bisecting fixing commit since 610bdbf6a174c9a91e34e276a9594114b44bef74
building syzkaller on 2c1f2513486f21d26b1942ce77ffc782677fbf4e
testing commit 610bdbf6a174c9a91e34e276a9594114b44bef74 with gcc (GCC) 8.4.1 20210217
kernel signature: f58de124f425d55df04886a4dc56f06df23afe181261c329dfc1ba5e182d6cac
all runs: crashed: KASAN: global-out-of-bounds Read in bit_putcs
testing current HEAD eb575cd5d7f60241d016fdd13a9e86d962093c9b
testing commit eb575cd5d7f60241d016fdd13a9e86d962093c9b with gcc (GCC) 8.4.1 20210217
kernel signature: ac80a1b2ce2c0742b26a3eaa8af9ff71f300b2705399ec932587545f884b2d4c
all runs: OK
# git bisect start eb575cd5d7f60241d016fdd13a9e86d962093c9b 610bdbf6a174c9a91e34e276a9594114b44bef74
Bisecting: 990 revisions left to test after this (roughly 10 steps)
[d21116af58f1e676e95a9c6d0ee744af7740cfa4] arm64: dts: ls1043a: mark crypto engine dma coherent
testing commit d21116af58f1e676e95a9c6d0ee744af7740cfa4 with gcc (GCC) 8.4.1 20210217
kernel signature: de076b8f3b35c83d43c3da70f2352fd4c964821df22e583c25aa5b1168e990b2
all runs: crashed: KASAN: global-out-of-bounds Read in bit_putcs
# git bisect good d21116af58f1e676e95a9c6d0ee744af7740cfa4
Bisecting: 495 revisions left to test after this (roughly 9 steps)
[feb4750ef9b8cb26c8ae5933479cad9f16451f6a] Drivers: hv: vmbus: Increase wait time for VMbus unload
testing commit feb4750ef9b8cb26c8ae5933479cad9f16451f6a with gcc (GCC) 8.4.1 20210217
kernel signature: 7326942715789fe3fe694f2f587d6a0e6b8329e82041a73f76aeb006837ce5a7
all runs: crashed: KASAN: global-out-of-bounds Read in bit_putcs
# git bisect good feb4750ef9b8cb26c8ae5933479cad9f16451f6a
Bisecting: 247 revisions left to test after this (roughly 8 steps)
[fd8f21c9d234111e1d73903e74672df8862d8c3a] video: hgafb: fix potential NULL pointer dereference
testing commit fd8f21c9d234111e1d73903e74672df8862d8c3a with gcc (GCC) 8.4.1 20210217
kernel signature: e901157445a62cb79f157ea0673c38f325b1a1f0df6b51310d87a88e38528e82
all runs: crashed: KASAN: global-out-of-bounds Read in bit_putcs
# git bisect good fd8f21c9d234111e1d73903e74672df8862d8c3a
Bisecting: 123 revisions left to test after this (roughly 7 steps)
[3f9186ee7a306d7f974e759b084245155e5e709a] ALSA: usb: update old-style static const declaration
testing commit 3f9186ee7a306d7f974e759b084245155e5e709a with gcc (GCC) 8.4.1 20210217
kernel signature: 8186e177535782000cc2cd1ff22a75eee71165d1ce4858d649d7f15b00ca463a
all runs: OK
# git bisect bad 3f9186ee7a306d7f974e759b084245155e5e709a
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[963e62364c8028090b64818ac455fbe40a52579e] bpf: Wrap aux data inside bpf_sanitize_info container
testing commit 963e62364c8028090b64818ac455fbe40a52579e with gcc (GCC) 8.4.1 20210217
kernel signature: ad2d68137f24c7f18b41ebaa85c8265b4f7f99f285043acaa6b8f84354080896
all runs: OK
# git bisect bad 963e62364c8028090b64818ac455fbe40a52579e
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[73d4262de798478a1fc5055fe6f58b507a8315bf] thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue
testing commit 73d4262de798478a1fc5055fe6f58b507a8315bf with gcc (GCC) 8.4.1 20210217
kernel signature: 3337867ecfd698dca263c5018f78caf13aa7dcdd032698c68c5522f348cd2f92
all runs: OK
# git bisect bad 73d4262de798478a1fc5055fe6f58b507a8315bf
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[582a9b9813ecc89a3b5944ea412f383d02904c50] proc: Check /proc/$pid/attr/ writes against file opener
testing commit 582a9b9813ecc89a3b5944ea412f383d02904c50 with gcc (GCC) 8.4.1 20210217
kernel signature: e61f9c051cb83d75c5349ce7991672cf3a9160b959f2a5fece1300d99e09714b
all runs: OK
# git bisect bad 582a9b9813ecc89a3b5944ea412f383d02904c50
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[b8a9a6df60319813ccbdc3e613792c211b7d511e] mm, vmstat: drop zone->lock in /proc/pagetypeinfo
testing commit b8a9a6df60319813ccbdc3e613792c211b7d511e with gcc (GCC) 8.4.1 20210217
kernel signature: 7ba6a7a822a358568cfe0fcf45a72c78aa05465709c04d534ce2b07a34bd7f6f
all runs: OK
# git bisect bad b8a9a6df60319813ccbdc3e613792c211b7d511e
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[17d6c58c5fc522561daa4d3fb270edba933ac0a6] tty: vt: always invoke vc->vc_sw->con_resize callback
testing commit 17d6c58c5fc522561daa4d3fb270edba933ac0a6 with gcc (GCC) 8.4.1 20210217
kernel signature: 733ed05ec8c7d3ed4896a13746e393e14b99012c7afaa1f1c939bdcc2975862f
all runs: OK
# git bisect bad 17d6c58c5fc522561daa4d3fb270edba933ac0a6
Bisecting: 0 revisions left to test after this (roughly 1 step)
[8c5ec4a731e1e2d9b6906bcde62de57a609a9b86] vt: Fix character height handling with VT_RESIZEX
testing commit 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86 with gcc (GCC) 8.4.1 20210217
kernel signature: 6093052f97dfc6b99dc2544c492a5b4ec71e40f59684e019e5edccf209008487
all runs: OK
# git bisect bad 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9a71ed8da907c36de4e96a8d78216231c0fe8df5] vgacon: Record video mode changes with VT_RESIZEX
testing commit 9a71ed8da907c36de4e96a8d78216231c0fe8df5 with gcc (GCC) 8.4.1 20210217
kernel signature: eb9e342d2b54e24c6c6d8921f1f1013641c6c9f61edfac79ba7a810f09a12b71
all runs: crashed: KASAN: global-out-of-bounds Read in bit_putcs
# git bisect good 9a71ed8da907c36de4e96a8d78216231c0fe8df5
8c5ec4a731e1e2d9b6906bcde62de57a609a9b86 is the first bad commit
commit 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86
Author: Maciej W. Rozycki
Date:   Thu May 13 11:51:50 2021 +0200

    vt: Fix character height handling with VT_RESIZEX

    commit 860dafa902595fb5f1d23bbcce1215188c3341e6 upstream.

    Restore the original intent of the VT_RESIZEX ioctl's `v_clin' parameter
    which is the number of pixel rows per character (cell) rather than the
    height of the font used. For framebuffer devices the two values are
    always the same, because the former is inferred from the latter one.

    For VGA used as a true text mode device these two parameters are
    independent from each other: the number of pixel rows per character is
    set in the CRT controller, while font height is in fact hardwired to 32
    pixel rows and fonts of heights below that value are handled by padding
    their data with blanks when loaded to hardware for use by the character
    generator. One can change the setting in the CRT controller and it will
    update the screen contents accordingly regardless of the font loaded.

    The `v_clin' parameter is used by the `vgacon' driver to set the height
    of the character cell and then the cursor position within.

    Make the parameter explicit then, by defining a new `vc_cell_height'
    struct member of `vc_data', set it instead of `vc_font.height' from
    `v_clin' in the VT_RESIZEX ioctl, and then use it throughout the `vgacon'
    driver except where actual font data is accessed which as noted above is
    independent from the CRTC setting.

    This way the framebuffer console driver is free to ignore the `v_clin'
    parameter as irrelevant, as it always should have, avoiding any issues
    attempts to give the parameter a meaning there could have caused, such
    as one that has led to commit 988d0763361b ("vt_ioctl: make VT_RESIZEX
    behave like VT_RESIZE"):

    "syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2],
    for vt_resizex() from ioctl(VT_RESIZEX) allows setting font height
    larger than actual font height calculated by con_font_set() from
    ioctl(PIO_FONT). Since fbcon_set_font() from con_font_set() allocates
    minimal amount of memory based on actual font height calculated by
    con_font_set(), use of vt_resizex() can cause UAF/OOB read for font
    data."

    The problem first appeared around Linux 2.5.66 which predates our repo
    history, but the origin could be identified with the old MIPS/Linux repo
    also at: as commit 9736a3546de7 ("Merge with Linux 2.5.66."), where
    VT_RESIZEX code in `vt_ioctl' was updated as follows:

    	if (clin)
    -		video_font_height = clin;
    +		vc->vc_font.height = clin;

    making the parameter apply to framebuffer devices as well, perhaps due to
    the use of "font" in the name of the original `video_font_height'
    variable. Use "cell" in the new struct member then to avoid ambiguity.

    References:

    [1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837
    [2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3

    Signed-off-by: Maciej W. Rozycki
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: stable@vger.kernel.org # v2.6.12+
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt_ioctl.c      |  6 +++---
 drivers/video/console/vgacon.c | 44 +++++++++++++++++++++---------------------
 include/linux/console_struct.h |  1 +
 3 files changed, 26 insertions(+), 25 deletions(-)

culprit signature: 6093052f97dfc6b99dc2544c492a5b4ec71e40f59684e019e5edccf209008487
parent signature: eb9e342d2b54e24c6c6d8921f1f1013641c6c9f61edfac79ba7a810f09a12b71
revisions tested: 13, total time: 3h34m21.773543185s (build: 1h47m4.053775049s, test: 1h46m19.525317176s)
first good commit: 8c5ec4a731e1e2d9b6906bcde62de57a609a9b86 vt: Fix character height handling with VT_RESIZEX
recipients (to): ["gregkh@linuxfoundation.org" "macro@orcam.me.uk" "torvalds@linux-foundation.org"]
recipients (cc): []