==================================================================
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x1ed0/0x2240 drivers/video/fbdev/core/sysimgblt.c:323
Write of size 4 at addr ffffc90004421000 by task syz-executor.5/2171

CPU: 0 PID: 2171 Comm: syz-executor.5 Not tainted 5.19.0-rc5-syzkaller-00228-ge5524c2a1fc4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
 sys_imageblit+0x1ed0/0x2240 drivers/video/fbdev/core/sysimgblt.c:323
 drm_fb_helper_sys_imageblit drivers/gpu/drm/drm_fb_helper.c:825 [inline]
 drm_fbdev_fb_imageblit+0x15c/0x350 drivers/gpu/drm/drm_fb_helper.c:2328
 soft_cursor+0x514/0xa30 drivers/video/fbdev/core/softcursor.c:74
 bit_cursor+0x11bc/0x1770 drivers/video/fbdev/core/bitblit.c:377
 fbcon_cursor+0x3dc/0x540 drivers/video/fbdev/core/fbcon.c:1328
 set_cursor drivers/tty/vt/vt.c:920 [inline]
 set_cursor+0x1d2/0x240 drivers/tty/vt/vt.c:911
 con_flush_chars drivers/tty/vt/vt.c:3368 [inline]
 con_flush_chars+0x6c/0x90 drivers/tty/vt/vt.c:3357
 con_write+0x2c/0x40 drivers/tty/vt/vt.c:3296
 do_output_char+0x5de/0x850 drivers/tty/n_tty.c:435
 process_output drivers/tty/n_tty.c:501 [inline]
 n_tty_write+0x4c3/0xfc0 drivers/tty/n_tty.c:2309
 do_tty_write drivers/tty/tty_io.c:1024 [inline]
 file_tty_write.constprop.0+0x520/0x900 drivers/tty/tty_io.c:1095
 call_write_iter include/linux/fs.h:2058 [inline]
 do_iter_readv_writev+0x3d1/0x640 fs/read_write.c:742
 do_iter_write+0x182/0x700 fs/read_write.c:868
 vfs_iter_write+0x70/0xa0 fs/read_write.c:909
 iter_file_splice_write+0x723/0xc70 fs/splice.c:689
 do_splice_from fs/splice.c:767 [inline]
 direct_splice_actor+0x110/0x180 fs/splice.c:936
 splice_direct_to_actor+0x34b/0x8c0 fs/splice.c:891
 do_splice_direct+0x1a7/0x270 fs/splice.c:979
 do_sendfile+0xae0/0x1240 fs/read_write.c:1262
 __do_sys_sendfile64 fs/read_write.c:1327 [inline]
 __se_sys_sendfile64 fs/read_write.c:1313 [inline]
 __x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1313
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f0da4889109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0da59d1168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f0da499c030 RCX: 00007f0da4889109
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000007
RBP: 00007f0da48e305d R08: 0000000000000000 R09: 0000000000000000
R10: 0800000080004107 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcd719fa3f R14: 00007f0da59d1300 R15: 0000000000022000

The buggy address belongs to the virtual mapping at
 [ffffc90004121000, ffffc90004422000) created by:
 drm_gem_shmem_vmap_locked drivers/gpu/drm/drm_gem_shmem_helper.c:319 [inline]
 drm_gem_shmem_vmap+0x3d7/0x5a0 drivers/gpu/drm/drm_gem_shmem_helper.c:366

Memory state around the buggy address:
 ffffc90004420f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004420f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90004421000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90004421080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004421100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
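Added triage helper (an editorial example, not part of the syzbot report or of the kernel): it parses the report above and works out where the 4-byte write landed relative to the shmem GEM vmap and what the shadow byte under it means. It relies on two kernel facts stated here as assumptions the reader should check against their own tree: vmap()/get_vm_area() reserves one trailing guard page unless VM_NO_GUARD is set and the printed mapping range includes that page, and the shadow value 0xf8 is KASAN_VMALLOC_INVALID from mm/kasan/kasan.h (generic KASAN, 8-byte granules). The REPORT string is copied from the report above; the function names parse_report, shadow_at, analyze and shadow_meaning are the example's own.

```python
import re

# Lines copied from the KASAN report above, trimmed to what this helper needs
# (this is the report's own text, not constructed data).
REPORT = """\
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
Write of size 4 at addr ffffc90004421000 by task syz-executor.5/2171
The buggy address belongs to the virtual mapping at
 [ffffc90004121000, ffffc90004422000) created by:
 drm_gem_shmem_vmap_locked drivers/gpu/drm/drm_gem_shmem_helper.c:319 [inline]
 drm_gem_shmem_vmap+0x3d7/0x5a0 drivers/gpu/drm/drm_gem_shmem_helper.c:366
Memory state around the buggy address:
 ffffc90004420f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004420f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90004421000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90004421080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004421100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
"""

PAGE_SIZE = 0x1000       # x86-64 base page, as in the report's environment
SHADOW_GRANULE = 8       # generic KASAN: one shadow byte covers 8 bytes of memory

# Shadow-byte legend; values as defined in mm/kasan/kasan.h (assumption: your
# tree uses the same constants, which have been stable across 5.x).
SHADOW_LEGEND = {
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf8: "vmalloc: inaccessible space inside a vmap area (e.g. the trailing guard page)",
    0xf9: "global variable redzone",
    0xfa: "freed slab object (with free track)",
    0xfb: "freed slab object",
    0xfc: "slab object redzone",
    0xfe: "kmalloc_large page redzone",
    0xff: "freed page",
}


def shadow_meaning(value):
    """Translate one shadow byte into the KASAN legend wording."""
    if value == 0x00:
        return "fully accessible"
    if 1 <= value <= 7:
        return f"partially accessible: first {value} of {SHADOW_GRANULE} bytes"
    return SHADOW_LEGEND.get(value, f"unknown shadow value 0x{value:02x}")


def parse_report(text):
    """Pull the access, the vmap range and the shadow rows out of a report."""
    access = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    vm_range = re.search(r"\[([0-9a-f]+), ([0-9a-f]+)\)", text)
    if not access or not vm_range:
        raise ValueError("not a vmalloc-out-of-bounds KASAN report")
    rows = {}
    for line in text.splitlines():
        m = re.match(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line.rstrip())
        if m:
            rows[int(m.group(1), 16)] = bytes.fromhex(m.group(2).replace(" ", ""))
    return {
        "kind": access.group(1),
        "size": int(access.group(2)),
        "addr": int(access.group(3), 16),
        "vm_start": int(vm_range.group(1), 16),
        "vm_end": int(vm_range.group(2), 16),
        "shadow": rows,
    }


def shadow_at(report, addr):
    """Look up the shadow byte covering addr in the dumped rows (None if absent)."""
    for row_addr, values in report["shadow"].items():
        if row_addr <= addr < row_addr + len(values) * SHADOW_GRANULE:
            return values[(addr - row_addr) // SHADOW_GRANULE]
    return None


def analyze(report):
    """Locate the access relative to the usable part of the vmap."""
    # vmap()/get_vm_area() adds one guard page at the tail unless VM_NO_GUARD
    # is set, and the report prints the range including it (assumption, see
    # lead-in), so the buffer the driver may touch ends one page early.
    usable_end = report["vm_end"] - PAGE_SIZE
    return {
        "usable_size": usable_end - report["vm_start"],
        "offset": report["addr"] - report["vm_start"],
        "past_end": report["addr"] + report["size"] - usable_end,
        "in_guard_page": usable_end <= report["addr"] < report["vm_end"],
        "shadow": shadow_at(report, report["addr"]),
    }


if __name__ == "__main__":
    rep = parse_report(REPORT)
    res = analyze(rep)
    print(f"{rep['kind']} of {rep['size']} bytes at offset 0x{res['offset']:x} "
          f"of a 0x{res['usable_size']:x}-byte vmap; {res['past_end']} byte(s) past the end; "
          f"guard page: {res['in_guard_page']}; shadow 0x{res['shadow']:02x} = "
          f"{shadow_meaning(res['shadow'])}")
```

For this report the helper gives a usable vmap of 0x300000 bytes (3 MiB, the size of a 1024x768 framebuffer at 32 bpp; the mode itself is not recorded in the report, so that is an inference), an access offset of exactly 0x300000, and shadow 0xf8: the cursor blit wrote the first 4 bytes past the end of the framebuffer, into the vmalloc guard page, rather than through a wild pointer. That is the usual KASAN signature of a bounds or clipping error at the bottom-right edge of the framebuffer, and it is why the shadow rows above the caret are 00 and everything from the caret on is f8.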