bisecting cause commit starting from 596cf45cbf6e4fa7bcb0df33e373a7d062b644b5
building syzkaller on ab342da3f9aa45e3f2d9e872576ab5cd3e3c350b
testing commit 596cf45cbf6e4fa7bcb0df33e373a7d062b644b5 with gcc (GCC) 8.1.0
kernel signature: e46aaf560a0cbc2c6e190e2dafd91d39cbce5833
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: b572695b18d6d08794e9f2bdaba7178db4d31df2
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: a1dd1a79c4003e986fd2d668d6cb111ac393e8b0
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: 0ac2d9c9e4d21397e9ce48855f25bdc350fbe38e
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: f7f87f225419ca7db798931c088225db512d348a
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 31cd00b8efbc6c31f5c734db3d2994d9ccad134a
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: 033b48b64575e5149645ec296dcb79a8003b1b8d
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: 80f23214b32fb855f8a7d55d552ad0056918698a
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: c6cc34df7f9867e1824bfa70aebddce5abd22475
all runs: OK
# git bisect start 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d 94710cac0ef4ee177a63b5227664b38c95bbf703
Bisecting: 7596 revisions left to test after this (roughly 13 steps)
[db06f826ec12bf0701ea7fc0a3c0aa00b84417c8] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
testing commit db06f826ec12bf0701ea7fc0a3c0aa00b84417c8 with gcc (GCC) 8.1.0
kernel signature: 14a4b1bb24a15ed6d5b5f297cb47d7612d144ab1
all runs: OK
# git bisect good db06f826ec12bf0701ea7fc0a3c0aa00b84417c8
Bisecting: 3768 revisions left to test after this (roughly 12 steps)
[cd9b44f90763c3367e8dd0601849ffb028e8ba52] Merge branch 'akpm' (patches from Andrew)
testing commit cd9b44f90763c3367e8dd0601849ffb028e8ba52 with gcc (GCC) 8.1.0
kernel signature: b5a124ca0e0fcd1985f28b8b8f6c9584e1992141
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
# git bisect bad cd9b44f90763c3367e8dd0601849ffb028e8ba52
Bisecting: 2297 revisions left to test after this (roughly 11 steps)
[336722eb9d9732c5a497fb6299bf38cde413592b] Merge tag 'tty-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
testing commit 336722eb9d9732c5a497fb6299bf38cde413592b with gcc (GCC) 8.1.0
kernel signature: d1262dea1ef000705e9ed46126ec7a33aff308a1
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
# git bisect bad 336722eb9d9732c5a497fb6299bf38cde413592b
Bisecting: 739 revisions left to test after this (roughly 10 steps)
[5e2d059b52e397d9ac42f4c4d9d9a841887b5818] Merge tag 'powerpc-4.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
testing commit 5e2d059b52e397d9ac42f4c4d9d9a841887b5818 with gcc (GCC) 8.1.0
kernel signature: 68bd0af016e7bc8ac09844a32ecd6b67f21937e9
all runs: OK
# git bisect good 5e2d059b52e397d9ac42f4c4d9d9a841887b5818
Bisecting: 375 revisions left to test after this (roughly 9 steps)
[9bd553929f68921be0f2014dd06561e0c8249a0d] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 9bd553929f68921be0f2014dd06561e0c8249a0d with gcc (GCC) 8.1.0
kernel signature: 742852f927ce0bd9159419d3d6ab58a11a1462a4
all runs: OK
# git bisect good 9bd553929f68921be0f2014dd06561e0c8249a0d
Bisecting: 209 revisions left to test after this (roughly 8 steps)
[29c692c96b3a39cd1911fb79cd2505af8d070f07] USB: serial: pl2303: add a new device id for ATEN
testing commit 29c692c96b3a39cd1911fb79cd2505af8d070f07 with gcc (GCC) 8.1.0
kernel signature: dd03d757f9fc79bad5635b042bed81ab0f7cc35c
all runs: OK
# git bisect good 29c692c96b3a39cd1911fb79cd2505af8d070f07
Bisecting: 104 revisions left to test after this (roughly 7 steps)
[87a5ffc163966b2eb675c9c863c0caccab3183f6] mm/list_lru.c: use list_lru_walk_one() in list_lru_walk_node()
testing commit 87a5ffc163966b2eb675c9c863c0caccab3183f6 with gcc (GCC) 8.1.0
kernel signature: d9480035bd37873b05337f9fb37ecfd8fc008091
all runs: OK
# git bisect good 87a5ffc163966b2eb675c9c863c0caccab3183f6
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[36ecc1481dc8d8c52d43ba18c6b642c1d2fde789] pty: fix O_CLOEXEC for TIOCGPTPEER
testing commit 36ecc1481dc8d8c52d43ba18c6b642c1d2fde789 with gcc (GCC) 8.1.0
kernel signature: ea1d6dfee3defb173a880ba35807bbf722c5bbee
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
# git bisect bad 36ecc1481dc8d8c52d43ba18c6b642c1d2fde789
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[eb3c74c27d059234c58e40caefa3d64cbf998a45] dt-bindings: mtk-uart: add mt6765 uart bindings
testing commit eb3c74c27d059234c58e40caefa3d64cbf998a45 with gcc (GCC) 8.1.0
kernel signature: a5b6f165a6c83e6fbe4c2bf2f672e106395335e8
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
# git bisect bad eb3c74c27d059234c58e40caefa3d64cbf998a45
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[68d12bb267da44f50167e64a95f1581cb729e5fc] serial: xuartps: fix typo in cdns_uart_startup
testing commit 68d12bb267da44f50167e64a95f1581cb729e5fc with gcc (GCC) 8.1.0
kernel signature: e043fd2ae61a74a07d66e87d31bd009c9743f2d4
all runs: OK
# git bisect good 68d12bb267da44f50167e64a95f1581cb729e5fc
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[16ecf49c10a1e8ecf917f91b93dd85624349e930] Merge 4.18-rc3 into tty-next
testing commit 16ecf49c10a1e8ecf917f91b93dd85624349e930 with gcc (GCC) 8.1.0
kernel signature: 29686869ce195f0b48bab81c51b83ba5657d3a06
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
# git bisect bad 16ecf49c10a1e8ecf917f91b93dd85624349e930
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[d8ae7242718738ee1bf9bfdd632d2a4b150fdd26] vt: preserve unicode values corresponding to screen characters
testing commit d8ae7242718738ee1bf9bfdd632d2a4b150fdd26 with gcc (GCC) 8.1.0
kernel signature: c6edf9b33cc3b01aefd72974df95db04f8fb4888
all runs: OK
# git bisect good d8ae7242718738ee1bf9bfdd632d2a4b150fdd26
Bisecting: 0 revisions left to test after this (roughly 1 step)
[708d0bff9121506db08adb73845a3c70312fadf3] vt: unicode fallback for scrollback
testing commit 708d0bff9121506db08adb73845a3c70312fadf3 with gcc (GCC) 8.1.0
kernel signature: 7948d821e1362d30eb79af6ea2b1938ba9640cc2
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
# git bisect bad 708d0bff9121506db08adb73845a3c70312fadf3
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d21b0be246bf3bbf569e6e239f56abb529c7154e] vt: introduce unicode mode for /dev/vcs
testing commit d21b0be246bf3bbf569e6e239f56abb529c7154e with gcc (GCC) 8.1.0
kernel signature: 509c819fd092c5a9635dc432ae247322699fb98b
all runs: crashed: KASAN: slab-out-of-bounds Read in vcs_scr_readw
# git bisect bad d21b0be246bf3bbf569e6e239f56abb529c7154e
d21b0be246bf3bbf569e6e239f56abb529c7154e is the first bad commit
commit d21b0be246bf3bbf569e6e239f56abb529c7154e
Author: Nicolas Pitre <nicolas.pitre@linaro.org>
Date:   Tue Jun 26 23:56:41 2018 -0400

    vt: introduce unicode mode for /dev/vcs
    
    Now that the core vt code knows how to preserve unicode values for each
    displayed character, it is then possible to let user space access it via
    /dev/vcs*.
    
    Unicode characters are presented as 32 bit values in native endianity
    via the /dev/vcsu* devices, mimicking the simple /dev/vcs* devices.
    Unicode with attributes (similarly to /dev/vcsa*) is not supported at
    the moment.
    
    Data is available only as long as the console is in UTF-8 mode. ENODATA
    is returned otherwise.
    
    This was tested with the latest development version (to become
    version 5.7) of BRLTTY. Amongst other things, this allows ⠋⠕⠗ ⠞⠓⠊⠎
    ⠃⠗⠁⠊⠇⠇⠑⠀⠞⠑⠭⠞⠀to appear directly on braille displays regardless of the
    console font being used.
    
    Signed-off-by: Nicolas Pitre <nico@linaro.org>
    Tested-by: Dave Mielke <Dave@mielke.cc>
    Acked-by: Adam Borowski <kilobyte@angband.pl>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/vt/vc_screen.c | 89 ++++++++++++++++++++++++++++++++++++++--------
 drivers/tty/vt/vt.c        | 61 +++++++++++++++++++++++++++++++
 include/linux/selection.h  |  5 +++
 3 files changed, 141 insertions(+), 14 deletions(-)
kernel signature:   509c819fd092c5a9635dc432ae247322699fb98b
previous signature: c6edf9b33cc3b01aefd72974df95db04f8fb4888
revisions tested: 23, total time: 4h31m4.270487274s (build: 2h15m36.861010613s, test: 2h8m29.302542353s)
first bad commit: d21b0be246bf3bbf569e6e239f56abb529c7154e vt: introduce unicode mode for /dev/vcs
cc: ["dave@mielke.cc" "gregkh@linuxfoundation.org" "kilobyte@angband.pl" "nico@linaro.org" "nicolas.pitre@linaro.org"]
crash: KASAN: slab-out-of-bounds Read in vcs_scr_readw
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
==================================================================
BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0x81/0xa0 drivers/tty/vt/vt.c:4543
Read of size 2 at addr ffff88021933d440 by task syz-executor.1/6840

CPU: 1 PID: 6840 Comm: syz-executor.1 Not tainted 4.18.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x109/0x15a lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
 vcs_scr_readw+0x81/0xa0 drivers/tty/vt/vt.c:4543
 vcs_write+0x44d/0xaa0 drivers/tty/vt/vc_screen.c:525
 __vfs_write+0xe3/0x880 fs/read_write.c:485
 vfs_write+0x150/0x4f0 fs/read_write.c:549
 ksys_write+0xcd/0x1b0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x6e/0xb0 fs/read_write.c:607
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a679
Code: ad b6 fb ff c3 66 2e 
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007f6df08d3c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
RDX: 00000000fffffecb RSI: 0000000020000300 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6df08d46d4
R13: 00000000004d3700 R14: 00000000004e52f0 R15: 00000000ffffffff

Allocated by task 1:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc mm/slab.c:3718 [inline]
 __kmalloc+0x14e/0x7a0 mm/slab.c:3727
 kmalloc include/linux/slab.h:518 [inline]
 vc_do_resize+0x1ba/0x1270 drivers/tty/vt/vt.c:1104
 vc_resize+0x3d/0x60 drivers/tty/vt/vt.c:1220
 fbcon_init+0xefa/0x1fd0 drivers/video/fbdev/core/fbcon.c:1165
 visual_init+0x314/0x5d0 drivers/tty/vt/vt.c:976
 do_bind_con_driver+0x4c5/0x8d0 drivers/tty/vt/vt.c:3440
 do_take_over_console+0x3d2/0x560 drivers/tty/vt/vt.c:4001
 do_fbcon_takeover+0xcb/0x1a0 drivers/video/fbdev/core/fbcon.c:544
 fbcon_fb_registered drivers/video/fbdev/core/fbcon.c:3192 [inline]
 fbcon_event_notify+0x1604/0x1d90 drivers/video/fbdev/core/fbcon.c:3322
 notifier_call_chain+0x8a/0x160 kernel/notifier.c:93
 __blocking_notifier_call_chain kernel/notifier.c:317 [inline]
 blocking_notifier_call_chain+0x6b/0xa0 kernel/notifier.c:328
 fb_notifier_call_chain+0x16/0x20 drivers/video/fbdev/core/fb_notify.c:45
 do_register_framebuffer drivers/video/fbdev/core/fbmem.c:1700 [inline]
 register_framebuffer+0x55f/0x8f0 drivers/video/fbdev/core/fbmem.c:1794
 vga16fb_probe+0x680/0x75b drivers/video/fbdev/vga16fb.c:1373
 platform_drv_probe+0x79/0x110 drivers/base/platform.c:579
 really_probe drivers/base/dd.c:446 [inline]
 driver_probe_device+0x46b/0x6a0 drivers/base/dd.c:588
 __device_attach_driver+0x1bf/0x250 drivers/base/dd.c:684
 bus_for_each_drv+0x11d/0x1c0 drivers/base/bus.c:461
 __device_attach+0x1f2/0x2d0 drivers/base/dd.c:741
 device_initial_probe+0xe/0x10 drivers/base/dd.c:788
 bus_probe_device+0x1a4/0x250 drivers/base/bus.c:521
 device_add+0x92f/0x14b0 drivers/base/core.c:1875
 platform_device_add+0x2a8/0x5d0 drivers/base/platform.c:417
 vga16fb_init+0x127/0x18b drivers/video/fbdev/vga16fb.c:1431
 do_one_initcall+0xbc/0x5b0 init/main.c:884
 do_initcall_level init/main.c:952 [inline]
 do_initcalls init/main.c:960 [inline]
 do_basic_setup init/main.c:978 [inline]
 kernel_init_freeable+0x43b/0x4df init/main.c:1135
 kernel_init+0xc/0x114 init/main.c:1061
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:412

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88021933c180
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 4800 bytes inside of
 8192-byte region [ffff88021933c180, ffff88021933e180)
The buggy address belongs to the page:
page:ffffea000864cf00 count:1 mapcount:0 mapping:ffff8800aa802080 index:0x0 compound_mapcount: 0
flags: 0x57ffe0000008100(slab|head)
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
raw: 057ffe0000008100 ffffea000864c408 ffffea0008619f08 ffff8800aa802080
raw: 0000000000000000 ffff88021933c180 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88021933d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88021933d380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88021933d400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff88021933d480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88021933d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================