bisecting fixing commit since db5b9190ff8202b609fe802ccde41cb28669389f
building syzkaller on f9b6950728295eb8f52b05a0d9e5dccd99f93eaa
testing commit db5b9190ff8202b609fe802ccde41cb28669389f with gcc (GCC) 8.1.0
kernel signature: b96d48de08c4c938409616473ce6bdbabee5e335fd258717f98788785f3133d1
all runs: crashed: BUG: unable to handle kernel paging request in csi_J
testing current HEAD 13af6c74b14a883366e7702c40c52ff548096e7f
testing commit 13af6c74b14a883366e7702c40c52ff548096e7f with gcc (GCC) 8.1.0
kernel signature: 4fe64d47387291c5c39fd81a597bbc844a9d5ccaa35d77630b6924256928cade
all runs: OK
# git bisect start 13af6c74b14a883366e7702c40c52ff548096e7f db5b9190ff8202b609fe802ccde41cb28669389f
Bisecting: 1980 revisions left to test after this (roughly 11 steps)
[e6d506cd2243aa8f6e19fdb4dc61d85275c2c918] futex: Fix inode life-time issue
testing commit e6d506cd2243aa8f6e19fdb4dc61d85275c2c918 with gcc (GCC) 8.1.0
kernel signature: 5032df695cece513a2541457c243cac51fcc4fb5bff7c678207a9dc5a01b63be
all runs: crashed: BUG: unable to handle kernel paging request in csi_J
# git bisect good e6d506cd2243aa8f6e19fdb4dc61d85275c2c918
Bisecting: 990 revisions left to test after this (roughly 10 steps)
[8efa59fc90a590edd772583f9a0d9c780686ecb1] netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build
testing commit 8efa59fc90a590edd772583f9a0d9c780686ecb1 with gcc (GCC) 8.1.0
kernel signature: fc81773bf43abb9edeccd4ebf003c63ed35c7ef981303227d006cf81674ad95a
all runs: crashed: BUG: unable to handle kernel paging request in csi_J
# git bisect good 8efa59fc90a590edd772583f9a0d9c780686ecb1
Bisecting: 495 revisions left to test after this (roughly 9 steps)
[ed7db9838fe92127c59ba64bb55bb637e6fc029f] drm/qxl: Use correct notify port address when creating cursor ring
testing commit ed7db9838fe92127c59ba64bb55bb637e6fc029f with gcc (GCC) 8.1.0
kernel signature: 609f13edbf6f07a89617cfa202b6b5f4afa5efa2c8512396c5d5ef4dee03c5f5
all runs: crashed: BUG: unable to handle kernel paging request in csi_J
# git bisect good ed7db9838fe92127c59ba64bb55bb637e6fc029f
Bisecting: 247 revisions left to test after this (roughly 8 steps)
[bff4fad828795d3285697742181b05448ec0b08d] kprobes: Do not expose probe addresses to non-CAP_SYSLOG
testing commit bff4fad828795d3285697742181b05448ec0b08d with gcc (GCC) 8.1.0
kernel signature: 99e06d92da0bde9d10880aa48118bd52485cfb4e181a5e073b4e63e9d1db64a1
all runs: crashed: BUG: unable to handle kernel paging request in csi_J
# git bisect good bff4fad828795d3285697742181b05448ec0b08d
Bisecting: 123 revisions left to test after this (roughly 7 steps)
[daddb90d47cf323c06957f7d70e9e5b159adb9d8] hwmon: (emc2103) fix unable to change fan pwm1_enable attribute
testing commit daddb90d47cf323c06957f7d70e9e5b159adb9d8 with gcc (GCC) 8.1.0
kernel signature: 790189db8a91005376c778c8842674eedad39a9dad7ac7a72d97c626c211e359
all runs: crashed: BUG: unable to handle kernel paging request in csi_J
# git bisect good daddb90d47cf323c06957f7d70e9e5b159adb9d8
Bisecting: 61 revisions left to test after this (roughly 6 steps)
[3384b7b0b47c3b5fca770bba16ae36e2ac694e48] HID: i2c-hid: add Mediacom FlexBook edge13 to descriptor override
testing commit 3384b7b0b47c3b5fca770bba16ae36e2ac694e48 with gcc (GCC) 8.1.0
kernel signature: 7cc976cd20c2fa972b81ef4faa641c6c1b4c1806db8c0861daffac2a0d8061dc
all runs: crashed: BUG: unable to handle kernel paging request in csi_J
# git bisect good 3384b7b0b47c3b5fca770bba16ae36e2ac694e48
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[91404e91eb85fdb8b6d5d6c01a53cbc63b057e10] mm/memcg: fix refcount error while moving and swapping
testing commit 91404e91eb85fdb8b6d5d6c01a53cbc63b057e10 with gcc (GCC) 8.1.0
kernel signature: 08b33494ff27dd6b713fede0ee8fbea7b7ae2f4b22e96731418d7acc1647013a
all runs: OK
# git bisect bad 91404e91eb85fdb8b6d5d6c01a53cbc63b057e10
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[57880846a2860f8edf2d5fd8051055b76ee78149] x86: math-emu: Fix up 'cmp' insn for clang ias
testing commit 57880846a2860f8edf2d5fd8051055b76ee78149 with gcc (GCC) 8.1.0
kernel signature: 08524082fc5a6b374767ebbabdc99a919e18b03373fe9de89dcd9671f44a988b
all runs: crashed: BUG: unable to handle kernel paging request in csi_J
# git bisect good 57880846a2860f8edf2d5fd8051055b76ee78149
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[8f6e8ce1dbb240314b56a9cd57c2a6249ce9522e] staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support
testing commit 8f6e8ce1dbb240314b56a9cd57c2a6249ce9522e with gcc (GCC) 8.1.0
kernel signature: 99fe50f5b235d9546b578c0da382c5fd7b448ce8ec01282e8ab1a7227dd81f55
all runs: crashed: BUG: unable to handle kernel paging request in csi_J
# git bisect good 8f6e8ce1dbb240314b56a9cd57c2a6249ce9522e
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8] serial: 8250_mtk: Fix high-speed baud rates clamping
testing commit 5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8 with gcc (GCC) 8.1.0
kernel signature: 59224d2dcca1a28d2ac6e83ae312fc8f75d0d1a405626ffd3f59cefcfec1b383
all runs: crashed: BUG: unable to handle kernel paging request in csi_J
# git bisect good 5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8
Bisecting: 1 revision left to test after this (roughly 1 step)
[74752b81eae8ae64e97de222320026367e92c4b5] vt: Reject zero-sized screen buffer size.
testing commit 74752b81eae8ae64e97de222320026367e92c4b5 with gcc (GCC) 8.1.0
kernel signature: 7341c4280fd5365ca09e853976723f543d30e87de9a6335bf2a2e10dd6a79640
all runs: OK
# git bisect bad 74752b81eae8ae64e97de222320026367e92c4b5
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[dd58bd1b95b7127bb975942e14c4a9bd878c28db] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit dd58bd1b95b7127bb975942e14c4a9bd878c28db with gcc (GCC) 8.1.0
kernel signature: 04494da0cd682d77c93276cebccd3b080df67d6fea898227301f2f973b471ad7
all runs: crashed: BUG: unable to handle kernel paging request in csi_J
# git bisect good dd58bd1b95b7127bb975942e14c4a9bd878c28db
74752b81eae8ae64e97de222320026367e92c4b5 is the first bad commit
commit 74752b81eae8ae64e97de222320026367e92c4b5
Author: Tetsuo Handa
Date:   Sun Jul 12 20:10:12 2020 +0900

    vt: Reject zero-sized screen buffer size.

    commit ce684552a266cb1c7cc2f7e623f38567adec6653 upstream.

    syzbot is reporting general protection fault in do_con_write() [1] caused by
    vc->vc_screenbuf == ZERO_SIZE_PTR caused by vc->vc_screenbuf_size == 0
    caused by vc->vc_cols == vc->vc_rows == vc->vc_size_row == 0 caused by
    fb_set_var() from ioctl(FBIOPUT_VSCREENINFO) on /dev/fb0 , for gotoxy(vc, 0, 0)
    from reset_terminal() from vc_init() from vc_allocate() from con_install() from
    tty_init_dev() from tty_open() on such console causes vc->vc_pos == 0x10000000e
    due to ((unsigned long) ZERO_SIZE_PTR) + -1U * 0 + (-1U << 1).

    I don't think that a console with 0 column or 0 row makes sense. And it seems
    that vc_do_resize() does not intend to allow resizing a console to 0 column or
    0 row due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception.

    Theoretically, cols and rows can be any range as long as
    0 < cols * rows * 2 <= KMALLOC_MAX_SIZE is satisfied (e.g. cols == 1048576 &&
    rows == 2 is possible) because of

      vc->vc_size_row = vc->vc_cols << 1;
      vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;

    in visual_init() and

      kzalloc(vc->vc_screenbuf_size)

    in vc_allocate(). Since we can detect cols == 0 or rows == 0 via
    screenbuf_size = 0 in visual_init(), we can reject kzalloc(0). Then,
    vc_allocate() will return an error, and con_write() will not be called on a
    console with 0 column or 0 row.

    We need to make sure that integer overflow in visual_init() won't happen.
    Since vc_do_resize() restricts cols <= 32767 and rows <= 32767, applying
    1 <= cols <= 32767 and 1 <= rows <= 32767 restrictions to vc_allocate() will be
    practically fine.

    This patch does not touch con_init(), for returning -EINVAL there
    does not help when we are not returning -ENOMEM.

    [1] https://syzkaller.appspot.com/bug?extid=017265e8553724e514e8

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Cc: stable
    Link: https://lore.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

culprit signature: 7341c4280fd5365ca09e853976723f543d30e87de9a6335bf2a2e10dd6a79640
parent  signature: 04494da0cd682d77c93276cebccd3b080df67d6fea898227301f2f973b471ad7
revisions tested: 14, total time: 3h19m15.554675968s (build: 2h13m38.157928505s, test: 1h3m26.14480871s)
first good commit: 74752b81eae8ae64e97de222320026367e92c4b5 vt: Reject zero-sized screen buffer size.
cc: ["gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+017265e8553724e514e8@syzkaller.appspotmail.com"]