bisecting fixing commit since 4520f06b03ae667e442da1ab9351fd28cd7ac598
building syzkaller on db9bcd4b9fd510dc1b4b2b2021180c8432844b9b
testing commit 4520f06b03ae667e442da1ab9351fd28cd7ac598 with gcc (GCC) 8.1.0
kernel signature: c932e8bfa14b3ff4ad7b8925bcca613bd292e9207c6f2995c6f5c4a55243fb98
run #0: crashed: INFO: task hung in fb_open
run #1: crashed: INFO: task hung in fb_open
run #2: crashed: INFO: task hung in fb_open
run #3: crashed: INFO: task hung in fb_open
run #4: crashed: INFO: task hung in fb_open
run #5: crashed: INFO: task hung in fb_open
run #6: crashed: INFO: task hung in fb_open
run #7: crashed: INFO: task hung in fb_open
run #8: OK
run #9: OK
testing current HEAD d7e78d08fa77acdea351c8f628f49ca9a0e1029a
testing commit d7e78d08fa77acdea351c8f628f49ca9a0e1029a with gcc (GCC) 8.1.0
kernel signature: 040ee0cb93500d710eecfb8c7613a729d95da6a0172f48cb6c23b18dde07ded6
all runs: OK
# git bisect start d7e78d08fa77acdea351c8f628f49ca9a0e1029a 4520f06b03ae667e442da1ab9351fd28cd7ac598
Bisecting: 841 revisions left to test after this (roughly 10 steps)
[6456abcad3d39a15532633e2e82ead3a757fea0f] mmc: sdhci-esdhc-imx: fix the mask for tuning start point
testing commit 6456abcad3d39a15532633e2e82ead3a757fea0f with gcc (GCC) 8.1.0
kernel signature: 0e5a8f12ed094457a1087b26dd0eaae3e26ffec8ab4f6a8f85686ee94ed5d48c
all runs: boot failed: WARNING in kvm_mmu_set_mmio_spte_mask
# git bisect skip 6456abcad3d39a15532633e2e82ead3a757fea0f
Bisecting: 841 revisions left to test after this (roughly 10 steps)
[7f15121bd7ef35c57558d317123aabffc501d434] usb: gadget: net2280: fix memory leak on probe error handling paths
testing commit 7f15121bd7ef35c57558d317123aabffc501d434 with gcc (GCC) 8.1.0
kernel signature: 8ca38876e1e4b36c1d69b72b3611fb11aa46959972c74a1b6ad16a910a057e5c
all runs: OK
# git bisect bad 7f15121bd7ef35c57558d317123aabffc501d434
Bisecting: 740 revisions left to test after this (roughly 10 steps)
[0ed324e35aaff4bc3bbf222b788a2eda2eb4920a] crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is fully iterated
testing commit 0ed324e35aaff4bc3bbf222b788a2eda2eb4920a with gcc (GCC) 8.1.0
kernel signature: 7c2848a0043dfd5dab1098613f358dee57ba4a13e736102e4a7290e8834d9bed
run #0: crashed: INFO: task hung in fb_open
run #1: crashed: INFO: task hung in fb_open
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 0ed324e35aaff4bc3bbf222b788a2eda2eb4920a
Bisecting: 370 revisions left to test after this (roughly 9 steps)
[653db17384a3a1875d13cab23e7a4bd04188e9e0] SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment()
testing commit 653db17384a3a1875d13cab23e7a4bd04188e9e0 with gcc (GCC) 8.1.0
kernel signature: a45560ffc574c00fd7508109f4d39fd8bfc099325734ee607559f9e0c537104f
all runs: boot failed: WARNING in kvm_mmu_set_mmio_spte_mask
# git bisect skip 653db17384a3a1875d13cab23e7a4bd04188e9e0
Bisecting: 370 revisions left to test after this (roughly 9 steps)
[8a443ffcf7b572c071398644d35cf9cc55cfa2cb] xfs: set format back to extents if xfs_bmap_extents_to_btree
testing commit 8a443ffcf7b572c071398644d35cf9cc55cfa2cb with gcc (GCC) 8.1.0
kernel signature: 4d808dc827e08beb91be14845b44155702003baa2b4880e438b48bf4d44a014f
all runs: OK
# git bisect bad 8a443ffcf7b572c071398644d35cf9cc55cfa2cb
Bisecting: 303 revisions left to test after this (roughly 8 steps)
[b5025305521a43684f2b12ead8e8aaaceafd819c] ibmveth: Fix max MTU limit
testing commit b5025305521a43684f2b12ead8e8aaaceafd819c with gcc (GCC) 8.1.0
kernel signature: 016e952deefb7d2ff5b577ad3df4410bf0ec92ccfe6abf3e795cb78bfc1265a3
all runs: boot failed: WARNING in kvm_mmu_set_mmio_spte_mask
# git bisect skip b5025305521a43684f2b12ead8e8aaaceafd819c
Bisecting: 303 revisions left to test after this (roughly 8 steps)
[eaca5d0e2899d8140804c0589321f95e65314ea5] ipvs: fix the connection sync failed in some cases
testing commit eaca5d0e2899d8140804c0589321f95e65314ea5 with gcc (GCC) 8.1.0
kernel signature: 1db47e48dc14ce0626c7482236b1180a55daff0de3db359264bcec6c79e0f44c
run #0: crashed: INFO: task hung in fb_open
run #1: crashed: INFO: task hung in fb_open
run #2: crashed: INFO: task hung in fb_open
run #3: crashed: INFO: task hung in fb_open
run #4: crashed: INFO: task hung in fb_open
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good eaca5d0e2899d8140804c0589321f95e65314ea5
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[46308fd32f236e646dd9841a7c6136b6007d8d2a] staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
testing commit 46308fd32f236e646dd9841a7c6136b6007d8d2a with gcc (GCC) 8.1.0
kernel signature: 2fec8d41001f751f980f356f09e10ed151bf3c766e5a741753d3e573fb64f566
run #0: crashed: INFO: task hung in fb_open
run #1: crashed: INFO: task hung in fb_open
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 46308fd32f236e646dd9841a7c6136b6007d8d2a
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[1411bf6e5910fdb9d03ac4d4f9bfd0363bd003a5] AX.25: Prevent out-of-bounds read in ax25_sendmsg()
testing commit 1411bf6e5910fdb9d03ac4d4f9bfd0363bd003a5 with gcc (GCC) 8.1.0
kernel signature: 9fd070b6bc6e39171a49278a20c9c7b143a25946f2d8287278c56f4481927ef8
all runs: OK
# git bisect bad 1411bf6e5910fdb9d03ac4d4f9bfd0363bd003a5
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[01f2b73e0da2d2396d254b69bf23a3620269d575] io-mapping: indicate mapping failure
testing commit 01f2b73e0da2d2396d254b69bf23a3620269d575 with gcc (GCC) 8.1.0
kernel signature: aa8119ca2b5458265c0a8d81cebf072683144e42b1b52154c10a33287d04b3af
all runs: OK
# git bisect bad 01f2b73e0da2d2396d254b69bf23a3620269d575
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[7cecdf9655ef285b52583f861c2de5193fbbd461] vt: Reject zero-sized screen buffer size.
testing commit 7cecdf9655ef285b52583f861c2de5193fbbd461 with gcc (GCC) 8.1.0
kernel signature: 235ee37308609765bf011f537ca545b30a9da96c4a02810557df1a1c48150cdf
all runs: OK
# git bisect bad 7cecdf9655ef285b52583f861c2de5193fbbd461
Bisecting: 1 revision left to test after this (roughly 1 step)
[ead742adb0195bca0be3d2e63c453be14814aa8c] serial: 8250_mtk: Fix high-speed baud rates clamping
testing commit ead742adb0195bca0be3d2e63c453be14814aa8c with gcc (GCC) 8.1.0
kernel signature: 9d35b349ea25e7d32111ac28d4360016f3696eb292639242fdf621b1a57d4bf2
run #0: crashed: INFO: task hung in fb_open
run #1: crashed: INFO: task hung in fb_open
run #2: crashed: INFO: task hung in fb_open
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good ead742adb0195bca0be3d2e63c453be14814aa8c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c388072f90cc2d5884cf42e0c6d605d65d323b41] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit c388072f90cc2d5884cf42e0c6d605d65d323b41 with gcc (GCC) 8.1.0
kernel signature: 375f570449c61bc597d56e70f96e075a31dcc24dc15d9521d9a54e75b3e1e57d
all runs: OK
# git bisect bad c388072f90cc2d5884cf42e0c6d605d65d323b41
c388072f90cc2d5884cf42e0c6d605d65d323b41 is the first bad commit
commit c388072f90cc2d5884cf42e0c6d605d65d323b41
Author: Tetsuo Handa
Date:   Wed Jul 15 10:51:02 2020 +0900

    fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

    commit 033724d6864245a11f8e04c066002e6ad22b3fd0 upstream.

    syzbot is reporting general protection fault in bitfill_aligned() [1]
    caused by integer underflow in bit_clear_margins(). The cause of this
    problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.

    If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
    is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
    bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
    info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will
    try to overrun the __iomem region and causes general protection fault.

    Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception. Since cols and lines are calculated as

      cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
      rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
      cols /= vc->vc_font.width;
      rows /= vc->vc_font.height;
      vc_resize(vc, cols, rows);

    in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0
    and var.yres < vc->vc_font.height makes rows = 0. This means that

      const int fd = open("/dev/fb0", O_ACCMODE);
      struct fb_var_screeninfo var = { };

      ioctl(fd, FBIOGET_VSCREENINFO, &var);
      var.xres = var.yres = 1;
      ioctl(fd, FBIOPUT_VSCREENINFO, &var);

    easily reproduces the integer underflow bug explained above.

    Of course, it is bad that callers of vc_resize() are not handling
    vc_do_resize() failure. But we can't avoid vc_resize(vc, 0, 0) which
    returns 0. Therefore, as a band-aid workaround, this patch checks integer
    underflow in "struct fbcon_ops"->clear_margins call, assuming that
    vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.height do
    not cause integer overflow.

    [1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Acked-by: Daniel Vetter
    Cc: stable
    Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/video/fbdev/core/bitblit.c   | 4 ++--
 drivers/video/fbdev/core/fbcon_ccw.c | 4 ++--
 drivers/video/fbdev/core/fbcon_cw.c  | 4 ++--
 drivers/video/fbdev/core/fbcon_ud.c  | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

culprit signature: 375f570449c61bc597d56e70f96e075a31dcc24dc15d9521d9a54e75b3e1e57d
parent signature: 9d35b349ea25e7d32111ac28d4360016f3696eb292639242fdf621b1a57d4bf2
revisions tested: 15, total time: 5h7m37.86809765s (build: 2h24m5.833728955s, test: 2h41m5.22567154s)
first good commit: c388072f90cc2d5884cf42e0c6d605d65d323b41 fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
recipients (to): ["daniel.vetter@ffwll.ch" "gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com"]
recipients (cc): []
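The underflow chain the culprit commit message describes, as an added C model that is not the kernel's code or the patch itself: a tiny resolution leaves vc_cols/vc_rows unchanged, the unsigned margin width wraps to a huge value, and a signed-positivity check of the kind the commit describes rejects it. The struct fb_state and the three functions are constructed stand-ins for the fbcon fields and calls named in the message, and the check relies on the same assumption the message states (cols*cw and rows*ch fit in an int).

```c
#include <stdbool.h>

/* Constructed stand-ins for the fbcon fields the commit message names;
 * not the kernel's structures. */
struct fb_state {
    unsigned int xres, yres;       /* info->var.xres, info->var.yres */
    unsigned int vc_cols, vc_rows; /* vc->vc_cols, vc->vc_rows */
    unsigned int cw, ch;           /* vc->vc_font.width, vc->vc_font.height */
};

/* Models fbcon_modechanged() feeding vc_resize(): cols/rows are derived from
 * the new resolution, but a zero value keeps the old vc_cols/vc_rows because
 * of the "(cols ? cols : vc->vc_cols)" exception quoted in the message. */
static void model_modechanged(struct fb_state *s, unsigned int new_xres,
                              unsigned int new_yres)
{
    unsigned int cols = new_xres / s->cw;
    unsigned int rows = new_yres / s->ch;

    s->xres = new_xres;
    s->yres = new_yres;
    if (cols)
        s->vc_cols = cols;
    if (rows)
        s->vc_rows = rows;
}

/* Pre-fix shape of the margin test: any non-zero unsigned rw/bh is treated
 * as a margin to clear, so an underflowed value becomes a huge fill size. */
static bool clear_margins_unchecked(const struct fb_state *s,
                                    unsigned int *rw, unsigned int *bh)
{
    *rw = s->xres - s->vc_cols * s->cw;
    *bh = s->yres - s->vc_rows * s->ch;
    return *rw != 0 || *bh != 0;
}

/* Underflow-aware test: reinterpret the difference as int and clear only
 * when it is strictly positive; valid while cols*cw and rows*ch fit in int
 * (the assumption the commit message states). */
static bool clear_margins_checked(const struct fb_state *s,
                                  unsigned int *rw, unsigned int *bh)
{
    *rw = s->xres - s->vc_cols * s->cw;
    *bh = s->yres - s->vc_rows * s->ch;
    return (int)*rw > 0 || (int)*bh > 0;
}
```

With a 1024x768 framebuffer and an 8x16 font, switching to 1x1 (the message's reproducer) leaves 128 columns and 48 rows in place, and only the checked variant declines to clear the margins.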