bisecting fixing commit since 399849e4654ea496a6217ba4e5ee3d304c995ab4
building syzkaller on 6e569755ce2f0efcad474398871ff75693e770fc
testing commit 399849e4654ea496a6217ba4e5ee3d304c995ab4 with gcc (GCC) 8.1.0
kernel signature: 7b56e014d8b60367aa470c23f13b6b6d0ada701171695e0e1c03727000d4eaa7
all runs: crashed: general protection fault in do_con_write
testing current HEAD f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a
testing commit f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a with gcc (GCC) 8.1.0
kernel signature: 78290fe4949e1bda7af7aa6078a332a8c33d47d3eb6b02a57f91524971763c59
all runs: OK
# git bisect start f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a 399849e4654ea496a6217ba4e5ee3d304c995ab4
Bisecting: 387 revisions left to test after this (roughly 9 steps)
[29204c846894d73108f87e78aea4757a8ec52c74] random32: update the net random state on interrupt and activity
testing commit 29204c846894d73108f87e78aea4757a8ec52c74 with gcc (GCC) 8.1.0
kernel signature: d28e4bfaa30ed1648427f36fdc492cedccf0ab533e987e56815a8c303429c4c7
all runs: OK
# git bisect bad 29204c846894d73108f87e78aea4757a8ec52c74
Bisecting: 193 revisions left to test after this (roughly 8 steps)
[39a35dfb082563b89013fd171e6563729cfdfa80] virt: vbox: Fix VBGL_IOCTL_VMMDEV_REQUEST_BIG and _LOG req numbers to match upstream
testing commit 39a35dfb082563b89013fd171e6563729cfdfa80 with gcc (GCC) 8.1.0
kernel signature: c8fd7f40910d0cecefe4ebfc084e2b5858b21614deacfab3d159fab1cb707dc1
all runs: crashed: general protection fault in do_con_write
# git bisect good 39a35dfb082563b89013fd171e6563729cfdfa80
Bisecting: 96 revisions left to test after this (roughly 7 steps)
[fffb773c4d93f1415a46192057a8c940917606e4] usb: xhci: Fix ASM2142/ASM3142 DMA addressing
testing commit fffb773c4d93f1415a46192057a8c940917606e4 with gcc (GCC) 8.1.0
kernel signature: b00943baac17138c7c541637bf07f28ee202214dbee0de4915642d8a7d7bf4e1
all runs: crashed: general protection fault in do_con_write
# git bisect good fffb773c4d93f1415a46192057a8c940917606e4
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[7deb2dcb8963812742ed08420cfa4e23bbeda074] tracing: Have error path in predicate_parse() free its allocated memory
testing commit 7deb2dcb8963812742ed08420cfa4e23bbeda074 with gcc (GCC) 8.1.0
kernel signature: 50812039ed81043a00a9c19c645fdfdc7a81ce8d9d8b2e9339aab60cdfaf5f43
all runs: OK
# git bisect bad 7deb2dcb8963812742ed08420cfa4e23bbeda074
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[f3c154542ff7bda1ce2c398fce0181f9ab70a29b] ath9k: Fix regression with Atheros 9271
testing commit f3c154542ff7bda1ce2c398fce0181f9ab70a29b with gcc (GCC) 8.1.0
kernel signature: 3da3eaadc1fa7cc89fb43b4cdf42ca2c86da76d1ae926583250b2a87a74935f0
all runs: OK
# git bisect bad f3c154542ff7bda1ce2c398fce0181f9ab70a29b
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[91404e91eb85fdb8b6d5d6c01a53cbc63b057e10] mm/memcg: fix refcount error while moving and swapping
testing commit 91404e91eb85fdb8b6d5d6c01a53cbc63b057e10 with gcc (GCC) 8.1.0
kernel signature: 0271e3f3dfc9d19e7d27770a19bf35fff10af8335fe0cd65ce7467e2f060fb18
all runs: OK
# git bisect bad 91404e91eb85fdb8b6d5d6c01a53cbc63b057e10
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[f96ab42f29656efef6cd3cb1a68d8757e4286df1] staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
testing commit f96ab42f29656efef6cd3cb1a68d8757e4286df1 with gcc (GCC) 8.1.0
kernel signature: 3114d2fed97aa731e152450ed0346d4066b6a8e85ff66ac3bfe42a180aa9ff1c
all runs: crashed: general protection fault in do_con_write
# git bisect good f96ab42f29656efef6cd3cb1a68d8757e4286df1
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[dd58bd1b95b7127bb975942e14c4a9bd878c28db] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit dd58bd1b95b7127bb975942e14c4a9bd878c28db with gcc (GCC) 8.1.0
kernel signature: e9770583de4ac3cd4112f83ab401a83a8617dd96572defd4c1217393aab08258
all runs: crashed: general protection fault in do_con_write
# git bisect good dd58bd1b95b7127bb975942e14c4a9bd878c28db
Bisecting: 0 revisions left to test after this (roughly 1 step)
[69c122751164c3c343eea205fd5c3e1d5132f967] Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation
testing commit 69c122751164c3c343eea205fd5c3e1d5132f967 with gcc (GCC) 8.1.0
kernel signature: f9506685753a6be5d1e3314cca6b78d4080c75909d3c085527812243833c60c8
all runs: OK
# git bisect bad 69c122751164c3c343eea205fd5c3e1d5132f967
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[74752b81eae8ae64e97de222320026367e92c4b5] vt: Reject zero-sized screen buffer size.
testing commit 74752b81eae8ae64e97de222320026367e92c4b5 with gcc (GCC) 8.1.0
kernel signature: 89d702fbf992c69f93b6b4684c448326dda751b46225afc9164613637fae9f3b
all runs: OK
# git bisect bad 74752b81eae8ae64e97de222320026367e92c4b5
74752b81eae8ae64e97de222320026367e92c4b5 is the first bad commit
commit 74752b81eae8ae64e97de222320026367e92c4b5
Author: Tetsuo Handa
Date:   Sun Jul 12 20:10:12 2020 +0900

    vt: Reject zero-sized screen buffer size.

    commit ce684552a266cb1c7cc2f7e623f38567adec6653 upstream.

    syzbot is reporting general protection fault in do_con_write() [1] caused by
    vc->vc_screenbuf == ZERO_SIZE_PTR caused by vc->vc_screenbuf_size == 0
    caused by vc->vc_cols == vc->vc_rows == vc->vc_size_row == 0 caused by
    fb_set_var() from ioctl(FBIOPUT_VSCREENINFO) on /dev/fb0 , for
    gotoxy(vc, 0, 0) from reset_terminal() from vc_init() from vc_allocate()
    from con_install() from tty_init_dev() from tty_open() on such console
    causes vc->vc_pos == 0x10000000e due to
    ((unsigned long) ZERO_SIZE_PTR) + -1U * 0 + (-1U << 1).

    I don't think that a console with 0 column or 0 row makes sense. And it
    seems that vc_do_resize() does not intend to allow resizing a console to
    0 column or 0 row due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception.

    Theoretically, cols and rows can be any range as long as
    0 < cols * rows * 2 <= KMALLOC_MAX_SIZE is satisfied (e.g.
    cols == 1048576 && rows == 2 is possible) because of

      vc->vc_size_row = vc->vc_cols << 1;
      vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;

    in visual_init() and

      kzalloc(vc->vc_screenbuf_size)

    in vc_allocate(). Since we can detect cols == 0 or rows == 0 via
    screenbuf_size = 0 in visual_init(), we can reject kzalloc(0). Then,
    vc_allocate() will return an error, and con_write() will not be called
    on a console with 0 column or 0 row.

    We need to make sure that integer overflow in visual_init() won't happen.
    Since vc_do_resize() restricts cols <= 32767 and rows <= 32767, applying
    1 <= cols <= 32767 and 1 <= rows <= 32767 restrictions to vc_allocate()
    will be practically fine.

    This patch does not touch con_init(), for returning -EINVAL there
    does not help when we are not returning -ENOMEM.

    [1] https://syzkaller.appspot.com/bug?extid=017265e8553724e514e8

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Cc: stable
    Link: https://lore.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

culprit signature: 89d702fbf992c69f93b6b4684c448326dda751b46225afc9164613637fae9f3b
parent signature: e9770583de4ac3cd4112f83ab401a83a8617dd96572defd4c1217393aab08258
revisions tested: 12, total time: 3h26m22.943412482s (build: 1h58m55.002006136s, test: 1h25m30.101188484s)
first good commit: 74752b81eae8ae64e97de222320026367e92c4b5 vt: Reject zero-sized screen buffer size.
recipients (to): ["gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+017265e8553724e514e8@syzkaller.appspotmail.com"]
recipients (cc): []