bisecting fixing commit since 7cc2a8ea104820dd9e702202621e8fd4d9f6c8cf
building syzkaller on 510951950dc0ee69cfdaf746061d3dbe31b49fd8
testing commit 7cc2a8ea104820dd9e702202621e8fd4d9f6c8cf with gcc (GCC) 8.1.0
kernel signature: 4c93cb6360da1ec86dfc3238c2dbaafdb0351404e620d8f233594de93b0fbd8c
all runs: crashed: no output from test machine
testing current HEAD 9c7d619be5a002ea29c172df5e3c1227c22cbb41
testing commit 9c7d619be5a002ea29c172df5e3c1227c22cbb41 with gcc (GCC) 8.1.0
kernel signature: c8239bb7b3db2ae33250e919d09251bb944652903a9ccb136d0814d5131efdea
all runs: OK
# git bisect start 9c7d619be5a002ea29c172df5e3c1227c22cbb41 7cc2a8ea104820dd9e702202621e8fd4d9f6c8cf
Bisecting: 8523 revisions left to test after this (roughly 13 steps)
[8186749621ed6b8fc42644c399e8c755a2b6f630] Merge tag 'drm-next-2020-08-06' of git://anongit.freedesktop.org/drm/drm
testing commit 8186749621ed6b8fc42644c399e8c755a2b6f630 with gcc (GCC) 8.1.0
kernel signature: 2ae1e55c4fabe4b9e18e1b1f391571165056da707464183b4c1714c28607f53a
all runs: OK
# git bisect bad 8186749621ed6b8fc42644c399e8c755a2b6f630
Bisecting: 3719 revisions left to test after this (roughly 12 steps)
[bbb839901fe865a56d91aa88d70908a7d16268a1] Merge tag 'regulator-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
testing commit bbb839901fe865a56d91aa88d70908a7d16268a1 with gcc (GCC) 8.1.0
kernel signature: fc8a3f17e90adf525da0882ef141202f4e45c29dfc0776cb5f7ed43b69d3d966
all runs: OK
# git bisect bad bbb839901fe865a56d91aa88d70908a7d16268a1
Bisecting: 1887 revisions left to test after this (roughly 11 steps)
[99f6cf61f175c1239ed8e86d4a1757c380da52d1] Merge branch 'mtd/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux
testing commit 99f6cf61f175c1239ed8e86d4a1757c380da52d1 with gcc (GCC) 8.1.0
kernel signature: 72d1865b1679d51592366ee9833588784b7cd575beb7267a28328f3e03007a05
all runs: OK
# git bisect bad 99f6cf61f175c1239ed8e86d4a1757c380da52d1
Bisecting: 909 revisions left to test after this (roughly 10 steps)
[926234f1b8434c4409aa4c53637aa3362ca07cea] staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
testing commit 926234f1b8434c4409aa4c53637aa3362ca07cea with gcc (GCC) 8.1.0
kernel signature: c482e103108fa447e2325ba16923c89dd4024d94b025b474b05cea283473eaa1
all runs: crashed: no output from test machine
# git bisect good 926234f1b8434c4409aa4c53637aa3362ca07cea
Bisecting: 454 revisions left to test after this (roughly 9 steps)
[608769a4e41cceca6908f1807ebe95e0a07a21d3] btrfs: always initialize btrfs_bio::tgtdev_map/raid_map pointers
testing commit 608769a4e41cceca6908f1807ebe95e0a07a21d3 with gcc (GCC) 8.1.0
kernel signature: 55c1efd8e62de60d69297382d44d61d527689ab4e67a26f8702c547f5594efab
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect bad 608769a4e41cceca6908f1807ebe95e0a07a21d3
Bisecting: 182 revisions left to test after this (roughly 8 steps)
[1b64b2e2444c11b8dd2b657f8538c05cb699ed25] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net into master
testing commit 1b64b2e2444c11b8dd2b657f8538c05cb699ed25 with gcc (GCC) 8.1.0
kernel signature: 83d09b977afe288a892fa676a2044037d70121e5bdf8aff712f46999a5dc3192
all runs: crashed: no output from test machine
# git bisect good 1b64b2e2444c11b8dd2b657f8538c05cb699ed25
Bisecting: 91 revisions left to test after this (roughly 7 steps)
[100aa5d9f9f9d1163218bbbaad21bffbd8ee3e8d] btrfs: scrub: clean up temporary page variables in scrub_checksum_tree_block
testing commit 100aa5d9f9f9d1163218bbbaad21bffbd8ee3e8d with gcc (GCC) 8.1.0
kernel signature: 21a64102fd5f94fe0433aa8d9749bec7393c0ba0e63825ab20a7d021f20bc35d
all runs: OK
# git bisect bad 100aa5d9f9f9d1163218bbbaad21bffbd8ee3e8d
Bisecting: 44 revisions left to test after this (roughly 6 steps)
[f208a76fcb5700a0c5104e5888679acc31d1ce41] Merge tag 'staging-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging into master
testing commit f208a76fcb5700a0c5104e5888679acc31d1ce41 with gcc (GCC) 8.1.0
kernel signature: 36af93c471f2fe90f1aaef55c000b4114953935cb51e244e7a30bc9965598cb2
all runs: OK
# git bisect bad f208a76fcb5700a0c5104e5888679acc31d1ce41
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[fbe0d451bcea569fc0ed3455511a90646c8a9c81] Merge tag 'x86-urgent-2020-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into master
testing commit fbe0d451bcea569fc0ed3455511a90646c8a9c81 with gcc (GCC) 8.1.0
kernel signature: 5062e8da2b2f2725ccad051054dc49a4f622245b6108d6a1732a0906c13477ab
all runs: crashed: no output from test machine
# git bisect good fbe0d451bcea569fc0ed3455511a90646c8a9c81
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[17f50e28a858e4bab808733339995133390aae54] Merge tag 'usb-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb into master
testing commit 17f50e28a858e4bab808733339995133390aae54 with gcc (GCC) 8.1.0
kernel signature: f8a2b492b003ff60b0fb540615fe7d5e8190a7ffcd5cfa2d2712c7ff96a8172d
all runs: crashed: no output from test machine
# git bisect good 17f50e28a858e4bab808733339995133390aae54
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[f4c23a140d80ef5e6d3d1f8f57007649014b60fa] serial: 8250: fix null-ptr-deref in serial8250_start_tx()
testing commit f4c23a140d80ef5e6d3d1f8f57007649014b60fa with gcc (GCC) 8.1.0
kernel signature: 55e5442a37ef94c1cd28e805de363e413152b3108c4ecc326d37b9cae5aac928
all runs: crashed: no output from test machine
# git bisect good f4c23a140d80ef5e6d3d1f8f57007649014b60fa
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[5fdbe136ae19ab751daaa4d08d9a42f3e30d17f9] serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
testing commit 5fdbe136ae19ab751daaa4d08d9a42f3e30d17f9 with gcc (GCC) 8.1.0
kernel signature: 8ba86a196a3491fa60f22297ec0f5cac458fb84694ffcfceaedbc684aac0bcef
all runs: OK
# git bisect bad 5fdbe136ae19ab751daaa4d08d9a42f3e30d17f9
Bisecting: 0 revisions left to test after this (roughly 1 step)
[033724d6864245a11f8e04c066002e6ad22b3fd0] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit 033724d6864245a11f8e04c066002e6ad22b3fd0 with gcc (GCC) 8.1.0
kernel signature: 2420610d5075a0a594194784b2522b430b49dd204aeef9da15bb7e58db6f1652
all runs: OK
# git bisect bad 033724d6864245a11f8e04c066002e6ad22b3fd0
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[551e553f0d4ab623e2a6f424ab5834f9c7b5229c] serial: 8250_mtk: Fix high-speed baud rates clamping
testing commit 551e553f0d4ab623e2a6f424ab5834f9c7b5229c with gcc (GCC) 8.1.0
kernel signature: fe4d2b6da4ae0fbda786d7f35a14a1ddb9f5a1bfa63d3d66d38e97e79a654020
all runs: crashed: no output from test machine
# git bisect good 551e553f0d4ab623e2a6f424ab5834f9c7b5229c
033724d6864245a11f8e04c066002e6ad22b3fd0 is the first bad commit
commit 033724d6864245a11f8e04c066002e6ad22b3fd0
Author: Tetsuo Handa
Date:   Wed Jul 15 10:51:02 2020 +0900

    fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

    syzbot is reporting general protection fault in bitfill_aligned() [1]
    caused by integer underflow in bit_clear_margins(). The cause of this
    problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.

    If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
    is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
    bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
    info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will
    try to overrun the __iomem region and cause a general protection fault.

    Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to the

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception. Since cols and lines are calculated as

      cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
      rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
      cols /= vc->vc_font.width;
      rows /= vc->vc_font.height;
      vc_resize(vc, cols, rows);

    in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0 and
    var.yres < vc->vc_font.height makes rows = 0. This means that

      const int fd = open("/dev/fb0", O_ACCMODE);
      struct fb_var_screeninfo var = { };
      ioctl(fd, FBIOGET_VSCREENINFO, &var);
      var.xres = var.yres = 1;
      ioctl(fd, FBIOPUT_VSCREENINFO, &var);

    easily reproduces the integer underflow bug explained above.

    Of course, it is bad that callers of vc_resize() are not handling
    vc_do_resize() failure. But we can't avoid vc_resize(vc, 0, 0), which
    returns 0. Therefore, as a band-aid workaround, this patch checks for
    integer underflow in the "struct fbcon_ops"->clear_margins call,
    assuming that vc->vc_cols * vc->vc_font.width and
    vc->vc_rows * vc->vc_font.height do not cause integer overflow.

    [1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Acked-by: Daniel Vetter
    Cc: stable
    Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/video/fbdev/core/bitblit.c   | 4 ++--
 drivers/video/fbdev/core/fbcon_ccw.c | 4 ++--
 drivers/video/fbdev/core/fbcon_cw.c  | 4 ++--
 drivers/video/fbdev/core/fbcon_ud.c  | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

culprit signature: 2420610d5075a0a594194784b2522b430b49dd204aeef9da15bb7e58db6f1652
parent signature: fe4d2b6da4ae0fbda786d7f35a14a1ddb9f5a1bfa63d3d66d38e97e79a654020
revisions tested: 16, total time: 3h41m48.101298932s (build: 1h17m4.241514683s, test: 2h23m13.477707435s)
first good commit: 033724d6864245a11f8e04c066002e6ad22b3fd0 fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
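The commit message above explains why the margin width rw = info->var.xres - (vc->vc_cols * cw) underflows after the reproducer's 1x1 mode change. The C model below is an added example, not code from the kernel or from the patch: it replays that chain (cols = 0 from the font-size division, the vc_resize(vc, 0, 0) exception that keeps the stale vc_cols, then the unsigned subtraction) with constructed console and font sizes, next to a guarded computation in the spirit of the fix. The struct layouts, the model_ functions and the 80x25 / 8x16 values are assumptions made for the illustration.

```c
#include <stdio.h>
/* Constructed model of the state the commit message describes; illustration
 * code, not the kernel's fbcon sources and not the actual patch. */
struct model_vc { unsigned int vc_cols, vc_rows, font_w, font_h; };
struct model_var { unsigned int xres, yres; };
struct margins { unsigned int unguarded; int guarded; };

/* The vc_resize() exception quoted above: a requested 0 keeps the old value,
 * so the console geometry silently stays stale after a tiny mode change. */
static void model_vc_resize(struct model_vc *vc, unsigned int cols, unsigned int rows)
{
    vc->vc_cols = cols ? cols : vc->vc_cols;
    vc->vc_rows = rows ? rows : vc->vc_rows;
}
/* fbcon_modechanged() arithmetic: integer division by the font size, so a
 * resolution smaller than one glyph yields cols = 0 or rows = 0. */
static void model_modechanged(struct model_vc *vc, const struct model_var *var)
{
    model_vc_resize(vc, var->xres / vc->font_w, var->yres / vc->font_h);
}
/* Pre-fix margin width: unsigned subtraction wraps when xres < cols * cw. */
static unsigned int margin_unguarded(const struct model_vc *vc, const struct model_var *var)
{
    return var->xres - vc->vc_cols * vc->font_w;
}
/* Guarded variant in the spirit of the fix: a negative width means nothing to
 * clear. Assumes cols * cw itself cannot overflow, as the message also does. */
static int margin_guarded(const struct model_vc *vc, const struct model_var *var)
{
    int rw = (int)var->xres - (int)(vc->vc_cols * vc->font_w);
    return rw > 0 ? rw : 0;
}
/* Replay a mode change on an 80x25 console with an 8x16 font (constructed
 * values) and return the margin width under both arithmetics. */
static struct margins replay(unsigned int xres, unsigned int yres)
{
    struct model_vc vc = { 80, 25, 8, 16 };
    struct model_var var = { xres, yres };
    model_modechanged(&vc, &var);
    struct margins m = { margin_unguarded(&vc, &var), margin_guarded(&vc, &var) };
    return m;
}
int main(void)
{
    struct margins m = replay(1, 1);   /* the reproducer's var.xres = var.yres = 1 */
    printf("pre-fix rw = %u, guarded rw = %d\n", m.unguarded, m.guarded);
    return 0;
}
```

With the 1x1 request the console keeps its 640-pixel-wide 80 columns, so the pre-fix width wraps to a value near 4 billion while the guarded variant reports 0; a sane mode such as 812x600 gives 4 in both.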
recipients (to): ["daniel.vetter@ffwll.ch" "gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com"]
recipients (cc): []