Bug#1029602: vmwgfx: kernel oops when using fbterm in vmware

2023-01-30 Thread Keyu Tao

I continued testing and found that this bug is:

- Not reproducible in current Linux 6.2-rcX mainline
- Reproducible in Linux 6.1.7-1 (bookworm kernel package)

The git history of drivers/gpu/drm/vmwgfx shows that the offending 
function `vmw_fb_dirty_flush()` in file vmwgfx_fb.c has been removed by 
commit df42523c12f8d58a41f547f471b46deffd18c203. It seems that vmwgfx 
will use "drm fb helpers" instead of its own fb implementation in Linux 
6.2.x, so this bug is gone in mainline.


I'm going to send a bug report upstream after a working 6.1.x vanilla 
kernel has been compiled and tested, as it seems certain that this issue exists 
in all stable & LTS kernels before the current mainline 6.2-rcX.


On 1/29/23 20:56, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sun, Jan 29, 2023 at 04:46:38PM +0800, taoky wrote:
> > Hi Bonaccorso,
> > 
> > I have tested the vanilla 5.10.165 and the 6.0.12-1 in bullseye-backports,
> > and they both have this bug.
> > 
> > I'm going to compile a mainline kernel and then report this bug. BTW, I'm
> > not sure... does that mean I should Cc 1029...@bugs.debian.org when
> > reporting upstream, to "keep in the loop"?
> 
> Yes, Cc the Debian downstream bug as well so we are kept informed. It's
> not a must, but it helps us notice if there is an upstream change/fix for the
> issue. Alternatively, let us know when the report has been made upstream
> and set the bug as forwarded to the upstream report.
> 
> Regards,
> Salvatore




Bug#1029602: vmwgfx: kernel oops when using fbterm in vmware

2023-01-29 Thread Salvatore Bonaccorso
Hi,

On Sun, Jan 29, 2023 at 04:46:38PM +0800, taoky wrote:
> Hi Bonaccorso,
> 
> I have tested the vanilla 5.10.165 and the 6.0.12-1 in bullseye-backports,
> and they both have this bug.
> 
> I'm going to compile a mainline kernel and then report this bug. BTW, I'm
> not sure... does that mean I should Cc 1029...@bugs.debian.org when
> reporting upstream, to "keep in the loop"?

Yes, Cc the Debian downstream bug as well so we are kept informed. It's
not a must, but it helps us notice if there is an upstream change/fix for the
issue. Alternatively, let us know when the report has been made upstream
and set the bug as forwarded to the upstream report.

Regards,
Salvatore



Bug#1029602: vmwgfx: kernel oops when using fbterm in vmware

2023-01-29 Thread taoky

Hi Bonaccorso,

I have tested the vanilla 5.10.165 and the 6.0.12-1 in 
bullseye-backports, and they both have this bug.


I'm going to compile a mainline kernel and then report this bug. BTW, 
I'm not sure... does that mean I should Cc 1029...@bugs.debian.org when 
reporting upstream, to "keep in the loop"?


Thank you.

On 1/28/23 23:44, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, Jan 25, 2023 at 06:18:35PM +0800, Keyu Tao wrote:
> > Source: linux
> > Severity: normal
> > X-Debbugs-Cc: taok...@outlook.com
> > 
> > Dear Maintainer,
> > 
> > It seems that fbterm triggers an out-of-bounds memory write (memcpy) when vmwgfx 
> > loads.
> > 
> > Dmesg oops message:
> > 
> > [...]

Bug#1029602: vmwgfx: kernel oops when using fbterm in vmware

2023-01-28 Thread Salvatore Bonaccorso
Hi,

On Wed, Jan 25, 2023 at 06:18:35PM +0800, Keyu Tao wrote:
> Source: linux
> Severity: normal
> X-Debbugs-Cc: taok...@outlook.com
> 
> Dear Maintainer,
> 
> It seems that fbterm triggers an out-of-bounds memory write (memcpy) when 
> vmwgfx loads.
> 
> Dmesg oops message:
> 
> [...]
> 
> How to reproduce:
> 
> 1. sudo apt install fbterm
> 2. Switch to TTY (such as tty1), and run fbterm by users with read 

Bug#1029602: vmwgfx: kernel oops when using fbterm in vmware

2023-01-25 Thread Keyu Tao
I did some simple debugging on fbterm just now, and I found out that the 
kernel oopses when fbterm is running `Screen::move()`.


The most suspicious function inside is setupOffset(), which calls an 
ioctl(), setting yoffset:


```cpp
void FbDev::setupOffset()
{
    // fbterm: pan the visible window to the current scroll offset
    vinfo.yoffset = mOffsetCur;
    ioctl(fbdev_fd, FBIOPAN_DISPLAY, &vinfo);
}
```

And the "yoffset" may be used in `src_ptr` as `par->fb_y` in 
vmw_fb_dirty_flush():


```c
	if (w && h) {
		dst_ptr = (u8 *)virtual  +
			  (dst_y1 * par->set_fb->pitches[0] + dst_x1 * cpp);
		src_ptr = (u8 *)par->vmalloc +
			  ((dst_y1 + par->fb_y) * info->fix.line_length +
			   (dst_x1 + par->fb_x) * cpp);

		while (h-- > 0) {
			memcpy(dst_ptr, src_ptr, w*cpp);
			dst_ptr += par->set_fb->pitches[0];
			src_ptr += info->fix.line_length;
		}

		// ...
```

(so it is an out-of-bounds read for real?)

On 1/25/23 18:18, Keyu Tao wrote:
> Source: linux
> Severity: normal
> X-Debbugs-Cc: taok...@outlook.com
> 
> Dear Maintainer,
> 
> It seems that fbterm triggers an out-of-bounds memory write (memcpy) when vmwgfx 
> loads.
> 
> Dmesg oops message:
> 
> [...]
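To make the arithmetic in the two snippets quoted in the message above concrete, here is an added C example; it is not code from this thread, from fbterm or from the vmwgfx driver. It models the same data flow in user space: a pan request sets fb_y, and a dirty flush derives src_ptr and dst_ptr from fb_y, line_length and the pitch and copies h rows. It adds one thing the quoted driver loop does not show: a range check that computes the last source and destination byte the loop would touch before any memcpy runs, so an offset that would carry the copy past the end of either buffer is refused instead of faulting. The struct, the 640x480 geometry, model_pan_display() (a stand-in for whatever validation the real fbdev core does on FBIOPAN_DISPLAY) and the check itself are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * User-space model of the state vmw_fb_dirty_flush() works from. Field names
 * follow the quoted snippet; the struct, geometry and range check are
 * constructed for this example and are not the driver's code.
 */
struct fb_model {
    uint8_t *vmalloc;       /* shadow buffer the console draws into (par->vmalloc) */
    size_t   vmalloc_size;  /* its size in bytes */
    uint8_t *fb_virtual;    /* the real framebuffer mapping ("virtual" in the snippet) */
    size_t   fb_size;       /* its size in bytes */
    unsigned line_length;   /* info->fix.line_length: bytes per shadow-buffer row */
    unsigned pitch;         /* par->set_fb->pitches[0]: bytes per framebuffer row */
    unsigned cpp;           /* bytes per pixel */
    unsigned yres;          /* visible rows */
    unsigned yres_virtual;  /* rows in the shadow buffer */
    unsigned fb_x, fb_y;    /* pan offsets; fb_y is what FBIOPAN_DISPLAY's yoffset becomes */
};

/* Hypothetical pan validation: the visible window must stay inside the virtual
 * buffer. Returns 0 on success, -1 (think -EINVAL) otherwise. */
int model_pan_display(struct fb_model *m, unsigned yoffset)
{
    if ((uint64_t)yoffset + m->yres > m->yres_virtual)
        return -1;
    m->fb_y = yoffset;
    return 0;
}

/* One-past-the-end byte of the source and destination ranges the copy loop
 * would touch for rectangle (x1, y1, w, h); true if both fit their buffers. */
bool flush_in_bounds(const struct fb_model *m, unsigned x1, unsigned y1,
                     unsigned w, unsigned h)
{
    uint64_t row, src, dst, src_end, dst_end;

    if (w == 0 || h == 0)
        return true;                       /* the driver skips empty rectangles */
    row = (uint64_t)w * m->cpp;
    src = (uint64_t)(y1 + m->fb_y) * m->line_length + (uint64_t)(x1 + m->fb_x) * m->cpp;
    dst = (uint64_t)y1 * m->pitch + (uint64_t)x1 * m->cpp;
    src_end = src + (uint64_t)(h - 1) * m->line_length + row;
    dst_end = dst + (uint64_t)(h - 1) * m->pitch + row;
    return src_end <= m->vmalloc_size && dst_end <= m->fb_size;
}

/* The copy loop from the snippet, guarded by flush_in_bounds(). Returns 0 when
 * the rows were copied, -1 when the flush would have run past either buffer. */
int model_dirty_flush(struct fb_model *m, unsigned x1, unsigned y1,
                      unsigned w, unsigned h)
{
    uint8_t *dst_ptr, *src_ptr;

    if (!flush_in_bounds(m, x1, y1, w, h))
        return -1;
    if (w == 0 || h == 0)
        return 0;
    dst_ptr = m->fb_virtual + ((size_t)y1 * m->pitch + (size_t)x1 * m->cpp);
    src_ptr = m->vmalloc + ((size_t)(y1 + m->fb_y) * m->line_length +
                            (size_t)(x1 + m->fb_x) * m->cpp);
    while (h-- > 0) {
        memcpy(dst_ptr, src_ptr, (size_t)w * m->cpp);
        dst_ptr += m->pitch;
        src_ptr += m->line_length;
    }
    return 0;
}

/* Constructed geometry: 640x480 at 32 bpp, shadow buffer twice the visible height. */
struct fb_model *model_new(void)
{
    struct fb_model *m = calloc(1, sizeof *m);

    if (!m)
        return NULL;
    m->cpp = 4;
    m->line_length = 640 * 4;
    m->pitch = 640 * 4;
    m->yres = 480;
    m->yres_virtual = 960;
    m->vmalloc_size = (size_t)m->line_length * m->yres_virtual;
    m->fb_size = (size_t)m->pitch * m->yres;
    m->vmalloc = calloc(1, m->vmalloc_size);
    m->fb_virtual = calloc(1, m->fb_size);
    if (!m->vmalloc || !m->fb_virtual) {
        free(m->vmalloc);
        free(m->fb_virtual);
        free(m);
        return NULL;
    }
    return m;
}

void model_free(struct fb_model *m)
{
    if (!m)
        return;
    free(m->vmalloc);
    free(m->fb_virtual);
    free(m);
}

int main(void)
{
    struct fb_model *m = model_new();

    if (!m)
        return 1;
    /* scroll by one full screen, as fbterm's setupOffset() would request */
    printf("pan to 480:          %d\n", model_pan_display(m, 480));
    printf("flush full screen:   %d\n", model_dirty_flush(m, 0, 0, 640, 480));
    printf("pan to 481:          %d\n", model_pan_display(m, 481));
    /* if fb_y got one row too far anyway, the flush refuses rather than overruns */
    m->fb_y = 481;
    printf("flush with fb_y=481: %d\n", model_dirty_flush(m, 0, 0, 640, 480));
    model_free(m);
    return 0;
}
```

Run as is, it prints 0 for the pan to 480 and the following full-screen flush, and -1 both for the pan to 481 and for a flush after fb_y has been forced to 481, the point being that the offset is checked against the size of the buffer it indexes before the row loop starts, not discovered by a page fault inside memcpy.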

Bug#1029602: vmwgfx: kernel oops when using fbterm in vmware

2023-01-25 Thread Diederik de Haas
Control: found -1 5.10.162-1

On Wednesday, 25 January 2023 11:18:35 CET Keyu Tao wrote:
> [  214.783069] CPU: 0 PID: 372 Comm: kworker/0:4 Kdump: loaded Not tainted
> 5.10.0-21-amd64 #1 Debian 5.10.162-1





Processed: Re: Bug#1029602: vmwgfx: kernel oops when using fbterm in vmware

2023-01-25 Thread Debian Bug Tracking System
Processing control commands:

> found -1 5.10.162-1
Bug #1029602 [src:linux] vmwgfx: kernel oops when using fbterm in vmware
Marked as found in versions linux/5.10.162-1.

-- 
1029602: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029602
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1029602: vmwgfx: kernel oops when using fbterm in vmware

2023-01-25 Thread Keyu Tao
Source: linux
Severity: normal
X-Debbugs-Cc: taok...@outlook.com

Dear Maintainer,

It seems that fbterm triggers an out-of-bounds memory write (memcpy) when vmwgfx 
loads.

Dmesg oops message:

[  214.780971] BUG: unable to handle page fault for address: ae3dc1171000
[  214.781348] #PF: supervisor write access in kernel mode
[  214.781691] #PF: error_code(0x0002) - not-present page
[  214.782130] PGD 167 P4D 167 PUD 11b3067 PMD 2427067 PTE 0
[  214.782610] Oops: 0002 [#1] SMP PTI
[  214.783069] CPU: 0 PID: 372 Comm: kworker/0:4 Kdump: loaded Not tainted 
5.10.0-21-amd64 #1 Debian 5.10.162-1
[  214.783902] Hardware name: VMware, Inc. VMware Virtual Platform/440BX 
Desktop Reference Platform, BIOS 6.00 07/22/2020
[  214.784694] Workqueue: events vmw_fb_dirty_flush [vmwgfx]
[  214.785153] RIP: 0010:memcpy_orig+0x29/0x123
[  214.785765] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 
48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 
4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
[  214.787323] RSP: 0018:ae3dc0807e00 EFLAGS: 00010202
[  214.787721] RAX: ae3dc1170c00 RBX: 9f70f41c9000 RCX: 0c80
[  214.788147] RDX: 0840 RSI: ae3dc0e93a20 RDI: ae3dc1171000
[  214.788553] RBP:  R08:  R09: 
[  214.788983] R10:  R11:  R12: ae3dc0e93600
[  214.789386] R13: 9f70f41c94e8 R14: 9f70e2c56400 R15: 0c80
[  214.790137] FS:  () GS:9f711180() 
knlGS:
[  214.790680] CS:  0010 DS:  ES:  CR0: 80050033
[  214.791290] CR2: ae3dc1171000 CR3: 2360a003 CR4: 003706f0
[  214.791729] Call Trace:
[  214.792302]  vmw_fb_dirty_flush+0x247/0x350 [vmwgfx]
[  214.792777]  process_one_work+0x1b3/0x350
[  214.793187]  worker_thread+0x53/0x3e0
[  214.793626]  ? process_one_work+0x350/0x350
[  214.794045]  kthread+0x118/0x140
[  214.794448]  ? __kthread_bind_mask+0x60/0x60
[  214.794871]  ret_from_fork+0x1f/0x30
[  214.795260] Modules linked in: xt_conntrack xt_MASQUERADE 
nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter 
iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter 
bridge stp llc intel_rapl_msr intel_rapl_common intel_pmc_core kvm_intel kvm 
irqbypass rapl overlay vmw_balloon btusb btrtl btbcm joydev btintel pcspkr 
serio_raw bluetooth snd_ens1371 snd_ac97_codec ac97_bus gameport snd_rawmidi 
snd_seq_device jitterentropy_rng snd_pcm snd_timer drbg ansi_cprng snd 
ecdh_generic rfkill soundcore ecc sg vsock_loopback 
vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci ac 
evdev binfmt_misc parport_pc ppdev nfsd configfs fuse lp parport auth_rpcgss 
nfs_acl lockd grace sunrpc ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 
btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq 
async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath 
linear md_mod dm_mirror dm_region_hash dm_log dm_mod
[  214.795316]  hid_generic usbhid hid sd_mod t10_pi crc_t10dif 
crct10dif_generic crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel 
sr_mod cdrom ghash_clmulni_intel ata_generic vmwgfx aesni_intel xhci_pci libaes 
crypto_simd ttm cryptd ata_piix glue_helper drm_kms_helper cec xhci_hcd 
ehci_pci drm uhci_hcd mptspi mptscsih ehci_hcd mptbase libata psmouse 
scsi_transport_spi usbcore e1000 usb_common scsi_mod i2c_piix4 button
[  214.803260] CR2: ae3dc1171000
[  214.803722] ---[ end trace d0b2266ea0877554 ]---
[  214.804283] RIP: 0010:memcpy_orig+0x29/0x123
[  214.804727] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 
48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 
4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
[  214.806126] RSP: 0018:ae3dc0807e00 EFLAGS: 00010202
[  214.806585] RAX: ae3dc1170c00 RBX: 9f70f41c9000 RCX: 0c80
[  214.807069] RDX: 0840 RSI: ae3dc0e93a20 RDI: ae3dc1171000
[  214.807549] RBP:  R08:  R09: 
[  214.808025] R10:  R11:  R12: ae3dc0e93600
[  214.808658] R13: 9f70f41c94e8 R14: 9f70e2c56400 R15: 0c80
[  214.809137] FS:  () GS:9f711180() 
knlGS:
[  214.809596] CS:  0010 DS:  ES:  CR0: 80050033
[  214.810078] CR2: ae3dc1171000 CR3: 2360a003 CR4: 003706f0

How to reproduce:

1. sudo apt install fbterm
2. Switch to a TTY (such as tty1), and log in as a user with read and write 
permission on /dev/fb0
3. Run fbterm, and hold Enter for a few seconds (to make it scroll)
4. Oops!


-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
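As an added example that is not part of the original report, the following C program decodes the register dump from the oops above. The sample lines are copied from the dump as it appears on this page; the addresses there are shortened (a kernel address has 16 hex digits, these have 12) and some zero-valued fields are empty, which the parser tolerates because only the relation between the values matters. It reads the #PF error code and RAX, RDX, RSI, RDI and CR2, and uses two facts visible in the dump itself: the first bytes of the Code: line, 48 89 f8, are mov %rdi,%rax, so memcpy_orig keeps the original destination in RAX, and the marked instruction <4c> 89 07 is mov %r8,(%rdi), a store through RDI. From that it reports which memcpy operand the faulting address belongs to and how far the copy had got.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed input: register lines copied from the oops in this report as
 * they appear on the page (addresses shortened, some zero fields empty).
 */
static const char *oops_lines[] = {
    "[  214.781348] #PF: supervisor write access in kernel mode",
    "[  214.781691] #PF: error_code(0x0002) - not-present page",
    "[  214.785153] RIP: 0010:memcpy_orig+0x29/0x123",
    "[  214.787721] RAX: ae3dc1170c00 RBX: 9f70f41c9000 RCX: 0c80",
    "[  214.788147] RDX: 0840 RSI: ae3dc0e93a20 RDI: ae3dc1171000",
    "[  214.788553] RBP:  R08:  R09: ",
    "[  214.791290] CR2: ae3dc1171000 CR3: 2360a003 CR4: 003706f0",
    NULL,
};

struct pf_info {
    uint64_t rax, rdx, rsi, rdi, cr2;
    unsigned error_code;
    unsigned seen;                    /* bit mask of the fields found */
};

enum { SEEN_EC = 1, SEEN_RAX = 2, SEEN_RDX = 4, SEEN_RSI = 8,
       SEEN_RDI = 16, SEEN_CR2 = 32, SEEN_ALL = 63 };

/* Look for "NAME: <hex>" in line. An empty field ("RBP:  R08:") has no
 * digits after the name and is reported as absent. */
static int scan_reg(const char *line, const char *name, uint64_t *out)
{
    const char *p = strstr(line, name);
    char *end;
    unsigned long long v;

    if (!p)
        return 0;
    p += strlen(name);
    v = strtoull(p, &end, 16);
    if (end == p)
        return 0;
    *out = v;
    return 1;
}

/* Returns 0 when every field needed below was found, -1 otherwise. */
int parse_oops(const char **lines, struct pf_info *pf)
{
    memset(pf, 0, sizeof *pf);
    for (; *lines; lines++) {
        const char *l = *lines, *ec = strstr(l, "error_code(");

        if (ec) {
            pf->error_code = (unsigned)strtoul(ec + strlen("error_code("), NULL, 16);
            pf->seen |= SEEN_EC;
        }
        if (scan_reg(l, "RAX: ", &pf->rax)) pf->seen |= SEEN_RAX;
        if (scan_reg(l, "RDX: ", &pf->rdx)) pf->seen |= SEEN_RDX;
        if (scan_reg(l, "RSI: ", &pf->rsi)) pf->seen |= SEEN_RSI;
        if (scan_reg(l, "RDI: ", &pf->rdi)) pf->seen |= SEEN_RDI;
        if (scan_reg(l, "CR2: ", &pf->cr2)) pf->seen |= SEEN_CR2;
    }
    return pf->seen == SEEN_ALL ? 0 : -1;
}

/* x86 #PF error code: bit 0 = page was present, bit 1 = access was a write. */
int pf_is_write(const struct pf_info *pf)   { return (pf->error_code & 0x2) != 0; }
int pf_is_present(const struct pf_info *pf) { return (pf->error_code & 0x1) != 0; }

/*
 * Which memcpy operand faulted. memcpy(dst, src, n) is entered with RDI=dst,
 * RSI=src, RDX=n (x86-64 SysV); RSI and RDI are advanced as the copy runs, so
 * the one equal to CR2 is the operand whose page was missing.
 */
enum pf_operand { PF_OP_UNKNOWN = 0, PF_OP_DST = 1, PF_OP_SRC = 2 };

enum pf_operand pf_faulting_operand(const struct pf_info *pf)
{
    if (pf->cr2 == pf->rdi) return PF_OP_DST;
    if (pf->cr2 == pf->rsi) return PF_OP_SRC;
    return PF_OP_UNKNOWN;
}

/* Bytes written before the fault: RAX still holds the original dst. */
uint64_t pf_bytes_before_fault(const struct pf_info *pf) { return pf->cr2 - pf->rax; }

/* Offset of CR2 inside its 4 KiB page; 0 means the copy stepped exactly off
 * the end of a mapped page into an unmapped one. */
unsigned pf_page_offset(const struct pf_info *pf) { return (unsigned)(pf->cr2 & 0xfff); }

int main(void)
{
    static const char *const opname[] = { "neither RSI nor RDI", "RDI (destination)", "RSI (source)" };
    struct pf_info pf;

    if (parse_oops(oops_lines, &pf) != 0) {
        fputs("register dump incomplete\n", stderr);
        return 1;
    }
    printf("%s fault on a %s page\n", pf_is_write(&pf) ? "write" : "read",
           pf_is_present(&pf) ? "present" : "not-present");
    printf("CR2 matches %s\n", opname[pf_faulting_operand(&pf)]);
    printf("0x%llx bytes copied before the fault, page offset 0x%03x, 0x%llx bytes left in RDX\n",
           (unsigned long long)pf_bytes_before_fault(&pf), pf_page_offset(&pf),
           (unsigned long long)pf.rdx);
    return 0;
}
```

For this dump it reports a write fault on a not-present page, CR2 equal to RDI, 0x400 bytes already copied from the original destination in RAX, a faulting address on a page boundary, and 0x840 bytes still to go in RDX. The same parser works on any x86-64 oops whose RIP is inside memcpy; for a fault in other code the RAX rule does not apply and only the CR2/RSI/RDI comparison carries over.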