__alloc_pages_slowpath+0xc42/0xce0 mm/page_alloc.c:4888 __alloc_frozen_pages_noprof+0x319/0x370 mm/page_alloc.c:5161 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 ___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4306 __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4337 __do_kmalloc_node mm/slub.c:4353 [inline] __kmalloc_noprof+0x36f/0x4f0 mm/slub.c:4377 kmalloc_noprof include/linux/slab.h:909 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] vc_do_resize+0x326/0x1770 drivers/tty/vt/vt.c:1182 vc_resize include/linux/vt_kern.h:49 [inline] fbcon_set_disp+0x9ec/0xf80 drivers/video/fbdev/core/fbcon.c:1428 con2fb_init_display drivers/video/fbdev/core/fbcon.c:828 [inline] set_con2fb_map+0xb53/0x13c0 drivers/video/fbdev/core/fbcon.c:901 fbcon_set_con2fb_map_ioctl+0x18a/0x1f0 drivers/video/fbdev/core/fbcon.c:3131 do_fb_ioctl+0x3df/0x750 drivers/video/fbdev/core/fb_chrdev.c:138 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f10d018eb69 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f10d0fc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f10d03b5fa0 RCX: 00007f10d018eb69 RDX: 00002000000000c0 RSI: 0000000000004610 RDI: 0000000000000005 RBP: 00007f10d0211df1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f10d03b5fa0 R15: 00007fff84abdc38 Mem-Info: active_anon:3084 inactive_anon:2127 isolated_anon:0 active_file:570 inactive_file:38689 isolated_file:0 unevictable:1768 dirty:0 writeback:0 slab_reclaimable:7434 slab_unreclaimable:30664 mapped:10212 shmem:4640 pagetables:658 sec_pagetables:289 bounce:0 kernel_misc_reclaimable:0 free:34132 free_pcp:7 free_cma:0 Node 0 active_anon:108kB inactive_anon:7860kB active_file:1484kB inactive_file:0kB unevictable:192kB isolated(anon):0kB isolated(file):0kB mapped:1464kB dirty:0kB writeback:0kB shmem:7912kB shmem_thp:0kB shmem_pmdmapped:0kB anon_thp:0kB kernel_stack:3176kB pagetables:632kB sec_pagetables:1092kB all_unreclaimable? no Balloon:0kB Node 0 DMA free:3340kB boost:2048kB min:2808kB low:2996kB high:3184kB reserved_highatomic:0KB free_highatomic:0KB active_anon:0kB inactive_anon:144kB active_file:0kB inactive_file:0kB unevictable:192kB writepending:0kB present:15992kB managed:15360kB mlocked:0kB bounce:0kB free_pcp:8kB local_pcp:8kB free_cma:0kB lowmem_reserve[]: 0 119 119 119 119 Node 0 DMA32 free:9700kB boost:6144kB min:10896kB low:12084kB high:13272kB reserved_highatomic:0KB free_highatomic:0KB active_anon:108kB inactive_anon:7716kB active_file:1484kB inactive_file:0kB unevictable:0kB writepending:0kB present:770052kB managed:122352kB mlocked:0kB bounce:0kB free_pcp:20kB local_pcp:20kB free_cma:0kB lowmem_reserve[]: 0 0 0 0 0 Node 0 DMA: 22*4kB (UME) 20*8kB (UME) 29*16kB (UME) 40*32kB (UME) 5*64kB (UME) 2*128kB (UM) 1*256kB (E) 1*512kB (E) 0*1024kB 0*2048kB 0*4096kB = 3336kB Node 0 DMA32: 231*4kB (UM) 112*8kB (UME) 31*16kB (UM) 109*32kB (UME) 41*64kB (UM) 4*128kB (UM) 1*256kB (M) 1*512kB (M) 0*1024kB 0*2048kB 0*4096kB = 9708kB Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=1048576kB Node 0 hugepages_total=2 hugepages_free=2 hugepages_surp=0 hugepages_size=2048kB 43953 total pagecache pages 47 pages in swap cache Free swap = 116756kB Total swap = 124996kB 393083 pages RAM 0 pages HighMem/MovableOnly 185952 pages reserved 0 pages cma reserved ================================================================== BUG: KASAN: vmalloc-out-of-bounds in fb_write_offset drivers/video/fbdev/core/sysmem.h:30 [inline] BUG: KASAN: vmalloc-out-of-bounds in fb_bitmap_2ppw drivers/video/fbdev/core/fb_imageblit.h:364 [inline] BUG: KASAN: vmalloc-out-of-bounds in fb_bitmap_imageblit drivers/video/fbdev/core/fb_imageblit.h:462 [inline] BUG: KASAN: vmalloc-out-of-bounds in fb_imageblit drivers/video/fbdev/core/fb_imageblit.h:492 [inline] BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0xfe2/0x1e50 drivers/video/fbdev/core/sysimgblt.c:24 Write of size 8 at addr ffffc90001e49000 by task syz.0.0/5357 CPU: 0 UID: 0 PID: 5357 Comm: syz.0.0 Not tainted 6.16.0-syzkaller-11489-gd2eedaa3909b #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 fb_write_offset drivers/video/fbdev/core/sysmem.h:30 [inline] fb_bitmap_2ppw drivers/video/fbdev/core/fb_imageblit.h:364 [inline] fb_bitmap_imageblit drivers/video/fbdev/core/fb_imageblit.h:462 [inline] fb_imageblit drivers/video/fbdev/core/fb_imageblit.h:492 [inline] sys_imageblit+0xfe2/0x1e50 drivers/video/fbdev/core/sysimgblt.c:24 drm_fbdev_shmem_defio_imageblit+0x2c/0x110 drivers/gpu/drm/drm_fbdev_shmem.c:38 bit_putcs+0x1763/0x1a50 drivers/video/fbdev/core/bitblit.c:-1 fbcon_putcs+0x3e5/0x5f0 drivers/video/fbdev/core/fbcon.c:1326 do_update_region+0x388/0x440 drivers/tty/vt/vt.c:627 redraw_screen+0x91a/0xe90 drivers/tty/vt/vt.c:979 con2fb_init_display drivers/video/fbdev/core/fbcon.c:828 [inline] set_con2fb_map+0xb53/0x13c0 drivers/video/fbdev/core/fbcon.c:901 fbcon_set_con2fb_map_ioctl+0x18a/0x1f0 drivers/video/fbdev/core/fbcon.c:3131 do_fb_ioctl+0x3df/0x750 drivers/video/fbdev/core/fb_chrdev.c:138 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f10d018eb69 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f10d0fc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f10d03b5fa0 RCX: 00007f10d018eb69 RDX: 00002000000000c0 RSI: 0000000000004610 RDI: 0000000000000005 RBP: 00007f10d0211df1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f10d03b5fa0 R15: 00007fff84abdc38 The buggy address belongs to a 0-page vmalloc region starting at 0xffffc90001b49000 allocated at drm_gem_shmem_vmap_locked+0x556/0x790 drivers/gpu/drm/drm_gem_shmem_helper.c:371 Memory state around the buggy address: ffffc90001e48f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc90001e48f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc90001e49000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc90001e49080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90001e49100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ==================================================================