bisecting cause commit starting from 7fc5253f5a13271e9df35d6b936ff97b74540a59
building syzkaller on b838eb76eef06deea9b4ec66dd328e77ca00eb0f
testing commit 7fc5253f5a13271e9df35d6b936ff97b74540a59
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9e943be2c7b6e534189720f85c2e2bd7b0dfdc27c7b7446a6805461eede19828
run #0: crashed: BUG: unable to handle kernel paging request in imageblit
run #1: crashed: BUG: unable to handle kernel paging request in imageblit
run #2: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #3: crashed: BUG: unable to handle kernel paging request in imageblit
run #4: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #5: crashed: BUG: unable to handle kernel paging request in imageblit
run #6: crashed: BUG: unable to handle kernel paging request in imageblit
run #7: crashed: BUG: unable to handle kernel paging request in imageblit
run #8: crashed: BUG: unable to handle kernel paging request in imageblit
run #9: crashed: BUG: unable to handle kernel paging request in imageblit
run #10: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #11: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #12: crashed: BUG: unable to handle kernel paging request in imageblit
run #13: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #14: crashed: BUG: unable to handle kernel paging request in imageblit
run #15: crashed: KASAN: vmalloc-out-of-bounds Write in imageblit
run #16: crashed: BUG: unable to handle kernel paging request in imageblit
run #17: crashed: BUG: unable to handle kernel paging request in imageblit
run #18: crashed: BUG: unable to handle kernel paging request in imageblit
run #19: crashed: BUG: unable to handle kernel paging request in imageblit
testing release v5.16
testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: dc2a2c7d575af44d915bbe3a8000120d7313cb9a4124c4d908262a6689b355f0
all runs: OK
# git bisect start 7fc5253f5a13271e9df35d6b936ff97b74540a59 df0cc57e057f18e44dac8e6c18aba47ab53202f9
Bisecting: 6347 revisions left to test after this (roughly 13 steps)
[11fc88c2e49ba8e3ca827dc9bdd7b7216be30a36] Merge tag 'xfs-5.17-merge-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

testing commit 11fc88c2e49ba8e3ca827dc9bdd7b7216be30a36
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e3f08a4577cf0a474a432c08473a05793d1a45074659b0cd5f19cd8423cbf53e
all runs: OK
# git bisect good 11fc88c2e49ba8e3ca827dc9bdd7b7216be30a36
Bisecting: 3040 revisions left to test after this (roughly 12 steps)
[3bad80dab94a16c9b7991105e3bffd5fe5957e9a] Merge tag 'char-misc-5.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

testing commit 3bad80dab94a16c9b7991105e3bffd5fe5957e9a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3b87dd87b72c90bac248c401cbc0af348b009e52e4a6705a8cfd4abafa03deb8
all runs: OK
# git bisect good 3bad80dab94a16c9b7991105e3bffd5fe5957e9a
Bisecting: 1540 revisions left to test after this (roughly 11 steps)
[fd6f57bfda7c36f2d465cee39d5d8c623db5d7aa] Merge tag 'kbuild-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild

testing commit fd6f57bfda7c36f2d465cee39d5d8c623db5d7aa
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 50609b362b59b5d08a6caf1fe4020c0fab8559e071f38cf173b7696671ea52b0
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #2: crashed: KASAN: vmalloc-out-of-bounds Write in imageblit
run #3: crashed: BUG: unable to handle kernel paging request in imageblit
run #4: crashed: KASAN: vmalloc-out-of-bounds Write in imageblit
run #5: crashed: BUG: unable to handle kernel paging request in imageblit
run #6: crashed: BUG: unable to handle kernel paging request in imageblit
run #7: crashed: BUG: unable to handle kernel paging request in imageblit
run #8: crashed: KASAN: vmalloc-out-of-bounds Write in imageblit
run #9: crashed: BUG: unable to handle kernel paging request in imageblit
# git bisect bad fd6f57bfda7c36f2d465cee39d5d8c623db5d7aa
Bisecting: 628 revisions left to test after this (roughly 10 steps)
[79e06c4c4950be2abd8ca5d2428a8c915aa62c24] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

testing commit 79e06c4c4950be2abd8ca5d2428a8c915aa62c24
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 42fd1f69e194ca5471c799c1a15d361fb0152f809e1683a7eeb10bebd0ef121c
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: crashed: BUG: unable to handle kernel paging request in imageblit
run #2: crashed: BUG: unable to handle kernel paging request in imageblit
run #3: crashed: BUG: unable to handle kernel paging request in imageblit
run #4: crashed: BUG: unable to handle kernel paging request in imageblit
run #5: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #6: crashed: KASAN: vmalloc-out-of-bounds Write in imageblit
run #7: crashed: BUG: unable to handle kernel paging request in imageblit
run #8: crashed: KASAN: vmalloc-out-of-bounds Write in imageblit
run #9: crashed: BUG: unable to handle kernel paging request in imageblit
# git bisect bad 79e06c4c4950be2abd8ca5d2428a8c915aa62c24
Bisecting: 354 revisions left to test after this (roughly 9 steps)
[d0a231f01e5b25bacd23e6edc7c979a18a517b2b] Merge tag 'pci-v5.17-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

testing commit d0a231f01e5b25bacd23e6edc7c979a18a517b2b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1a8f6ba75b9c69efe8755263f715ab4c64b5ce7ee57a67f3a9c9662adb8d0a2e
run #0: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #1: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #2: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #3: crashed: BUG: unable to handle kernel paging request in imageblit
run #4: crashed: BUG: unable to handle kernel paging request in imageblit
run #5: crashed: BUG: unable to handle kernel paging request in imageblit
run #6: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #7: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #8: crashed: BUG: unable to handle kernel paging request in imageblit
run #9: crashed: BUG: unable to handle kernel paging request in imageblit
# git bisect bad d0a231f01e5b25bacd23e6edc7c979a18a517b2b
Bisecting: 251 revisions left to test after this (roughly 8 steps)
[59d41458f143b7a20997b1e78b5c15d9d3e998c3] Merge tag 'drm-next-2022-01-14' of git://anongit.freedesktop.org/drm/drm

testing commit 59d41458f143b7a20997b1e78b5c15d9d3e998c3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d66acaeb02ab734ef12d409ddda6fc69885bc9f3d2ce6e4e0801942d0d1a68bb
run #0: crashed: BUG: unable to handle kernel paging request in imageblit
run #1: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #2: crashed: BUG: unable to handle kernel paging request in imageblit
run #3: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #4: crashed: BUG: unable to handle kernel paging request in imageblit
run #5: crashed: BUG: unable to handle kernel paging request in imageblit
run #6: crashed: BUG: unable to handle kernel paging request in imageblit
run #7: crashed: BUG: unable to handle kernel paging request in imageblit
run #8: crashed: BUG: unable to handle kernel paging request in imageblit
run #9: crashed: BUG: unable to handle kernel paging request in imageblit
# git bisect bad 59d41458f143b7a20997b1e78b5c15d9d3e998c3
Bisecting: 131 revisions left to test after this (roughly 7 steps)
[4492bf452af532493b6591d2e090a0f8f7c11674] Docs/admin-guide/mm/damon/usage: mention tracepoint at the beginning

testing commit 4492bf452af532493b6591d2e090a0f8f7c11674
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3f34bdceb89dbf84259e733899eba29cdf9fa2ba5114b23f8beaf9359787eabf
all runs: OK
# git bisect good 4492bf452af532493b6591d2e090a0f8f7c11674
Bisecting: 71 revisions left to test after this (roughly 6 steps)
[a33f5c380c4bd3fa5278d690421b72052456d9fe] Merge tag 'xfs-5.17-merge-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

testing commit a33f5c380c4bd3fa5278d690421b72052456d9fe
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0358f54d13fc98a8504182fb2b1c9a001455acacee2d2ba447a50c736721d318
all runs: OK
# git bisect good a33f5c380c4bd3fa5278d690421b72052456d9fe
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[5eb877b282fecc8b8a6ac6d4ce0d5057f9d3bad0] drm/amdkfd: Fix ASIC name typos

testing commit 5eb877b282fecc8b8a6ac6d4ce0d5057f9d3bad0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f21a06634d99512e39689c9aac2a17351f8ce64dbaefa52f12069c85dc90f98b
all runs: OK
# git bisect good 5eb877b282fecc8b8a6ac6d4ce0d5057f9d3bad0
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[820e690e4eb88eaee68bf0b2d89fa9597bc00a45] Merge tag 'drm-misc-next-fixes-2022-01-14' of git://anongit.freedesktop.org/drm/drm-misc into drm-next

testing commit 820e690e4eb88eaee68bf0b2d89fa9597bc00a45
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d816504b3952fe234ed8026c32a132962e7eab8250b1930e7e5c5e63ef2b5b1f
run #0: crashed: BUG: unable to handle kernel paging request in imageblit
run #1: crashed: BUG: unable to handle kernel paging request in imageblit
run #2: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #3: crashed: BUG: unable to handle kernel paging request in imageblit
run #4: crashed: BUG: unable to handle kernel paging request in imageblit
run #5: crashed: BUG: unable to handle kernel paging request in imageblit
run #6: crashed: KASAN: vmalloc-out-of-bounds Write in imageblit
run #7: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #8: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #9: crashed: BUG: unable to handle kernel paging request in imageblit
# git bisect bad 820e690e4eb88eaee68bf0b2d89fa9597bc00a45
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[ad783ff5a20f851c6d9bca03d12d44f98f494af7] Merge tag 'drm-misc-next-fixes-2022-01-13' of git://anongit.freedesktop.org/drm/drm-misc into drm-next

testing commit ad783ff5a20f851c6d9bca03d12d44f98f494af7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 10fca52643f890d1c0b532f02795dda9e4fcddfb72f25c4c9c40df3941665c68
all runs: OK
# git bisect good ad783ff5a20f851c6d9bca03d12d44f98f494af7
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[54329e6f7beea6af56c1230da293acc97d6a6ee7] dma-buf: cma_heap: Fix mutex locking section

testing commit 54329e6f7beea6af56c1230da293acc97d6a6ee7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1ea3b9bbb04f770dd000cb2e898be7ba8462388d22d0c123050476f8f4f145df
run #0: crashed: BUG: unable to handle kernel paging request in imageblit
run #1: crashed: BUG: unable to handle kernel paging request in imageblit
run #2: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #3: crashed: BUG: unable to handle kernel paging request in imageblit
run #4: crashed: BUG: unable to handle kernel paging request in imageblit
run #5: crashed: BUG: unable to handle kernel paging request in imageblit
run #6: crashed: BUG: unable to handle kernel paging request in imageblit
run #7: crashed: BUG: unable to handle kernel paging request in imageblit
run #8: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #9: crashed: BUG: unable to handle kernel paging request in imageblit
# git bisect bad 54329e6f7beea6af56c1230da293acc97d6a6ee7
Bisecting: 2 revisions left to test after this (roughly 1 step)
[22bf4047d26980807611b7e2030803db375afd87] dt-bindings: display: meson-dw-hdmi: add missing sound-name-prefix property

testing commit 22bf4047d26980807611b7e2030803db375afd87
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4a45711b1ed694e1bc1f24e74323fc602fe32b01610c2227afb6f93f8ee94446
all runs: OK
# git bisect good 22bf4047d26980807611b7e2030803db375afd87
Bisecting: 0 revisions left to test after this (roughly 1 step)
[0499f419b76f94ede08304aad5851144813ac55c] video: vga16fb: Only probe for EGA and VGA 16 color graphic cards

testing commit 0499f419b76f94ede08304aad5851144813ac55c
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 220f6474eabc8414e1055f59dbb66ccf240d5271d43c07a85ff834186d79f683
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe
run #1: crashed: KASAN: vmalloc-out-of-bounds Write in imageblit
run #2: crashed: BUG: unable to handle kernel paging request in imageblit
run #3: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #4: crashed: KASAN: stack-out-of-bounds Write in imageblit
run #5: crashed: BUG: unable to handle kernel paging request in imageblit
run #6: crashed: BUG: unable to handle kernel paging request in imageblit
run #7: crashed: BUG: unable to handle kernel paging request in imageblit
run #8: crashed: BUG: unable to handle kernel paging request in imageblit
run #9: crashed: KASAN: stack-out-of-bounds Write in imageblit
# git bisect bad 0499f419b76f94ede08304aad5851144813ac55c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c71af3dae3e34d2fde0c19623cf7f8483321f0e3] drm/sun4i: dw-hdmi: Fix missing put_device() call in sun8i_hdmi_phy_get

testing commit c71af3dae3e34d2fde0c19623cf7f8483321f0e3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4a45711b1ed694e1bc1f24e74323fc602fe32b01610c2227afb6f93f8ee94446
all runs: OK
# git bisect good c71af3dae3e34d2fde0c19623cf7f8483321f0e3
0499f419b76f94ede08304aad5851144813ac55c is the first bad commit
commit 0499f419b76f94ede08304aad5851144813ac55c
Author: Javier Martinez Canillas <javierm@redhat.com>
Date:   Mon Jan 10 10:56:25 2022 +0100

    video: vga16fb: Only probe for EGA and VGA 16 color graphic cards
    
    The vga16fb framebuffer driver only supports Enhanced Graphics Adapter
    (EGA) and Video Graphics Array (VGA) 16 color graphic cards.
    
    But it doesn't check if the adapter is one of those or if a VGA16 mode
    is used. This means that the driver will be probed even if a VESA BIOS
    Extensions (VBE) or Graphics Output Protocol (GOP) interface is used.
    
    This issue has been present for a long time but it was only exposed by
    commit d391c5827107 ("drivers/firmware: move x86 Generic System
    Framebuffers support") since the platform device registration to match
    the {vesa,efi}fb drivers is done later as a consequence of that change.
    
    All non-x86 architectures though treat orig_video_isVGA as a boolean so
    only do the supported video mode check for x86 and not for other arches.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=215001
    Fixes: d391c5827107 ("drivers/firmware: move x86 Generic System Framebuffers support")
    Reported-by: Kris Karas <bugs-a21@moonlit-rail.com>
    Cc: <stable@vger.kernel.org> # 5.15.x
    Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
    Tested-by: Kris Karas <bugs-a21@moonlit-rail.com>
    Acked-by: Maxime Ripard <maxime@cerno.tech>
    Link: https://patchwork.freedesktop.org/patch/msgid/20220110095625.278836-3-javierm@redhat.com

 drivers/video/fbdev/vga16fb.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

culprit signature: 220f6474eabc8414e1055f59dbb66ccf240d5271d43c07a85ff834186d79f683
parent  signature: 4a45711b1ed694e1bc1f24e74323fc602fe32b01610c2227afb6f93f8ee94446
revisions tested: 17, total time: 2h50m10.37257812s (build: 2h0m1.706784003s, test: 48m29.503210357s)
first bad commit: 0499f419b76f94ede08304aad5851144813ac55c video: vga16fb: Only probe for EGA and VGA 16 color graphic cards
recipients (to): ["bugs-a21@moonlit-rail.com" "javierm@redhat.com" "maxime@cerno.tech"]
recipients (cc): []
crash: KASAN: stack-out-of-bounds Write in imageblit
==================================================================
BUG: KASAN: stack-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
BUG: KASAN: stack-out-of-bounds in sys_imageblit+0x1182/0x1390 drivers/video/fbdev/core/sysimgblt.c:275
Write of size 4 at addr ffffc90004787d38 by task syz-executor699/4051

CPU: 1 PID: 4051 Comm: syz-executor699 Not tainted 5.16.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
 sys_imageblit+0x1182/0x1390 drivers/video/fbdev/core/sysimgblt.c:275
 drm_fb_helper_sys_imageblit drivers/gpu/drm/drm_fb_helper.c:794 [inline]
 drm_fbdev_fb_imageblit+0x131/0x320 drivers/gpu/drm/drm_fb_helper.c:2288
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:124 [inline]
 bit_putcs+0x647/0xc20 drivers/video/fbdev/core/bitblit.c:173
 fbcon_putcs+0x310/0x500 drivers/video/fbdev/core/fbcon.c:1277
 do_update_region+0x2dc/0x5b0 drivers/tty/vt/vt.c:676
 invert_screen+0x177/0x520 drivers/tty/vt/vt.c:800
 highlight drivers/tty/vt/selection.c:57 [inline]
 clear_selection drivers/tty/vt/selection.c:84 [inline]
 clear_selection+0x3f/0x50 drivers/tty/vt/selection.c:80
 vc_do_resize+0xc0f/0xf50 drivers/tty/vt/vt.c:1257
 fbcon_do_set_font+0x3b1/0x8a0 drivers/video/fbdev/core/fbcon.c:1928
 con_font_set drivers/tty/vt/vt.c:4666 [inline]
 con_font_op+0x5d7/0xac0 drivers/tty/vt/vt.c:4710
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
 vt_ioctl+0x169f/0x2120 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0x478/0x12d0 drivers/tty/tty_io.c:2805
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x11f/0x190 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f8e86e07339
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc4740d3b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8e86e07339
RDX: 0000000020000000 RSI: 0000000000004b72 RDI: 0000000000000004
RBP: 00007f8e86dcb120 R08: 000000000000000d R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8e86dcb1b0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>


Memory state around the buggy address:
 ffffc90004787c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004787c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90004787d00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00
                                        ^
 ffffc90004787d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90004787e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================