==================================================================
BUG: KFENCE: out-of-bounds read in memcpy_orig+0x8c/0x130 arch/x86/lib/memcpy_64.S:115

Out-of-bounds read at 0xffff88823beff12a (490B right of kfence-#126):
 memcpy_orig+0x8c/0x130 arch/x86/lib/memcpy_64.S:115
 scr_memcpyw include/linux/vt_buffer.h:38 [inline]
 fbcon_prepare_logo+0x94e/0xc60 drivers/video/fbdev/core/fbcon.c:686
 fbcon_init+0x1065/0x1830 drivers/video/fbdev/core/fbcon.c:1228
 visual_init+0x320/0x620 drivers/tty/vt/vt.c:1048
 do_bind_con_driver.isra.0+0x636/0x9c0 drivers/tty/vt/vt.c:4056
 vt_bind drivers/tty/vt/vt.c:4212 [inline]
 store_bind+0x609/0x730 drivers/tty/vt/vt.c:4284
 dev_attr_store+0x58/0x80 drivers/base/core.c:2437
 sysfs_kf_write+0xf2/0x150 fs/sysfs/file.c:142
 kernfs_fop_write_iter+0x3e0/0x5f0 fs/kernfs/file.c:352
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x10b/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

kfence-#126: 0xffff88823befef40-0xffff88823befefdb, size=156, cache=kmalloc-192

allocated by task 7761 on cpu 0 at 215.046336s (0.027344s ago):
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 vc_do_resize+0x1dd/0xeb0 drivers/tty/vt/vt.c:1211
 vc_resize include/linux/vt_kern.h:49 [inline]
 fbcon_init+0x1041/0x1830 drivers/video/fbdev/core/fbcon.c:1225
 visual_init+0x320/0x620 drivers/tty/vt/vt.c:1048
 do_bind_con_driver.isra.0+0x636/0x9c0 drivers/tty/vt/vt.c:4056
 vt_bind drivers/tty/vt/vt.c:4212 [inline]
 store_bind+0x609/0x730 drivers/tty/vt/vt.c:4284
 dev_attr_store+0x58/0x80 drivers/base/core.c:2437
 sysfs_kf_write+0xf2/0x150 fs/sysfs/file.c:142
 kernfs_fop_write_iter+0x3e0/0x5f0 fs/kernfs/file.c:352
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x10b/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 7761 Comm: syz.1.512 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:memcpy_orig+0x8c/0x130 arch/x86/lib/memcpy_64.S:120
Code: 5e e0 48 8d 76 e0 4c 89 47 f8 4c 89 4f f0 4c 89 57 e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 <4c> 8b 06 4c 8b 4e 08 4c 8b 54 16 f0 4c 8b 5c 16 f8 4c 89 07 4c 89
RSP: 0018:ffffc900035679e8 EFLAGS: 00010206
RAX: ffff88823beff12a RBX: ffff88813feba000 RCX: ffffffff8542b24e
RDX: 000000000000001a RSI: ffff88823beff12a RDI: ffff88823beff12a
RBP: ffff88823beff08a R08: 0000000000000001 R09: ffffed10477dfe28
R10: ffff88823beff143 R11: 0000000000000000 R12: 0000000000000018
R13: ffffffffffffff60 R14: 000000000000001a R15: ffffed1027fd7477
FS:  00007f72c178c6c0(0000) GS:ffff88812437d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823beff12a CR3: 0000000075916000 CR4: 00000000003526f0
Call Trace:
 scr_memcpyw include/linux/vt_buffer.h:38 [inline]
 fbcon_prepare_logo+0x94e/0xc60 drivers/video/fbdev/core/fbcon.c:686
 fbcon_init+0x1065/0x1830 drivers/video/fbdev/core/fbcon.c:1228
 visual_init+0x320/0x620 drivers/tty/vt/vt.c:1048
 do_bind_con_driver.isra.0+0x636/0x9c0 drivers/tty/vt/vt.c:4056
 vt_bind drivers/tty/vt/vt.c:4212 [inline]
 store_bind+0x609/0x730 drivers/tty/vt/vt.c:4284
 dev_attr_store+0x58/0x80 drivers/base/core.c:2437
 sysfs_kf_write+0xf2/0x150 fs/sysfs/file.c:142
 kernfs_fop_write_iter+0x3e0/0x5f0 fs/kernfs/file.c:352
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x6ac/0x1070 fs/read_write.c:688
 ksys_write+0x12a/0x250 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x10b/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f72c099cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f72c178c028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f72c0c15fa0 RCX: 00007f72c099cdd9
RDX: 000000000008083a RSI: 00002000000000c0 RDI: 0000000000000006
RBP: 00007f72c0a32d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f72c0c16038 R14: 00007f72c0c15fa0 R15: 00007fffa1a78ae8
==================================================================
----------------
Code disassembly (best guess):
   0:   5e                      pop    %rsi
   1:   e0 48                   loopne 0x4b
   3:   8d 76 e0                lea    -0x20(%rsi),%esi
   6:   4c 89 47 f8             mov    %r8,-0x8(%rdi)
   a:   4c 89 4f f0             mov    %r9,-0x10(%rdi)
   e:   4c 89 57 e8             mov    %r10,-0x18(%rdi)
  12:   4c 89 5f e0             mov    %r11,-0x20(%rdi)
  16:   48 8d 7f e0             lea    -0x20(%rdi),%rdi
  1a:   73 d2                   jae    0xffffffee
  1c:   83 c2 20                add    $0x20,%edx
  1f:   48 29 d6                sub    %rdx,%rsi
  22:   48 29 d7                sub    %rdx,%rdi
  25:   83 fa 10                cmp    $0x10,%edx
  28:   72 34                   jb     0x5e
* 2a:   4c 8b 06                mov    (%rsi),%r8 <-- trapping instruction
  2d:   4c 8b 4e 08             mov    0x8(%rsi),%r9
  31:   4c 8b 54 16 f0          mov    -0x10(%rsi,%rdx,1),%r10
  36:   4c 8b 5c 16 f8          mov    -0x8(%rsi,%rdx,1),%r11
  3b:   4c 89 07                mov    %r8,(%rdi)
  3e:   4c                      rex.WR
  3f:   89                      .byte 0x89