================================================================== BUG: KASAN: slab-out-of-bounds in fbcon_get_font+0x689/0x6f0 drivers/video/fbdev/core/fbcon.c:2512 Read of size 1 at addr ffff888023d57810 by task syz-executor.3/17734 CPU: 0 PID: 17734 Comm: syz-executor.3 Not tainted 5.9.0-rc2-next-20200826-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 fbcon_get_font+0x689/0x6f0 drivers/video/fbdev/core/fbcon.c:2512 con_font_get drivers/tty/vt/vt.c:4575 [inline] con_font_op+0x1f5/0x1110 drivers/tty/vt/vt.c:4734 vt_io_ioctl drivers/tty/vt/vt_ioctl.c:594 [inline] vt_ioctl+0x1952/0x2cc0 drivers/tty/vt/vt_ioctl.c:855 tty_ioctl+0x1019/0x15f0 drivers/tty/tty_io.c:2654 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45d5b9 Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007faeedafac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000000000001cf80 RCX: 000000000045d5b9 RDX: 0000000020000000 RSI: 0000000000004b60 RDI: 0000000000000003 RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c R13: 00007ffdb965897f R14: 00007faeedafb9c0 R15: 000000000118cf4c Allocated by task 4729: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 __do_kmalloc mm/slab.c:3655 [inline] __kmalloc+0x1a8/0x320 mm/slab.c:3664 kmalloc include/linux/slab.h:559 [inline] fbcon_set_font+0x34f/0x8b0 drivers/video/fbdev/core/fbcon.c:2694 con_font_set drivers/tty/vt/vt.c:4667 [inline] con_font_op+0xd25/0x1110 drivers/tty/vt/vt.c:4732 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:472 [inline] vt_ioctl+0x2141/0x2cc0 drivers/tty/vt/vt_ioctl.c:851 tty_ioctl+0x1019/0x15f0 drivers/tty/tty_io.c:2654 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888023d50000 which belongs to the cache kmalloc-32k of size 32768 The buggy address is located 30736 bytes inside of 32768-byte region [ffff888023d50000, ffff888023d58000) The buggy address belongs to the page: page:00000000bcdea45d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23d50 head:00000000bcdea45d order:4 compound_mapcount:0 compound_pincount:0 flags: 0xfffe0000010200(slab|head) raw: 00fffe0000010200 ffffea00006de008 ffffea0001475808 ffff8880aa040c00 raw: 0000000000000000 ffff888023d50000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888023d57700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888023d57780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888023d57800: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888023d57880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888023d57900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================