================================================================== BUG: KASAN: slab-out-of-bounds in scr_memcpyw include/linux/vt_buffer.h:49 [inline] BUG: KASAN: slab-out-of-bounds in vc_do_resize+0xb8e/0x1a10 drivers/tty/vt/vt.c:1274 Read of size 4 at addr ffff888092e9c7a2 by task syz-executor.1/16300 CPU: 0 PID: 16300 Comm: syz-executor.1 Not tainted 5.7.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1e9/0x30e lib/dump_stack.c:118 print_address_description+0x74/0x5c0 mm/kasan/report.c:382 __kasan_report+0x103/0x1a0 mm/kasan/report.c:511 kasan_report+0x4d/0x80 mm/kasan/common.c:625 Allocated by task 16300: save_stack mm/kasan/common.c:49 [inline] set_track mm/kasan/common.c:57 [inline] __kasan_kmalloc+0x114/0x160 mm/kasan/common.c:495 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc+0x24b/0x330 mm/slab.c:3665 kmalloc include/linux/slab.h:560 [inline] kzalloc+0x1d/0x40 include/linux/slab.h:669 vc_do_resize+0x28e/0x1a10 drivers/tty/vt/vt.c:1211 fbcon_modechanged+0x710/0xd90 drivers/video/fbdev/core/fbcon.c:2989 fb_set_var+0x822/0xcc0 drivers/video/fbdev/core/fbmem.c:1056 fbcon_resize+0x7bb/0xff0 drivers/video/fbdev/core/fbcon.c:2231 resize_screen drivers/tty/vt/vt.c:1150 [inline] vc_do_resize+0x42a/0x1a10 drivers/tty/vt/vt.c:1229 fbcon_modechanged+0x710/0xd90 drivers/video/fbdev/core/fbcon.c:2989 fb_set_var+0x822/0xcc0 drivers/video/fbdev/core/fbmem.c:1056 do_fb_ioctl+0x502/0x6f0 drivers/video/fbdev/core/fbmem.c:1109 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl fs/ioctl.c:763 [inline] __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl+0xf9/0x160 fs/ioctl.c:770 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Freed by task 4109: save_stack mm/kasan/common.c:49 [inline] set_track mm/kasan/common.c:57 [inline] kasan_set_free_info mm/kasan/common.c:317 [inline] __kasan_slab_free+0x125/0x190 mm/kasan/common.c:456 __cache_free mm/slab.c:3426 [inline] kfree+0x10a/0x220 mm/slab.c:3757 security_cred_free+0xbf/0x100 security/security.c:1599 put_cred_rcu+0xca/0x350 kernel/cred.c:114 put_cred include/linux/cred.h:287 [inline] do_faccessat+0x613/0x780 fs/open.c:439 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 The buggy address belongs to the object at ffff888092e9c700 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 162 bytes inside of 192-byte region [ffff888092e9c700, ffff888092e9c7c0) The buggy address belongs to the page: page:ffffea00024ba700 refcount:1 mapcount:0 mapping:000000008e2ec188 index:0xffff888092e9cf00 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00023c2dc8 ffffea0002a6c148 ffff8880aa400000 raw: ffff888092e9cf00 ffff888092e9c000 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888092e9c680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888092e9c700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888092e9c780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888092e9c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888092e9c880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ==================================================================