bisecting fixing commit since 050272a0423e68207fd2367831ae610680129062
building syzkaller on 0ce7569ee76fda7e5a68b0fe14c93a3e8eb7d108
testing commit 050272a0423e68207fd2367831ae610680129062 with gcc (GCC) 8.1.0
kernel signature: 901311793cc701c7a8f2e1e5e35344b95d66aa6d3df53b4e36a585c7c35305b5
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
testing current HEAD 27ce4f2a6817e38ca74c643d47a96359f6cc0c1c
testing commit 27ce4f2a6817e38ca74c643d47a96359f6cc0c1c with gcc (GCC) 8.1.0
kernel signature: 3bf504ed5745edf0f1b1ec9b9500fba8df55ae71b8b78fbee53f882e7d4dbd14
all runs: OK
# git bisect start 27ce4f2a6817e38ca74c643d47a96359f6cc0c1c 050272a0423e68207fd2367831ae610680129062
Bisecting: 1166 revisions left to test after this (roughly 10 steps)
[14b58326976de6ef3998eefec1dd7f8b38b97a75] Linux 4.14.193
testing commit 14b58326976de6ef3998eefec1dd7f8b38b97a75 with gcc (GCC) 8.1.0
kernel signature: 4a1ba52fd9ae228fdd9d10a6bde45b5c58675af1a4caad37b6a30e4b78c2178a
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good 14b58326976de6ef3998eefec1dd7f8b38b97a75
Bisecting: 583 revisions left to test after this (roughly 9 steps)
[9e9210e578ad74c5d394ba060d5cd9ebd421f9d5] CIFS: Properly process SMB3 lease breaks
testing commit 9e9210e578ad74c5d394ba060d5cd9ebd421f9d5 with gcc (GCC) 8.1.0
kernel signature: f02222047f2837bd84468ddd416caeff2ce451eb31b8eaa271f088d7b7ddb1aa
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good 9e9210e578ad74c5d394ba060d5cd9ebd421f9d5
Bisecting: 291 revisions left to test after this (roughly 8 steps)
[9144ea5a6cc29fbc2ec9c060188a41e6891ebb99] usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above.
testing commit 9144ea5a6cc29fbc2ec9c060188a41e6891ebb99 with gcc (GCC) 8.1.0
kernel signature: 98160ef162cd22200161902c74598cf88a49ec0d8f57703aaad0572ae65a05ed
all runs: OK
# git bisect bad 9144ea5a6cc29fbc2ec9c060188a41e6891ebb99
Bisecting: 145 revisions left to test after this (roughly 7 steps)
[a98fcb2fc19b158a1d0aa68235827149f7637110] clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED
testing commit a98fcb2fc19b158a1d0aa68235827149f7637110 with gcc (GCC) 8.1.0
kernel signature: 784ff8af962b161d576a9c5ffb027b6d8c8905605799445ba255ff63774b9d9d
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good a98fcb2fc19b158a1d0aa68235827149f7637110
Bisecting: 72 revisions left to test after this (roughly 6 steps)
[f6b47285c4a47f9d8ad9a29161f0df2fdd40e432] ipv4: Restore flowi4_oif update before call to xfrm_lookup_route
testing commit f6b47285c4a47f9d8ad9a29161f0df2fdd40e432 with gcc (GCC) 8.1.0
kernel signature: f33251b00ff1c074462553e29ce42ed52b00ea5733a7d26fa3cafa64abb5f451
all runs: OK
# git bisect bad f6b47285c4a47f9d8ad9a29161f0df2fdd40e432
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[2bb379108c4ad36a761fcf1efaf51bb176b326b3] xfrm: clone whole liftime_cur structure in xfrm_do_migrate
testing commit 2bb379108c4ad36a761fcf1efaf51bb176b326b3 with gcc (GCC) 8.1.0
kernel signature: 47f135bc635d716ce1c458065458055a321d485893f2ce3057d42a422ce7c8ad
all runs: OK
# git bisect bad 2bb379108c4ad36a761fcf1efaf51bb176b326b3
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[515ded02bc4b0d8900d04e0cab781a13408b1fd6] platform/x86: thinkpad_acpi: initialize tp_nvram_state variable
testing commit 515ded02bc4b0d8900d04e0cab781a13408b1fd6 with gcc (GCC) 8.1.0
kernel signature: cfb2554982e6a58a586976a6e192cc6fd423c8f1d8565fe1a48ae2bb07e24aa1
all runs: OK
# git bisect bad 515ded02bc4b0d8900d04e0cab781a13408b1fd6
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[a3915080e95da5257c541bbc39fa4007076d8fa3] ep_create_wakeup_source(): dentry name can change under you...
testing commit a3915080e95da5257c541bbc39fa4007076d8fa3 with gcc (GCC) 8.1.0
kernel signature: 884d809df77c181bc062237dec680262ee12f989e7f3578ef811bec4e12b5cfe
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good a3915080e95da5257c541bbc39fa4007076d8fa3
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[2832691e0106b31823b0b1ca51f6f7ba34875279] Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts
testing commit 2832691e0106b31823b0b1ca51f6f7ba34875279 with gcc (GCC) 8.1.0
kernel signature: 914d6a2d5aac03c1bc1371c023e85ec18d7b0b1a596d05b0ba6863ed98711f2a
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good 2832691e0106b31823b0b1ca51f6f7ba34875279
Bisecting: 2 revisions left to test after this (roughly 1 step)
[30386c13a1bfb0d1ce59ea83b825aa73bd516bc5] fbcon: Fix global-out-of-bounds read in fbcon_get_font()
testing commit 30386c13a1bfb0d1ce59ea83b825aa73bd516bc5 with gcc (GCC) 8.1.0
kernel signature: 8c8e05f90f78899c44144aed4a9fda48dd76d2dd9a27ea5e8f2cb19b8b4282ab
all runs: OK
# git bisect bad 30386c13a1bfb0d1ce59ea83b825aa73bd516bc5
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[ab5737277fce6bb8f6d2a0a41a88a33f64b03aa6] Revert "ravb: Fixed to be able to unload modules"
testing commit ab5737277fce6bb8f6d2a0a41a88a33f64b03aa6 with gcc (GCC) 8.1.0
kernel signature: 914d6a2d5aac03c1bc1371c023e85ec18d7b0b1a596d05b0ba6863ed98711f2a
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_get_font
# git bisect good ab5737277fce6bb8f6d2a0a41a88a33f64b03aa6
30386c13a1bfb0d1ce59ea83b825aa73bd516bc5 is the first bad commit
commit 30386c13a1bfb0d1ce59ea83b825aa73bd516bc5
Author: Peilin Ye
Date:   Thu Sep 24 09:43:48 2020 -0400

    fbcon: Fix global-out-of-bounds read in fbcon_get_font()

    commit 5af08640795b2b9a940c9266c0260455377ae262 upstream.

    fbcon_get_font() is reading out-of-bounds. A malicious user may resize
    `vc->vc_font.height` to a large value, causing fbcon_get_font() to read out
    of `fontdata`.

    fbcon_get_font() handles both built-in and user-provided fonts. Fortunately,
    recently we have added FONT_EXTRA_WORDS support for built-in fonts, so fix
    it by adding range checks using FNTSIZE().

    This patch depends on patch "fbdev, newport_con: Move FONT_EXTRA_WORDS
    macros into linux/font.h", and patch "Fonts: Support FONT_EXTRA_WORDS
    macros for built-in fonts".

    Cc: stable@vger.kernel.org
    Reported-and-tested-by: syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com
    Link: https://syzkaller.appspot.com/bug?id=08b8be45afea11888776f897895aef9ad1c3ecfd
    Signed-off-by: Peilin Ye
    Reviewed-by: Greg Kroah-Hartman
    Signed-off-by: Daniel Vetter
    Link: https://patchwork.freedesktop.org/patch/msgid/b34544687a1a09d6de630659eb7a773f4953238b.1600953813.git.yepeilin.cs@gmail.com
    Signed-off-by: Greg Kroah-Hartman

 drivers/video/fbdev/core/fbcon.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

culprit signature: 8c8e05f90f78899c44144aed4a9fda48dd76d2dd9a27ea5e8f2cb19b8b4282ab
parent signature: 914d6a2d5aac03c1bc1371c023e85ec18d7b0b1a596d05b0ba6863ed98711f2a
revisions tested: 13, total time: 3h11m2.606101658s (build: 1h47m25.641283679s, test: 1h22m14.458737119s)
first good commit: 30386c13a1bfb0d1ce59ea83b825aa73bd516bc5 fbcon: Fix global-out-of-bounds read in fbcon_get_font()
recipients (to): ["daniel.vetter@ffwll.ch" "gregkh@linuxfoundation.org" "syzbot+29d4ed7f3bdedf2aa2fd@syzkaller.appspotmail.com" "yepeilin.cs@gmail.com"]
recipients (cc): []
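A note on reading the log: because syzbot is bisecting a *fixing* commit, it marks crashing revisions "good" and passing ones "bad", so the fix shows up both as "first bad commit" in the git output and as "first good commit" in the summary.

The commit message describes the bug only in prose: a font height the user enlarged is trusted, so the copy loop walks off the end of `fontdata`, and the fix compares the requested size against `FNTSIZE()` from the header in front of the font data. The C model below is an added example, not syzbot's output or the kernel's own code. It assumes the header layout that linux/font.h uses (four extra ints before the data, `FNTSIZE(fd)` at `((int *)(fd))[-2]`), the 32-bytes-per-glyph output layout fbcon uses for fonts up to 8 pixels wide, and the cap of 32 rows that the console font path enforces elsewhere; `get_font_unchecked`, `get_font_checked`, `count_leaked_bytes` and the sentinel region are mine. The "neighbouring memory" is a constructed 0xAA-filled region placed right after the font in one array, so the unchecked copy can be run safely and the bytes it pulls from past the font can be counted.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumption: mirrors linux/font.h, where FONT_EXTRA_WORDS ints precede the
 * glyph data (FNTSUM, FNTCHARCNT, FNTSIZE, REFCOUNT) and FNTSIZE(fd) is
 * ((int *)(fd))[-2]. Nothing in this file is kernel code. */
#define FONT_EXTRA_WORDS 4
#define FNTSIZE(fd) (((int *)(fd))[-2])

#define FONT_HEIGHT 8
#define FONT_CHARS 256
#define FONT_BYTES (FONT_HEIGHT * FONT_CHARS) /* 2048 bytes of real glyph data */
#define SENTINEL_BYTES 8192                   /* constructed stand-in for what follows the font */
#define OUT_STRIDE 32                         /* fbcon: 32 output bytes per glyph, width <= 8 */
#define MAX_CHARS 512                         /* 256, or 512 with vc_hi_font_mask set */

/* Header, font and sentinel in one int-aligned array, so the unchecked copy
 * can run past the font without undefined behaviour in this model. */
static int blob[FONT_EXTRA_WORDS + (FONT_BYTES + SENTINEL_BYTES) / sizeof(int)];
static unsigned char *fontdata;
unsigned char font_out[MAX_CHARS * OUT_STRIDE];

static void setup_font(void)
{
    if (fontdata)
        return;
    fontdata = (unsigned char *)(blob + FONT_EXTRA_WORDS);
    blob[1] = FONT_CHARS; /* FNTCHARCNT */
    blob[2] = FONT_BYTES; /* FNTSIZE */
    blob[3] = 1;          /* REFCOUNT */
    for (int i = 0; i < FONT_BYTES; i++)
        fontdata[i] = (unsigned char)(i & 0x7f);         /* glyph bytes, never 0xAA */
    memset(fontdata + FONT_BYTES, 0xAA, SENTINEL_BYTES); /* "memory after the font" */
}

/* Vulnerable shape: trusts `height` (vc->vc_font.height, which a user can
 * enlarge with a later font change) and reads charcount * height bytes. */
static int get_font_unchecked(unsigned char *out, int charcount, int height)
{
    const unsigned char *src;

    setup_font();
    /* Precondition the console font path enforces elsewhere (height <= 32);
     * it is not the check this example is about. */
    if (charcount < 1 || charcount > MAX_CHARS || height < 1 || height > OUT_STRIDE)
        return -EINVAL;
    src = fontdata;
    for (int i = 0; i < charcount; i++) {
        memcpy(out, src, height);
        memset(out + height, 0, OUT_STRIDE - height);
        out += OUT_STRIDE;
        src += height;
    }
    return 0;
}

/* Hardened shape: the range check the fix adds, against FNTSIZE() from the
 * header, before any byte is copied. Note that charcount matters too: a
 * 512-glyph request with the original height also exceeds the font. */
static int get_font_checked(unsigned char *out, int charcount, int height)
{
    setup_font();
    if (charcount * height > FNTSIZE(fontdata))
        return -EINVAL;
    return get_font_unchecked(out, charcount, height);
}

/* Run the unchecked copy into font_out and count output bytes that came from
 * beyond the font (the 0xAA sentinel). Returns -1 if the request would leave
 * even the model's backing array. */
static int count_leaked_bytes(int charcount, int height)
{
    int leaked = 0;

    setup_font();
    if (charcount * height > FONT_BYTES + SENTINEL_BYTES)
        return -1;
    if (get_font_unchecked(font_out, charcount, height) != 0)
        return -1;
    for (int i = 0; i < charcount * OUT_STRIDE; i++)
        if (font_out[i] == 0xAA)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("256 x  8: checked=%d leaked=%d\n",
           get_font_checked(font_out, 256, 8), count_leaked_bytes(256, 8));
    printf("256 x 32: checked=%d leaked=%d\n",
           get_font_checked(font_out, 256, 32), count_leaked_bytes(256, 32));
    printf("512 x  8: checked=%d leaked=%d\n",
           get_font_checked(font_out, 512, 8), count_leaked_bytes(512, 8));
    return 0;
}
```

With the original 8-row font every byte the caller receives is glyph data; once the height is raised to 32 the unchecked loop reads 8192 bytes from a 2048-byte font and three quarters of what it hands back is whatever sat after the font, which on a real kernel is other `.rodata` (hence KASAN's global-out-of-bounds report). The checked variant refuses the same request before touching memory.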