syzbot


KASAN: global-out-of-bounds Read in soft_cursor (3)

Status: moderation: reported on 2026/06/19 17:21
Subsystems: fbdev
Reported-by: syzbot+9c989f8369c542e1a38f@syzkaller.appspotmail.com
First crash: 8d04h, last: 8d04h
✨ AI Jobs (3)
| ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error |
|---|---|---|---|---|---|---|---|---|---|
| 0bdf31f6-8daa-4200-b200-225379c6fef6 | assessment-security | 💥 | | KASAN: global-out-of-bounds Read in soft_cursor (3) | 2026/06/21 00:03 | 2026/06/21 00:03 | 2026/06/21 00:03 | 43bfcdb07c3552e4664e1029672054ac0924d543 | failed to run ["git" "-c" "core.hooksPath=/dev/null" "fetch" "--force" "--tags" "433dfd5a8a5d80bbf0669b14e9ed908911a52dd6" "c2a9495bd873ccc028a308943bffcaac59e5f454"]: exit status 128 error: insuffici... (truncated to first 200 bytes; open job for full error) |
| c5eb2494-c689-4c49-8c33-45f5a0108515 | assessment-security | 💥 | | KASAN: global-out-of-bounds Read in soft_cursor (3) | 2026/06/18 08:47 | 2026/06/18 08:47 | 2026/06/18 08:47 | b62b3ded1759f79b37600c5ffe2b0a81b919b0b0 | failed to run ["git" "-c" "core.hooksPath=/dev/null" "fetch" "--force" "--tags" "433dfd5a8a5d80bbf0669b14e9ed908911a52dd6" "c2a9495bd873ccc028a308943bffcaac59e5f454"]: exit status 128 error: insuffici... (truncated to first 200 bytes; open job for full error) |
| be8f3004-f95b-492a-a8a9-c848a44bd97a | assessment-security | 💥 | | KASAN: global-out-of-bounds Read in soft_cursor (3) | 2026/06/17 00:03 | 2026/06/17 00:03 | 2026/06/17 00:03 | 0e4b3e40a4572a10f991eaf3b70977db43e1fa9b | failed to run ["git" "-c" "core.hooksPath=/dev/null" "fetch" "--force" "--tags" "433dfd5a8a5d80bbf0669b14e9ed908911a52dd6" "c2a9495bd873ccc028a308943bffcaac59e5f454"]: exit status 128 error: insuffici... (truncated to first 200 bytes; open job for full error) |

Similar bugs (10)
| Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: slab-out-of-bounds Read in soft_cursor (2) fbdev | 17 | | | | 9 | 140d | 274d | 0/29 | auto-obsoleted due to no activity on 2026/05/14 02:42 |
| upstream | KASAN: global-out-of-bounds Read in soft_cursor (2) fbdev | 17 | | | | 1 | 486d | 482d | 0/29 | auto-obsoleted due to no activity on 2025/05/23 01:13 |
| linux-4.19 | KASAN: global-out-of-bounds Read in soft_cursor | 17 | C | done | | 22 | 1855d | 2323d | 1/1 | fixed on 2021/06/24 08:01 |
| upstream | KASAN: global-out-of-bounds Read in soft_cursor fbdev | 17 | | | | 11 | 2159d | 2385d | 0/29 | auto-closed as invalid on 2020/11/22 03:01 |
| linux-4.14 | KASAN: global-out-of-bounds Read in soft_cursor | 17 | C | error | | 19 | 1382d | 2381d | 0/1 | upstream: reported C repro on 2019/12/16 00:09 |
| linux-5.15 | KASAN: null-ptr-deref Read in soft_cursor origin:lts-only | 11 | syz | error | | 1 | 1122d | 1122d | 0/3 | auto-obsoleted due to no activity on 2024/12/24 15:39 |
| linux-4.14 | KASAN: use-after-free Read in soft_cursor | 19 | C | inconclusive | | 7 | 1882d | 2393d | 0/1 | upstream: reported C repro on 2019/12/04 13:11 |
| linux-4.19 | KASAN: slab-out-of-bounds Read in soft_cursor (2) | 17 | C | done | | 8 | 1858d | 1980d | 1/1 | fixed on 2021/06/23 17:43 |
| upstream | general protection fault in soft_cursor fbdev | 11 | C | | | 3 | 1123d | 1123d | 22/29 | fixed on 2023/07/01 16:05 |
| linux-4.14 | KASAN: slab-out-of-bounds Read in soft_cursor | 17 | C | unreliable | | 57 | 1863d | 2394d | 0/1 | upstream: reported C repro on 2019/12/03 14:54 |

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in soft_cursor+0x378/0x6bc drivers/video/fbdev/core/softcursor.c:70
Read of size 16 at addr ffff800086c57970 by task syz.7.609/8216

CPU: 0 UID: 0 PID: 8216 Comm: syz.7.609 Tainted: G             L      syzkaller #0 PREEMPT 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xb0/0x238 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:482
 kasan_report+0x8c/0xc4 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x17c/0x1ac mm/kasan/generic.c:200
 __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
 soft_cursor+0x378/0x6bc drivers/video/fbdev/core/softcursor.c:70
 bit_cursor+0xa90/0x1108 drivers/video/fbdev/core/bitblit.c:365
 fbcon_cursor+0x344/0x498 drivers/video/fbdev/core/fbcon.c:1427
 hide_cursor+0xdc/0x2d0 drivers/tty/vt/vt.c:883
 update_region+0x100/0x18c drivers/tty/vt/vt.c:669
 vcs_write+0x8ec/0xaf0 drivers/tty/vt/vc_screen.c:685
 do_loop_readv_writev+0x24c/0x3dc fs/read_write.c:-1
 vfs_writev+0x2c8/0x630 fs/read_write.c:1061
 do_writev+0x134/0x2a8 fs/read_write.c:1105
 __do_sys_writev fs/read_write.c:1173 [inline]
 __se_sys_writev fs/read_write.c:1170 [inline]
 __arm64_sys_writev+0x80/0x94 fs/read_write.c:1170
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121
 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140
 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736
 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594

The buggy address belongs to the variable:
 fontdata_8x16+0x1010/0x1480

The buggy address belongs to a vmalloc virtual mapping
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x219857
flags: 0x5ffc00000002000(reserved|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000002000 fffffdffc76615c8 fffffdffc76615c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff800086c57800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff800086c57880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff800086c57900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
                                                             ^
 ffff800086c57980: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffff800086c57a00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
==================================================================

Crashes (1):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/06/15 17:15 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | c2a9495bd873 | 50bb0618 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: global-out-of-bounds Read in soft_cursor |