netfilter/core.c:576
 ip6table_mangle_net_pre_exit+0x4c/0x60 net/ipv6/netfilter/ip6table_mangle.c:99
 ops_pre_exit_list net/core/net_namespace.c:165 [inline]
 cleanup_net+0x452/0xb10 net/core/net_namespace.c:583
 process_one_work+0x910/0x1250 kernel/workqueue.c:2275
 worker_thread+0x4d4/0xe70 kernel/workqueue.c:2421
 kthread+0x347/0x420 kernel/kthread.c:292
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296

The buggy address belongs to the object at ffff888106b80b80
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 72 bytes inside of
 96-byte region [ffff888106b80b80, ffff888106b80be0)
The buggy address belongs to the page:
page:00000000cae82224 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106b80
flags: 0x200000000000200(slab)
raw: 0200000000000200 ffffea0004095900 0000000400000004 ffff888100041780
raw: 0000000000000000 0000000080200020 00000001ffffffff ffff88810e6b0601
page dumped because: kasan: bad access detected
pages's memcg:ffff88810e6b0601
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 1977, ts 11687336174
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x136/0x1a0 mm/page_alloc.c:2297
 prep_new_page mm/page_alloc.c:2306 [inline]
 get_page_from_freelist+0x20ee/0x2da0 mm/page_alloc.c:3945
 __alloc_pages_nodemask+0x275/0x5b0 mm/page_alloc.c:4995
 alloc_pages_current+0x1c9/0x370 mm/mempolicy.c:2267
 alloc_pages include/linux/gfp.h:547 [inline]
 alloc_slab_page mm/slub.c:1618 [inline]
 allocate_slab+0x27f/0x450 mm/slub.c:1758
 new_slab mm/slub.c:1821 [inline]
 new_slab_objects mm/slub.c:2578 [inline]
 ___slab_alloc+0x40e/0x6c0 mm/slub.c:2741
 __slab_alloc mm/slub.c:2781 [inline]
 slab_alloc_node mm/slub.c:2857 [inline]
 slab_alloc mm/slub.c:2900 [inline]
 __kmalloc+0x299/0x2b0 mm/slub.c:3981
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:682 [inline]
 tomoyo_encode2.part.0+0xe9/0x3a0 security/tomoyo/realpath.c:45
 tomoyo_encode2 security/tomoyo/realpath.c:31 [inline]
 tomoyo_encode+0x28/0x50 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x188/0x620 security/tomoyo/realpath.c:288
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x255/0x350 security/tomoyo/file.c:771
 tomoyo_file_open security/tomoyo/tomoyo.c:313 [inline]
 tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:308
 security_file_open+0x58/0x500 security/security.c:1576
 do_dentry_open+0x4ec/0x1070 fs/open.c:804
 do_open fs/namei.c:3254 [inline]
 path_openat+0x18c5/0x26b0 fs/namei.c:3371
 do_filp_open+0x17e/0x3c0 fs/namei.c:3398
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1271 [inline]
 free_pcp_prepare+0x44a/0x5a0 mm/page_alloc.c:1306
 free_unref_page_prepare mm/page_alloc.c:3200 [inline]
 free_unref_page+0x39/0x1f0 mm/page_alloc.c:3248
 kasan_depopulate_vmalloc_pte+0x59/0x70 mm/kasan/shadow.c:346
 apply_to_pte_range mm/memory.c:2408 [inline]
 apply_to_pmd_range mm/memory.c:2444 [inline]
 apply_to_pud_range mm/memory.c:2472 [inline]
 apply_to_p4d_range mm/memory.c:2500 [inline]
 __apply_to_page_range+0x7bc/0x1350 mm/memory.c:2527
 kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:456
 __purge_vmap_area_lazy+0x8cf/0x1c80 mm/vmalloc.c:1381
 _vm_unmap_aliases.part.0+0x2d7/0x3c0 mm/vmalloc.c:1784
 _vm_unmap_aliases mm/vmalloc.c:1753 [inline]
 vm_unmap_aliases+0x2f/0x40 mm/vmalloc.c:1807
 change_page_attr_set_clr+0x23f/0x4f0 arch/x86/mm/pat/set_memory.c:1732
 change_page_attr_set arch/x86/mm/pat/set_memory.c:1782 [inline]
 set_memory_nx+0xb2/0x110 arch/x86/mm/pat/set_memory.c:1930
 free_init_pages+0x52/0x80 arch/x86/mm/init.c:878
 free_kernel_image_pages+0x20/0x50 arch/x86/mm/init.c:897
 kernel_init+0x17/0x1bc init/main.c:1426
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296

Memory state around the buggy address:
 ffff888106b80a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff888106b80b00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff888106b80b80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
                                              ^
 ffff888106b80c00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
 ffff888106b80c80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================
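Reading the report: the faulting frame is a printk `%s` conversion (string_nocheck, reached from nfacct_mt_checkentry), the object was kzalloc'd by nf_tables_newrule, and the shadow line shows nine `00` granules (9 * 8 = 72 usable bytes) followed by `fc` redzone inside a kmalloc-96 slot, so the one-byte read at offset 72 is the first byte past the allocation. That pattern is what `%s` does when the string it is given has no NUL terminator inside the object. The report itself does not name the root cause; the user-space C below is an added example, not kernel or syzbot code, that models the pattern consistent with the trace. It assumes a 32-byte fixed-width name (the width of xt_nfacct's name field) copied verbatim from userspace and placed flush against the end of a 72-byte object, models the `%s` scan as a function that reports the first out-of-bounds offset the way KASAN does, and shows a hardened check that rejects an unterminated name up front and logs with a length-bounded `%.*s`. All names (make_rule, first_oob_read, checkentry_unchecked, checkentry_checked) are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes read off the report: a kmalloc-96 slot whose KASAN shadow shows
 * nine "00" granules (72 usable bytes) before the "fc" redzone; the
 * faulting read is at offset 72, the first byte past the object. */
#define SLOT_SIZE 96
#define OBJ_SIZE  72

/* Fixed-width name copied as-is from a userspace rule. 32 matches xt_nfacct's
 * name width; putting it flush against the end of the object is an assumption
 * chosen so the example reproduces the report's offset. */
#define NAME_MAX_LEN 32
#define NAME_OFF (OBJ_SIZE - NAME_MAX_LEN)   /* 40 */

struct match_info {
    char name[NAME_MAX_LEN];   /* no NUL terminator guaranteed */
};

/* Lay out one slab slot: kzalloc-style zeroed object, then a non-NUL filler
 * standing in for the redzone / neighbouring object so an overrun is visible.
 * user_name is copied verbatim, truncated to the field, never terminated. */
struct match_info *make_rule(unsigned char *slot, const char *user_name, size_t user_len)
{
    struct match_info *info = (struct match_info *)(slot + NAME_OFF);

    memset(slot, 0, OBJ_SIZE);
    memset(slot + OBJ_SIZE, 0xfc, SLOT_SIZE - OBJ_SIZE);
    if (user_len > sizeof(info->name))
        user_len = sizeof(info->name);
    memcpy(info->name, user_name, user_len);
    return info;
}

/* Model of what a %s conversion (string_nocheck in the trace) does to the
 * name: walk forward until a NUL. Returns the object-relative offset of the
 * first byte read outside the object, or -1 if a NUL is found inside it.
 * The walk is capped at the slot so the simulation itself stays in bounds. */
long first_oob_read(const unsigned char *slot, size_t name_off)
{
    for (size_t i = name_off; i < SLOT_SIZE; i++) {
        if (i >= OBJ_SIZE)
            return (long)i;        /* this read is already out of bounds */
        if (slot[i] == '\0')
            return -1;
    }
    return (long)SLOT_SIZE;
}

/* Pattern consistent with the trace: hand the raw field to %s. Only safe to
 * call when the caller already knows the name is terminated. */
int checkentry_unchecked(const struct match_info *info, char *log, size_t log_len)
{
    return snprintf(log, log_len, "xt_nfacct: accounting object `%s' does not exist",
                    info->name);
}

/* Hardened form: refuse an unterminated name before any %s consumer sees it,
 * and bound the conversion with %.*s so no later log line can overrun either.
 * The lookup that would normally follow is assumed to fail, as in the report. */
int checkentry_checked(const struct match_info *info, char *log, size_t log_len)
{
    size_t n = strnlen(info->name, sizeof(info->name));

    if (n == sizeof(info->name)) {
        snprintf(log, log_len, "xt_nfacct: rejected name without NUL terminator");
        return -EINVAL;
    }
    snprintf(log, log_len, "xt_nfacct: accounting object `%.*s' does not exist",
             (int)n, info->name);
    return -ENOENT;
}

int main(void)
{
    unsigned char slot[SLOT_SIZE];
    char log[128];
    char raw[NAME_MAX_LEN];
    struct match_info *info;

    info = make_rule(slot, "foo", 3);                         /* constructed input */
    printf("terminated name: first OOB read = %ld\n", first_oob_read(slot, NAME_OFF));
    checkentry_unchecked(info, log, sizeof(log));
    printf("%s\n", log);

    memset(raw, 'A', sizeof(raw));                            /* 32 bytes, no NUL */
    info = make_rule(slot, raw, sizeof(raw));
    printf("unterminated name: first OOB read = %ld\n", first_oob_read(slot, NAME_OFF));
    printf("checked entry: %d\n", checkentry_checked(info, log, sizeof(log)));
    printf("%s\n", log);
    return 0;
}
```

With the unterminated name, first_oob_read returns 72, the same offset the report prints as "72 bytes inside of 96-byte region"; the checked entry refuses it with -EINVAL before any format string touches it. The `%.*s` bound is worth keeping even after the validation, so that a future caller that skips the check cannot reintroduce the scan.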