bisecting fixing commit since 17a87580a8856170d59aab302226811a4ae69149
building syzkaller on e562dd8adff015d44bec3d7fd8e6608a3a031ff3
testing commit 17a87580a8856170d59aab302226811a4ae69149 with gcc (GCC) 8.1.0
kernel signature: 04adbd9b60f4a84dc19162a091e827b728d675add30f732067a1334a6ea0bfd7
all runs: crashed: divide error in fbcon_switch
testing current HEAD f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a
testing commit f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a with gcc (GCC) 8.1.0
kernel signature: d9b71d522942da059496b57fcdef3d5bc46e3c83636ce1396c4f3e35310bd0f8
all runs: OK
# git bisect start f6d5cb9e2c06f7d583dd9f4f7cca21d13d78c32a 17a87580a8856170d59aab302226811a4ae69149
Bisecting: 340 revisions left to test after this (roughly 8 steps)
[719a92fae0434d11ee86d0f679663c14a2a13fc1] Revert "vxlan: fix tos value before xmit"
testing commit 719a92fae0434d11ee86d0f679663c14a2a13fc1 with gcc (GCC) 8.1.0
kernel signature: f3906c086c936415307d55813a2854217437bb03b838bbff20f9a300c55f76e4
all runs: OK
# git bisect bad 719a92fae0434d11ee86d0f679663c14a2a13fc1
Bisecting: 169 revisions left to test after this (roughly 7 steps)
[8a330edef54f270c440034419f0694cee64c3075] ipvs: fix the connection sync failed in some cases
testing commit 8a330edef54f270c440034419f0694cee64c3075 with gcc (GCC) 8.1.0
kernel signature: 29747b49ab2af7165c0e4e7f981deb7a653c0884f040dabbeda71c9e346416a3
all runs: crashed: divide error in fbcon_switch
# git bisect good 8a330edef54f270c440034419f0694cee64c3075
Bisecting: 84 revisions left to test after this (roughly 6 steps)
[7b88c1ef512b2e4e08096773b35596c16678f038] Revert "drm/amdgpu: Fix NULL dereference in dpm sysfs handlers"
testing commit 7b88c1ef512b2e4e08096773b35596c16678f038 with gcc (GCC) 8.1.0
kernel signature: 5bdcf783ebf222e6c4a3f66d1f2d2af1c1edee9e0ab2a1d94ba92bf03ac587f1
all runs: OK
# git bisect bad 7b88c1ef512b2e4e08096773b35596c16678f038
Bisecting: 42 revisions left to test after this (roughly 5 steps)
[9468cf97910aea551c0d8f423cc30a13bda7490e] drm/amdgpu: Fix NULL dereference in dpm sysfs handlers
testing commit 9468cf97910aea551c0d8f423cc30a13bda7490e with gcc (GCC) 8.1.0
kernel signature: ab0aac85651a14b5a9d6a7e60d242be9187b004d48ec260c9c204991ee907600
all runs: OK
# git bisect bad 9468cf97910aea551c0d8f423cc30a13bda7490e
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[768ae54563b7347f5c6bb97100a3161b726705e9] arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
testing commit 768ae54563b7347f5c6bb97100a3161b726705e9 with gcc (GCC) 8.1.0
kernel signature: 70f046ac90de9d8a4cf052020cef8e617aa6722e52dc924938cc5959a0b2628d
all runs: crashed: divide error in fbcon_switch
# git bisect good 768ae54563b7347f5c6bb97100a3161b726705e9
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[3027b255ebfbce099279f9dc0ae16448a5966dad] staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
testing commit 3027b255ebfbce099279f9dc0ae16448a5966dad with gcc (GCC) 8.1.0
kernel signature: a4d6c5e6780d906b0afd0992a7c5c221f141c2e09dd9dea83e19d9cb3e5fb07c
all runs: crashed: divide error in fbcon_switch
# git bisect good 3027b255ebfbce099279f9dc0ae16448a5966dad
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[74752b81eae8ae64e97de222320026367e92c4b5] vt: Reject zero-sized screen buffer size.
testing commit 74752b81eae8ae64e97de222320026367e92c4b5 with gcc (GCC) 8.1.0
kernel signature: a0baaa090df4e24020e28493e74165a912f94c12bf149bb90605d93931380ef3
all runs: OK
# git bisect bad 74752b81eae8ae64e97de222320026367e92c4b5
Bisecting: 2 revisions left to test after this (roughly 1 step)
[c358255ff1dfa51ddbcbc8dfcc4eaa5719008daa] serial: 8250: fix null-ptr-deref in serial8250_start_tx()
testing commit c358255ff1dfa51ddbcbc8dfcc4eaa5719008daa with gcc (GCC) 8.1.0
kernel signature: 04298130bbe3dd4b65c9056335a837f8959caab3be92d53c80c6c043c0dc7bfb
all runs: crashed: divide error in fbcon_switch
# git bisect good c358255ff1dfa51ddbcbc8dfcc4eaa5719008daa
Bisecting: 0 revisions left to test after this (roughly 1 step)
[dd58bd1b95b7127bb975942e14c4a9bd878c28db] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit dd58bd1b95b7127bb975942e14c4a9bd878c28db with gcc (GCC) 8.1.0
kernel signature: 7bfde59be2e88d1eeb3929579ec429f3d7859b65144d34f707fad9aebe0c838f
all runs: crashed: divide error in fbcon_switch
# git bisect good dd58bd1b95b7127bb975942e14c4a9bd878c28db
74752b81eae8ae64e97de222320026367e92c4b5 is the first bad commit

commit 74752b81eae8ae64e97de222320026367e92c4b5
Author: Tetsuo Handa
Date:   Sun Jul 12 20:10:12 2020 +0900

    vt: Reject zero-sized screen buffer size.

    commit ce684552a266cb1c7cc2f7e623f38567adec6653 upstream.

    syzbot is reporting general protection fault in do_con_write() [1] caused by
    vc->vc_screenbuf == ZERO_SIZE_PTR caused by vc->vc_screenbuf_size == 0
    caused by vc->vc_cols == vc->vc_rows == vc->vc_size_row == 0 caused by
    fb_set_var() from ioctl(FBIOPUT_VSCREENINFO) on /dev/fb0, for
    gotoxy(vc, 0, 0) from reset_terminal() from vc_init() from vc_allocate()
    from con_install() from tty_init_dev() from tty_open() on such console
    causes vc->vc_pos == 0x10000000e due to
    ((unsigned long) ZERO_SIZE_PTR) + -1U * 0 + (-1U << 1).

    I don't think that a console with 0 column or 0 row makes sense. And it
    seems that vc_do_resize() does not intend to allow resizing a console to
    0 column or 0 row due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception.

    Theoretically, cols and rows can be any range as long as
    0 < cols * rows * 2 <= KMALLOC_MAX_SIZE is satisfied (e.g.
    cols == 1048576 && rows == 2 is possible) because of

      vc->vc_size_row = vc->vc_cols << 1;
      vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;

    in visual_init() and

      kzalloc(vc->vc_screenbuf_size)

    in vc_allocate().

    Since we can detect cols == 0 or rows == 0 via screenbuf_size = 0 in
    visual_init(), we can reject kzalloc(0). Then, vc_allocate() will return
    an error, and con_write() will not be called on a console with 0 column
    or 0 row.

    We need to make sure that integer overflow in visual_init() won't happen.
    Since vc_do_resize() restricts cols <= 32767 and rows <= 32767, applying
    1 <= cols <= 32767 and 1 <= rows <= 32767 restrictions to vc_allocate()
    will be practically fine.

    This patch does not touch con_init(), for returning -EINVAL there
    does not help when we are not returning -ENOMEM.

    [1] https://syzkaller.appspot.com/bug?extid=017265e8553724e514e8

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Cc: stable
    Link: https://lore.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

culprit signature: a0baaa090df4e24020e28493e74165a912f94c12bf149bb90605d93931380ef3
parent signature: 7bfde59be2e88d1eeb3929579ec429f3d7859b65144d34f707fad9aebe0c838f
revisions tested: 11, total time: 2h56m39.541040992s (build: 1h47m39.730730772s, test: 1h7m0.899545469s)
first good commit: 74752b81eae8ae64e97de222320026367e92c4b5 vt: Reject zero-sized screen buffer size.
recipients (to): ["gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+017265e8553724e514e8@syzkaller.appspotmail.com"]
recipients (cc): []