bisecting fixing commit since 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7
building syzkaller on c88c7b75a4e022b758f4b0f1bf3db8ebb2fb25e6
testing commit 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7 with gcc (GCC) 8.1.0
kernel signature: 22f8e5df48f777f4dedcbe56f3d99ccb8f672a6020910dee1fa0befa131fb9d0
all runs: crashed: no output from test machine
testing current HEAD c9c9735c46f589b9877b7fc00c89ef1b61a31e18
testing commit c9c9735c46f589b9877b7fc00c89ef1b61a31e18 with gcc (GCC) 8.1.0
kernel signature: e9a24487cd6ae560f045155e39c6f49be0a39cfe260e65790e462cf31d693b0c
all runs: OK
# git bisect start c9c9735c46f589b9877b7fc00c89ef1b61a31e18 63623fd44972d1ed2bfb6e0fb631dfcf547fd1e7
Bisecting: 23667 revisions left to test after this (roughly 15 steps)
[ee01c4d72adffb7d424535adf630f2955748fa8b] Merge branch 'akpm' (patches from Andrew)
testing commit ee01c4d72adffb7d424535adf630f2955748fa8b with gcc (GCC) 8.1.0
kernel signature: 9f57c068ac80543c0c08bda2d2dea4e805bdb2ecccb451b9a95068c4b66dafe0
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in do_syscall_64
run #2: crashed: no output from test machine
run #3: crashed: no output from test machine
run #4: crashed: no output from test machine
run #5: crashed: no output from test machine
run #6: crashed: no output from test machine
run #7: crashed: no output from test machine
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good ee01c4d72adffb7d424535adf630f2955748fa8b
Bisecting: 11867 revisions left to test after this (roughly 14 steps)
[bd69058f50d5ffa659423bcfa6fe6280ce9c760a] net: ll_temac: Use devm_platform_ioremap_resource_byname()
testing commit bd69058f50d5ffa659423bcfa6fe6280ce9c760a with gcc (GCC) 8.1.0
kernel signature: e2839ad07c6e587cbd1042fad051216a8577daa32fe3194f08327cd3e7cfb45b
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __switch_to_asm
run #1: crashed: no output from test machine
run #2: crashed: no output from test machine
run #3: crashed: no output from test machine
run #4: crashed: no output from test machine
run #5: crashed: no output from test machine
run #6: crashed: no output from test machine
run #7: crashed: no output from test machine
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good bd69058f50d5ffa659423bcfa6fe6280ce9c760a
Bisecting: 5663 revisions left to test after this (roughly 13 steps)
[8186749621ed6b8fc42644c399e8c755a2b6f630] Merge tag 'drm-next-2020-08-06' of git://anongit.freedesktop.org/drm/drm
testing commit 8186749621ed6b8fc42644c399e8c755a2b6f630 with gcc (GCC) 8.1.0
kernel signature: 9fb37343d2c9101dae132c8858841fdb2e825d2bd871f2097c5dda71fe326040
all runs: OK
# git bisect bad 8186749621ed6b8fc42644c399e8c755a2b6f630
Bisecting: 3152 revisions left to test after this (roughly 12 steps)
[a754292348bf88ec6b55563eca4faba7dcfe2ae7] Merge tag 'printk-for-5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux
testing commit a754292348bf88ec6b55563eca4faba7dcfe2ae7 with gcc (GCC) 8.1.0
kernel signature: 95a0f7c5743cfbd437e4af58518fb60ec5a6cc1711a56227c001dc0ffc2697ca
all runs: OK
# git bisect bad a754292348bf88ec6b55563eca4faba7dcfe2ae7
Bisecting: 1530 revisions left to test after this (roughly 11 steps)
[92c59e126b21fd212195358a0d296e787e444087] Merge tag 'arm-defconfig-5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 92c59e126b21fd212195358a0d296e787e444087 with gcc (GCC) 8.1.0
kernel signature: 131906e63c6677be8f0175c58dd126e82045451cad369de6da870978fa9119d2
all runs: OK
# git bisect bad 92c59e126b21fd212195358a0d296e787e444087
Bisecting: 770 revisions left to test after this (roughly 10 steps)
[382625d0d4325fb14a29444eb8dce8dcc2eb9b51] Merge tag 'for-5.9/block-20200802' of git://git.kernel.dk/linux-block
testing commit 382625d0d4325fb14a29444eb8dce8dcc2eb9b51 with gcc (GCC) 8.1.0
kernel signature: 6e52d6c6f167e6f89f0c1ecf46accfc319d9a55759a36a2e4141aa66fa28b59b
all runs: OK
# git bisect bad 382625d0d4325fb14a29444eb8dce8dcc2eb9b51
Bisecting: 315 revisions left to test after this (roughly 9 steps)
[6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d] Merge tag 'for-5.9-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit 6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d with gcc (GCC) 8.1.0
kernel signature: 84d92e55eff8f575455f5d75f3c621e357af9a88cfcdd16ffed99c0a8b599346
all runs: OK
# git bisect bad 6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d
Bisecting: 236 revisions left to test after this (roughly 8 steps)
[5e548b32018d96c377fda4bdac2bf511a448ca67] btrfs: do not set the full sync flag on the inode during page release
testing commit 5e548b32018d96c377fda4bdac2bf511a448ca67 with gcc (GCC) 8.1.0
kernel signature: 389cf4fcaa840725b7629833bd1881ae9ef659c18d278f8b9799df90f8673fe2
all runs: OK
# git bisect bad 5e548b32018d96c377fda4bdac2bf511a448ca67
Bisecting: 97 revisions left to test after this (roughly 7 steps)
[1cb1f0b2486b0893a3ebf20c42f2df27649ae2b4] btrfs: tracepoints: fix qgroup reservation type printing
testing commit 1cb1f0b2486b0893a3ebf20c42f2df27649ae2b4 with gcc (GCC) 8.1.0
kernel signature: 39ee5d1320c957c960d562f4106b54225ff932ec42cef8b6e9b0ee91546f05f4
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect bad 1cb1f0b2486b0893a3ebf20c42f2df27649ae2b4
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[89d7da9bc592aa6a341d00f2d949615a89bb1eb7] btrfs: get mapping tree directly from fsinfo in find_first_block_group
testing commit 89d7da9bc592aa6a341d00f2d949615a89bb1eb7 with gcc (GCC) 8.1.0
kernel signature: 43a7d5472482e9eb89558831544e0e6e6d5e006b2bc05029e4081afd2f6e45ab
all runs: OK
# git bisect bad 89d7da9bc592aa6a341d00f2d949615a89bb1eb7
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[7f2e231c316591246284b10b008cadfc953f16d3] Merge tag 'driver-core-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core into master
testing commit 7f2e231c316591246284b10b008cadfc953f16d3 with gcc (GCC) 8.1.0
kernel signature: dd14902703d9a8ac25a17069ebdcec3e675cff983181b509de4dbab140d061d6
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect bad 7f2e231c316591246284b10b008cadfc953f16d3
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[5fdbe136ae19ab751daaa4d08d9a42f3e30d17f9] serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
testing commit 5fdbe136ae19ab751daaa4d08d9a42f3e30d17f9 with gcc (GCC) 8.1.0
kernel signature: 236fe76fbc0d4f76f8ab4a3a2a1f5dd68599e65c5d373f5d407566f873a585ce
all runs: OK
# git bisect bad 5fdbe136ae19ab751daaa4d08d9a42f3e30d17f9
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[707631ce639651e51bfed9e56326cde86f9e97b8] serial: tegra: drop bogus NULL tty-port checks
testing commit 707631ce639651e51bfed9e56326cde86f9e97b8 with gcc (GCC) 8.1.0
kernel signature: f54a6913aebe2606dcc51fb51a542e12eb3c955bc6e3de5de9c6f0e93e1ca4a1
all runs: crashed: no output from test machine
# git bisect good 707631ce639651e51bfed9e56326cde86f9e97b8
Bisecting: 1 revision left to test after this (roughly 1 step)
[551e553f0d4ab623e2a6f424ab5834f9c7b5229c] serial: 8250_mtk: Fix high-speed baud rates clamping
testing commit 551e553f0d4ab623e2a6f424ab5834f9c7b5229c with gcc (GCC) 8.1.0
kernel signature: 615ef67502c62f2cca8b5ff8004e3a92803eff9160511967eb6692a9cad439d9
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in __syscall_return_slowpath
run #1: crashed: no output from test machine
run #2: crashed: no output from test machine
run #3: crashed: no output from test machine
run #4: crashed: no output from test machine
run #5: crashed: no output from test machine
run #6: crashed: no output from test machine
run #7: crashed: no output from test machine
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good 551e553f0d4ab623e2a6f424ab5834f9c7b5229c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[033724d6864245a11f8e04c066002e6ad22b3fd0] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit 033724d6864245a11f8e04c066002e6ad22b3fd0 with gcc (GCC) 8.1.0
kernel signature: 25c48957853a93a100fbbde53d3f88069c71c15f247d03036a88a24a47902423
all runs: OK
# git bisect bad 033724d6864245a11f8e04c066002e6ad22b3fd0
033724d6864245a11f8e04c066002e6ad22b3fd0 is the first bad commit
commit 033724d6864245a11f8e04c066002e6ad22b3fd0
Author: Tetsuo Handa
Date:   Wed Jul 15 10:51:02 2020 +0900

    fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

    syzbot is reporting general protection fault in bitfill_aligned() [1]
    caused by integer underflow in bit_clear_margins(). The cause of this
    problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.

    If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
    is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
    bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
    info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will
    try to overrun the __iomem region and causes general protection fault.

    Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception. Since cols and lines are calculated as

      cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
      rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
      cols /= vc->vc_font.width;
      rows /= vc->vc_font.height;
      vc_resize(vc, cols, rows);

    in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0
    and var.yres < vc->vc_font.height makes rows = 0. This means that

      const int fd = open("/dev/fb0", O_ACCMODE);
      struct fb_var_screeninfo var = { };
      ioctl(fd, FBIOGET_VSCREENINFO, &var);
      var.xres = var.yres = 1;
      ioctl(fd, FBIOPUT_VSCREENINFO, &var);

    easily reproduces integer underflow bug explained above.

    Of course, that callers of vc_resize() are not handling vc_do_resize()
    failure is bad. But we can't avoid vc_resize(vc, 0, 0) which returns 0.
    Therefore, as a band-aid workaround, this patch checks integer underflow
    in "struct fbcon_ops"->clear_margins call, assuming that
    vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.height
    do not cause integer overflow.

    [1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Acked-by: Daniel Vetter
    Cc: stable
    Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/video/fbdev/core/bitblit.c   | 4 ++--
 drivers/video/fbdev/core/fbcon_ccw.c | 4 ++--
 drivers/video/fbdev/core/fbcon_cw.c  | 4 ++--
 drivers/video/fbdev/core/fbcon_ud.c  | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

culprit signature: 25c48957853a93a100fbbde53d3f88069c71c15f247d03036a88a24a47902423
parent signature: 615ef67502c62f2cca8b5ff8004e3a92803eff9160511967eb6692a9cad439d9
revisions tested: 17, total time: 4h3m39.361373817s (build: 1h23m36.101285956s, test: 2h38m12.536945311s)
first good commit: 033724d6864245a11f8e04c066002e6ad22b3fd0 fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
recipients (to): ["daniel.vetter@ffwll.ch" "gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com"]
recipients (cc): []
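The underflow the commit message describes, modelled in user space as an added example (this is not the kernel's bitblit code): margin_unchecked() is the pre-fix unsigned subtraction, margin_checked() the guarded form in the spirit of the fix, and struct fb_geom, right_margin_rect() and rect_in_bounds() are names invented for this example; the 80x25 console geometry is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model (added here, not kernel code) of the margin arithmetic in
 * fbcon's clear_margins path that the commit message above describes. */
struct fb_geom { unsigned int xres, yres, cols, rows, fw, fh; }; /* var.xres/yres, vc_cols/rows, font w/h */
struct rect { unsigned int x, y, w, h; };

/* Pre-fix: plain unsigned subtraction. With a stale vc_cols (failed or
 * zero-sized resize) the grid can be wider than the framebuffer and this wraps. */
unsigned int margin_unchecked(unsigned int res, unsigned int cells, unsigned int cell)
{
	return res - cells * cell;
}

/* Post-fix: no margin when the grid exceeds the framebuffer. Assumes
 * cells * cell does not itself overflow, as the commit does. */
unsigned int margin_checked(unsigned int res, unsigned int cells, unsigned int cell)
{
	unsigned int used = cells * cell;
	return used > res ? 0 : res - used;
}

/* Right-margin rectangle the bitblit path would fill; false = nothing to clear. */
bool right_margin_rect(const struct fb_geom *g, bool checked, struct rect *r)
{
	unsigned int rw = checked ? margin_checked(g->xres, g->cols, g->fw)
	                          : margin_unchecked(g->xres, g->cols, g->fw);
	if (rw == 0)
		return false;
	r->x = g->cols * g->fw; r->y = 0; r->w = rw; r->h = g->yres;
	return true;
}

/* True when the fill stays inside the xres x yres framebuffer (no __iomem overrun). */
bool rect_in_bounds(const struct fb_geom *g, const struct rect *r)
{
	return r->x <= g->xres && r->w <= g->xres - r->x &&
	       r->y <= g->yres && r->h <= g->yres - r->y;
}

int main(void)
{
	/* Constructed: 80x25 console, 8x16 font, after var.xres = var.yres = 1. */
	struct fb_geom shrunk = { 1, 1, 80, 25, 8, 16 };
	struct rect r;
	if (right_margin_rect(&shrunk, false, &r))
		printf("unchecked: x=%u w=%u in_bounds=%d\n", r.x, r.w, rect_in_bounds(&shrunk, &r));
	printf("checked: clear needed=%d\n", right_margin_rect(&shrunk, true, &r));
	return 0;
}
```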