bisecting fixing commit since 17a87580a8856170d59aab302226811a4ae69149
building syzkaller on e562dd8adff015d44bec3d7fd8e6608a3a031ff3
testing commit 17a87580a8856170d59aab302226811a4ae69149 with gcc (GCC) 8.1.0
kernel signature: 4cb047b145d38bd3ac5bed65e7e1629f14541020ca181368baffa27b6a389cfc
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #4: crashed: unexpected kernel reboot
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
testing current HEAD f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a
testing commit f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a with gcc (GCC) 8.1.0
kernel signature: e6f4c1c6d6cc359aa9ae9a34bcd56ddc7e4dd219b0151131fba7ae251e6be08d
all runs: OK
# git bisect start f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a 17a87580a8856170d59aab302226811a4ae69149
Bisecting: 340 revisions left to test after this (roughly 8 steps)
[719a92fae0434d11ee86d0f679663c14a2a13fc1] Revert "vxlan: fix tos value before xmit"
testing commit 719a92fae0434d11ee86d0f679663c14a2a13fc1 with gcc (GCC) 8.1.0
kernel signature: 5c441f3f4f08451aaf193498e524d4104fcde92fa23f0ab681905a76518188f5
all runs: OK
# git bisect bad 719a92fae0434d11ee86d0f679663c14a2a13fc1
Bisecting: 169 revisions left to test after this (roughly 7 steps)
[8a330edef54f270c440034419f0694cee64c3075] ipvs: fix the connection sync failed in some cases
testing commit 8a330edef54f270c440034419f0694cee64c3075 with gcc (GCC) 8.1.0
kernel signature: 2f044fa09460a1813c9974f3389f8f22735388734d77e8218b295d87faf35c1a
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in syscall_trace_enter
run #2: crashed: unexpected kernel reboot
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #4: crashed: unexpected kernel reboot
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #6: crashed: unexpected kernel reboot
run #7: crashed: no output from test machine
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good 8a330edef54f270c440034419f0694cee64c3075
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[7b88c1ef512b2e4e08096773b35596c16678f038] Revert "drm/amdgpu: Fix NULL dereference in dpm sysfs handlers"
testing commit 7b88c1ef512b2e4e08096773b35596c16678f038 with gcc (GCC) 8.1.0
kernel signature: c3d7c0e6b635cecb8da208b07551da7d8efea8243657f2960638ac43c404d1ae
all runs: OK
# git bisect bad 7b88c1ef512b2e4e08096773b35596c16678f038
Bisecting: 42 revisions left to test after this (roughly 5 steps)
[9468cf97910aea551c0d8f423cc30a13bda7490e] drm/amdgpu: Fix NULL dereference in dpm sysfs handlers
testing commit 9468cf97910aea551c0d8f423cc30a13bda7490e with gcc (GCC) 8.1.0
kernel signature: 3941ec97c533eb1af25ba6543f15c13d7b54af7c232e521195f06c79c965f898
all runs: OK
# git bisect bad 9468cf97910aea551c0d8f423cc30a13bda7490e
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[768ae54563b7347f5c6bb97100a3161b726705e9] arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
testing commit 768ae54563b7347f5c6bb97100a3161b726705e9 with gcc (GCC) 8.1.0
kernel signature: f1e62f123258c1946146dbfeffa237ce6df6c694f53c8d5aa0b7d4d4bf8bada5
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #3: crashed: unexpected kernel reboot
run #4: crashed: unexpected kernel reboot
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good 768ae54563b7347f5c6bb97100a3161b726705e9
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[3027b255ebfbce099279f9dc0ae16448a5966dad] staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
testing commit 3027b255ebfbce099279f9dc0ae16448a5966dad with gcc (GCC) 8.1.0
kernel signature: b323f171a3053b283173208c976b029f7efd726690a22ee382bbb4eb92c58455
run #0: crashed: BUG: sleeping function called from invalid context in __do_page_fault
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #5: crashed: unexpected kernel reboot
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #8: crashed: unexpected kernel reboot
run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
# git bisect good 3027b255ebfbce099279f9dc0ae16448a5966dad
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[74752b81eae8ae64e97de222320026367e92c4b5] vt: Reject zero-sized screen buffer size.
testing commit 74752b81eae8ae64e97de222320026367e92c4b5 with gcc (GCC) 8.1.0
kernel signature: 4b1a030a8c98cc9bd4bb6bc36a750badd4943a73d688cc3bb49310da1d81dc79
all runs: OK
# git bisect bad 74752b81eae8ae64e97de222320026367e92c4b5
Bisecting: 2 revisions left to test after this (roughly 1 step)
[c358255ff1dfa51ddbcbc8dfcc4eaa5719008daa] serial: 8250: fix null-ptr-deref in serial8250_start_tx()
testing commit c358255ff1dfa51ddbcbc8dfcc4eaa5719008daa with gcc (GCC) 8.1.0
kernel signature: 5d903b391b1080649699576f346b09b70c865a2c61e2e4efd79a6bec8dbfa2f8
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #4: crashed: unexpected kernel reboot
run #5: crashed: general protection fault in update_vsyscall
run #6: crashed: unexpected kernel reboot
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #8: crashed: unexpected kernel reboot
run #9: crashed: unexpected kernel reboot
# git bisect good c358255ff1dfa51ddbcbc8dfcc4eaa5719008daa
Bisecting: 0 revisions left to test after this (roughly 1 step)
[dd58bd1b95b7127bb975942e14c4a9bd878c28db] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit dd58bd1b95b7127bb975942e14c4a9bd878c28db with gcc (GCC) 8.1.0
kernel signature: f54d34539892b0bad760ae6b9e2460ec8c6e30bd0e7802990914e7a5bfef61c1
all runs: OK
# git bisect bad dd58bd1b95b7127bb975942e14c4a9bd878c28db
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8] serial: 8250_mtk: Fix high-speed baud rates clamping
testing commit 5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8 with gcc (GCC) 8.1.0
kernel signature: c7d022bfeb1c76db8437de488ba05e7a5a14ef7e83e66316172e087c9efb4fe1
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in arch_setup_additional_pages
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #3: crashed: unexpected kernel reboot
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #5: crashed: unexpected kernel reboot
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #7: crashed: unexpected kernel reboot
run #8: crashed: unexpected kernel reboot
run #9: crashed: no output from test machine
# git bisect good 5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8
dd58bd1b95b7127bb975942e14c4a9bd878c28db is the first bad commit
commit dd58bd1b95b7127bb975942e14c4a9bd878c28db
Author: Tetsuo Handa
Date:   Wed Jul 15 10:51:02 2020 +0900

    fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

    commit 033724d6864245a11f8e04c066002e6ad22b3fd0 upstream.

    syzbot is reporting general protection fault in bitfill_aligned() [1] caused
    by integer underflow in bit_clear_margins(). The cause of this problem is
    when and how vc_do_resize() updates vc->vc_{cols,rows}.

    If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
    is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
    bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
    info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will try
    to overrun the __iomem region and causes general protection fault.

    Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception. Since cols and lines are calculated as

      cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
      rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
      cols /= vc->vc_font.width;
      rows /= vc->vc_font.height;
      vc_resize(vc, cols, rows);

    in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0 and
    var.yres < vc->vc_font.height makes rows = 0. This means that

      const int fd = open("/dev/fb0", O_ACCMODE);
      struct fb_var_screeninfo var = { };

      ioctl(fd, FBIOGET_VSCREENINFO, &var);
      var.xres = var.yres = 1;
      ioctl(fd, FBIOPUT_VSCREENINFO, &var);

    easily reproduces integer underflow bug explained above.

    Of course, that callers of vc_resize() are not handling vc_do_resize()
    failure is bad. But we can't avoid vc_resize(vc, 0, 0) which returns 0.
    Therefore, as a band-aid workaround, this patch checks integer underflow
    in "struct fbcon_ops"->clear_margins call, assuming that
    vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.height do
    not cause integer overflow.

    [1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Acked-by: Daniel Vetter
    Cc: stable
    Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/video/fbdev/core/bitblit.c   | 4 ++--
 drivers/video/fbdev/core/fbcon_ccw.c | 4 ++--
 drivers/video/fbdev/core/fbcon_cw.c  | 4 ++--
 drivers/video/fbdev/core/fbcon_ud.c  | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

culprit signature: f54d34539892b0bad760ae6b9e2460ec8c6e30bd0e7802990914e7a5bfef61c1
parent signature: c7d022bfeb1c76db8437de488ba05e7a5a14ef7e83e66316172e087c9efb4fe1
revisions tested: 12, total time: 3h46m41.123003545s (build: 2h2m19.277808407s, test: 1h42m18.235953733s)
first good commit: dd58bd1b95b7127bb975942e14c4a9bd878c28db fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
recipients (to): ["daniel.vetter@ffwll.ch" "gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com"]
recipients (cc): []
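The underflow that the commit message above describes, as an added worked example: this is a constructed user-space model in C, not code from the bisection log, the kernel, or the patch. It models a fixed-size framebuffer allocation, the vc_resize(vc, 0, 0) exception that leaves vc_cols/vc_rows stale after the 1x1 mode change in the reproducer, and the right/bottom margin arithmetic in two forms: the unsigned subtraction that wraps (the pre-fix shape) beside a signed check of the kind the commit title announces. The buffer dimensions, the one-byte-per-pixel layout, and the names clear_margins(), fill_rect(), cols_after_mode(), margin_unchecked() and margin_checked() are assumptions made for the illustration; fill_rect() refuses an out-of-bounds fill instead of performing it, where the real driver writes __iomem with no such guard.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the fbcon margin-clearing path. Sizes, names and the
 * byte-per-pixel buffer are assumptions; this is not bit_clear_margins() or
 * the upstream patch, only the arithmetic the commit message talks about.
 */

/* Backing store larger than the visible mode, as with a real framebuffer
 * whose var.xres/var.yres are shrunk via FBIOPUT_VSCREENINFO. */
#define FB_W 1280u
#define FB_H 1024u
static unsigned char fb[FB_W * FB_H];

/* Stand-in for fb_fillrect(): return -1 instead of overrunning the buffer.
 * The driver fills __iomem directly, which is how an underflowed width
 * reached bitfill_aligned() in the syzbot report. */
static int fill_rect(unsigned int dx, unsigned int dy, unsigned int w, unsigned int h)
{
	/* 64-bit so the bounds check itself cannot wrap */
	if ((uint64_t)dx + w > FB_W || (uint64_t)dy + h > FB_H)
		return -1;
	for (unsigned int y = dy; y < dy + h; y++)
		memset(&fb[y * FB_W + dx], 0, w);
	return 0;
}

/* Model of the vc_resize(vc, 0, 0) exception quoted in the commit message:
 * a zero request keeps the old value, so a mode narrower than one font cell
 * leaves the column count stale. The same shape applies to rows/height. */
static unsigned int cols_after_mode(unsigned int old_cols, unsigned int xres, unsigned int cw)
{
	unsigned int c = xres / cw;
	return c ? c : old_cols;
}

/* Pre-fix shape: unsigned subtraction wraps when cells * cell_px > res. */
static unsigned int margin_unchecked(unsigned int res, unsigned int cells, unsigned int cell_px)
{
	return res - cells * cell_px;
}

/* Post-fix shape: evaluate the difference as a signed int and treat anything
 * not strictly positive as "no margin to clear". Like the patch, this assumes
 * cells * cell_px itself does not overflow (the cast relies on gcc's modular
 * unsigned-to-int conversion, as kernel code does). */
static unsigned int margin_checked(unsigned int res, unsigned int cells, unsigned int cell_px)
{
	int m = (int)(res - cells * cell_px);
	return m > 0 ? (unsigned int)m : 0;
}

/* Clear the right and bottom margins of a cols x rows console of cw x ch
 * pixel cells on an xres x yres mode. Returns 0, or -1 if a fill would have
 * left the framebuffer. 'checked' selects the hardened margin computation. */
static int clear_margins(unsigned int xres, unsigned int yres,
			 unsigned int cols, unsigned int rows,
			 unsigned int cw, unsigned int ch, int checked)
{
	unsigned int rw = checked ? margin_checked(xres, cols, cw)
				  : margin_unchecked(xres, cols, cw);
	unsigned int bh = checked ? margin_checked(yres, rows, ch)
				  : margin_unchecked(yres, rows, ch);
	unsigned int rs = xres - rw;	/* right strip starts after the text area */
	unsigned int bs = yres - bh;	/* bottom strip starts below the text area */

	if (rw && fill_rect(rs, 0, rw, yres) < 0)
		return -1;
	if (bh && fill_rect(0, bs, xres, bh) < 0)
		return -1;
	return 0;
}

int main(void)
{
	unsigned int cols = 128, rows = 48, cw = 8, ch = 16;

	/* Healthy geometry: 1030x770 mode, 6 px right and 2 px bottom margin. */
	printf("1030x770 unchecked: %d\n", clear_margins(1030, 770, cols, rows, cw, ch, 0));

	/* Shrink the mode to 1x1 as the reproducer does; cols/rows stay stale. */
	cols = cols_after_mode(cols, 1, cw);
	rows = cols_after_mode(rows, 1, ch);
	printf("stale cols=%u rows=%u\n", cols, rows);
	printf("rw unchecked = %u\n", margin_unchecked(1, cols, cw));
	printf("1x1 unchecked: %d\n", clear_margins(1, 1, cols, rows, cw, ch, 0));
	printf("1x1 checked:   %d\n", clear_margins(1, 1, cols, rows, cw, ch, 1));
	return 0;
}
```

With the stale 128x48 geometry and a 1x1 mode, the unchecked width is 1 - 1024 wrapped to 4294966273, and the wrapped start offset lands at 1024, so the unchecked path asks for a fill far past the allocation; the checked path sees -1023 and clears nothing, which is the intended band-aid behaviour until callers of vc_resize() handle vc_do_resize() failure properly.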