==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:380 [inline]
BUG: KASAN: use-after-free in soft_cursor+0x439/0xa30 drivers/video/fbdev/core/softcursor.c:70
Read of size 32 at addr ffff888025f5c410 by task syz-executor.1/14392

CPU: 2 PID: 14392 Comm: syz-executor.1 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
 memcpy+0x24/0x50 mm/kasan/common.c:125
 memcpy include/linux/string.h:380 [inline]
 soft_cursor+0x439/0xa30 drivers/video/fbdev/core/softcursor.c:70
 bit_cursor+0x12fc/0x1a60 drivers/video/fbdev/core/bitblit.c:386
 fbcon_cursor+0x487/0x660 drivers/video/fbdev/core/fbcon.c:1402
 hide_cursor+0x9d/0x2b0 drivers/tty/vt/vt.c:895
 redraw_screen+0x60b/0x7d0 drivers/tty/vt/vt.c:988
 vc_do_resize+0x10c9/0x1460 drivers/tty/vt/vt.c:1284
 vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1304
 vt_ioctl+0x2076/0x26d0 drivers/tty/vt/vt_ioctl.c:887
 vt_compat_ioctl+0x457/0x7a0 drivers/tty/vt/vt_ioctl.c:1232
 tty_compat_ioctl+0x1b0/0x420 drivers/tty/tty_io.c:2849
 __do_compat_sys_ioctl fs/compat_ioctl.c:214 [inline]
 __se_compat_sys_ioctl fs/compat_ioctl.c:142 [inline]
 __ia32_compat_sys_ioctl+0x233/0x610 fs/compat_ioctl.c:142
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f21a39
Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f5d1d0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000000560a
RDX: 0000000020000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 10:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
 __do_kmalloc_node mm/slab.c:3616 [inline]
 __kmalloc_node_track_caller+0x4e/0x70 mm/slab.c:3630
 __kmalloc_reserve.isra.0+0x40/0xf0 net/core/skbuff.c:141
 __alloc_skb+0x10b/0x5e0 net/core/skbuff.c:209
 alloc_skb include/linux/skbuff.h:1049 [inline]
 nlmsg_new include/net/netlink.h:888 [inline]
 fdb_notify+0x9f/0x190 net/bridge/br_fdb.c:698
 br_fdb_update+0x39d/0xbf0 net/bridge/br_fdb.c:596
 br_handle_frame_finish+0x847/0x1670 net/bridge/br_input.c:91
 br_nf_hook_thresh+0x2e9/0x370 net/bridge/br_netfilter_hooks.c:1019
 br_nf_pre_routing_finish_ipv6+0x6fa/0xdb0 net/bridge/br_netfilter_ipv6.c:206
 NF_HOOK include/linux/netfilter.h:307 [inline]
 br_nf_pre_routing_ipv6+0x456/0x830 net/bridge/br_netfilter_ipv6.c:236
 br_nf_pre_routing+0x1896/0x22b3 net/bridge/br_netfilter_hooks.c:505
 nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:224 [inline]
 br_handle_frame+0x806/0x1340 net/bridge/br_input.c:349
 __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5051
 __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5148
 __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5264
 process_backlog+0x206/0x750 net/core/dev.c:6095
 napi_poll net/core/dev.c:6532 [inline]
 net_rx_action+0x508/0x1120 net/core/dev.c:6600
 __do_softirq+0x262/0x98c kernel/softirq.c:292

Freed by task 10:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:335 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3757
 skb_free_head+0x93/0xb0 net/core/skbuff.c:591
 skb_release_data+0x551/0x8d0 net/core/skbuff.c:611
 skb_release_all+0x4d/0x60 net/core/skbuff.c:665
 __kfree_skb net/core/skbuff.c:679 [inline]
 consume_skb net/core/skbuff.c:838 [inline]
 consume_skb+0xfb/0x410 net/core/skbuff.c:832
 netlink_broadcast_filtered+0x34e/0xd20 net/netlink/af_netlink.c:1512
 netlink_broadcast net/netlink/af_netlink.c:1534 [inline]
 nlmsg_multicast include/net/netlink.h:968 [inline]
 nlmsg_notify+0x93/0x250 net/netlink/af_netlink.c:2520
 rtnl_notify+0xc5/0xf0 net/core/rtnetlink.c:737
 fdb_notify+0xfa/0x190 net/bridge/br_fdb.c:709
 br_fdb_update+0x39d/0xbf0 net/bridge/br_fdb.c:596
 br_handle_frame_finish+0x847/0x1670 net/bridge/br_input.c:91
 br_nf_hook_thresh+0x2e9/0x370 net/bridge/br_netfilter_hooks.c:1019
 br_nf_pre_routing_finish_ipv6+0x6fa/0xdb0 net/bridge/br_netfilter_ipv6.c:206
 NF_HOOK include/linux/netfilter.h:307 [inline]
 br_nf_pre_routing_ipv6+0x456/0x830 net/bridge/br_netfilter_ipv6.c:236
 br_nf_pre_routing+0x1896/0x22b3 net/bridge/br_netfilter_hooks.c:505
 nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:224 [inline]
 br_handle_frame+0x806/0x1340 net/bridge/br_input.c:349
 __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5051
 __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5148
 __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5264
 process_backlog+0x206/0x750 net/core/dev.c:6095
 napi_poll net/core/dev.c:6532 [inline]
 net_rx_action+0x508/0x1120 net/core/dev.c:6600
 __do_softirq+0x262/0x98c kernel/softirq.c:292

The buggy address belongs to the object at ffff888025f5c400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 16 bytes inside of
 512-byte region [ffff888025f5c400, ffff888025f5c600)
The buggy address belongs to the page:
page:ffffea000097d700 refcount:1 mapcount:0 mapping:ffff88802cc00a80 index:0xffff888025f5c800
raw: 00fffe0000000200 ffffea00005b94c8 ffffea0000794948 ffff88802cc00a80
raw: ffff888025f5c800 ffff888025f5c000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888025f5c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888025f5c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888025f5c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888025f5c480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888025f5c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================