KASAN: slab-out-of-bounds Read in bit

KASAN: slab-out-of-bounds Read in bit_putcs
Status: upstream: reported C repro on 2019/12/03 12:47
Reported-by: syzbot+07e7f57313dc988967db@syzkaller.appspotmail.com
First crash: 898d, last: 363d

Fix bisection: the fix commit could be any of (bisect log):
  8c5ec4a731e1 vt: Fix character height handling with VT_RESIZEX
  9a71ed8da907 vgacon: Record video mode changes with VT_RESIZEX
  17d6c58c5fc5 tty: vt: always invoke vc->vc_sw->con_resize callback
  fd8f21c9d234 video: hgafb: fix potential NULL pointer dereference
  1dfd47b684c2 video: hgafb: correctly handle card detect failure during probe

similar bugs (4):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: slab-out-of-bounds Read in bit_putcs	C	done	error	343	586d	895d	0/22	upstream: reported C repro on 2019/12/05 16:46
linux-4.14	KASAN: slab-out-of-bounds Read in bit_putcs	C			95	5d14h	897d	0/1	upstream: reported C repro on 2019/12/03 16:38
linux-4.14	KASAN: global-out-of-bounds Read in bit_putcs	C			241	3d17h	893d	0/1	upstream: reported C repro on 2019/12/07 16:26
linux-4.19	KASAN: global-out-of-bounds Read in bit_putcs	C		done	214	359d	896d	1/1	fixed on 2021/06/24 08:01

Sample crash report:

audit: type=1400 audit(1602976135.984:8): avc:  denied  { execmem } for  pid=6489 comm="syz-executor322" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in __fb_pad_aligned_buffer include/linux/fb.h:674 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs+0xbe2/0xd35 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffff8880898b123e by task syz-executor322/6489

CPU: 1 PID: 6489 Comm: syz-executor322 Not tainted 4.19.152-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 print_address_description.cold+0x56/0x25c mm/kasan/report.c:256
 kasan_report_error.cold+0x66/0xb9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430
 __fb_pad_aligned_buffer include/linux/fb.h:674 [inline]
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
 bit_putcs+0xbe2/0xd35 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x389/0x5d0 drivers/video/fbdev/core/fbcon.c:1269
 con_flush drivers/tty/vt/vt.c:2559 [inline]
 do_con_write+0x671/0x1f40 drivers/tty/vt/vt.c:2809
 con_write+0x22/0xb0 drivers/tty/vt/vt.c:3145
 process_output_block drivers/tty/n_tty.c:593 [inline]
 n_tty_write+0x3c0/0xff0 drivers/tty/n_tty.c:2331
 do_tty_write drivers/tty/tty_io.c:960 [inline]
 tty_write+0x496/0x890 drivers/tty/tty_io.c:1044
 __vfs_write+0xf7/0x770 fs/read_write.c:485
 vfs_write+0x1f3/0x540 fs/read_write.c:549
 ksys_write+0x12b/0x2a0 fs/read_write.c:599
 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4403c9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff5d8fd448 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403c9
RDX: 0000000000001006 RSI: 0000000020000180 RDI: 0000000000000006
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 000000000000000d R11: 0000000000000246 R12: 0000000000401c30
R13: 0000000000401cc0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6471:
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 __alloc_skb+0xae/0x580 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:995 [inline]
 __tcp_send_ack+0xb3/0x610 net/ipv4/tcp_output.c:3619
 tcp_delack_timer_handler+0x339/0x760 net/ipv4/tcp_timer.c:303
 tcp_delack_timer+0x95/0x270 net/ipv4/tcp_timer.c:330
 call_timer_fn+0x177/0x760 kernel/time/timer.c:1338
 expire_timers+0x243/0x500 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1703 [inline]
 run_timer_softirq+0x259/0x730 kernel/time/timer.c:1716
 __do_softirq+0x27d/0xad2 kernel/softirq.c:292

Freed by task 0:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x250 mm/slab.c:3822
 skb_free_head net/core/skbuff.c:554 [inline]
 skb_release_data+0x6ea/0x930 net/core/skbuff.c:574
 skb_release_all net/core/skbuff.c:631 [inline]
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb+0x113/0x3e0 net/core/skbuff.c:705
 __dev_kfree_skb_any+0x9c/0xd0 net/core/dev.c:2796
 dev_consume_skb_any include/linux/netdevice.h:3557 [inline]
 napi_consume_skb+0x4a8/0x650 net/core/skbuff.c:769
 free_old_xmit_skbs+0xdb/0x240 drivers/net/virtio_net.c:1379
 start_xmit+0x156/0x17c0 drivers/net/virtio_net.c:1575
 __netdev_start_xmit include/linux/netdevice.h:4333 [inline]
 netdev_start_xmit include/linux/netdevice.h:4347 [inline]
 xmit_one net/core/dev.c:3256 [inline]
 dev_hard_start_xmit+0x1a8/0x960 net/core/dev.c:3272
 sch_direct_xmit+0x2cf/0xf70 net/sched/sch_generic.c:332
 qdisc_restart net/sched/sch_generic.c:395 [inline]
 __qdisc_run+0x4fc/0x1680 net/sched/sch_generic.c:403
 qdisc_run include/net/pkt_sched.h:120 [inline]
 __dev_xmit_skb net/core/dev.c:3451 [inline]
 __dev_queue_xmit+0x21fe/0x2ec0 net/core/dev.c:3807
 neigh_hh_output include/net/neighbour.h:491 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip_finish_output2+0xc04/0x1640 net/ipv4/ip_output.c:230
 ip_finish_output+0x88e/0xd80 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x203/0x650 net/ipv4/ip_output.c:406
 dst_output include/net/dst.h:455 [inline]
 ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
 __ip_queue_xmit+0x8a0/0x1bd0 net/ipv4/ip_output.c:506
 __tcp_transmit_skb+0x1c72/0x36c0 net/ipv4/tcp_output.c:1148
 tcp_transmit_skb net/ipv4/tcp_output.c:1164 [inline]
 tcp_write_xmit+0x839/0x5050 net/ipv4/tcp_output.c:2389
 __tcp_push_pending_frames+0xae/0x280 net/ipv4/tcp_output.c:2568
 tcp_push_pending_frames include/net/tcp.h:1772 [inline]
 tcp_data_snd_check net/ipv4/tcp_input.c:5179 [inline]
 tcp_rcv_established+0x1359/0x1d10 net/ipv4/tcp_input.c:5588
 tcp_v4_do_rcv+0x5d6/0x870 net/ipv4/tcp_ipv4.c:1544
 tcp_v4_rcv+0x2c1d/0x3bd0 net/ipv4/tcp_ipv4.c:1829
 ip_local_deliver_finish+0x4cb/0xc80 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip_local_deliver+0x188/0x560 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:461 [inline]
 ip_rcv_finish+0x1ca/0x2e0 net/ipv4/ip_input.c:414
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip_rcv+0xca/0x420 net/ipv4/ip_input.c:524
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:4954
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5066
 netif_receive_skb_internal+0x110/0x450 net/core/dev.c:5156
 napi_skb_finish net/core/dev.c:5600 [inline]
 napi_gro_receive+0x303/0x460 net/core/dev.c:5631
 receive_buf+0x1045/0x6250 drivers/net/virtio_net.c:1072
 virtnet_receive drivers/net/virtio_net.c:1336 [inline]
 virtnet_poll+0x52f/0xda0 drivers/net/virtio_net.c:1441
 napi_poll net/core/dev.c:6272 [inline]
 net_rx_action+0x4e5/0x10d0 net/core/dev.c:6338
 __do_softirq+0x27d/0xad2 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880898b0dc0
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 126 bytes to the right of
 1024-byte region [ffff8880898b0dc0, ffff8880898b11c0)
The buggy address belongs to the page:
page:ffffea0002262c00 count:1 mapcount:0 mapping:ffff88812c3f6ac0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002931388 ffffea0002267b08 ffff88812c3f6ac0
raw: 0000000000000000 ffff8880898b0040 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880898b1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880898b1180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880898b1200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                                        ^
 ffff8880898b1280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880898b1300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (138):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci2-linux-4-19	2020/10/17 23:10	linux-4.19.y	ad326970d25c	fea47c01	.config	log	report	syz	C
ci2-linux-4-19	2020/07/12 10:40	linux-4.19.y	dce0f88600e4	115e1930	.config	log	report	syz	C
ci2-linux-4-19	2020/04/14 17:44	linux-4.19.y	6dd0e32665e5	3f3c5574	.config	log	report	syz	C
ci2-linux-4-19	2019/12/08 09:46	linux-4.19.y	fb683b5e3f53	1508f453	.config	log	report	syz	C
ci2-linux-4-19	2019/12/03 11:46	linux-4.19.y	174651bdf802	ab342da3	.config	log	report	syz	C
ci2-linux-4-19	2021/05/21 06:53	linux-4.19.y	3c8c23092588	3c7fef33	.config	log	report			info	KASAN: slab-out-of-bounds Read in bit_putcs
ci2-linux-4-19	2021/05/07 22:25	linux-4.19.y	3c8c23092588	bc5434be	.config	log	report			info	KASAN: slab-out-of-bounds Read in bit_putcs
ci2-linux-4-19	2021/03/05 18:22	linux-4.19.y	dfb571610ba3	4a024a9b	.config	log	report			info	KASAN: slab-out-of-bounds Read in bit_putcs
ci2-linux-4-19	2021/02/04 09:41	linux-4.19.y	811218eceeaa	624dad51	.config	log	report			info	KASAN: slab-out-of-bounds Read in bit_putcs
ci2-linux-4-19	2021/01/21 12:53	linux-4.19.y	43d555d83c3f	d4f4eca5	.config	log	report			info	KASAN: slab-out-of-bounds Read in bit_putcs
ci2-linux-4-19	2021/01/04 21:06	linux-4.19.y	3207316b3bee	2a28ff1f	.config	log	report			info
ci2-linux-4-19	2020/12/17 21:24	linux-4.19.y	13d2ce42de8c	04201c06	.config	log	report			info
ci2-linux-4-19	2020/11/30 00:09	linux-4.19.y	0c88e405c97e	a0092f9d	.config	log	report			info
ci2-linux-4-19	2020/11/25 20:41	linux-4.19.y	0c88e405c97e	3f581b43	.config	log	report			info
ci2-linux-4-19	2020/11/03 22:35	linux-4.19.y	f5d8eef067ac	cba33199	.config	log	report			info
ci2-linux-4-19	2020/11/03 11:51	linux-4.19.y	f5d8eef067ac	cba33199	.config	log	report			info
ci2-linux-4-19	2020/10/21 03:07	linux-4.19.y	ad326970d25c	ff4a3345	.config	log	report			info
ci2-linux-4-19	2020/10/09 12:44	linux-4.19.y	a1b977b49b66	fa79ed2a	.config	log	report			info
ci2-linux-4-19	2020/10/03 00:42	linux-4.19.y	b09c34517e1a	062c9832	.config	log	report			info
ci2-linux-4-19	2020/09/16 21:16	linux-4.19.y	a87f96283793	77507d02	.config	log	report			info
ci2-linux-4-19	2020/09/16 17:38	linux-4.19.y	a87f96283793	77507d02	.config	log	report			info
ci2-linux-4-19	2020/09/08 20:54	linux-4.19.y	c37da90efff5	abf9ba4f	.config	log	report
ci2-linux-4-19	2020/08/31 06:39	linux-4.19.y	f6d5cb9e2c06	d5a3ae1f	.config	log	report
ci2-linux-4-19	2020/08/22 19:51	linux-4.19.y	d18b78abc0c6	6436ce4b	.config	log	report
ci2-linux-4-19	2020/08/15 20:51	linux-4.19.y	c14d30dc9987	5ce13532	.config	log	report
ci2-linux-4-19	2020/08/14 00:16	linux-4.19.y	c14d30dc9987	54ce1ed6	.config	log	report
ci2-linux-4-19	2020/08/12 23:54	linux-4.19.y	c14d30dc9987	bc15f7db	.config	log	report
ci2-linux-4-19	2020/08/11 03:07	linux-4.19.y	961f830af065	d3694ffb	.config	log	report
ci2-linux-4-19	2020/08/05 16:49	linux-4.19.y	c076c79e03c6	b7129355	.config	log	report
ci2-linux-4-19	2020/07/22 02:43	linux-4.19.y	17a87580a885	21f1765e	.config	log	report
ci2-linux-4-19	2020/07/19 20:25	linux-4.19.y	17a87580a885	9c812472	.config	log	report
ci2-linux-4-19	2020/07/16 12:49	linux-4.19.y	17a87580a885	b090c643	.config	log	report
ci2-linux-4-19	2020/07/15 22:22	linux-4.19.y	dce0f88600e4	ada108d0	.config	log	report
ci2-linux-4-19	2020/07/07 19:20	linux-4.19.y	399849e4654e	08fc4ef1	.config	log	report
ci2-linux-4-19	2020/07/05 12:39	linux-4.19.y	399849e4654e	22f87567	.config	log	report
ci2-linux-4-19	2020/07/04 17:34	linux-4.19.y	399849e4654e	4f739670	.config	log	report
ci2-linux-4-19	2020/07/01 11:12	linux-4.19.y	399849e4654e	090d8f7b	.config	log	report
ci2-linux-4-19	2020/07/01 08:03	linux-4.19.y	a39e75458e1c	c0383ebe	.config	log	report
ci2-linux-4-19	2020/06/27 09:30	linux-4.19.y	a39e75458e1c	032b4239	.config	log	report
ci2-linux-4-19	2020/06/27 05:39	linux-4.19.y	a39e75458e1c	ffec44b5	.config	log	report
ci2-linux-4-19	2020/06/26 12:02	linux-4.19.y	a39e75458e1c	b202c7a8	.config	log	report
ci2-linux-4-19	2020/06/24 18:50	linux-4.19.y	b3a99fd385fa	41694dbf	.config	log	report
ci2-linux-4-19	2020/06/24 16:03	linux-4.19.y	b3a99fd385fa	41694dbf	.config	log	report
ci2-linux-4-19	2020/06/24 09:23	linux-4.19.y	b3a99fd385fa	bbad15ae	.config	log	report
ci2-linux-4-19	2020/06/22 17:06	linux-4.19.y	b3a99fd385fa	1afe1535	.config	log	report
ci2-linux-4-19	2020/06/21 15:12	linux-4.19.y	3fc898571b97	4f2acff9	.config	log	report
ci2-linux-4-19	2020/06/19 15:04	linux-4.19.y	3fc898571b97	123cf502	.config	log	report
ci2-linux-4-19	2020/06/18 16:37	linux-4.19.y	3fc898571b97	3ea11d3f	.config	log	report
ci2-linux-4-19	2020/06/13 22:34	linux-4.19.y	3fc898571b97	dbce178a	.config	log	report
ci2-linux-4-19	2020/06/12 17:31	linux-4.19.y	3fc898571b97	3036d6fd	.config	log	report
ci2-linux-4-19	2020/06/08 16:00	linux-4.19.y	106fa147d3da	7604bb03	.config	log	report
ci2-linux-4-19	2020/06/06 14:10	linux-4.19.y	4707d8e57273	e6b89e4e	.config	log	report
ci2-linux-4-19	2020/06/05 13:53	linux-4.19.y	4707d8e57273	d36418e9	.config	log	report