bisecting fixing commit since 312017a460d5ea31d646e7148e400e13db799ddc
building syzkaller on 0ae38e44894e5a52fe35a56b1d2ad18477cc6b59
testing commit 312017a460d5ea31d646e7148e400e13db799ddc with gcc (GCC) 8.1.0
kernel signature: 270621637ac977d6191c7eb04d5d56675cb5bb86f2b4e04d229d5674673e9507
all runs: crashed: BUG: unable to handle kernel paging request in insert_char
testing current HEAD c14d30dc9987047b439b03d6e6db7d54d9f7f180
testing commit c14d30dc9987047b439b03d6e6db7d54d9f7f180 with gcc (GCC) 8.1.0
kernel signature: 63962108fc4b23ed7bd5dbb6c585a442ff3cd127b3f075a0b1b5d66ea0fd9576
all runs: OK
# git bisect start c14d30dc9987047b439b03d6e6db7d54d9f7f180 312017a460d5ea31d646e7148e400e13db799ddc
Bisecting: 2427 revisions left to test after this (roughly 11 steps)
[7bc2d23c3ab92645a01dd7f8b72feb0049b664b3] sysrq: Remove duplicated sysrq message
testing commit 7bc2d23c3ab92645a01dd7f8b72feb0049b664b3 with gcc (GCC) 8.1.0
kernel signature: f6f6d95c6d38cf344299b9aec5c4bfab730605f24dab09f000a19f302d32c0d0
all runs: crashed: BUG: unable to handle kernel paging request in insert_char
# git bisect good 7bc2d23c3ab92645a01dd7f8b72feb0049b664b3
Bisecting: 1213 revisions left to test after this (roughly 10 steps)
[fb12b3e643fd5f2474b9ccbff8310716975770c9] net: bcmgenet: code movement
testing commit fb12b3e643fd5f2474b9ccbff8310716975770c9 with gcc (GCC) 8.1.0
kernel signature: 4047b91e09cf05573b33d73164fa1d888ab67975575eaa67044e23d4dcdcc7e9
all runs: crashed: BUG: unable to handle kernel paging request in insert_char
# git bisect good fb12b3e643fd5f2474b9ccbff8310716975770c9
Bisecting: 606 revisions left to test after this (roughly 9 steps)
[e5b20d0b14517d43cc1606590ce4d8ff15e148f6] drm: encoder_slave: fix refcouting error for modules
testing commit e5b20d0b14517d43cc1606590ce4d8ff15e148f6 with gcc (GCC) 8.1.0
kernel signature: f22e1bf2e503402bd3d6e0f893aa3af5ebd66bb695c8799a545f1442d7d1d632
all runs: crashed: BUG: unable to handle kernel paging request in insert_char
# git bisect good e5b20d0b14517d43cc1606590ce4d8ff15e148f6
Bisecting: 303 revisions left to test after this (roughly 8 steps)
[6772d3299cf52d003c6e411de1d839bdb803a2a5] net: sfp: add support for module quirks
testing commit 6772d3299cf52d003c6e411de1d839bdb803a2a5 with gcc (GCC) 8.1.0
kernel signature: d9948428d346c1096d5f2622e2056eed11a337b64142fa4aec9317eb1271a731
all runs: crashed: BUG: unable to handle kernel paging request in insert_char
# git bisect good 6772d3299cf52d003c6e411de1d839bdb803a2a5
Bisecting: 151 revisions left to test after this (roughly 7 steps)
[fffb773c4d93f1415a46192057a8c940917606e4] usb: xhci: Fix ASM2142/ASM3142 DMA addressing
testing commit fffb773c4d93f1415a46192057a8c940917606e4 with gcc (GCC) 8.1.0
kernel signature: ffdc67d1c821917aa5ce11dc805f147fe8a6460eb3b3b23bb61f7eea95afe186
all runs: crashed: BUG: unable to handle kernel paging request in insert_char
# git bisect good fffb773c4d93f1415a46192057a8c940917606e4
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[5858ad8d6af5bdb01c3766febf3d360aa21bdf25] ibmvnic: Fix IRQ mapping disposal in error path
testing commit 5858ad8d6af5bdb01c3766febf3d360aa21bdf25 with gcc (GCC) 8.1.0
kernel signature: 27c5a4d4606eb139888e1d07e3ca49811ff7bd234927c774681e7d18317a5931
all runs: OK
# git bisect bad 5858ad8d6af5bdb01c3766febf3d360aa21bdf25
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[f971676781e347c429db89afa46dca8a3d3a40ab] sctp: shrink stream outq when fails to do addstream reconf
testing commit f971676781e347c429db89afa46dca8a3d3a40ab with gcc (GCC) 8.1.0
kernel signature: 46d19ecfea570bfead3a3c8d8745e3a7d2cdd52351b7dbc50eef68b5b18b19a9
all runs: OK
# git bisect bad f971676781e347c429db89afa46dca8a3d3a40ab
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[159bcd5488602e893a6f0130140885457485afee] x86, vmlinux.lds: Page-align end of ..page_aligned sections
testing commit 159bcd5488602e893a6f0130140885457485afee with gcc (GCC) 8.1.0
kernel signature: a21dbaa5c82da6bba7b7461247c367e9a15b3854b7b08bb792d6938d105f85e3
all runs: OK
# git bisect bad 159bcd5488602e893a6f0130140885457485afee
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[dd58bd1b95b7127bb975942e14c4a9bd878c28db] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit dd58bd1b95b7127bb975942e14c4a9bd878c28db with gcc (GCC) 8.1.0
kernel signature: d3e5efbe5b8f37da81b75045c5ed058e4395cfa2610b1c6f7a7af90a184495c2
all runs: crashed: BUG: unable to handle kernel paging request in insert_char
# git bisect good dd58bd1b95b7127bb975942e14c4a9bd878c28db
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[d87ddcdb2daab79085efe71a8f547aebb5ca9b05] mm: memcg/slab: fix memory leak at non-root kmem_cache destroy
testing commit d87ddcdb2daab79085efe71a8f547aebb5ca9b05 with gcc (GCC) 8.1.0
kernel signature: 7c85c2d35f970dbe41bf564ac1dd8459ef90ecb2d73aa8c24ebdcc8a48bfb1a1
all runs: OK
# git bisect bad d87ddcdb2daab79085efe71a8f547aebb5ca9b05
Bisecting: 2 revisions left to test after this (roughly 1 step)
[69c122751164c3c343eea205fd5c3e1d5132f967] Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation
testing commit 69c122751164c3c343eea205fd5c3e1d5132f967 with gcc (GCC) 8.1.0
kernel signature: 40057ca32b42c6b0c0174e95b290cf233cd7a72ccc31b722181cb5a5a37ec016
all runs: OK
# git bisect bad 69c122751164c3c343eea205fd5c3e1d5132f967
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[74752b81eae8ae64e97de222320026367e92c4b5] vt: Reject zero-sized screen buffer size.
testing commit 74752b81eae8ae64e97de222320026367e92c4b5 with gcc (GCC) 8.1.0
kernel signature: f2e7748aebce42193aa0cfd9b7f0d7460d48f5314208cce19f897795ffd6e3c2
all runs: OK
# git bisect bad 74752b81eae8ae64e97de222320026367e92c4b5
74752b81eae8ae64e97de222320026367e92c4b5 is the first bad commit
commit 74752b81eae8ae64e97de222320026367e92c4b5
Author: Tetsuo Handa
Date:   Sun Jul 12 20:10:12 2020 +0900

    vt: Reject zero-sized screen buffer size.

    commit ce684552a266cb1c7cc2f7e623f38567adec6653 upstream.

    syzbot is reporting general protection fault in do_con_write() [1] caused by
    vc->vc_screenbuf == ZERO_SIZE_PTR caused by vc->vc_screenbuf_size == 0
    caused by vc->vc_cols == vc->vc_rows == vc->vc_size_row == 0 caused by
    fb_set_var() from ioctl(FBIOPUT_VSCREENINFO) on /dev/fb0 , for gotoxy(vc, 0, 0)
    from reset_terminal() from vc_init() from vc_allocate() from con_install()
    from tty_init_dev() from tty_open() on such console causes
    vc->vc_pos == 0x10000000e due to ((unsigned long) ZERO_SIZE_PTR) + -1U * 0 + (-1U << 1).

    I don't think that a console with 0 column or 0 row makes sense. And it seems
    that vc_do_resize() does not intend to allow resizing a console to 0 column
    or 0 row due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception.

    Theoretically, cols and rows can be any range as long as
    0 < cols * rows * 2 <= KMALLOC_MAX_SIZE is satisfied (e.g. cols == 1048576
    && rows == 2 is possible) because of

      vc->vc_size_row = vc->vc_cols << 1;
      vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;

    in visual_init() and

      kzalloc(vc->vc_screenbuf_size)

    in vc_allocate(). Since we can detect cols == 0 or rows == 0 via
    screenbuf_size = 0 in visual_init(), we can reject kzalloc(0). Then,
    vc_allocate() will return an error, and con_write() will not be called
    on a console with 0 column or 0 row.

    We need to make sure that integer overflow in visual_init() won't happen.
    Since vc_do_resize() restricts cols <= 32767 and rows <= 32767, applying
    1 <= cols <= 32767 and 1 <= rows <= 32767 restrictions to vc_allocate()
    will be practically fine.

    This patch does not touch con_init(), for returning -EINVAL there
    does not help when we are not returning -ENOMEM.

    [1] https://syzkaller.appspot.com/bug?extid=017265e8553724e514e8

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Cc: stable
    Link: https://lore.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

culprit signature: f2e7748aebce42193aa0cfd9b7f0d7460d48f5314208cce19f897795ffd6e3c2
parent signature: d3e5efbe5b8f37da81b75045c5ed058e4395cfa2610b1c6f7a7af90a184495c2
revisions tested: 14, total time: 3h49m37.007764161s (build: 2h13m54.40817461s, test: 1h33m30.866277009s)
first good commit: 74752b81eae8ae64e97de222320026367e92c4b5 vt: Reject zero-sized screen buffer size.
recipients (to): ["gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+017265e8553724e514e8@syzkaller.appspotmail.com"]
recipients (cc): []