==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:381 [inline]
BUG: KASAN: slab-out-of-bounds in soft_cursor+0x430/0xc70 drivers/video/fbdev/core/softcursor.c:70
Read of size 9 at addr ffff8880a1d08051 by task syz-executor.3/8058

CPU: 0 PID: 8058 Comm: syz-executor.3 Not tainted 5.7.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:382
 __kasan_report.cold.11+0x37/0x4e mm/kasan/report.c:511
 kasan_report+0x38/0x50 mm/kasan/common.c:625
 check_memory_region_inline mm/kasan/generic.c:187 [inline]
 check_memory_region+0x1cc/0x1f0 mm/kasan/generic.c:193
 memcpy+0x23/0x60 mm/kasan/common.c:106
 memcpy include/linux/string.h:381 [inline]
 soft_cursor+0x430/0xc70 drivers/video/fbdev/core/softcursor.c:70
 bit_cursor+0xce1/0x22e0 drivers/video/fbdev/core/bitblit.c:386
 fbcon_cursor+0x3db/0x570 drivers/video/fbdev/core/fbcon.c:1411
 hide_cursor+0x75/0x230 drivers/tty/vt/vt.c:896
 redraw_screen+0x4ec/0x730 drivers/tty/vt/vt.c:1000
 vc_do_resize+0xeec/0x12b0 drivers/tty/vt/vt.c:1308
 vc_resize+0x3d/0x60 drivers/tty/vt/vt.c:1328
 vt_ioctl+0x1010/0x24c0 drivers/tty/vt/vt_ioctl.c:901
 tty_ioctl+0x45b/0x12f0 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0xc1/0x110 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:770
 do_syscall_64+0xca/0x630 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45a679
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f87e0dd8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000004
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f87e0dd96d4
R13: 00000000004c6ce2 R14: 00000000004dd2d0 R15: 00000000ffffffff

Allocated by task 1:
 save_stack+0x21/0x50 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc.constprop.17+0xc7/0xd0 mm/kasan/common.c:495
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:503
 slab_post_alloc_hook mm/slab.h:586 [inline]
 slab_alloc mm/slab.c:3320 [inline]
 kmem_cache_alloc+0x121/0x760 mm/slab.c:3484
 mempool_alloc_slab+0x3a/0x50 mm/mempool.c:513
 mempool_init_node+0x28b/0x530 mm/mempool.c:202
 mempool_init+0x11/0x20 mm/mempool.c:231
 mempool_init_slab_pool include/linux/mempool.h:62 [inline]
 biovec_init_pool block/bio.c:1499 [inline]
 bioset_init+0x451/0x650 block/bio.c:1566
 __blk_alloc_queue+0xc2/0x6c0 block/blk-core.c:483
 blk_alloc_queue+0x18/0x90 block/blk-core.c:560
 brd_alloc+0x128/0x4e0 drivers/block/brd.c:384
 brd_init+0xb0/0x3c7 drivers/block/brd.c:519
 do_one_initcall+0xd8/0x5c0 init/main.c:1157
 do_initcall_level init/main.c:1230 [inline]
 do_initcalls init/main.c:1246 [inline]
 do_basic_setup init/main.c:1266 [inline]
 kernel_init_freeable+0x492/0x508 init/main.c:1450
 kernel_init+0xc/0x111 init/main.c:1357
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880a1d08800
 which belongs to the cache biovec-max of size 4096
The buggy address is located 1967 bytes to the left of
 4096-byte region [ffff8880a1d08800, ffff8880a1d09800)
The buggy address belongs to the page:
page:ffffea0002874200 refcount:1 mapcount:0 mapping:000000003e82e272 index:0x0 head:ffffea0002874200 order:1 compound_mapcount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0002873f88 ffffea0002874308 ffff88821ae17380
raw: 0000000000000000 ffff8880a1d08800 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a1d07f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a1d07f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a1d08000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffff8880a1d08080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a1d08100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================