ci starts bisection 2023-03-04 00:28:18.43072982 +0000 UTC m=+224024.801982665 bisecting cause commit starting from 2eb29d59ddf02e39774abfb60b2030b0b7e27c1f building syzkaller on f8902b5747fbe3d5b860bd782eec63fc9c7da6e7 ensuring issue is reproducible on original commit 2eb29d59ddf02e39774abfb60b2030b0b7e27c1f testing commit 2eb29d59ddf02e39774abfb60b2030b0b7e27c1f gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b1fdeb274ed84483c2987158020bd98992a9416969b7a7d9db0139012d94122a all runs: crashed: BUG: bad usercopy in con_font_op testing release v6.2 testing commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b8531862989643abb885bfd0cf5e7b8fc35d2236851c79139363f408140602e6 all runs: OK # git bisect start 2eb29d59ddf02e39774abfb60b2030b0b7e27c1f c9c3395d5e3dcc6daee66c6908354d47bf98cb0c Bisecting: 6607 revisions left to test after this (roughly 13 steps) [9fc2f99030b55027d84723b0dcbbe9f7e21b9c6c] Merge tag 'nfsd-6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux testing commit 9fc2f99030b55027d84723b0dcbbe9f7e21b9c6c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 810df4475a6cedccc7c08c75e084819edf1debe15fc70416092ba02d793aaa4c all runs: OK # git bisect good 9fc2f99030b55027d84723b0dcbbe9f7e21b9c6c Bisecting: 3186 revisions left to test after this (roughly 12 steps) [693fed981eb9bf6e70bfda66bb872e2bb8155671] Merge tag 'char-misc-6.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc testing commit 693fed981eb9bf6e70bfda66bb872e2bb8155671 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3bfdb2ebe928f361de7f5fe7286a4dd02b822a7401bc0f98cf9dd04436e87fc6 all runs: crashed: BUG: bad usercopy in con_font_op # git bisect bad 693fed981eb9bf6e70bfda66bb872e2bb8155671 Bisecting: 1718 revisions left to test after this (roughly 11 steps) [b72b5fecc1b8a2e595bd03d7d257c88ea3f9fd45] Merge tag 'trace-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace testing commit b72b5fecc1b8a2e595bd03d7d257c88ea3f9fd45 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 884bd643959cf0baaa644ffec204b152d4f2017a0e5f3624a4bcbe29b07b92fc all runs: OK # git bisect good b72b5fecc1b8a2e595bd03d7d257c88ea3f9fd45 Bisecting: 851 revisions left to test after this (roughly 10 steps) [d2980d8d826554fa6981d621e569a453787472f8] Merge tag 'mm-nonmm-stable-2023-02-20-15-29' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm testing commit d2980d8d826554fa6981d621e569a453787472f8 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a6c15be9dd12842779bf843ac3b778984ce2a757135a7f1ffaf265bf8eb5bc60 all runs: OK # git bisect good d2980d8d826554fa6981d621e569a453787472f8 Bisecting: 459 revisions left to test after this (roughly 9 steps) [17cd4d6f05087ea1ae5c1416ef260e5b7fc5d5c9] Merge tag 'tty-6.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty testing commit 17cd4d6f05087ea1ae5c1416ef260e5b7fc5d5c9 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fddfac21f38e7cdd756bd7306d94a52db3b8cc445b337399473e01a2c0187ff0 all runs: crashed: BUG: bad usercopy in con_font_op # git bisect bad 17cd4d6f05087ea1ae5c1416ef260e5b7fc5d5c9 Bisecting: 195 revisions left to test after this (roughly 8 steps) [e16cab9c1596e251761d2bfb5e1467950d616963] usb: uvc: Enumerate valid values for color matching testing commit e16cab9c1596e251761d2bfb5e1467950d616963 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e2789eed97191e57794adacaccb1971a15de9bd19c338944426ef470fe60bdd2 all runs: OK # git bisect good e16cab9c1596e251761d2bfb5e1467950d616963 Bisecting: 97 revisions left to test after this (roughly 7 steps) [96f54fd4894711b0dce6a1c8c26c882295dc9234] tty: serial: fsl_lpuart: Enable Receiver Idle Empty function for LPUART testing commit 96f54fd4894711b0dce6a1c8c26c882295dc9234 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cd2fd5b87d97d03e2dcdfd67309b6a0d1c3cdc0474fa46b4dad28b181a41f734 run #0: crashed: KASAN: use-after-free Write in fbcon_get_font run #1: crashed: BUG: bad usercopy in con_font_op run #2: crashed: KASAN: use-after-free Write in fbcon_get_font run #3: crashed: KASAN: use-after-free Write in fbcon_get_font run #4: crashed: BUG: bad usercopy in con_font_op run #5: crashed: KASAN: use-after-free Write in fbcon_get_font run #6: crashed: BUG: bad usercopy in con_font_op run #7: crashed: BUG: bad usercopy in con_font_op run #8: crashed: BUG: bad usercopy in con_font_op run #9: crashed: KASAN: use-after-free Write in fbcon_get_font # git bisect bad 96f54fd4894711b0dce6a1c8c26c882295dc9234 Bisecting: 48 revisions left to test after this (roughly 6 steps) [d0fabb0dc1a6237fc93250114916abc3fb286e98] tty: serial: qcom-geni-serial: drop unneeded forward definitions testing commit d0fabb0dc1a6237fc93250114916abc3fb286e98 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 38441fab56001834b8bd024eeed3532a134fefc819abc94c585af6ec14d14dca all runs: OK # git bisect good d0fabb0dc1a6237fc93250114916abc3fb286e98 Bisecting: 24 revisions left to test after this (roughly 5 steps) [75b20a2ac425b94f06957fb9963e89123a51866c] tty: Cleamup tty_port_set_suspended() bool parameter testing commit 75b20a2ac425b94f06957fb9963e89123a51866c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cebed5bf7a8b067885bea8edba87511b89bf89330e3c68bfb16c4715558573b7 all runs: OK # git bisect good 75b20a2ac425b94f06957fb9963e89123a51866c Bisecting: 12 revisions left to test after this (roughly 4 steps) [0926d8d52d42799806148ce6d57992849e57816c] fpga: dfl: Add DFHv1 Register Definitions testing commit 0926d8d52d42799806148ce6d57992849e57816c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0beb98fd824b6b17134a1a2d8fe1245e015ec9c4c2f96d0f55df92b9ba7b6571 all runs: OK # git bisect good 0926d8d52d42799806148ce6d57992849e57816c Bisecting: 6 revisions left to test after this (roughly 3 steps) [7a6aa989f2e844a22cfab5c8ff30e77d17dabb2f] Merge 6.2-rc5 into tty-next testing commit 7a6aa989f2e844a22cfab5c8ff30e77d17dabb2f gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a32c94ea1a0a51ce4381cfb03f4a551fecb28e2b0368ddd6eec24c9181593af5 run #0: crashed: BUG: bad usercopy in con_font_op run #1: crashed: KASAN: use-after-free Write in fbcon_get_font run #2: crashed: BUG: bad usercopy in con_font_op run #3: crashed: BUG: bad usercopy in con_font_op run #4: crashed: KASAN: use-after-free Write in fbcon_get_font run #5: crashed: KASAN: use-after-free Write in fbcon_get_font run #6: crashed: KASAN: use-after-free Write in fbcon_get_font run #7: crashed: BUG: bad usercopy in con_font_op run #8: crashed: BUG: bad usercopy in con_font_op run #9: crashed: BUG: bad usercopy in con_font_op # git bisect bad 7a6aa989f2e844a22cfab5c8ff30e77d17dabb2f Bisecting: 2 revisions left to test after this (roughly 2 steps) [ffc1e089725e3f8a15ddfdce283db42f7d0fa147] VT: Add height parameter to con_font_get/set consw operations testing commit ffc1e089725e3f8a15ddfdce283db42f7d0fa147 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ff788ca5f95f3b45d78c12387e9703f76ba18e44d9583edde9cc6ed88aa79ebe all runs: OK # git bisect good ffc1e089725e3f8a15ddfdce283db42f7d0fa147 Bisecting: 0 revisions left to test after this (roughly 1 step) [05e2600cb0a4d73b0779cf29512819616252aeeb] VT: Bump font size limitation to 64x128 pixels testing commit 05e2600cb0a4d73b0779cf29512819616252aeeb gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d7cd24cc2fc01a91167622b7b7c9f7ab8491f3e34c87b46ba4385cfee6b53d8e run #0: crashed: BUG: bad usercopy in con_font_op run #1: crashed: BUG: bad usercopy in con_font_op run #2: crashed: BUG: bad usercopy in con_font_op run #3: crashed: BUG: bad usercopy in con_font_op run #4: crashed: BUG: bad usercopy in con_font_op run #5: crashed: BUG: bad usercopy in con_font_op run #6: crashed: BUG: bad usercopy in con_font_op run #7: crashed: KASAN: use-after-free Write in fbcon_get_font run #8: crashed: KASAN: use-after-free Write in fbcon_get_font run #9: crashed: BUG: bad usercopy in con_font_op # git bisect bad 05e2600cb0a4d73b0779cf29512819616252aeeb Bisecting: 0 revisions left to test after this (roughly 0 steps) [24d69384bcd34b9dcaf5dab744bf7096e84d1abd] VT: Add KD_FONT_OP_SET/GET_TALL operations testing commit 24d69384bcd34b9dcaf5dab744bf7096e84d1abd gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 76d66248c57b6113104e8a5ce7a27a77e9f52f47b630daee6dfd3f9ba40bfc99 run #0: crashed: KASAN: use-after-free Write in fbcon_get_font run #1: crashed: KASAN: use-after-free Write in fbcon_get_font run #2: crashed: KASAN: slab-out-of-bounds Write in fbcon_get_font run #3: crashed: KASAN: slab-out-of-bounds Write in fbcon_get_font run #4: crashed: KASAN: slab-out-of-bounds Write in fbcon_get_font run #5: crashed: KASAN: slab-out-of-bounds Write in fbcon_get_font run #6: crashed: KASAN: use-after-free Write in fbcon_get_font run #7: crashed: KASAN: use-after-free Write in fbcon_get_font run #8: crashed: KASAN: use-after-free Write in fbcon_get_font run #9: crashed: KASAN: use-after-free Write in fbcon_get_font # git bisect bad 24d69384bcd34b9dcaf5dab744bf7096e84d1abd 24d69384bcd34b9dcaf5dab744bf7096e84d1abd is the first bad commit commit 24d69384bcd34b9dcaf5dab744bf7096e84d1abd Author: Samuel Thibault Date: Thu Jan 19 16:19:16 2023 +0100 VT: Add KD_FONT_OP_SET/GET_TALL operations The KD_FONT_OP_SET/GET operations hardcode vpitch to be 32 pixels, which only dates from the old VGA hardware which as asserting this. Drivers such as fbcon however do not have such limitation, so this introduces KD_FONT_OP_SET/GET_TALL operations, which userland can try to use to avoid this limitation, thus opening the patch to >32 pixels font height. Signed-off-by: Samuel Thibault Link: https://lore.kernel.org/r/20230119151935.013597162@ens-lyon.org Signed-off-by: Greg Kroah-Hartman drivers/tty/vt/vt.c | 14 ++++++++++---- include/uapi/linux/kd.h | 10 ++++++++-- 2 files changed, 18 insertions(+), 6 deletions(-) culprit signature: 76d66248c57b6113104e8a5ce7a27a77e9f52f47b630daee6dfd3f9ba40bfc99 parent signature: ff788ca5f95f3b45d78c12387e9703f76ba18e44d9583edde9cc6ed88aa79ebe revisions tested: 16, total time: 4h7m5.658488105s (build: 2h25m19.937630722s, test: 1h39m16.635915286s) first bad commit: 24d69384bcd34b9dcaf5dab744bf7096e84d1abd VT: Add KD_FONT_OP_SET/GET_TALL operations recipients (to): ["gregkh@linuxfoundation.org" "samuel.thibault@ens-lyon.org"] recipients (cc): [] crash: KASAN: use-after-free Write in fbcon_get_font ================================================================== BUG: KASAN: use-after-free in fbcon_get_font+0x2f8/0x770 drivers/video/fbdev/core/fbcon.c:2293 Write of size 16369 at addr ffff88806fb6c013 by task syz-executor.0/5553 CPU: 0 PID: 5553 Comm: syz-executor.0 Not tainted 6.2.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x5b/0x81 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:306 [inline] print_report+0x15e/0x45d mm/kasan/report.c:417 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x141/0x190 mm/kasan/generic.c:189 memset+0x24/0x50 mm/kasan/shadow.c:44 fbcon_get_font+0x2f8/0x770 drivers/video/fbdev/core/fbcon.c:2293 con_font_get drivers/tty/vt/vt.c:4556 [inline] con_font_op+0x1a8/0xd00 drivers/tty/vt/vt.c:4670 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x1612/0x24c0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x684/0x1250 drivers/tty/tty_io.c:2777 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x123/0x190 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fcaa448c0f9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fcaa52a6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fcaa45abf80 RCX: 00007fcaa448c0f9 RDX: 0000000020000000 RSI: 0000000000004b72 RDI: 0000000000000003 RBP: 00007fcaa44e7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd4110c59f R14: 00007fcaa52a6300 R15: 0000000000022000 The buggy address belongs to the physical page: page:ffffea0001bed800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6fb60 head:ffffea0001bed800 order:4 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0 flags: 0xfff00000010000(head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 4, migratetype Unmovable, gfp_mask 0x140cc0(GFP_USER|__GFP_COMP), pid 5553, tgid 5552 (syz-executor.0), ts 55410633843, free_ts 6323370375 prep_new_page mm/page_alloc.c:2531 [inline] get_page_from_freelist+0x119c/0x2ce0 mm/page_alloc.c:4283 __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5549 __alloc_pages_node include/linux/gfp.h:237 [inline] alloc_pages_node include/linux/gfp.h:260 [inline] __kmalloc_large_node+0x85/0x160 mm/slab_common.c:1113 kmalloc_large+0x1c/0x70 mm/slab_common.c:1130 kmalloc include/linux/slab.h:577 [inline] con_font_get drivers/tty/vt/vt.c:4546 [inline] con_font_op+0xf3/0xd00 drivers/tty/vt/vt.c:4670 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x1612/0x24c0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x684/0x1250 drivers/tty/tty_io.c:2777 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x123/0x190 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1446 [inline] free_pcp_prepare+0x66a/0xc20 mm/page_alloc.c:1496 free_unref_page_prepare mm/page_alloc.c:3369 [inline] free_unref_page+0x1d/0x490 mm/page_alloc.c:3464 free_contig_range+0xb5/0x180 mm/page_alloc.c:9485 destroy_args+0x7e/0x509 mm/debug_vm_pgtable.c:998 debug_vm_pgtable+0x1ef5/0x1f79 mm/debug_vm_pgtable.c:1318 do_one_initcall+0xf8/0x560 init/main.c:1306 do_initcall_level init/main.c:1379 [inline] do_initcalls init/main.c:1395 [inline] do_basic_setup init/main.c:1414 [inline] kernel_init_freeable+0x5df/0x639 init/main.c:1634 kernel_init+0x18/0x130 init/main.c:1522 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 Memory state around the buggy address: ffff88806fb6ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88806fb6ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88806fb70000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88806fb70080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88806fb70100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================