bisecting fixing commit since 3c8c23092588a23bf1856a64f58c37f477a413be
building syzkaller on a343ba6b077a3efe7feb57783dcbb7496d2c3572
testing commit 3c8c23092588a23bf1856a64f58c37f477a413be with gcc (GCC) 8.4.1 20210217
kernel signature: e50ec80852faf1fd822e60482760a9d10a4cdef7e0f0287f952591559b5a872d
all runs: crashed: KASAN: slab-out-of-bounds Read in soft_cursor
testing current HEAD eb575cd5d7f60241d016fdd13a9e86d962093c9b
testing commit eb575cd5d7f60241d016fdd13a9e86d962093c9b with gcc (GCC) 8.4.1 20210217
kernel signature: f09cef4c8bf884864419d25d09a17ab8fd1779e01968cef9bcb4e48c0a8f203a
all runs: OK
# git bisect start eb575cd5d7f60241d016fdd13a9e86d962093c9b 3c8c23092588a23bf1856a64f58c37f477a413be
Bisecting: 358 revisions left to test after this (roughly 9 steps)
[434ea8c1d1bf296a2597aeb28f6ccf62ae82f235] sched/fair: Fix unfairness caused by missing load decay
testing commit 434ea8c1d1bf296a2597aeb28f6ccf62ae82f235 with gcc (GCC) 8.4.1 20210217
kernel signature: 11459172f3bcf9d8fe99c6a38ddd63f862bb4729ded3cb2d39521062fc3bee03
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip 434ea8c1d1bf296a2597aeb28f6ccf62ae82f235
Bisecting: 358 revisions left to test after this (roughly 9 steps)
[7d233ba700ceb593905ea82b42dadb4ec8ef85e9] drm: Fix use-after-free read in drm_getunique()
testing commit 7d233ba700ceb593905ea82b42dadb4ec8ef85e9 with gcc (GCC) 8.4.1 20210217
kernel signature: a37f58ac9ae8b635e56013563f3a6b6580459e148eac84f5ceed0daae375f1ad
all runs: OK
# git bisect bad 7d233ba700ceb593905ea82b42dadb4ec8ef85e9
Bisecting: 338 revisions left to test after this (roughly 8 steps)
[e5370bd9e419fcac4f8cf7b242455ba121212037] NFSv4.2: Always flush out writes in nfs42_proc_fallocate()
testing commit e5370bd9e419fcac4f8cf7b242455ba121212037 with gcc (GCC) 8.4.1 20210217
kernel signature: 185b0aa07ea9a643e53a93420e12e2e505c9359dbd35b39eeb01230566e1343d
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip e5370bd9e419fcac4f8cf7b242455ba121212037
Bisecting: 338 revisions left to test after this (roughly 8 steps)
[a03ed6e6dd0321a7e501f66c912c986e3f4f03f8] net: stmmac: Do not enable RX FIFO overflow interrupts
testing commit a03ed6e6dd0321a7e501f66c912c986e3f4f03f8 with gcc (GCC) 8.4.1 20210217
kernel signature: 927b38b6277c49907858b113e581fb039b46c42de59ef8023f28653a0f7832a4
all runs: basic kernel testing failed: unregister_netdevice: waiting for DEV to become free
# git bisect skip a03ed6e6dd0321a7e501f66c912c986e3f4f03f8
Bisecting: 338 revisions left to test after this (roughly 8 steps)
[65281d6aeca781b024a3cc83df6b55b987877ae8] tipc: add extack messages for bearer/media failure
testing commit 65281d6aeca781b024a3cc83df6b55b987877ae8 with gcc (GCC) 8.4.1 20210217
kernel signature: 6bdddeecf3c16757706324610f4a303b5f77245b8a77ab77b5dd7ab1d24ec6ad
all runs: OK
# git bisect bad 65281d6aeca781b024a3cc83df6b55b987877ae8
Bisecting: 303 revisions left to test after this (roughly 8 steps)
[a2db2877255f8ae34f892e102c53e5b2a7990752] ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF
testing commit a2db2877255f8ae34f892e102c53e5b2a7990752 with gcc (GCC) 8.4.1 20210217
kernel signature: 4263af640bb303b74b6f853f75832c0763d5f3353417fef17bd0e052efce3e3b
all runs: crashed: KASAN: slab-out-of-bounds Read in soft_cursor
# git bisect good a2db2877255f8ae34f892e102c53e5b2a7990752
Bisecting: 151 revisions left to test after this (roughly 7 steps)
[69d17230341a313091ad10713acd2aa33acfc3b7] Revert "gdrom: fix a memory leak bug"
testing commit 69d17230341a313091ad10713acd2aa33acfc3b7 with gcc (GCC) 8.4.1 20210217
kernel signature: e901157445a62cb79f157ea0673c38f325b1a1f0df6b51310d87a88e38528e82
all runs: crashed: KASAN: slab-out-of-bounds Read in soft_cursor
# git bisect good 69d17230341a313091ad10713acd2aa33acfc3b7
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[9324bd041d5c0a9c41238d390838778b9387030e] bpf: Fix mask direction swap upon off reg sign change
testing commit 9324bd041d5c0a9c41238d390838778b9387030e with gcc (GCC) 8.4.1 20210217
kernel signature: ea8e328ecbd07e5f5ce29f2b863c1ef3f12c98058856af7a3363e98439313a7e
all runs: OK
# git bisect bad 9324bd041d5c0a9c41238d390838778b9387030e
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[24347f561816634ab780bf7e03deeb049898b3bc] mac80211: do not accept/forward invalid EAPOL frames
testing commit 24347f561816634ab780bf7e03deeb049898b3bc with gcc (GCC) 8.4.1 20210217
kernel signature: a288b278ded70ddf3e051e682a4a8feec4d3dd7f878e3c22f1e220fd9f4c8bd4
all runs: OK
# git bisect bad 24347f561816634ab780bf7e03deeb049898b3bc
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[6b7b0056defc6eb5c87bbe4690ccda547b2891aa] Linux 4.19.192
testing commit 6b7b0056defc6eb5c87bbe4690ccda547b2891aa with gcc (GCC) 8.4.1 20210217
kernel signature: cfa14ac6dadeb38554c0270ac1d0698794505775dd0533f74dbee2c064da9af2
all runs: OK
# git bisect bad 6b7b0056defc6eb5c87bbe4690ccda547b2891aa
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[11ffb2d6035fcd7c445ca93b2ed835da6e7f8757] scsi: ufs: handle cleanup correctly on devm_reset_control_get error
testing commit 11ffb2d6035fcd7c445ca93b2ed835da6e7f8757 with gcc (GCC) 8.4.1 20210217
kernel signature: e901157445a62cb79f157ea0673c38f325b1a1f0df6b51310d87a88e38528e82
all runs: crashed: KASAN: slab-out-of-bounds Read in soft_cursor
# git bisect good 11ffb2d6035fcd7c445ca93b2ed835da6e7f8757
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[9a71ed8da907c36de4e96a8d78216231c0fe8df5] vgacon: Record video mode changes with VT_RESIZEX
testing commit 9a71ed8da907c36de4e96a8d78216231c0fe8df5 with gcc (GCC) 8.4.1 20210217
kernel signature: eb9e342d2b54e24c6c6d8921f1f1013641c6c9f61edfac79ba7a810f09a12b71
all runs: crashed: KASAN: slab-out-of-bounds Read in soft_cursor
# git bisect good 9a71ed8da907c36de4e96a8d78216231c0fe8df5
Bisecting: 2 revisions left to test after this (roughly 1 step)
[17d6c58c5fc522561daa4d3fb270edba933ac0a6] tty: vt: always invoke vc->vc_sw->con_resize callback
testing commit 17d6c58c5fc522561daa4d3fb270edba933ac0a6 with gcc (GCC) 8.4.1 20210217
kernel signature: 733ed05ec8c7d3ed4896a13746e393e14b99012c7afaa1f1c939bdcc2975862f
all runs: OK
# git bisect bad 17d6c58c5fc522561daa4d3fb270edba933ac0a6
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8c5ec4a731e1e2d9b6906bcde62de57a609a9b86] vt: Fix character height handling with VT_RESIZEX
testing commit 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86 with gcc (GCC) 8.4.1 20210217
kernel signature: 6093052f97dfc6b99dc2544c492a5b4ec71e40f59684e019e5edccf209008487
all runs: OK
# git bisect bad 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86
8c5ec4a731e1e2d9b6906bcde62de57a609a9b86 is the first bad commit
commit 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86
Author: Maciej W. Rozycki
Date:   Thu May 13 11:51:50 2021 +0200

    vt: Fix character height handling with VT_RESIZEX

    commit 860dafa902595fb5f1d23bbcce1215188c3341e6 upstream.

    Restore the original intent of the VT_RESIZEX ioctl's `v_clin' parameter
    which is the number of pixel rows per character (cell) rather than the
    height of the font used.

    For framebuffer devices the two values are always the same, because the
    former is inferred from the latter one. For VGA used as a true text mode
    device these two parameters are independent from each other: the number
    of pixel rows per character is set in the CRT controller, while font
    height is in fact hardwired to 32 pixel rows and fonts of heights below
    that value are handled by padding their data with blanks when loaded to
    hardware for use by the character generator. One can change the setting
    in the CRT controller and it will update the screen contents accordingly
    regardless of the font loaded. The `v_clin' parameter is used by the
    `vgacon' driver to set the height of the character cell and then the
    cursor position within.

    Make the parameter explicit then, by defining a new `vc_cell_height'
    struct member of `vc_data', set it instead of `vc_font.height' from
    `v_clin' in the VT_RESIZEX ioctl, and then use it throughout the `vgacon'
    driver except where actual font data is accessed which as noted above is
    independent from the CRTC setting.

    This way the framebuffer console driver is free to ignore the `v_clin'
    parameter as irrelevant, as it always should have, avoiding any issues
    attempts to give the parameter a meaning there could have caused, such as
    one that has led to commit 988d0763361b ("vt_ioctl: make VT_RESIZEX
    behave like VT_RESIZE"):

    "syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2],
    for vt_resizex() from ioctl(VT_RESIZEX) allows setting font height larger
    than actual font height calculated by con_font_set() from
    ioctl(PIO_FONT). Since fbcon_set_font() from con_font_set() allocates
    minimal amount of memory based on actual font height calculated by
    con_font_set(), use of vt_resizex() can cause UAF/OOB read for font
    data."

    The problem first appeared around Linux 2.5.66 which predates our repo
    history, but the origin could be identified with the old MIPS/Linux repo
    also at: as commit 9736a3546de7 ("Merge with Linux 2.5.66."), where
    VT_RESIZEX code in `vt_ioctl' was updated as follows:

    	if (clin)
    -		video_font_height = clin;
    +		vc->vc_font.height = clin;

    making the parameter apply to framebuffer devices as well, perhaps due to
    the use of "font" in the name of the original `video_font_height'
    variable. Use "cell" in the new struct member then to avoid ambiguity.

    References:

    [1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837
    [2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3

    Signed-off-by: Maciej W. Rozycki
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: stable@vger.kernel.org # v2.6.12+
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt_ioctl.c      |  6 +++---
 drivers/video/console/vgacon.c | 44 +++++++++++++++++++++---------------------
 include/linux/console_struct.h |  1 +
 3 files changed, 26 insertions(+), 25 deletions(-)

culprit signature: 6093052f97dfc6b99dc2544c492a5b4ec71e40f59684e019e5edccf209008487
parent signature: eb9e342d2b54e24c6c6d8921f1f1013641c6c9f61edfac79ba7a810f09a12b71
revisions tested: 16, total time: 4h25m0.249436148s (build: 2h20m15.17838083s, test: 2h3m30.627839082s)
first good commit: 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86 vt: Fix character height handling with VT_RESIZEX
recipients (to): ["gregkh@linuxfoundation.org" "macro@orcam.me.uk" "torvalds@linux-foundation.org"]
recipients (cc): []