bisecting fixing commit since fb683b5e3f53a73e761952735736180939a313df
building syzkaller on 4b83c8fbed7b9cea831be880ec8aa1098b465f25
testing commit fb683b5e3f53a73e761952735736180939a313df with gcc (GCC) 8.1.0
kernel signature: 5c45f4027538d70e21d0c6dea8974054fb6d6c4191bb7d7b3b680fd4e5e8597c
all runs: crashed: KASAN: user-memory-access Read in insert_char
testing current HEAD 961f830af0658ef5ef8a7708786d634a6115f16b
testing commit 961f830af0658ef5ef8a7708786d634a6115f16b with gcc (GCC) 8.1.0
kernel signature: 275f7a01b831d3f4e8360c00580a27365a18ae37317f6eb2633a2ed32d60fdce
all runs: OK
# git bisect start 961f830af0658ef5ef8a7708786d634a6115f16b fb683b5e3f53a73e761952735736180939a313df
Bisecting: 2529 revisions left to test after this (roughly 11 steps)
[267e902d6c9ef88af4d0ba452d02d18297f06204] jbd2: make sure ESHUTDOWN to be recorded in the journal superblock
testing commit 267e902d6c9ef88af4d0ba452d02d18297f06204 with gcc (GCC) 8.1.0
kernel signature: 364bd5f47189da626da0b891e4fbf517fa4600671ab9060ae0a6e8162547d7c6
all runs: crashed: KASAN: user-memory-access Read in insert_char
# git bisect good 267e902d6c9ef88af4d0ba452d02d18297f06204
Bisecting: 1264 revisions left to test after this (roughly 10 steps)
[d2413ec1f789f6e21134ff895cd47b5b82613b99] netfilter: conntrack: avoid gcc-10 zero-length-bounds warning
testing commit d2413ec1f789f6e21134ff895cd47b5b82613b99 with gcc (GCC) 8.1.0
kernel signature: f73229d49f2052d5958d45d89d6a625d1acc127d836ddb77b1ead7272340cda7
all runs: crashed: KASAN: user-memory-access Read in insert_char
# git bisect good d2413ec1f789f6e21134ff895cd47b5b82613b99
Bisecting: 632 revisions left to test after this (roughly 9 steps)
[0a562db7c43f64a0f2a8dd2983b87871dba37f95] scsi: target: tcmu: Userspace must not complete queued commands
testing commit 0a562db7c43f64a0f2a8dd2983b87871dba37f95 with gcc (GCC) 8.1.0
kernel signature: ec8a382042579b01eb34c3317b082d0a8b9f924aa8ebf29ab932bac21ba7d9ef
all runs: crashed: KASAN: user-memory-access Read in insert_char
# git bisect good 0a562db7c43f64a0f2a8dd2983b87871dba37f95
Bisecting: 316 revisions left to test after this (roughly 8 steps)
[27ce7d1ceb435ab84407fc7c52906a8b2df4e622] KVM: arm64: Fix definition of PAGE_HYP_DEVICE
testing commit 27ce7d1ceb435ab84407fc7c52906a8b2df4e622 with gcc (GCC) 8.1.0
kernel signature: 111f260fa4239affe531e48d5d98496edecc8df274a5d7f1ee33eb3482932fa6
all runs: crashed: KASAN: user-memory-access Read in insert_char
# git bisect good 27ce7d1ceb435ab84407fc7c52906a8b2df4e622
Bisecting: 158 revisions left to test after this (roughly 7 steps)
[8fba1b38af76dec291d1519055d1efe14bc095d3] scsi: scsi_transport_spi: Fix function pointer check
testing commit 8fba1b38af76dec291d1519055d1efe14bc095d3 with gcc (GCC) 8.1.0
kernel signature: 5e91214cf2f4d0d46708871ac1fdd6764bca5c2d46331664b16189864c9447ee
all runs: crashed: KASAN: user-memory-access Read in insert_char
# git bisect good 8fba1b38af76dec291d1519055d1efe14bc095d3
Bisecting: 79 revisions left to test after this (roughly 6 steps)
[654ae85f1e1823688cda33cba130220d52a57989] ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
testing commit 654ae85f1e1823688cda33cba130220d52a57989 with gcc (GCC) 8.1.0
kernel signature: 14110690108b8b57060bdfb16ecd2d85278357fdb8b2dba9bc55b1d90a808de0
all runs: OK
# git bisect bad 654ae85f1e1823688cda33cba130220d52a57989
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[77e1ed91b139c5578bdb6f7ef2297f87c3d42558] HID: steam: fixes race in handling device list.
testing commit 77e1ed91b139c5578bdb6f7ef2297f87c3d42558 with gcc (GCC) 8.1.0
kernel signature: 8d274e467d088b45eed21fb56480844c5209c3cd7112bb047818f46dbc9c239a
all runs: crashed: KASAN: user-memory-access Read in insert_char
# git bisect good 77e1ed91b139c5578bdb6f7ef2297f87c3d42558
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[97ab1fd6d47f2f3c66b4f8e221e440fdd348cb14] staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
testing commit 97ab1fd6d47f2f3c66b4f8e221e440fdd348cb14 with gcc (GCC) 8.1.0
kernel signature: 87f41525b8f34cdca9ee39e87e52e1dd2daf13d3d59cdf9d170a8429f8ec4fdf
all runs: crashed: KASAN: user-memory-access Read in insert_char
# git bisect good 97ab1fd6d47f2f3c66b4f8e221e440fdd348cb14
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[763b04c6b26bc12c2df36390210e5377b241a8a8] mm: memcg/slab: synchronize access to kmem_cache dying flag using a spinlock
testing commit 763b04c6b26bc12c2df36390210e5377b241a8a8 with gcc (GCC) 8.1.0
kernel signature: 119741b335fe24e88cd87e1804986a2ca68f8b987a72a5fd39479230c19aa028
all runs: OK
# git bisect bad 763b04c6b26bc12c2df36390210e5377b241a8a8
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8] serial: 8250_mtk: Fix high-speed baud rates clamping
testing commit 5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8 with gcc (GCC) 8.1.0
kernel signature: ad64627d997114972707a1eecc9d8a30894e7dd768ab53f096388bc91b05c914
all runs: crashed: KASAN: user-memory-access Read in insert_char
# git bisect good 5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8
Bisecting: 2 revisions left to test after this (roughly 1 step)
[74752b81eae8ae64e97de222320026367e92c4b5] vt: Reject zero-sized screen buffer size.
testing commit 74752b81eae8ae64e97de222320026367e92c4b5 with gcc (GCC) 8.1.0
kernel signature: 6d55f34cc0e7931c1444a13f193f0470ac13c08c49f5961a1d67a1ace1810f48
all runs: OK
# git bisect bad 74752b81eae8ae64e97de222320026367e92c4b5
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[dd58bd1b95b7127bb975942e14c4a9bd878c28db] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit dd58bd1b95b7127bb975942e14c4a9bd878c28db with gcc (GCC) 8.1.0
kernel signature: b3029792664ac7075fa6b13dbc7c2641a3a196c393399bd93b95eba723200979
all runs: crashed: KASAN: user-memory-access Read in insert_char
# git bisect good dd58bd1b95b7127bb975942e14c4a9bd878c28db
74752b81eae8ae64e97de222320026367e92c4b5 is the first bad commit
commit 74752b81eae8ae64e97de222320026367e92c4b5
Author: Tetsuo Handa
Date:   Sun Jul 12 20:10:12 2020 +0900

    vt: Reject zero-sized screen buffer size.

    commit ce684552a266cb1c7cc2f7e623f38567adec6653 upstream.

    syzbot is reporting general protection fault in do_con_write() [1] caused
    by vc->vc_screenbuf == ZERO_SIZE_PTR caused by vc->vc_screenbuf_size == 0
    caused by vc->vc_cols == vc->vc_rows == vc->vc_size_row == 0 caused by
    fb_set_var() from ioctl(FBIOPUT_VSCREENINFO) on /dev/fb0 , for
    gotoxy(vc, 0, 0) from reset_terminal() from vc_init() from vc_allocate()
    from con_install() from tty_init_dev() from tty_open() on such console
    causes vc->vc_pos == 0x10000000e due to
    ((unsigned long) ZERO_SIZE_PTR) + -1U * 0 + (-1U << 1).

    I don't think that a console with 0 column or 0 row makes sense. And it
    seems that vc_do_resize() does not intend to allow resizing a console to
    0 column or 0 row due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception.

    Theoretically, cols and rows can be any range as long as
    0 < cols * rows * 2 <= KMALLOC_MAX_SIZE is satisfied (e.g.
    cols == 1048576 && rows == 2 is possible) because of

      vc->vc_size_row = vc->vc_cols << 1;
      vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;

    in visual_init() and

      kzalloc(vc->vc_screenbuf_size)

    in vc_allocate(). Since we can detect cols == 0 or rows == 0 via
    screenbuf_size = 0 in visual_init(), we can reject kzalloc(0).
    Then, vc_allocate() will return an error, and con_write() will not be
    called on a console with 0 column or 0 row.

    We need to make sure that integer overflow in visual_init() won't happen.
    Since vc_do_resize() restricts cols <= 32767 and rows <= 32767, applying
    1 <= cols <= 32767 and 1 <= rows <= 32767 restrictions to vc_allocate()
    will be practically fine.

    This patch does not touch con_init(), for returning -EINVAL there
    does not help when we are not returning -ENOMEM.

    [1] https://syzkaller.appspot.com/bug?extid=017265e8553724e514e8

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Cc: stable
    Link: https://lore.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

culprit signature: 6d55f34cc0e7931c1444a13f193f0470ac13c08c49f5961a1d67a1ace1810f48
parent signature: b3029792664ac7075fa6b13dbc7c2641a3a196c393399bd93b95eba723200979
revisions tested: 14, total time: 3h28m52.070342206s (build: 2h16m59.399267201s, test: 1h9m33.200218566s)
first good commit: 74752b81eae8ae64e97de222320026367e92c4b5 vt: Reject zero-sized screen buffer size.
recipients (to): ["gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+017265e8553724e514e8@syzkaller.appspotmail.com"]
recipients (cc): []