bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
==================================================================
BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0x81/0xa0 drivers/tty/vt/vt.c:4543
Read of size 2 at addr ffff88021933d440 by task syz-executor.1/6840

CPU: 1 PID: 6840 Comm: syz-executor.1 Not tainted 4.18.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x109/0x15a lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
 vcs_scr_readw+0x81/0xa0 drivers/tty/vt/vt.c:4543
 vcs_write+0x44d/0xaa0 drivers/tty/vt/vc_screen.c:525
 __vfs_write+0xe3/0x880 fs/read_write.c:485
 vfs_write+0x150/0x4f0 fs/read_write.c:549
 ksys_write+0xcd/0x1b0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x6e/0xb0 fs/read_write.c:607
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a679
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
RSP: 002b:00007f6df08d3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
RDX: 00000000fffffecb RSI: 0000000020000300 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6df08d46d4
R13: 00000000004d3700 R14: 00000000004e52f0 R15: 00000000ffffffff

Allocated by task 1:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x7a0 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 vc_do_resize+0x1ba/0x1270 drivers/tty/vt/vt.c:1104
 vc_resize+0x3d/0x60 drivers/tty/vt/vt.c:1220
 fbcon_init+0xefa/0x1fd0 drivers/video/fbdev/core/fbcon.c:1165
 visual_init+0x314/0x5d0 drivers/tty/vt/vt.c:976
 do_bind_con_driver+0x4c5/0x8d0 drivers/tty/vt/vt.c:3440
 do_take_over_console+0x3d2/0x560 drivers/tty/vt/vt.c:4001
 do_fbcon_takeover+0xcb/0x1a0 drivers/video/fbdev/core/fbcon.c:544
 fbcon_fb_registered drivers/video/fbdev/core/fbcon.c:3192 [inline]
 fbcon_event_notify+0x1604/0x1d90 drivers/video/fbdev/core/fbcon.c:3322
 notifier_call_chain+0x8a/0x160 kernel/notifier.c:93
 __blocking_notifier_call_chain kernel/notifier.c:317 [inline]
 blocking_notifier_call_chain+0x6b/0xa0 kernel/notifier.c:328
 fb_notifier_call_chain+0x16/0x20 drivers/video/fbdev/core/fb_notify.c:45
 do_register_framebuffer drivers/video/fbdev/core/fbmem.c:1700 [inline]
 register_framebuffer+0x55f/0x8f0 drivers/video/fbdev/core/fbmem.c:1794
 vga16fb_probe+0x680/0x75b drivers/video/fbdev/vga16fb.c:1373
 platform_drv_probe+0x79/0x110 drivers/base/platform.c:579
 really_probe drivers/base/dd.c:446 [inline]
 driver_probe_device+0x46b/0x6a0 drivers/base/dd.c:588
 __device_attach_driver+0x1bf/0x250 drivers/base/dd.c:684
 bus_for_each_drv+0x11d/0x1c0 drivers/base/bus.c:461
 __device_attach+0x1f2/0x2d0 drivers/base/dd.c:741
 device_initial_probe+0xe/0x10 drivers/base/dd.c:788
 bus_probe_device+0x1a4/0x250 drivers/base/bus.c:521
 device_add+0x92f/0x14b0 drivers/base/core.c:1875
 platform_device_add+0x2a8/0x5d0 drivers/base/platform.c:417
 vga16fb_init+0x127/0x18b drivers/video/fbdev/vga16fb.c:1431
 do_one_initcall+0xbc/0x5b0 init/main.c:884
 do_initcall_level init/main.c:952 [inline]
 do_initcalls init/main.c:960 [inline]
 do_basic_setup init/main.c:978 [inline]
 kernel_init_freeable+0x43b/0x4df init/main.c:1135
 kernel_init+0xc/0x114 init/main.c:1061
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:412

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88021933c180
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 4800 bytes inside of
 8192-byte region [ffff88021933c180, ffff88021933e180)
The buggy address belongs to the page:
page:ffffea000864cf00 count:1 mapcount:0 mapping:ffff8800aa802080 index:0x0 compound_mapcount: 0
flags: 0x57ffe0000008100(slab|head)
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
raw: 057ffe0000008100 ffffea000864c408 ffffea0008619f08 ffff8800aa802080
raw: 0000000000000000 ffff88021933c180 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88021933d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88021933d380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88021933d400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff88021933d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88021933d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================