bisecting fixing commit since daefdc9eb24bfa11ab77a4b2a9c3923f1051fe0b
building syzkaller on f12ba0c59fb470378fd054bba8ce424156c4f164
testing commit daefdc9eb24bfa11ab77a4b2a9c3923f1051fe0b with gcc (GCC) 8.4.1 20210217
kernel signature: 00b8b7359d929101178ee9446ece023adc1aa0b18b5312e46fc7106d77273180
all runs: crashed: KASAN: global-out-of-bounds Read in soft_cursor
testing current HEAD eb575cd5d7f60241d016fdd13a9e86d962093c9b
testing commit eb575cd5d7f60241d016fdd13a9e86d962093c9b with gcc (GCC) 8.4.1 20210217
kernel signature: 6087065493f37875d3fea015fb3df876c37780ee276e87be25aba0936fe0be03
all runs: OK
# git bisect start eb575cd5d7f60241d016fdd13a9e86d962093c9b daefdc9eb24bfa11ab77a4b2a9c3923f1051fe0b
Bisecting: 1219 revisions left to test after this (roughly 10 steps)
[1eee7382abc87d537c51d5c20d998112b24174db] virtio-blk: modernize sysfs attribute creation
testing commit 1eee7382abc87d537c51d5c20d998112b24174db with gcc (GCC) 8.4.1 20210217
kernel signature: e34c7e7222cfe12bc19623a496a1930ac45873b5c337024d460bc24f9668a5e6
all runs: crashed: KASAN: global-out-of-bounds Read in soft_cursor
# git bisect good 1eee7382abc87d537c51d5c20d998112b24174db
Bisecting: 609 revisions left to test after this (roughly 9 steps)
[f891b65c7ad087af9099e70ccf8f060b9abda561] usb: gadget: dummy_hcd: fix gpf in gadget_setup
testing commit f891b65c7ad087af9099e70ccf8f060b9abda561 with gcc (GCC) 8.4.1 20210217
kernel signature: 5000124747ed0a7fc30ac96c1e3a1026dcef43da79f7c4d389a7cfbb1bba778c
all runs: crashed: KASAN: global-out-of-bounds Read in soft_cursor
# git bisect good f891b65c7ad087af9099e70ccf8f060b9abda561
Bisecting: 304 revisions left to test after this (roughly 8 steps)
[6da8d5e13f8a8d9c6b9736348e473abaf0256d9d] gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055
testing commit 6da8d5e13f8a8d9c6b9736348e473abaf0256d9d with gcc (GCC) 8.4.1 20210217
kernel signature: 17e6bdbad10eb75fc1d169cac09ab4d6d2958c68b7aa5d22640d402f35c97955
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip 6da8d5e13f8a8d9c6b9736348e473abaf0256d9d
Bisecting: 304 revisions left to test after this (roughly 8 steps)
[165f3f9c24a8703189285c267865037a80af400f] USB: serial: ftdi_sio: add NovaTech OrionMX product ID
testing commit 165f3f9c24a8703189285c267865037a80af400f with gcc (GCC) 8.4.1 20210217
kernel signature: 7ff4363fcbaf00b9efd4abe148dd42014eb383e88ab70fb9a963be2a4cca015a
all runs: OK
# git bisect bad 165f3f9c24a8703189285c267865037a80af400f
Bisecting: 291 revisions left to test after this (roughly 8 steps)
[147434d72d0a81cbadf672f70a418e9773638a8d] isdn: capi: fix mismatched prototypes
testing commit 147434d72d0a81cbadf672f70a418e9773638a8d with gcc (GCC) 8.4.1 20210217
kernel signature: 2d32632e304351ffab71d364d0854b28e4c1df7bd5ced8936a1fef12aef23712
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip 147434d72d0a81cbadf672f70a418e9773638a8d
Bisecting: 291 revisions left to test after this (roughly 8 steps)
[dae0929f31e3b58b7eaa10e6e000ae4203e085aa] vsock/vmci: log once the failed queue pair allocation
testing commit dae0929f31e3b58b7eaa10e6e000ae4203e085aa with gcc (GCC) 8.4.1 20210217
kernel signature: bfdb185f1d49661e2ab1ec1bcc8add9e06e802fb5b1a7999a24641b71fcdb266
all runs: crashed: KASAN: global-out-of-bounds Read in soft_cursor
# git bisect good dae0929f31e3b58b7eaa10e6e000ae4203e085aa
Bisecting: 205 revisions left to test after this (roughly 8 steps)
[582a9b9813ecc89a3b5944ea412f383d02904c50] proc: Check /proc/$pid/attr/ writes against file opener
testing commit 582a9b9813ecc89a3b5944ea412f383d02904c50 with gcc (GCC) 8.4.1 20210217
kernel signature: e61f9c051cb83d75c5349ce7991672cf3a9160b959f2a5fece1300d99e09714b
all runs: OK
# git bisect bad 582a9b9813ecc89a3b5944ea412f383d02904c50
Bisecting: 102 revisions left to test after this (roughly 7 steps)
[a9ab69e4b3896415792408d79bdebfffe733e4e9] iio: gyro: mpu3050: Fix reported temperature value
testing commit a9ab69e4b3896415792408d79bdebfffe733e4e9 with gcc (GCC) 8.4.1 20210217
kernel signature: ee3ba973e2ad03dca21ea8be83225829dcebeb40bc34b7319f13fc22c74b9937
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip a9ab69e4b3896415792408d79bdebfffe733e4e9
Bisecting: 102 revisions left to test after this (roughly 7 steps)
[0c0b8be4234ca03ccd0a25f9855d21e29c9152a5] ARC: entry: fix off-by-one error in syscall number validation
testing commit 0c0b8be4234ca03ccd0a25f9855d21e29c9152a5 with gcc (GCC) 8.4.1 20210217
kernel signature: 3237240f000ab1e0b6146c93b16de7888e8c9801d8c35895a6dd60b5f42a2767
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip 0c0b8be4234ca03ccd0a25f9855d21e29c9152a5
Bisecting: 102 revisions left to test after this (roughly 7 steps)
[12b6934b22083a9ab30db104d81c49e43a5ab1c8] Revert "scsi: ufs: fix a missing check of devm_reset_control_get"
testing commit 12b6934b22083a9ab30db104d81c49e43a5ab1c8 with gcc (GCC) 8.4.1 20210217
kernel signature: e901157445a62cb79f157ea0673c38f325b1a1f0df6b51310d87a88e38528e82
all runs: crashed: KASAN: global-out-of-bounds Read in soft_cursor
# git bisect good 12b6934b22083a9ab30db104d81c49e43a5ab1c8
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[9a71ed8da907c36de4e96a8d78216231c0fe8df5] vgacon: Record video mode changes with VT_RESIZEX
testing commit 9a71ed8da907c36de4e96a8d78216231c0fe8df5 with gcc (GCC) 8.4.1 20210217
kernel signature: eb9e342d2b54e24c6c6d8921f1f1013641c6c9f61edfac79ba7a810f09a12b71
all runs: crashed: KASAN: global-out-of-bounds Read in soft_cursor
# git bisect good 9a71ed8da907c36de4e96a8d78216231c0fe8df5
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[e8fbd40aa4f3a5b77584cc44c21228b7912ccc70] usb: dwc3: gadget: Enable suspend events
testing commit e8fbd40aa4f3a5b77584cc44c21228b7912ccc70 with gcc (GCC) 8.4.1 20210217
kernel signature: 3a6776d3c917053542111f32900f3f5cd5cfdaa96937eb355f3d94000e9d38b8
all runs: OK
# git bisect bad e8fbd40aa4f3a5b77584cc44c21228b7912ccc70
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[1dfd47b684c28eaa568f7d1d1702a110bd9eb612] video: hgafb: correctly handle card detect failure during probe
testing commit 1dfd47b684c28eaa568f7d1d1702a110bd9eb612 with gcc (GCC) 8.4.1 20210217
kernel signature: 733ed05ec8c7d3ed4896a13746e393e14b99012c7afaa1f1c939bdcc2975862f
all runs: OK
# git bisect bad 1dfd47b684c28eaa568f7d1d1702a110bd9eb612
Bisecting: 0 revisions left to test after this (roughly 1 step)
[17d6c58c5fc522561daa4d3fb270edba933ac0a6] tty: vt: always invoke vc->vc_sw->con_resize callback
testing commit 17d6c58c5fc522561daa4d3fb270edba933ac0a6 with gcc (GCC) 8.4.1 20210217
kernel signature: 733ed05ec8c7d3ed4896a13746e393e14b99012c7afaa1f1c939bdcc2975862f
all runs: OK
# git bisect bad 17d6c58c5fc522561daa4d3fb270edba933ac0a6
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8c5ec4a731e1e2d9b6906bcde62de57a609a9b86] vt: Fix character height handling with VT_RESIZEX
testing commit 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86 with gcc (GCC) 8.4.1 20210217
kernel signature: 6093052f97dfc6b99dc2544c492a5b4ec71e40f59684e019e5edccf209008487
all runs: OK
# git bisect bad 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86
8c5ec4a731e1e2d9b6906bcde62de57a609a9b86 is the first bad commit
commit 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86
Author: Maciej W. Rozycki
Date:   Thu May 13 11:51:50 2021 +0200

    vt: Fix character height handling with VT_RESIZEX

    commit 860dafa902595fb5f1d23bbcce1215188c3341e6 upstream.

    Restore the original intent of the VT_RESIZEX ioctl's `v_clin' parameter
    which is the number of pixel rows per character (cell) rather than the
    height of the font used. For framebuffer devices the two values are
    always the same, because the former is inferred from the latter one.

    For VGA used as a true text mode device these two parameters are
    independent from each other: the number of pixel rows per character is
    set in the CRT controller, while font height is in fact hardwired to 32
    pixel rows and fonts of heights below that value are handled by padding
    their data with blanks when loaded to hardware for use by the character
    generator. One can change the setting in the CRT controller and it will
    update the screen contents accordingly regardless of the font loaded.

    The `v_clin' parameter is used by the `vgacon' driver to set the height
    of the character cell and then the cursor position within. Make the
    parameter explicit then, by defining a new `vc_cell_height' struct
    member of `vc_data', set it instead of `vc_font.height' from `v_clin'
    in the VT_RESIZEX ioctl, and then use it throughout the `vgacon' driver
    except where actual font data is accessed which as noted above is
    independent from the CRTC setting.

    This way the framebuffer console driver is free to ignore the `v_clin'
    parameter as irrelevant, as it always should have, avoiding any issues
    attempts to give the parameter a meaning there could have caused, such
    as one that has led to commit 988d0763361b ("vt_ioctl: make VT_RESIZEX
    behave like VT_RESIZE"):

    "syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2],
    for vt_resizex() from ioctl(VT_RESIZEX) allows setting font height
    larger than actual font height calculated by con_font_set() from
    ioctl(PIO_FONT). Since fbcon_set_font() from con_font_set() allocates
    minimal amount of memory based on actual font height calculated by
    con_font_set(), use of vt_resizex() can cause UAF/OOB read for font
    data."

    The problem first appeared around Linux 2.5.66 which predates our repo
    history, but the origin could be identified with the old MIPS/Linux repo
    also at:
    as commit 9736a3546de7 ("Merge with Linux 2.5.66."), where VT_RESIZEX
    code in `vt_ioctl' was updated as follows:

    	if (clin)
    -		video_font_height = clin;
    +		vc->vc_font.height = clin;

    making the parameter apply to framebuffer devices as well, perhaps due
    to the use of "font" in the name of the original `video_font_height'
    variable. Use "cell" in the new struct member then to avoid ambiguity.

    References:

    [1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837
    [2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3

    Signed-off-by: Maciej W. Rozycki
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: stable@vger.kernel.org # v2.6.12+
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt_ioctl.c      |  6 +++---
 drivers/video/console/vgacon.c | 44 +++++++++++++++++++++---------------------
 include/linux/console_struct.h |  1 +
 3 files changed, 26 insertions(+), 25 deletions(-)

culprit signature: 6093052f97dfc6b99dc2544c492a5b4ec71e40f59684e019e5edccf209008487
parent signature: eb9e342d2b54e24c6c6d8921f1f1013641c6c9f61edfac79ba7a810f09a12b71
revisions tested: 17, total time: 3h50m23.522909711s (build: 2h19m2.138671047s, test: 1h30m8.160574431s)
first good commit: 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86 vt: Fix character height handling with VT_RESIZEX
recipients (to): ["gregkh@linuxfoundation.org" "macro@orcam.me.uk" "torvalds@linux-foundation.org"]
recipients (cc): []