bisecting cause commit starting from d2b6f8a179194de0ffc4886ffc2c4358d86047b8
building syzkaller on 77e2b66864e69c17416614228723a1ebd3581ddc
testing commit d2b6f8a179194de0ffc4886ffc2c4358d86047b8 with gcc (GCC) 10.2.1 20210217
kernel signature: 523d4a52ea04efead30aef648120a4fb24b157f7ae1c3543a937726d7770b3cc
all runs: crashed: BUG: unable to handle kernel paging request in vga16fb_imageblit
testing release v5.12
testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 with gcc (GCC) 10.2.1 20210217
kernel signature: 730f820ef927730b5ef5036ebf8e045defb185547743f53f909f9d8782e2962b
all runs: crashed: BUG: unable to handle kernel paging request in vga16fb_imageblit
testing release v5.11
testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217
kernel signature: cd0624c313eee9dbe883c84613088a076004fb5606005959d8903d734f96eead
all runs: crashed: BUG: unable to handle kernel paging request in vga16fb_imageblit
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217
kernel signature: a767d1c0748b262bedcbdaea0dcd8525f36dfd860e55e3011071d79cdd546eb7
all runs: crashed: BUG: unable to handle kernel paging request in vga16fb_imageblit
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217
kernel signature: c1eb7e909f8378967dad0ace2a253c918d67954b67bcd2832ebee20390200107
all runs: OK
# git bisect start 2c85ebc57b3e1817b6ce1a6b703928e113a90442 bbf5c979011a099af5dc76498918ed7df445635b
Bisecting: 9594 revisions left to test after this (roughly 13 steps)
[4d0e9df5e43dba52d38b251e3b909df8fa1110be] lib, uaccess: add failure injection to usercopy functions

testing commit 4d0e9df5e43dba52d38b251e3b909df8fa1110be with gcc (GCC) 10.2.1 20210217
kernel signature: 1c596d2a9f2f8cf0eb7bab7e11004752999ab9df835aa821d676f5b5c36942f4
all runs: crashed: BUG: unable to handle kernel paging request in vga16fb_imageblit
# git bisect bad 4d0e9df5e43dba52d38b251e3b909df8fa1110be
Bisecting: 3935 revisions left to test after this (roughly 12 steps)
[f888bdf9823c85fe945c4eb3ba353f749dec3856] Merge tag 'devicetree-for-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

testing commit f888bdf9823c85fe945c4eb3ba353f749dec3856 with gcc (GCC) 10.2.1 20210217
kernel signature: ba54f6e97211dcef90c1b173224d18a2beaab6974676ced4b16ea37692fca65d
all runs: OK
# git bisect good f888bdf9823c85fe945c4eb3ba353f749dec3856
Bisecting: 2410 revisions left to test after this (roughly 11 steps)
[640eee067d9aae0bb98d8706001976ff1affaf00] Merge tag 'drm-misc-next-fixes-2020-10-13' of git://anongit.freedesktop.org/drm/drm-misc into drm-next

testing commit 640eee067d9aae0bb98d8706001976ff1affaf00 with gcc (GCC) 8.4.1 20210217
kernel signature: 082468b94710876deaabed50be441a43afc28b134dd1accbb837371d4e54e0b2
all runs: OK
# git bisect good 640eee067d9aae0bb98d8706001976ff1affaf00
Bisecting: 1374 revisions left to test after this (roughly 10 steps)
[c6dbef7307629cce855aa6b482b60cbf7777ed88] Merge tag 'usb-5.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

testing commit c6dbef7307629cce855aa6b482b60cbf7777ed88 with gcc (GCC) 10.2.1 20210217
kernel signature: 9ddb3db1286b6facbf9f6cb1694f7febfa4a7a9ed74edf30dd7a97f42ab2498e
all runs: crashed: BUG: unable to handle kernel paging request in vga16fb_imageblit
# git bisect bad c6dbef7307629cce855aa6b482b60cbf7777ed88
Bisecting: 554 revisions left to test after this (roughly 9 steps)
[e1f13c879a7c21bd207dc6242455e8e3a1e88b40] staging: comedi: check validity of wMaxPacketSize of usb endpoints found

testing commit e1f13c879a7c21bd207dc6242455e8e3a1e88b40 with gcc (GCC) 8.4.1 20210217
kernel signature: aba02c0bcdfeb5d2ea3aaabb7e62acc27cc0492b97f93787b7342e9a9482e479
all runs: OK
# git bisect good e1f13c879a7c21bd207dc6242455e8e3a1e88b40
Bisecting: 307 revisions left to test after this (roughly 8 steps)
[97b65223c18f131e18d662448381b727c04c2325] USB: core: remove polling for /sys/kernel/debug/usb/devices

testing commit 97b65223c18f131e18d662448381b727c04c2325 with gcc (GCC) 8.4.1 20210217
kernel signature: d0fe6f7d10e6332858a036c72b708ad5de5aa92234e682eb8352da25db5911eb
all runs: OK
# git bisect good 97b65223c18f131e18d662448381b727c04c2325
Bisecting: 148 revisions left to test after this (roughly 7 steps)
[fe151462bd0f7ad0e758f1cdcbeb6426e3d1ee8e] Merge tag 'driver-core-5.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

testing commit fe151462bd0f7ad0e758f1cdcbeb6426e3d1ee8e with gcc (GCC) 10.2.1 20210217
kernel signature: ec8bde9b995b68aff0c2dd4a18d34c9c29b2624c3e066be3e9aa758c02a4e1d8
all runs: crashed: BUG: unable to handle kernel paging request in vga16fb_imageblit
# git bisect bad fe151462bd0f7ad0e758f1cdcbeb6426e3d1ee8e
Bisecting: 79 revisions left to test after this (roughly 6 steps)
[a27eb0cb4b2104461de1a1284059b3ac875e45b5] tty/sysrq: Extend the sysrq_key_table to cover capital letters

testing commit a27eb0cb4b2104461de1a1284059b3ac875e45b5 with gcc (GCC) 8.4.1 20210217
kernel signature: 020740b396f38a7706d6c5fda8943f169e9d9f763d51fa139aec17ce073fb3c6
all runs: crashed: BUG: unable to handle kernel paging request in vga16fb_imageblit
# git bisect bad a27eb0cb4b2104461de1a1284059b3ac875e45b5
Bisecting: 39 revisions left to test after this (roughly 5 steps)
[ea43a60b15486bca1c406b59034e3561d543d571] serial: 8250: Simplify with dev_err_probe()

testing commit ea43a60b15486bca1c406b59034e3561d543d571 with gcc (GCC) 8.4.1 20210217
kernel signature: d56fae6b6440d41c9dbdbd9d4454362e5ec69b8429f78529bb8a418775955010
all runs: OK
# git bisect good ea43a60b15486bca1c406b59034e3561d543d571
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[33f16b25a091687388152d4b29593a39d819aa22] Merge 5.9.0-rc6 into tty-next

testing commit 33f16b25a091687388152d4b29593a39d819aa22 with gcc (GCC) 8.4.1 20210217
kernel signature: c0cf06d205f45df9cbedf5180dfa053ada8bcbe4b3221f5159fbbf254ccc91c6
all runs: OK
# git bisect good 33f16b25a091687388152d4b29593a39d819aa22
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[c9ca43d42ed8d5fd635d327a664ed1d8579eb2af] serial: qcom_geni_serial: To correct QUP Version detection logic

testing commit c9ca43d42ed8d5fd635d327a664ed1d8579eb2af with gcc (GCC) 8.4.1 20210217
kernel signature: 335aeaedf7fd1f651facbc27e593fe66bcd3366b81a7686286a7d5c423d4f8c9
all runs: crashed: BUG: unable to handle kernel paging request in vga16fb_imageblit
# git bisect bad c9ca43d42ed8d5fd635d327a664ed1d8579eb2af
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[75fc65079d8253e1c25a5f8348111a85d71e0f01] tty: hvc: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n

testing commit 75fc65079d8253e1c25a5f8348111a85d71e0f01 with gcc (GCC) 8.4.1 20210217
kernel signature: c0cf06d205f45df9cbedf5180dfa053ada8bcbe4b3221f5159fbbf254ccc91c6
run #0: boot failed: can't ssh into the instance
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 75fc65079d8253e1c25a5f8348111a85d71e0f01
Bisecting: 2 revisions left to test after this (roughly 1 step)
[b63537020db34ac3f88086095cc49df65283fb61] serial: mvebu-uart: simplify the return expression of mvebu_uart_probe()

testing commit b63537020db34ac3f88086095cc49df65283fb61 with gcc (GCC) 8.4.1 20210217
kernel signature: c0cf06d205f45df9cbedf5180dfa053ada8bcbe4b3221f5159fbbf254ccc91c6
all runs: OK
# git bisect good b63537020db34ac3f88086095cc49df65283fb61
Bisecting: 0 revisions left to test after this (roughly 1 step)
[58e49346672f738cf6eeb62009a5b0ae194374c4] serial: mvebu-uart: fix unused variable warning

testing commit 58e49346672f738cf6eeb62009a5b0ae194374c4 with gcc (GCC) 8.4.1 20210217
kernel signature: 335aeaedf7fd1f651facbc27e593fe66bcd3366b81a7686286a7d5c423d4f8c9
all runs: crashed: BUG: unable to handle kernel paging request in vga16fb_imageblit
# git bisect bad 58e49346672f738cf6eeb62009a5b0ae194374c4
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[988d0763361bb65690d60e2bc53a6b72777040c3] vt_ioctl: make VT_RESIZEX behave like VT_RESIZE

testing commit 988d0763361bb65690d60e2bc53a6b72777040c3 with gcc (GCC) 8.4.1 20210217
kernel signature: 335aeaedf7fd1f651facbc27e593fe66bcd3366b81a7686286a7d5c423d4f8c9
all runs: crashed: BUG: unable to handle kernel paging request in vga16fb_imageblit
# git bisect bad 988d0763361bb65690d60e2bc53a6b72777040c3
988d0763361bb65690d60e2bc53a6b72777040c3 is the first bad commit
commit 988d0763361bb65690d60e2bc53a6b72777040c3
Author: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Date:   Sun Sep 27 20:46:30 2020 +0900

    vt_ioctl: make VT_RESIZEX behave like VT_RESIZE
    
    syzbot is reporting UAF/OOB read at bit_putcs()/soft_cursor() [1][2], for
    vt_resizex() from ioctl(VT_RESIZEX) allows setting font height larger than
    actual font height calculated by con_font_set() from ioctl(PIO_FONT).
    Since fbcon_set_font() from con_font_set() allocates minimal amount of
    memory based on actual font height calculated by con_font_set(),
    use of vt_resizex() can cause UAF/OOB read for font data.
    
    VT_RESIZEX was introduced in Linux 1.3.3, but it is unclear that what
    comes to the "+ more" part, and I couldn't find a user of VT_RESIZEX.
    
      #define VT_RESIZE   0x5609 /* set kernel's idea of screensize */
      #define VT_RESIZEX  0x560A /* set kernel's idea of screensize + more */
    
    So far we are not aware of syzbot reports caused by setting non-zero value
    to v_vlin parameter. But given that it is possible that nobody is using
    VT_RESIZEX, we can try removing support for v_clin and v_vlin parameters.
    
    Therefore, this patch effectively makes VT_RESIZEX behave like VT_RESIZE,
    with emitting a message if somebody is still using v_clin and/or v_vlin
    parameters.
    
    [1] https://syzkaller.appspot.com/bug?id=32577e96d88447ded2d3b76d71254fb855245837
    [2] https://syzkaller.appspot.com/bug?id=6b8355d27b2b94fb5cedf4655e3a59162d9e48e3
    
    Reported-by: syzbot <syzbot+b308f5fd049fbbc6e74f@syzkaller.appspotmail.com>
    Reported-by: syzbot <syzbot+16469b5e8e5a72e9131e@syzkaller.appspotmail.com>
    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/4933b81b-9b1a-355b-df0e-9b31e8280ab9@i-love.sakura.ne.jp
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/tty/vt/vt_ioctl.c | 57 +++++++++--------------------------------------
 1 file changed, 10 insertions(+), 47 deletions(-)

culprit signature: 335aeaedf7fd1f651facbc27e593fe66bcd3366b81a7686286a7d5c423d4f8c9
parent  signature: c0cf06d205f45df9cbedf5180dfa053ada8bcbe4b3221f5159fbbf254ccc91c6
revisions tested: 20, total time: 4h41m24.57170896s (build: 2h17m36.90085656s, test: 2h20m28.637517372s)
first bad commit: 988d0763361bb65690d60e2bc53a6b72777040c3 vt_ioctl: make VT_RESIZEX behave like VT_RESIZE
recipients (to): ["gregkh@linuxfoundation.org" "gregkh@linuxfoundation.org" "jirislaby@kernel.org" "linux-kernel@vger.kernel.org" "penguin-kernel@i-love.sakura.ne.jp"]
recipients (cc): []
crash: BUG: unable to handle kernel paging request in vga16fb_imageblit
BUG: unable to handle page fault for address: ffff888001000040
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD f601067 P4D f601067 PUD f602067 PMD 80000000010001e1 
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 10215 Comm: syz-executor.5 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1176 [inline]
RIP: 0010:vga16fb_imageblit+0xacd/0x2260 drivers/video/fbdev/vga16fb.c:1260
Code: 48 89 f8 49 89 f9 4c 8d 67 01 48 c1 e8 03 41 83 e1 07 42 0f b6 04 18 44 38 c8 7f 08 84 c0 0f 85 95 0e 00 00 41 0f b6 44 24 ff <88> 45 00 4d 39 f8 4c 89 fd 4c 89 e7 75 c4 4d 63 ed 4f 8d 74 2e 01
RSP: 0018:ffffc9000abf74a8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc9000abf7638 RCX: ffff888001000040
RDX: 0000000000000004 RSI: 0000000000000007 RDI: ffff8882388f8868
RBP: ffff888001000040 R08: ffff888001000042 R09: 0000000000000000
R10: fffff5200157eec8 R11: dffffc0000000000 R12: ffff8882388f8869
R13: 0000000000000001 R14: ffff8882388f8868 R15: ffff888001000041
FS:  00007fd221fca700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000040 CR3: 0000000088ec6000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x60f/0xbc0 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x35d/0x5d0 drivers/video/fbdev/core/fbcon.c:1308
 do_update_region+0x2d8/0x5c0 drivers/tty/vt/vt.c:676
 redraw_screen+0x567/0x710 drivers/tty/vt/vt.c:1035
 fbcon_blank+0x857/0xb60 drivers/video/fbdev/core/fbcon.c:2252
 do_unblank_screen drivers/tty/vt/vt.c:4406 [inline]
 do_unblank_screen+0x1de/0x3b0 drivers/tty/vt/vt.c:4374
 vt_kdsetmode drivers/tty/vt/vt_ioctl.c:276 [inline]
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:381 [inline]
 vt_ioctl+0xde2/0x2610 drivers/tty/vt/vt_ioctl.c:814
 tty_ioctl+0x461/0x1220 drivers/tty/tty_io.c:2654
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x120/0x190 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd221fca188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
RDX: 0000000000000000 RSI: 0000000000004b3a RDI: 0000000000000003
RBP: 00000000004bfce1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffdec20eaaf R14: 00007fd221fca300 R15: 0000000000022000
Modules linked in:
CR2: ffff888001000040
---[ end trace 1d8347ac81ff754b ]---
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1176 [inline]
RIP: 0010:vga16fb_imageblit+0xacd/0x2260 drivers/video/fbdev/vga16fb.c:1260
Code: 48 89 f8 49 89 f9 4c 8d 67 01 48 c1 e8 03 41 83 e1 07 42 0f b6 04 18 44 38 c8 7f 08 84 c0 0f 85 95 0e 00 00 41 0f b6 44 24 ff <88> 45 00 4d 39 f8 4c 89 fd 4c 89 e7 75 c4 4d 63 ed 4f 8d 74 2e 01
RSP: 0018:ffffc9000abf74a8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc9000abf7638 RCX: ffff888001000040
RDX: 0000000000000004 RSI: 0000000000000007 RDI: ffff8882388f8868
RBP: ffff888001000040 R08: ffff888001000042 R09: 0000000000000000
R10: fffff5200157eec8 R11: dffffc0000000000 R12: ffff8882388f8869
R13: 0000000000000001 R14: ffff8882388f8868 R15: ffff888001000041
FS:  00007fd221fca700(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000040 CR3: 0000000088ec6000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400