bisecting cause commit starting from 46cf053efec6a3a5f343fead837777efe8252a46
building syzkaller on be5c2c81971442d623dd1b265dabf4644ceeb35b
testing commit 46cf053efec6a3a5f343fead837777efe8252a46 with gcc (GCC) 8.1.0
kernel signature: df13970f5229b0b1662c8cc3bf78e08719788891
all runs: crashed: KASAN: use-after-free Read in fb_mode_is_equal
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 45f88e7bea0066a8d538be488b3b4903c2ebc65f
all runs: crashed: KASAN: use-after-free Read in fb_mode_is_equal
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: f5b9425e8383a237b2e6d7fb7f27d19fbd18030e
all runs: crashed: KASAN: use-after-free Read in fb_mode_is_equal
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 8805e3857400382fbf5e1dc75616d1edc0b27561
all runs: OK
# git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36
Bisecting: 7848 revisions left to test after this (roughly 13 steps)
[43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.1.0
kernel signature: e23905d046539fcbed329c01a1e2d65bd3eb5705
all runs: crashed: KASAN: use-after-free Read in fb_mode_is_equal
# git bisect bad 43c95d3694cc448fdf50bd53b7ff3a5bb4655883
Bisecting: 4619 revisions left to test after this (roughly 12 steps)
[8f6ccf6159aed1f04c6d179f61f6fb2691261e84] Merge tag 'clone3-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
testing commit 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 with gcc (GCC) 8.1.0
kernel signature: c4fb4eae997153351edb0112a0eb1501652bacfb
all runs: crashed: KASAN: use-after-free Read in fb_mode_is_equal
# git bisect bad 8f6ccf6159aed1f04c6d179f61f6fb2691261e84
Bisecting: 1595 revisions left to test after this (roughly 11 steps)
[ed63b9c873601ca113da5c7b1745e3946493e9f3] Merge tag 'media/v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit ed63b9c873601ca113da5c7b1745e3946493e9f3 with gcc (GCC) 8.1.0
kernel signature: e3dff82b1d095356012f17269510fd27e297f2d9
all runs: OK
# git bisect good ed63b9c873601ca113da5c7b1745e3946493e9f3
Bisecting: 798 revisions left to test after this (roughly 10 steps)
[4b4704520d97b74e045154fc3b844b73ae4e7ebd] Merge tag 'acpi-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 4b4704520d97b74e045154fc3b844b73ae4e7ebd with gcc (GCC) 8.1.0
kernel signature: 4688340c65d515a90cc436016beff775129d86f2
all runs: crashed: KASAN: use-after-free Read in fb_mode_is_equal
# git bisect bad 4b4704520d97b74e045154fc3b844b73ae4e7ebd
Bisecting: 398 revisions left to test after this (roughly 9 steps)
[e3303268f9cfa4eb7c2217df471417d4327109fd] ASoC: soc-core: don't use soc_find_component() at snd_soc_find_dai()
testing commit e3303268f9cfa4eb7c2217df471417d4327109fd with gcc (GCC) 8.1.0
kernel signature: 20ec55bcfb099ef10f26f94254035aae00783ba1
all runs: OK
# git bisect good e3303268f9cfa4eb7c2217df471417d4327109fd
Bisecting: 162 revisions left to test after this (roughly 8 steps)
[3c53c6255d598db7084c5c3d7553d7200e857818] Merge tag 'asoc-v5.3' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
testing commit 3c53c6255d598db7084c5c3d7553d7200e857818 with gcc (GCC) 8.1.0
kernel signature: 920b53fd57ca0170cb9b6cb34af3aafa06490c16
all runs: OK
# git bisect good 3c53c6255d598db7084c5c3d7553d7200e857818
Bisecting: 87 revisions left to test after this (roughly 6 steps)
[4cdd5f9186bbe80306e76f11da7ecb0b9720433c] Merge tag 'sound-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 4cdd5f9186bbe80306e76f11da7ecb0b9720433c with gcc (GCC) 8.1.0
kernel signature: 1b0a3711ff31ed13a856d4279d8d7901f88ca60f
all runs: crashed: KASAN: use-after-free Read in fb_mode_is_equal
# git bisect bad 4cdd5f9186bbe80306e76f11da7ecb0b9720433c
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[6116b892bd4fd0ddc5f30566a556218bb2e1a9b6] vga_switcheroo: Depend upon fbcon being built-in, if enabled
testing commit 6116b892bd4fd0ddc5f30566a556218bb2e1a9b6 with gcc (GCC) 8.1.0
kernel signature: ed66ce65b279c6014669c9b597e3a4254b27c49f
all runs: crashed: KASAN: use-after-free Read in fb_mode_is_equal
# git bisect bad 6116b892bd4fd0ddc5f30566a556218bb2e1a9b6
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[0e0f3250d4402d60f4571d076ab27d5af049853e] fbcon: call fbcon_fb_bind directly
testing commit 0e0f3250d4402d60f4571d076ab27d5af049853e with gcc (GCC) 8.1.0
kernel signature: 864550337ac3a29259f8ce2edda7a7e2216680c0
all runs: OK
# git bisect good 0e0f3250d4402d60f4571d076ab27d5af049853e
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[3667617347ba42c85ec846a9ea5c33f5d6ab9e4a] fbdev: remove FBINFO_MISC_USEREVENT around fb_blank
testing commit 3667617347ba42c85ec846a9ea5c33f5d6ab9e4a with gcc (GCC) 8.1.0
kernel signature: 752ccf23761fdd131cb05f1023c0ce933cf1ecf4
all runs: crashed: KASAN: use-after-free Read in fb_mode_is_equal
# git bisect bad 3667617347ba42c85ec846a9ea5c33f5d6ab9e4a
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[50c5056356340c8b5be90440d2f32fec8c47a7c3] fbdev: directly call fbcon_suspended/resumed
testing commit 50c5056356340c8b5be90440d2f32fec8c47a7c3 with gcc (GCC) 8.1.0
kernel signature: 5a2c79c1d9f99d2d0ef652da1248bfb176c45488
all runs: OK
# git bisect good 50c5056356340c8b5be90440d2f32fec8c47a7c3
Bisecting: 2 revisions left to test after this (roughly 1 step)
[0526c2239ad8ceef98652fe8e059044c24c62ea7] fbdev: Call fbcon_get_requirement directly
testing commit 0526c2239ad8ceef98652fe8e059044c24c62ea7 with gcc (GCC) 8.1.0
kernel signature: 231318a800f761291a330defcc533dcacd5021ca
all runs: crashed: KASAN: use-after-free Read in fb_mode_is_equal
# git bisect bad 0526c2239ad8ceef98652fe8e059044c24c62ea7
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[13ff178ccd6d3b8074c542a911300b79c4eec255] fbcon: Call fbcon_mode_deleted/new_modelist directly
testing commit 13ff178ccd6d3b8074c542a911300b79c4eec255 with gcc (GCC) 8.1.0
kernel signature: 314dfcfda2940fc81b6cfd291192c5b250a91baf
all runs: crashed: KASAN: use-after-free Read in fb_mode_is_equal
# git bisect bad 13ff178ccd6d3b8074c542a911300b79c4eec255
13ff178ccd6d3b8074c542a911300b79c4eec255 is the first bad commit
commit 13ff178ccd6d3b8074c542a911300b79c4eec255
Author: Daniel Vetter
Date:   Tue May 28 11:02:53 2019 +0200

    fbcon: Call fbcon_mode_deleted/new_modelist directly

    I'm not entirely clear on what new_modelist actually does, it seems
    exclusively for a sysfs interface. Which in the end does amount to a
    normal fb_set_par to check the mode, but then takes a different path in
    both fbmem.c and fbcon.c. I have no idea why these 2 paths are
    different, but then I also don't really want to find out.

    So just do the simple conversion to a direct function call.

    v2: static inline for the dummy versions, I forgot.

    Signed-off-by: Daniel Vetter
    Reviewed-by: Sam Ravnborg
    Reviewed-by: Maarten Lankhorst
    Cc: Bartlomiej Zolnierkiewicz
    Cc: Daniel Vetter
    Cc: Hans de Goede
    Cc: Mikulas Patocka
    Cc: Sergey Senozhatsky
    Cc: Kees Cook
    Cc: Peter Rosin
    Cc: Yisheng Xie
    Cc: "Michał Mirosław"
    Cc: linux-fbdev@vger.kernel.org
    Link: https://patchwork.freedesktop.org/patch/msgid/20190528090304.9388-23-daniel.vetter@ffwll.ch

 drivers/video/fbdev/core/fbcon.c | 14 +++----------
 drivers/video/fbdev/core/fbmem.c | 22 +++++++--------------
 include/linux/fb.h               |  5 -----
 include/linux/fbcon.h            |  6 ++++++
 4 files changed, 16 insertions(+), 31 deletions(-)

culprit signature: 314dfcfda2940fc81b6cfd291192c5b250a91baf
parent signature: 5a2c79c1d9f99d2d0ef652da1248bfb176c45488
revisions tested: 17, total time: 3h15m31.579472788s (build: 1h38m0.523206534s, test: 1h36m14.259075408s)
first bad commit: 13ff178ccd6d3b8074c542a911300b79c4eec255 fbcon: Call fbcon_mode_deleted/new_modelist directly
cc: ["daniel.vetter@ffwll.ch" "daniel.vetter@intel.com" "maarten.lankhorst@linux.intel.com" "sam@ravnborg.org"]
crash: KASAN: use-after-free Read in fb_mode_is_equal
==================================================================
BUG: KASAN: use-after-free in fb_mode_is_equal+0x21c/0x2e0 drivers/video/fbdev/core/modedb.c:981
Read of size 4 at addr ffff888095c1309c by task syz-executor.0/7914

CPU: 0 PID: 7914 Comm: syz-executor.0 Not tainted 5.2.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:188
 __kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 fb_mode_is_equal+0x21c/0x2e0 drivers/video/fbdev/core/modedb.c:981
 fbcon_mode_deleted+0xe6/0x140 drivers/video/fbdev/core/fbcon.c:3040
 fb_set_var+0x968/0xf40 drivers/video/fbdev/core/fbmem.c:970
 do_fb_ioctl+0x6ed/0x990 drivers/video/fbdev/core/fbmem.c:1120
 fb_ioctl+0xcb/0x150 drivers/video/fbdev/core/fbmem.c:1224
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a919
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f80d38c4c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000011
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f80d38c56d4
R13: 00000000004c310d R14: 00000000004d8498 R15: 00000000ffffffff

Allocated by task 7645:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc.constprop.12+0xc7/0xd0 mm/kasan/common.c:489
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 kmem_cache_alloc_trace+0x154/0x740 mm/slab.c:3555
 kmalloc include/linux/slab.h:547 [inline]
 fb_add_videomode+0x22e/0x5c0 drivers/video/fbdev/core/modedb.c:1130
 fb_set_var+0x580/0xf40 drivers/video/fbdev/core/fbmem.c:1040
 do_fb_ioctl+0x6ed/0x990 drivers/video/fbdev/core/fbmem.c:1120
 fb_ioctl+0xcb/0x150 drivers/video/fbdev/core/fbmem.c:1224
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7818:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kfree+0xcf/0x220 mm/slab.c:3755
 fb_delete_videomode+0x303/0x720 drivers/video/fbdev/core/modedb.c:1161
 fb_set_var+0x977/0xf40 drivers/video/fbdev/core/fbmem.c:973
 do_fb_ioctl+0x6ed/0x990 drivers/video/fbdev/core/fbmem.c:1120
 fb_ioctl+0xcb/0x150 drivers/video/fbdev/core/fbmem.c:1224
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888095c13080
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 28 bytes inside of
 96-byte region [ffff888095c13080, ffff888095c130e0)
The buggy address belongs to the page:
page:ffffea00025704c0 refcount:1 mapcount:0 mapping:ffff8880aa4004c0 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000260c5c8 ffffea0002373988 ffff8880aa4004c0
raw: 0000000000000000 ffff888095c13000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888095c12f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888095c13000: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff888095c13080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                            ^
 ffff888095c13100: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff888095c13180: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================