bisecting fixing commit since 04300d66f0a06d572d9f2ad6768c38cabde22179
building syzkaller on 512651955aad51ef5f916aa2d84732e84d1c5e48
testing commit 04300d66f0a06d572d9f2ad6768c38cabde22179 with gcc (GCC) 8.1.0
kernel signature: 8131d9eb5511d00a67eec4ae68a177a7e9310df73aa713d308fb123d33686871
all runs: crashed: BUG: unable to handle kernel paging request in bitfill_aligned
testing current HEAD 270315b8235e3d10c2e360cff56c2f9e0915a252
testing commit 270315b8235e3d10c2e360cff56c2f9e0915a252 with gcc (GCC) 8.1.0
kernel signature: 1d700f51f9d84772f2a8f2d32aaacbddbfa963cd6bc55a3320aed0ff4455e2d6
all runs: OK
# git bisect start 270315b8235e3d10c2e360cff56c2f9e0915a252 04300d66f0a06d572d9f2ad6768c38cabde22179
Bisecting: 14199 revisions left to test after this (roughly 14 steps)
[2f4b769e4d18c1a38dc892668971fc2f0c4e6f5b] drm/panel: novatek,nt39016: Reorder calls in probe
testing commit 2f4b769e4d18c1a38dc892668971fc2f0c4e6f5b with gcc (GCC) 8.1.0
kernel signature: afd7f9d78cfeb02a233e483ea2e17e7258f621c4cd7e0825c9737d607799d23a
all runs: OK
# git bisect bad 2f4b769e4d18c1a38dc892668971fc2f0c4e6f5b
Bisecting: 7977 revisions left to test after this (roughly 13 steps)
[8186749621ed6b8fc42644c399e8c755a2b6f630] Merge tag 'drm-next-2020-08-06' of git://anongit.freedesktop.org/drm/drm
testing commit 8186749621ed6b8fc42644c399e8c755a2b6f630 with gcc (GCC) 8.1.0
kernel signature: 1d53d62a1aad53805aab6e45ca31d73fcc9132db570a61bedd5c360ab2fdf36f
all runs: OK
# git bisect bad 8186749621ed6b8fc42644c399e8c755a2b6f630
Bisecting: 3152 revisions left to test after this (roughly 12 steps)
[a754292348bf88ec6b55563eca4faba7dcfe2ae7] Merge tag 'printk-for-5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux
testing commit a754292348bf88ec6b55563eca4faba7dcfe2ae7 with gcc (GCC) 8.1.0
kernel signature: 7a191eac7d7becca9c95c2fd91ffe11a5ed01dcc158030ffba55d739a9ef5985
all runs: OK
# git bisect bad a754292348bf88ec6b55563eca4faba7dcfe2ae7
Bisecting: 1547 revisions left to test after this (roughly 11 steps)
[92c59e126b21fd212195358a0d296e787e444087] Merge tag 'arm-defconfig-5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 92c59e126b21fd212195358a0d296e787e444087 with gcc (GCC) 8.1.0
kernel signature: f23c9d2831d9bb71830e33b6f106934d5736e759530f320bc11fed0a59fd2e20
all runs: OK
# git bisect bad 92c59e126b21fd212195358a0d296e787e444087
Bisecting: 770 revisions left to test after this (roughly 10 steps)
[382625d0d4325fb14a29444eb8dce8dcc2eb9b51] Merge tag 'for-5.9/block-20200802' of git://git.kernel.dk/linux-block
testing commit 382625d0d4325fb14a29444eb8dce8dcc2eb9b51 with gcc (GCC) 8.1.0
kernel signature: 8f46a8cd45e64b3ee7f9c799f82ea9ab94e8a9277665e2dce414d76e22acae45
all runs: OK
# git bisect bad 382625d0d4325fb14a29444eb8dce8dcc2eb9b51
Bisecting: 315 revisions left to test after this (roughly 9 steps)
[6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d] Merge tag 'for-5.9-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit 6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d with gcc (GCC) 8.1.0
kernel signature: 441723b87248f35836de9ab5b39175e42d8eb1a81b83e603dd7583eb451b252c
all runs: OK
# git bisect bad 6dec9f406c1f2de6d750de0fc9d19872d9c4bf0d
Bisecting: 236 revisions left to test after this (roughly 8 steps)
[5e548b32018d96c377fda4bdac2bf511a448ca67] btrfs: do not set the full sync flag on the inode during page release
testing commit 5e548b32018d96c377fda4bdac2bf511a448ca67 with gcc (GCC) 8.1.0
kernel signature: b1d5cfeb3d4eb09aa93dc3e26be953292cb8a9e9c69a65445bb40369cf8bbcc2
all runs: OK
# git bisect bad 5e548b32018d96c377fda4bdac2bf511a448ca67
Bisecting: 97 revisions left to test after this (roughly 7 steps)
[1cb1f0b2486b0893a3ebf20c42f2df27649ae2b4] btrfs: tracepoints: fix qgroup reservation type printing
testing commit 1cb1f0b2486b0893a3ebf20c42f2df27649ae2b4 with gcc (GCC) 8.1.0
kernel signature: 4d786d14022c95294a2bd93a7e328c9a9b405cffeb90ce269fa0ba3d104bcc8d
all runs: OK
# git bisect bad 1cb1f0b2486b0893a3ebf20c42f2df27649ae2b4
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[89d7da9bc592aa6a341d00f2d949615a89bb1eb7] btrfs: get mapping tree directly from fsinfo in find_first_block_group
testing commit 89d7da9bc592aa6a341d00f2d949615a89bb1eb7 with gcc (GCC) 8.1.0
kernel signature: 1047e514177d142dcf9d6019d522fce440b05df89e1fa499838621444fd6f6df
all runs: OK
# git bisect bad 89d7da9bc592aa6a341d00f2d949615a89bb1eb7
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[7f2e231c316591246284b10b008cadfc953f16d3] Merge tag 'driver-core-5.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core into master
testing commit 7f2e231c316591246284b10b008cadfc953f16d3 with gcc (GCC) 8.1.0
kernel signature: 33f40660ba71350ae52229bbd4f57f8d144fada82ab100224c8ab83ca1424875
all runs: OK
# git bisect bad 7f2e231c316591246284b10b008cadfc953f16d3
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[5fdbe136ae19ab751daaa4d08d9a42f3e30d17f9] serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
testing commit 5fdbe136ae19ab751daaa4d08d9a42f3e30d17f9 with gcc (GCC) 8.1.0
kernel signature: 747d2f1ca810bf12d76bb0cbdff4b8fbb8dc7f2de1660522d9deec735622a6a4
all runs: OK
# git bisect bad 5fdbe136ae19ab751daaa4d08d9a42f3e30d17f9
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[707631ce639651e51bfed9e56326cde86f9e97b8] serial: tegra: drop bogus NULL tty-port checks
testing commit 707631ce639651e51bfed9e56326cde86f9e97b8 with gcc (GCC) 8.1.0
kernel signature: ad87b1ed8c1f66c7c52ff156bf697325edb663d70b75f8f8237e2c7d696bac60
all runs: crashed: BUG: unable to handle kernel paging request in bitfill_aligned
# git bisect good 707631ce639651e51bfed9e56326cde86f9e97b8
Bisecting: 1 revision left to test after this (roughly 1 step)
[551e553f0d4ab623e2a6f424ab5834f9c7b5229c] serial: 8250_mtk: Fix high-speed baud rates clamping
testing commit 551e553f0d4ab623e2a6f424ab5834f9c7b5229c with gcc (GCC) 8.1.0
kernel signature: 2c611ef99e6b9d272be124864ae3dfa89f03d42c05849fd4201d9b3079f926ba
run #0: crashed: BUG: unable to handle kernel paging request in bitfill_aligned
run #1: crashed: BUG: unable to handle kernel paging request in bitfill_aligned
run #2: crashed: BUG: unable to handle kernel paging request in bitfill_aligned
run #3: crashed: BUG: unable to handle kernel paging request in bitfill_aligned
run #4: crashed: BUG: unable to handle kernel paging request in bitfill_aligned
run #5: crashed: BUG: unable to handle kernel paging request in bitfill_aligned
run #6: crashed: BUG: unable to handle kernel paging request in bitfill_aligned
run #7: crashed: BUG: unable to handle kernel paging request in bitfill_aligned
run #8: crashed: BUG: unable to handle kernel paging request in bitfill_aligned
run #9: boot failed: can't ssh into the instance
# git bisect good 551e553f0d4ab623e2a6f424ab5834f9c7b5229c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[033724d6864245a11f8e04c066002e6ad22b3fd0] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
testing commit 033724d6864245a11f8e04c066002e6ad22b3fd0 with gcc (GCC) 8.1.0
kernel signature: 747d2f1ca810bf12d76bb0cbdff4b8fbb8dc7f2de1660522d9deec735622a6a4
all runs: OK
# git bisect bad 033724d6864245a11f8e04c066002e6ad22b3fd0
033724d6864245a11f8e04c066002e6ad22b3fd0 is the first bad commit
commit 033724d6864245a11f8e04c066002e6ad22b3fd0
Author: Tetsuo Handa
Date:   Wed Jul 15 10:51:02 2020 +0900

    fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.

    syzbot is reporting a general protection fault in bitfill_aligned() [1]
    caused by integer underflow in bit_clear_margins(). The cause of this
    problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.

    If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres
    is going to shrink, vc->vc_{cols,rows} will not be updated. This allows
    bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or
    info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will try
    to overrun the __iomem region and cause a general protection fault.

    Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to the

        new_cols = (cols ? cols : vc->vc_cols);
        new_rows = (lines ? lines : vc->vc_rows);

    exception. Since cols and lines are calculated as

        cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres);
        rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
        cols /= vc->vc_font.width;
        rows /= vc->vc_font.height;
        vc_resize(vc, cols, rows);

    in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0 and
    var.yres < vc->vc_font.height makes rows = 0. This means that

        const int fd = open("/dev/fb0", O_ACCMODE);
        struct fb_var_screeninfo var = { };
        ioctl(fd, FBIOGET_VSCREENINFO, &var);
        var.xres = var.yres = 1;
        ioctl(fd, FBIOPUT_VSCREENINFO, &var);

    easily reproduces the integer underflow bug explained above.

    Of course, it is bad that callers of vc_resize() are not handling
    vc_do_resize() failure. But we can't avoid vc_resize(vc, 0, 0), which
    returns 0. Therefore, as a band-aid workaround, this patch checks for
    integer underflow in the "struct fbcon_ops"->clear_margins call, assuming
    that vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.height
    do not cause integer overflow.

    [1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c6

    Reported-and-tested-by: syzbot
    Signed-off-by: Tetsuo Handa
    Acked-by: Daniel Vetter
    Cc: stable
    Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA.ne.jp
    Signed-off-by: Greg Kroah-Hartman

 drivers/video/fbdev/core/bitblit.c   | 4 ++--
 drivers/video/fbdev/core/fbcon_ccw.c | 4 ++--
 drivers/video/fbdev/core/fbcon_cw.c  | 4 ++--
 drivers/video/fbdev/core/fbcon_ud.c  | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

culprit signature: 747d2f1ca810bf12d76bb0cbdff4b8fbb8dc7f2de1660522d9deec735622a6a4
parent signature: 2c611ef99e6b9d272be124864ae3dfa89f03d42c05849fd4201d9b3079f926ba
revisions tested: 16, total time: 4h14m28.794272177s (build: 1h36m21.986856367s, test: 2h36m8.710751705s)
first good commit: 033724d6864245a11f8e04c066002e6ad22b3fd0 fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
recipients (to): ["daniel.vetter@ffwll.ch" "gregkh@linuxfoundation.org" "penguin-kernel@i-love.sakura.ne.jp" "syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com"]
recipients (cc): []