bisecting fixing commit since 174651bdf802a2139065e8e31ce950e2f3fc4a94
building syzkaller on 0ecb9746a701be4544b845514a31a21cce92cc79
testing commit 174651bdf802a2139065e8e31ce950e2f3fc4a94 with gcc (GCC) 8.1.0
kernel signature: 35103a1b2d0624936166e3bd4e1bb9ac6085462e2c33e560b899e676a3674876
all runs: crashed: KASAN: use-after-free Read in soft_cursor
testing current HEAD ad326970d25cc85128cd22d62398751ad072efff
testing commit ad326970d25cc85128cd22d62398751ad072efff with gcc (GCC) 8.1.0
kernel signature: 5e75bad4d822d9c9261b4818ceb7d383e30cec7752f3dc9feb3612da06aa228a
all runs: OK
# git bisect start ad326970d25cc85128cd22d62398751ad072efff 174651bdf802a2139065e8e31ce950e2f3fc4a94
Bisecting: 3254 revisions left to test after this (roughly 12 steps)
[797479da0ae9cf7c45d0e97c0258622b4325a919] signal: avoid double atomic counter increments for user accounting
testing commit 797479da0ae9cf7c45d0e97c0258622b4325a919 with gcc (GCC) 8.1.0
kernel signature: acbe089f4e61cdcb5bc027286eb55de4e67fb634ae61593985848395460b199a
run #0: crashed: KASAN: use-after-free Read in soft_cursor
run #1: crashed: KASAN: use-after-free Read in soft_cursor
run #2: crashed: KASAN: slab-out-of-bounds Read in soft_cursor
run #3: crashed: KASAN: use-after-free Read in soft_cursor
run #4: crashed: KASAN: use-after-free Read in soft_cursor
run #5: crashed: KASAN: use-after-free Read in soft_cursor
run #6: crashed: KASAN: use-after-free Read in soft_cursor
run #7: crashed: KASAN: use-after-free Read in soft_cursor
run #8: crashed: KASAN: slab-out-of-bounds Read in bit_putcs
run #9: crashed: KASAN: use-after-free Read in soft_cursor
# git bisect good 797479da0ae9cf7c45d0e97c0258622b4325a919
Bisecting: 1627 revisions left to test after this (roughly 11 steps)
[061abde39541d563fbaa2154b83dc272b910b31d] net: fix memleak in register_netdevice()
testing commit 061abde39541d563fbaa2154b83dc272b910b31d with gcc (GCC) 8.1.0
kernel signature: 503136d21be1d8dc1c5e9ac8a2887e9bc3d8765779ec3b39b292b3c7d88268c8
run #0: crashed: KASAN: use-after-free Read in soft_cursor
run #1: crashed: KASAN: use-after-free Read in soft_cursor
run #2: crashed: KASAN: use-after-free Read in soft_cursor
run #3: crashed: KASAN: use-after-free Read in soft_cursor
run #4: crashed: KASAN: slab-out-of-bounds Read in soft_cursor
run #5: crashed: KASAN: use-after-free Read in soft_cursor
run #6: crashed: KASAN: use-after-free Read in soft_cursor
run #7: crashed: KASAN: use-after-free Read in soft_cursor
run #8: crashed: KASAN: slab-out-of-bounds Read in soft_cursor
run #9: crashed: KASAN: use-after-free Read in soft_cursor
# git bisect good 061abde39541d563fbaa2154b83dc272b910b31d
Bisecting: 813 revisions left to test after this (roughly 10 steps)
[2ef7ebb143705147bc74db2bc1bd0214c212e6bc] khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter()
testing commit 2ef7ebb143705147bc74db2bc1bd0214c212e6bc with gcc (GCC) 8.1.0
kernel signature: 50de94644b3ba1e031239982e9c2d4f7260b64df8066c960ed2678261b1e4677
run #0: crashed: KASAN: slab-out-of-bounds Read in bit_putcs
run #1: crashed: KASAN: use-after-free Read in soft_cursor
run #2: crashed: KASAN: use-after-free Read in soft_cursor
run #3: crashed: KASAN: slab-out-of-bounds Read in soft_cursor
run #4: crashed: KASAN: use-after-free Read in soft_cursor
run #5: crashed: KASAN: use-after-free Read in soft_cursor
run #6: crashed: KASAN: slab-out-of-bounds Read in soft_cursor
run #7: crashed: KASAN: slab-out-of-bounds Read in soft_cursor
run #8: crashed: KASAN: use-after-free Read in soft_cursor
run #9: crashed: KASAN: use-after-free Read in soft_cursor
# git bisect good 2ef7ebb143705147bc74db2bc1bd0214c212e6bc
Bisecting: 406 revisions left to test after this (roughly 9 steps)
[cb0f66eb67d75b93a66063c12414b969ee137b51] USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD zhaoxin notebook
testing commit cb0f66eb67d75b93a66063c12414b969ee137b51 with gcc (GCC) 8.1.0
kernel signature: 5cc6a0bc3a28bdd742dc097cd28f89a3fc2108c3a801f0ab7db5e150f3cd0e01
all runs: OK
# git bisect bad cb0f66eb67d75b93a66063c12414b969ee137b51
Bisecting: 203 revisions left to test after this (roughly 8 steps)
[76abdb81893fd282c7844632e20275fffce2ec41] nvmet: Disable keep-alive timer when kato is cleared to 0h
testing commit 76abdb81893fd282c7844632e20275fffce2ec41 with gcc (GCC) 8.1.0
kernel signature: cce5bdd04e03ef514f348e6deaa0e91c45d0784fa8714bb6a1b89e06ffa476f5
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_resize
# git bisect good 76abdb81893fd282c7844632e20275fffce2ec41
Bisecting: 101 revisions left to test after this (roughly 7 steps)
[e3aa4b5bed2b4b18f83d3caec1c9b69462144951] ARM: dts: BCM5301X: Fixed QSPI compatible string
testing commit e3aa4b5bed2b4b18f83d3caec1c9b69462144951 with gcc (GCC) 8.1.0
kernel signature: 78b3a07210187051dc232746d970ac380e4e0c160ddd2b249cd28c2f6a775194
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_resize
# git bisect good e3aa4b5bed2b4b18f83d3caec1c9b69462144951
Bisecting: 50 revisions left to test after this (roughly 6 steps)
[770adb5d2b8ebe94a92e4c9510f4f2517f4204eb] fbcon: remove soft scrollback code
testing commit 770adb5d2b8ebe94a92e4c9510f4f2517f4204eb with gcc (GCC) 8.1.0
kernel signature: 760f240fcb16e0a7fc969e567506e2553265945614fab9b7b11c063a7f7d852e
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_resize
# git bisect good 770adb5d2b8ebe94a92e4c9510f4f2517f4204eb
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[d7c720df355273db19093c487c460fb2067068dd] scsi: libfc: Fix for double free()
testing commit d7c720df355273db19093c487c460fb2067068dd with gcc (GCC) 8.1.0
kernel signature: f4986a440fc5b7667e4323c95310a351f16a215beffcf3bedb8d2e89ad9f0263
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_resize
# git bisect good d7c720df355273db19093c487c460fb2067068dd
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[80c468d9abc9d4129809c1ffc90b3c835a1202c2] spi: Fix memory leak on splited transfers
testing commit 80c468d9abc9d4129809c1ffc90b3c835a1202c2 with gcc (GCC) 8.1.0
kernel signature: 6aa151ab0c46769a8d7be81178433d37e3a9cb9b9a03ec967aae71bd45ad5814
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_resize
# git bisect good 80c468d9abc9d4129809c1ffc90b3c835a1202c2
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[c5dbe21652cd7a0ab49274d79077a8655255611a] perf test: Fix the "signal" test inline assembly
testing commit c5dbe21652cd7a0ab49274d79077a8655255611a with gcc (GCC) 8.1.0
kernel signature: 6aa151ab0c46769a8d7be81178433d37e3a9cb9b9a03ec967aae71bd45ad5814
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_resize
# git bisect good c5dbe21652cd7a0ab49274d79077a8655255611a
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[76fe92986c5c2fff36d8fb83e86332113b6c1725] fbcon: Fix user font detection test at fbcon_resize().
testing commit 76fe92986c5c2fff36d8fb83e86332113b6c1725 with gcc (GCC) 8.1.0
kernel signature: 105d61235d4b80e2b51f56575dc34b8ab3a1bf8505d81850ee886dca4e2d7cb6
all runs: OK
# git bisect bad 76fe92986c5c2fff36d8fb83e86332113b6c1725
Bisecting: 0 revisions left to test after this (roughly 1 step)
[1e96d27099ef4b9ee2c3ad09025083779657e175] perf test: Free formats for perf pmu parse test
testing commit 1e96d27099ef4b9ee2c3ad09025083779657e175 with gcc (GCC) 8.1.0
kernel signature: 6aa151ab0c46769a8d7be81178433d37e3a9cb9b9a03ec967aae71bd45ad5814
all runs: crashed: KASAN: global-out-of-bounds Read in fbcon_resize
# git bisect good 1e96d27099ef4b9ee2c3ad09025083779657e175
76fe92986c5c2fff36d8fb83e86332113b6c1725 is the first bad commit
commit 76fe92986c5c2fff36d8fb83e86332113b6c1725
Author: Tetsuo Handa
Date:   Fri Sep 11 07:57:06 2020 +0900

    fbcon: Fix user font detection test at fbcon_resize().

    [ Upstream commit ec0972adecb391a8d8650832263a4790f3bfb4df ]

    syzbot is reporting OOB read at fbcon_resize() [1], for commit 39b3cffb8cf31117
    ("fbcon: prevent user font height or width change from causing potential
    out-of-bounds access") is by error using
    registered_fb[con2fb_map[vc->vc_num]]->fbcon_par->p->userfont (which was
    set to non-zero) instead of fb_display[vc->vc_num].userfont (which remains
    zero for that display).

    We could remove tricky userfont flag [2], for we can determine it by
    comparing address of the font data and addresses of built-in font data.
    But since that commit is failing to fix the original OOB read [3], this
    patch keeps the change minimal in case we decide to revert altogether.

    [1] https://syzkaller.appspot.com/bug?id=ebcbbb6576958a496500fee9cf7aa83ea00b5920
    [2] https://syzkaller.appspot.com/text?tag=Patch&x=14030853900000
    [3] https://syzkaller.appspot.com/bug?id=6fba8c186d97cf1011ab17660e633b1cc4e080c9

    Reported-by: syzbot
    Signed-off-by: Tetsuo Handa
    Fixes: 39b3cffb8cf31117 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access")
    Cc: George Kennedy
    Link: https://lore.kernel.org/r/f6e3e611-8704-1263-d163-f52c906a4f06@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Sasha Levin

 drivers/video/fbdev/core/fbcon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

culprit signature: 105d61235d4b80e2b51f56575dc34b8ab3a1bf8505d81850ee886dca4e2d7cb6
parent signature: 6aa151ab0c46769a8d7be81178433d37e3a9cb9b9a03ec967aae71bd45ad5814
revisions tested: 14, total time: 3h1m53.445164019s (build: 1h56m53.212064347s, test: 1h3m26.369653973s)
first good commit: 76fe92986c5c2fff36d8fb83e86332113b6c1725 fbcon: Fix user font detection test at fbcon_resize().
recipients (to): ["gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "sashal@kernel.org"]
recipients (cc): []