ci starts bisection 2023-01-26 13:30:00.833614378 +0000 UTC m=+325114.779676425
bisecting fixing commit since f1583cb1be35c23df60b1c39e3e7e6704d749d0b
building syzkaller on d236a457274375e5273ac4e958722659929c469f
ensuring issue is reproducible on original commit f1583cb1be35c23df60b1c39e3e7e6704d749d0b
testing commit f1583cb1be35c23df60b1c39e3e7e6704d749d0b gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6993423e1ee8ac70b0db652da2b8f196ac26a6bc39f8277d76bd42f9711a6877
all runs: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
testing current HEAD 7c46948a6e9cf47ed03b0d489fde894ad46f1437
testing commit 7c46948a6e9cf47ed03b0d489fde894ad46f1437 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ec48f10c5865625c65f7d077ecef19aebd919318f4998b8cda2e006e9f70b706
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect start 7c46948a6e9cf47ed03b0d489fde894ad46f1437 f1583cb1be35c23df60b1c39e3e7e6704d749d0b
Bisecting: 57089 revisions left to test after this (roughly 16 steps)
[2518f226c60d8e04d18ba4295500a5b0b8ac7659] Merge tag 'drm-next-2022-05-25' of git://anongit.freedesktop.org/drm/drm
testing commit 2518f226c60d8e04d18ba4295500a5b0b8ac7659 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3d7fa144695c692e10a47d20fa86e06b4149f10de5e4ddbd54fc16186ba883b9
run #0: crashed: INFO: rcu detected stall in corrupted
run #1: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #2: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #3: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #4: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #5: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #6: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #7: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #8: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #9: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
# git bisect good 2518f226c60d8e04d18ba4295500a5b0b8ac7659
Bisecting: 28314 revisions left to test after this (roughly 15 steps)
[0326074ff4652329f2a1a9c8685104576bd8d131] Merge tag 'net-next-6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 0326074ff4652329f2a1a9c8685104576bd8d131 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0abc55b9a8fb95de9e2c7499a55221fe8fe53a4d6fdc91bf48a05e86ac36a10a
all runs: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
# git bisect good 0326074ff4652329f2a1a9c8685104576bd8d131
Bisecting: 14154 revisions left to test after this (roughly 14 steps)
[043cd1e204a02735228a4bcc1ef094b347b360bf] Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/next-queue
testing commit 043cd1e204a02735228a4bcc1ef094b347b360bf gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2a0e92c77726849804550b2109e9a85709cebfe284792b6914bcb3b523e6b067
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF
run #1: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #2: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #3: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #4: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #5: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #6: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #7: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #8: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
run #9: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
# git bisect good 043cd1e204a02735228a4bcc1ef094b347b360bf
Bisecting: 7103 revisions left to test after this (roughly 13 steps)
[71946a25f357a51dcce849367501d7fb04c0465b] Merge tag 'mmc-v6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
testing commit 71946a25f357a51dcce849367501d7fb04c0465b gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6315cc045432dd18fda15524236e3061d488003ec7e5f1819a0f7229fa32c11d
all runs: OK
# git bisect bad 71946a25f357a51dcce849367501d7fb04c0465b
Bisecting: 3399 revisions left to test after this (roughly 12 steps)
[ce8a79d5601aab94c02ed4539c48e8605422ac94] Merge tag 'for-6.2/block-2022-12-08' of git://git.kernel.dk/linux
testing commit ce8a79d5601aab94c02ed4539c48e8605422ac94 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: aae153653b3e35e2ad080fec89ce0ad23a655e76dd4cbb1159220009cc7593a6
all runs: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
# git bisect good ce8a79d5601aab94c02ed4539c48e8605422ac94
Bisecting: 1965 revisions left to test after this (roughly 11 steps)
[66efff515a6500d4b4976fbab3bee8b92a1137fb] Merge tag 'amd-drm-next-6.2-2022-12-07' of https://gitlab.freedesktop.org/agd5f/linux into drm-next
testing commit 66efff515a6500d4b4976fbab3bee8b92a1137fb gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e749875200a72833494d0aad8a35025bd050e46ad79860fa866ec248055e41ae
all runs: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
# git bisect good 66efff515a6500d4b4976fbab3bee8b92a1137fb
Bisecting: 904 revisions left to test after this (roughly 10 steps)
[cdb9d3537711939e4d8fd0de2889c966f88346eb] Merge tag 'media/v6.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit cdb9d3537711939e4d8fd0de2889c966f88346eb gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9226da9f7cd67e161b0392b84a5a2925b8bd0c850eaac6774493f3f8a4cd0f99
all runs: OK
# git bisect bad cdb9d3537711939e4d8fd0de2889c966f88346eb
Bisecting: 539 revisions left to test after this (roughly 9 steps)
[a14e84dbce2eeebde5e9aacd8bb49e85c1e1a067] media: s5c73m3: Switch to GPIO descriptors
testing commit a14e84dbce2eeebde5e9aacd8bb49e85c1e1a067 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 44be3b4462fcd21f60ff8c29f66943e1fb77920deecf8eb218c4ca505b6c7f3f
all runs: boot failed: WARNING: refcount bug in dvb_register_device
# git bisect skip a14e84dbce2eeebde5e9aacd8bb49e85c1e1a067
Bisecting: 539 revisions left to test after this (roughly 9 steps)
[86ff588c9ea47b92bfa99d6d1e466b2573baf51c] media: microchip: microchip-isc: implement media controller
testing commit 86ff588c9ea47b92bfa99d6d1e466b2573baf51c gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ae4894b7ed64bc215406ce0929f13b2ec1153f1fd9cec622cd945caadf55b4ae
all runs: OK
# git bisect bad 86ff588c9ea47b92bfa99d6d1e466b2573baf51c
Bisecting: 60 revisions left to test after this (roughly 6 steps)
[1e284ea984d3705e042b6b07469a66f1d43371e3] Merge git://linuxtv.org/sailus/media_tree into media_stage
testing commit 1e284ea984d3705e042b6b07469a66f1d43371e3 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 862d366dfbb8853d1b540a40f6bc5a24779ca31959338b0a7978eb0910390af2
all runs: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
# git bisect good 1e284ea984d3705e042b6b07469a66f1d43371e3
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[d668c0a73e2c1a39ee7046d4e0f49b9f805f804f] media: davinci/vpbe: Fix a typo ("defualt_mode")
testing commit d668c0a73e2c1a39ee7046d4e0f49b9f805f804f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ea6f336798ac5efd8f87221930ae574b5222d6a3d29ef6267fd120ee9ffa61c6
all runs: OK
# git bisect bad d668c0a73e2c1a39ee7046d4e0f49b9f805f804f
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[10b5ce6743c839fa75336042c64e2479caec9430] staging: media: tegra-video: fix chan->mipi value on error
testing commit 10b5ce6743c839fa75336042c64e2479caec9430 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0564a2e305e9c1579cc2721f8b6c2deca3012dbbabfdf500a6348db1a25fdc47
all runs: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
# git bisect good 10b5ce6743c839fa75336042c64e2479caec9430
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[00c47aa85bb26450edc6059c3d245de062e60b5d] media: rkvdec: Add required padding
testing commit 00c47aa85bb26450edc6059c3d245de062e60b5d gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 15a888b73971d743ccfe558ca5deb42d74273a3573c11c9d51123d218727b43a
all runs: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
# git bisect good 00c47aa85bb26450edc6059c3d245de062e60b5d
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[9bf961085b3918773ae6b06680bb3d49bbf2c9f3] media: dvb-core: remove variable n, turn for-loop to while-loop
testing commit 9bf961085b3918773ae6b06680bb3d49bbf2c9f3 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: defd4cf8436719e02929f1838c3f3f007f3d11172d418eb5fb85585b62c7c4a0
all runs: OK
# git bisect bad 9bf961085b3918773ae6b06680bb3d49bbf2c9f3
Bisecting: 1 revision left to test after this (roughly 1 step)
[a3fb9657df6f1ec4a45b1ff5b1e11e5674d4b11e] media: rkisp1: make const arrays ae_wnd_num and hist_wnd_num static
testing commit a3fb9657df6f1ec4a45b1ff5b1e11e5674d4b11e gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 56d0bd0091442197ae28fcede4104a69241ed4f0f879186e039909ffa92a032d
all runs: crashed: KASAN: vmalloc-out-of-bounds Write in tpg_fill_plane_buffer
# git bisect good a3fb9657df6f1ec4a45b1ff5b1e11e5674d4b11e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[94a7ad9283464b75b12516c5512541d467cefcf8] media: vivid: fix compose size exceed boundary
testing commit 94a7ad9283464b75b12516c5512541d467cefcf8 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 8171cae4f74fedce3d8915a2a4f9e5315d75351311f7a84c56d5efa90a0867d1
all runs: OK
# git bisect bad 94a7ad9283464b75b12516c5512541d467cefcf8
94a7ad9283464b75b12516c5512541d467cefcf8 is the first bad commit
commit 94a7ad9283464b75b12516c5512541d467cefcf8
Author: Liu Shixin
Date: Thu Oct 27 20:38:55 2022 +0800

    media: vivid: fix compose size exceed boundary

    syzkaller found a bug:

     BUG: unable to handle page fault for address: ffffc9000a3b1000
     #PF: supervisor write access in kernel mode
     #PF: error_code(0x0002) - not-present page
     PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0
     Oops: 0002 [#1] PREEMPT SMP
     CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
     RIP: 0010:memcpy_erms+0x6/0x10
    [...]
     Call Trace:
      ? tpg_fill_plane_buffer+0x856/0x15b0
      vivid_fillbuff+0x8ac/0x1110
      vivid_thread_vid_cap_tick+0x361/0xc90
      vivid_thread_vid_cap+0x21a/0x3a0
      kthread+0x143/0x180
      ret_from_fork+0x1f/0x30

    This is because we forget to check boundary after adjust compose->height
    int V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem
    for this case.

    Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts")
    Signed-off-by: Liu Shixin
    Signed-off-by: Hans Verkuil

 drivers/media/test-drivers/vivid/vivid-vid-cap.c | 1 +
 1 file changed, 1 insertion(+)
culprit signature: 8171cae4f74fedce3d8915a2a4f9e5315d75351311f7a84c56d5efa90a0867d1
parent signature: 56d0bd0091442197ae28fcede4104a69241ed4f0f879186e039909ffa92a032d
revisions tested: 18, total time: 5h3m17.694064749s (build: 2h49m6.81098847s, test: 2h9m52.261479533s)
first good commit: 94a7ad9283464b75b12516c5512541d467cefcf8 media: vivid: fix compose size exceed boundary
recipients (to): ["hverkuil-cisco@xs4all.nl" "hverkuil@xs4all.nl" "linux-media@vger.kernel.org" "liushixin2@huawei.com"]
recipients (cc): ["linux-kernel@vger.kernel.org" "mchehab@kernel.org"]