==================================================================
BUG: KASAN: slab-out-of-bounds in __fb_pad_aligned_buffer include/linux/fb.h:656 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs+0x103a/0x1bf0 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffff8880a1afa008 by task syz-executor.3/32434

CPU: 1 PID: 32434 Comm: syz-executor.3 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 print_address_description+0x66/0x5a0 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 __fb_pad_aligned_buffer include/linux/fb.h:656 [inline]
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
 bit_putcs+0x103a/0x1bf0 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x790/0xaf0 drivers/video/fbdev/core/fbcon.c:1362
 do_update_region+0x462/0x620 drivers/tty/vt/vt.c:675
 redraw_screen+0xa25/0x1420 drivers/tty/vt/vt.c:1034
 vc_do_resize+0x11ab/0x1790 drivers/tty/vt/vt.c:1325
 vt_resizex drivers/tty/vt/vt_ioctl.c:814 [inline]
 vt_ioctl+0x3032/0x3c60 drivers/tty/vt/vt_ioctl.c:1026
 tty_ioctl+0xee4/0x15c0 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45ce79
Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fbd3d181c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000001c340 RCX: 000000000045ce79
RDX: 0000000020000000 RSI: 000000000000560a RDI: 0000000000000003
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007fff6a499a8f R14: 00007fbd3d1829c0 R15: 000000000118bf2c

Allocated by task 1:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494
 slab_post_alloc_hook mm/slab.h:586 [inline]
 slab_alloc mm/slab.c:3320 [inline]
 kmem_cache_alloc+0x1f5/0x2d0 mm/slab.c:3484
 kmem_cache_zalloc include/linux/slab.h:659 [inline]
 __kernfs_new_node+0x8b/0x630 fs/kernfs/dir.c:627
 kernfs_new_node+0x95/0x160 fs/kernfs/dir.c:689
 __kernfs_create_file+0x45/0x2d0 fs/kernfs/file.c:1002
 sysfs_add_file_mode_ns+0x2fe/0x3c0 fs/sysfs/file.c:305
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x445/0xd20 fs/sysfs/group.c:149
 internal_create_groups fs/sysfs/group.c:189 [inline]
 sysfs_create_groups+0x5d/0x130 fs/sysfs/group.c:215
 device_add_groups drivers/base/core.c:2024 [inline]
 device_add_attrs drivers/base/core.c:2178 [inline]
 device_add+0x772/0x19b0 drivers/base/core.c:2881
 register_disk block/genhd.c:699 [inline]
 __device_add_disk+0x7a0/0x1150 block/genhd.c:830
 add_disk include/linux/genhd.h:295 [inline]
 brd_init+0x358/0x439 drivers/block/brd.c:534
 do_one_initcall+0x14b/0x350 init/main.c:1202
 do_initcall_level+0x101/0x14c init/main.c:1275
 do_initcalls+0x59/0x9b init/main.c:1291
 kernel_init_freeable+0x382/0x4a7 init/main.c:1510
 kernel_init+0xd/0x290 init/main.c:1400
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880a1afa040
 which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 56 bytes to the left of
 168-byte region [ffff8880a1afa040, ffff8880a1afa0e8)
The buggy address belongs to the page:
page:ffffea000286be80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000286c408 ffffea000286c348 ffff8880aa648a80
raw: 0000000000000000 ffff8880a1afa040 0000000100000011 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a1af9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a1af9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a1afa000: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                      ^
 ffff8880a1afa080: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
 ffff8880a1afa100: fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00
==================================================================