bisecting fixing commit since 3d40d7117e353b84627c1e8c5ed9ae0b1237ef5c
building syzkaller on ddc3e85997efdad885e208db6a98bca86e5dd52f
testing commit 3d40d7117e353b84627c1e8c5ed9ae0b1237ef5c with gcc (GCC) 8.1.0
kernel signature: 0b58e233fe2fe02654f69a0145cea791fb8ba46102755f74d6a7b2e319ac791c
all runs: crashed: KASAN: null-ptr-deref Read in insert_char
testing current HEAD c14d30dc9987047b439b03d6e6db7d54d9f7f180
testing commit c14d30dc9987047b439b03d6e6db7d54d9f7f180 with gcc (GCC) 8.1.0
kernel signature: 827fa34dc2d6be153a8baa0b0dfcfae5473b978c1910b56b38de1f29e2a704cb
all runs: OK
# git bisect start c14d30dc9987047b439b03d6e6db7d54d9f7f180 3d40d7117e353b84627c1e8c5ed9ae0b1237ef5c
Bisecting: 2157 revisions left to test after this (roughly 11 steps)
[1c89b531db4269712f689f3ddc55625c60aadab1] driver core: Fix adding device links to probing suppliers
testing commit 1c89b531db4269712f689f3ddc55625c60aadab1 with gcc (GCC) 8.1.0
kernel signature: 380552e56e35a9b60d34e30aad238e21e359a648b1ccde2ad7baeff2d1d3fdd0
all runs: crashed: KASAN: null-ptr-deref Read in insert_char
# git bisect good 1c89b531db4269712f689f3ddc55625c60aadab1
Bisecting: 1078 revisions left to test after this (roughly 10 steps)
[a0006477c6af2b0b9b59beb6695d469ebb48f9b2] evm: Fix RCU list related warnings
testing commit a0006477c6af2b0b9b59beb6695d469ebb48f9b2 with gcc (GCC) 8.1.0
kernel signature: dcdc20a77c8f162111b73a0f60c45c673cc419b5b34315b33dd771ebd0da8bb1
all runs: crashed: KASAN: null-ptr-deref Read in insert_char
# git bisect good a0006477c6af2b0b9b59beb6695d469ebb48f9b2
Bisecting: 539 revisions left to test after this (roughly 9 steps)
[000904251905e2b5a85bba3effdae1de2ac93535] tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes
testing commit 000904251905e2b5a85bba3effdae1de2ac93535 with gcc (GCC) 8.1.0
kernel signature: c00182d437774a74a8cb81d247647eaf0ef02baabc69ce7ab78ef15296b12d17
all runs: crashed: KASAN: null-ptr-deref Read in insert_char
# git bisect good 000904251905e2b5a85bba3effdae1de2ac93535
Bisecting: 269 revisions left to test after this (roughly 8 steps)
[ffa3794f702cfda48f4122bdcff0552ca04c3f34] mtd: rawnand: oxnas: Keep track of registered devices
testing commit ffa3794f702cfda48f4122bdcff0552ca04c3f34 with gcc (GCC) 8.1.0
kernel signature: 2e81e6ef9caddeaf9a65f003cc4e45e9ee5448ef030fc2f5814fc05ffd9773f1
all runs: crashed: KASAN: null-ptr-deref Read in insert_char
# git bisect good ffa3794f702cfda48f4122bdcff0552ca04c3f34
Bisecting: 134 revisions left to test after this (roughly 7 steps)
[c24131ef099a065e4b9263440b03031b9328809c] drm/amd/powerplay: fix a crash when overclocking Vega M
testing commit c24131ef099a065e4b9263440b03031b9328809c with gcc (GCC) 8.1.0
kernel signature: 76b771b04d3ddd0d6b0a62ebe62a34b890fc95fc239a26e2da2c80e2cda53c2b
all runs: OK
# git bisect bad c24131ef099a065e4b9263440b03031b9328809c
Bisecting: 67 revisions left to test after this (roughly 6 steps)
[07904836043b7059c2dee83f5e4db4b2f91a8dae] drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
testing commit 07904836043b7059c2dee83f5e4db4b2f91a8dae with gcc (GCC) 8.1.0
kernel signature: 5c51ee36ed56f5ec7adf7f4821103cc9add873a38ade5eec08c3afb1ca83d7c2
all runs: crashed: KASAN: null-ptr-deref Read in insert_char
# git bisect good 07904836043b7059c2dee83f5e4db4b2f91a8dae
Bisecting: 33 revisions left to test after this (roughly 5 steps)
[77e1ed91b139c5578bdb6f7ef2297f87c3d42558] HID: steam: fixes race in handling device list.
testing commit 77e1ed91b139c5578bdb6f7ef2297f87c3d42558 with gcc (GCC) 8.1.0
kernel signature: 3178ba79c30d0a01c775cee9ed43432b22fd46ce438f8b2b88ec67967965ce06
all runs: crashed: KASAN: null-ptr-deref Read in insert_char
# git bisect good 77e1ed91b139c5578bdb6f7ef2297f87c3d42558
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[fffb773c4d93f1415a46192057a8c940917606e4] usb: xhci: Fix ASM2142/ASM3142 DMA addressing
testing commit fffb773c4d93f1415a46192057a8c940917606e4 with gcc (GCC) 8.1.0
kernel signature: f1cb0d9d1264739df4768234b21792d2770051b664219c8e4c3c67d1d2338d75
all runs: crashed: KASAN: null-ptr-deref Read in insert_char
# git bisect good fffb773c4d93f1415a46192057a8c940917606e4
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8] serial: 8250_mtk: Fix high-speed baud rates clamping
testing commit 5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8 with gcc (GCC) 8.1.0
kernel signature: ef99dcd711bcd50d3ec4750a4580a78cb576bfaaace5a6d0a49846eab5ba049b
all runs: crashed: KASAN: null-ptr-deref Read in insert_char
# git bisect good 5ccfaf3878968fbf40134ab5c6e3f3addd24ceb8
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[91404e91eb85fdb8b6d5d6c01a53cbc63b057e10] mm/memcg: fix refcount error while moving and swapping
testing commit 91404e91eb85fdb8b6d5d6c01a53cbc63b057e10 with gcc (GCC) 8.1.0
kernel signature: 1d2fc86f80c53c8c87a43ab1ca0a82e2c7fbd319282c7ca5c2e4cf44652d65a8
all runs: OK
# git bisect bad 91404e91eb85fdb8b6d5d6c01a53cbc63b057e10
Bisecting: 1 revision left to test after this (roughly 1 step)
[74752b81eae8ae64e97de222320026367e92c4b5] vt: Reject zero-sized screen buffer size.
testing commit 74752b81eae8ae64e97de222320026367e92c4b5 with gcc (GCC) 8.1.0
kernel signature: 68d7b39ab54f3373fd5c8a1266acf3b0147d5b3681e93fceb516e2bad5c05d0a
all runs: OK
# git bisect bad 74752b81eae8ae64e97de222320026367e92c4b5
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[dd58bd1b95b7127bb975942e14c4a9bd878c28db] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit dd58bd1b95b7127bb975942e14c4a9bd878c28db with gcc (GCC) 8.1.0
kernel signature: 79f20c8c7626a23699fc5266593201e5d04b0971ba91aee1b010f297b041bf1e
all runs: crashed: KASAN: null-ptr-deref Read in insert_char
# git bisect good dd58bd1b95b7127bb975942e14c4a9bd878c28db
74752b81eae8ae64e97de222320026367e92c4b5 is the first bad commit
commit 74752b81eae8ae64e97de222320026367e92c4b5
Author: Tetsuo Handa
Date:   Sun Jul 12 20:10:12 2020 +0900

    vt: Reject zero-sized screen buffer size.

    commit ce684552a266cb1c7cc2f7e623f38567adec6653 upstream.

    syzbot is reporting general protection fault in do_con_write() [1] caused by
    vc->vc_screenbuf == ZERO_SIZE_PTR caused by vc->vc_screenbuf_size == 0
    caused by vc->vc_cols == vc->vc_rows == vc->vc_size_row == 0 caused by
    fb_set_var() from ioctl(FBIOPUT_VSCREENINFO) on /dev/fb0 , for
    gotoxy(vc, 0, 0) from reset_terminal() from vc_init() from vc_allocate()
    from con_install() from tty_init_dev() from tty_open() on such console
    causes vc->vc_pos == 0x10000000e due to
    ((unsigned long) ZERO_SIZE_PTR) + -1U * 0 + (-1U << 1).

    I don't think that a console with 0 column or 0 row makes sense. And it
    seems that vc_do_resize() does not intend to allow resizing a console to
    0 column or 0 row due to

      new_cols = (cols ? cols : vc->vc_cols);
      new_rows = (lines ? lines : vc->vc_rows);

    exception.

    Theoretically, cols and rows can be any range as long as
    0 < cols * rows * 2 <= KMALLOC_MAX_SIZE is satisfied (e.g.
    cols == 1048576 && rows == 2 is possible) because of

      vc->vc_size_row = vc->vc_cols << 1;
      vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;

    in visual_init() and kzalloc(vc->vc_screenbuf_size) in vc_allocate().
    Since we can detect cols == 0 or rows == 0 via screenbuf_size = 0 in
    visual_init(), we can reject kzalloc(0). Then, vc_allocate() will return
    an error, and con_write() will not be called on a console with 0 column
    or 0 row.

    We need to make sure that integer overflow in visual_init() won't happen.
    Since vc_do_resize() restricts cols <= 32767 and rows <= 32767, applying
    1 <= cols <= 32767 and 1 <= rows <= 32767 restrictions to vc_allocate()
    will be practically fine.

    This patch does not touch con_init(), for returning -EINVAL there
    does not help when we are not returning -ENOMEM.

    [1] https://syzkaller.appspot.com/bug?extid=017265e8553724e514e8

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Cc: stable
    Link: https://lore.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/tty/vt/vt.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

culprit signature: 68d7b39ab54f3373fd5c8a1266acf3b0147d5b3681e93fceb516e2bad5c05d0a
parent signature: 79f20c8c7626a23699fc5266593201e5d04b0971ba91aee1b010f297b041bf1e
revisions tested: 14, total time: 3h28m54.6758725s (build: 2h16m43.414516344s, test: 1h9m54.466197216s)
first good commit: 74752b81eae8ae64e97de222320026367e92c4b5 vt: Reject zero-sized screen buffer size.
recipients (to): ["gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+017265e8553724e514e8@syzkaller.appspotmail.com"]
recipients (cc): []
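Added worked example (editor's code, not part of the syzbot log and not the code of the patch under test): a user-space C model of the arithmetic the commit message walks through. It reproduces the vc_pos value 0x10000000e from a 0x0 console whose "screen buffer" is ZERO_SIZE_PTR, and implements the rejection rule the message describes (1 <= cols <= 32767, 1 <= rows <= 32767, 0 < cols * rows * 2 <= KMALLOC_MAX_SIZE). Assumptions: ZERO_SIZE_PTR is ((void *)16) as in the kernel's slab.h; KMALLOC_MAX_SIZE is config dependent and is taken to be 4 MiB here; the struct, the `model_` functions and the cursor-clamping shape of gotoxy() are a simplified stand-in for drivers/tty/vt/vt.c, run on a 64-bit host as in the report.

```c
/*
 * Editor's model of the vt screen-buffer arithmetic, not kernel code.
 * vc_pos = vc_origin + y * vc_size_row + (x << 1), with x and y clamped
 * to cols-1 / rows-1 as unsigned values, so a 0x0 console wraps both.
 */
#include <limits.h>
#include <stdio.h>

#define ZERO_SIZE_PTR ((void *)16)          /* what kzalloc(0) returns */
#define MODEL_KMALLOC_MAX_SIZE (4UL << 20)  /* assumed: 4 MiB on this config */
#define MODEL_VC_MAXCOL 32767u              /* limits quoted from vc_do_resize() */
#define MODEL_VC_MAXROW 32767u

struct vc_model {
    unsigned int cols, rows;     /* vc_cols, vc_rows */
    unsigned int size_row;       /* vc_size_row = cols << 1 */
    unsigned int screenbuf_size; /* vc_screenbuf_size = rows * size_row */
    unsigned long origin;        /* vc_origin: address of the screen buffer */
    unsigned int x, y;           /* cursor, unsigned like vc->state.x / .y */
    unsigned long pos;           /* vc_pos */
};

/* The two products the commit message quotes from visual_init(). */
static void model_visual_init(struct vc_model *vc, unsigned int cols, unsigned int rows)
{
    vc->cols = cols;
    vc->rows = rows;
    vc->size_row = vc->cols << 1;
    vc->screenbuf_size = vc->rows * vc->size_row;
}

/* Cursor placement with the same clamping shape as gotoxy(): a request at
 * or past the edge is clamped to cols-1 / rows-1, which is -1U when the
 * dimension is 0. The product y * size_row is unsigned int arithmetic,
 * so it is -1U * 0 == 0 and the shifted x contributes 0xfffffffe. */
static void model_gotoxy(struct vc_model *vc, int new_x, int new_y)
{
    if (new_x < 0)
        vc->x = 0;
    else if ((unsigned int)new_x >= vc->cols)
        vc->x = vc->cols - 1;  /* wraps to 0xffffffff when cols == 0 */
    else
        vc->x = (unsigned int)new_x;

    if (new_y < 0)
        vc->y = 0;
    else if ((unsigned int)new_y >= vc->rows)
        vc->y = vc->rows - 1;  /* wraps to 0xffffffff when rows == 0 */
    else
        vc->y = (unsigned int)new_y;

    vc->pos = vc->origin + vc->y * vc->size_row + (vc->x << 1);
}

/* vc_pos after allocate + reset_terminal()'s gotoxy(vc, 0, 0) for a
 * cols x rows console. `buf` stands for the real kzalloc() result; a
 * zero-sized request does not fail but yields ZERO_SIZE_PTR instead. */
unsigned long model_pos_after_gotoxy00(unsigned int cols, unsigned int rows, unsigned long buf)
{
    struct vc_model vc = {0};

    model_visual_init(&vc, cols, rows);
    vc.origin = vc.screenbuf_size ? buf : (unsigned long)ZERO_SIZE_PTR;
    model_gotoxy(&vc, 0, 0);
    return vc.pos;
}

/* The rule the commit message proposes for vc_allocate(): reject any
 * geometry outside 1..32767 in either dimension, and any buffer that is
 * empty or larger than KMALLOC_MAX_SIZE. Returns 0 or -22 (-EINVAL). */
int model_check_screen_size(unsigned int cols, unsigned int rows)
{
    unsigned long long size;

    if (cols < 1 || cols > MODEL_VC_MAXCOL || rows < 1 || rows > MODEL_VC_MAXROW)
        return -22;
    /* With both factors <= 32767 the product cannot wrap a 32-bit unsigned:
     * 32767 * 32767 * 2 == 2147352578 < UINT_MAX. */
    size = (unsigned long long)rows * (cols << 1);
    if (size == 0 || size > MODEL_KMALLOC_MAX_SIZE)
        return -22;
    return 0;
}

int main(void)
{
    const struct { unsigned int c, r; } geometries[] = {
        {0, 0}, {80, 25}, {1048576, 2}, {32767, 32767}, {2048, 1024}, {2048, 1025},
    };
    size_t i;

    printf("0x0 console, buffer ZERO_SIZE_PTR: vc_pos = 0x%lx\n",
           model_pos_after_gotoxy00(0, 0, 0));
    for (i = 0; i < sizeof geometries / sizeof geometries[0]; i++)
        printf("%7u x %5u -> %s\n", geometries[i].c, geometries[i].r,
               model_check_screen_size(geometries[i].c, geometries[i].r) ? "rejected" : "ok");
    return 0;
}
```

The first printed line is the 0x10000000e from the report: 16 (ZERO_SIZE_PTR) plus 0xfffffffe from the wrapped column index, an address that nothing backs, which is why the subsequent write faulted. The 1048576 x 2 case the message calls "theoretically possible" is rejected by the 32767 bound rather than by the size check, and 32767 x 32767 is rejected by the size check even though the product does not overflow.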