linux-fbdev.vger.kernel.org archive mirror
* BUG: unable to handle kernel paging request at ffffc90000669000, IP: [<ffffffff8139d84a>] bitfill_un
@ 2013-02-19 17:33 Tommi Rantala
From: Tommi Rantala @ 2013-02-19 17:33 UTC (permalink / raw)
  To: David Airlie, dri-devel, Florian Tobias Schandinat, linux-fbdev
  Cc: Dave Jones, Sasha Levin, LKML

Hello,

Hit the following oops while fuzzing the kernel with Trinity in a qemu
virtual machine:

[ 2143.140647] BUG: unable to handle kernel paging request at ffffc90000669000
[ 2143.140652] IP: [<ffffffff8139d84a>] bitfill_unaligned+0x10a/0x1a0
[ 2143.140654] PGD 3e073067 PUD 3e074067 PMD 3ca84067 PTE 0
[ 2143.140656] Oops: 0002 [#1] SMP
[ 2143.140660] CPU 0
[ 2143.140660] Pid: 2894, comm: trinity-child0 Not tainted 3.8.0-rc7+
#86 Bochs Bochs
[ 2143.140662] RIP: 0010:[<ffffffff8139d84a>]  [<ffffffff8139d84a>]
bitfill_unaligned+0x10a/0x1a0
[ 2143.140663] RSP: 0018:ffff88003a967888  EFLAGS: 00010246
[ 2143.140664] RAX: 0000000003fffe1f RBX: 0000000000000000 RCX: 0000000000000008
[ 2143.140664] RDX: 0000000003f87fff RSI: ffffc900002a9f08 RDI: 0000000000000000
[ 2143.140665] RBP: ffff88003a9678a8 R08: 0000000000000008 R09: 0000000000000010
[ 2143.140666] R10: ffffc90000668fe8 R11: 0000000000000000 R12: 00000000ffff8800
[ 2143.140666] R13: 00000000ffffffc0 R14: ffffffffffffffff R15: 0000000000000018
[ 2143.140668] FS:  00007f965fc5e700(0000) GS:ffff88003fc00000(0000)
knlGS:0000000000000000
[ 2143.140668] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2143.140669] CR2: ffffc90000669000 CR3: 0000000039c50000 CR4: 00000000000006f0
[ 2143.140675] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2143.140678] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2143.140679] Process trinity-child0 (pid: 2894, threadinfo
ffff88003a966000, task ffff88003b0c0000)
[ 2143.140679] Stack:
[ 2143.140682]  ffff88003ca8d800 0000000000000000 ffffc900002a9f00
0000000000000000
[ 2143.140683]  ffff88003a967938 ffffffff8139debf ffffffffffff8800
ffff880000000040
[ 2143.140685]  ffffffff8225f1a0 ffff000000000000 ffff88003a9678e8
ffffffff810f5aed
[ 2143.140685] Call Trace:
[ 2143.140688]  [<ffffffff8139debf>] sys_fillrect+0x34f/0x370
[ 2143.140692]  [<ffffffff810f5aed>] ? trace_hardirqs_on+0xd/0x10
[ 2143.140693]  [<ffffffff8139d740>] ? bitfill_aligned+0x120/0x120
[ 2143.140696]  [<ffffffff814bbcef>] cirrus_fillrect+0x1f/0x40
[ 2143.140697]  [<ffffffff8139aaba>] bit_clear_margins+0x12a/0x170
[ 2143.140701]  [<ffffffff81395641>] fbcon_clear_margins+0x71/0x80
[ 2143.140702]  [<ffffffff813998a9>] fbcon_switch+0x479/0x540
[ 2143.140705]  [<ffffffff814166c1>] redraw_screen+0x131/0x250
[ 2143.140707]  [<ffffffff81396c1c>] fbcon_modechanged+0x18c/0x210
[ 2143.140709]  [<ffffffff81397739>] fbcon_event_notify+0x1f9/0x850
[ 2143.140712]  [<ffffffff810c671d>] notifier_call_chain+0xbd/0xf0
[ 2143.140714]  [<ffffffff810c6c08>] __blocking_notifier_call_chain+0x98/0xc0
[ 2143.140716]  [<ffffffff810c6c41>] blocking_notifier_call_chain+0x11/0x20
[ 2143.140718]  [<ffffffff81389146>] fb_notifier_call_chain+0x16/0x20
[ 2143.140720]  [<ffffffff8138ae19>] fb_set_var+0x439/0x480
[ 2143.140721]  [<ffffffff8138b089>] do_fb_ioctl+0x189/0x5d0
[ 2143.140723]  [<ffffffff810f5bcd>] ? trace_hardirqs_off+0xd/0x10
[ 2143.140724]  [<ffffffff810d552a>] ? local_clock+0x4a/0x70
[ 2143.140726]  [<ffffffff810f1e98>] ? lock_release_holdtime+0x28/0x170
[ 2143.140728]  [<ffffffff8138b90a>] fb_ioctl+0x3a/0x40
[ 2143.140731]  [<ffffffff811b5ff2>] do_vfs_ioctl+0x532/0x580
[ 2143.140735]  [<ffffffff812fc7d3>] ? file_has_perm+0x83/0xa0
[ 2143.140737]  [<ffffffff811b609d>] sys_ioctl+0x5d/0xa0
[ 2143.140739]  [<ffffffff813571de>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 2143.140741]  [<ffffffff81ca06e9>] system_call_fastpath+0x16/0x1b
[ 2143.140758] Code: 89 7a 08 48 d3 e3 44 89 c9 48 d3 ef 44 89 c1 48
09 df 48 89 fb 49 89 7a 10 48 d3 e3 44 89 c9 48 d3 ef 44 89 c1 48 09
df 48 89 fb <49> 89 7a 18 49 83 c2 20 48 d3 e3 44 89 c9 48 d3 ef 48 09
df 83
[ 2143.140760] RIP  [<ffffffff8139d84a>] bitfill_unaligned+0x10a/0x1a0
[ 2143.140760]  RSP <ffff88003a967888>
[ 2143.140761] CR2: ffffc90000669000
[ 2143.146366] BUG: unable to handle kernel paging request at ffffc90000669000
[ 2143.146369] IP: [<ffffffff8139d84a>] bitfill_unaligned+0x10a/0x1a0
[ 2143.146371] PGD 3e073067 PUD 3e074067 PMD 3ca84067 PTE 0
[ 2143.146372] Oops: 0002 [#2] SMP
[ 2143.146375] CPU 0
[ 2143.146375] Pid: 2894, comm: trinity-child0 Not tainted 3.8.0-rc7+
#86 Bochs Bochs
[ 2143.146377] RIP: 0010:[<ffffffff8139d84a>]  [<ffffffff8139d84a>]
bitfill_unaligned+0x10a/0x1a0
[ 2143.146378] RSP: 0018:ffff88003a967218  EFLAGS: 00010246
[ 2143.146378] RAX: 0000000003fffe1f RBX: 0000000000000000 RCX: 0000000000000008
[ 2143.146379] RDX: 0000000003f87fff RSI: ffffc900002a9f08 RDI: 0000000000000000
[ 2143.146380] RBP: ffff88003a967238 R08: 0000000000000008 R09: 0000000000000010
[ 2143.146380] R10: ffffc90000668fe8 R11: 0000000000000000 R12: 00000000ffff8800
[ 2143.146381] R13: 00000000ffffffc0 R14: ffffffffffffffff R15: 0000000000000018
[ 2143.146382] FS:  00007f965fc5e700(0000) GS:ffff88003fc00000(0000)
knlGS:0000000000000000
[ 2143.146383] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2143.146383] CR2: ffffc90000669000 CR3: 0000000039c50000 CR4: 00000000000006f0
[ 2143.146388] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2143.146391] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2143.146391] Process trinity-child0 (pid: 2894, threadinfo
ffff88003a966000, task ffff88003b0c0000)
[ 2143.146392] Stack:
[ 2143.146394]  ffff88003ca8d800 0000000000000000 ffffc900002a9f00
0000000000000000
[ 2143.146395]  ffff88003a9672c8 ffffffff8139debf ffffffffffff8800
ffff880000000040
[ 2143.146397]  ffffffff8225f1a0 ffff000000000000 ffff88003a967278
ffffffff810f5aed
[ 2143.146397] Call Trace:
[ 2143.146399]  [<ffffffff8139debf>] sys_fillrect+0x34f/0x370
[ 2143.146402]  [<ffffffff810f5aed>] ? trace_hardirqs_on+0xd/0x10
[ 2143.146403]  [<ffffffff8139d740>] ? bitfill_aligned+0x120/0x120
[ 2143.146405]  [<ffffffff814bbcef>] cirrus_fillrect+0x1f/0x40
[ 2143.146406]  [<ffffffff8139aaba>] bit_clear_margins+0x12a/0x170
[ 2143.146408]  [<ffffffff81395641>] fbcon_clear_margins+0x71/0x80
[ 2143.146410]  [<ffffffff813998a9>] fbcon_switch+0x479/0x540
[ 2143.146412]  [<ffffffff814166c1>] redraw_screen+0x131/0x250
[ 2143.146414]  [<ffffffff81397f9a>] fbcon_blank+0x20a/0x2d0
[ 2143.146417]  [<ffffffff81c9effc>] ? _raw_spin_lock_irqsave+0x7c/0x90
[ 2143.146420]  [<ffffffff810a8ee3>] ? lock_timer_base.isra.25+0x33/0x70
[ 2143.146422]  [<ffffffff810f5b18>] ? trace_hardirqs_off_caller+0x28/0xd0
[ 2143.146423]  [<ffffffff810f5bcd>] ? trace_hardirqs_off+0xd/0x10
[ 2143.146425]  [<ffffffff81c9f174>] ? _raw_spin_unlock_irqrestore+0x44/0x70
[ 2143.146427]  [<ffffffff810aa17b>] ? mod_timer+0x1ab/0x200
[ 2143.146429]  [<ffffffff814180f8>] do_unblank_screen+0xf8/0x1d0
[ 2143.146430]  [<ffffffff814181db>] unblank_screen+0xb/0x10
[ 2143.146432]  [<ffffffff81358239>] bust_spinlocks+0x19/0x30
[ 2143.146435]  [<ffffffff8105cde2>] oops_end+0x42/0xe0
[ 2143.146438]  [<ffffffff81c89d82>] no_context+0x253/0x27e
[ 2143.146439]  [<ffffffff81c89f73>] __bad_area_nosemaphore+0x1c6/0x1e5
[ 2143.146442]  [<ffffffff81091681>] ? kmemcheck_pte_lookup+0x11/0x40
[ 2143.146444]  [<ffffffff81c89fa0>] bad_area_nosemaphore+0xe/0x10
[ 2143.146445]  [<ffffffff8108a35e>] __do_page_fault+0x43e/0x4d0
[ 2143.146447]  [<ffffffff810f58d3>] ? mark_held_locks+0x123/0x140
[ 2143.146449]  [<ffffffff81c9fdb3>] ? retint_restore_args+0x13/0x13
[ 2143.146451]  [<ffffffff810f58d3>] ? mark_held_locks+0x123/0x140
[ 2143.146452]  [<ffffffff8135721d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
[ 2143.146454]  [<ffffffff8108a419>] do_page_fault+0x9/0x10
[ 2143.146456]  [<ffffffff8108492c>] do_async_page_fault+0x4c/0xa0
[ 2143.146458]  [<ffffffff81ca00b8>] async_page_fault+0x28/0x30
[ 2143.146459]  [<ffffffff8139d84a>] ? bitfill_unaligned+0x10a/0x1a0
[ 2143.146460]  [<ffffffff8139debf>] sys_fillrect+0x34f/0x370
[ 2143.146462]  [<ffffffff810f5aed>] ? trace_hardirqs_on+0xd/0x10
[ 2143.146464]  [<ffffffff8139d740>] ? bitfill_aligned+0x120/0x120
[ 2143.146465]  [<ffffffff814bbcef>] cirrus_fillrect+0x1f/0x40
[ 2143.146466]  [<ffffffff8139aaba>] bit_clear_margins+0x12a/0x170
[ 2143.146468]  [<ffffffff81395641>] fbcon_clear_margins+0x71/0x80
[ 2143.146470]  [<ffffffff813998a9>] fbcon_switch+0x479/0x540
[ 2143.146472]  [<ffffffff814166c1>] redraw_screen+0x131/0x250
[ 2143.146473]  [<ffffffff81396c1c>] fbcon_modechanged+0x18c/0x210
[ 2143.146475]  [<ffffffff81397739>] fbcon_event_notify+0x1f9/0x850
[ 2143.146477]  [<ffffffff810c671d>] notifier_call_chain+0xbd/0xf0
[ 2143.146479]  [<ffffffff810c6c08>] __blocking_notifier_call_chain+0x98/0xc0
[ 2143.146481]  [<ffffffff810c6c41>] blocking_notifier_call_chain+0x11/0x20
[ 2143.146483]  [<ffffffff81389146>] fb_notifier_call_chain+0x16/0x20
[ 2143.146484]  [<ffffffff8138ae19>] fb_set_var+0x439/0x480
[ 2143.146486]  [<ffffffff8138b089>] do_fb_ioctl+0x189/0x5d0
[ 2143.146487]  [<ffffffff810f5bcd>] ? trace_hardirqs_off+0xd/0x10
[ 2143.146488]  [<ffffffff810d552a>] ? local_clock+0x4a/0x70
[ 2143.146490]  [<ffffffff810f1e98>] ? lock_release_holdtime+0x28/0x170
[ 2143.146492]  [<ffffffff8138b90a>] fb_ioctl+0x3a/0x40
[ 2143.146494]  [<ffffffff811b5ff2>] do_vfs_ioctl+0x532/0x580
[ 2143.146496]  [<ffffffff812fc7d3>] ? file_has_perm+0x83/0xa0
[ 2143.146498]  [<ffffffff811b609d>] sys_ioctl+0x5d/0xa0
[ 2143.146499]  [<ffffffff813571de>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 2143.146501]  [<ffffffff81ca06e9>] system_call_fastpath+0x16/0x1b
[ 2143.146518] Code: 89 7a 08 48 d3 e3 44 89 c9 48 d3 ef 44 89 c1 48
09 df 48 89 fb 49 89 7a 10 48 d3 e3 44 89 c9 48 d3 ef 44 89 c1 48 09
df 48 89 fb <49> 89 7a 18 49 83 c2 20 48 d3 e3 44 89 c9 48 d3 ef 48 09
df 83
[ 2143.146519] RIP  [<ffffffff8139d84a>] bitfill_unaligned+0x10a/0x1a0
[ 2143.146520]  RSP <ffff88003a967218>
[ 2143.146520] CR2: ffffc90000669000
[ 2143.146522] ---[ end trace bc6146191d8a6170 ]---

Tommi

^ permalink raw reply	[flat|nested] 29+ messages in thread

* BUG: unable to handle kernel paging request in sys_imageblit
@ 2019-12-10 16:38 ` syzbot
From: syzbot @ 2019-12-10 16:38 UTC (permalink / raw)
  To: b.zolnierkie, dri-devel, linux-fbdev, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    6794862a Merge tag 'for-5.5-rc1-kconfig-tag' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1574aaeae00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=79f79de2a27d3e3d
dashboard link: https://syzkaller.appspot.com/bug?extid=33f89a9a6b6acd893b11
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+33f89a9a6b6acd893b11@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: fffff5200124c3fc
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 7ffcd067 P4D 7ffcd067 PUD 2cd1c067 PMD 299b2067 PTE 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 2 PID: 9109 Comm: syz-executor.2 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x61c/0x1240  
drivers/video/fbdev/core/sysimgblt.c:275
Code: 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 57 0b 00 00 48 b9 00 00 00 00 00  
fc ff df 4c 89 fa 8b 45 b0 23 07 4d 8d 77 04 48 c1 ea 03 <0f> b6 0c 0a 4c  
89 fa 83 e2 07 33 45 c4 83 c2 03 38 ca 7c 08 84 c9
RSP: 0018:ffffc900042c7168 EFLAGS: 00010a06
RAX: 0000000000000000 RBX: ffff888076970800 RCX: dffffc0000000000
RDX: 1ffff9200124c3fc RSI: ffffffff83b4fada RDI: ffffffff887498e0
RBP: ffffc900042c7230 R08: ffff88805d278e40 R09: 000000000000007f
R10: fffffbfff14f3347 R11: ffffffff8a799a3b R12: 0000000000000007
R13: 0000000000000007 R14: ffffc90009261fe4 R15: ffffc90009261fe0
FS:  00007f0af02fc700(0000) GS:ffff88802d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff5200124c3fc CR3: 00000000278c2000 CR4: 0000000000340ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  drm_fb_helper_sys_imageblit+0x21/0x180 drivers/gpu/drm/drm_fb_helper.c:768
  bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
  bit_putcs+0x9a3/0xf10 drivers/video/fbdev/core/bitblit.c:188
  fbcon_putcs+0x33c/0x3e0 drivers/video/fbdev/core/fbcon.c:1353
  do_update_region+0x42b/0x6f0 drivers/tty/vt/vt.c:677
  invert_screen+0x2da/0x650 drivers/tty/vt/vt.c:794
  highlight drivers/tty/vt/selection.c:53 [inline]
  clear_selection drivers/tty/vt/selection.c:81 [inline]
  clear_selection+0x59/0x70 drivers/tty/vt/selection.c:77
  vc_do_resize+0x1163/0x1460 drivers/tty/vt/vt.c:1200
  vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1304
  fbcon_do_set_font+0x4a6/0x960 drivers/video/fbdev/core/fbcon.c:2599
  fbcon_set_font+0x72e/0x860 drivers/video/fbdev/core/fbcon.c:2696
  con_font_set drivers/tty/vt/vt.c:4538 [inline]
  con_font_op+0xe30/0x1270 drivers/tty/vt/vt.c:4603
  vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913
  tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
  vfs_ioctl fs/ioctl.c:47 [inline]
  file_ioctl fs/ioctl.c:545 [inline]
  do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
  ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
  __do_sys_ioctl fs/ioctl.c:756 [inline]
  __se_sys_ioctl fs/ioctl.c:754 [inline]
  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a7c9
Code: bd b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 8b b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f0af02fbc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000072bf00 RCX: 000000000045a7c9
RDX: 0000000020000000 RSI: 0000000000004b61 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0af02fc6d4
R13: 00000000004ab60f R14: 00000000006ede60 R15: 00000000ffffffff
Modules linked in:
CR2: fffff5200124c3fc
---[ end trace 7698227ca2d5f789 ]---
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x61c/0x1240  
drivers/video/fbdev/core/sysimgblt.c:275
Code: 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 57 0b 00 00 48 b9 00 00 00 00 00  
fc ff df 4c 89 fa 8b 45 b0 23 07 4d 8d 77 04 48 c1 ea 03 <0f> b6 0c 0a 4c  
89 fa 83 e2 07 33 45 c4 83 c2 03 38 ca 7c 08 84 c9
RSP: 0018:ffffc900042c7168 EFLAGS: 00010a06
RAX: 0000000000000000 RBX: ffff888076970800 RCX: dffffc0000000000
RDX: 1ffff9200124c3fc RSI: ffffffff83b4fada RDI: ffffffff887498e0
RBP: ffffc900042c7230 R08: ffff88805d278e40 R09: 000000000000007f
R10: fffffbfff14f3347 R11: ffffffff8a799a3b R12: 0000000000000007
R13: 0000000000000007 R14: ffffc90009261fe4 R15: ffffc90009261fe0
FS:  00007f0af02fc700(0000) GS:ffff88802d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff5200124c3fc CR3: 00000000278c2000 CR4: 0000000000340ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

* BUG: unable to handle kernel paging request in vga16fb_imageblit
@ 2019-12-27  7:13 ` syzbot
From: syzbot @ 2019-12-27  7:13 UTC (permalink / raw)
  To: b.zolnierkie, dri-devel, linux-fbdev, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    46cf053e Linux 5.5-rc3
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e35351e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ed9d672709340e35
dashboard link: https://syzkaller.appspot.com/bug?extid=83449358d6355b0b9728
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+83449358d6355b0b9728@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffff8880ffff7900
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD c201067 P4D c201067 PUD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 31197 Comm: syz-executor.4 Not tainted 5.5.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1168 [inline]
RIP: 0010:vga16fb_imageblit+0xa52/0x2200 drivers/video/fbdev/vga16fb.c:1260
Code: df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0  
7c 09 84 d2 74 05 e8 16 9f f9 fd 41 8b 45 14 48 8b 4d c8 <88> 01 0f ae e8  
8a 01 b8 05 00 00 00 ba ce 03 00 00 ee 48 c7 c2 d8
RSP: 0018:ffffc90004e57450 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000007 RCX: ffff8880ffff7900
RDX: 0000000000000000 RSI: ffffffff83b944b6 RDI: ffffc90004e5760c
RBP: ffffc90004e574e8 R08: ffff88804b708240 R09: 0000000000000000
R10: ffffed10432d371b R11: ffff88821969b8df R12: ffffc90004e575fc
R13: ffffc90004e575f8 R14: ffff8880a3f140c0 R15: 0000000000000001
FS:  00007f4674e1a700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880ffff7900 CR3: 000000004de7b000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
  bit_putcs+0x9a3/0xf10 drivers/video/fbdev/core/bitblit.c:188
  fbcon_putcs+0x33c/0x3e0 drivers/video/fbdev/core/fbcon.c:1353
  fbcon_redraw_move.isra.0+0x258/0x2a0 drivers/video/fbdev/core/fbcon.c:1733
  ypan_down_redraw drivers/video/fbdev/core/fbcon.c:1598 [inline]
  fbcon_scroll+0x2e07/0x35b0 drivers/video/fbdev/core/fbcon.c:2048
  con_scroll+0x3fd/0x650 drivers/tty/vt/vt.c:631
  csi_L drivers/tty/vt/vt.c:1974 [inline]
  do_con_trol+0x5317/0x61b0 drivers/tty/vt/vt.c:2373
  do_con_write.part.0+0xfd9/0x1ef0 drivers/tty/vt/vt.c:2797
  do_con_write drivers/tty/vt/vt.c:2565 [inline]
  con_write+0x46/0xd0 drivers/tty/vt/vt.c:3135
  process_output_block drivers/tty/n_tty.c:595 [inline]
  n_tty_write+0x40e/0x1080 drivers/tty/n_tty.c:2333
  do_tty_write drivers/tty/tty_io.c:962 [inline]
  tty_write+0x496/0x7f0 drivers/tty/tty_io.c:1046
  __vfs_write+0x8a/0x110 fs/read_write.c:494
  vfs_write+0x268/0x5d0 fs/read_write.c:558
  ksys_write+0x14f/0x290 fs/read_write.c:611
  __do_sys_write fs/read_write.c:623 [inline]
  __se_sys_write fs/read_write.c:620 [inline]
  __x64_sys_write+0x73/0xb0 fs/read_write.c:620
  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a919
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4674e19c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919
RDX: 00000000000002c1 RSI: 0000000020000880 RDI: 0000000000000009
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4674e1a6d4
R13: 00000000004cbd7a R14: 00000000004e5b48 R15: 00000000ffffffff
Modules linked in:
CR2: ffff8880ffff7900
---[ end trace 80930dfe0366796b ]---
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1168 [inline]
RIP: 0010:vga16fb_imageblit+0xa52/0x2200 drivers/video/fbdev/vga16fb.c:1260
Code: df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0  
7c 09 84 d2 74 05 e8 16 9f f9 fd 41 8b 45 14 48 8b 4d c8 <88> 01 0f ae e8  
8a 01 b8 05 00 00 00 ba ce 03 00 00 ee 48 c7 c2 d8
RSP: 0018:ffffc90004e57450 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000007 RCX: ffff8880ffff7900
RDX: 0000000000000000 RSI: ffffffff83b944b6 RDI: ffffc90004e5760c
RBP: ffffc90004e574e8 R08: ffff88804b708240 R09: 0000000000000000
R10: ffffed10432d371b R11: ffff88821969b8df R12: ffffc90004e575fc
R13: ffffc90004e575f8 R14: ffff8880a3f140c0 R15: 0000000000000001
FS:  00007f4674e1a700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880ffff7900 CR3: 000000004de7b000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

* BUG: unable to handle kernel paging request in vga16fb_imageblit (2)
@ 2020-05-08  7:07 ` syzbot
From: syzbot @ 2020-05-08  7:07 UTC (permalink / raw)
  To: b.zolnierkie, daniel.vetter, dri-devel, jani.nikula, linux-fbdev,
	linux-kernel, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    262f7a6b Merge tag 'for-5.7-rc3-tag' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12786888100000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5b075813ec8b93cd
dashboard link: https://syzkaller.appspot.com/bug?extid=1f29e126cf461c4de3b3
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffff8880ffca0e80
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD d401067 P4D d401067 PUD 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 710 Comm: syz-executor.5 Not tainted 5.7.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1168 [inline]
RIP: 0010:vga16fb_imageblit+0xa5b/0x2210 drivers/video/fbdev/vga16fb.c:1260
Code: 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 ee 59 ed fd 41 8b 47 14 48 8b 74 24 08 <88> 06 0f ae e8 8a 06 b8 05 00 00 00 ba ce 03 00 00 ee 48 c7 c2 18
RSP: 0000:ffffc90002ea71f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000007 RCX: ffffc90014391000
RDX: 0000000000000000 RSI: ffff8880ffca0e80 RDI: ffffc90002ea739c
RBP: ffffc90002ea738c R08: ffff8880922ac200 R09: 0000000000000000
R10: ffffffff8a895007 R11: fffffbfff1512a00 R12: 0000000000000000
R13: ffff888218de5140 R14: 0000000000000001 R15: ffffc90002ea7388
FS:  00007fbeeb282700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880ffca0e80 CR3: 000000008e9c5000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x910/0xe10 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x345/0x3f0 drivers/video/fbdev/core/fbcon.c:1362
 con_flush drivers/tty/vt/vt.c:2569 [inline]
 do_con_write.part.0+0x7d1/0x1dc0 drivers/tty/vt/vt.c:2772
 do_con_write drivers/tty/vt/vt.c:2588 [inline]
 con_write+0x41/0xe0 drivers/tty/vt/vt.c:3154
 process_output_block drivers/tty/n_tty.c:595 [inline]
 n_tty_write+0x3f0/0xf90 drivers/tty/n_tty.c:2333
 do_tty_write drivers/tty/tty_io.c:962 [inline]
 tty_write+0x495/0x800 drivers/tty/tty_io.c:1046
 __vfs_write+0x76/0x100 fs/read_write.c:495
 __kernel_write+0x11c/0x3a0 fs/read_write.c:516
 write_pipe_buf+0x153/0x1e0 fs/splice.c:809
 splice_from_pipe_feed fs/splice.c:512 [inline]
 __splice_from_pipe+0x3e6/0x7b0 fs/splice.c:636
 splice_from_pipe+0xd9/0x140 fs/splice.c:671
 default_file_splice_write+0x37/0x90 fs/splice.c:821
 do_splice_from fs/splice.c:863 [inline]
 direct_splice_actor+0x115/0x160 fs/splice.c:1037
 splice_direct_to_actor+0x38c/0x980 fs/splice.c:992
 do_splice_direct+0x1b4/0x280 fs/splice.c:1080
 do_sendfile+0x555/0xc50 fs/read_write.c:1521
 __do_sys_sendfile64 fs/read_write.c:1582 [inline]
 __se_sys_sendfile64 fs/read_write.c:1568 [inline]
 __x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1568
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45c829
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fbeeb281c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00000000004fc0c0 RCX: 000000000045c829
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0800000080004103 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008d6 R14: 00000000004cb7a1 R15: 00007fbeeb2826d4
Modules linked in:
CR2: ffff8880ffca0e80
---[ end trace 5bb103c4fc7bf525 ]---
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1168 [inline]
RIP: 0010:vga16fb_imageblit+0xa5b/0x2210 drivers/video/fbdev/vga16fb.c:1260
Code: 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 ee 59 ed fd 41 8b 47 14 48 8b 74 24 08 <88> 06 0f ae e8 8a 06 b8 05 00 00 00 ba ce 03 00 00 ee 48 c7 c2 18
RSP: 0000:ffffc90002ea71f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000007 RCX: ffffc90014391000
RDX: 0000000000000000 RSI: ffff8880ffca0e80 RDI: ffffc90002ea739c
RBP: ffffc90002ea738c R08: ffff8880922ac200 R09: 0000000000000000
R10: ffffffff8a895007 R11: fffffbfff1512a00 R12: 0000000000000000
R13: ffff888218de5140 R14: 0000000000000001 R15: ffffc90002ea7388
FS:  00007fbeeb282700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880ffca0e80 CR3: 000000008e9c5000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

* BUG: unable to handle kernel paging request in bitfill_aligned
@ 2020-05-12  6:55 ` syzbot
From: syzbot @ 2020-05-12  6:55 UTC (permalink / raw)
  To: b.zolnierkie, dri-devel, linux-fbdev, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    1d3962ae Merge tag 'io_uring-5.7-2020-05-08' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14874258100000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b0212dbee046bc1f
dashboard link: https://syzkaller.appspot.com/bug?extid=00ed1cf405874e141432
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+00ed1cf405874e141432@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffff888000cf5080
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD d401067 P4D d401067 PUD d402067 PMD cf4063 PTE 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 30473 Comm: syz-executor.4 Not tainted 5.7.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__writeq arch/x86/include/asm/io.h:98 [inline]
RIP: 0010:bitfill_aligned drivers/video/fbdev/core/cfbfillrect.c:64 [inline]
RIP: 0010:bitfill_aligned+0xfc/0x200 drivers/video/fbdev/core/cfbfillrect.c:35
Code: fd 44 89 e0 31 d2 bf 07 00 00 00 f7 f5 41 89 c4 89 c6 89 c5 e8 c5 ab b3 fd 41 83 fc 07 76 62 45 89 e7 4c 89 ed e8 44 aa b3 fd <48> 89 5d 00 48 89 5d 08 48 89 5d 10 48 89 5d 18 48 89 5d 20 48 89
RSP: 0018:ffffc90001c474e0 EFLAGS: 00010246
RAX: 0000000000040000 RBX: 0000000000000000 RCX: ffffc90012324000
RDX: 0000000000040000 RSI: ffffffff83bf846c RDI: 0000000000000005
RBP: ffff888000cf5080 R08: ffff888056a6a340 R09: 0000000000000040
R10: ffff888218d3331f R11: ffffed10431a6663 R12: 0000000000000030
R13: ffff888000cf5080 R14: 0000000000000000 R15: 0000000000000030
FS:  00007fe0d9986700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888000cf5080 CR3: 000000008ea77000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 cfb_fillrect+0x418/0x7a0 drivers/video/fbdev/core/cfbfillrect.c:327
 vga16fb_fillrect+0x68f/0x1960 drivers/video/fbdev/vga16fb.c:951
 bit_clear_margins+0x2d5/0x4a0 drivers/video/fbdev/core/bitblit.c:232
 fbcon_clear_margins+0x1de/0x240 drivers/video/fbdev/core/fbcon.c:1381
 fbcon_switch+0xcde/0x16f0 drivers/video/fbdev/core/fbcon.c:2363
 redraw_screen+0x2ae/0x770 drivers/tty/vt/vt.c:1015
 fbcon_modechanged+0x581/0x720 drivers/video/fbdev/core/fbcon.c:3000
 fbcon_update_vcs+0x3a/0x50 drivers/video/fbdev/core/fbcon.c:3047
 fb_set_var+0xad0/0xd40 drivers/video/fbdev/core/fbmem.c:1056
 do_fb_ioctl+0x390/0x6e0 drivers/video/fbdev/core/fbmem.c:1109
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:771
 __do_sys_ioctl fs/ioctl.c:780 [inline]
 __se_sys_ioctl fs/ioctl.c:778 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:778
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45c829
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fe0d9985c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004e4860 RCX: 000000000045c829
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000002f2 R14: 00000000004c54c8 R15: 00007fe0d99866d4
Modules linked in:
CR2: ffff888000cf5080

===========================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


* Re: BUG: unable to handle kernel paging request in sys_imageblit
  2019-12-10 16:38 ` BUG: unable to handle kernel paging request in sys_imageblit syzbot
@ 2020-06-19  4:56   ` syzbot
  0 siblings, 0 replies; 29+ messages in thread
From: syzbot @ 2020-06-19  4:56 UTC (permalink / raw)
  To: b.zolnierkie, dri-devel, linux-fbdev, linux-kernel, syzkaller-bugs

syzbot has found a reproducer for the following crash on:

HEAD commit:    435faf5c Merge tag 'riscv-for-linus-5.8-mw0' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1768c725100000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bb617b9c2a5bdf
dashboard link: https://syzkaller.appspot.com/bug?extid=33f89a9a6b6acd893b11
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11f3f485100000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+33f89a9a6b6acd893b11@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: fffff520013df608
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 7ffcd067 P4D 7ffcd067 PUD 2c920067 PMD 29858067 PTE 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 2 PID: 8457 Comm: syz-executor.0 Not tainted 5.7.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x616/0x1240 drivers/video/fbdev/core/sysimgblt.c:275
Code: 0f b6 14 28 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 5c 0b 00 00 8b 44 24 20 4d 8d 77 04 4c 89 fa 48 c1 ea 03 23 07 <42> 0f b6 0c 2a 4c 89 fa 83 e2 07 33 44 24 14 83 c2 03 38 ca 7c 08
RSP: 0018:ffffc90001867578 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888023ac8402 RCX: ffffffff88786a40
RDX: 1ffff920013df608 RSI: ffffffff83c3bbbc RDI: ffffffff88786a40
RBP: 0000000000000fef R08: ffff888029cf8040 R09: 0000000000000001
R10: ffffffff8a8b743f R11: fffffbfff1516e87 R12: 0000000000000007
R13: dffffc0000000000 R14: ffffc90009efb044 R15: ffffc90009efb040
FS:  0000000000000000(0000) GS:ffff88802d000000(0063) knlGS:00000000f7f0fb40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: fffff520013df608 CR3: 000000001b812000 CR4: 0000000000340ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 drm_fb_helper_sys_imageblit+0x1c/0x180 drivers/gpu/drm/drm_fb_helper.c:747
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x8d0/0xd60 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x345/0x3f0 drivers/video/fbdev/core/fbcon.c:1362
 do_update_region+0x398/0x630 drivers/tty/vt/vt.c:683
 invert_screen+0x2a7/0x600 drivers/tty/vt/vt.c:800
 highlight drivers/tty/vt/selection.c:57 [inline]
 clear_selection drivers/tty/vt/selection.c:84 [inline]
 clear_selection+0x55/0x70 drivers/tty/vt/selection.c:80
 vc_do_resize+0xff3/0x1370 drivers/tty/vt/vt.c:1230
 fbcon_do_set_font+0x4a0/0x950 drivers/video/fbdev/core/fbcon.c:2608
 fbcon_set_font+0x732/0x870 drivers/video/fbdev/core/fbcon.c:2705
 con_font_set drivers/tty/vt/vt.c:4571 [inline]
 con_font_op+0xd65/0x1160 drivers/tty/vt/vt.c:4636
 compat_kdfontop_ioctl drivers/tty/vt/vt_ioctl.c:1151 [inline]
 vt_compat_ioctl+0x23a/0x6c0 drivers/tty/vt/vt_ioctl.c:1213
 tty_compat_ioctl+0x19c/0x410 drivers/tty/tty_io.c:2847
 __do_compat_sys_ioctl fs/ioctl.c:865 [inline]
 __se_compat_sys_ioctl fs/ioctl.c:816 [inline]
 __ia32_compat_sys_ioctl+0x23d/0x2b0 fs/ioctl.c:816
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x270/0xe90 arch/x86/entry/common.c:396
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
Modules linked in:
CR2: fffff520013df608
---[ end trace fbceb2e52f6d552c ]---
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x616/0x1240 drivers/video/fbdev/core/sysimgblt.c:275
Code: 0f b6 14 28 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 5c 0b 00 00 8b 44 24 20 4d 8d 77 04 4c 89 fa 48 c1 ea 03 23 07 <42> 0f b6 0c 2a 4c 89 fa 83 e2 07 33 44 24 14 83 c2 03 38 ca 7c 08
RSP: 0018:ffffc90001867578 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888023ac8402 RCX: ffffffff88786a40
RDX: 1ffff920013df608 RSI: ffffffff83c3bbbc RDI: ffffffff88786a40
RBP: 0000000000000fef R08: ffff888029cf8040 R09: 0000000000000001
R10: ffffffff8a8b743f R11: fffffbfff1516e87 R12: 0000000000000007
R13: dffffc0000000000 R14: ffffc90009efb044 R15: ffffc90009efb040
FS:  0000000000000000(0000) GS:ffff88802d000000(0063) knlGS:00000000f7f0fb40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: fffff520013df608 CR3: 000000001b812000 CR4: 0000000000340ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


* BUG: unable to handle kernel paging request in cfb_imageblit
  2013-02-19 17:33 BUG: unable to handle kernel paging request at ffffc90000669000, IP: [<ffffffff8139d84a>] bitfill_un Tommi Rantala
                   ` (3 preceding siblings ...)
  2020-05-12  6:55 ` BUG: unable to handle kernel paging request in bitfill_aligned syzbot
@ 2020-10-06  8:18 ` syzbot
  2020-12-18 15:26   ` syzbot
  4 siblings, 1 reply; 29+ messages in thread
From: syzbot @ 2020-10-06  8:18 UTC (permalink / raw)
  To: b.zolnierkie, dri-devel, linux-fbdev, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    22fbc037 Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=133731eb900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4e672827d2ffab1f
dashboard link: https://syzkaller.appspot.com/bug?extid=dfd0b1c6705301cc4847
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11ba9a5d900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17cfd4af900000

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1536a750500000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1736a750500000
console output: https://syzkaller.appspot.com/x/log.txt?x=1336a750500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dfd0b1c6705301cc4847@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffff888001000018
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD c801067 P4D c801067 PUD c802067 PMD 80000000010001e1 
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8241 Comm: syz-executor265 Not tainted 5.9.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__writel arch/x86/include/asm/io.h:71 [inline]
RIP: 0010:slow_imageblit drivers/video/fbdev/core/cfbimgblt.c:178 [inline]
RIP: 0010:cfb_imageblit+0xb15/0x11e0 drivers/video/fbdev/core/cfbimgblt.c:302
Code: 89 e6 89 e9 41 d3 e6 41 09 de 89 ef 8b 5c 24 28 89 de e8 0e db 81 fd 39 dd 73 0a e8 65 d9 81 fd eb 42 0f 1f 00 48 8b 44 24 30 <44> 89 30 48 83 c0 04 48 89 44 24 30 89 ef 89 de e8 e6 da 81 fd 39
RSP: 0018:ffffc9000a037558 EFLAGS: 00010246
RAX: ffff888001000018 RBX: 000000000000001c RCX: 000000000000001c
RDX: ffff8880a79880c0 RSI: 000000000000001c RDI: 000000000000001c
RBP: 000000000000001c R08: ffffffff83f32412 R09: ffffffff83f31b7c
R10: 0000000000000002 R11: ffff8880a79880c0 R12: 0000000000000000
R13: ffff888218a81f72 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f8534532700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000018 CR3: 00000000a80b4000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 soft_cursor+0xb44/0xdb0 drivers/video/fbdev/core/softcursor.c:74
 bit_cursor+0x1753/0x2110 drivers/video/fbdev/core/bitblit.c:377
 set_cursor drivers/tty/vt/vt.c:919 [inline]
 con_flush_chars+0x4e1/0x640 drivers/tty/vt/vt.c:3330
 con_write+0x2a/0x40 drivers/tty/vt/vt.c:3251
 do_output_char+0x63b/0x940 drivers/tty/n_tty.c:447
 __process_echoes+0x2a3/0x930 drivers/tty/n_tty.c:739
 flush_echoes drivers/tty/n_tty.c:829 [inline]
 __receive_buf drivers/tty/n_tty.c:1648 [inline]
 n_tty_receive_buf_common+0x29fa/0x3100 drivers/tty/n_tty.c:1742
 paste_selection+0x32c/0x450 drivers/tty/vt/selection.c:408
 vt_ioctl+0x105a/0x3d70 drivers/tty/vt/vt_ioctl.c:862
 tty_ioctl+0xee4/0x15c0 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x449809
Code: e8 8c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8534531db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dec68 RCX: 0000000000449809
RDX: 0000000020000080 RSI: 000000000000541c RDI: 0000000000000007
RBP: 00000000006dec60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dec6c
R13: 00007ffe8074321f R14: 00007f85345329c0 R15: 0000000000000064
Modules linked in:
CR2: ffff888001000018
---[ end trace 4ec628432d38a26a ]---
RIP: 0010:__writel arch/x86/include/asm/io.h:71 [inline]
RIP: 0010:slow_imageblit drivers/video/fbdev/core/cfbimgblt.c:178 [inline]
RIP: 0010:cfb_imageblit+0xb15/0x11e0 drivers/video/fbdev/core/cfbimgblt.c:302
Code: 89 e6 89 e9 41 d3 e6 41 09 de 89 ef 8b 5c 24 28 89 de e8 0e db 81 fd 39 dd 73 0a e8 65 d9 81 fd eb 42 0f 1f 00 48 8b 44 24 30 <44> 89 30 48 83 c0 04 48 89 44 24 30 89 ef 89 de e8 e6 da 81 fd 39
RSP: 0018:ffffc9000a037558 EFLAGS: 00010246
RAX: ffff888001000018 RBX: 000000000000001c RCX: 000000000000001c
RDX: ffff8880a79880c0 RSI: 000000000000001c RDI: 000000000000001c
RBP: 000000000000001c R08: ffffffff83f32412 R09: ffffffff83f31b7c
R10: 0000000000000002 R11: ffff8880a79880c0 R12: 0000000000000000
R13: ffff888218a81f72 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f8534532700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000018 CR3: 00000000a80b4000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: BUG: unable to handle kernel paging request in cfb_imageblit
  2020-10-06  8:18 ` BUG: unable to handle kernel paging request in cfb_imageblit syzbot
@ 2020-12-18 15:26   ` syzbot
  2020-12-18 15:27     ` Dmitry Vyukov
  0 siblings, 1 reply; 29+ messages in thread
From: syzbot @ 2020-12-18 15:26 UTC (permalink / raw)
  To: b.zolnierkie, dan.carpenter, dri-devel, george.kennedy,
	linux-fbdev, linux-kernel, syzkaller-bugs

syzbot suspects this issue was fixed by commit:

commit a49145acfb975d921464b84fe00279f99827d816
Author: George Kennedy <george.kennedy@oracle.com>
Date:   Tue Jul 7 19:26:03 2020 +0000

    fbmem: add margin check to fb_check_caps()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1149f30f500000
start commit:   22fbc037 Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=4e672827d2ffab1f
dashboard link: https://syzkaller.appspot.com/bug?extid=dfd0b1c6705301cc4847
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11ba9a5d900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17cfd4af900000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: fbmem: add margin check to fb_check_caps()

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: BUG: unable to handle kernel paging request in cfb_imageblit
  2020-12-18 15:26   ` syzbot
@ 2020-12-18 15:27     ` Dmitry Vyukov
  0 siblings, 0 replies; 29+ messages in thread
From: Dmitry Vyukov @ 2020-12-18 15:27 UTC (permalink / raw)
  To: syzbot
  Cc: Bartlomiej Zolnierkiewicz, Dan Carpenter, DRI, George Kennedy,
	Linux Fbdev development list, LKML, syzkaller-bugs

On Fri, Dec 18, 2020 at 4:26 PM syzbot
<syzbot+dfd0b1c6705301cc4847@syzkaller.appspotmail.com> wrote:
>
> syzbot suspects this issue was fixed by commit:
>
> commit a49145acfb975d921464b84fe00279f99827d816
> Author: George Kennedy <george.kennedy@oracle.com>
> Date:   Tue Jul 7 19:26:03 2020 +0000
>
>     fbmem: add margin check to fb_check_caps()
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1149f30f500000
> start commit:   22fbc037 Merge tag 'for-linus' of git://git.kernel.org/pub..
> git tree:       upstream
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4e672827d2ffab1f
> dashboard link: https://syzkaller.appspot.com/bug?extid=dfd0b1c6705301cc4847
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11ba9a5d900000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17cfd4af900000
>
> If the result looks correct, please mark the issue as fixed by replying with:
>
> #syz fix: fbmem: add margin check to fb_check_caps()
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

#syz fix: fbmem: add margin check to fb_check_caps()


* Re: [syzbot] BUG: unable to handle kernel paging request in vga16fb_imageblit (2)
  2020-05-08  7:07 ` BUG: unable to handle kernel paging request in vga16fb_imageblit (2) syzbot
@ 2021-05-01 20:31   ` syzbot
  2021-05-02  1:53   ` syzbot
  1 sibling, 0 replies; 29+ messages in thread
From: syzbot @ 2021-05-01 20:31 UTC (permalink / raw)
  To: b.zolnierkie, colin.king, daniel.vetter, dri-devel, gregkh,
	jani.nikula, linux-fbdev, linux-kernel, penguin-kernel,
	syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    d2b6f8a1 Merge tag 'xfs-5.13-merge-3' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11d80be1d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=53fdf14defd48c56
dashboard link: https://syzkaller.appspot.com/bug?extid=1f29e126cf461c4de3b3
compiler:       Debian clang version 11.0.1-2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16d9ff43d00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10981693d00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffff888001000040
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD 11201067 P4D 11201067 PUD 11202067 PMD 80000000010001e1 
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8403 Comm: syz-executor112 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1176 [inline]
RIP: 0010:vga16fb_imageblit+0xcee/0x1cb0 drivers/video/fbdev/vga16fb.c:1260
Code: 66 66 2e 0f 1f 84 00 00 00 00 00 90 4c 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 84 c0 75 1b 41 0f b6 04 24 <41> 88 06 85 ed 74 2b 49 ff c4 49 ff c6 e8 80 ae 43 fd ff cd eb cc
RSP: 0018:ffffc9000163f0a0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888001000040 RCX: dffffc0000000000
RDX: ffff888022ad54c0 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff843b289b R09: 0000000000000000
R10: 0000000000000002 R11: ffff888022ad54c0 R12: ffff8880181bcea8
R13: ffffc9000163f2cc R14: ffff888001000040 R15: 0000000000000004
FS:  0000000001207300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000040 CR3: 0000000028d32000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bit_putcs+0x18e8/0x1de0 drivers/video/fbdev/core/bitblit.c:105
 fbcon_putcs+0x2ae/0x430 drivers/video/fbdev/core/fbcon.c:1296
 do_update_region+0x4d6/0x6a0 drivers/tty/vt/vt.c:676
 redraw_screen+0x8f6/0x1270 drivers/tty/vt/vt.c:1035
 fbcon_blank+0x556/0xa50 drivers/video/fbdev/core/fbcon.c:2207
 do_unblank_screen+0x27e/0xb20 drivers/tty/vt/vt.c:4406
 vt_kdsetmode drivers/tty/vt/vt_ioctl.c:276 [inline]
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:381 [inline]
 vt_ioctl+0x2a82/0x3180 drivers/tty/vt/vt_ioctl.c:713
 tty_ioctl+0xf51/0x1720 drivers/tty/tty_io.c:2805
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:1069 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055
 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43fef9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc931a4c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000013f84 RCX: 000000000043fef9
RDX: 0000000000000000 RSI: 0000000000004b3a RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000d R09: 00007ffc931a4de8
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc931a4c5c
R13: 431bde82d7b634db R14: 00000000004ae018 R15: 0000000000400488
Modules linked in:
CR2: ffff888001000040
---[ end trace 96734cf7ef5cce91 ]---
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1176 [inline]
RIP: 0010:vga16fb_imageblit+0xcee/0x1cb0 drivers/video/fbdev/vga16fb.c:1260
Code: 66 66 2e 0f 1f 84 00 00 00 00 00 90 4c 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 84 c0 75 1b 41 0f b6 04 24 <41> 88 06 85 ed 74 2b 49 ff c4 49 ff c6 e8 80 ae 43 fd ff cd eb cc
RSP: 0018:ffffc9000163f0a0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888001000040 RCX: dffffc0000000000
RDX: ffff888022ad54c0 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff843b289b R09: 0000000000000000
R10: 0000000000000002 R11: ffff888022ad54c0 R12: ffff8880181bcea8
R13: ffffc9000163f2cc R14: ffff888001000040 R15: 0000000000000004
FS:  0000000001207300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000040 CR3: 0000000028d32000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400



* Re: [syzbot] BUG: unable to handle kernel paging request in vga16fb_imageblit (2)
  2020-05-08  7:07 ` BUG: unable to handle kernel paging request in vga16fb_imageblit (2) syzbot
  2021-05-01 20:31   ` [syzbot] " syzbot
@ 2021-05-02  1:53   ` syzbot
  2021-05-03 13:41     ` Tetsuo Handa
  1 sibling, 1 reply; 29+ messages in thread
From: syzbot @ 2021-05-02  1:53 UTC (permalink / raw)
  To: b.zolnierkie, colin.king, daniel.vetter, dri-devel, gregkh,
	jani.nikula, jirislaby, linux-fbdev, linux-kernel,
	penguin-kernel, syzkaller-bugs

syzbot has bisected this issue to:

commit 988d0763361bb65690d60e2bc53a6b72777040c3
Author: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Date:   Sun Sep 27 11:46:30 2020 +0000

    vt_ioctl: make VT_RESIZEX behave like VT_RESIZE

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15633759d00000
start commit:   d2b6f8a1 Merge tag 'xfs-5.13-merge-3' of git://git.kernel...
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=17633759d00000
console output: https://syzkaller.appspot.com/x/log.txt?x=13633759d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=53fdf14defd48c56
dashboard link: https://syzkaller.appspot.com/bug?extid=1f29e126cf461c4de3b3
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16d9ff43d00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10981693d00000

Reported-by: syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com
Fixes: 988d0763361b ("vt_ioctl: make VT_RESIZEX behave like VT_RESIZE")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: [syzbot] BUG: unable to handle kernel paging request in vga16fb_imageblit (2)
  2021-05-02  1:53   ` syzbot
@ 2021-05-03 13:41     ` Tetsuo Handa
  2021-05-07 11:09       ` Tetsuo Handa
  0 siblings, 1 reply; 29+ messages in thread
From: Tetsuo Handa @ 2021-05-03 13:41 UTC (permalink / raw)
  To: syzbot, b.zolnierkie, colin.king, daniel.vetter, dri-devel,
	gregkh, jani.nikula, jirislaby, linux-fbdev, linux-kernel,
	syzkaller-bugs

On 2021/05/02 10:53, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit 988d0763361bb65690d60e2bc53a6b72777040c3
> Author: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
> Date:   Sun Sep 27 11:46:30 2020 +0000
> 
>     vt_ioctl: make VT_RESIZEX behave like VT_RESIZE
> 

That commit is irrelevant. Below is a simplified reproducer.

----------
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/kd.h>
#include <linux/vt.h>

int main(int argc, char *argv[])
{
        /* /dev/char/4:1 is the first virtual console (char major 4, minor 1) */
        const int fd = open("/dev/char/4:1", O_RDWR);
        /* struct vt_sizes is { v_rows, v_cols, v_scrollsize }: 0x4100 = 16640 rows, 2 columns */
        struct vt_sizes vt = { 0x4100, 2 };

        if (fd < 0)
                return 1;
        ioctl(fd, KDSETMODE, KD_GRAPHICS);   /* blank the console (do_blank_screen) */
        ioctl(fd, VT_RESIZE, &vt);           /* resize every console while blanked */
        ioctl(fd, KDSETMODE, KD_TEXT);       /* unblank: the screen is redrawn at the new size */
        return 0;
}
----------

In vga16fb_probe(), we have

----------
        /* XXX share VGA_FB_PHYS and I/O region with vgacon and others */
        info->screen_base = (void __iomem *)VGA_MAP_MEM(VGA_FB_PHYS, 0);

        if (!info->screen_base) {
                printk(KERN_ERR "vga16fb: unable to map device\n");
                ret = -ENOMEM;
                goto err_ioremap;
        }

        printk(KERN_INFO "vga16fb: mapped to 0x%p\n", info->screen_base);
----------

and ffff8880000a0000 is assigned for an 80 x 30 screen upon boot.

----------
[    4.584361][    T1] vga16fb: mapped to 0xffff8880000a0000
[    6.137556][    T1] Console: switching to colour frame buffer device 80x30
[    7.829276][    T1] fb0: VGA16 VGA frame buffer device
----------

With the debug printk() patch shown below,

----------
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 01645e87b3d5..af860b12db44 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -641,6 +641,8 @@ static void con_scroll(struct vc_data *vc, unsigned int t, unsigned int b,
 	scr_memsetw(clear, vc->vc_video_erase_char, vc->vc_size_row * nr);
 }
 
+extern struct task_struct *trace_me;
+
 static void do_update_region(struct vc_data *vc, unsigned long start, int count)
 {
 	unsigned int xx, yy, offset;
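Review bot: the `extern struct task_struct *trace_me;` declaration lives in a .c file, so nothing checks it against the definition in vt_ioctl.c; acceptable for a throwaway debug patch, but anything meant to be applied should declare it once in a shared header (checkpatch flags externs in .c files for this reason).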
@@ -656,6 +658,8 @@ static void do_update_region(struct vc_data *vc, unsigned long start, int count)
 		start = vc->vc_sw->con_getxy(vc, start, &nxx, &nyy);
 		xx = nxx; yy = nyy;
 	}
+	if (trace_me == current)
+		pr_info("p=%px vc->{ vc_origin=%lx vc_rows=%u vc_cols=%u vc_scr_end=%lx } start=%lx count=%d xx=%u yy=%u\n", p, vc->vc_origin, vc->vc_rows, vc->vc_cols, vc->vc_scr_end, start, count, xx, yy);
 	for(;;) {
 		u16 attrib = scr_readw(p) & 0xff00;
 		int startx = xx;
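Review bot: the added pr_info() uses %px, which writes unhashed kernel addresses to dmesg; that is exactly what this investigation needs (the values are compared against screen_base further down), but it must not survive into a real fix, and the single very long format line will be flagged by checkpatch. The bare `trace_me == current` read relies on the writers in vt_ioctl.c only touching `trace_me` between console_lock() and console_unlock(); a short comment at the definition would make that contract explicit.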
@@ -1227,6 +1231,8 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
 	newscreen = kzalloc(new_screen_size, GFP_USER);
 	if (!newscreen)
 		return -ENOMEM;
+	if (trace_me == current)
+		pr_info("vc=%px new_cols=%u new_rows=%u new_screen_size=%u newscreen=%px\n", vc, new_cols, new_rows, new_screen_size, newscreen);
 
 	if (get_vc_uniscr(vc)) {
 		new_uniscr = vc_uniscr_alloc(new_cols, new_rows);
diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
index 89aeaf3c1bca..137befd09d22 100644
--- a/drivers/tty/vt/vt_ioctl.c
+++ b/drivers/tty/vt/vt_ioctl.c
@@ -240,6 +240,8 @@ int vt_waitactive(int n)
 #define GPLAST 0x3df
 #define GPNUM (GPLAST - GPFIRST + 1)
 
+struct task_struct *trace_me;
+
 /*
  * currently, setting the mode from KD_TEXT to KD_GRAPHICS doesn't do a whole
  * lot. i'm not sure if it should do any restoration of modes or what...
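Review bot: `trace_me` is a bare global `struct task_struct *` shared across vt_ioctl.c, vt.c and vga16fb.c with no note on what serialises it; from the later hunks it is only written between console_lock() and console_unlock(), so a one-line comment such as `/* protected by console_lock */` would spare readers the search. It also stores `current` without taking a reference, which is only safe because every writer clears it before the same ioctl returns.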
@@ -272,10 +274,12 @@ static int vt_kdsetmode(struct vc_data *vc, unsigned long mode)
 
 	/* explicitly blank/unblank the screen if switching modes */
 	console_lock();
+	trace_me = current;
 	if (mode == KD_TEXT)
 		do_unblank_screen(1);
 	else
 		do_blank_screen(1);
+	trace_me = NULL;
 	console_unlock();
 
 	return 0;
@@ -877,6 +881,7 @@ int vt_ioctl(struct tty_struct *tty,
 			return -EFAULT;
 
 		console_lock();
+		trace_me = current;
 		for (i = 0; i < MAX_NR_CONSOLES; i++) {
 			vc = vc_cons[i].d;
 
@@ -886,6 +891,7 @@ int vt_ioctl(struct tty_struct *tty,
 				vc_resize(vc_cons[i].d, cc, ll);
 			}
 		}
+		trace_me = NULL;
 		console_unlock();
 		break;
 	}
diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
index 1e8a38a7967d..fca76f6b9ab6 100644
--- a/drivers/video/fbdev/vga16fb.c
+++ b/drivers/video/fbdev/vga16fb.c
@@ -1145,6 +1145,8 @@ static void vga_8planes_imageblit(struct fb_info *info, const struct fb_image *i
         setindex(oldindex);
 }
 
+extern struct task_struct *trace_me;
+
 static void vga_imageblit_expand(struct fb_info *info, const struct fb_image *image)
 {
 	char __iomem *where = info->screen_base + (image->dx/8) +
@@ -1170,6 +1172,9 @@ static void vga_imageblit_expand(struct fb_info *info, const struct fb_image *im
 				readb(where); /* fill latches */
 				setmode(3);
 				wmb();
+				if (trace_me == current)
+					pr_info_ratelimited("image->{ data=%px dx=%u dy=%u height=%u width=%u } info->{ screen_base=%px fix.line_length=%u } where=%px\n",
+							    cdat, image->dx, image->dy, image->height, image->width, info->screen_base, info->fix.line_length, where);
 				for (y = 0; y < image->height; y++) {
 					dst = where;
 					for (x = image->width/8; x--;) 
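Review bot: the new pr_info_ratelimited() shows `where` running past the mapped region, but the `for (y = 0; y < image->height; y++)` loop that follows still walks `image->height` rows from `where` unconditionally; the missing piece is a bound check before that loop (that `where` plus `image->height * info->fix.line_length` stays within the region mapped from `info->screen_base`, or that the caller rejects an `image->dy` beyond the visible rows) so an oversized blit is refused rather than merely logged.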
----------

we can see that at least ffff8880000a0000-ffff888001000040 are accessed, and 'dy'
would be 201520 when 'where' is ffff888001000000, which corresponds to 'real_y()'
being 12595, because ioctl(VT_RESIZE) changed the screen size to 2 x 16640.

----------
[  222.885841][ T1675] vc=ffff888100109800 new_cols=2 new_rows=16640 new_screen_size=66560 newscreen=ffff888112120000
[  222.886520][ T1675] vc=ffff888105d26800 new_cols=2 new_rows=16640 new_screen_size=66560 newscreen=ffff888112140000
[  222.886662][ T1675] vc=ffff888105ca5800 new_cols=2 new_rows=16640 new_screen_size=66560 newscreen=ffff888112140000
[  222.886799][ T1675] vc=ffff8881017ff800 new_cols=2 new_rows=16640 new_screen_size=66560 newscreen=ffff888112140000
[  222.886951][ T1675] vc=ffff888102770800 new_cols=2 new_rows=16640 new_screen_size=66560 newscreen=ffff888112140000
[  222.887089][ T1675] vc=ffff8881052e5800 new_cols=2 new_rows=16640 new_screen_size=66560 newscreen=ffff888112140000
[  222.956019][ T1675] image->{ data=ffff888100a6e180 dx=8 dy=48 height=16 width=8 } info->{ screen_base=ffff8880000a0000 fix.line_length=80 } where=ffff8880000a0f01
[  223.252930][ T1675] p=ffff888112120000 vc->{ vc_origin=ffff888112120000 vc_rows=16640 vc_cols=2 vc_scr_end=ffff888112130400 } start=ffff888112120004 count=33280 xx=0 yy=0
[  223.253187][ T1675] image->{ data=ffff888100a6e190 dx=0 dy=0 height=16 width=16 } info->{ screen_base=ffff8880000a0000 fix.line_length=80 } where=ffff8880000a0000
[  223.253777][ T1675] image->{ data=ffff888100a6e1b0 dx=0 dy=16 height=16 width=16 } info->{ screen_base=ffff8880000a0000 fix.line_length=80 } where=ffff8880000a0500
[  223.254373][ T1675] image->{ data=ffff888100a6e1d0 dx=0 dy=32 height=16 width=16 } info->{ screen_base=ffff8880000a0000 fix.line_length=80 } where=ffff8880000a0a00
[  223.254867][ T1675] image->{ data=ffff888100a6e1f0 dx=0 dy=48 height=16 width=16 } info->{ screen_base=ffff8880000a0000 fix.line_length=80 } where=ffff8880000a0f00
[  223.255340][ T1675] image->{ data=ffff888100a6e210 dx=0 dy=64 height=16 width=16 } info->{ screen_base=ffff8880000a0000 fix.line_length=80 } where=ffff8880000a1400
[  223.255834][ T1675] image->{ data=ffff888100a6e230 dx=0 dy=80 height=16 width=16 } info->{ screen_base=ffff8880000a0000 fix.line_length=80 } where=ffff8880000a1900
[  223.256307][ T1675] image->{ data=ffff888100a6e250 dx=0 dy=96 height=16 width=16 } info->{ screen_base=ffff8880000a0000 fix.line_length=80 } where=ffff8880000a1e00
[  223.256800][ T1675] image->{ data=ffff888100a6e270 dx=0 dy=112 height=16 width=16 } info->{ screen_base=ffff8880000a0000 fix.line_length=80 } where=ffff8880000a2300
[  223.257274][ T1675] image->{ data=ffff888100a6e290 dx=0 dy=128 height=16 width=16 } info->{ screen_base=ffff8880000a0000 fix.line_length=80 } where=ffff8880000a2800
[  224.897239][ T1675] BUG: unable to handle page fault for address: ffff888001000040
[  224.897276][ T1675] #PF: supervisor write access in kernel mode
[  224.897316][ T1675] #PF: error_code(0x0003) - permissions violation
[  224.897354][ T1675] PGD 3c01067 P4D 3c01067 PUD 3c02067 PMD 80000000010001e1 
[  224.897454][ T1675] Oops: 0003 [#1] PREEMPT SMP
[  224.897516][ T1675] CPU: 3 PID: 1675 Comm: a.out Not tainted 5.12.0+ #652
[  224.897591][ T1675] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  224.897632][ T1675] RIP: 0010:vga16fb_imageblit+0x4b1/0x9d0
[  224.897740][ T1675] Code: f6 74 47 45 89 fe 48 89 1c 24 4d 89 ef e8 b7 a0 9d ff 48 8b 04 24 49 83 c7 01 48 89 c2 48 83 c0 01 48 89 04 24 41 0f b6 47 ff <88> 02 31 ff 44 89 f6 41 83 ee 01 e8 ef a1 9d ff 41 83 fe ff 75 cd
[  224.897820][ T1675] RSP: 0018:ffffc900010d3a30 EFLAGS: 00010286
[  224.897879][ T1675] RAX: 0000000000000000 RBX: ffff888001000040 RCX: ffff888103a40100
[  224.897972][ T1675] RDX: ffff888001000040 RSI: ffff888103a40100 RDI: 0000000000000002
[  224.898027][ T1675] RBP: ffffc900010d3af8 R08: ffffffff8182e1b9 R09: 0000000000000000
[  224.898083][ T1675] R10: 0000000000000005 R11: 0000000000080000 R12: ffff888101f36800
[  224.898137][ T1675] R13: ffff888100a6ebc8 R14: 0000000000000001 R15: ffff888100a6ebc9
[  224.898194][ T1675] FS:  00007fbefdeb6540(0000) GS:ffff88811bd80000(0000) knlGS:0000000000000000
[  224.898269][ T1675] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  224.898328][ T1675] CR2: ffff888001000040 CR3: 0000000103a56003 CR4: 00000000000706e0
[  224.898387][ T1675] Call Trace:
[  224.898405][ T1675]  bit_putcs+0x4dd/0x700
[  224.898493][ T1675]  ? write_comp_data+0x1c/0x70
[  224.898568][ T1675]  ? __sanitizer_cov_trace_switch+0x50/0x90
[  224.898655][ T1675]  ? bit_clear+0x1e0/0x1e0
[  224.898742][ T1675]  fbcon_putcs+0x13c/0x150
[  224.898823][ T1675]  do_update_region+0x1c6/0x2b0
[  224.898935][ T1675]  redraw_screen+0x2e4/0x310
[  224.899051][ T1675]  fbcon_blank+0x38f/0x440
[  224.899139][ T1675]  do_unblank_screen+0x10f/0x210
[  224.899240][ T1675]  vt_ioctl+0x116f/0x19c0
[  224.899325][ T1675]  ? lock_is_held_type+0xfc/0x170
[  224.899413][ T1675]  ? write_comp_data+0x1c/0x70
[  224.899488][ T1675]  ? __sanitizer_cov_trace_switch+0x50/0x90
[  224.899576][ T1675]  ? complete_change_console+0x160/0x160
[  224.899661][ T1675]  tty_ioctl+0x630/0xbb0
[  224.899731][ T1675]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[  224.899813][ T1675]  ? do_vfs_ioctl+0x9b/0xca0
[  224.899904][ T1675]  ? lock_is_held_type+0xfc/0x170
[  224.899982][ T1675]  ? tty_vhangup+0x30/0x30
[  224.900053][ T1675]  __x64_sys_ioctl+0xbb/0x110
[  224.900134][ T1675]  do_syscall_64+0x3a/0xb0
[  224.900229][ T1675]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  224.900326][ T1675] RIP: 0033:0x7fbefddda50b
[  224.900379][ T1675] Code: 0f 1e fa 48 8b 05 85 39 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 55 39 0d 00 f7 d8 64 89 01 48
[  224.900459][ T1675] RSP: 002b:00007ffe60c4e2b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  224.900532][ T1675] RAX: ffffffffffffffda RBX: 0000557f9f780220 RCX: 00007fbefddda50b
[  224.900589][ T1675] RDX: 0000000000000000 RSI: 0000000000004b3a RDI: 0000000000000003
[  224.900641][ T1675] RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fbefded0d50
[  224.900694][ T1675] R10: 0000000000000000 R11: 0000000000000246 R12: 0000557f9f780130
[  224.900748][ T1675] R13: 00007ffe60c4e3c0 R14: 0000000000000000 R15: 0000000000000000
[  224.900804][ T1675] Modules linked in: sg video rapl evdev backlight input_leds mousedev led_class button ac binfmt_misc sd_mod t10_pi crc_t10dif crct10dif_generic sr_mod cdrom crct10dif_pclmul ata_generic crct10dif_common crc32_pclmul crc32c_intel ahci ghash_clmulni_intel psmouse libahci aesni_intel atkbd ata_piix libaes libps2 crypto_simd i2c_piix4 libata i8042 rtc_cmos i2c_core cryptd serio scsi_mod
[  224.901745][ T1675] CR2: ffff888001000040
[  224.901777][ T1675] ---[ end trace 045541aa43f10c56 ]---
[  224.901841][ T1675] RIP: 0010:vga16fb_imageblit+0x4b1/0x9d0
[  224.901948][ T1675] Code: f6 74 47 45 89 fe 48 89 1c 24 4d 89 ef e8 b7 a0 9d ff 48 8b 04 24 49 83 c7 01 48 89 c2 48 83 c0 01 48 89 04 24 41 0f b6 47 ff <88> 02 31 ff 44 89 f6 41 83 ee 01 e8 ef a1 9d ff 41 83 fe ff 75 cd
[  224.902062][ T1675] RSP: 0018:ffffc900010d3a30 EFLAGS: 00010286
[  224.902181][ T1675] RAX: 0000000000000000 RBX: ffff888001000040 RCX: ffff888103a40100
[  224.902245][ T1675] RDX: ffff888001000040 RSI: ffff888103a40100 RDI: 0000000000000002
[  224.902347][ T1675] RBP: ffffc900010d3af8 R08: ffffffff8182e1b9 R09: 0000000000000000
[  224.902461][ T1675] R10: 0000000000000005 R11: 0000000000080000 R12: ffff888101f36800
[  224.902524][ T1675] R13: ffff888100a6ebc8 R14: 0000000000000001 R15: ffff888100a6ebc9
[  224.902580][ T1675] FS:  00007fbefdeb6540(0000) GS:ffff88811bd80000(0000) knlGS:0000000000000000
[  224.902655][ T1675] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  224.902714][ T1675] CR2: ffff888001000040 CR3: 0000000103a56003 CR4: 00000000000706e0
[  224.902777][ T1675] Kernel panic - not syncing: Fatal exception
[  224.903014][ T1675] Kernel Offset: disabled
[  225.661115][ T1675] Rebooting in 10 seconds..
----------

Therefore, I guess that the problem is that fbcon_putcs() from do_update_region() from
redraw_screen() from vt_kdsetmode(KD_TEXT) from ioctl(fd, KDSETMODE, KD_TEXT) tries to
redraw 2 x 16640 despite the memory allocated for the actual screen being only 80 x 30.

I don't know how to fix this problem...


* Re: [syzbot] BUG: unable to handle kernel paging request in vga16fb_imageblit (2)
  2021-05-03 13:41     ` Tetsuo Handa
@ 2021-05-07 11:09       ` Tetsuo Handa
  2021-05-14 16:19         ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Tetsuo Handa
  0 siblings, 1 reply; 29+ messages in thread
From: Tetsuo Handa @ 2021-05-07 11:09 UTC (permalink / raw)
  To: syzbot, b.zolnierkie, colin.king, daniel.vetter, dri-devel,
	gregkh, jani.nikula, jirislaby, linux-fbdev, linux-kernel,
	syzkaller-bugs, Maciej W. Rozycki, Antonino A. Daplas

On 2021/05/03 22:41, Tetsuo Handa wrote:
> Therefore, I guess that the problem is that fbcon_putcs() from do_update_region() from
> redraw_screen() from vt_kdsetmode(KD_TEXT) from ioctl(fd, KDSETMODE, KD_TEXT) tries to
> redraw 2 x 16640 despite the memory allocated for the actual screen being only 80 x 30.
> 
> I don't know how to fix this problem...
> 

Daniel Vetter suggested to me that parameter validation is missing/wrong somewhere, for
resize requests that don't fit should be rejected. Thus, I'm thinking about how to add
parameter validation.

Like the diff shown at the bottom, adding a hook for validating whether rows / columns are
small enough (VGA_FB_PHYS_LEN bytes starting from VGA_FB_PHYS ?) survives the

----------
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/kd.h>
#include <linux/vt.h>

int main(int argc, char *argv[])
{
        const int fd = open("/dev/char/4:1", O_RDWR);
        struct vt_sizes vt = { 0x4100, 2 };

        ioctl(fd, KDSETMODE, KD_GRAPHICS);
        ioctl(fd, VT_RESIZE, &vt);
        ioctl(fd, KDSETMODE, KD_TEXT);
        return 0;
}
----------

reproducer. But I don't know how to calculate upper boundary values for vga16fb_tty_resize(),
for I don't even know where these values are derived from...

Also, currently resize_screen() calls vc->vc_sw->con_resize() only if vc->vc_mode != KD_GRAPHICS.
But we need to unconditionally call vga16fb_tty_resize() in order to survive the reproducer; we
need to prevent vc->vc_{rows,cols} from exceeding the upper boundary values regardless of current
vc->vc_mode setting. The "vc->vc_mode != KD_GRAPHICS" check predates the git history, and I don't
know the side effect of removing this check...

----------
e400b6ec4ede4 drivers/char/vt.c   (Antonino A. Daplas   2007-10-16 01:29:35 -0700 1168) static inline int resize_screen(struct vc_data *vc, int width, int height,
e400b6ec4ede4 drivers/char/vt.c   (Antonino A. Daplas   2007-10-16 01:29:35 -0700 1169)                                 int user)
^1da177e4c3f4 drivers/char/vt.c   (Linus Torvalds       2005-04-16 15:20:36 -0700 1170) {
^1da177e4c3f4 drivers/char/vt.c   (Linus Torvalds       2005-04-16 15:20:36 -0700 1171)         /* Resizes the resolution of the display adapater */
^1da177e4c3f4 drivers/char/vt.c   (Linus Torvalds       2005-04-16 15:20:36 -0700 1172)         int err = 0;
^1da177e4c3f4 drivers/char/vt.c   (Linus Torvalds       2005-04-16 15:20:36 -0700 1173)
^1da177e4c3f4 drivers/char/vt.c   (Linus Torvalds       2005-04-16 15:20:36 -0700 1174)         if (vc->vc_mode != KD_GRAPHICS && vc->vc_sw->con_resize)
e400b6ec4ede4 drivers/char/vt.c   (Antonino A. Daplas   2007-10-16 01:29:35 -0700 1175)                 err = vc->vc_sw->con_resize(vc, width, height, user);
e400b6ec4ede4 drivers/char/vt.c   (Antonino A. Daplas   2007-10-16 01:29:35 -0700 1176)
^1da177e4c3f4 drivers/char/vt.c   (Linus Torvalds       2005-04-16 15:20:36 -0700 1177)         return err;
^1da177e4c3f4 drivers/char/vt.c   (Linus Torvalds       2005-04-16 15:20:36 -0700 1178) }
----------

I need more help from those who know this area.

 drivers/tty/vt/vt.c              |    2 +-
 drivers/video/fbdev/core/fbcon.c |    7 +++++++
 drivers/video/fbdev/vga16fb.c    |    8 ++++++++
 include/linux/fb.h               |    3 +++
 4 files changed, 19 insertions(+), 1 deletion(-)

----------
diff --git a/include/linux/fb.h b/include/linux/fb.h
index a8dccd23c249..870384afb5e9 100644
--- a/include/linux/fb.h
+++ b/include/linux/fb.h
@@ -289,14 +289,17 @@ struct fb_ops {
 
 	/* teardown any resources to do with this framebuffer */
 	void (*fb_destroy)(struct fb_info *info);
 
 	/* called at KDB enter and leave time to prepare the console */
 	int (*fb_debug_enter)(struct fb_info *info);
 	int (*fb_debug_leave)(struct fb_info *info);
+
+	/* Check if resizing TTY to these sizes is safe. */
+	int (*fb_tty_resize)(struct fb_info *info, unsigned int cols, unsigned int rows);
 };
 
 #ifdef CONFIG_FB_TILEBLITTING
 #define FB_TILE_CURSOR_NONE        0
 #define FB_TILE_CURSOR_UNDERLINE   1
 #define FB_TILE_CURSOR_LOWER_THIRD 2
 #define FB_TILE_CURSOR_LOWER_HALF  3
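Review bot: the new fb_tty_resize hook has no documented contract; the one-line comment says "safe" but not that the function returns 0 on success and a negative errno on failure, nor that cols/rows are character cells rather than pixels. Suggest expanding the comment to something like `/* Return 0 if a text console of cols x rows cells fits the current mode, -EINVAL otherwise. */` so every driver implementing it follows the same convention.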
diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
index 1e8a38a7967d..54aa6a99b09c 100644
--- a/drivers/video/fbdev/vga16fb.c
+++ b/drivers/video/fbdev/vga16fb.c
@@ -1266,27 +1266,35 @@ static void vga16fb_destroy(struct fb_info *info)
 {
 	iounmap(info->screen_base);
 	fb_dealloc_cmap(&info->cmap);
 	/* XXX unshare VGA regions */
 	framebuffer_release(info);
 }
 
+static int vga16fb_tty_resize(struct fb_info *info, unsigned int cols, unsigned int rows)
+{
+	if (cols <= 80 && rows <= 30)
+		return 0;
+	return -EINVAL;
+}
+
 static const struct fb_ops vga16fb_ops = {
 	.owner		= THIS_MODULE,
 	.fb_open        = vga16fb_open,
 	.fb_release     = vga16fb_release,
 	.fb_destroy	= vga16fb_destroy,
 	.fb_check_var	= vga16fb_check_var,
 	.fb_set_par	= vga16fb_set_par,
 	.fb_setcolreg 	= vga16fb_setcolreg,
 	.fb_pan_display = vga16fb_pan_display,
 	.fb_blank 	= vga16fb_blank,
 	.fb_fillrect	= vga16fb_fillrect,
 	.fb_copyarea	= vga16fb_copyarea,
 	.fb_imageblit	= vga16fb_imageblit,
+	.fb_tty_resize  = vga16fb_tty_resize,
 };
 
 #ifndef MODULE
 static int __init vga16fb_setup(char *options)
 {
 	char *this_opt;
 	
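Review bot: vga16fb_tty_resize() hard-codes `cols <= 80 && rows <= 30` instead of deriving the limit from the mode, so the bound is only right for one resolution and one 8x16 font; after vga16fb_set_par() programs a different mode, or fbcon loads a different font, the check is either too loose or too strict. The limit should come from info->var.xres/yres (or info->fix.line_length and the mapped length) divided by the font size; note that the hook as declared does not receive the font dimensions, so the signature would need them or fbcon would have to do that division before calling it.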
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 3406067985b1..c0eac87a2a56 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -1990,14 +1990,21 @@ static int fbcon_resize(struct vc_data *vc, unsigned int width,
 		if (pitch <= 0)
 			return -EINVAL;
 		size = CALC_FONTSZ(vc->vc_font.height, pitch, vc->vc_font.charcount);
 		if (size > FNTSIZE(vc->vc_font.data))
 			return -EINVAL;
 	}
 
+	if (info->fbops && info->fbops->fb_tty_resize) {
+		int err = info->fbops->fb_tty_resize(info, width, height);
+
+		if (err)
+			return err;
+	}
+
 	virt_w = FBCON_SWAP(ops->rotate, width, height);
 	virt_h = FBCON_SWAP(ops->rotate, height, width);
 	virt_fw = FBCON_SWAP(ops->rotate, vc->vc_font.width,
 				 vc->vc_font.height);
 	virt_fh = FBCON_SWAP(ops->rotate, vc->vc_font.height,
 				 vc->vc_font.width);
 	var.xres = virt_w * virt_fw;
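Review bot: the new check hands (width, height) to fb_tty_resize() before the FBCON_SWAP() lines below apply the console rotation, so on a rotated console the driver compares logical cols/rows against its physical limits with the axes swapped. Suggest performing the check after virt_w/virt_h are computed and passing those, or documenting that the hook receives unrotated values and letting the driver ignore rotation.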
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 01645e87b3d5..fa1548d4f94b 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1167,15 +1167,15 @@ int vc_allocate(unsigned int currcons)	/* return 0 on success */
 
 static inline int resize_screen(struct vc_data *vc, int width, int height,
 				int user)
 {
 	/* Resizes the resolution of the display adapater */
 	int err = 0;
 
-	if (vc->vc_mode != KD_GRAPHICS && vc->vc_sw->con_resize)
+	if (vc->vc_sw->con_resize)
 		err = vc->vc_sw->con_resize(vc, width, height, user);
 
 	return err;
 }
 
 /**
  *	vc_do_resize	-	resizing method for the tty
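Review bot: dropping the `vc->vc_mode != KD_GRAPHICS` test means con_resize() now runs while a graphics client owns the display; the comment in the same function says the callback "Resizes the resolution of the display adapater", so this can reprogram the hardware underneath that client, which the cover text itself says has unknown side effects. If the goal is only to keep vc_rows/vc_cols within bounds, a narrower change is to reject the resize with -EINVAL while in KD_GRAPHICS, or to defer the con_resize() call until the console returns to KD_TEXT, rather than calling it unconditionally.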
----------



* [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
  2021-05-07 11:09       ` Tetsuo Handa
@ 2021-05-14 16:19         ` Tetsuo Handa
  2021-05-14 17:29           ` Linus Torvalds
  0 siblings, 1 reply; 29+ messages in thread
From: Tetsuo Handa @ 2021-05-14 16:19 UTC (permalink / raw)
  To: dri-devel, linux-fbdev, linux-kernel, Maciej W. Rozycki, Daniel Vetter
  Cc: Linus Torvalds, syzbot, b.zolnierkie, colin.king, gregkh,
	jani.nikula, jirislaby, syzkaller-bugs, Antonino A. Daplas

syzbot is reporting that a local user with the framebuffer console can
crash the kernel [1], for ioctl(VT_RESIZE) allows a TTY to set arbitrary
rows/columns values regardless of the amount of memory reserved for
the graphical screen.

----------
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/kd.h>
#include <linux/vt.h>

int main(int argc, char *argv[])
{
        const int fd = open("/dev/char/4:1", O_RDWR);
        struct vt_sizes vt = { 0x4100, 2 };

        ioctl(fd, KDSETMODE, KD_GRAPHICS);
        ioctl(fd, VT_RESIZE, &vt);
        ioctl(fd, KDSETMODE, KD_TEXT);
        return 0;
}
----------

Currently it is impossible to control the upper limit of rows/columns values
based on the amount of memory reserved for the graphical screen, for
resize_screen() calls vc->vc_sw->con_resize() only if vc->vc_mode is not
already KD_GRAPHICS. I don't know the reason, and this condition predates
the git history. Even if it turns out to be safe to always call this
callback, we will need to involve another callback via "struct fb_ops" for
checking the upper limits from fbcon_resize(). As a result, we will need
to modify

 drivers/tty/vt/vt.c
 drivers/video/fbdev/core/fbcon.c
 drivers/video/fbdev/vga16fb.c
 include/linux/fb.h

files only for checking rows/columns values passed to ioctl(VT_RESIZE)
request.

Therefore, instead of introducing such a complicated callback chain, avoid
this problem by simply checking whether the address to read or write is in
[VGA_FB_PHYS, VGA_FB_PHYS + VGA_FB_PHYS_LEN) range.

[1] https://syzkaller.appspot.com/bug?extid=1f29e126cf461c4de3b3

Reported-by: syzbot <syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: syzbot <syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com>
---
 drivers/video/fbdev/vga16fb.c | 54 +++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 18 deletions(-)

diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c
index e2757ff1c23d..13732a3b1d69 100644
--- a/drivers/video/fbdev/vga16fb.c
+++ b/drivers/video/fbdev/vga16fb.c
@@ -98,6 +98,18 @@ static const struct fb_fix_screeninfo vga16fb_fix = {
 	.accel		= FB_ACCEL_NONE
 };
 
+/*
+ * Verify that the address to read or write is in [VGA_FB_PHYS, VGA_FB_PHYS + VGA_FB_PHYS_LEN)
+ * range, for ioctl(VT_RESIZE) allows a TTY to set arbitrary rows/columns values which will crash
+ * the kernel due to out of bounds access when trying to redraw the screen.
+ */
+static inline bool is_valid_iomem(const struct fb_info *info, const char __iomem *where)
+{
+	return info->screen_base <= where && where < info->screen_base + VGA_FB_PHYS_LEN;
+}
+
+#define IS_SAFE(where) is_valid_iomem(info, (where))
+
 /* The VGA's weird architecture often requires that we read a byte and
    write a byte to the same location.  It doesn't matter *what* byte
    we write, however.  This is because all the action goes on behind
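Review bot: is_valid_iomem() bounds against the constant VGA_FB_PHYS_LEN rather than the length the driver actually mapped (info->fix.smem_len or info->screen_size), and IS_SAFE() silently depends on a local named `info` being in scope at every use site, which hides the dependency and breaks in any function that names its fb_info differently. Suggest checking against info->fix.smem_len and making the macro take info explicitly, e.g. `#define IS_SAFE(info, where) is_valid_iomem((info), (where))`. More fundamentally, the check only clips the redraw: vc_rows/vc_cols stay inconsistent with the mode, so the console keeps drawing with stale geometry, just without faulting, and that limitation should be stated in the commit message.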
@@ -851,7 +863,7 @@ static void vga_8planes_fillrect(struct fb_info *info, const struct fb_fillrect
                         int x;
 
                         /* we can do memset... */
-                        for (x = width; x > 0; --x) {
+			for (x = width; x > 0 && IS_SAFE(where); --x) {
                                 writeb(rect->color, where);
                                 where++;
                         }
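Review bot: the `+` line replaces the surrounding space indentation with tabs (the `-` line and the context lines in vga_8planes_fillrect use spaces), which mixes styles inside one function; the same happens in the other 8-plane hunks below. Also, ending the loop on `IS_SAFE(where)` truncates the fill silently: nothing is logged and the caller is not told the rectangle was clipped. Suggest keeping the existing indentation and adding a one-time diagnostic (WARN_ON_ONCE() or pr_warn_once()) so the stale geometry that caused the clip is visible instead of being quietly hidden.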
@@ -864,7 +876,7 @@ static void vga_8planes_fillrect(struct fb_info *info, const struct fb_fillrect
                 oldop = setop(0x18);
                 oldsr = setsr(0xf);
                 setmask(0x0F);
-                for (y = 0; y < rect->height; y++) {
+		for (y = 0; y < rect->height && IS_SAFE(where) && IS_SAFE(where + 1); y++) {
                         rmw(where);
                         rmw(where+1);
                         where += info->fix.line_length;
@@ -919,7 +931,7 @@ static void vga16fb_fillrect(struct fb_info *info, const struct fb_fillrect *rec
 				setmask(0xff);
 
 				while (height--) {
-					for (x = 0; x < width; x++) {
+					for (x = 0; x < width && IS_SAFE(dst); x++) {
 						writeb(0, dst);
 						dst++;
 					}
@@ -935,7 +947,7 @@ static void vga16fb_fillrect(struct fb_info *info, const struct fb_fillrect *rec
 
 				setmask(0xff);
 				while (height--) {
-					for (x = 0; x < width; x++) {
+					for (x = 0; x < width && IS_SAFE(dst); x++) {
 						rmw(dst);
 						dst++;
 					}
@@ -975,7 +987,7 @@ static void vga_8planes_copyarea(struct fb_info *info, const struct fb_copyarea
                 dest = info->screen_base + dx + area->dy * info->fix.line_length;
                 src = info->screen_base + sx + area->sy * info->fix.line_length;
                 while (height--) {
-                        for (x = 0; x < width; x++) {
+			for (x = 0; x < width && IS_SAFE(src) && IS_SAFE(dest); x++) {
                                 readb(src);
                                 writeb(0, dest);
                                 src++;
@@ -991,7 +1003,7 @@ static void vga_8planes_copyarea(struct fb_info *info, const struct fb_copyarea
                 src = info->screen_base + sx + width +
 			(area->sy + height - 1) * info->fix.line_length;
                 while (height--) {
-                        for (x = 0; x < width; x++) {
+			for (x = 0; x < width && IS_SAFE(src - 1) && IS_SAFE(dest - 1); x++) {
                                 --src;
                                 --dest;
                                 readb(src);
@@ -1065,7 +1077,7 @@ static void vga16fb_copyarea(struct fb_info *info, const struct fb_copyarea *are
 				dst = info->screen_base + (dx/8) + dy * info->fix.line_length;
 				src = info->screen_base + (sx/8) + sy * info->fix.line_length;
 				while (height--) {
-					for (x = 0; x < width; x++) {
+					for (x = 0; x < width && IS_SAFE(src) && IS_SAFE(dst); x++) {
 						readb(src);
 						writeb(0, dst);
 						dst++;
@@ -1080,7 +1092,7 @@ static void vga16fb_copyarea(struct fb_info *info, const struct fb_copyarea *are
 				src = info->screen_base + (sx/8) + width + 
 					(sy + height  - 1) * info->fix.line_length;
 				while (height--) {
-					for (x = 0; x < width; x++) {
+					for (x = 0; x < width && IS_SAFE(src - 1) && IS_SAFE(dst - 1); x++) {
 						dst--;
 						src--;
 						readb(src);
@@ -1130,13 +1142,15 @@ static void vga_8planes_imageblit(struct fb_info *info, const struct fb_image *i
         where = info->screen_base + dx + image->dy * info->fix.line_length;
 
         setmask(0xff);
-        writeb(image->bg_color, where);
-        readb(where);
+	if (IS_SAFE(where)) {
+		writeb(image->bg_color, where);
+		readb(where);
+	}
         selectmask();
         setmask(image->fg_color ^ image->bg_color);
         setmode(0x42);
         setop(0x18);
-        for (y = 0; y < image->height; y++, where += info->fix.line_length)
+	for (y = 0; y < image->height && IS_SAFE(where); y++, where += info->fix.line_length)
                 writew(transl_h[cdat[y]&0xF] | transl_l[cdat[y] >> 4], where);
         setmask(oldmask);
         setsr(oldsr);
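Review bot: writew() stores two bytes at `where`, but the loop guard `IS_SAFE(where)` only validates the first, so when `where` is the last byte of the window the write still overruns by one. The @@ -864 hunk above already checks `IS_SAFE(where) && IS_SAFE(where + 1)` for its two-byte rmw() pair; use the same pair of checks here.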
@@ -1165,14 +1179,16 @@ static void vga_imageblit_expand(struct fb_info *info, const struct fb_image *im
 				selectmask();
 				
 				setmask(0xff);
-				writeb(image->bg_color, where);
-				rmb();
-				readb(where); /* fill latches */
+				if (IS_SAFE(where)) {
+					writeb(image->bg_color, where);
+					rmb();
+					readb(where); /* fill latches */
+				}
 				setmode(3);
 				wmb();
 				for (y = 0; y < image->height; y++) {
 					dst = where;
-					for (x = image->width/8; x--;) 
+					for (x = image->width/8; x-- && IS_SAFE(dst);)
 						writeb(*cdat++, dst++);
 					where += info->fix.line_length;
 				}
@@ -1187,7 +1203,7 @@ static void vga_imageblit_expand(struct fb_info *info, const struct fb_image *im
 				setmask(0xff);
 				for (y = 0; y < image->height; y++) {
 					dst = where;
-					for (x=image->width/8; x--;){
+					for (x = image->width/8 && IS_SAFE(dst); x--;) {
 						rmw(dst);
 						setcolor(image->fg_color);
 						selectmask();
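Review bot: `for (x = image->width/8 && IS_SAFE(dst); x--;) {` is a logic error: `image->width/8 && IS_SAFE(dst)` evaluates to 0 or 1, so x starts at 1 at most and the body runs once per row instead of width/8 times, leaving most of each glyph row undrawn. The intended form is the one used in the previous hunk: `for (x = image->width/8; x-- && IS_SAFE(dst);) {`.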
@@ -1237,8 +1253,10 @@ static void vga_imageblit_color(struct fb_info *info, const struct fb_image *ima
 					setcolor(*cdat);
 					selectmask();
 					setmask(1 << (7 - (x % 8)));
-					fb_readb(dst);
-					fb_writeb(0, dst);
+					if (IS_SAFE(dst)) {
+						fb_readb(dst);
+						fb_writeb(0, dst);
+					}
 
 					cdat++;
 				}
-- 
2.18.4



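Added example (mine, not Tetsuo's code and not the kernel's): a user-space C model of the two checks this thread is circling, the upper bound on rows/columns that the RFC reply above could not derive, and the address range check of this patch, extended to the width of the access. It assumes VGA_FB_PHYS_LEN is the 64 KiB legacy VGA window and yres = 480 (implied by the 80 x 30 cell count); line_length = 80 and the 8x16 font are taken from the debug output earlier in the thread, and the vt_sizes { 0x4100, 2 } request is the reproducer's.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Legacy VGA window. VGA_FB_PHYS_LEN = 64 KiB is an assumption (the thread
 * names the constants but not their values). */
#define VGA_FB_PHYS      0xA0000UL
#define VGA_FB_PHYS_LEN  65536UL

/* Mode parameters. line_length = 80 and the 8x16 font come from the debug
 * output in the thread; yres = 480 is assumed from the 80 x 30 cell count. */
struct fb_mode {
	unsigned int line_length;  /* bytes per pixel row in the packed plane */
	unsigned int yres;         /* visible pixel rows */
	unsigned int font_width;   /* pixels per glyph column */
	unsigned int font_height;  /* pixels per glyph row */
};

static const struct fb_mode vga_640x480 = { 80, 480, 8, 16 };

struct text_geometry {
	unsigned int cols, rows;
};

/* Largest cols x rows text console that fits both the visible mode and the
 * mapped window: one packed byte holds 8 pixels, and a glyph row occupies
 * font_height pixel rows of line_length bytes each. */
struct text_geometry max_text_geometry(const struct fb_mode *m)
{
	struct text_geometry g = { 0, 0 };
	unsigned int rows_visible, rows_mapped;

	if (!m->line_length || !m->font_width || !m->font_height)
		return g;
	g.cols = (m->line_length * 8) / m->font_width;
	rows_visible = m->yres / m->font_height;
	rows_mapped = (unsigned int)(VGA_FB_PHYS_LEN / m->line_length) / m->font_height;
	g.rows = rows_visible < rows_mapped ? rows_visible : rows_mapped;
	return g;
}

/* What an fb_tty_resize-style hook (hypothetical name from the RFC) would
 * answer for a VT_RESIZE request: 0 if cols x rows cells fit, -EINVAL otherwise. */
int validate_vt_resize(const struct fb_mode *m, unsigned int cols, unsigned int rows)
{
	struct text_geometry g = max_text_geometry(m);

	if (!cols || !rows || cols > g.cols || rows > g.rows)
		return -EINVAL;
	return 0;
}

/* Address of the glyph at pixel position (dx, dy), as the blit code computes it:
 * dx/8 bytes into the packed row, dy rows of line_length bytes down. */
uintptr_t glyph_address(uintptr_t screen_base, const struct fb_mode *m,
			unsigned int dx, unsigned int dy)
{
	return screen_base + dx / 8 + (uintptr_t)dy * m->line_length;
}

/* Width-aware version of the patch's is_valid_iomem(): an access of len bytes
 * starting at where must lie entirely inside [screen_base, screen_base + LEN).
 * Checking only the first byte, as IS_SAFE() does, lets a 2-byte writew() at
 * the last byte of the window overrun by one. */
bool access_in_window(uintptr_t screen_base, uintptr_t where, size_t len)
{
	uintptr_t end = screen_base + VGA_FB_PHYS_LEN;

	if (!len || where < screen_base || where >= end)
		return false;
	return len <= end - where;   /* no underflow: where < end holds here */
}

int main(void)
{
	struct text_geometry g = max_text_geometry(&vga_640x480);
	/* The reproducer's vt_sizes { 0x4100, 2 } asks for 16640 rows x 2 cols. */
	unsigned int req_rows = 0x4100, req_cols = 2;
	uintptr_t last_glyph = glyph_address(VGA_FB_PHYS, &vga_640x480, 0,
					     (req_rows - 1) * vga_640x480.font_height);

	printf("mode fits at most %u cols x %u rows\n", g.cols, g.rows);
	printf("VT_RESIZE %u cols x %u rows -> %d\n", req_cols, req_rows,
	       validate_vt_resize(&vga_640x480, req_cols, req_rows));
	printf("last requested glyph row at +0x%lx, in window: %s\n",
	       (unsigned long)(last_glyph - VGA_FB_PHYS),
	       access_in_window(VGA_FB_PHYS, last_glyph, 1) ? "yes" : "no");
	printf("writew at last byte: 1-byte check %s, 2-byte check %s\n",
	       access_in_window(VGA_FB_PHYS, VGA_FB_PHYS + VGA_FB_PHYS_LEN - 1, 1) ? "ok" : "rejected",
	       access_in_window(VGA_FB_PHYS, VGA_FB_PHYS + VGA_FB_PHYS_LEN - 1, 2) ? "ok" : "rejected");
	return 0;
}
```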

* Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
  2021-05-14 16:19         ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Tetsuo Handa
@ 2021-05-14 17:29           ` Linus Torvalds
  2021-05-14 17:37             ` Linus Torvalds
  2021-05-14 20:25             ` Maciej W. Rozycki
  0 siblings, 2 replies; 29+ messages in thread
From: Linus Torvalds @ 2021-05-14 17:29 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Maciej W. Rozycki, Daniel Vetter,
	syzbot, Bartlomiej Zolnierkiewicz, Colin King,
	Greg Kroah-Hartman, Jani Nikula, Jiri Slaby, syzkaller-bugs,
	Antonino A. Daplas

On Fri, May 14, 2021 at 9:20 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
>
> Currently it is impossible to control upper limit of rows/columns values
> based on amount of memory reserved for the graphical screen, for
> resize_screen() calls vc->vc_sw->con_resize() only if vc->vc_mode is not
> already KD_GRAPHICS

Honestly, the saner approach would seem to be to simply error out if
vc_mode is KD_GRAPHICS.

Doing VT_RESIZE while in KD_GRAPHICS mode seems _very_ questionable,
and is clearly currently very buggy.

So why not just say "that clearly already doesn't work, so make it
explicitly not permitted"?

              Linus


* Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
  2021-05-14 17:29           ` Linus Torvalds
@ 2021-05-14 17:37             ` Linus Torvalds
  2021-05-14 18:23               ` Linus Torvalds
  2021-05-14 20:25             ` Maciej W. Rozycki
  1 sibling, 1 reply; 29+ messages in thread
From: Linus Torvalds @ 2021-05-14 17:37 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Maciej W. Rozycki, Daniel Vetter,
	syzbot, Bartlomiej Zolnierkiewicz, Colin King,
	Greg Kroah-Hartman, Jani Nikula, Jiri Slaby, syzkaller-bugs,
	Antonino A. Daplas

On Fri, May 14, 2021 at 10:29 AM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> So why not just say "that clearly already doesn't work, so make it
> explicitly not permitted"?

IOW, something like this would seem fairly simple and straightforward:

  diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
  index 01645e87b3d5..f24e627b7402 100644
  --- a/drivers/tty/vt/vt.c
  +++ b/drivers/tty/vt/vt.c
  @@ -1171,8 +1171,13 @@ static inline int resize_screen(struct
vc_data *vc, int width, int height,
          /* Resizes the resolution of the display adapater */
          int err = 0;

  -       if (vc->vc_mode != KD_GRAPHICS && vc->vc_sw->con_resize)
  +       if (vc->vc_sw->con_resize) {
  +               // If we have a resize function but are in KD_GRAPHICS mode,
  +               // we can't actually do a resize and need to error out.
  +               if (vc->vc_mode == KD_GRAPHICS)
  +                       return -EINVAL;
                  err = vc->vc_sw->con_resize(vc, width, height, user);
  +       }

          return err;
   }
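Review bot: as pasted, the hunk is line-wrapped by the mail client (the @@ header is split across two lines and the leading tabs are gone), so it cannot be applied as-is. On the logic: -EINVAL is only returned inside `if (vc->vc_sw->con_resize)`, so a console driver without con_resize still accepts VT_RESIZE in KD_GRAPHICS mode while one with it now rejects it; if the rule is "no text-mode resize while in graphics mode", test vc_mode before looking at con_resize so every driver behaves the same.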

not tested, but it looks ObviouslyCorrect(tm), and since we know the
old case didn't work right, it seems very safe to do.

           Linus


* Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
  2021-05-14 17:37             ` Linus Torvalds
@ 2021-05-14 18:23               ` Linus Torvalds
  0 siblings, 0 replies; 29+ messages in thread
From: Linus Torvalds @ 2021-05-14 18:23 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Maciej W. Rozycki, Daniel Vetter,
	syzbot, Bartlomiej Zolnierkiewicz, Colin King,
	Greg Kroah-Hartman, Jani Nikula, Jiri Slaby, syzkaller-bugs,
	Antonino A. Daplas


On Fri, May 14, 2021 at 10:37 AM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> IOW, something like this would seem fairly simple and straightforward:

Proper patch in case syzbot can test this..

                  Linus

[-- Attachment #2: 0001-vt-don-t-allow-text-mode-resizing-when-in-KD_GRAPHIC.patch --]
[-- Type: text/x-patch, Size: 1486 bytes --]

From b33ca195cecea478768de353b3ae976c07a65615 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Fri, 14 May 2021 11:06:12 -0700
Subject: [PATCH] vt: don't allow text-mode resizing when in KD_GRAPHICS mode

The VT layer itself just keeps track of the underlying text contents
just fine, but if the underlying hardware driver has a con_resize()
function, we can't just ignore it when in KD_GRAPHICS mode.

So just refuse to do a text mode resize if we're not in text mode.

Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Reported-by: syzbot <syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 drivers/tty/vt/vt.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 01645e87b3d5..f24e627b7402 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1171,8 +1171,13 @@ static inline int resize_screen(struct vc_data *vc, int width, int height,
 	/* Resizes the resolution of the display adapater */
 	int err = 0;
 
-	if (vc->vc_mode != KD_GRAPHICS && vc->vc_sw->con_resize)
+	if (vc->vc_sw->con_resize) {
+		// If we have a resize function but are in KD_GRAPHICS mode,
+		// we can't actually do a resize and need to error out.
+		if (vc->vc_mode == KD_GRAPHICS)
+			return -EINVAL;
 		err = vc->vc_sw->con_resize(vc, width, height, user);
+	}
 
 	return err;
 }
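Review bot: returning -EINVAL here is a user-visible behaviour change: before this hunk a VT_RESIZE on a KD_GRAPHICS console left err at 0 and the call succeeded, now it fails, so userspace that resizes while a graphics client is active gets an error it never saw before; the commit message should say so explicitly. Minor: the two `//` comments do not match the `/* */` style used a few lines above in the same function.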
-- 
2.31.1.365.ga2a05a39c5



* Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
  2021-05-14 17:29           ` Linus Torvalds
  2021-05-14 17:37             ` Linus Torvalds
@ 2021-05-14 20:25             ` Maciej W. Rozycki
  2021-05-14 20:32               ` Linus Torvalds
  2021-05-15  0:45               ` Tetsuo Handa
  1 sibling, 2 replies; 29+ messages in thread
From: Maciej W. Rozycki @ 2021-05-14 20:25 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: Tetsuo Handa, dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Daniel Vetter, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On Fri, 14 May 2021, Linus Torvalds wrote:

> > Currently it is impossible to control upper limit of rows/columns values
> > based on amount of memory reserved for the graphical screen, for
> > resize_screen() calls vc->vc_sw->con_resize() only if vc->vc_mode is not
> > already KD_GRAPHICS
> 
> Honestly, the saner approach would seem to be to simply error out if
> vc_mode is KD_GRAPHICS.
> 
> Doing VT_RESIZE while in KD_GRAPHICS mode seems _very_ questionable,
> and is clearly currently very buggy.

 I haven't looked into it any further beyond tracking down (again, using 
the LMO tree) the originating change as the other fix took precedence.  It 
came with:

commit 094e0a9cdbdf1e11a28dd756a6cbd750b6303d10
Author: Ralf Baechle <ralf@linux-mips.org>
Date:   Sun Jun 1 12:07:37 2003 +0000

    Merge with Linux 2.5.51

along with framebuffer console support:

+inline int resize_screen(int currcons, int width, int height)
+{
+	/* Resizes the resolution of the display adapater */
+	int err = 0;
+
+	if (vcmode != KD_GRAPHICS && sw->con_resize)
+		err = sw->con_resize(vc_cons[currcons].d, width, height);
+	return err;
+}
+

A handler for fbcon was added shortly afterwards with:

commit bab384bdbe279efd7acc2146ef13b0b0395b2a42
Author: Ralf Baechle <ralf@linux-mips.org>
Date:   Tue Jun 3 17:04:10 2003 +0000

    Merge with Linux 2.5.59.

however vgacon didn't have a handler for it until commit 28254d439b8c 
("[PATCH] vga text console and stty cols/rows") two years later only.

 Overall I think it does make sense to resize the text console at any 
time, even if the visible console (VT) chosen is in the graphics mode, as 
my understanding (and experience at least with vgacon) is that resizing 
the console applies globally across all the VTs.  So the intent of the 
original change appears valid to me, and the choice not to reprogram the 
visible console and only store the settings for a future use if it's in 
the graphics mode correct.

 Which means any bug triggered here needs to be fixed elsewhere rather 
than by making the request fail.

 NB for fbcon the usual ioctl to resize the console is FBIOPUT_VSCREENINFO 
rather than VT_RESIZEX; fbset(8) uses it, and I actually experimented with 
it and a TGA-like (SFB+) framebuffer when at my lab last time, as Linux is 
kind enough to know how to fiddle with its clockchip.  It works just fine.

  Maciej


* Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
  2021-05-14 20:25             ` Maciej W. Rozycki
@ 2021-05-14 20:32               ` Linus Torvalds
  2021-05-14 21:10                 ` Linus Torvalds
                                   ` (2 more replies)
  2021-05-15  0:45               ` Tetsuo Handa
  1 sibling, 3 replies; 29+ messages in thread
From: Linus Torvalds @ 2021-05-14 20:32 UTC (permalink / raw)
  To: Maciej W. Rozycki
  Cc: Tetsuo Handa, dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Daniel Vetter, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On Fri, May 14, 2021 at 1:25 PM Maciej W. Rozycki <macro@orcam.me.uk> wrote:
>
>  Overall I think it does make sense to resize the text console at any
> time, even if the visible console (VT) chosen is in the graphics mode,

It might make sense, but only if we call the function to update the
low-level data.

Not calling it, and then starting to randomly use the (wrong)
geometry, and just limiting it so that it's all within the buffer -
THAT does not make sense.

So I think your patch is fundamentally wrong. It basically says "let's
use random stale incorrect data, but just make sure that the end
result is still within the allocated buffer".

My patch is at least conceptually sane.

An alternative would be to just remove the "vcmode != KD_GRAPHICS"
check entirely, and always call con_resize() to update the low-level
data, but honestly, that seems very likely to break something very
fundamentally, since it's not how any of fbcon has ever been tested.

Another alternative would be to just delay the resize to when vcmode
is put back to text mode again. That sounds somewhat reasonable to me,
but it's a pretty big thing.

But no, your patch to just "knowingly use entirely wrong values, then
add a limit check because we know the values are possibly garbage and
not consistent with reality" is simply not acceptable.

              Linus

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
  2021-05-14 20:32               ` Linus Torvalds
@ 2021-05-14 21:10                 ` Linus Torvalds
  2021-05-15  7:43                   ` [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback Tetsuo Handa
  2021-05-15 16:11                 ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Maciej W. Rozycki
  2021-05-17 13:07                 ` Daniel Vetter
  2 siblings, 1 reply; 29+ messages in thread
From: Linus Torvalds @ 2021-05-14 21:10 UTC (permalink / raw)
  To: Maciej W. Rozycki
  Cc: Tetsuo Handa, dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Daniel Vetter, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On Fri, May 14, 2021 at 1:32 PM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> Another alternative would be to just delay the resize to when vcmode
> is put back to text mode again. That sounds somewhat reasonable to me,
> but it's a pretty big thing.

Actually thinking more about that option, it sounds horrible. It would
mean that we'd continue to use the old geometry for the actual VC
buffers for a random time, and then change it to the new geometry at
some arbitrary point.

So I think the only reasonable approach (apart from just my "don't do
that then") might be to just always call ->con_resize().

There are only actually three cases of "->con_resize()", so it might
not be too bad.

Looking at it, both sisusbcon_resize() and vgacon_resize() seem to be
trivially fine in KD_GRAPHICS mode.

vgacon already seems to have that "!vga_is_gfx" test, and does
vgacon_doresize() at vgacon_switch(). It might need to add a
vgacon_doresize() to the vgacon_blank() case 0 code so that it
actually does the right thing when going back to KD_TEXT mode.

And fbcon_resize() looks like it might be mostly ok with it too.
Again, there is a con_is_visible() test, and I suspect that might need
to be changed to

        if (con_is_visible(vc) && vc->vc_mode == KD_TEXT)

instead, but it doesn't look _too_ bad.

So I think just removing the "vc->vc_mode != KD_GRAPHICS" test from
resize_screen() might be the way to go. That way, the low-level data
structures actually are in sync with the resize, and the "out of
bounds" bug should never happen.

Would you mind testing that?

               Linus

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
  2021-05-14 20:25             ` Maciej W. Rozycki
  2021-05-14 20:32               ` Linus Torvalds
@ 2021-05-15  0:45               ` Tetsuo Handa
  1 sibling, 0 replies; 29+ messages in thread
From: Tetsuo Handa @ 2021-05-15  0:45 UTC (permalink / raw)
  To: Maciej W. Rozycki, Linus Torvalds
  Cc: dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Daniel Vetter, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On 2021/05/15 5:25, Maciej W. Rozycki wrote:
>  NB for fbcon the usual ioctl to resize the console is FBIOPUT_VSCREENINFO 
> rather than VT_RESIZEX; fbset(8) uses it, and I actually experimented with 
> it and a TGA-like (SFB+) framebuffer when at my lab last time, as Linux is 
> kind enough to know how to fiddle with its clockchip.  It works just fine.

fbcon_update_vcs() from FBIOPUT_VSCREENINFO is no-op if vc->vc_mode != KD_TEXT
(which is equivalent to "if vc->vc_mode == KD_GRAPHICS" because KD_TEXT0/KD_TEXT1
are treated as KD_TEXT). Then, maybe it is OK to let resize_screen() return -EINVAL
in order to make vc_do_resize() request fail if vc->vc_mode == KD_GRAPHICS.

>  Overall I think it does make sense to resize the text console at any 
> time, even if the visible console (VT) chosen is in the graphics mode, as 
> my understanding (and experience at least with vgacon) is that resizing 
> the console applies globally across all the VTs.  So the intent of the 
> original change appears valid to me, and the choice not to reprogram the 
> visible console and only store the settings for a future use if it's in 
> the graphics mode correct.
>
>  Which means any bug triggered here needs to be fixed elsewhere rather 
> than by making the request fail.

Since syzbot does not trigger this problem with Linus's patch, I think we can
try Linus's patch with

  pr_info_once("Resizing text console while in graphical mode is ignored. Please report if you need this.\n");

added in order to see if somebody wants "only store the settings for a future use".


^ permalink raw reply	[flat|nested] 29+ messages in thread

* [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback
  2021-05-14 21:10                 ` Linus Torvalds
@ 2021-05-15  7:43                   ` Tetsuo Handa
  2021-05-15 16:21                     ` Maciej W. Rozycki
  0 siblings, 1 reply; 29+ messages in thread
From: Tetsuo Handa @ 2021-05-15  7:43 UTC (permalink / raw)
  To: Linus Torvalds, Maciej W. Rozycki
  Cc: dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Daniel Vetter, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On 2021/05/15 1:19, Tetsuo Handa wrote:
> Even if it turns out to be safe to always call this
> callback, we will need to involve another callback via "struct fb_ops" for
> checking the upper limits from fbcon_resize(). As a result, we will need
> to modify
> 
>  drivers/tty/vt/vt.c
>  drivers/video/fbdev/core/fbcon.c
>  drivers/video/fbdev/vga16fb.c
>  include/linux/fb.h
> 
> files only for checking rows/columns values passed to ioctl(VT_RESIZE)
> request.

I was by error assuming that fbcon_resize() cannot reject bogus rows/columns
and thus we need to add another callback via "struct fb_ops" for that purpose.
But fbcon_resize() does reject bogus rows/columns; it was simply because
resize_screen() did not call fbcon_resize() if vc->vc_mode == KD_GRAPHICS.
Thus, removing vc->vc_mode check alone is sufficient.

On 2021/05/15 6:10, Linus Torvalds wrote:
> So I think just removing the "vc->vc_mode != KD_GRAPHICS" test from
> resize_screen() might be the way to go. That way, the low-level data
> structures actually are in sync with the resize, and the "out of
> bounds" bug should never happen.
> 
> Would you mind testing that?

OK. Your suggested changes passed the test by me and by syzbot.



From e5e326c90c5b919c6aba30072d665a00b18715a5 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Sat, 15 May 2021 03:00:37 +0000
Subject: [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback

syzbot is reporting OOB write at vga16fb_imageblit() [1], for
resize_screen() from ioctl(VT_RESIZE) returns 0 without checking whether
requested rows/columns fit the amount of memory reserved for the graphical
screen if current mode is KD_GRAPHICS.

----------
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/kd.h>
#include <linux/vt.h>

int main(int argc, char *argv[])
{
        /* /dev/char/4:1 is the first virtual console (tty1). */
        const int fd = open("/dev/char/4:1", O_RDWR);
        /* v_rows = 0x4100, v_cols = 2: far more rows than any screen holds. */
        struct vt_sizes vt = { 0x4100, 2 };

        /* Graphics mode: resize_screen() returns 0 without calling con_resize(). */
        ioctl(fd, KDSETMODE, KD_GRAPHICS);
        /* The unchecked geometry is accepted and stored. */
        ioctl(fd, VT_RESIZE, &vt);
        /* Console drawing now uses the stored geometry. */
        ioctl(fd, KDSETMODE, KD_TEXT);
        return 0;
}
----------

Allow framebuffer drivers to return -EINVAL, by moving
vc->vc_mode != KD_GRAPHICS check from resize_screen() to fbcon_resize().

[1] https://syzkaller.appspot.com/bug?extid=1f29e126cf461c4de3b3

Reported-by: syzbot <syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: syzbot <syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com>
---
 drivers/tty/vt/vt.c              | 2 +-
 drivers/video/fbdev/core/fbcon.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 01645e87b3d5..fa1548d4f94b 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1171,7 +1171,7 @@ static inline int resize_screen(struct vc_data *vc, int width, int height,
 	/* Resizes the resolution of the display adapater */
 	int err = 0;
 
-	if (vc->vc_mode != KD_GRAPHICS && vc->vc_sw->con_resize)
+	if (vc->vc_sw->con_resize)
 		err = vc->vc_sw->con_resize(vc, width, height, user);
 
 	return err;
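Review bot: with the `vc->vc_mode != KD_GRAPHICS` test removed, every `con_resize` implementation is now reached while the console is in graphics mode, but this patch only adapts fbcon's callback, and nothing at this call site records the contract the other callbacks (vgacon, sisusbcon, said in the thread to be fine) are now held to. Suggest a comment next to the call, e.g. `/* con_resize() must validate the request but must not touch hardware unless vc_mode == KD_TEXT */`, and while touching this function fix the typo in the context line `Resizes the resolution of the display adapater`.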
diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
index 3406067985b1..22bb3892f6bd 100644
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2019,7 +2019,7 @@ static int fbcon_resize(struct vc_data *vc, unsigned int width,
 			return -EINVAL;
 
 		pr_debug("resize now %ix%i\n", var.xres, var.yres);
-		if (con_is_visible(vc)) {
+		if (con_is_visible(vc) && vc->vc_mode == KD_TEXT) {
 			var.activate = FB_ACTIVATE_NOW |
 				FB_ACTIVATE_FORCE;
 			fb_set_var(info, &var);
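Review bot: the new condition `con_is_visible(vc) && vc->vc_mode == KD_TEXT` is stricter than the `!= KD_GRAPHICS` test it replaces in vt.c: KD_TEXT0 and KD_TEXT1 also exist, and a visible console in one of those modes would now skip fb_set_var() where it was previously performed. The thread states that the vt layer treats those values as KD_TEXT; if so, a one-line comment here saying so makes the `== KD_TEXT` choice deliberate, otherwise `!= KD_GRAPHICS` preserves the old behaviour. The commit message should also say how the stored geometry reaches the hardware once the console returns to text mode (the fb_set_var() from fbcon_blank, per the discussion), since this hunk now relies on that path.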
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 29+ messages in thread
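To make the contract behind the v2 patch concrete, here is an added, stand-alone C model of the two behaviours of resize_screen() that Linus and Tetsuo discuss above. It is example code written for this page, not kernel code and not part of the thread or the patch: `resize_screen_old` skips the callback in graphics mode and reports success, `resize_screen_new` always runs the callback, and `cell_in_bounds` asks the question an imageblit path silently assumes the stored geometry answers. The 640x480 framebuffer, the 8x16 font and every name in it are the example's own assumptions.

```c
/*
 * Added model (not kernel code) of the resize_screen() / con_resize()
 * contract.  Assumed sizes: a 640x480 framebuffer and an 8x16 console
 * font; both are placeholders chosen for illustration.
 */
#include <errno.h>
#include <stdio.h>

/* Stand-ins for KD_TEXT / KD_GRAPHICS so the model builds anywhere. */
enum vc_mode { MODE_TEXT = 0, MODE_GRAPHICS = 1 };

struct console {
	unsigned xres, yres;     /* framebuffer size in pixels */
	unsigned font_w, font_h; /* glyph cell size in pixels */
	unsigned cols, rows;     /* text geometry the console believes it has */
	enum vc_mode mode;
};

/* What a con_resize() callback must always do: validate the request
 * against the framebuffer, regardless of mode.  Returns 0 or -EINVAL.
 * Division instead of multiplication keeps the comparison overflow-safe. */
static int con_resize_check(const struct console *c, unsigned cols, unsigned rows)
{
	if (cols == 0 || rows == 0)
		return -EINVAL;
	if (cols > c->xres / c->font_w || rows > c->yres / c->font_h)
		return -EINVAL;
	return 0;
}

/* Pre-fix behaviour: in graphics mode the callback is skipped and the
 * request is reported as successful, so the geometry is stored unchecked. */
int resize_screen_old(struct console *c, unsigned cols, unsigned rows)
{
	int err = 0;

	if (c->mode != MODE_GRAPHICS)
		err = con_resize_check(c, cols, rows);
	if (!err) {
		c->cols = cols;
		c->rows = rows;
	}
	return err;
}

/* Post-fix behaviour: the callback always runs; deciding whether to
 * touch hardware is the callback's business, validation is not optional. */
int resize_screen_new(struct console *c, unsigned cols, unsigned rows)
{
	int err = con_resize_check(c, cols, rows);

	if (!err) {
		c->cols = cols;
		c->rows = rows;
	}
	return err;
}

/* Does drawing the glyph cell at (row, col) stay inside the framebuffer?
 * Returns 1 if so, 0 if the blit would run past the end of the screen. */
int cell_in_bounds(const struct console *c, unsigned row, unsigned col)
{
	unsigned long x_end = (unsigned long)(col + 1) * c->font_w;
	unsigned long y_end = (unsigned long)(row + 1) * c->font_h;

	return x_end <= c->xres && y_end <= c->yres;
}

int main(void)
{
	/* Console in graphics mode, currently 80x30 on a 640x480 screen. */
	struct console c = { 640, 480, 8, 16, 80, 30, MODE_GRAPHICS };
	int err;

	/* Same request as the reproducer above: 2 columns, 0x4100 rows. */
	err = resize_screen_old(&c, 2, 0x4100);
	printf("old: err=%d rows=%u last row in bounds=%d\n",
	       err, c.rows, cell_in_bounds(&c, c.rows - 1, 0));

	c.cols = 80;
	c.rows = 30;
	err = resize_screen_new(&c, 2, 0x4100);
	printf("new: err=%d rows=%u last row in bounds=%d\n",
	       err, c.rows, cell_in_bounds(&c, c.rows - 1, 0));
	return 0;
}
```

The old path accepts the request and leaves the console believing it has 0x4100 rows on a screen that holds 30, so the first blit to a late row runs off the end of the framebuffer; the new path rejects it with -EINVAL and the geometry never changes. Bounding the blit itself, as the earlier vga16fb-only patch did, would hide that mismatch rather than remove it.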

* Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
  2021-05-14 20:32               ` Linus Torvalds
  2021-05-14 21:10                 ` Linus Torvalds
@ 2021-05-15 16:11                 ` Maciej W. Rozycki
  2021-05-17 13:07                 ` Daniel Vetter
  2 siblings, 0 replies; 29+ messages in thread
From: Maciej W. Rozycki @ 2021-05-15 16:11 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: Tetsuo Handa, dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Daniel Vetter, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On Fri, 14 May 2021, Linus Torvalds wrote:

> >  Overall I think it does make sense to resize the text console at any
> > time, even if the visible console (VT) chosen is in the graphics mode,
> 
> It might make sense, but only if we call the function to update the
> low-level data.
> 
> Not calling it, and then starting to randomly use the (wrong)
> geometry, and just limiting it so that it's all within the buffer -
> THAT does not make sense.
> 
> So I think your patch is fundamentally wrong. It basically says "let's
> use random stale incorrect data, but just make sure that the end
> result is still within the allocated buffer".

 I guess you mean Tetsuo-san's patch, right?  I haven't sent any in this 
discussion.

> My patch is at least conceptually sane.
> 
> An alternative would be to just remove the "vcmode != KD_GRAPHICS"
> check entirely, and always call con_resize() to update the low-level
> data, but honestly, that seems very likelty to break something very
> fundamentally, since it's not how any of fbcon has ever been tested,

 Umm, there isn't much to change as far as console data structures are 
concerned with a resize: obviously the width and the height, which affect 
the size of the character/attribute buffer, and maybe some cursor data 
such as the size and screen coordinates.

 For vgacon we have:

	if (con_is_visible(c) && !vga_is_gfx) /* who knows */
		vgacon_doresize(c, width, height);

in `vgacon_resize' already, following all the sanity checks, so the CRTC 
isn't poked at if `vga_is_gfx', exactly as we want.

 I can see fbcon does not have equivalent code and instead has relied on 
the KD_GRAPHICS check made by the caller.  Which I think has been a bug 
since fbcon's inception.  Instead I think `fbcon_resize' ought to make all 
the sanity checks I can see it does and only then check for KD_GRAPHICS 
and if so, then exit without poking at hardware.  Then upon exit from the 
gfx mode the `fb_set_var' call made from `fbcon_blank' will DTRT.

 I can try verifying the latter hypothesis, though my framebuffer setups 
(with DECstation hardware) have always been somewhat incomplete.  I do 
believe I have a MIPS fbdev X server binary somewhere to fiddle with, 
which should work with that TGA/SFB+ video adapter I mentioned before.

> Another alternative would be to just delay the resize to when vcmode
> is put back to text mode again. That sounds somewhat reasonable to me,
> but it's a pretty big thing.

 Methinks it works exactly like that already.  On exit from the graphics 
mode (a VT switch or gfx program termination) hardware is reprogrammed 
according to the console geometry previously set.  We just must not break 
it.

  Maciej

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback
  2021-05-15  7:43                   ` [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback Tetsuo Handa
@ 2021-05-15 16:21                     ` Maciej W. Rozycki
  2021-05-15 16:32                       ` Maciej W. Rozycki
  0 siblings, 1 reply; 29+ messages in thread
From: Maciej W. Rozycki @ 2021-05-15 16:21 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Linus Torvalds, dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Daniel Vetter, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On Sat, 15 May 2021, Tetsuo Handa wrote:

> diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> index 3406067985b1..22bb3892f6bd 100644
> --- a/drivers/video/fbdev/core/fbcon.c
> +++ b/drivers/video/fbdev/core/fbcon.c
> @@ -2019,7 +2019,7 @@ static int fbcon_resize(struct vc_data *vc, unsigned int width,
>  			return -EINVAL;
>  
>  		pr_debug("resize now %ix%i\n", var.xres, var.yres);
> -		if (con_is_visible(vc)) {
> +		if (con_is_visible(vc) && vc->vc_mode == KD_TEXT) {
>  			var.activate = FB_ACTIVATE_NOW |
>  				FB_ACTIVATE_FORCE;
>  			fb_set_var(info, &var);

 LGTM, although I'll yet try to verify it with hardware.  But it'll have 
to wait another week or so as I'm currently away from my lab and this 
requires physical presence.

Reviewed-by: Maciej W. Rozycki <macro@orcam.me.uk>

  Maciej

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback
  2021-05-15 16:21                     ` Maciej W. Rozycki
@ 2021-05-15 16:32                       ` Maciej W. Rozycki
  2021-05-15 16:41                         ` Linus Torvalds
  0 siblings, 1 reply; 29+ messages in thread
From: Maciej W. Rozycki @ 2021-05-15 16:32 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Linus Torvalds, dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Daniel Vetter, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On Sat, 15 May 2021, Maciej W. Rozycki wrote:

> On Sat, 15 May 2021, Tetsuo Handa wrote:
> 
> > diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c
> > index 3406067985b1..22bb3892f6bd 100644
> > --- a/drivers/video/fbdev/core/fbcon.c
> > +++ b/drivers/video/fbdev/core/fbcon.c
> > @@ -2019,7 +2019,7 @@ static int fbcon_resize(struct vc_data *vc, unsigned int width,
> >  			return -EINVAL;
> >  
> >  		pr_debug("resize now %ix%i\n", var.xres, var.yres);
> > -		if (con_is_visible(vc)) {
> > +		if (con_is_visible(vc) && vc->vc_mode == KD_TEXT) {
> >  			var.activate = FB_ACTIVATE_NOW |
> >  				FB_ACTIVATE_FORCE;
> >  			fb_set_var(info, &var);
> 
>  LGTM, although I'll yet try to verify it with hardware.  But it'll have 
> to wait another week or so as I'm currently away from my lab and this 
> requires physical presence.

 NB I suggest that you request your change to be backported, i.e. post v3 
with:

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org # v2.6.12+

  Maciej

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback
  2021-05-15 16:32                       ` Maciej W. Rozycki
@ 2021-05-15 16:41                         ` Linus Torvalds
  2021-05-17 13:13                           ` Daniel Vetter
  0 siblings, 1 reply; 29+ messages in thread
From: Linus Torvalds @ 2021-05-15 16:41 UTC (permalink / raw)
  To: Maciej W. Rozycki
  Cc: Tetsuo Handa, dri-devel, Linux Fbdev development list,
	Linux Kernel Mailing List, Daniel Vetter, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On Sat, May 15, 2021 at 9:33 AM Maciej W. Rozycki <macro@orcam.me.uk> wrote:
>
>  NB I suggest that you request your change to be backported, i.e. post v3
> with:
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org # v2.6.12+

I've applied it to my tree, but let's wait to see that it doesn't
cause any issues before notifying the stable people.

               Linus

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
  2021-05-14 20:32               ` Linus Torvalds
  2021-05-14 21:10                 ` Linus Torvalds
  2021-05-15 16:11                 ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Maciej W. Rozycki
@ 2021-05-17 13:07                 ` Daniel Vetter
  2021-05-17 13:10                   ` Daniel Vetter
  2 siblings, 1 reply; 29+ messages in thread
From: Daniel Vetter @ 2021-05-17 13:07 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: Maciej W. Rozycki, Tetsuo Handa, dri-devel,
	Linux Fbdev development list, Linux Kernel Mailing List, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On Fri, May 14, 2021 at 10:33 PM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> On Fri, May 14, 2021 at 1:25 PM Maciej W. Rozycki <macro@orcam.me.uk> wrote:
> >
> >  Overall I think it does make sense to resize the text console at any
> > time, even if the visible console (VT) chosen is in the graphics mode,
>
> It might make sense, but only if we call the function to update the
> low-level data.
>
> Not calling it, and then starting to randomly use the (wrong)
> geometry, and just limiting it so that it's all within the buffer -
> THAT does not make sense.
>
> So I think your patch is fundamentally wrong. It basically says "let's
> use random stale incorrect data, but just make sure that the end
> result is still within the allocated buffer".
>
> My patch is at least conceptually sane.
>
> An alternative would be to just remove the "vcmode != KD_GRAPHICS"
> check entirely, and always call con_resize() to update the low-level
> data, but honestly, that seems very likelty to break something very
> fundamentally, since it's not how any of fbcon has ever been tested,

Just an aside: I think with fbdev drivers this would go boom, because
you'd have fbcon interfering with a direct /dev/fb/* user.

But if your fbdev driver is actually a drm modeset driver, then we
have additional limitations: If the userspace accesses the display
through /dev/dri/card0, then the kernel blocks all access through
/dev/fb/* (including fbcon) to the actual display (it only goes into
the buffer used for fbdev emulation). And everything would be fine.

Also generally you'd get away with this even in problematic cases,
since usually you resize your console when looking at it, not when X
or something else is using your fbdev direct access.

The one thing that's left out here a bit in the cold is userspace
modeset drivers in X. Those would get hosed. But also, we stopped
supporting those in at least i915/amd/radeon/nouveau drivers,
automatically falling back to the fbdev stuff in most cases (with or
without the drm drivers underneath that), and no one screamed. So
probably not many users left.

So I /think/ we could wager this, if it's the least intrusive fix from
the kernel pov. But it has some risks that we need to revert again if
we break some of the really old use-cases here.

Cheers, Daniel

> Another alternative would be to just delay the resize to when vcmode
> is put back to text mode again. That sounds somewhat reasonable to me,
> but it's a pretty big thing.
>
> But no, your patch to just "knowingly use entirely wrong values, then
> add a limit check because we know the values are possibly garbage and
> not consistent with reality" is simply not acceptable.
>
>               Linus



-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()
  2021-05-17 13:07                 ` Daniel Vetter
@ 2021-05-17 13:10                   ` Daniel Vetter
  0 siblings, 0 replies; 29+ messages in thread
From: Daniel Vetter @ 2021-05-17 13:10 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: Maciej W. Rozycki, Tetsuo Handa, dri-devel,
	Linux Fbdev development list, Linux Kernel Mailing List, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On Mon, May 17, 2021 at 3:07 PM Daniel Vetter <daniel@ffwll.ch> wrote:
>
> On Fri, May 14, 2021 at 10:33 PM Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > On Fri, May 14, 2021 at 1:25 PM Maciej W. Rozycki <macro@orcam.me.uk> wrote:
> > >
> > >  Overall I think it does make sense to resize the text console at any
> > > time, even if the visible console (VT) chosen is in the graphics mode,
> >
> > It might make sense, but only if we call the function to update the
> > low-level data.
> >
> > Not calling it, and then starting to randomly use the (wrong)
> > geometry, and just limiting it so that it's all within the buffer -
> > THAT does not make sense.
> >
> > So I think your patch is fundamentally wrong. It basically says "let's
> > use random stale incorrect data, but just make sure that the end
> > result is still within the allocated buffer".
> >
> > My patch is at least conceptually sane.
> >
> > An alternative would be to just remove the "vcmode != KD_GRAPHICS"
> > check entirely, and always call con_resize() to update the low-level
> > data, but honestly, that seems very likelty to break something very
> > fundamentally, since it's not how any of fbcon has ever been tested,
>
> Just an aside: I think with fbdev drivers this would go boom, because
> you'd have fbcon interfering with a direct /dev/fb/* user.

Boom here means a bit of screen corruption, because fbcon overdraws
your X sessions. Fixed by the next redraw of X.

> But if your fbdev driver is actually a drm modeset driver, then we
> have additional limitations: If the userspace accesses the display
> through /dev/dri/card0, then the kernel blocks all access through
> /dev/fb/* (including fbcon) to the actual display (it only goes into
> the buffer used for fbdev emulation). And everything would be fine.
>
> Also generally you'd get away with this even in problematic cases,
> since usually you resize your console when looking at it, not when X
> or something else is using your fbdev direct access.
>
> The one thing that's left out here a bit in the cold is userspace
> modeset drivers in X. Those would get hosed. But also, we stopped
> supporting those in at least i915/amd/radeon/nouveau drivers,
> automatically falling back to the fbdev stuff in most cases (with or
> without the drm drivers underneath that), and no one screamed. So
> probably not many users left.

This one could lead to inconsistent hw state, which would be worse.

> So I /think/ we could wager this, if it's the least intrusive fix from
> the kernel pov. But it has some risks that we need to revert again if
> we break some of the really old use-cases here.

Cheers, Daniel

> > Another alternative would be to just delay the resize to when vcmode
> > is put back to text mode again. That sounds somewhat reasonable to me,
> > but it's a pretty big thing.
> >
> > But no, your patch to just "knowingly use entirely wrong values, then
> > add a limit check because we know the values are possibly garbage and
> > not consistent with reality" is simply not acceptable.
> >
> >               Linus
>
>
>
> --
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch



-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback
  2021-05-15 16:41                         ` Linus Torvalds
@ 2021-05-17 13:13                           ` Daniel Vetter
  0 siblings, 0 replies; 29+ messages in thread
From: Daniel Vetter @ 2021-05-17 13:13 UTC (permalink / raw)
  To: Linus Torvalds
  Cc: Maciej W. Rozycki, Tetsuo Handa, dri-devel,
	Linux Fbdev development list, Linux Kernel Mailing List, syzbot,
	Bartlomiej Zolnierkiewicz, Colin King, Greg Kroah-Hartman,
	Jani Nikula, Jiri Slaby, syzkaller-bugs, Antonino A. Daplas

On Sat, May 15, 2021 at 6:42 PM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> On Sat, May 15, 2021 at 9:33 AM Maciej W. Rozycki <macro@orcam.me.uk> wrote:
> >
> >  NB I suggest that you request your change to be backported, i.e. post v3
> > with:
> >
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Cc: stable@vger.kernel.org # v2.6.12+
>
> I've applied it to my tree, but let's wait to see that it doesn't
> cause any issues before notifying the stable people.

Ah I missed all the fun with the long w/e. fwiw I think this looks
very reasonable, see my other reply why I think this shouldn't cause
issues. Especially when fbcon_resize only touches hw when in KD_TEXT
mode.
-Daniel
-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch

^ permalink raw reply	[flat|nested] 29+ messages in thread

Thread overview: 29+ messages
2013-02-19 17:33 BUG: unable to handle kernel paging request at ffffc90000669000, IP: [<ffffffff8139d84a>] bitfill_un Tommi Rantala
2019-12-10 16:38 ` BUG: unable to handle kernel paging request in sys_imageblit syzbot
2020-06-19  4:56   ` syzbot
2019-12-27  7:13 ` BUG: unable to handle kernel paging request in vga16fb_imageblit syzbot
2020-05-08  7:07 ` BUG: unable to handle kernel paging request in vga16fb_imageblit (2) syzbot
2021-05-01 20:31   ` [syzbot] " syzbot
2021-05-02  1:53   ` syzbot
2021-05-03 13:41     ` Tetsuo Handa
2021-05-07 11:09       ` Tetsuo Handa
2021-05-14 16:19         ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Tetsuo Handa
2021-05-14 17:29           ` Linus Torvalds
2021-05-14 17:37             ` Linus Torvalds
2021-05-14 18:23               ` Linus Torvalds
2021-05-14 20:25             ` Maciej W. Rozycki
2021-05-14 20:32               ` Linus Torvalds
2021-05-14 21:10                 ` Linus Torvalds
2021-05-15  7:43                   ` [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback Tetsuo Handa
2021-05-15 16:21                     ` Maciej W. Rozycki
2021-05-15 16:32                       ` Maciej W. Rozycki
2021-05-15 16:41                         ` Linus Torvalds
2021-05-17 13:13                           ` Daniel Vetter
2021-05-15 16:11                 ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Maciej W. Rozycki
2021-05-17 13:07                 ` Daniel Vetter
2021-05-17 13:10                   ` Daniel Vetter
2021-05-15  0:45               ` Tetsuo Handa
2020-05-12  6:55 ` BUG: unable to handle kernel paging request in bitfill_aligned syzbot
2020-10-06  8:18 ` BUG: unable to handle kernel paging request in cfb_imageblit syzbot
2020-12-18 15:26   ` syzbot
2020-12-18 15:27     ` Dmitry Vyukov
