bisecting fixing commit since e99332e7b4cda6e60f5b5916cf9943a79dbef902
building syzkaller on 8742a2b9dba1ce2869b29fff6c5359cc9116c719
testing commit e99332e7b4cda6e60f5b5916cf9943a79dbef902 with gcc (GCC) 8.1.0
kernel signature: b6b6c734699c3092fd750882f3e200f1d49d27309345b39cfad82c698cc8d690
all runs: crashed: no output from test machine
testing current HEAD b07175dc41babfec057f494d22a750af755297d8
testing commit b07175dc41babfec057f494d22a750af755297d8 with gcc (GCC) 8.1.0
kernel signature: 0f5cd0b2cd3b446b3359c4ad8a646e4ad57cbb4b103f166ff9e34ac9e7ebc8a5
all runs: OK
# git bisect start b07175dc41babfec057f494d22a750af755297d8 e99332e7b4cda6e60f5b5916cf9943a79dbef902
Bisecting: 16001 revisions left to test after this (roughly 14 steps)
[064e8af7159539fc2310870841e7f215b4f633e9] Merge existing fixes from spi/for-5.8
testing commit 064e8af7159539fc2310870841e7f215b4f633e9 with gcc (GCC) 8.1.0
kernel signature: 4afb374d845a8c70596b6a9d4118c3bd5a26194f45652084012d305277de4f57
all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
# git bisect skip 064e8af7159539fc2310870841e7f215b4f633e9
Bisecting: 16000 revisions left to test after this (roughly 14 steps)
[01a9d523017932d526b0e58f877038782b98a03f] arm64: tegra: Add Tegra132 compatible string for host1x
testing commit 01a9d523017932d526b0e58f877038782b98a03f with gcc (GCC) 8.1.0
kernel signature: 043eb69e3441b22bc767dce0ebbd2006525c604d7cd7e41663d0cc3cb34f7067
all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
# git bisect skip 01a9d523017932d526b0e58f877038782b98a03f
Bisecting: 16000 revisions left to test after this (roughly 14 steps)
[f3f2604ae9cbfa32d0f5629e5c61a4d79055e7e8] ARM: dts: stm32: Update pin states for uart4 on stm32mp157c-ed1
testing commit f3f2604ae9cbfa32d0f5629e5c61a4d79055e7e8 with gcc (GCC) 8.1.0
kernel signature: edb5c8e35b3436a91c8338f97dd126c1cd02c79673fb6f9392b9d11e125f71dc
run #0: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #1: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #2: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #3: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #4: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #5: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #6: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #7: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #8: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
run #9: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in corrupted
# git bisect skip f3f2604ae9cbfa32d0f5629e5c61a4d79055e7e8
Bisecting: 16000 revisions left to test after this (roughly 14 steps)
[a24eaa5c51255b344d5a321f1eeb3205f2775498] drm/amd/display: Revalidate bandwidth before commiting DC updates
testing commit a24eaa5c51255b344d5a321f1eeb3205f2775498 with gcc (GCC) 8.1.0
kernel signature: fcb30360309b813454b2270604a482429286de53b0a521dca870e03f5e2096b7
all runs: crashed: no output from test machine
# git bisect good a24eaa5c51255b344d5a321f1eeb3205f2775498
Bisecting: 15285 revisions left to test after this (roughly 14 steps)
[1ca0fafd73c5268e8fc4b997094b8bb2bfe8deea] tcp: md5: allow changing MD5 keys in all socket states
testing commit 1ca0fafd73c5268e8fc4b997094b8bb2bfe8deea with gcc (GCC) 8.1.0
kernel signature: ab5fcac98a571c7343eaf56b855e73832f29edbca1cae88c04d659c9ae13f14f
run #0: crashed: general protection fault in __switch_to_asm
run #1: crashed: general protection fault in __switch_to_asm
run #2: crashed: general protection fault in __switch_to_asm
run #3: crashed: general protection fault in __switch_to_asm
run #4: crashed: general protection fault in __switch_to_asm
run #5: crashed: general protection fault in __switch_to_asm
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good 1ca0fafd73c5268e8fc4b997094b8bb2bfe8deea
Bisecting: 7554 revisions left to test after this (roughly 13 steps)
[8186749621ed6b8fc42644c399e8c755a2b6f630] Merge tag 'drm-next-2020-08-06' of git://anongit.freedesktop.org/drm/drm
testing commit 8186749621ed6b8fc42644c399e8c755a2b6f630 with gcc (GCC) 8.1.0
kernel signature: e548a46c206103b3976805b2d8fa94a15fdfde63f10caf618469053bcb9af022
all runs: OK
# git bisect bad 8186749621ed6b8fc42644c399e8c755a2b6f630
Bisecting: 3847 revisions left to test after this (roughly 12 steps)
[822ef14e9dc73079c646d33aa77e2ac42361b39e] Merge tag 'arm-drivers-5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 822ef14e9dc73079c646d33aa77e2ac42361b39e with gcc (GCC) 8.1.0
kernel signature: 9fa16f2b1272dc8e96eea0ed0cbac7fc070b8988a285d6161cf9c067b276e4e8
all runs: OK
# git bisect bad 822ef14e9dc73079c646d33aa77e2ac42361b39e
Bisecting: 1939 revisions left to test after this (roughly 11 steps)
[6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d] Merge tag 'for-5.9-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit 6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d with gcc (GCC) 8.1.0
kernel signature: 6f87029154ae3d3107130107c13a51615ec56da53821e3c5942f3c5c369a87ad
all runs: OK
# git bisect bad 6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d
Bisecting: 970 revisions left to test after this (roughly 10 steps)
[8fdcabeac39824fe67480fd9508d80161c541854] drivers/net/wan/x25_asy: Fix to make it work
testing commit 8fdcabeac39824fe67480fd9508d80161c541854 with gcc (GCC) 8.1.0
kernel signature: 0e0185503839d8dffc121fa2c9ff2d1ecf93d3880a55ffc54a47140bbc4f3b3b
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __switch_to_asm
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __switch_to_asm
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in syscall_trace_enter
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __switch_to_asm
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #6: crashed: no output from test machine
run #7: crashed: no output from test machine
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good 8fdcabeac39824fe67480fd9508d80161c541854
Bisecting: 488 revisions left to test after this (roughly 9 steps)
[23ee3e4e5bd27bdbc0f1785eef7209ce872794c7] Merge tag 'pci-v5.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci into master
testing commit 23ee3e4e5bd27bdbc0f1785eef7209ce872794c7 with gcc (GCC) 8.1.0
kernel signature: 1248da5e9ce28690da8809ec4768bd785455498435388ad5d4315b8c71b925c1
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #3: crashed: BUG: unable to handle kernel paging request in __syscall_return_slowpath
run #4: crashed: BUG: stack guard page was hit in error_entry
run #5: crashed: BUG: sleeping function called from invalid context in exc_page_fault
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #7: crashed: no output from test machine
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good 23ee3e4e5bd27bdbc0f1785eef7209ce872794c7
Bisecting: 243 revisions left to test after this (roughly 8 steps)
[01d01caf19ff7c537527d352d169c4368375c0a1] btrfs: move the chunk_mutex in btrfs_read_chunk_tree
testing commit 01d01caf19ff7c537527d352d169c4368375c0a1 with gcc (GCC) 8.1.0
kernel signature: 9843cee7673ea11cce58bd1d98f2157e6afd9657f9c5b74a0b915ab257f2ca04
all runs: OK
# git bisect bad 01d01caf19ff7c537527d352d169c4368375c0a1
Bisecting: 122 revisions left to test after this (roughly 7 steps)
[100aa5d9f9f9d1163218bbbaad21bffbd8ee3e8d] btrfs: scrub: clean up temporary page variables in scrub_checksum_tree_block
testing commit 100aa5d9f9f9d1163218bbbaad21bffbd8ee3e8d with gcc (GCC) 8.1.0
kernel signature: 5bab5a4b5e7c28e81165748ced0e400641cf37a52d507b8edaa29500a102d7fe
all runs: OK
# git bisect bad 100aa5d9f9f9d1163218bbbaad21bffbd8ee3e8d
Bisecting: 59 revisions left to test after this (roughly 6 steps)
[17f50e28a858e4bab808733339995133390aae54] Merge tag 'usb-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb into master
testing commit 17f50e28a858e4bab808733339995133390aae54 with gcc (GCC) 8.1.0
kernel signature: 52de76719ab7fad56f3345d132aa0f72393cb8684937f7f5d7ca98411d2b8251
run #0: crashed: BUG: sleeping function called from invalid context in corrupted
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __switch_to_asm
run #2: crashed: BUG: sleeping function called from invalid context in exc_page_fault
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __switch_to_asm
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good 17f50e28a858e4bab808733339995133390aae54
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[1ada9010e578150984039a770c98f41799b30bc4] Merge tag 'char-misc-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc into master
testing commit 1ada9010e578150984039a770c98f41799b30bc4 with gcc (GCC) 8.1.0
kernel signature: 667f8ed6dff378519cef460f9f5e2eddcfe92f75e761475070acaed2150415ae
all runs: OK
# git bisect bad 1ada9010e578150984039a770c98f41799b30bc4
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[f208a76fcb5700a0c5104e5888679acc31d1ce41] Merge tag 'staging-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging into master
testing commit f208a76fcb5700a0c5104e5888679acc31d1ce41 with gcc (GCC) 8.1.0
kernel signature: 58cb737311cdf9715018e233769f643a361ef3cb222d7f861990655e6a6a0f49
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect bad f208a76fcb5700a0c5104e5888679acc31d1ce41
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[033724d6864245a11f8e04c066002e6ad22b3fd0] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit 033724d6864245a11f8e04c066002e6ad22b3fd0 with gcc (GCC) 8.1.0
kernel signature: 643fba3e33676e99932067beafb5e4d02b2d9255e83046327b31c2ca7af78f80
all runs: OK
# git bisect bad 033724d6864245a11f8e04c066002e6ad22b3fd0
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[707631ce639651e51bfed9e56326cde86f9e97b8] serial: tegra: drop bogus NULL tty-port checks
testing commit 707631ce639651e51bfed9e56326cde86f9e97b8 with gcc (GCC) 8.1.0
kernel signature: 0280edb160b26df78c94df0e1d4ef939aabae30af014f29f3a1944fd072826f5
run #0: crashed: BUG: sleeping function called from invalid context in corrupted
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #4: crashed: BUG: sleeping function called from invalid context in corrupted
run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #6: crashed: BUG: sleeping function called from invalid context in kallsyms_lookup
run #7: crashed: no output from test machine
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good 707631ce639651e51bfed9e56326cde86f9e97b8
Bisecting: 0 revisions left to test after this (roughly 1 step)
[551e553f0d4ab623e2a6f424ab5834f9c7b5229c] serial: 8250_mtk: Fix high-speed baud rates clamping
testing commit 551e553f0d4ab623e2a6f424ab5834f9c7b5229c with gcc (GCC) 8.1.0
kernel signature: 3082bb5fb1caf0b1de7f8653281b8369207893c53df874e819e266b0881a1c3e
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __switch_to_asm
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in __switch_to_asm
run #3: crashed: BUG: stack guard page was hit in mark_held_locks
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #5: crashed: no output from test machine
run #6: crashed: no output from test machine
run #7: crashed: no output from test machine
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good 551e553f0d4ab623e2a6f424ab5834f9c7b5229c
033724d6864245a11f8e04c066002e6ad22b3fd0 is the first bad commit
commit 033724d6864245a11f8e04c066002e6ad22b3fd0
Author: Tetsuo Handa
Date:   Wed Jul 15 10:51:02 2020 +0900

    fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

    syzbot is reporting general protection fault in bitfill_aligned() [1]
    caused by integer underflow in bit_clear_margins(). The cause of this
    problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.

    If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
    is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
    bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
    info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will
    try to overrun the __iomem region and causes general protection fault.

    Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception. Since cols and lines are calculated as

      cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
      rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
      cols /= vc->vc_font.width;
      rows /= vc->vc_font.height;
      vc_resize(vc, cols, rows);

    in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0
    and var.yres < vc->vc_font.height makes rows = 0. This means that

      const int fd = open("/dev/fb0", O_ACCMODE);
      struct fb_var_screeninfo var = { };
      ioctl(fd, FBIOGET_VSCREENINFO, &var);
      var.xres = var.yres = 1;
      ioctl(fd, FBIOPUT_VSCREENINFO, &var);

    easily reproduces integer underflow bug explained above.

    Of course, callers of vc_resize() are not handling vc_do_resize() failure
    is bad. But we can't avoid vc_resize(vc, 0, 0) which returns 0. Therefore,
    as a band-aid workaround, this patch checks integer underflow in
    "struct fbcon_ops"->clear_margins call, assuming that
    vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.heigh
    do not cause integer overflow.

    [1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Acked-by: Daniel Vetter
    Cc: stable
    Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/video/fbdev/core/bitblit.c   | 4 ++--
 drivers/video/fbdev/core/fbcon_ccw.c | 4 ++--
 drivers/video/fbdev/core/fbcon_cw.c  | 4 ++--
 drivers/video/fbdev/core/fbcon_ud.c  | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

culprit signature: 643fba3e33676e99932067beafb5e4d02b2d9255e83046327b31c2ca7af78f80
parent signature: 3082bb5fb1caf0b1de7f8653281b8369207893c53df874e819e266b0881a1c3e
revisions tested: 20, total time: 4h28m55.201842666s (build: 1h44m16.782775414s, test: 2h42m34.02937311s)
first good commit: 033724d6864245a11f8e04c066002e6ad22b3fd0 fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
recipients (to): ["daniel.vetter@ffwll.ch" "gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com"]
recipients (cc): []