BUG: unable to handle kernel NULL pointer dereference in fbcon

BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
Status: upstream: reported C repro on 2020/11/16 08:36
Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com
Fix commit: 01faae5193d6 drivers: video: fbcon: fix NULL dereference in fbcon_cursor()
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-arm32]
First crash: 256d, last: 118d

Cause bisection: introduced by (bisect log) :
commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Fri Oct 9 23:21:56 2020 +0000

drm/vkms: fbdev emulation support

Crash: BUG: unable to handle kernel NULL pointer dereference in hide_cursor (log)
Repro: C syz .config

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/03/31 06:44	0m	hassan@shahbazi.fi	patch	upstream	error
2021/03/12 15:14	14m	ducheng2@gmail.com	patch	upstream	OK
2021/03/12 14:56	9m	ducheng2@gmail.com	patch	upstream	report log
2021/03/12 14:51	14m	ducheng2@gmail.com	patch	upstream	OK
2021/03/12 14:50	14m	ducheng2@gmail.com	patch	upstream	OK
2021/03/12 14:35	9m	ducheng2@gmail.com	patch	upstream	report log
2021/03/12 14:33	15m	ducheng2@gmail.com	patch	upstream	OK
2021/03/10 17:39	9m	ducheng2@gmail.com		upstream	report log

Sample crash report:

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 139e9067 P4D 139e9067 PUD 18ec0067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8419 Comm: syz-executor302 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc90000eef850 EFLAGS: 00010292
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000002 RSI: ffff8880194cf000 RDI: ffff888010879000
RBP: ffff888010879000 R08: 0000000000000000 R09: ffffffff83f62fda
R10: 0000000000000003 R11: 0000000000000018 R12: ffff8880194cf000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  0000000000e36300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000000155e5000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 fbcon_cursor+0x50e/0x620 drivers/video/fbdev/core/fbcon.c:1336
 hide_cursor+0x85/0x280 drivers/tty/vt/vt.c:907
 redraw_screen+0x5b4/0x740 drivers/tty/vt/vt.c:1012
 vc_do_resize+0xed8/0x1150 drivers/tty/vt/vt.c:1325
 fbcon_set_disp+0x7a8/0xe10 drivers/video/fbdev/core/fbcon.c:1402
 con2fb_init_display drivers/video/fbdev/core/fbcon.c:808 [inline]
 set_con2fb_map+0x7a6/0xf80 drivers/video/fbdev/core/fbcon.c:879
 fbcon_set_con2fb_map_ioctl+0x165/0x220 drivers/video/fbdev/core/fbcon.c:3010
 do_fb_ioctl+0x5b6/0x690 drivers/video/fbdev/core/fbmem.c:1156
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43eed9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff742ea708 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043eed9
RDX: 0000000020000040 RSI: 0000000000004610 RDI: 0000000000000004
RBP: 0000000000402ec0 R08: 0000000000400488 R09: 0000000000400488
R10: 0000000000400488 R11: 0000000000000246 R12: 0000000000402f50
R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
Modules linked in:
CR2: 0000000000000000
---[ end trace a82c7f1a7531a47d ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc90000eef850 EFLAGS: 00010292
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000002 RSI: ffff8880194cf000 RDI: ffff888010879000
RBP: ffff888010879000 R08: 0000000000000000 R09: ffffffff83f62fda
R10: 0000000000000003 R11: 0000000000000018 R12: ffff8880194cf000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  0000000000e36300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000000155e5000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (21):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce	2021/03/25 16:19	upstream	4ee998b0ef8b	607e3baf	.config	log	report	syz	C		BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce	2021/03/25 15:38	upstream	4ee998b0ef8b	607e3baf	.config	log	report	syz	C		BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce-386	2021/03/28 14:51	upstream	0f4498cef9f5	a8529b82	.config	log	report	syz	C		BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce-386	2021/03/28 08:37	upstream	0f4498cef9f5	a8529b82	.config	log	report	syz	C		BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce	2021/01/17 09:22	upstream	0da0a8a0a0e1	65a7a854	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2021/01/17 08:53	linux-next	b3a3cbdec55b	65a7a854	.config	log	report	syz	C
ci-upstream-kasan-gce	2021/03/29 00:00	upstream	81b1d39fd39a	a8529b82	.config	log	report			info	BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce	2021/03/05 14:23	upstream	280d542f6ffa	9d751681	.config	log	report			info	BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce	2021/02/28 08:27	upstream	5695e5161974	4c37c133	.config	log	report			info	BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce-selinux-root	2021/02/16 14:40	upstream	f40ddce88593	98682e5e	.config	log	report			info	BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce	2021/01/25 03:13	upstream	e68061375f79	52e37319	.config	log	report			info	BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce-selinux-root	2021/01/19 16:13	upstream	1e2a199f6ccd	63631df1	.config	log	report			info	BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce	2021/01/17 08:24	upstream	0da0a8a0a0e1	65a7a854	.config	log	report			info
ci-upstream-kasan-gce	2021/01/15 14:42	upstream	146620506274	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/14 23:27	upstream	65f0d2414b70	65a7a854	.config	log	report			info
ci-upstream-kasan-gce-root	2021/01/13 10:17	upstream	e609571b5ffa	0cdd6185	.config	log	report			info
ci-upstream-kasan-gce-386	2021/01/02 03:11	upstream	eda809aef534	79264ae3	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2021/01/17 08:02	linux-next	b3a3cbdec55b	65a7a854	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2021/01/06 03:47	linux-next	83dadd4cfb0c	b1c228e1	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2021/01/05 13:52	linux-next	83dadd4cfb0c	a0234d98	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/11 17:04	linux-next	6dd65e60af98	cca87986	.config	log	report			info