==================================================================
BUG: KASAN: use-after-free in __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
BUG: KASAN: use-after-free in bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: use-after-free in bit_putcs+0xc08/0xd60 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffff88809e40f008 by task syz-executor.0/21531

CPU: 0 PID: 21531 Comm: syz-executor.0 Not tainted 5.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
 bit_putcs+0xc08/0xd60 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x345/0x3f0 drivers/video/fbdev/core/fbcon.c:1362
 do_update_region+0x398/0x630 drivers/tty/vt/vt.c:683
 redraw_screen+0x64c/0x770 drivers/tty/vt/vt.c:1029
 vc_do_resize+0x1007/0x1370 drivers/tty/vt/vt.c:1314
 vt_ioctl+0x200c/0x2640 drivers/tty/vt/vt_ioctl.c:901
 tty_ioctl+0xedc/0x1440 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:771
 __do_sys_ioctl fs/ioctl.c:780 [inline]
 __se_sys_ioctl fs/ioctl.c:778 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:778
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ca59
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f6978571c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004f3060 RCX: 000000000045ca59
RDX: 0000000020000040 RSI: 000000000000560a RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000067a R14: 00000000004c973d R15: 00007f69785726d4

Allocated by task 21048:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc mm/kasan/common.c:494 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:467
 kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 call_usermodehelper_setup+0x98/0x300 kernel/umh.c:386
 kobject_uevent_env+0xd9c/0x12e0 lib/kobject_uevent.c:613
 netdev_queue_add_kobject net/core/net-sysfs.c:1554 [inline]
 netdev_queue_update_kobjects+0x2ee/0x3c0 net/core/net-sysfs.c:1588
 register_queue_kobjects net/core/net-sysfs.c:1649 [inline]
 netdev_register_kobject+0x297/0x3b0 net/core/net-sysfs.c:1892
 register_netdevice+0xa80/0x10b0 net/core/dev.c:9510
 register_netdev+0x2d/0x50 net/core/dev.c:9634
 loopback_net_init+0x73/0x160 drivers/net/loopback.c:216
 ops_init+0xaf/0x420 net/core/net_namespace.c:151
 setup_net+0x2de/0x860 net/core/net_namespace.c:341
 copy_net_ns+0x293/0x590 net/core/net_namespace.c:482
 create_new_namespaces+0x3fb/0xb30 kernel/nsproxy.c:110
 copy_namespaces+0x385/0x470 kernel/nsproxy.c:179
 copy_process+0x2a4a/0x7130 kernel/fork.c:2102
 _do_fork+0x12d/0x1010 kernel/fork.c:2444
 __do_sys_clone+0xef/0x150 kernel/fork.c:2600
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 21051:
 save_stack+0x1b/0x40 mm/kasan/common.c:48
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x109/0x2b0 mm/slab.c:3757
 call_usermodehelper_freeinfo kernel/umh.c:48 [inline]
 umh_complete kernel/umh.c:62 [inline]
 umh_complete+0x81/0x90 kernel/umh.c:51
 call_usermodehelper_exec_async+0x45f/0x710 kernel/umh.c:122
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351

The buggy address belongs to the object at ffff88809e40f000
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 8 bytes inside of
 192-byte region [ffff88809e40f000, ffff88809e40f0c0)
The buggy address belongs to the page:
page:ffffea00027903c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809e40fe00
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00025b5b48 ffffea00027af148 ffff8880aa000000
raw: ffff88809e40fe00 ffff88809e40f000 000000010000000d 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809e40ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809e40ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809e40f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88809e40f080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88809e40f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
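What follows is an added triage helper written for this page; it is not part of the syzbot report above and not kernel code. It parses a KASAN slab report into the fields a triager needs and cross-checks them: that the stated offset equals the faulting address minus the object base, that the whole access lies inside the region, that the shadow byte covering the address is 0xfb (KASAN_KMALLOC_FREE) rather than a redzone, and whether the "Allocated by"/"Freed by" stacks come from the same subsystem as the access. In this report they do not: the slot was last used for a struct subprocess_info kzalloc'd in call_usermodehelper_setup and freed through umh_complete, while the reader is fbcon's bit_putcs, so the two tracks describe the most recent occupant of a recycled kmalloc-192 slot, not the object fbcon still references. The register dump tells the same story from user space: ORIG_RAX 0x10 is ioctl(2) and RSI 0x560a is VT_RESIZEX, matching the vt_ioctl -> vc_do_resize -> redraw_screen frames. The embedded REPORT is a trimmed excerpt of the report above; the function and key names are this example's own.

```python
"""KASAN slab use-after-free triage helper (added example, not part of the
syzbot report above): parses the report lines that matter for triage and
cross-checks them: what was accessed, where inside the object, who last owned
the slab slot, and what the shadow byte at the faulting address encodes."""
import re

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory
SHADOW_TAGS = {0x00: "accessible", 0xFB: "KASAN_KMALLOC_FREE (object freed)",
               0xFC: "KASAN_KMALLOC_REDZONE (slab padding)"}  # mm/kasan/kasan.h
RE_ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$")
RE_TRACK = re.compile(r"^(Allocated|Freed) by task (\d+):$")
RE_OBJECT = re.compile(r"^The buggy address belongs to the object at ([0-9a-f]+)$")
RE_CACHE = re.compile(r"^which belongs to the cache (\S+) of size (\d+)$")
RE_OFFSET = re.compile(r"^The buggy address is located (\d+) bytes (inside|to the left|to the right) of$")
RE_REGION = re.compile(r"^(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)$")
RE_SHADOW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){1,16})$")

# Excerpt of the report above; frames not needed by the checks were dropped.
REPORT = """\
BUG: KASAN: use-after-free in __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
BUG: KASAN: use-after-free in bit_putcs+0xc08/0xd60 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffff88809e40f008 by task syz-executor.0/21531

Allocated by task 21048:
 call_usermodehelper_setup+0x98/0x300 kernel/umh.c:386

Freed by task 21051:
 call_usermodehelper_exec_async+0x45f/0x710 kernel/umh.c:122

The buggy address belongs to the object at ffff88809e40f000
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 8 bytes inside of
 192-byte region [ffff88809e40f000, ffff88809e40f0c0)

Memory state around the buggy address:
>ffff88809e40f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88809e40f080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

def parse_kasan_report(text):
    r = {"frames": [], "alloc_trace": [], "free_trace": [], "shadow": {}}
    section = None
    for line in map(str.strip, text.splitlines()):
        if not line:
            section = None  # a blank line ends a stack-trace block
        elif line.startswith("BUG: KASAN: "):
            r["bug"], _, frame = line[12:].partition(" in ")
            r["frames"].append(frame)  # innermost frame first, as KASAN prints
        elif m := RE_ACCESS.match(line):
            r["access"], r["size"], r["addr"] = m[1], int(m[2]), int(m[3], 16)
            r["task"], r["pid"] = m[4], int(m[5])
        elif m := RE_TRACK.match(line):
            section = "alloc_trace" if m[1] == "Allocated" else "free_trace"
            r[section.replace("trace", "task")] = int(m[2])
        elif m := RE_OBJECT.match(line):
            r["object"] = int(m[1], 16)
        elif m := RE_CACHE.match(line):
            r["cache"], r["cache_size"] = m[1], int(m[2])
        elif m := RE_OFFSET.match(line):
            r["offset"], r["where"] = int(m[1]), m[2]
        elif m := RE_REGION.match(line):
            r["region"] = (int(m[2], 16), int(m[3], 16))
        elif m := RE_SHADOW.match(line):
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section:
            r[section].append(line)
    return r

def shadow_at(report, addr):
    """Shadow byte covering addr, taken from the dumped 'Memory state' rows."""
    for row, values in report["shadow"].items():
        if row <= addr < row + GRANULE * len(values):
            return values[(addr - row) // GRANULE]
    return None

def source_dir(frame):
    """'bit_putcs+0xc08/0xd60 drivers/video/fbdev/core/bitblit.c:185' -> 'drivers/video/fbdev/core'"""
    for tok in frame.split():
        if re.search(r"\.[chS]:\d+$", tok):
            return tok.rsplit("/", 1)[0]
    return None

def triage(text):
    """Parse a report and derive the facts a triager checks first."""
    r = parse_kasan_report(text)
    base, end = r["region"]
    r["shadow_at_addr"] = shadow_at(r, r["addr"])
    r["shadow_meaning"] = SHADOW_TAGS.get(r["shadow_at_addr"], "other")
    accessor = source_dir(r["frames"][-1]) or ""  # outermost BUG frame = accessor
    r["checks"] = {
        # the stated offset must agree with addr - object base
        "offset_consistent": r["where"] == "inside" and r["addr"] - r["object"] == r["offset"],
        # the whole access, not only its first byte, lies inside the object
        "access_inside_region": base <= r["addr"] and r["addr"] + r["size"] <= end,
        # a genuine UAF: the granule is marked freed, not merely a redzone
        "shadow_says_freed": r["shadow_at_addr"] == 0xFB,
        # alloc/free tracks from an unrelated subsystem: the slot was recycled after
        # the accessor's own object died, so the tracks describe the last occupant
        "tracks_from_other_subsystem": not any(
            (source_dir(f) or "").startswith(accessor) for f in r["alloc_trace"] + r["free_trace"]),
    }
    return r
```

triage(REPORT)["checks"] returns all four checks true for this report. When "tracks_from_other_subsystem" is true, the next step is to find which 192-byte-class object the accessing code (here fbcon) freed earlier without clearing its pointer; the printed alloc/free stacks will not lead there.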