FAT-fs (loop3): Directory bread(block 6) failed
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:373 [inline]
BUG: KASAN: use-after-free in soft_cursor+0x44b/0xa30 drivers/video/fbdev/core/softcursor.c:70
Read of size 9 at addr ffff88808f18b43f by task kworker/0:0/13261

CPU: 0 PID: 13261 Comm: kworker/0:0 Not tainted 4.19.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_power_efficient fb_flashcursor
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report+0x8f/0x96 mm/kasan/report.c:412
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:373 [inline]
 soft_cursor+0x44b/0xa30 drivers/video/fbdev/core/softcursor.c:70
 bit_cursor+0x1126/0x1740 drivers/video/fbdev/core/bitblit.c:377
 fb_flashcursor+0x38c/0x430 drivers/video/fbdev/core/fbcon.c:379
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 4696:
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 __alloc_skb+0xae/0x560 net/core/skbuff.c:205
 skb_copy+0x139/0x2f0 net/core/skbuff.c:1349
 mac80211_hwsim_tx_frame_no_nl.isra.0+0xb8a/0x1330 drivers/net/wireless/mac80211_hwsim.c:1353
 mac80211_hwsim_tx_frame+0x12b/0x210 drivers/net/wireless/mac80211_hwsim.c:1556
 mac80211_hwsim_beacon_tx+0x3f8/0x680 drivers/net/wireless/mac80211_hwsim.c:1595
 __iterate_interfaces+0x2e1/0x4a0 net/mac80211/util.c:614
 ieee80211_iterate_active_interfaces_atomic+0x8d/0x170 net/mac80211/util.c:650
 mac80211_hwsim_beacon+0xc9/0x190 drivers/net/wireless/mac80211_hwsim.c:1615
 __tasklet_hrtimer_trampoline+0x29/0xa0 kernel/softirq.c:601
 tasklet_action_common.constprop.0+0x265/0x360 kernel/softirq.c:522
 __do_softirq+0x26c/0x9a0 kernel/softirq.c:292

Freed by task 30333:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 skb_free_head net/core/skbuff.c:554 [inline]
 skb_release_data+0x6de/0x920 net/core/skbuff.c:574
 skb_release_all net/core/skbuff.c:631 [inline]
 __kfree_skb net/core/skbuff.c:645 [inline]
 kfree_skb+0x11a/0x3d0 net/core/skbuff.c:663
 ieee80211_iface_work+0x289/0x8a0 net/mac80211/iface.c:1357
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff88808f18b280
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 447 bytes inside of
 512-byte region [ffff88808f18b280, ffff88808f18b480)
The buggy address belongs to the page:
page:ffffea00023c62c0 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff88808f18ba00
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea00017a8e88 ffffea0002cd0208 ffff88813bff0940
raw: ffff88808f18ba00 ffff88808f18b000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808f18b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808f18b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88808f18b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88808f18b480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88808f18b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================