bisecting cause commit starting from d96d875ef5dd372f533059a44f98e92de9cf0d42
building syzkaller on 8eda0b957e5b39c0c525e74f51d6b39ab8c5b1ac
testing commit d96d875ef5dd372f533059a44f98e92de9cf0d42 with gcc (GCC) 8.1.0
kernel signature: 8de74ceeeacdaaca0d074606ae1465962650e315d371a8132b38156d8aaf0e7b
all runs: crashed: KASAN: slab-out-of-bounds Read in vc_do_resize
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 3f3d25aa18d454d046cffe39f4003169227cf137fdaaf0629160bba3e358d8af
all runs: crashed: KASAN: slab-out-of-bounds Read in vc_do_resize
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 68c0dd8f226d45c324161dfde610d2941ab3583d78fff31f66d54f04d0c455e5
all runs: crashed: KASAN: slab-out-of-bounds Read in vc_do_resize
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: f852b18d97d3b84a838517bee7f1e3143c581991d96e8bbe00d68927c8128544
all runs: OK
# git bisect start 4d856f72c10ecb060868ed10ff1b1453943fc6c8 0ecfebd2b52404ae0c54a878c872bb93363ada36
Bisecting: 7848 revisions left to test after this (roughly 13 steps)
[43c95d3694cc448fdf50bd53b7ff3a5bb4655883] Merge tag 'pinctrl-v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit 43c95d3694cc448fdf50bd53b7ff3a5bb4655883 with gcc (GCC) 8.1.0
kernel signature: e23d99b8774d4b13aea3675fc4fc9114e77c40aaef61bc4a8d66ccaaf54d7030
all runs: crashed: KASAN: slab-out-of-bounds Read in vc_do_resize
# git bisect bad 43c95d3694cc448fdf50bd53b7ff3a5bb4655883
Bisecting: 4619 revisions left to test after this (roughly 12 steps)
[8f6ccf6159aed1f04c6d179f61f6fb2691261e84] Merge tag 'clone3-v5.3' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
testing commit 8f6ccf6159aed1f04c6d179f61f6fb2691261e84 with gcc (GCC) 8.1.0
kernel signature: 7f6612a106ff6cfec1285c1982d3c19e684556334e8afc6e3e7109519eacce95
all runs: crashed: KASAN: slab-out-of-bounds Read in vc_do_resize
# git bisect bad 8f6ccf6159aed1f04c6d179f61f6fb2691261e84
Bisecting: 1595 revisions left to test after this (roughly 11 steps)
[ed63b9c873601ca113da5c7b1745e3946493e9f3] Merge tag 'media/v5.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit ed63b9c873601ca113da5c7b1745e3946493e9f3 with gcc (GCC) 8.1.0
kernel signature: c916e510be93d81b5ac05b3814a21486906c62a3ce203ea2e1c082120caf0665
all runs: OK
# git bisect good ed63b9c873601ca113da5c7b1745e3946493e9f3
Bisecting: 798 revisions left to test after this (roughly 10 steps)
[4b4704520d97b74e045154fc3b844b73ae4e7ebd] Merge tag 'acpi-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
testing commit 4b4704520d97b74e045154fc3b844b73ae4e7ebd with gcc (GCC) 8.1.0
kernel signature: 962c4288b3ed61bbac42b388277b9a842d7fb6762df77cec933e998b1aaf049f
all runs: crashed: KASAN: slab-out-of-bounds Read in vc_do_resize
# git bisect bad 4b4704520d97b74e045154fc3b844b73ae4e7ebd
Bisecting: 398 revisions left to test after this (roughly 9 steps)
[e3303268f9cfa4eb7c2217df471417d4327109fd] ASoC: soc-core: don't use soc_find_component() at snd_soc_find_dai()
testing commit e3303268f9cfa4eb7c2217df471417d4327109fd with gcc (GCC) 8.1.0
kernel signature: c985386021e0952d2e095a4cf834cdcc6bc05017be749361d756b6a82f6683ad
all runs: OK
# git bisect good e3303268f9cfa4eb7c2217df471417d4327109fd
Bisecting: 162 revisions left to test after this (roughly 8 steps)
[3c53c6255d598db7084c5c3d7553d7200e857818] Merge tag 'asoc-v5.3' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
testing commit 3c53c6255d598db7084c5c3d7553d7200e857818 with gcc (GCC) 8.1.0
kernel signature: 4643c9015a7047e918163343fecdc3e83aeefd357d03865b9f8d33b837d84ec6
all runs: OK
# git bisect good 3c53c6255d598db7084c5c3d7553d7200e857818
Bisecting: 87 revisions left to test after this (roughly 6 steps)
[4cdd5f9186bbe80306e76f11da7ecb0b9720433c] Merge tag 'sound-5.3-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 4cdd5f9186bbe80306e76f11da7ecb0b9720433c with gcc (GCC) 8.1.0
kernel signature: 8d6fe2f00ea11b43be548b838a744873116fac5b4e9d406f6d20fc99bc51db76
all runs: crashed: KASAN: slab-out-of-bounds Read in vc_do_resize
# git bisect bad 4cdd5f9186bbe80306e76f11da7ecb0b9720433c
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[6116b892bd4fd0ddc5f30566a556218bb2e1a9b6] vga_switcheroo: Depend upon fbcon being built-in, if enabled
testing commit 6116b892bd4fd0ddc5f30566a556218bb2e1a9b6 with gcc (GCC) 8.1.0
kernel signature: 751bf625ab77c06a38436768c58fe57684ea26ae2291e180f75131ac26460c59
all runs: crashed: KASAN: slab-out-of-bounds Read in vc_do_resize
# git bisect bad 6116b892bd4fd0ddc5f30566a556218bb2e1a9b6
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[0e0f3250d4402d60f4571d076ab27d5af049853e] fbcon: call fbcon_fb_bind directly
testing commit 0e0f3250d4402d60f4571d076ab27d5af049853e with gcc (GCC) 8.1.0
kernel signature: 7a0a275a4566459cf30be9224928801fcdbbed759123141ca9cbffc504278962
all runs: OK
# git bisect good 0e0f3250d4402d60f4571d076ab27d5af049853e
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[3667617347ba42c85ec846a9ea5c33f5d6ab9e4a] fbdev: remove FBINFO_MISC_USEREVENT around fb_blank
testing commit 3667617347ba42c85ec846a9ea5c33f5d6ab9e4a with gcc (GCC) 8.1.0
kernel signature: 33aab888d5b65006e8477f33fcd835fb461000f5ea04870394f1ee03b3cf1961
all runs: OK
# git bisect good 3667617347ba42c85ec846a9ea5c33f5d6ab9e4a
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[fe2d70d6f6ff038c20705c34695bd34ac072af14] fbcon: Call con2fb_map functions directly
testing commit fe2d70d6f6ff038c20705c34695bd34ac072af14 with gcc (GCC) 8.1.0
kernel signature: 2d403aeb07854421f48ab6c1e58d9c812991f3ae190fa52fe8cd7d02518ec203
all runs: crashed: KASAN: slab-out-of-bounds Read in vc_do_resize
# git bisect bad fe2d70d6f6ff038c20705c34695bd34ac072af14
Bisecting: 1 revision left to test after this (roughly 1 step)
[9e1467002630065ed86c65ea28bfc9194fff6f0e] fbcon: replace FB_EVENT_MODE_CHANGE/_ALL with direct calls
testing commit 9e1467002630065ed86c65ea28bfc9194fff6f0e with gcc (GCC) 8.1.0
kernel signature: b9c5934bc0dee17dadd2a562926b2a0da6b92fa542b55192144a6191990e577a
all runs: crashed: KASAN: slab-out-of-bounds Read in vc_do_resize
# git bisect bad 9e1467002630065ed86c65ea28bfc9194fff6f0e
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c428f35adf0faac11e0cceb7dadf3b29055d7d49] fb: Flatten control flow in fb_set_var
testing commit c428f35adf0faac11e0cceb7dadf3b29055d7d49 with gcc (GCC) 8.1.0
kernel signature: 3c4875f1f4287fce86c3777445e519504ff5700ed95722cce89bb7383491193f
all runs: OK
# git bisect good c428f35adf0faac11e0cceb7dadf3b29055d7d49
9e1467002630065ed86c65ea28bfc9194fff6f0e is the first bad commit
commit 9e1467002630065ed86c65ea28bfc9194fff6f0e
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Tue May 28 11:02:59 2019 +0200

    fbcon: replace FB_EVENT_MODE_CHANGE/_ALL with direct calls
    
    Create a new wrapper function for this, feels like there's some
    refactoring room here between the two modes.
    
    v2: backlight notifier is also interested in the mode change event,
    it calls lcd->set_mode, of which there are 3 implementations. Thanks
    to Maarten for spotting this. So we keep that. We can ditch the differentiation
    between mode change and all mode changes (because backlight notifier
    doesn't care), and we can drop the FBINFO_MISC_USEREVENT stuff too,
    because that's just to prevent recursion between fbmem.c and fbcon.c.
    
    While at it flatten the control flow a bit.
    
    v3: Need to add a static inline to the dummy function.
    
    v4: Add missing #include <fbcon.h> to sh_mob (Sam).
    
    Cc: Sam Ravnborg <sam@ravnborg.org>
    Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
    Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
    Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
    Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Cc: Lee Jones <lee.jones@linaro.org>
    Cc: Daniel Thompson <daniel.thompson@linaro.org>
    Cc: Jingoo Han <jingoohan1@gmail.com>
    Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
    Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
    Cc: Hans de Goede <hdegoede@redhat.com>
    Cc: Yisheng Xie <ysxie@foxmail.com>
    Cc: "Michał Mirosław" <mirq-linux@rere.qmqm.pl>
    Cc: Peter Rosin <peda@axentia.se>
    Cc: Mikulas Patocka <mpatocka@redhat.com>
    Cc: linux-fbdev@vger.kernel.org
    Link: https://patchwork.freedesktop.org/patch/msgid/20190528090304.9388-29-daniel.vetter@ffwll.ch

 drivers/video/backlight/lcd.c          |  1 -
 drivers/video/fbdev/core/fbcon.c       | 15 +++++++++------
 drivers/video/fbdev/core/fbmem.c       | 21 ++++++++++-----------
 drivers/video/fbdev/sh_mobile_lcdcfb.c | 12 ++----------
 include/linux/fb.h                     |  2 --
 include/linux/fbcon.h                  |  2 ++
 6 files changed, 23 insertions(+), 30 deletions(-)
culprit signature: b9c5934bc0dee17dadd2a562926b2a0da6b92fa542b55192144a6191990e577a
parent  signature: 3c4875f1f4287fce86c3777445e519504ff5700ed95722cce89bb7383491193f
revisions tested: 17, total time: 3h57m25.520925757s (build: 1h44m41.943995738s, test: 2h11m16.998509445s)
first bad commit: 9e1467002630065ed86c65ea28bfc9194fff6f0e fbcon: replace FB_EVENT_MODE_CHANGE/_ALL with direct calls
cc: ["daniel.thompson@linaro.org" "daniel.vetter@ffwll.ch" "daniel.vetter@intel.com" "maarten.lankhorst@linux.intel.com" "sam@ravnborg.org"]
crash: KASAN: slab-out-of-bounds Read in vc_do_resize
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:359 [inline]
BUG: KASAN: slab-out-of-bounds in scr_memcpyw include/linux/vt_buffer.h:49 [inline]
BUG: KASAN: slab-out-of-bounds in vc_do_resize+0x7e5/0x12d0 drivers/tty/vt/vt.c:1250
Read of size 192 at addr ffff888098b43b40 by task syz-executor.2/14855

CPU: 0 PID: 14855 Comm: syz-executor.2 Not tainted 5.2.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:188
 __kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/generic.c:191
 memcpy+0x23/0x50 mm/kasan/common.c:124
 memcpy include/linux/string.h:359 [inline]
 scr_memcpyw include/linux/vt_buffer.h:49 [inline]
 vc_do_resize+0x7e5/0x12d0 drivers/tty/vt/vt.c:1250
 vc_resize+0x3d/0x60 drivers/tty/vt/vt.c:1304
 fbcon_modechanged+0x301/0x740 drivers/video/fbdev/core/fbcon.c:2960
 fbcon_update_vcs+0x15/0x20 drivers/video/fbdev/core/fbcon.c:3018
 fb_set_var+0x989/0xec0 drivers/video/fbdev/core/fbmem.c:1051
 do_fb_ioctl+0x684/0x930 drivers/video/fbdev/core/fbmem.c:1116
 fb_ioctl+0xcb/0x150 drivers/video/fbdev/core/fbmem.c:1220
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45b349
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa83bffcc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa83bffd6d4 RCX: 000000000045b349
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000002cd R14: 00000000004c3dc6 R15: 000000000075bf2c

Allocated by task 14855:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc.constprop.12+0xc7/0xd0 mm/kasan/common.c:489
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 __do_kmalloc mm/slab.c:3660 [inline]
 __kmalloc+0x15d/0x760 mm/slab.c:3669
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:742 [inline]
 vc_do_resize+0x1de/0x12d0 drivers/tty/vt/vt.c:1187
 vc_resize+0x3d/0x60 drivers/tty/vt/vt.c:1304
 fbcon_modechanged+0x301/0x740 drivers/video/fbdev/core/fbcon.c:2960
 fbcon_update_vcs+0x15/0x20 drivers/video/fbdev/core/fbcon.c:3018
 fb_set_var+0x989/0xec0 drivers/video/fbdev/core/fbmem.c:1051
 fbcon_resize+0x55e/0x6c0 drivers/video/fbdev/core/fbcon.c:2202
 resize_screen drivers/tty/vt/vt.c:1126 [inline]
 vc_do_resize+0x38b/0x12d0 drivers/tty/vt/vt.c:1205
 vc_resize+0x3d/0x60 drivers/tty/vt/vt.c:1304
 fbcon_modechanged+0x301/0x740 drivers/video/fbdev/core/fbcon.c:2960
 fbcon_update_vcs+0x15/0x20 drivers/video/fbdev/core/fbcon.c:3018
 fb_set_var+0x989/0xec0 drivers/video/fbdev/core/fbmem.c:1051
 do_fb_ioctl+0x684/0x930 drivers/video/fbdev/core/fbmem.c:1116
 fb_ioctl+0xcb/0x150 drivers/video/fbdev/core/fbmem.c:1220
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 13558:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kfree+0xcf/0x220 mm/slab.c:3755
 tomoyo_find_next_domain+0x670/0x1c83 security/tomoyo/domain.c:880
 tomoyo_bprm_check_security+0xfe/0x180 security/tomoyo/tomoyo.c:107
 security_bprm_check+0x3a/0x80 security/security.c:747
 search_binary_handler+0x58/0x630 fs/exec.c:1645
 exec_binprm fs/exec.c:1701 [inline]
 __do_execve_file.isra.33+0x1286/0x2000 fs/exec.c:1821
 do_execveat_common fs/exec.c:1868 [inline]
 do_execve fs/exec.c:1885 [inline]
 __do_sys_execve fs/exec.c:1961 [inline]
 __se_sys_execve fs/exec.c:1956 [inline]
 __x64_sys_execve+0x8a/0xb0 fs/exec.c:1956
 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888098b43a00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 320 bytes inside of
 512-byte region [ffff888098b43a00, ffff888098b43c00)
The buggy address belongs to the page:
page:ffffea000262d0c0 refcount:1 mapcount:0 mapping:ffff8880aa400940 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002967188 ffffea000268fbc8 ffff8880aa400940
raw: 0000000000000000 ffff888098b43000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888098b43a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888098b43b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888098b43b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888098b43c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888098b43c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================