==================================================================
BUG: KASAN: slab-out-of-bounds in strlen+0x87/0x90 lib/string.c:565
Read of size 1 at addr ffff8881033c4548 by task syz.2.15/4991

CPU: 1 PID: 4991 Comm: syz.2.15 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0xbe/0xf9 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f9 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 strlen+0x87/0x90 lib/string.c:565
 kstrdup+0x22/0x70 mm/util.c:59
 led_tg_check+0x1dd/0x480 net/netfilter/xt_LED.c:116
 xt_check_target+0x26f/0x650 net/netfilter/x_tables.c:1019
 nft_target_init+0x3e3/0x630 net/netfilter/nft_compat.c:252
 nf_tables_newexpr net/netfilter/nf_tables_api.c:2669 [inline]
 nf_tables_newrule+0xd58/0x2730 net/netfilter/nf_tables_api.c:3321
 nfnetlink_rcv_batch+0x81b/0x1f40 net/netfilter/nfnetlink.c:456
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x64e/0x8f0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x84c/0xd80 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0x151/0x190 net/socket.c:672
 ____sys_sendmsg+0x706/0x870 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x34/0x50 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f9934048719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9933ac9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f99341fff80 RCX: 00007f9934048719
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00007f99340bb75e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f99341fff80 R15: 00007fffed48e658

Allocated by task 4991:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:682 [inline]
 nf_tables_newrule+0xac5/0x2730 net/netfilter/nf_tables_api.c:3303
 nfnetlink_rcv_batch+0x81b/0x1f40 net/netfilter/nfnetlink.c:456
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x64e/0x8f0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x84c/0xd80 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0x151/0x190 net/socket.c:672
 ____sys_sendmsg+0x706/0x870 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x34/0x50 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xc5/0xf0 mm/kasan/generic.c:344
 insert_work+0x4a/0x3f0 kernel/workqueue.c:1331
 __queue_work+0x677/0xd80 kernel/workqueue.c:1497
 queue_work_on+0x6a/0x80 kernel/workqueue.c:1524
 queue_work include/linux/workqueue.h:507 [inline]
 schedule_work include/linux/workqueue.h:568 [inline]
 nfc_genl_rcv_nl_event net/nfc/netlink.c:1825 [inline]
 nfc_genl_rcv_nl_event+0x213/0x2e0 net/nfc/netlink.c:1810
 notifier_call_chain+0xba/0x1f0 kernel/notifier.c:83
 blocking_notifier_call_chain kernel/notifier.c:337 [inline]
 blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:325
 netlink_release+0x1410/0x16c0 net/netlink/af_netlink.c:783
 __sock_release+0xd2/0x290 net/socket.c:597
 sock_close+0x18/0x20 net/socket.c:1256
 __fput+0x230/0x890 fs/file_table.c:280
 task_work_run+0xe2/0x190 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x172/0x180 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x13/0x40 kernel/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8881033c4500
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 72 bytes inside of
 96-byte region [ffff8881033c4500, ffff8881033c4560)
The buggy address belongs to the page:
page:0000000099b0fd3d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1033c4
flags: 0x200000000000200(slab)
raw: 0200000000000200 ffffea00043ba540 0000000200000002 ffff888100041780
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 1969, ts 10062000431
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x136/0x1a0 mm/page_alloc.c:2297
 prep_new_page mm/page_alloc.c:2306 [inline]
 get_page_from_freelist+0x12fe/0x33d0 mm/page_alloc.c:3945
 __alloc_pages_nodemask+0x26c/0x5b0 mm/page_alloc.c:4995
 alloc_pages_current+0x1c9/0x370 mm/mempolicy.c:2267
 alloc_pages include/linux/gfp.h:547 [inline]
 alloc_slab_page mm/slub.c:1618 [inline]
 allocate_slab+0x289/0x460 mm/slub.c:1758
 new_slab mm/slub.c:1821 [inline]
 new_slab_objects mm/slub.c:2578 [inline]
 ___slab_alloc+0x3f0/0x690 mm/slub.c:2741
 __slab_alloc mm/slub.c:2781 [inline]
 slab_alloc_node mm/slub.c:2857 [inline]
 slab_alloc mm/slub.c:2900 [inline]
 __kmalloc+0x299/0x2b0 mm/slub.c:3981
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:682 [inline]
 tomoyo_encode2.part.0+0xe9/0x3a0 security/tomoyo/realpath.c:45
 tomoyo_encode2 security/tomoyo/realpath.c:31 [inline]
 tomoyo_encode security/tomoyo/realpath.c:80 [inline]
 tomoyo_realpath_from_path+0x1a6/0x650 security/tomoyo/realpath.c:288
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x255/0x350 security/tomoyo/file.c:771
 tomoyo_file_open security/tomoyo/tomoyo.c:313 [inline]
 tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:308
 security_file_open+0x58/0x500 security/security.c:1576
 do_dentry_open+0x4ec/0x1070 fs/open.c:804
 do_open fs/namei.c:3254 [inline]
 path_openat+0x18bb/0x26b0 fs/namei.c:3371
 do_filp_open+0x17e/0x3c0 fs/namei.c:3398
 do_sys_openat2+0x16d/0x420 fs/open.c:1172
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1271 [inline]
 free_pcp_prepare+0x374/0x460 mm/page_alloc.c:1306
 free_unref_page_prepare mm/page_alloc.c:3200 [inline]
 free_unref_page+0x10/0x1c0 mm/page_alloc.c:3248
 kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:346
 apply_to_pte_range mm/memory.c:2408 [inline]
 apply_to_pmd_range mm/memory.c:2444 [inline]
 apply_to_pud_range mm/memory.c:2472 [inline]
 apply_to_p4d_range mm/memory.c:2500 [inline]
 __apply_to_page_range+0x659/0xdf0 mm/memory.c:2527
 kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:456
 __purge_vmap_area_lazy+0x8e6/0x1c00 mm/vmalloc.c:1381
 _vm_unmap_aliases.part.0+0x2d3/0x3d0 mm/vmalloc.c:1784
 _vm_unmap_aliases mm/vmalloc.c:1753 [inline]
 vm_unmap_aliases+0x2f/0x40 mm/vmalloc.c:1807
 change_page_attr_set_clr+0x23f/0x4f0 arch/x86/mm/pat/set_memory.c:1732
 change_page_attr_set arch/x86/mm/pat/set_memory.c:1782 [inline]
 set_memory_nx+0xb2/0x110 arch/x86/mm/pat/set_memory.c:1930
 free_init_pages+0x52/0x80 arch/x86/mm/init.c:878
 free_kernel_image_pages+0x20/0x50 arch/x86/mm/init.c:897
 kernel_init+0x17/0x1bc init/main.c:1426
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296

Memory state around the buggy address:
 ffff8881033c4400: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff8881033c4480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff8881033c4500: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
                                              ^
 ffff8881033c4580: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff8881033c4600: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================