From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Sat, 07 Dec 2019 02:05:08 -0800
Message-ID: <0000000000001b2f4605991a4cc0@google.com>
Subject: KASAN: use-after-free Read in fb_mode_is_equal
From: syzbot
To: b.zolnierkie@samsung.com, daniel.vetter@ffwll.ch, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, mojha@codeaurora.org, shile.zhang@linux.alibaba.com, syzkaller-bugs@googlegroups.com
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes

Hello,

syzbot found the following crash on:

HEAD commit:    7ada90eb Merge tag 'drm-next-2019-12-06' of git://anongit...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16997c82e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f07a23020fd7d21a
dashboard link: https://syzkaller.appspot.com/bug?extid=f11cda116c57db68c227
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f11cda116c57db68c227@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in fb_mode_is_equal+0x297/0x300 drivers/video/fbdev/core/modedb.c:924
Read of size 4 at addr ffff8880992d5d9c by task syz-executor.0/32283

CPU: 0 PID: 32283 Comm: syz-executor.0 Not tainted 5.4.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 fb_mode_is_equal+0x297/0x300 drivers/video/fbdev/core/modedb.c:924
 fbcon_mode_deleted+0x12c/0x190 drivers/video/fbdev/core/fbcon.c:3060
 fb_set_var+0xab9/0xdd0 drivers/video/fbdev/core/fbmem.c:971
 do_fb_ioctl+0x390/0x7d0 drivers/video/fbdev/core/fbmem.c:1104
 fb_ioctl+0xe6/0x130 drivers/video/fbdev/core/fbmem.c:1180
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a6f9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7aefd54c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a6f9
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7aefd556d4
R13: 00000000004c2ef7 R14: 00000000004d8138 R15: 00000000ffffffff

Allocated by task 9205:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
 kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3551
 kmalloc include/linux/slab.h:556 [inline]
 fb_add_videomode drivers/video/fbdev/core/modedb.c:1073 [inline]
 fb_add_videomode+0x2fb/0x610 drivers/video/fbdev/core/modedb.c:1057
 fb_set_var+0x5ef/0xdd0 drivers/video/fbdev/core/fbmem.c:1041
 do_fb_ioctl+0x390/0x7d0 drivers/video/fbdev/core/fbmem.c:1104
 fb_ioctl+0xe6/0x130 drivers/video/fbdev/core/fbmem.c:1180
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 32276:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:335 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3757
 fb_delete_videomode+0x3fa/0x540 drivers/video/fbdev/core/modedb.c:1104
 fb_set_var+0xac8/0xdd0 drivers/video/fbdev/core/fbmem.c:974
 do_fb_ioctl+0x390/0x7d0 drivers/video/fbdev/core/fbmem.c:1104
 fb_ioctl+0xe6/0x130 drivers/video/fbdev/core/fbmem.c:1180
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880992d5d80
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 28 bytes inside of
 96-byte region [ffff8880992d5d80, ffff8880992d5de0)
The buggy address belongs to the page:
page:ffffea000264b540 refcount:1 mapcount:0 mapping:ffff8880aa400540 index:0x0
raw: 00fffe0000000200 ffffea00025470c8 ffffea0002992508 ffff8880aa400540
raw: 0000000000000000 ffff8880992d5000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880992d5c80: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
 ffff8880992d5d00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff8880992d5d80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                             ^
 ffff8880992d5e00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff8880992d5e80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
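Added example, not part of the syzbot message above and not code from the kernel tree: a small Python decoder for the KASAN section of that report. It pulls the access line, the owning-object lines and the "Memory state around the buggy address" rows out of the report text (the REPORT string below copies only those lines from the message), maps the faulting address to its shadow byte, and cross-checks the report's own arithmetic: the 4-byte read at ffff8880992d5d9c lands 28 bytes into the 96-byte kmalloc-96 object, that object's shadow is poisoned with 0xfb (freed), and the run of 0xfb shadow bytes is exactly 96 bytes long, so the "use-after-free" headline, the "28 bytes inside" line and the slab cache size all agree. The shadow-byte meanings are those of generic KASAN (mm/kasan/kasan.h, one shadow byte per 8 bytes of memory); the regexes, function names and the wording of the POISON table are this example's own, and classify_access() goes beyond the page's case by also handling redzone hits and partially addressable granules.

```python
import re

# Generic KASAN (mm/kasan/kasan.h): one shadow byte covers 8 bytes of memory.
# 0x00 = all 8 bytes addressable, 0x01..0x07 = only that many leading bytes
# addressable, and the poison values below say why the rest is not.
SHADOW_SCALE = 8
POISON = {
    0xfa: "global redzone",
    0xfb: "freed slab object (use-after-free)",
    0xfc: "slab redzone (out-of-bounds)",
    0xfe: "page redzone",
    0xff: "freed page",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
}

# The lines this decoder needs, copied from the syzbot report above
# (the rest of the report is left out); '>' marks the row KASAN flagged.
REPORT = """\
BUG: KASAN: use-after-free in fb_mode_is_equal+0x297/0x300 drivers/video/fbdev/core/modedb.c:924
Read of size 4 at addr ffff8880992d5d9c by task syz-executor.0/32283
The buggy address belongs to the object at ffff8880992d5d80
 which belongs to the cache kmalloc-96 of size 96
Memory state around the buggy address:
 ffff8880992d5c80: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
 ffff8880992d5d00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff8880992d5d80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                             ^
 ffff8880992d5e00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff8880992d5e80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
"""

ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
OBJECT_RE = re.compile(
    r"object at ([0-9a-f]{16}) which belongs to the cache (\S+) of size (\d+)")


def parse_shadow_rows(text):
    """Map each dumped row's base address to its 16 shadow bytes."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def shadow_byte(rows, addr):
    """Shadow byte covering addr; a dumped row spans 16 * 8 = 128 bytes."""
    base = addr & ~(16 * SHADOW_SCALE - 1)
    if base not in rows:
        raise KeyError(f"{addr:#x} is outside the dumped shadow rows")
    return rows[base][(addr - base) // SHADOW_SCALE]


def classify_access(rows, addr, size):
    """Replay KASAN's check for `size` bytes at `addr`: the first byte whose
    granule is not addressable decides the verdict."""
    for a in range(addr, addr + size):
        s = shadow_byte(rows, a)
        if s == 0 or (s < SHADOW_SCALE and (a & (SHADOW_SCALE - 1)) < s):
            continue  # fully addressable granule, or inside its valid prefix
        if s < SHADOW_SCALE:
            return f"past the {s} addressable bytes of a partial granule"
        return POISON.get(s, f"poison {s:#04x}")
    return "addressable"


def freed_extent(rows, start):
    """Length of the run of 0xfb shadow bytes starting at `start`, i.e. how big
    KASAN thinks the freed object is (stops at the edge of the dump)."""
    n = 0
    while True:
        try:
            if shadow_byte(rows, start + n) != 0xfb:
                return n
        except KeyError:
            return n
        n += SHADOW_SCALE


def triage(text):
    """Extract the access, the owning object and the shadow rows from a report
    and check that the three agree with each other."""
    rows = parse_shadow_rows(text)
    flat = " ".join(text.split())  # the object description spans two lines
    acc = ACCESS_RE.search(flat)
    obj = OBJECT_RE.search(flat)
    size, addr = int(acc.group(2)), int(acc.group(3), 16)
    obj_start, cache, obj_size = int(obj.group(1), 16), obj.group(2), int(obj.group(3))
    offset = addr - obj_start
    freed = freed_extent(rows, obj_start)
    return {
        "access": f"{acc.group(1)} of {size} bytes at {addr:#x}",
        "verdict": classify_access(rows, addr, size),
        "offset_in_object": offset,
        "inside_object": 0 <= offset < obj_size,
        "cache": cache,
        "freed_bytes_in_shadow": freed,
        "shadow_matches_cache": freed == obj_size,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

Running the file prints the triage dictionary for the report above. The same classify_access() call on any other address in the dump tells a freed-object hit (0xfb) apart from a slab redzone hit (0xfc, which KASAN would have reported as slab-out-of-bounds), and freed_extent() is a quick way to confirm that the poisoned run really is one whole object of the named cache rather than a partial overwrite of shadow memory.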