==================================================================
BUG: KFENCE: use-after-free read in memcpy_orig+0x16/0x130 arch/x86/lib/memcpy_64.S:61

Use-after-free read at 0xffff88823bffc060 (in kfence-#253):
 memcpy_orig+0x16/0x130 arch/x86/lib/memcpy_64.S:61
 scr_memcpyw include/linux/vt_buffer.h:38 [inline]
 fbcon_prepare_logo+0x945/0xc50 drivers/video/fbdev/core/fbcon.c:646
 fbcon_init+0x10ee/0x1810 drivers/video/fbdev/core/fbcon.c:1179
 visual_init+0x320/0x620 drivers/tty/vt/vt.c:1020
 do_bind_con_driver.isra.0+0x636/0x9c0 drivers/tty/vt/vt.c:3960
 vt_bind drivers/tty/vt/vt.c:4116 [inline]
 store_bind+0x609/0x730 drivers/tty/vt/vt.c:4188
 dev_attr_store+0x58/0x80 drivers/base/core.c:2437
 sysfs_kf_write+0xf2/0x150 fs/sysfs/file.c:142
 kernfs_fop_write_iter+0x3e0/0x5f0 fs/kernfs/file.c:352
 iter_file_splice_write+0x82b/0x10a0 fs/splice.c:738
 do_splice_from fs/splice.c:938 [inline]
 direct_splice_actor+0x192/0x6c0 fs/splice.c:1161
 splice_direct_to_actor+0x345/0xa30 fs/splice.c:1105
 do_splice_direct_actor fs/splice.c:1204 [inline]
 do_splice_direct+0x174/0x240 fs/splice.c:1230
 do_sendfile+0xadc/0xe20 fs/read_write.c:1370
 __do_sys_sendfile64 fs/read_write.c:1431 [inline]
 __se_sys_sendfile64 fs/read_write.c:1417 [inline]
 __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1417
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

kfence-#253: 0xffff88823bffc000-0xffff88823bffcfff, size=4096, cache=kmalloc-4k

allocated by task 13 on cpu 1 at 872.819616s (2.089729s ago):
 kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:608
 __alloc_skb+0x186/0x410 net/core/skbuff.c:690
 alloc_skb include/linux/skbuff.h:1383 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:818 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:875 [inline]
 nsim_dev_trap_report_work+0x2af/0xd10 drivers/net/netdevsim/dev.c:921
 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
 kthread+0x3b3/0x730 kernel/kthread.c:463
 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

freed by task 13 on cpu 1 at 872.819640s (2.089880s ago):
 skb_kfree_head net/core/skbuff.c:1068 [inline]
 skb_free_head+0x119/0x220 net/core/skbuff.c:1080
 skb_release_data+0x540/0x700 net/core/skbuff.c:1107
 skb_release_all net/core/skbuff.c:1182 [inline]
 __kfree_skb net/core/skbuff.c:1196 [inline]
 consume_skb net/core/skbuff.c:1429 [inline]
 consume_skb+0xc4/0x110 net/core/skbuff.c:1423
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:891 [inline]
 nsim_dev_trap_report_work+0x8cf/0xd10 drivers/net/netdevsim/dev.c:921
 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
 kthread+0x3b3/0x730 kernel/kthread.c:463
 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

CPU: 0 UID: 0 PID: 20366 Comm: syz.0.3149 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:memcpy_orig+0x16/0x130 arch/x86/lib/memcpy_64.S:66
Code: 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 <4c> 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 4c 89 07
RSP: 0018:ffffc900040775f0 EFLAGS: 00010206
RAX: ffff88823bffc060 RBX: ffff888028923000 RCX: ffffffff852f90f5
RDX: 00000000000000c0 RSI: ffff88823bffc060 RDI: ffff88823bffc060
RBP: ffff88823bffbfc0 R08: 0000000000000001 R09: ffffed10477ff82b
R10: ffff88823bffc15f R11: 0000000000000000 R12: 0000000000000018
R13: ffffffffffffff60 R14: 0000000000000100 R15: ffffed1005124679
FS:  00007f4b808066c0(0000) GS:ffff8881245e2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bffc060 CR3: 000000003e3fc000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 scr_memcpyw include/linux/vt_buffer.h:38 [inline]
 fbcon_prepare_logo+0x945/0xc50 drivers/video/fbdev/core/fbcon.c:646
 fbcon_init+0x10ee/0x1810 drivers/video/fbdev/core/fbcon.c:1179
 visual_init+0x320/0x620 drivers/tty/vt/vt.c:1020
 do_bind_con_driver.isra.0+0x636/0x9c0 drivers/tty/vt/vt.c:3960
 vt_bind drivers/tty/vt/vt.c:4116 [inline]
 store_bind+0x609/0x730 drivers/tty/vt/vt.c:4188
 dev_attr_store+0x58/0x80 drivers/base/core.c:2437
 sysfs_kf_write+0xf2/0x150 fs/sysfs/file.c:142
 kernfs_fop_write_iter+0x3e0/0x5f0 fs/kernfs/file.c:352
 iter_file_splice_write+0x82b/0x10a0 fs/splice.c:738
 do_splice_from fs/splice.c:938 [inline]
 direct_splice_actor+0x192/0x6c0 fs/splice.c:1161
 splice_direct_to_actor+0x345/0xa30 fs/splice.c:1105
 do_splice_direct_actor fs/splice.c:1204 [inline]
 do_splice_direct+0x174/0x240 fs/splice.c:1230
 do_sendfile+0xadc/0xe20 fs/read_write.c:1370
 __do_sys_sendfile64 fs/read_write.c:1431 [inline]
 __se_sys_sendfile64 fs/read_write.c:1417 [inline]
 __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1417
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4b7f99aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4b80806028 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f4b7fc16180 RCX: 00007f4b7f99aeb9
RDX: 0000000000000000 RSI: 000000000000000c RDI: 0000000000000005
RBP: 00007f4b7fa08c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f4b7fc16218 R14: 00007f4b7fc16180 R15: 00007ffdf1108c28
 </TASK>
==================================================================
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	66 90                	xchg   %ax,%ax
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	48 89 f8             	mov    %rdi,%rax
  17:	48 83 fa 20          	cmp    $0x20,%rdx
  1b:	72 7e                	jb     0x9b
  1d:	40 38 fe             	cmp    %dil,%sil
  20:	7c 35                	jl     0x57
  22:	48 83 ea 20          	sub    $0x20,%rdx
  26:	48 83 ea 20          	sub    $0x20,%rdx
* 2a:	4c 8b 06             	mov    (%rsi),%r8 <-- trapping instruction
  2d:	4c 8b 4e 08          	mov    0x8(%rsi),%r9
  31:	4c 8b 56 10          	mov    0x10(%rsi),%r10
  35:	4c 8b 5e 18          	mov    0x18(%rsi),%r11
  39:	48 8d 76 20          	lea    0x20(%rsi),%rsi
  3d:	4c 89 07             	mov    %r8,(%rdi)