================================================================== BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x689/0x6f0 drivers/video/fbdev/core/fbcon.c:2491 Read of size 1 at addr ffff888046422710 by task syz-executor.2/27140 CPU: 0 PID: 27140 Comm: syz-executor.2 Not tainted 5.8.0-next-20200814-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 fbcon_get_font+0x689/0x6f0 drivers/video/fbdev/core/fbcon.c:2491 con_font_get drivers/tty/vt/vt.c:4570 [inline] con_font_op+0x1f5/0x1110 drivers/tty/vt/vt.c:4729 do_fontx_ioctl drivers/tty/vt/vt_ioctl.c:514 [inline] vt_io_ioctl drivers/tty/vt/vt_ioctl.c:611 [inline] vt_ioctl+0x18fe/0x2c20 drivers/tty/vt/vt_ioctl.c:846 tty_ioctl+0x1019/0x15f0 drivers/tty/tty_io.c:2656 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45d239 Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fad878b6c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000000000000e540 RCX: 000000000045d239 RDX: 0000000020000480 RSI: 0000000000004b6b RDI: 0000000000000003 RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c R13: 00007ffc2b07f26f R14: 00007fad878b79c0 R15: 000000000118cf4c Allocated by task 27057: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 __do_kmalloc mm/slab.c:3655 [inline] __kmalloc+0x1a8/0x320 mm/slab.c:3664 kmalloc include/linux/slab.h:559 [inline] fbcon_set_font+0x34f/0x8b0 drivers/video/fbdev/core/fbcon.c:2673 con_font_set drivers/tty/vt/vt.c:4662 [inline] con_font_op+0xd25/0x1110 drivers/tty/vt/vt.c:4727 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:473 [inline] vt_ioctl+0x20b9/0x2c20 drivers/tty/vt/vt_ioctl.c:842 tty_ioctl+0x1019/0x15f0 drivers/tty/tty_io.c:2656 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888046420000 which belongs to the cache kmalloc-16k of size 16384 The buggy address is located 10000 bytes inside of 16384-byte region [ffff888046420000, ffff888046424000) The buggy address belongs to the page: page:000000001a84a9d1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x46420 head:000000001a84a9d1 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfffe0000010200(slab|head) raw: 00fffe0000010200 ffffea000148b608 ffff8880aa041c50 ffff8880aa040b00 raw: 0000000000000000 ffff888046420000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888046422600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888046422680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888046422700: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888046422780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888046422800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================