bisecting fixing commit since 357668399cf70ccdc0ee8967bff3448d0f4f9ae1
building syzkaller on 5d7b90f1af2e3bf33992b75e7fcf0bab6bf49bd6
testing commit 357668399cf70ccdc0ee8967bff3448d0f4f9ae1 with gcc (GCC) 8.1.0
kernel signature: 4ade258e7d8c7d46e9eb9e4327c6fade191946a0b7c794f966ba044854499076
all runs: crashed: KASAN: null-ptr-deref Read in do_con_trol
testing current HEAD c14d30dc9987047b439b03d6e6db7d54d9f7f180
testing commit c14d30dc9987047b439b03d6e6db7d54d9f7f180 with gcc (GCC) 8.1.0
kernel signature: 0be1cfbb03e113ec08e9b3e55ec3fafc3b5c7c0e0d227ddb7ec74c66c3e81dda
all runs: OK
# git bisect start c14d30dc9987047b439b03d6e6db7d54d9f7f180 357668399cf70ccdc0ee8967bff3448d0f4f9ae1
Bisecting: 1414 revisions left to test after this (roughly 11 steps)
[dfc37cb5e7f779cb854893ebfa75bfa1ea2a683f] net: bcmgenet: suppress warnings on failed Rx SKB allocations
testing commit dfc37cb5e7f779cb854893ebfa75bfa1ea2a683f with gcc (GCC) 8.1.0
kernel signature: 412ac93d98cfbd6bac57cb380424afbb10146bc1bf0f56eeabf8ca52ff7da9cd
all runs: crashed: KASAN: null-ptr-deref Read in do_con_trol
# git bisect good dfc37cb5e7f779cb854893ebfa75bfa1ea2a683f
Bisecting: 707 revisions left to test after this (roughly 10 steps)
[cd74de676af119f4110be9f828f22da953dd94b0] drivers: base: Fix NULL pointer exception in __platform_driver_probe() if a driver developer is foolish
testing commit cd74de676af119f4110be9f828f22da953dd94b0 with gcc (GCC) 8.1.0
kernel signature: c092fa3e801cbca3d4091258af782a554f64cb908d02796aac2ad26271f45f8b
all runs: crashed: KASAN: null-ptr-deref Read in do_con_trol
# git bisect good cd74de676af119f4110be9f828f22da953dd94b0
Bisecting: 353 revisions left to test after this (roughly 9 steps)
[8ee0358025644679e532562216bce76935cc0bbb] btrfs: fix fatal extent_buffer readahead vs releasepage race
testing commit 8ee0358025644679e532562216bce76935cc0bbb with gcc (GCC) 8.1.0
kernel signature: 89456e429461c473504ffa87c08566f45b46296935d78803fd8581a0be5ddb6e
all runs: crashed: KASAN: null-ptr-deref Read in do_con_trol
# git bisect good 8ee0358025644679e532562216bce76935cc0bbb
Bisecting: 176 revisions left to test after this (roughly 8 steps)
[535f366f079650db7f2de9e526fa9d82e3c618ac] net: ethernet: ave: Fix error returns in ave_init
testing commit 535f366f079650db7f2de9e526fa9d82e3c618ac with gcc (GCC) 8.1.0
kernel signature: 7f20627bd9e343ee266dbad76256abfff1dee9c875cfd97ef02f24669da0c98b
all runs: crashed: KASAN: null-ptr-deref Read in do_con_trol
# git bisect good 535f366f079650db7f2de9e526fa9d82e3c618ac
Bisecting: 88 revisions left to test after this (roughly 7 steps)
[ab6291837dcd31b595f1a867768cc73661a6da9e] xfs: fix missed wakeup on l_flush_wait
testing commit ab6291837dcd31b595f1a867768cc73661a6da9e with gcc (GCC) 8.1.0
kernel signature: 165502f1496f06ac94077e008085b59428aedb46280c4474a94690ee6d389318
all runs: OK
# git bisect bad ab6291837dcd31b595f1a867768cc73661a6da9e
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[159bcd5488602e893a6f0130140885457485afee] x86, vmlinux.lds: Page-align end of ..page_aligned sections
testing commit 159bcd5488602e893a6f0130140885457485afee with gcc (GCC) 8.1.0
kernel signature: eafad6e7699f22ce28081bd287b1dbbe0275ab7318028c5e1e1f4971aad8fc73
all runs: OK
# git bisect bad 159bcd5488602e893a6f0130140885457485afee
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[77c14a5e4db6d3b09ff665ebae85706317ff8af0] RISC-V: Upgrade smp_mb__after_spinlock() to iorw,iorw
testing commit 77c14a5e4db6d3b09ff665ebae85706317ff8af0 with gcc (GCC) 8.1.0
kernel signature: 16142dddfe4564d644add4f12313cc91963d282134176a1bd6edf5e744db4091
all runs: crashed: KASAN: null-ptr-deref Read in do_con_trol
# git bisect good 77c14a5e4db6d3b09ff665ebae85706317ff8af0
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8] serial: 8250_mtk: Fix high-speed baud rates clamping
testing commit 5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8 with gcc (GCC) 8.1.0
kernel signature: fcd4c587361b7b09ed7c0fd3894b9fdf7eb540f69111f521ec17774d949fb0d6
all runs: crashed: KASAN: null-ptr-deref Read in do_con_trol
# git bisect good 5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[763b04c6b26bc12c2df36390210e5377b241a8a8] mm: memcg/slab: synchronize access to kmem_cache dying flag using a spinlock
testing commit 763b04c6b26bc12c2df36390210e5377b241a8a8 with gcc (GCC) 8.1.0
kernel signature: 6f3c0633ddd02e6e694634bdc2a78c9c3a13283ceb61b074976d8b5fe8e91759
all runs: OK
# git bisect bad 763b04c6b26bc12c2df36390210e5377b241a8a8
Bisecting: 2 revisions left to test after this (roughly 1 step)
[74752b81eae8ae64e97de222320026367e92c4b5] vt: Reject zero-sized screen buffer size.
testing commit 74752b81eae8ae64e97de222320026367e92c4b5 with gcc (GCC) 8.1.0
kernel signature: 6702689851ee4633208ebbb2d257de19784410b79f87020e1b4c77014177f359
all runs: OK
# git bisect bad 74752b81eae8ae64e97de222320026367e92c4b5
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[dd58bd1b95b7127bb975942e14c4a9bd878c28db] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit dd58bd1b95b7127bb975942e14c4a9bd878c28db with gcc (GCC) 8.1.0
kernel signature: 0ff0f0cb1ad6f9b0b3a241f72f3d1d114676c365494c4ab9fe3a48910b117b74
all runs: crashed: KASAN: null-ptr-deref Read in do_con_trol
# git bisect good dd58bd1b95b7127bb975942e14c4a9bd878c28db
74752b81eae8ae64e97de222320026367e92c4b5 is the first bad commit
commit 74752b81eae8ae64e97de222320026367e92c4b5
Author: Tetsuo Handa
Date:   Sun Jul 12 20:10:12 2020 +0900

    vt: Reject zero-sized screen buffer size.

    commit ce684552a266cb1c7cc2f7e623f38567adec6653 upstream.

    syzbot is reporting general protection fault in do_con_write() [1] caused by
    vc->vc_screenbuf == ZERO_SIZE_PTR caused by vc->vc_screenbuf_size == 0
    caused by vc->vc_cols == vc->vc_rows == vc->vc_size_row == 0 caused by
    fb_set_var() from ioctl(FBIOPUT_VSCREENINFO) on /dev/fb0, for
    gotoxy(vc, 0, 0) from reset_terminal() from vc_init() from vc_allocate()
    from con_install() from tty_init_dev() from tty_open() on such console
    causes vc->vc_pos == 0x10000000e due to
    ((unsigned long) ZERO_SIZE_PTR) + -1U * 0 + (-1U << 1).

    I don't think that a console with 0 column or 0 row makes sense. And it
    seems that vc_do_resize() does not intend to allow resizing a console to
    0 column or 0 row due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception.

    Theoretically, cols and rows can be any range as long as
    0 < cols * rows * 2 <= KMALLOC_MAX_SIZE is satisfied (e.g.
    cols == 1048576 && rows == 2 is possible) because of

      vc->vc_size_row = vc->vc_cols << 1;
      vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;

    in visual_init() and

      kzalloc(vc->vc_screenbuf_size)

    in vc_allocate(). Since we can detect cols == 0 or rows == 0 via
    screenbuf_size = 0 in visual_init(), we can reject kzalloc(0). Then,
    vc_allocate() will return an error, and con_write() will not be called
    on a console with 0 column or 0 row.

    We need to make sure that integer overflow in visual_init() won't happen.
    Since vc_do_resize() restricts cols <= 32767 and rows <= 32767, applying
    1 <= cols <= 32767 and 1 <= rows <= 32767 restrictions to vc_allocate()
    will be practically fine.

    This patch does not touch con_init(), for returning -EINVAL there does
    not help when we are not returning -ENOMEM.

    [1] https://syzkaller.appspot.com/bug?extid=017265e8553724e514e8

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Cc: stable
    Link: https://lore.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

culprit signature: 6702689851ee4633208ebbb2d257de19784410b79f87020e1b4c77014177f359
parent signature: 0ff0f0cb1ad6f9b0b3a241f72f3d1d114676c365494c4ab9fe3a48910b117b74
revisions tested: 13, total time: 3h19m23.158452991s (build: 2h2m8.224209271s, test: 1h14m52.806908172s)
first good commit: 74752b81eae8ae64e97de222320026367e92c4b5 vt: Reject zero-sized screen buffer size.
recipients (to): ["gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+017265e8553724e514e8@syzkaller.appspotmail.com"]
recipients (cc): []