==================================================================
BUG: KASAN: global-out-of-bounds in vga_8planes_imageblit drivers/video/fbdev/vga16fb.c:1140 [inline]
BUG: KASAN: global-out-of-bounds in vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1203 [inline]
BUG: KASAN: global-out-of-bounds in vga16fb_imageblit+0x1c8b/0x2200 drivers/video/fbdev/vga16fb.c:1260
Read of size 2 at addr ffffffff8874be58 by task syz-executor177/9104

CPU: 0 PID: 9104 Comm: syz-executor177 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:638
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/generic_report.c:133
 vga_8planes_imageblit drivers/video/fbdev/vga16fb.c:1140 [inline]
 vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1203 [inline]
 vga16fb_imageblit+0x1c8b/0x2200 drivers/video/fbdev/vga16fb.c:1260
 soft_cursor+0x4fb/0xa30 drivers/video/fbdev/core/softcursor.c:74
 bit_cursor+0x12fc/0x1a60 drivers/video/fbdev/core/bitblit.c:386
 fbcon_cursor+0x487/0x660 drivers/video/fbdev/core/fbcon.c:1402
 hide_cursor+0x9d/0x2b0 drivers/tty/vt/vt.c:895
 redraw_screen+0x60b/0x7d0 drivers/tty/vt/vt.c:988
 vc_do_resize+0x10c9/0x1460 drivers/tty/vt/vt.c:1284
 vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1304
 fbcon_modechanged+0x367/0x790 drivers/video/fbdev/core/fbcon.c:2980
 fbcon_update_vcs+0x42/0x50 drivers/video/fbdev/core/fbcon.c:3038
 fb_set_var+0xb32/0xdd0 drivers/video/fbdev/core/fbmem.c:1051
 do_fb_ioctl+0x390/0x7d0 drivers/video/fbdev/core/fbmem.c:1104
 fb_compat_ioctl+0x305/0xc50 drivers/video/fbdev/core/fbmem.c:1310
 __do_compat_sys_ioctl fs/compat_ioctl.c:202 [inline]
 __se_compat_sys_ioctl fs/compat_ioctl.c:142 [inline]
 __ia32_compat_sys_ioctl+0x22d/0x5c0 fs/compat_ioctl.c:142
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f02a39
Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000ff9c25ac EFLAGS: 00000213 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000004601
RDX: 0000000020000100 RSI: 00000000080ea078 RDI: 00000000ff9c2600
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the variable:
 transl_h+0x38/0x40

Memory state around the buggy address:
 ffffffff8874bd00: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa
 ffffffff8874bd80: 00 00 00 00 00 fa fa fa fa fa fa fa 04 fa fa fa
>ffffffff8874be00: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 00
                                                    ^
 ffffffff8874be80: fa fa fa fa 00 01 fa fa fa fa fa fa 00 00 00 04
 ffffffff8874bf00: fa fa fa fa 00 00 04 fa fa fa fa fa 00 00 00 00
==================================================================