bisecting fixing commit since 76bb8b05960c3d1668e6bee7624ed886cbd135ba
building syzkaller on ae13a849e613cd929bbcf98bec83e1bdb30a62b1
testing commit 76bb8b05960c3d1668e6bee7624ed886cbd135ba with gcc (GCC) 8.1.0
kernel signature: f2fda8dcc05750daec35584da9185b8237f1ef5af87c176a59e6a8d9c277c6de
run #0: crashed: divide error in fbcon_switch
run #1: crashed: divide error in fbcon_switch
run #2: crashed: divide error in fbcon_switch
run #3: crashed: divide error in fbcon_switch
run #4: crashed: divide error in fbcon_switch
run #5: crashed: divide error in fbcon_switch
run #6: crashed: divide error in fbcon_switch
run #7: crashed: divide error in fbcon_switch
run #8: crashed: divide error in fbcon_switch
run #9: basic kernel testing failed: failed to copy test binary to VM: timedout ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/syzkaller/jobs/linux/workdir/repro.prog" "root@10.128.10.50:./repro.prog"]
Warning: Permanently added '10.128.10.50' (ECDSA) to the list of known hosts.

testing current HEAD 92ed301919932f777713b9172e525674157e983d
testing commit 92ed301919932f777713b9172e525674157e983d with gcc (GCC) 8.1.0
kernel signature: 7cede6e81151250d66746a8afeb8c933199e6d4b35803ba04943eec6a40d2c08
all runs: OK
# git bisect start 92ed301919932f777713b9172e525674157e983d 76bb8b05960c3d1668e6bee7624ed886cbd135ba
Bisecting: 25002 revisions left to test after this (roughly 15 steps)
[f365ab31efacb70bed1e821f7435626e0b2528a6] Merge tag 'drm-next-2020-04-01' of git://anongit.freedesktop.org/drm/drm
testing commit f365ab31efacb70bed1e821f7435626e0b2528a6 with gcc (GCC) 8.1.0
kernel signature: 39043933b7921f358ac66f2259f548bdfb81dfd5692cb58b18e662f5be897ca4
all runs: crashed: divide error in fbcon_switch
# git bisect good f365ab31efacb70bed1e821f7435626e0b2528a6
Bisecting: 12941 revisions left to test after this (roughly 14 steps)
[2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63] Merge branch 'uaccess.comedi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 with gcc (GCC) 8.1.0
kernel signature: 5a0a21eaf7dc77d42b4f286a1b331df6d0c249b0e9340912885c0f20346797c1
all runs: crashed: divide error in fbcon_switch
# git bisect good 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63
Bisecting: 6498 revisions left to test after this (roughly 13 steps)
[b25c6644bfd3affd7d0127ce95c5c96c155a7515] Merge tag 'for-5.8/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
testing commit b25c6644bfd3affd7d0127ce95c5c96c155a7515 with gcc (GCC) 8.1.0
kernel signature: 4ac469fd33b94eb002fc70d7bc57b13497b47ca397201bee06a2e02192894cd9
all runs: crashed: divide error in fbcon_switch
# git bisect good b25c6644bfd3affd7d0127ce95c5c96c155a7515
Bisecting: 3249 revisions left to test after this (roughly 12 steps)
[931b94145981e411bd2c934657649347ba8a9083] x86/entry: Provide helpers for executing on the irqstack
testing commit 931b94145981e411bd2c934657649347ba8a9083 with gcc (GCC) 8.1.0
kernel signature: 3e881eb4c5f5141512fa9e0e423a4b23b11947a374c49ecdf24402b42f975d75
all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
# git bisect skip 931b94145981e411bd2c934657649347ba8a9083
Bisecting: 3248 revisions left to test after this (roughly 12 steps)
[1f44328ea24c9de368a3cfe5cc0e110b949afb2e] compiler_types.h, kasan: Use __SANITIZE_ADDRESS__ instead of CONFIG_KASAN to decide inlining
testing commit 1f44328ea24c9de368a3cfe5cc0e110b949afb2e with gcc (GCC) 8.1.0
kernel signature: a59c81972882cddd2057de619e49ac38bce658ebede77517771dde6919dd2897
all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
# git bisect skip 1f44328ea24c9de368a3cfe5cc0e110b949afb2e
Bisecting: 3248 revisions left to test after this (roughly 12 steps)
[4e1d96306d8b8790bc157afa233dc2a2be86ccf5] Merge tag 'iio-for-5.8a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next
testing commit 4e1d96306d8b8790bc157afa233dc2a2be86ccf5 with gcc (GCC) 8.1.0
kernel signature: 332f1d745a0ef02e1ede02a6a1ce87e1cddb64e73e88b4e6a299778cc3c480b9
all runs: crashed: divide error in fbcon_switch
# git bisect good 4e1d96306d8b8790bc157afa233dc2a2be86ccf5
Bisecting: 3112 revisions left to test after this (roughly 12 steps)
[a58dfea29731a93339529ce48fe239b383011c7c] Merge tag 'block-5.8-2020-06-11' of git://git.kernel.dk/linux-block
testing commit a58dfea29731a93339529ce48fe239b383011c7c with gcc (GCC) 8.1.0
kernel signature: 159616c054ee385f1b1708378602629cb5fd0029b778d9f82bb00b23aea767da
all runs: basic kernel testing failed: BUG: using smp_processor_id() in preemptible code in ext4_mb_new_blocks
# git bisect skip a58dfea29731a93339529ce48fe239b383011c7c
Bisecting: 3112 revisions left to test after this (roughly 12 steps)
[8982ae527fbef170ef298650c15d55a9ccd33973] mm/slab: use memzero_explicit() in kzfree()
testing commit 8982ae527fbef170ef298650c15d55a9ccd33973 with gcc (GCC) 8.1.0
kernel signature: 913017c4b519c2796fce78ca72cf764ae5adbe579b296f3b9603a81e70d39acd
all runs: crashed: kernel panic: Fatal exception
# git bisect good 8982ae527fbef170ef298650c15d55a9ccd33973
Bisecting: 909 revisions left to test after this (roughly 10 steps)
[f4c8824cbcc64524905f83388eb1139747829756] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
testing commit f4c8824cbcc64524905f83388eb1139747829756 with gcc (GCC) 8.1.0
kernel signature: 376bfd985329b64f0c324985b7958da17052d6d22f9181dae14f0c5e3b44bb3f
all runs: crashed: kernel panic: Fatal exception
# git bisect good f4c8824cbcc64524905f83388eb1139747829756
Bisecting: 451 revisions left to test after this (roughly 9 steps)
[a570f4198906a88b959ddcc56ddabc634397e810] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux into master
testing commit a570f4198906a88b959ddcc56ddabc634397e810 with gcc (GCC) 8.1.0
kernel signature: 6ee5d7d50d504cb6d49f77b0400739f07bd33a854996e0d79207dd862559895c
all runs: crashed: kernel panic: Fatal exception
# git bisect good a570f4198906a88b959ddcc56ddabc634397e810
Bisecting: 223 revisions left to test after this (roughly 8 steps)
[0669704270e142483d80cfda5c526426c1a89711] Merge tag 'for-5.8-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into master
testing commit 0669704270e142483d80cfda5c526426c1a89711 with gcc (GCC) 8.1.0
kernel signature: 9973005bcd909ce857497fdf88e955139c4849d7d846a1d9f9c5092c14a165af
all runs: crashed: kernel panic: Fatal exception
# git bisect good 0669704270e142483d80cfda5c526426c1a89711
Bisecting: 111 revisions left to test after this (roughly 7 steps)
[c75d1d5248c0c97996051809ad0e9f154ba5d76e] bonding: check return value of register_netdevice() in bond_newlink()
testing commit c75d1d5248c0c97996051809ad0e9f154ba5d76e with gcc (GCC) 8.1.0
kernel signature: c6b86488cf1fbd7d40126c38af4b60b342c15f6c74205384890fca04f33ea816
all runs: crashed: kernel panic: Fatal exception
# git bisect good c75d1d5248c0c97996051809ad0e9f154ba5d76e
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[78b1afe22d51996c1916a332d43b853ff2b10ade] Merge tag 'perf-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into master
testing commit 78b1afe22d51996c1916a332d43b853ff2b10ade with gcc (GCC) 8.1.0
kernel signature: fb84281e9ee97b04af9b0e75014ec49cdb223343b863f6d3e953abe6bbf28d72
run #0: crashed: kernel panic: Fatal exception
run #1: crashed: kernel panic: Fatal exception
run #2: crashed: kernel panic: Fatal exception
run #3: crashed: kernel panic: Fatal exception
run #4: crashed: kernel panic: Fatal exception
run #5: crashed: kernel panic: Fatal exception
run #6: crashed: kernel panic: Fatal exception
run #7: crashed: kernel panic: Fatal exception
run #8: crashed: kernel panic: Fatal exception
run #9: boot failed: can't ssh into the instance
# git bisect good 78b1afe22d51996c1916a332d43b853ff2b10ade
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[7d22af6c5bdb001c5ed0a20185138304ad2af91b] Merge tag 'tty-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty into master
testing commit 7d22af6c5bdb001c5ed0a20185138304ad2af91b with gcc (GCC) 8.1.0
kernel signature: c5ba82ed6793dce012bd5fda2062c1a8d00d4fc78a9f7e0c3c9e110c6e7a2129
all runs: OK
# git bisect bad 7d22af6c5bdb001c5ed0a20185138304ad2af91b
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[cf48f79b74de2bf900d27c924528bb41d73689c3] Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi into master
testing commit cf48f79b74de2bf900d27c924528bb41d73689c3 with gcc (GCC) 8.1.0
kernel signature: 51dd4e4f5491125ede365eee6128c617e76932d0ea521059ba1adebbd1ed82f1
all runs: crashed: kernel panic: Fatal exception
# git bisect good cf48f79b74de2bf900d27c924528bb41d73689c3
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[033724d6864245a11f8e04c066002e6ad22b3fd0] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit 033724d6864245a11f8e04c066002e6ad22b3fd0 with gcc (GCC) 8.1.0
kernel signature: c48b7302969cae020b6d005fc53d49fd2197d0f1b2f6f8a8de255b9901712c83
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: boot failed: can't ssh into the instance
run #8: boot failed: can't ssh into the instance
run #9: boot failed: can't ssh into the instance
# git bisect bad 033724d6864245a11f8e04c066002e6ad22b3fd0
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[707631ce639651e51bfed9e56326cde86f9e97b8] serial: tegra: drop bogus NULL tty-port checks
testing commit 707631ce639651e51bfed9e56326cde86f9e97b8 with gcc (GCC) 8.1.0
kernel signature: 82f5ce3effcdeec43a585a8a4fd2d55db57df918a849d5ee14f4478539d123cd
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect bad 707631ce639651e51bfed9e56326cde86f9e97b8
Bisecting: 1 revision left to test after this (roughly 1 step)
[22a82fa7d6c3e16d56a036b1fa697a39b954adf0] tty: xilinx_uartps: Really fix id assignment
testing commit 22a82fa7d6c3e16d56a036b1fa697a39b954adf0 with gcc (GCC) 8.1.0
kernel signature: f61f3a671afb5076bcc888d6620c600b5a1431492def9ed8097f801abc750590
all runs: OK
# git bisect bad 22a82fa7d6c3e16d56a036b1fa697a39b954adf0
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ce684552a266cb1c7cc2f7e623f38567adec6653] vt: Reject zero-sized screen buffer size.
testing commit ce684552a266cb1c7cc2f7e623f38567adec6653 with gcc (GCC) 8.1.0
kernel signature: 41fd1d57d8ad7769a9985c3000dd9780d593db7b5cccff7768fc8f665a9ed985
all runs: OK
# git bisect bad ce684552a266cb1c7cc2f7e623f38567adec6653
ce684552a266cb1c7cc2f7e623f38567adec6653 is the first bad commit
commit ce684552a266cb1c7cc2f7e623f38567adec6653
Author: Tetsuo Handa
Date:   Sun Jul 12 20:10:12 2020 +0900

    vt: Reject zero-sized screen buffer size.

    syzbot is reporting general protection fault in do_con_write() [1] caused
    by vc->vc_screenbuf == ZERO_SIZE_PTR caused by vc->vc_screenbuf_size == 0
    caused by vc->vc_cols == vc->vc_rows == vc->vc_size_row == 0 caused by
    fb_set_var() from ioctl(FBIOPUT_VSCREENINFO) on /dev/fb0 , for
    gotoxy(vc, 0, 0) from reset_terminal() from vc_init() from vc_allocate()
    from con_install() from tty_init_dev() from tty_open() on such console
    causes vc->vc_pos == 0x10000000e due to
    ((unsigned long) ZERO_SIZE_PTR) + -1U * 0 + (-1U << 1).

    I don't think that a console with 0 column or 0 row makes sense. And it
    seems that vc_do_resize() does not intend to allow resizing a console to
    0 column or 0 row due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception.

    Theoretically, cols and rows can be any range as long as
    0 < cols * rows * 2 <= KMALLOC_MAX_SIZE is satisfied (e.g.
    cols == 1048576 && rows == 2 is possible) because of

      vc->vc_size_row = vc->vc_cols << 1;
      vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;

    in visual_init() and

      kzalloc(vc->vc_screenbuf_size)

    in vc_allocate().

    Since we can detect cols == 0 or rows == 0 via screenbuf_size = 0 in
    visual_init(), we can reject kzalloc(0). Then, vc_allocate() will return
    an error, and con_write() will not be called on a console with 0 column
    or 0 row.

    We need to make sure that integer overflow in visual_init() won't happen.
    Since vc_do_resize() restricts cols <= 32767 and rows <= 32767, applying
    1 <= cols <= 32767 and 1 <= rows <= 32767 restrictions to vc_allocate()
    will be practically fine.

    This patch does not touch con_init(), for returning -EINVAL there
    does not help when we are not returning -ENOMEM.

    [1] https://syzkaller.appspot.com/bug?extid=017265e8553724e514e8

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Cc: stable
    Link: https://lore.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

parent commit ba47d845d715a010f7b51f6f89bae32845e6acb7 wasn't tested
testing commit ba47d845d715a010f7b51f6f89bae32845e6acb7 with gcc (GCC) 8.1.0
kernel signature: 2a97538df38a6024945c03d9c3dbd0ea1ddc8fbee6d13be5f973673f98d17eae
culprit signature: 41fd1d57d8ad7769a9985c3000dd9780d593db7b5cccff7768fc8f665a9ed985
parent signature: 2a97538df38a6024945c03d9c3dbd0ea1ddc8fbee6d13be5f973673f98d17eae
revisions tested: 21, total time: 3h53m39.003354186s (build: 1h57m7.918294424s, test: 1h53m59.903148407s)
first good commit: ce684552a266cb1c7cc2f7e623f38567adec6653 vt: Reject zero-sized screen buffer size.
cc: ["gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+017265e8553724e514e8@syzkaller.appspotmail.com"]