BUG: unable to handle kernel paging request in vga16fb

BUG: unable to handle kernel paging request in vga16fb_imageblit (2)
Status: upstream: reported C repro on 2020/05/08 07:07
Reported-by: syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com
Fix commit: ffb324e6f874 tty: vt: always invoke vc->vc_sw->con_resize callback
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-arm32]
First crash: 512d, last: 139d

Cause bisection: introduced by (bisect log) :
commit 988d0763361bb65690d60e2bc53a6b72777040c3
Author: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Date: Sun Sep 27 11:46:30 2020 +0000

vt_ioctl: make VT_RESIZEX behave like VT_RESIZE

Crash: BUG: unable to handle kernel paging request in vga16fb_imageblit (log)
Repro: C syz .config

similar bugs (4):
Kernel	Title	Count	Last	Reported	Patched	Status
linux-4.19	BUG: unable to handle kernel paging request in vga16fb_imageblit	4	544d	641d	0/1	auto-closed as invalid on 2020/07/31 03:49
upstream	BUG: unable to handle kernel paging request in vga16fb_imageblit	1	642d	641d	0/22	auto-closed as invalid on 2020/04/23 17:11
linux-4.19	BUG: unable to handle kernel paging request in vga16fb_imageblit (2)	10	9d04h	330d	0/1	upstream: reported on 2020/11/01 15:15
linux-4.14	BUG: unable to handle kernel paging request in vga16fb_imageblit	8	139d	530d	0/1	auto-closed as invalid on 2021/09/09 11:30

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/05/15 03:05	20m	penguin-kernel@i-love.sakura.ne.jp	patch	git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.13-rc1	OK
2021/05/14 23:40	20m	penguin-kernel@i-love.sakura.ne.jp	patch	git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.13-rc1	OK
2021/05/14 12:09	20m	penguin-kernel@i-love.sakura.ne.jp	patch	git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.13-rc1	OK

Sample crash report:

BUG: unable to handle page fault for address: ffff888001000040
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD 11201067 P4D 11201067 PUD 11202067 PMD 80000000010001e1 
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8403 Comm: syz-executor112 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1176 [inline]
RIP: 0010:vga16fb_imageblit+0xcee/0x1cb0 drivers/video/fbdev/vga16fb.c:1260
Code: 66 66 2e 0f 1f 84 00 00 00 00 00 90 4c 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 84 c0 75 1b 41 0f b6 04 24 <41> 88 06 85 ed 74 2b 49 ff c4 49 ff c6 e8 80 ae 43 fd ff cd eb cc
RSP: 0018:ffffc9000163f0a0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888001000040 RCX: dffffc0000000000
RDX: ffff888022ad54c0 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff843b289b R09: 0000000000000000
R10: 0000000000000002 R11: ffff888022ad54c0 R12: ffff8880181bcea8
R13: ffffc9000163f2cc R14: ffff888001000040 R15: 0000000000000004
FS:  0000000001207300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000040 CR3: 0000000028d32000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bit_putcs+0x18e8/0x1de0 drivers/video/fbdev/core/bitblit.c:105
 fbcon_putcs+0x2ae/0x430 drivers/video/fbdev/core/fbcon.c:1296
 do_update_region+0x4d6/0x6a0 drivers/tty/vt/vt.c:676
 redraw_screen+0x8f6/0x1270 drivers/tty/vt/vt.c:1035
 fbcon_blank+0x556/0xa50 drivers/video/fbdev/core/fbcon.c:2207
 do_unblank_screen+0x27e/0xb20 drivers/tty/vt/vt.c:4406
 vt_kdsetmode drivers/tty/vt/vt_ioctl.c:276 [inline]
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:381 [inline]
 vt_ioctl+0x2a82/0x3180 drivers/tty/vt/vt_ioctl.c:713
 tty_ioctl+0xf51/0x1720 drivers/tty/tty_io.c:2805
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:1069 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055
 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43fef9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc931a4c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000013f84 RCX: 000000000043fef9
RDX: 0000000000000000 RSI: 0000000000004b3a RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000d R09: 00007ffc931a4de8
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc931a4c5c
R13: 431bde82d7b634db R14: 00000000004ae018 R15: 0000000000400488
Modules linked in:
CR2: ffff888001000040
---[ end trace 96734cf7ef5cce91 ]---
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1176 [inline]
RIP: 0010:vga16fb_imageblit+0xcee/0x1cb0 drivers/video/fbdev/vga16fb.c:1260
Code: 66 66 2e 0f 1f 84 00 00 00 00 00 90 4c 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 84 c0 75 1b 41 0f b6 04 24 <41> 88 06 85 ed 74 2b 49 ff c4 49 ff c6 e8 80 ae 43 fd ff cd eb cc
RSP: 0018:ffffc9000163f0a0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888001000040 RCX: dffffc0000000000
RDX: ffff888022ad54c0 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff843b289b R09: 0000000000000000
R10: 0000000000000002 R11: ffff888022ad54c0 R12: ffff8880181bcea8
R13: ffffc9000163f2cc R14: ffff888001000040 R15: 0000000000000004
FS:  0000000001207300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000040 CR3: 0000000028d32000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (27):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-smack-root	2021/05/01 20:30	upstream	d2b6f8a17919	77e2b668	.config	log	report	syz	C		BUG: unable to handle kernel paging request in vga16fb_imageblit
ci-upstream-kasan-gce-root	2021/05/11 22:22	upstream	88b06399c9c7	b3c3bb8e	.config	log	report			info	BUG: unable to handle kernel paging request in vga16fb_imageblit
ci-upstream-kasan-gce-root	2021/05/02 02:43	upstream	d2b6f8a17919	77e2b668	.config	log	report			info	BUG: unable to handle kernel paging request in vga16fb_imageblit
ci-upstream-kasan-gce-smack-root	2021/05/01 19:31	upstream	d2b6f8a17919	77e2b668	.config	log	report			info	BUG: unable to handle kernel paging request in vga16fb_imageblit
ci-upstream-kasan-gce-root	2021/03/31 15:42	upstream	5e46d1b78a03	6a81331a	.config	log	report			info	BUG: unable to handle kernel paging request in vga16fb_imageblit
ci-upstream-kasan-gce-root	2021/03/10 12:08	upstream	144c79ef3353	26967e35	.config	log	report			info	BUG: unable to handle kernel paging request in vga16fb_imageblit
ci-upstream-linux-next-kasan-gce-root	2021/04/20 18:53	linux-next	1216f02e46a4	c0ced557	.config	log	report			info	BUG: unable to handle kernel paging request in vga16fb_imageblit
ci-upstream-kasan-gce-selinux-root	2021/01/10 02:36	upstream	996e435fd401	2c1f2513	.config	log	report			info
ci-upstream-kasan-gce-root	2020/11/20 06:23	upstream	3494d58865ad	0767f13f	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2020/10/07 01:56	upstream	c85fb28b6f99	1880b4a9	.config	log	report			info
ci-upstream-kasan-gce-smack-root	2020/10/02 18:04	upstream	472e5b056f00	4969d6ca	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2020/09/30 07:08	upstream	ccc1d052eff9	5abc3f1a	.config	log	report			info
ci-upstream-kasan-gce-smack-root	2020/07/28 21:21	upstream	92ed30191993	cb93dc6a	.config	log	report
ci-upstream-kasan-gce-selinux-root	2020/07/06 18:16	upstream	7cc2a8ea1048	51095195	.config	log	report
ci-upstream-kasan-gce	2020/07/03 06:50	upstream	cd77006e01b3	bed10395	.config	log	report
ci-upstream-kasan-gce	2020/06/28 01:53	upstream	1590a2e1c681	ffec44b5	.config	log	report
ci-upstream-kasan-gce	2020/06/27 23:32	upstream	1590a2e1c681	ffec44b5	.config	log	report
ci-upstream-kasan-gce	2020/06/27 20:09	upstream	1590a2e1c681	ffec44b5	.config	log	report
ci-upstream-kasan-gce	2020/06/24 11:38	upstream	7ae77150d94d	54566aff	.config	log	report
ci-upstream-kasan-gce-root	2020/05/04 01:37	upstream	262f7a6b8317	58ae5e18	.config	log	report
ci-upstream-kasan-gce-386	2020/12/01 15:02	upstream	b65054597872	07bfe8a5	.config	log	report			info
ci-upstream-kasan-gce-386	2020/11/30 16:14	upstream	b65054597872	78d50c1d	.config	log	report			info
ci-upstream-kasan-gce-386	2020/11/27 18:14	upstream	85a2c56cb445	486f93ef	.config	log	report			info
ci-upstream-kasan-gce-386	2020/11/24 05:33	upstream	d5beb3140f91	1ab681a4	.config	log	report			info
ci-upstream-kasan-gce-386	2020/10/11 12:54	upstream	da690031a5d6	4a77ae0b	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/12/19 11:42	linux-next	0d52778b8710	04201c06	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/07/07 01:48	linux-next	9e50b94b3eb0	51095195	.config	log	report