* KASAN: use-after-free Read in vkms_dumb_create
@ 2020-04-27 3:48 ` syzbot
From: syzbot @ 2020-04-27 3:48 UTC (permalink / raw)
To: airlied, daniel, dri-devel, hamohammed.sa, linaro-mm-sig,
linux-kernel, linux-media, rodrigosiqueiramelo, sumit.semwal,
syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: c578ddb3 Merge tag 'linux-kselftest-5.7-rc3' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10fbf0d8100000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7a70e992f2f9b68
dashboard link: https://syzkaller.appspot.com/bug?extid=e3372a2afe1e7ef04bc7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15438330100000
Bisection is inconclusive: the first bad commit could be any of:
85b5bafb drm/cma-helper: Remove drm_fb_cma_fbdev_init_with_funcs()
dff1c703 drm/tinydrm: Use drm_fbdev_generic_setup()
23167fa9 drm/panel: simple: Add support for Rocktech RK070ER9427 LCD panel
9060d7f4 drm/fb-helper: Finish the generic fbdev emulation
2230ca12 dt-bindings: display: Document the EDT et* displays in one file.
e896c132 drm/debugfs: Add internal client debugfs file
894a677f drm/cma-helper: Use the generic fbdev emulation
aa7e6455 drm/panel: Add support for the EDT ETM0700G0BDH6
244007ec drm/pl111: Set .gem_prime_vmap and .gem_prime_mmap
aad34de2 drm/panel: Add support for the EDT ETM0700G0EDH6
7a6aca49 dt-bindings: Add vendor prefix for DLC Display Co., Ltd.
d536540f drm/fb-helper: Add generic fbdev emulation .fb_probe function
0ca0c827 drm/panel: simple: Add DLC DLC0700YZG-1 panel
c76f0f7c drm: Begin an API for in-kernel clients
5ba57bab drm: vkms: select DRM_KMS_HELPER
5fa8e4a2 drm/panel: Make of_drm_find_panel() return an ERR_PTR() instead of NULL
008095e0 drm/vc4: Add support for the transposer block
c59eb3cf drm/panel: Let of_drm_find_panel() return -ENODEV when the panel is disabled
1ebe99a7 drm/vc4: Call drm_atomic_helper_fake_vblank() in the commit path
2e64a174 drm/of: Make drm_of_find_panel_or_bridge() fail when the device is disabled
1b9883ea drm/vc4: Support the case where the DSI device is disabled
6fb42b66 drm/atomic: Call fake_vblank() from the generic commit_tail() helpers
b0b7aa40 dt-bindings: display: Add DT bindings for BOE HV070WSA-100 panel
b25c60af drm/crtc: Add a generic infrastructure to fake VBLANK events
184d3cf4 drm/vc4: Use wait_for_flip_done() instead of wait_for_vblanks()
ae8cf41b drm/panel: simple: Add support for BOE HV070WSA-100 panel to simple-panel
814bde99 drm/connector: Make ->atomic_commit() optional
955f60db drm: Add support for extracting sync signal drive edge from videomode
3b39ad7a drm/panel: simple: Add newhaven, nhd-4.3-480272ef-atxl LCD
425132fd drm/connector: Pass a drm_connector_state to ->atomic_commit()
a5d2ade6 drm/panel: simple: Add support for Innolux G070Y2-L01
b82c1f8f drm/atomic: Avoid connector to writeback_connector casts
03fa9aa3 dt-bindings: Add DataImage, Inc. vendor prefix
73915b2b drm/writeback: Fix the "overview" section of the doc
97ceb1fb drm/panel: simple: Add support for DataImage SCF0700C48GGU18
e22e9531 Merge drm-upstream/drm-next into drm-misc-next
3d5664f9 drm/panel: ili9881c: Fix missing assignment to error return ret
a0120245 drm/crc: Only report a single overflow when a CRC fd is opened
7ad4e463 drm/panel: p079zca: Refactor panel driver to support multiple panels
8adbbb2e drm/stm: ltdc: rework reset sequence
48bd379a drm/panel: p079zca: Add variable unprepare_delay properties
7868e507 drm/stm: ltdc: filter mode pixel clock vs pad constraint
731edd4c dt-bindings: Add Innolux P097PFG panel bindings
f8878bb2 drm: print plane state normalized zpos value
ca52bea9 drm/atomic-helper: Use bitwise or for filling a bitmask
de04a462 drm/panel: p079zca: Support Innolux P097PFG panel
2bb7a39c dt-bindings: Add vendor prefix for kingdisplay
a65020d0 drm/v3d: Fix a grammar nit in the scheduler docs.
2dd4f211 drm/v3d: Add missing v3d documentation structure.
ebc950fd dt-bindings: Add KINGDISPLAY KD097D04 panel bindings
cd0e0ca6 drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
e0d01811 drm/v3d: Remove unnecessary dma_fence_ops.
624bb0c0 drm/v3d: Delay the scheduler timeout if we're still making progress.
b6d83fcc drm/panel: p079zca: Use of_device_get_match_data()
408633d2 drm/v3d: use new return type vm_fault_t in v3d_gem_fault
decac6b0 dt-bindings: display: sun4i-drm: Add R40 display engine compatible
0b7510d1 drm/tilcdc: Use drm_connector_has_possible_encoder()
d978a94b drm/sun4i: Add R40 display engine compatible
af11942e drm/sun4i: tcon-top: Cleanup clock handling
f8222409 drm/msm: Use drm_connector_has_possible_encoder()
38cb8d96 drm: Add drm_connector_has_possible_encoder()
da82107e drm/sun4i: tcon: Release node when traversing of graph
7a667775 dt-bindings: display: sun4i-drm: Add R40 TV TCON description
7b71ca24 drm/radeon: Use drm_connector_for_each_possible_encoder()
4a068c5c drm/sun4i: DW HDMI: Release nodes if error happens during CRTC search
ddba766d drm/nouveau: Use drm_connector_for_each_possible_encoder()
98c0e348 drm/amdgpu: Use drm_connector_for_each_possible_encoder()
e0f56782 drm/sun4i: mixer: Order includes alphabetically
05db311a drm/sun4i: tcon-top: Add helpers for mux switching
83aefbb8 drm: Add drm_connector_for_each_possible_encoder()
20431c05 drm/i915: Nuke intel_mst_best_encoder()
5e496566 drm/sun4i: tcon-top: Remove mux configuration at probe time
0d998891 drm/fb-helper: Eliminate the .best_encoder() usage
ac1fe132 dt-bindings: display: sun4i-drm: Fix order of DW HDMI PHY compatibles
03e3ec9a drm/panel: simple: Add Sharp LQ035Q7DB03 panel support
c91b007e drm/vkms: Add extra information about vkms
5685ca0c drm/tinydrm: Fix doc build warnings
854502fa drm/vkms: Add basic CRTC initialization
ae61f61f drm/client: Fix: drm_client_new: Don't require DRM to be registered
c04372ea drm/vkms: Add mode_config initialization
41111ce1 drm/vkms: vkms_driver can be static
559e50fd drm/vkms: Add dumb operations
1c7c5fd9 drm/vkms: Introduce basic VKMS driver
657cd71e drm: gma500: Changed __attribute__((packed)) to __packed
d1648930 drm/vkms: Add connectors helpers
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b65cdfe00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
Read of size 8 at addr ffff88809e537110 by task syz-executor.0/9558
CPU: 0 PID: 9558 Comm: syz-executor.0 Not tainted 5.7.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
__kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
kasan_report+0x33/0x50 mm/kasan/common.c:625
vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
vfs_ioctl fs/ioctl.c:47 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
__do_sys_ioctl fs/ioctl.c:772 [inline]
__se_sys_ioctl fs/ioctl.c:770 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45c829
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f19a3e30c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004e2d80 RCX: 000000000045c829
RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000028b R14: 00000000004d3188 R15: 00007f19a3e316d4
Allocated by task 9558:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:495 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
__vkms_gem_create+0x44/0xf0 include/linux/slab.h:555
vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:111 [inline]
vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
vkms_dumb_create+0x110/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
vfs_ioctl fs/ioctl.c:47 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
__do_sys_ioctl fs/ioctl.c:772 [inline]
__se_sys_ioctl fs/ioctl.c:770 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3
Freed by task 9558:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
kasan_set_free_info mm/kasan/common.c:317 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
drm_gem_object_free+0xf0/0x1f0 drivers/gpu/drm/drm_gem.c:983
kref_put include/linux/kref.h:65 [inline]
drm_gem_object_put_unlocked drivers/gpu/drm/drm_gem.c:1017 [inline]
drm_gem_object_put_unlocked+0x190/0x1c0 drivers/gpu/drm/drm_gem.c:1002
vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:116 [inline]
vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
vkms_dumb_create+0x14d/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
vfs_ioctl fs/ioctl.c:47 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
__do_sys_ioctl fs/ioctl.c:772 [inline]
__se_sys_ioctl fs/ioctl.c:770 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3
The buggy address belongs to the object at ffff88809e537000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 272 bytes inside of
1024-byte region [ffff88809e537000, ffff88809e537400)
The buggy address belongs to the page:
page:ffffea0002794dc0 refcount:1 mapcount:0 mapping:00000000e8234a18 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00027a3608 ffffea0002749008 ffff8880aa000c40
raw: 0000000000000000 ffff88809e537000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809e537000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809e537080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809e537100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809e537180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809e537200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: KASAN: use-after-free Read in vkms_dumb_create
@ 2020-04-27 13:15 ` Hillf Danton
From: Hillf Danton @ 2020-04-27 13:15 UTC (permalink / raw)
To: syzbot
Cc: hamohammed.sa, rodrigosiqueiramelo, airlied, syzkaller-bugs,
linux-kernel, dri-devel, linaro-mm-sig, linux-media
Sun, 26 Apr 2020 20:48:12 -0700
> syzbot found the following crash on:
>
> HEAD commit: c578ddb3 Merge tag 'linux-kselftest-5.7-rc3' of git://git...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10fbf0d8100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b7a70e992f2f9b68
> dashboard link: https://syzkaller.appspot.com/bug?extid=e3372a2afe1e7ef04bc7
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15438330100000
>
> Bisection is inconclusive: the first bad commit could be any of:
>
> 85b5bafb drm/cma-helper: Remove drm_fb_cma_fbdev_init_with_funcs()
> dff1c703 drm/tinydrm: Use drm_fbdev_generic_setup()
> 23167fa9 drm/panel: simple: Add support for Rocktech RK070ER9427 LCD panel
> 9060d7f4 drm/fb-helper: Finish the generic fbdev emulation
> 2230ca12 dt-bindings: display: Document the EDT et* displays in one file.
> e896c132 drm/debugfs: Add internal client debugfs file
> 894a677f drm/cma-helper: Use the generic fbdev emulation
> aa7e6455 drm/panel: Add support for the EDT ETM0700G0BDH6
> 244007ec drm/pl111: Set .gem_prime_vmap and .gem_prime_mmap
> aad34de2 drm/panel: Add support for the EDT ETM0700G0EDH6
> 7a6aca49 dt-bindings: Add vendor prefix for DLC Display Co., Ltd.
> d536540f drm/fb-helper: Add generic fbdev emulation .fb_probe function
> 0ca0c827 drm/panel: simple: Add DLC DLC0700YZG-1 panel
> c76f0f7c drm: Begin an API for in-kernel clients
> 5ba57bab drm: vkms: select DRM_KMS_HELPER
> 5fa8e4a2 drm/panel: Make of_drm_find_panel() return an ERR_PTR() instead of NULL
> 008095e0 drm/vc4: Add support for the transposer block
> c59eb3cf drm/panel: Let of_drm_find_panel() return -ENODEV when the panel is disabled
> 1ebe99a7 drm/vc4: Call drm_atomic_helper_fake_vblank() in the commit path
> 2e64a174 drm/of: Make drm_of_find_panel_or_bridge() fail when the device is disabled
> 1b9883ea drm/vc4: Support the case where the DSI device is disabled
> 6fb42b66 drm/atomic: Call fake_vblank() from the generic commit_tail() helpers
> b0b7aa40 dt-bindings: display: Add DT bindings for BOE HV070WSA-100 panel
> b25c60af drm/crtc: Add a generic infrastructure to fake VBLANK events
> 184d3cf4 drm/vc4: Use wait_for_flip_done() instead of wait_for_vblanks()
> ae8cf41b drm/panel: simple: Add support for BOE HV070WSA-100 panel to simple-panel
> 814bde99 drm/connector: Make ->atomic_commit() optional
> 955f60db drm: Add support for extracting sync signal drive edge from videomode
> 3b39ad7a drm/panel: simple: Add newhaven, nhd-4.3-480272ef-atxl LCD
> 425132fd drm/connector: Pass a drm_connector_state to ->atomic_commit()
> a5d2ade6 drm/panel: simple: Add support for Innolux G070Y2-L01
> b82c1f8f drm/atomic: Avoid connector to writeback_connector casts
> 03fa9aa3 dt-bindings: Add DataImage, Inc. vendor prefix
> 73915b2b drm/writeback: Fix the "overview" section of the doc
> 97ceb1fb drm/panel: simple: Add support for DataImage SCF0700C48GGU18
> e22e9531 Merge drm-upstream/drm-next into drm-misc-next
> 3d5664f9 drm/panel: ili9881c: Fix missing assignment to error return ret
> a0120245 drm/crc: Only report a single overflow when a CRC fd is opened
> 7ad4e463 drm/panel: p079zca: Refactor panel driver to support multiple panels
> 8adbbb2e drm/stm: ltdc: rework reset sequence
> 48bd379a drm/panel: p079zca: Add variable unprepare_delay properties
> 7868e507 drm/stm: ltdc: filter mode pixel clock vs pad constraint
> 731edd4c dt-bindings: Add Innolux P097PFG panel bindings
> f8878bb2 drm: print plane state normalized zpos value
> ca52bea9 drm/atomic-helper: Use bitwise or for filling a bitmask
> de04a462 drm/panel: p079zca: Support Innolux P097PFG panel
> 2bb7a39c dt-bindings: Add vendor prefix for kingdisplay
> a65020d0 drm/v3d: Fix a grammar nit in the scheduler docs.
> 2dd4f211 drm/v3d: Add missing v3d documentation structure.
> ebc950fd dt-bindings: Add KINGDISPLAY KD097D04 panel bindings
> cd0e0ca6 drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
> e0d01811 drm/v3d: Remove unnecessary dma_fence_ops.
> 624bb0c0 drm/v3d: Delay the scheduler timeout if we're still making progress.
> b6d83fcc drm/panel: p079zca: Use of_device_get_match_data()
> 408633d2 drm/v3d: use new return type vm_fault_t in v3d_gem_fault
> decac6b0 dt-bindings: display: sun4i-drm: Add R40 display engine compatible
> 0b7510d1 drm/tilcdc: Use drm_connector_has_possible_encoder()
> d978a94b drm/sun4i: Add R40 display engine compatible
> af11942e drm/sun4i: tcon-top: Cleanup clock handling
> f8222409 drm/msm: Use drm_connector_has_possible_encoder()
> 38cb8d96 drm: Add drm_connector_has_possible_encoder()
> da82107e drm/sun4i: tcon: Release node when traversing of graph
> 7a667775 dt-bindings: display: sun4i-drm: Add R40 TV TCON description
> 7b71ca24 drm/radeon: Use drm_connector_for_each_possible_encoder()
> 4a068c5c drm/sun4i: DW HDMI: Release nodes if error happens during CRTC search
> ddba766d drm/nouveau: Use drm_connector_for_each_possible_encoder()
> 98c0e348 drm/amdgpu: Use drm_connector_for_each_possible_encoder()
> e0f56782 drm/sun4i: mixer: Order includes alphabetically
> 05db311a drm/sun4i: tcon-top: Add helpers for mux switching
> 83aefbb8 drm: Add drm_connector_for_each_possible_encoder()
> 20431c05 drm/i915: Nuke intel_mst_best_encoder()
> 5e496566 drm/sun4i: tcon-top: Remove mux configuration at probe time
> 0d998891 drm/fb-helper: Eliminate the .best_encoder() usage
> ac1fe132 dt-bindings: display: sun4i-drm: Fix order of DW HDMI PHY compatibles
> 03e3ec9a drm/panel: simple: Add Sharp LQ035Q7DB03 panel support
> c91b007e drm/vkms: Add extra information about vkms
> 5685ca0c drm/tinydrm: Fix doc build warnings
> 854502fa drm/vkms: Add basic CRTC initialization
> ae61f61f drm/client: Fix: drm_client_new: Don't require DRM to be registered
> c04372ea drm/vkms: Add mode_config initialization
> 41111ce1 drm/vkms: vkms_driver can be static
> 559e50fd drm/vkms: Add dumb operations
> 1c7c5fd9 drm/vkms: Introduce basic VKMS driver
> 657cd71e drm: gma500: Changed __attribute__((packed)) to __packed
> d1648930 drm/vkms: Add connectors helpers
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b65cdfe00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
> Read of size 8 at addr ffff88809e537110 by task syz-executor.0/9558
>
> CPU: 0 PID: 9558 Comm: syz-executor.0 Not tainted 5.7.0-rc2-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x188/0x20d lib/dump_stack.c:118
> print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
> __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
> kasan_report+0x33/0x50 mm/kasan/common.c:625
> vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> vfs_ioctl fs/ioctl.c:47 [inline]
> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> __do_sys_ioctl fs/ioctl.c:772 [inline]
> __se_sys_ioctl fs/ioctl.c:770 [inline]
> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xb3
> RIP: 0033:0x45c829
> Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f19a3e30c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00000000004e2d80 RCX: 000000000045c829
> RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003
> RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
> R13: 000000000000028b R14: 00000000004d3188 R15: 00007f19a3e316d4
>
> Allocated by task 9558:
> save_stack+0x1b/0x40 mm/kasan/common.c:49
> set_track mm/kasan/common.c:57 [inline]
> __kasan_kmalloc mm/kasan/common.c:495 [inline]
> __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
> kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
> __vkms_gem_create+0x44/0xf0 include/linux/slab.h:555
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:111 [inline]
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
> vkms_dumb_create+0x110/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> vfs_ioctl fs/ioctl.c:47 [inline]
> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> __do_sys_ioctl fs/ioctl.c:772 [inline]
> __se_sys_ioctl fs/ioctl.c:770 [inline]
> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xb3
>
> Freed by task 9558:
> save_stack+0x1b/0x40 mm/kasan/common.c:49
> set_track mm/kasan/common.c:57 [inline]
> kasan_set_free_info mm/kasan/common.c:317 [inline]
> __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
> __cache_free mm/slab.c:3426 [inline]
> kfree+0x109/0x2b0 mm/slab.c:3757
> drm_gem_object_free+0xf0/0x1f0 drivers/gpu/drm/drm_gem.c:983
> kref_put include/linux/kref.h:65 [inline]
> drm_gem_object_put_unlocked drivers/gpu/drm/drm_gem.c:1017 [inline]
> drm_gem_object_put_unlocked+0x190/0x1c0 drivers/gpu/drm/drm_gem.c:1002
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:116 [inline]
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
> vkms_dumb_create+0x14d/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> vfs_ioctl fs/ioctl.c:47 [inline]
> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> __do_sys_ioctl fs/ioctl.c:772 [inline]
> __se_sys_ioctl fs/ioctl.c:770 [inline]
> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xb3
>
> The buggy address belongs to the object at ffff88809e537000
> which belongs to the cache kmalloc-1k of size 1024
> The buggy address is located 272 bytes inside of
> 1024-byte region [ffff88809e537000, ffff88809e537400)
> The buggy address belongs to the page:
> page:ffffea0002794dc0 refcount:1 mapcount:0 mapping:00000000e8234a18 index:0x0
> flags: 0xfffe0000000200(slab)
> raw: 00fffe0000000200 ffffea00027a3608 ffffea0002749008 ffff8880aa000c40
> raw: 0000000000000000 ffff88809e537000 0000000100000002 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff88809e537000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809e537080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff88809e537100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff88809e537180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809e537200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
Nothing to do if we're allowed to do nothing in the error case.
--- a/drivers/gpu/drm/vkms/vkms_gem.c
+++ b/drivers/gpu/drm/vkms/vkms_gem.c
@@ -113,7 +113,6 @@ struct drm_gem_object *vkms_gem_create(s
return ERR_CAST(obj);
ret = drm_gem_handle_create(file, &obj->gem, handle);
- drm_gem_object_put_unlocked(&obj->gem);
if (ret)
return ERR_PTR(ret);
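Review bot: with `drm_gem_object_put_unlocked(&obj->gem)` removed, the `if (ret) return ERR_PTR(ret);` path no longer releases the reference the object was allocated with; the caller receives an ERR_PTR and has nothing to put, so a failed `drm_gem_handle_create()` now leaks the object. Keep the put for the error case only, e.g. `if (ret) { drm_gem_object_put_unlocked(&obj->gem); return ERR_PTR(ret); }`, and drop the creator's reference in the caller once it has finished with the object (the read at vkms_gem.c:142 in the KASAN report is exactly that last use).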
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
* Re: KASAN: use-after-free Read in vkms_dumb_create
2020-04-27 3:48 ` syzbot
@ 2020-04-27 13:17 ` Ezequiel Garcia
-1 siblings, 0 replies; 13+ messages in thread
From: Ezequiel Garcia @ 2020-04-27 13:17 UTC (permalink / raw)
To: syzbot
Cc: David Airlie, Daniel Vetter, dri-devel, hamohammed.sa,
linaro-mm-sig, Linux Kernel Mailing List, linux-media,
rodrigosiqueiramelo, sumit.semwal, syzkaller-bugs
On Mon, 27 Apr 2020 at 00:48, syzbot
<syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: c578ddb3 Merge tag 'linux-kselftest-5.7-rc3' of git://git...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10fbf0d8100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b7a70e992f2f9b68
> dashboard link: https://syzkaller.appspot.com/bug?extid=e3372a2afe1e7ef04bc7
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15438330100000
>
> Bisection is inconclusive: the first bad commit could be any of:
>
> 85b5bafb drm/cma-helper: Remove drm_fb_cma_fbdev_init_with_funcs()
> dff1c703 drm/tinydrm: Use drm_fbdev_generic_setup()
> 23167fa9 drm/panel: simple: Add support for Rocktech RK070ER9427 LCD panel
> 9060d7f4 drm/fb-helper: Finish the generic fbdev emulation
> 2230ca12 dt-bindings: display: Document the EDT et* displays in one file.
> e896c132 drm/debugfs: Add internal client debugfs file
> 894a677f drm/cma-helper: Use the generic fbdev emulation
> aa7e6455 drm/panel: Add support for the EDT ETM0700G0BDH6
> 244007ec drm/pl111: Set .gem_prime_vmap and .gem_prime_mmap
> aad34de2 drm/panel: Add support for the EDT ETM0700G0EDH6
> 7a6aca49 dt-bindings: Add vendor prefix for DLC Display Co., Ltd.
> d536540f drm/fb-helper: Add generic fbdev emulation .fb_probe function
> 0ca0c827 drm/panel: simple: Add DLC DLC0700YZG-1 panel
> c76f0f7c drm: Begin an API for in-kernel clients
> 5ba57bab drm: vkms: select DRM_KMS_HELPER
> 5fa8e4a2 drm/panel: Make of_drm_find_panel() return an ERR_PTR() instead of NULL
> 008095e0 drm/vc4: Add support for the transposer block
> c59eb3cf drm/panel: Let of_drm_find_panel() return -ENODEV when the panel is disabled
> 1ebe99a7 drm/vc4: Call drm_atomic_helper_fake_vblank() in the commit path
> 2e64a174 drm/of: Make drm_of_find_panel_or_bridge() fail when the device is disabled
> 1b9883ea drm/vc4: Support the case where the DSI device is disabled
> 6fb42b66 drm/atomic: Call fake_vblank() from the generic commit_tail() helpers
> b0b7aa40 dt-bindings: display: Add DT bindings for BOE HV070WSA-100 panel
> b25c60af drm/crtc: Add a generic infrastructure to fake VBLANK events
> 184d3cf4 drm/vc4: Use wait_for_flip_done() instead of wait_for_vblanks()
> ae8cf41b drm/panel: simple: Add support for BOE HV070WSA-100 panel to simple-panel
> 814bde99 drm/connector: Make ->atomic_commit() optional
> 955f60db drm: Add support for extracting sync signal drive edge from videomode
> 3b39ad7a drm/panel: simple: Add newhaven, nhd-4.3-480272ef-atxl LCD
> 425132fd drm/connector: Pass a drm_connector_state to ->atomic_commit()
> a5d2ade6 drm/panel: simple: Add support for Innolux G070Y2-L01
> b82c1f8f drm/atomic: Avoid connector to writeback_connector casts
> 03fa9aa3 dt-bindings: Add DataImage, Inc. vendor prefix
> 73915b2b drm/writeback: Fix the "overview" section of the doc
> 97ceb1fb drm/panel: simple: Add support for DataImage SCF0700C48GGU18
> e22e9531 Merge drm-upstream/drm-next into drm-misc-next
> 3d5664f9 drm/panel: ili9881c: Fix missing assignment to error return ret
> a0120245 drm/crc: Only report a single overflow when a CRC fd is opened
> 7ad4e463 drm/panel: p079zca: Refactor panel driver to support multiple panels
> 8adbbb2e drm/stm: ltdc: rework reset sequence
> 48bd379a drm/panel: p079zca: Add variable unprepare_delay properties
> 7868e507 drm/stm: ltdc: filter mode pixel clock vs pad constraint
> 731edd4c dt-bindings: Add Innolux P097PFG panel bindings
> f8878bb2 drm: print plane state normalized zpos value
> ca52bea9 drm/atomic-helper: Use bitwise or for filling a bitmask
> de04a462 drm/panel: p079zca: Support Innolux P097PFG panel
> 2bb7a39c dt-bindings: Add vendor prefix for kingdisplay
> a65020d0 drm/v3d: Fix a grammar nit in the scheduler docs.
> 2dd4f211 drm/v3d: Add missing v3d documentation structure.
> ebc950fd dt-bindings: Add KINGDISPLAY KD097D04 panel bindings
> cd0e0ca6 drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
> e0d01811 drm/v3d: Remove unnecessary dma_fence_ops.
> 624bb0c0 drm/v3d: Delay the scheduler timeout if we're still making progress.
> b6d83fcc drm/panel: p079zca: Use of_device_get_match_data()
> 408633d2 drm/v3d: use new return type vm_fault_t in v3d_gem_fault
> decac6b0 dt-bindings: display: sun4i-drm: Add R40 display engine compatible
> 0b7510d1 drm/tilcdc: Use drm_connector_has_possible_encoder()
> d978a94b drm/sun4i: Add R40 display engine compatible
> af11942e drm/sun4i: tcon-top: Cleanup clock handling
> f8222409 drm/msm: Use drm_connector_has_possible_encoder()
> 38cb8d96 drm: Add drm_connector_has_possible_encoder()
> da82107e drm/sun4i: tcon: Release node when traversing of graph
> 7a667775 dt-bindings: display: sun4i-drm: Add R40 TV TCON description
> 7b71ca24 drm/radeon: Use drm_connector_for_each_possible_encoder()
> 4a068c5c drm/sun4i: DW HDMI: Release nodes if error happens during CRTC search
> ddba766d drm/nouveau: Use drm_connector_for_each_possible_encoder()
> 98c0e348 drm/amdgpu: Use drm_connector_for_each_possible_encoder()
> e0f56782 drm/sun4i: mixer: Order includes alphabetically
> 05db311a drm/sun4i: tcon-top: Add helpers for mux switching
> 83aefbb8 drm: Add drm_connector_for_each_possible_encoder()
> 20431c05 drm/i915: Nuke intel_mst_best_encoder()
> 5e496566 drm/sun4i: tcon-top: Remove mux configuration at probe time
> 0d998891 drm/fb-helper: Eliminate the .best_encoder() usage
> ac1fe132 dt-bindings: display: sun4i-drm: Fix order of DW HDMI PHY compatibles
> 03e3ec9a drm/panel: simple: Add Sharp LQ035Q7DB03 panel support
> c91b007e drm/vkms: Add extra information about vkms
> 5685ca0c drm/tinydrm: Fix doc build warnings
> 854502fa drm/vkms: Add basic CRTC initialization
> ae61f61f drm/client: Fix: drm_client_new: Don't require DRM to be registered
> c04372ea drm/vkms: Add mode_config initialization
> 41111ce1 drm/vkms: vkms_driver can be static
> 559e50fd drm/vkms: Add dumb operations
> 1c7c5fd9 drm/vkms: Introduce basic VKMS driver
> 657cd71e drm: gma500: Changed __attribute__((packed)) to __packed
> d1648930 drm/vkms: Add connectors helpers
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b65cdfe00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
> Read of size 8 at addr ffff88809e537110 by task syz-executor.0/9558
>
> CPU: 0 PID: 9558 Comm: syz-executor.0 Not tainted 5.7.0-rc2-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x188/0x20d lib/dump_stack.c:118
> print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
> __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
> kasan_report+0x33/0x50 mm/kasan/common.c:625
> vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> vfs_ioctl fs/ioctl.c:47 [inline]
> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> __do_sys_ioctl fs/ioctl.c:772 [inline]
> __se_sys_ioctl fs/ioctl.c:770 [inline]
> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xb3
> RIP: 0033:0x45c829
> Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f19a3e30c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00000000004e2d80 RCX: 000000000045c829
> RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003
> RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
> R13: 000000000000028b R14: 00000000004d3188 R15: 00007f19a3e316d4
>
> Allocated by task 9558:
> save_stack+0x1b/0x40 mm/kasan/common.c:49
> set_track mm/kasan/common.c:57 [inline]
> __kasan_kmalloc mm/kasan/common.c:495 [inline]
> __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
> kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
> __vkms_gem_create+0x44/0xf0 include/linux/slab.h:555
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:111 [inline]
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
> vkms_dumb_create+0x110/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> vfs_ioctl fs/ioctl.c:47 [inline]
> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> __do_sys_ioctl fs/ioctl.c:772 [inline]
> __se_sys_ioctl fs/ioctl.c:770 [inline]
> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xb3
>
> Freed by task 9558:
> save_stack+0x1b/0x40 mm/kasan/common.c:49
> set_track mm/kasan/common.c:57 [inline]
> kasan_set_free_info mm/kasan/common.c:317 [inline]
> __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
> __cache_free mm/slab.c:3426 [inline]
> kfree+0x109/0x2b0 mm/slab.c:3757
> drm_gem_object_free+0xf0/0x1f0 drivers/gpu/drm/drm_gem.c:983
> kref_put include/linux/kref.h:65 [inline]
> drm_gem_object_put_unlocked drivers/gpu/drm/drm_gem.c:1017 [inline]
> drm_gem_object_put_unlocked+0x190/0x1c0 drivers/gpu/drm/drm_gem.c:1002
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:116 [inline]
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
> vkms_dumb_create+0x14d/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> vfs_ioctl fs/ioctl.c:47 [inline]
> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> __do_sys_ioctl fs/ioctl.c:772 [inline]
> __se_sys_ioctl fs/ioctl.c:770 [inline]
> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xb3
>
> The buggy address belongs to the object at ffff88809e537000
> which belongs to the cache kmalloc-1k of size 1024
> The buggy address is located 272 bytes inside of
> 1024-byte region [ffff88809e537000, ffff88809e537400)
> The buggy address belongs to the page:
> page:ffffea0002794dc0 refcount:1 mapcount:0 mapping:00000000e8234a18 index:0x0
> flags: 0xfffe0000000200(slab)
> raw: 00fffe0000000200 ffffea00027a3608 ffffea0002749008 ffff8880aa000c40
> raw: 0000000000000000 ffff88809e537000 0000000100000002 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff88809e537000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809e537080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff88809e537100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff88809e537180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809e537200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
Let's see if this works...
#syz test: upstream c578ddb3
From 58035231aa036d5710286e242ec9b6d1f2995c85 Mon Sep 17 00:00:00 2001
From: Ezequiel Garcia <ezequiel@collabora.com>
Date: Mon, 27 Apr 2020 10:15:06 -0300
Subject: [PATCH] vkms: Hold gem object while in use
Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
---
drivers/gpu/drm/vkms/vkms_gem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vkms/vkms_gem.c b/drivers/gpu/drm/vkms/vkms_gem.c
index 2e01186fb943..023e6a45fbf8 100644
--- a/drivers/gpu/drm/vkms/vkms_gem.c
+++ b/drivers/gpu/drm/vkms/vkms_gem.c
@@ -113,7 +113,6 @@ struct drm_gem_object *vkms_gem_create(struct
drm_device *dev,
return ERR_CAST(obj);
ret = drm_gem_handle_create(file, &obj->gem, handle);
- drm_gem_object_put_unlocked(&obj->gem);
if (ret)
return ERR_PTR(ret);
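Review bot: the error branch `if (ret) return ERR_PTR(ret);` now leaks the object: the only reference is the one taken at allocation, the handle was not created, and the caller cannot put an ERR_PTR. Restore the put on this path only, e.g. `if (ret) { drm_gem_object_put_unlocked(&obj->gem); return ERR_PTR(ret); }`, so that removing the unconditional put fixes the use-after-free without trading it for a leak.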
@@ -142,6 +141,8 @@ int vkms_dumb_create(struct drm_file *file, struct
drm_device *dev,
args->size = gem_obj->size;
args->pitch = pitch;
+ drm_gem_object_put_unlocked(gem_obj);
+
DRM_DEBUG_DRIVER("Created object of size %lld\n", size);
return 0;
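Review bot: because the creator's reference is now dropped only at this success-path `drm_gem_object_put_unlocked(gem_obj);`, any early return in vkms_dumb_create() between vkms_gem_create() and this line (the hunk shows only the tail of the function) would leak the object; please confirm no such return exists or put the object on those paths as well. The ordering itself is right: the `args->size = gem_obj->size;` read that KASAN flagged at vkms_gem.c:142 now happens while the reference is still held, and the following DRM_DEBUG_DRIVER() uses the local `size`, not the object. The commit message also has no body; add a sentence on why the reference must outlive the size read, plus the `Reported-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com` tag the report asks for.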
--
2.26.0.rc2
* Re: Re: KASAN: use-after-free Read in vkms_dumb_create
2020-04-27 13:17 ` Ezequiel Garcia
@ 2020-04-27 13:17 ` syzbot
-1 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2020-04-27 13:17 UTC (permalink / raw)
To: Ezequiel Garcia
Cc: airlied, daniel, dri-devel, ezequiel, hamohammed.sa,
linaro-mm-sig, linux-kernel, linux-media, rodrigosiqueiramelo,
sumit.semwal, syzkaller-bugs
> On Mon, 27 Apr 2020 at 00:48, syzbot
> <syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com> wrote:
>>
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: c578ddb3 Merge tag 'linux-kselftest-5.7-rc3' of git://git...
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=10fbf0d8100000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=b7a70e992f2f9b68
>> dashboard link: https://syzkaller.appspot.com/bug?extid=e3372a2afe1e7ef04bc7
>> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15438330100000
>>
>> Bisection is inconclusive: the first bad commit could be any of:
>>
>> 85b5bafb drm/cma-helper: Remove drm_fb_cma_fbdev_init_with_funcs()
>> dff1c703 drm/tinydrm: Use drm_fbdev_generic_setup()
>> 23167fa9 drm/panel: simple: Add support for Rocktech RK070ER9427 LCD panel
>> 9060d7f4 drm/fb-helper: Finish the generic fbdev emulation
>> 2230ca12 dt-bindings: display: Document the EDT et* displays in one file.
>> e896c132 drm/debugfs: Add internal client debugfs file
>> 894a677f drm/cma-helper: Use the generic fbdev emulation
>> aa7e6455 drm/panel: Add support for the EDT ETM0700G0BDH6
>> 244007ec drm/pl111: Set .gem_prime_vmap and .gem_prime_mmap
>> aad34de2 drm/panel: Add support for the EDT ETM0700G0EDH6
>> 7a6aca49 dt-bindings: Add vendor prefix for DLC Display Co., Ltd.
>> d536540f drm/fb-helper: Add generic fbdev emulation .fb_probe function
>> 0ca0c827 drm/panel: simple: Add DLC DLC0700YZG-1 panel
>> c76f0f7c drm: Begin an API for in-kernel clients
>> 5ba57bab drm: vkms: select DRM_KMS_HELPER
>> 5fa8e4a2 drm/panel: Make of_drm_find_panel() return an ERR_PTR() instead of NULL
>> 008095e0 drm/vc4: Add support for the transposer block
>> c59eb3cf drm/panel: Let of_drm_find_panel() return -ENODEV when the panel is disabled
>> 1ebe99a7 drm/vc4: Call drm_atomic_helper_fake_vblank() in the commit path
>> 2e64a174 drm/of: Make drm_of_find_panel_or_bridge() fail when the device is disabled
>> 1b9883ea drm/vc4: Support the case where the DSI device is disabled
>> 6fb42b66 drm/atomic: Call fake_vblank() from the generic commit_tail() helpers
>> b0b7aa40 dt-bindings: display: Add DT bindings for BOE HV070WSA-100 panel
>> b25c60af drm/crtc: Add a generic infrastructure to fake VBLANK events
>> 184d3cf4 drm/vc4: Use wait_for_flip_done() instead of wait_for_vblanks()
>> ae8cf41b drm/panel: simple: Add support for BOE HV070WSA-100 panel to simple-panel
>> 814bde99 drm/connector: Make ->atomic_commit() optional
>> 955f60db drm: Add support for extracting sync signal drive edge from videomode
>> 3b39ad7a drm/panel: simple: Add newhaven, nhd-4.3-480272ef-atxl LCD
>> 425132fd drm/connector: Pass a drm_connector_state to ->atomic_commit()
>> a5d2ade6 drm/panel: simple: Add support for Innolux G070Y2-L01
>> b82c1f8f drm/atomic: Avoid connector to writeback_connector casts
>> 03fa9aa3 dt-bindings: Add DataImage, Inc. vendor prefix
>> 73915b2b drm/writeback: Fix the "overview" section of the doc
>> 97ceb1fb drm/panel: simple: Add support for DataImage SCF0700C48GGU18
>> e22e9531 Merge drm-upstream/drm-next into drm-misc-next
>> 3d5664f9 drm/panel: ili9881c: Fix missing assignment to error return ret
>> a0120245 drm/crc: Only report a single overflow when a CRC fd is opened
>> 7ad4e463 drm/panel: p079zca: Refactor panel driver to support multiple panels
>> 8adbbb2e drm/stm: ltdc: rework reset sequence
>> 48bd379a drm/panel: p079zca: Add variable unprepare_delay properties
>> 7868e507 drm/stm: ltdc: filter mode pixel clock vs pad constraint
>> 731edd4c dt-bindings: Add Innolux P097PFG panel bindings
>> f8878bb2 drm: print plane state normalized zpos value
>> ca52bea9 drm/atomic-helper: Use bitwise or for filling a bitmask
>> de04a462 drm/panel: p079zca: Support Innolux P097PFG panel
>> 2bb7a39c dt-bindings: Add vendor prefix for kingdisplay
>> a65020d0 drm/v3d: Fix a grammar nit in the scheduler docs.
>> 2dd4f211 drm/v3d: Add missing v3d documentation structure.
>> ebc950fd dt-bindings: Add KINGDISPLAY KD097D04 panel bindings
>> cd0e0ca6 drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
>> e0d01811 drm/v3d: Remove unnecessary dma_fence_ops.
>> 624bb0c0 drm/v3d: Delay the scheduler timeout if we're still making progress.
>> b6d83fcc drm/panel: p079zca: Use of_device_get_match_data()
>> 408633d2 drm/v3d: use new return type vm_fault_t in v3d_gem_fault
>> decac6b0 dt-bindings: display: sun4i-drm: Add R40 display engine compatible
>> 0b7510d1 drm/tilcdc: Use drm_connector_has_possible_encoder()
>> d978a94b drm/sun4i: Add R40 display engine compatible
>> af11942e drm/sun4i: tcon-top: Cleanup clock handling
>> f8222409 drm/msm: Use drm_connector_has_possible_encoder()
>> 38cb8d96 drm: Add drm_connector_has_possible_encoder()
>> da82107e drm/sun4i: tcon: Release node when traversing of graph
>> 7a667775 dt-bindings: display: sun4i-drm: Add R40 TV TCON description
>> 7b71ca24 drm/radeon: Use drm_connector_for_each_possible_encoder()
>> 4a068c5c drm/sun4i: DW HDMI: Release nodes if error happens during CRTC search
>> ddba766d drm/nouveau: Use drm_connector_for_each_possible_encoder()
>> 98c0e348 drm/amdgpu: Use drm_connector_for_each_possible_encoder()
>> e0f56782 drm/sun4i: mixer: Order includes alphabetically
>> 05db311a drm/sun4i: tcon-top: Add helpers for mux switching
>> 83aefbb8 drm: Add drm_connector_for_each_possible_encoder()
>> 20431c05 drm/i915: Nuke intel_mst_best_encoder()
>> 5e496566 drm/sun4i: tcon-top: Remove mux configuration at probe time
>> 0d998891 drm/fb-helper: Eliminate the .best_encoder() usage
>> ac1fe132 dt-bindings: display: sun4i-drm: Fix order of DW HDMI PHY compatibles
>> 03e3ec9a drm/panel: simple: Add Sharp LQ035Q7DB03 panel support
>> c91b007e drm/vkms: Add extra information about vkms
>> 5685ca0c drm/tinydrm: Fix doc build warnings
>> 854502fa drm/vkms: Add basic CRTC initialization
>> ae61f61f drm/client: Fix: drm_client_new: Don't require DRM to be registered
>> c04372ea drm/vkms: Add mode_config initialization
>> 41111ce1 drm/vkms: vkms_driver can be static
>> 559e50fd drm/vkms: Add dumb operations
>> 1c7c5fd9 drm/vkms: Introduce basic VKMS driver
>> 657cd71e drm: gma500: Changed __attribute__((packed)) to __packed
>> d1648930 drm/vkms: Add connectors helpers
>>
>> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b65cdfe00000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
>> Read of size 8 at addr ffff88809e537110 by task syz-executor.0/9558
>>
>> CPU: 0 PID: 9558 Comm: syz-executor.0 Not tainted 5.7.0-rc2-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>> __dump_stack lib/dump_stack.c:77 [inline]
>> dump_stack+0x188/0x20d lib/dump_stack.c:118
>> print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
>> __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
>> kasan_report+0x33/0x50 mm/kasan/common.c:625
>> vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
>> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
>> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
>> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
>> vfs_ioctl fs/ioctl.c:47 [inline]
>> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
>> __do_sys_ioctl fs/ioctl.c:772 [inline]
>> __se_sys_ioctl fs/ioctl.c:770 [inline]
>> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
>> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
>> entry_SYSCALL_64_after_hwframe+0x49/0xb3
>> RIP: 0033:0x45c829
>> Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
>> RSP: 002b:00007f19a3e30c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
>> RAX: ffffffffffffffda RBX: 00000000004e2d80 RCX: 000000000045c829
>> RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003
>> RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
>> R13: 000000000000028b R14: 00000000004d3188 R15: 00007f19a3e316d4
>>
>> Allocated by task 9558:
>> save_stack+0x1b/0x40 mm/kasan/common.c:49
>> set_track mm/kasan/common.c:57 [inline]
>> __kasan_kmalloc mm/kasan/common.c:495 [inline]
>> __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
>> kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
>> __vkms_gem_create+0x44/0xf0 include/linux/slab.h:555
>> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:111 [inline]
>> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
>> vkms_dumb_create+0x110/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
>> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
>> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
>> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
>> vfs_ioctl fs/ioctl.c:47 [inline]
>> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
>> __do_sys_ioctl fs/ioctl.c:772 [inline]
>> __se_sys_ioctl fs/ioctl.c:770 [inline]
>> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
>> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
>> entry_SYSCALL_64_after_hwframe+0x49/0xb3
>>
>> Freed by task 9558:
>> save_stack+0x1b/0x40 mm/kasan/common.c:49
>> set_track mm/kasan/common.c:57 [inline]
>> kasan_set_free_info mm/kasan/common.c:317 [inline]
>> __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
>> __cache_free mm/slab.c:3426 [inline]
>> kfree+0x109/0x2b0 mm/slab.c:3757
>> drm_gem_object_free+0xf0/0x1f0 drivers/gpu/drm/drm_gem.c:983
>> kref_put include/linux/kref.h:65 [inline]
>> drm_gem_object_put_unlocked drivers/gpu/drm/drm_gem.c:1017 [inline]
>> drm_gem_object_put_unlocked+0x190/0x1c0 drivers/gpu/drm/drm_gem.c:1002
>> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:116 [inline]
>> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
>> vkms_dumb_create+0x14d/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
>> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
>> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
>> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
>> vfs_ioctl fs/ioctl.c:47 [inline]
>> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
>> __do_sys_ioctl fs/ioctl.c:772 [inline]
>> __se_sys_ioctl fs/ioctl.c:770 [inline]
>> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
>> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
>> entry_SYSCALL_64_after_hwframe+0x49/0xb3
>>
>> The buggy address belongs to the object at ffff88809e537000
>> which belongs to the cache kmalloc-1k of size 1024
>> The buggy address is located 272 bytes inside of
>> 1024-byte region [ffff88809e537000, ffff88809e537400)
>> The buggy address belongs to the page:
>> page:ffffea0002794dc0 refcount:1 mapcount:0 mapping:00000000e8234a18 index:0x0
>> flags: 0xfffe0000000200(slab)
>> raw: 00fffe0000000200 ffffea00027a3608 ffffea0002749008 ffff8880aa000c40
>> raw: 0000000000000000 ffff88809e537000 0000000100000002 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>> ffff88809e537000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff88809e537080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> >ffff88809e537100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ^
>> ffff88809e537180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff88809e537200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>>
>> ---
>> This bug is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this bug report. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>> syzbot can test patches for this bug, for details see:
>> https://goo.gl/tpsmEJ#testing-patches
>
> Let's see if this works...
>
> #syz test: upstream c578ddb3
"upstream" does not look like a valid git repo address.
>
> From 58035231aa036d5710286e242ec9b6d1f2995c85 Mon Sep 17 00:00:00 2001
> From: Ezequiel Garcia <ezequiel@collabora.com>
> Date: Mon, 27 Apr 2020 10:15:06 -0300
> Subject: [PATCH] vkms: Hold gem object while in use
>
> Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
> ---
> drivers/gpu/drm/vkms/vkms_gem.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/vkms/vkms_gem.c b/drivers/gpu/drm/vkms/vkms_gem.c
> index 2e01186fb943..023e6a45fbf8 100644
> --- a/drivers/gpu/drm/vkms/vkms_gem.c
> +++ b/drivers/gpu/drm/vkms/vkms_gem.c
> @@ -113,7 +113,6 @@ struct drm_gem_object *vkms_gem_create(struct
> drm_device *dev,
> return ERR_CAST(obj);
>
> ret = drm_gem_handle_create(file, &obj->gem, handle);
> - drm_gem_object_put_unlocked(&obj->gem);
> if (ret)
> return ERR_PTR(ret);
>
> @@ -142,6 +141,8 @@ int vkms_dumb_create(struct drm_file *file, struct
> drm_device *dev,
> args->size = gem_obj->size;
> args->pitch = pitch;
>
> + drm_gem_object_put_unlocked(gem_obj);
> +
> DRM_DEBUG_DRIVER("Created object of size %lld\n", size);
>
> return 0;
> --
> 2.26.0.rc2
* Re: KASAN: use-after-free Read in vkms_dumb_create
2020-04-27 3:48 ` syzbot
@ 2020-04-27 14:26 ` Ezequiel Garcia
-1 siblings, 0 replies; 13+ messages in thread
From: Ezequiel Garcia @ 2020-04-27 14:26 UTC (permalink / raw)
To: syzbot
Cc: David Airlie, Daniel Vetter, dri-devel, hamohammed.sa,
linaro-mm-sig, Linux Kernel Mailing List, linux-media,
rodrigosiqueiramelo, Sumit Semwal, syzkaller-bugs
On Mon, 27 Apr 2020 at 00:48, syzbot
<syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: c578ddb3 Merge tag 'linux-kselftest-5.7-rc3' of git://git...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10fbf0d8100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b7a70e992f2f9b68
> dashboard link: https://syzkaller.appspot.com/bug?extid=e3372a2afe1e7ef04bc7
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15438330100000
>
> Bisection is inconclusive: the first bad commit could be any of:
>
> 85b5bafb drm/cma-helper: Remove drm_fb_cma_fbdev_init_with_funcs()
> dff1c703 drm/tinydrm: Use drm_fbdev_generic_setup()
> 23167fa9 drm/panel: simple: Add support for Rocktech RK070ER9427 LCD panel
> 9060d7f4 drm/fb-helper: Finish the generic fbdev emulation
> 2230ca12 dt-bindings: display: Document the EDT et* displays in one file.
> e896c132 drm/debugfs: Add internal client debugfs file
> 894a677f drm/cma-helper: Use the generic fbdev emulation
> aa7e6455 drm/panel: Add support for the EDT ETM0700G0BDH6
> 244007ec drm/pl111: Set .gem_prime_vmap and .gem_prime_mmap
> aad34de2 drm/panel: Add support for the EDT ETM0700G0EDH6
> 7a6aca49 dt-bindings: Add vendor prefix for DLC Display Co., Ltd.
> d536540f drm/fb-helper: Add generic fbdev emulation .fb_probe function
> 0ca0c827 drm/panel: simple: Add DLC DLC0700YZG-1 panel
> c76f0f7c drm: Begin an API for in-kernel clients
> 5ba57bab drm: vkms: select DRM_KMS_HELPER
> 5fa8e4a2 drm/panel: Make of_drm_find_panel() return an ERR_PTR() instead of NULL
> 008095e0 drm/vc4: Add support for the transposer block
> c59eb3cf drm/panel: Let of_drm_find_panel() return -ENODEV when the panel is disabled
> 1ebe99a7 drm/vc4: Call drm_atomic_helper_fake_vblank() in the commit path
> 2e64a174 drm/of: Make drm_of_find_panel_or_bridge() fail when the device is disabled
> 1b9883ea drm/vc4: Support the case where the DSI device is disabled
> 6fb42b66 drm/atomic: Call fake_vblank() from the generic commit_tail() helpers
> b0b7aa40 dt-bindings: display: Add DT bindings for BOE HV070WSA-100 panel
> b25c60af drm/crtc: Add a generic infrastructure to fake VBLANK events
> 184d3cf4 drm/vc4: Use wait_for_flip_done() instead of wait_for_vblanks()
> ae8cf41b drm/panel: simple: Add support for BOE HV070WSA-100 panel to simple-panel
> 814bde99 drm/connector: Make ->atomic_commit() optional
> 955f60db drm: Add support for extracting sync signal drive edge from videomode
> 3b39ad7a drm/panel: simple: Add newhaven, nhd-4.3-480272ef-atxl LCD
> 425132fd drm/connector: Pass a drm_connector_state to ->atomic_commit()
> a5d2ade6 drm/panel: simple: Add support for Innolux G070Y2-L01
> b82c1f8f drm/atomic: Avoid connector to writeback_connector casts
> 03fa9aa3 dt-bindings: Add DataImage, Inc. vendor prefix
> 73915b2b drm/writeback: Fix the "overview" section of the doc
> 97ceb1fb drm/panel: simple: Add support for DataImage SCF0700C48GGU18
> e22e9531 Merge drm-upstream/drm-next into drm-misc-next
> 3d5664f9 drm/panel: ili9881c: Fix missing assignment to error return ret
> a0120245 drm/crc: Only report a single overflow when a CRC fd is opened
> 7ad4e463 drm/panel: p079zca: Refactor panel driver to support multiple panels
> 8adbbb2e drm/stm: ltdc: rework reset sequence
> 48bd379a drm/panel: p079zca: Add variable unprepare_delay properties
> 7868e507 drm/stm: ltdc: filter mode pixel clock vs pad constraint
> 731edd4c dt-bindings: Add Innolux P097PFG panel bindings
> f8878bb2 drm: print plane state normalized zpos value
> ca52bea9 drm/atomic-helper: Use bitwise or for filling a bitmask
> de04a462 drm/panel: p079zca: Support Innolux P097PFG panel
> 2bb7a39c dt-bindings: Add vendor prefix for kingdisplay
> a65020d0 drm/v3d: Fix a grammar nit in the scheduler docs.
> 2dd4f211 drm/v3d: Add missing v3d documentation structure.
> ebc950fd dt-bindings: Add KINGDISPLAY KD097D04 panel bindings
> cd0e0ca6 drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
> e0d01811 drm/v3d: Remove unnecessary dma_fence_ops.
> 624bb0c0 drm/v3d: Delay the scheduler timeout if we're still making progress.
> b6d83fcc drm/panel: p079zca: Use of_device_get_match_data()
> 408633d2 drm/v3d: use new return type vm_fault_t in v3d_gem_fault
> decac6b0 dt-bindings: display: sun4i-drm: Add R40 display engine compatible
> 0b7510d1 drm/tilcdc: Use drm_connector_has_possible_encoder()
> d978a94b drm/sun4i: Add R40 display engine compatible
> af11942e drm/sun4i: tcon-top: Cleanup clock handling
> f8222409 drm/msm: Use drm_connector_has_possible_encoder()
> 38cb8d96 drm: Add drm_connector_has_possible_encoder()
> da82107e drm/sun4i: tcon: Release node when traversing of graph
> 7a667775 dt-bindings: display: sun4i-drm: Add R40 TV TCON description
> 7b71ca24 drm/radeon: Use drm_connector_for_each_possible_encoder()
> 4a068c5c drm/sun4i: DW HDMI: Release nodes if error happens during CRTC search
> ddba766d drm/nouveau: Use drm_connector_for_each_possible_encoder()
> 98c0e348 drm/amdgpu: Use drm_connector_for_each_possible_encoder()
> e0f56782 drm/sun4i: mixer: Order includes alphabetically
> 05db311a drm/sun4i: tcon-top: Add helpers for mux switching
> 83aefbb8 drm: Add drm_connector_for_each_possible_encoder()
> 20431c05 drm/i915: Nuke intel_mst_best_encoder()
> 5e496566 drm/sun4i: tcon-top: Remove mux configuration at probe time
> 0d998891 drm/fb-helper: Eliminate the .best_encoder() usage
> ac1fe132 dt-bindings: display: sun4i-drm: Fix order of DW HDMI PHY compatibles
> 03e3ec9a drm/panel: simple: Add Sharp LQ035Q7DB03 panel support
> c91b007e drm/vkms: Add extra information about vkms
> 5685ca0c drm/tinydrm: Fix doc build warnings
> 854502fa drm/vkms: Add basic CRTC initialization
> ae61f61f drm/client: Fix: drm_client_new: Don't require DRM to be registered
> c04372ea drm/vkms: Add mode_config initialization
> 41111ce1 drm/vkms: vkms_driver can be static
> 559e50fd drm/vkms: Add dumb operations
> 1c7c5fd9 drm/vkms: Introduce basic VKMS driver
> 657cd71e drm: gma500: Changed __attribute__((packed)) to __packed
> d1648930 drm/vkms: Add connectors helpers
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b65cdfe00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
> Read of size 8 at addr ffff88809e537110 by task syz-executor.0/9558
>
> CPU: 0 PID: 9558 Comm: syz-executor.0 Not tainted 5.7.0-rc2-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x188/0x20d lib/dump_stack.c:118
> print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
> __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
> kasan_report+0x33/0x50 mm/kasan/common.c:625
> vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> vfs_ioctl fs/ioctl.c:47 [inline]
> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> __do_sys_ioctl fs/ioctl.c:772 [inline]
> __se_sys_ioctl fs/ioctl.c:770 [inline]
> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xb3
> RIP: 0033:0x45c829
> Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f19a3e30c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00000000004e2d80 RCX: 000000000045c829
> RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003
> RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
> R13: 000000000000028b R14: 00000000004d3188 R15: 00007f19a3e316d4
>
> Allocated by task 9558:
> save_stack+0x1b/0x40 mm/kasan/common.c:49
> set_track mm/kasan/common.c:57 [inline]
> __kasan_kmalloc mm/kasan/common.c:495 [inline]
> __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
> kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
> __vkms_gem_create+0x44/0xf0 include/linux/slab.h:555
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:111 [inline]
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
> vkms_dumb_create+0x110/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> vfs_ioctl fs/ioctl.c:47 [inline]
> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> __do_sys_ioctl fs/ioctl.c:772 [inline]
> __se_sys_ioctl fs/ioctl.c:770 [inline]
> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xb3
>
> Freed by task 9558:
> save_stack+0x1b/0x40 mm/kasan/common.c:49
> set_track mm/kasan/common.c:57 [inline]
> kasan_set_free_info mm/kasan/common.c:317 [inline]
> __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
> __cache_free mm/slab.c:3426 [inline]
> kfree+0x109/0x2b0 mm/slab.c:3757
> drm_gem_object_free+0xf0/0x1f0 drivers/gpu/drm/drm_gem.c:983
> kref_put include/linux/kref.h:65 [inline]
> drm_gem_object_put_unlocked drivers/gpu/drm/drm_gem.c:1017 [inline]
> drm_gem_object_put_unlocked+0x190/0x1c0 drivers/gpu/drm/drm_gem.c:1002
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:116 [inline]
> vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
> vkms_dumb_create+0x14d/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
> drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> vfs_ioctl fs/ioctl.c:47 [inline]
> ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> __do_sys_ioctl fs/ioctl.c:772 [inline]
> __se_sys_ioctl fs/ioctl.c:770 [inline]
> __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> entry_SYSCALL_64_after_hwframe+0x49/0xb3
>
> The buggy address belongs to the object at ffff88809e537000
> which belongs to the cache kmalloc-1k of size 1024
> The buggy address is located 272 bytes inside of
> 1024-byte region [ffff88809e537000, ffff88809e537400)
> The buggy address belongs to the page:
> page:ffffea0002794dc0 refcount:1 mapcount:0 mapping:00000000e8234a18 index:0x0
> flags: 0xfffe0000000200(slab)
> raw: 00fffe0000000200 ffffea00027a3608 ffffea0002749008 ffff8880aa000c40
> raw: 0000000000000000 ffff88809e537000 0000000100000002 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff88809e537000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809e537080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff88809e537100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff88809e537180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809e537200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git c578ddb3
From 58035231aa036d5710286e242ec9b6d1f2995c85 Mon Sep 17 00:00:00 2001
From: Ezequiel Garcia <ezequiel@collabora.com>
Date: Mon, 27 Apr 2020 10:15:06 -0300
Subject: [PATCH] vkms: Hold gem object while in use
Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
---
drivers/gpu/drm/vkms/vkms_gem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vkms/vkms_gem.c b/drivers/gpu/drm/vkms/vkms_gem.c
index 2e01186fb943..023e6a45fbf8 100644
--- a/drivers/gpu/drm/vkms/vkms_gem.c
+++ b/drivers/gpu/drm/vkms/vkms_gem.c
@@ -113,7 +113,6 @@ struct drm_gem_object *vkms_gem_create(struct
drm_device *dev,
return ERR_CAST(obj);
ret = drm_gem_handle_create(file, &obj->gem, handle);
- drm_gem_object_put_unlocked(&obj->gem);
if (ret)
return ERR_PTR(ret);
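Review bot: removing the unconditional drm_gem_object_put_unlocked() turns the `if (ret) return ERR_PTR(ret);` path into a leak: when drm_gem_handle_create() fails, nothing now drops the reference taken at allocation, so the error path needs its own put, e.g. `if (ret) { drm_gem_object_put_unlocked(&obj->gem); return ERR_PTR(ret); }`. The hunk also changes the ownership contract of vkms_gem_create(): on success the caller now owns a reference besides the one held by the handle, which should be stated in a comment on the function and checked against every caller, not only vkms_dumb_create(). Separately, the hunk as posted is mangled (the `@@ -113,7 +113,6 @@` header is wrapped onto two lines and only five of the seven old lines are present), which matches syzbot's "unexpected end of file in patch"; resend with git send-email or as an attachment so the whitespace survives.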
@@ -142,6 +141,8 @@ int vkms_dumb_create(struct drm_file *file, struct
drm_device *dev,
args->size = gem_obj->size;
args->pitch = pitch;
+ drm_gem_object_put_unlocked(gem_obj);
+
DRM_DEBUG_DRIVER("Created object of size %lld\n", size);
return 0;
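Review bot: the put sits after the last read of gem_obj (`args->size = gem_obj->size;`), which closes the window the KASAN report shows, but the hunk only shows the tail of vkms_dumb_create(); any early return between the vkms_gem_create() call and this point must now also drop the reference, and that is not visible in the context lines, so please confirm or show it. Style: the extra blank `+` line after the put is unnecessary, a single added line reads cleaner. This hunk is truncated too (`@@ -142,6 +141,8 @@` with only four old lines present), so the same resend applies.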
--
2.26.0.rc2
* Re: KASAN: use-after-free Read in vkms_dumb_create
2020-04-27 14:26 ` Ezequiel Garcia
@ 2020-04-27 15:02 ` syzbot
-1 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2020-04-27 15:02 UTC (permalink / raw)
To: airlied, daniel, dri-devel, ezequiel, hamohammed.sa,
linaro-mm-sig, linux-kernel, linux-media, rodrigosiqueiramelo,
sumit.semwal, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but build/boot failed:
failed to apply patch:
checking file drivers/gpu/drm/vkms/vkms_gem.c
patch: **** unexpected end of file in patch
Tested on:
commit: c578ddb3 Merge tag 'linux-kselftest-5.7-rc3' of git://git...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=e3372a2afe1e7ef04bc7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=165806efe00000
* Re: KASAN: use-after-free Read in vkms_dumb_create
2020-04-27 13:15 ` Hillf Danton
@ 2020-04-28 18:27 ` Ezequiel Garcia
0 siblings, 0 replies; 13+ messages in thread
From: Ezequiel Garcia @ 2020-04-28 18:27 UTC (permalink / raw)
To: Hillf Danton
Cc: syzbot, hamohammed.sa, rodrigosiqueiramelo, David Airlie,
syzkaller-bugs, Linux Kernel Mailing List, dri-devel,
linaro-mm-sig, linux-media
On Tue, 28 Apr 2020 at 09:47, Hillf Danton <hdanton@sina.com> wrote:
>
>
> Sun, 26 Apr 2020 20:48:12 -0700
> > syzbot found the following crash on:
> >
> > HEAD commit: c578ddb3 Merge tag 'linux-kselftest-5.7-rc3' of git://git...
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10fbf0d8100000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=b7a70e992f2f9b68
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e3372a2afe1e7ef04bc7
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15438330100000
> >
> > Bisection is inconclusive: the first bad commit could be any of:
> >
> > 85b5bafb drm/cma-helper: Remove drm_fb_cma_fbdev_init_with_funcs()
> > dff1c703 drm/tinydrm: Use drm_fbdev_generic_setup()
> > 23167fa9 drm/panel: simple: Add support for Rocktech RK070ER9427 LCD panel
> > 9060d7f4 drm/fb-helper: Finish the generic fbdev emulation
> > 2230ca12 dt-bindings: display: Document the EDT et* displays in one file.
> > e896c132 drm/debugfs: Add internal client debugfs file
> > 894a677f drm/cma-helper: Use the generic fbdev emulation
> > aa7e6455 drm/panel: Add support for the EDT ETM0700G0BDH6
> > 244007ec drm/pl111: Set .gem_prime_vmap and .gem_prime_mmap
> > aad34de2 drm/panel: Add support for the EDT ETM0700G0EDH6
> > 7a6aca49 dt-bindings: Add vendor prefix for DLC Display Co., Ltd.
> > d536540f drm/fb-helper: Add generic fbdev emulation .fb_probe function
> > 0ca0c827 drm/panel: simple: Add DLC DLC0700YZG-1 panel
> > c76f0f7c drm: Begin an API for in-kernel clients
> > 5ba57bab drm: vkms: select DRM_KMS_HELPER
> > 5fa8e4a2 drm/panel: Make of_drm_find_panel() return an ERR_PTR() instead of NULL
> > 008095e0 drm/vc4: Add support for the transposer block
> > c59eb3cf drm/panel: Let of_drm_find_panel() return -ENODEV when the panel is disabled
> > 1ebe99a7 drm/vc4: Call drm_atomic_helper_fake_vblank() in the commit path
> > 2e64a174 drm/of: Make drm_of_find_panel_or_bridge() fail when the device is disabled
> > 1b9883ea drm/vc4: Support the case where the DSI device is disabled
> > 6fb42b66 drm/atomic: Call fake_vblank() from the generic commit_tail() helpers
> > b0b7aa40 dt-bindings: display: Add DT bindings for BOE HV070WSA-100 panel
> > b25c60af drm/crtc: Add a generic infrastructure to fake VBLANK events
> > 184d3cf4 drm/vc4: Use wait_for_flip_done() instead of wait_for_vblanks()
> > ae8cf41b drm/panel: simple: Add support for BOE HV070WSA-100 panel to simple-panel
> > 814bde99 drm/connector: Make ->atomic_commit() optional
> > 955f60db drm: Add support for extracting sync signal drive edge from videomode
> > 3b39ad7a drm/panel: simple: Add newhaven, nhd-4.3-480272ef-atxl LCD
> > 425132fd drm/connector: Pass a drm_connector_state to ->atomic_commit()
> > a5d2ade6 drm/panel: simple: Add support for Innolux G070Y2-L01
> > b82c1f8f drm/atomic: Avoid connector to writeback_connector casts
> > 03fa9aa3 dt-bindings: Add DataImage, Inc. vendor prefix
> > 73915b2b drm/writeback: Fix the "overview" section of the doc
> > 97ceb1fb drm/panel: simple: Add support for DataImage SCF0700C48GGU18
> > e22e9531 Merge drm-upstream/drm-next into drm-misc-next
> > 3d5664f9 drm/panel: ili9881c: Fix missing assignment to error return ret
> > a0120245 drm/crc: Only report a single overflow when a CRC fd is opened
> > 7ad4e463 drm/panel: p079zca: Refactor panel driver to support multiple panels
> > 8adbbb2e drm/stm: ltdc: rework reset sequence
> > 48bd379a drm/panel: p079zca: Add variable unprepare_delay properties
> > 7868e507 drm/stm: ltdc: filter mode pixel clock vs pad constraint
> > 731edd4c dt-bindings: Add Innolux P097PFG panel bindings
> > f8878bb2 drm: print plane state normalized zpos value
> > ca52bea9 drm/atomic-helper: Use bitwise or for filling a bitmask
> > de04a462 drm/panel: p079zca: Support Innolux P097PFG panel
> > 2bb7a39c dt-bindings: Add vendor prefix for kingdisplay
> > a65020d0 drm/v3d: Fix a grammar nit in the scheduler docs.
> > 2dd4f211 drm/v3d: Add missing v3d documentation structure.
> > ebc950fd dt-bindings: Add KINGDISPLAY KD097D04 panel bindings
> > cd0e0ca6 drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
> > e0d01811 drm/v3d: Remove unnecessary dma_fence_ops.
> > 624bb0c0 drm/v3d: Delay the scheduler timeout if we're still making progress.
> > b6d83fcc drm/panel: p079zca: Use of_device_get_match_data()
> > 408633d2 drm/v3d: use new return type vm_fault_t in v3d_gem_fault
> > decac6b0 dt-bindings: display: sun4i-drm: Add R40 display engine compatible
> > 0b7510d1 drm/tilcdc: Use drm_connector_has_possible_encoder()
> > d978a94b drm/sun4i: Add R40 display engine compatible
> > af11942e drm/sun4i: tcon-top: Cleanup clock handling
> > f8222409 drm/msm: Use drm_connector_has_possible_encoder()
> > 38cb8d96 drm: Add drm_connector_has_possible_encoder()
> > da82107e drm/sun4i: tcon: Release node when traversing of graph
> > 7a667775 dt-bindings: display: sun4i-drm: Add R40 TV TCON description
> > 7b71ca24 drm/radeon: Use drm_connector_for_each_possible_encoder()
> > 4a068c5c drm/sun4i: DW HDMI: Release nodes if error happens during CRTC search
> > ddba766d drm/nouveau: Use drm_connector_for_each_possible_encoder()
> > 98c0e348 drm/amdgpu: Use drm_connector_for_each_possible_encoder()
> > e0f56782 drm/sun4i: mixer: Order includes alphabetically
> > 05db311a drm/sun4i: tcon-top: Add helpers for mux switching
> > 83aefbb8 drm: Add drm_connector_for_each_possible_encoder()
> > 20431c05 drm/i915: Nuke intel_mst_best_encoder()
> > 5e496566 drm/sun4i: tcon-top: Remove mux configuration at probe time
> > 0d998891 drm/fb-helper: Eliminate the .best_encoder() usage
> > ac1fe132 dt-bindings: display: sun4i-drm: Fix order of DW HDMI PHY compatibles
> > 03e3ec9a drm/panel: simple: Add Sharp LQ035Q7DB03 panel support
> > c91b007e drm/vkms: Add extra information about vkms
> > 5685ca0c drm/tinydrm: Fix doc build warnings
> > 854502fa drm/vkms: Add basic CRTC initialization
> > ae61f61f drm/client: Fix: drm_client_new: Don't require DRM to be registered
> > c04372ea drm/vkms: Add mode_config initialization
> > 41111ce1 drm/vkms: vkms_driver can be static
> > 559e50fd drm/vkms: Add dumb operations
> > 1c7c5fd9 drm/vkms: Introduce basic VKMS driver
> > 657cd71e drm: gma500: Changed __attribute__((packed)) to __packed
> > d1648930 drm/vkms: Add connectors helpers
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17b65cdfe00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
> > Read of size 8 at addr ffff88809e537110 by task syz-executor.0/9558
> >
> > CPU: 0 PID: 9558 Comm: syz-executor.0 Not tainted 5.7.0-rc2-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> > __dump_stack lib/dump_stack.c:77 [inline]
> > dump_stack+0x188/0x20d lib/dump_stack.c:118
> > print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
> > __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
> > kasan_report+0x33/0x50 mm/kasan/common.c:625
> > vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
> > drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> > drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> > drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> > vfs_ioctl fs/ioctl.c:47 [inline]
> > ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> > __do_sys_ioctl fs/ioctl.c:772 [inline]
> > __se_sys_ioctl fs/ioctl.c:770 [inline]
> > __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> > do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> > entry_SYSCALL_64_after_hwframe+0x49/0xb3
> > RIP: 0033:0x45c829
> > Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> > RSP: 002b:00007f19a3e30c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> > RAX: ffffffffffffffda RBX: 00000000004e2d80 RCX: 000000000045c829
> > RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003
> > RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
> > R13: 000000000000028b R14: 00000000004d3188 R15: 00007f19a3e316d4
> >
> > Allocated by task 9558:
> > save_stack+0x1b/0x40 mm/kasan/common.c:49
> > set_track mm/kasan/common.c:57 [inline]
> > __kasan_kmalloc mm/kasan/common.c:495 [inline]
> > __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
> > kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
> > __vkms_gem_create+0x44/0xf0 include/linux/slab.h:555
> > vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:111 [inline]
> > vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
> > vkms_dumb_create+0x110/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
> > drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> > drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> > drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> > vfs_ioctl fs/ioctl.c:47 [inline]
> > ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> > __do_sys_ioctl fs/ioctl.c:772 [inline]
> > __se_sys_ioctl fs/ioctl.c:770 [inline]
> > __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> > do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> > entry_SYSCALL_64_after_hwframe+0x49/0xb3
> >
> > Freed by task 9558:
> > save_stack+0x1b/0x40 mm/kasan/common.c:49
> > set_track mm/kasan/common.c:57 [inline]
> > kasan_set_free_info mm/kasan/common.c:317 [inline]
> > __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
> > __cache_free mm/slab.c:3426 [inline]
> > kfree+0x109/0x2b0 mm/slab.c:3757
> > drm_gem_object_free+0xf0/0x1f0 drivers/gpu/drm/drm_gem.c:983
> > kref_put include/linux/kref.h:65 [inline]
> > drm_gem_object_put_unlocked drivers/gpu/drm/drm_gem.c:1017 [inline]
> > drm_gem_object_put_unlocked+0x190/0x1c0 drivers/gpu/drm/drm_gem.c:1002
> > vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:116 [inline]
> > vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
> > vkms_dumb_create+0x14d/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
> > drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> > drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
> > drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
> > vfs_ioctl fs/ioctl.c:47 [inline]
> > ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
> > __do_sys_ioctl fs/ioctl.c:772 [inline]
> > __se_sys_ioctl fs/ioctl.c:770 [inline]
> > __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
> > do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
> > entry_SYSCALL_64_after_hwframe+0x49/0xb3
> >
> > The buggy address belongs to the object at ffff88809e537000
> > which belongs to the cache kmalloc-1k of size 1024
> > The buggy address is located 272 bytes inside of
> > 1024-byte region [ffff88809e537000, ffff88809e537400)
> > The buggy address belongs to the page:
> > page:ffffea0002794dc0 refcount:1 mapcount:0 mapping:00000000e8234a18 index:0x0
> > flags: 0xfffe0000000200(slab)
> > raw: 00fffe0000000200 ffffea00027a3608 ffffea0002749008 ffff8880aa000c40
> > raw: 0000000000000000 ffff88809e537000 0000000100000002 0000000000000000
> > page dumped because: kasan: bad access detected
> >
> > Memory state around the buggy address:
> > ffff88809e537000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ffff88809e537080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > >ffff88809e537100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ^
> > ffff88809e537180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ffff88809e537200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ==================================================================
>
> Nothing to do if we're allowed to do nothing in the error case.
>
I submitted the fix after getting a confirmation from syzbot
that the bad refcounting seemed to be causing this race.
Please see https://patchwork.kernel.org/patch/11514431/
Thanks,
Ezequiel
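The allocation, free and use stacks in the report above all run through the same task: the object is created in __vkms_gem_create, the handle is created, the creator's own drm_gem_object_put_unlocked() in vkms_gem_create (vkms_gem.c:116) turns out to be the last reference, and vkms_dumb_create then reads the object's size at vkms_gem.c:142. The following is an added example, not the vkms driver's code and not code from anyone in this thread. It models that lifetime with a toy refcounted object and a per-file handle table (all names such as toy_obj, w.handles, dumb_create_buggy and racer_close_handle are hypothetical), replays the racing GEM_CLOSE sequentially so the outcome is deterministic, and puts the buggy ordering beside one that holds the creator's reference until after the last read. The toy marks an object freed instead of releasing memory so the stale read can be observed rather than being undefined behaviour.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy stand-in for a GEM object (hypothetical name): a refcount plus the field the
 * dumb-create ioctl reports back. 'freed' is set by the last put, so a read after
 * that point is observable here without real undefined behaviour. */
struct toy_obj { int refcount; uint64_t size; bool freed; };
#define MAX_OBJS    8
#define MAX_HANDLES 4
static struct {
	struct toy_obj pool[MAX_OBJS];        /* static pool instead of kmalloc */
	size_t used;
	struct toy_obj *handles[MAX_HANDLES]; /* per-file handle table; each slot owns one ref */
} w;

static void world_reset(void) { memset(&w, 0, sizeof(w)); }

/* The creator holds the initial reference, as after kref_init(). */
static struct toy_obj *obj_create(uint64_t size)
{
	assert(w.used < MAX_OBJS);
	struct toy_obj *o = &w.pool[w.used++];
	*o = (struct toy_obj){ .refcount = 1, .size = size };
	return o;
}

/* kref_put() analogue: whoever drops the last reference "frees" the object. */
static void obj_put(struct toy_obj *o)
{
	assert(o->refcount > 0);
	if (--o->refcount == 0)
		o->freed = true;
}

/* drm_gem_handle_create() analogue: the handle table takes its own reference. */
static int handle_create(struct toy_obj *o)
{
	for (int h = 0; h < MAX_HANDLES; h++)
		if (!w.handles[h]) {
			o->refcount++;
			w.handles[h] = o;
			return h;
		}
	return -ENOSPC;
}

/* GEM_CLOSE analogue: drop the handle's reference and empty the slot. */
static int handle_close(int h)
{
	if (h < 0 || h >= MAX_HANDLES || !w.handles[h])
		return -EINVAL;
	obj_put(w.handles[h]);
	w.handles[h] = NULL;
	return 0;
}

struct create_result {
	int err, handle;   /* err: 0 or negative errno */
	uint64_t size;     /* value the ioctl would copy back to userspace */
	bool stale_read;   /* size was read after the object had been freed */
};

/* Stand-in for a second thread that closes the handle the moment it becomes
 * visible; the interleaving is replayed sequentially so it is deterministic. */
typedef void (*racer_fn)(int handle);
static void racer_close_handle(int handle) { handle_close(handle); }

/* Buggy ordering, the pattern in the report above: the creator drops its own
 * reference as soon as the handle exists and only then reads obj->size. A close
 * racing in that window makes the creator's put the last one, so the read hits freed memory. */
static struct create_result dumb_create_buggy(uint64_t size, racer_fn racer)
{
	struct create_result r = { .handle = -1 };
	struct toy_obj *o = obj_create(size);
	int h = handle_create(o);
	if (racer && h >= 0) racer(h);
	obj_put(o);                 /* may now be the last reference */
	if (h < 0) { r.err = h; return r; }
	r.stale_read = o->freed;    /* the load KASAN flags in vkms_dumb_create */
	r.size = o->size; r.handle = h;
	return r;
}

/* Fixed ordering: hold the creator's reference across every use of the object
 * and release it only after the last read. The same racing close now just
 * leaves the creator holding the final reference, which it drops safely. */
static struct create_result dumb_create_fixed(uint64_t size, racer_fn racer)
{
	struct create_result r = { .handle = -1 };
	struct toy_obj *o = obj_create(size);
	int h = handle_create(o);
	if (h < 0) { obj_put(o); r.err = h; return r; } /* error path: give back our ref */
	if (racer) racer(h);
	r.stale_read = o->freed;
	r.size = o->size; r.handle = h;
	obj_put(o);                 /* last use is behind us */
	return r;
}
```

Calling dumb_create_buggy() with racer_close_handle reproduces the shape of the report: the racer's close removes the handle's reference first, the creator's own put then frees the object (which is why "Freed by task 9558" is the same task that allocated it), and the size read that follows is stale. dumb_create_fixed() under the same racer returns a valid size and a clean refcount, and its error path still releases the creator's reference so a failed handle creation does not leak.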
end of thread
Thread overview: 13+ messages
2020-04-27 3:48 KASAN: use-after-free Read in vkms_dumb_create syzbot
2020-04-27 3:48 ` syzbot
2020-04-27 13:15 ` Hillf Danton
2020-04-28 18:27 ` Ezequiel Garcia
2020-04-28 18:27 ` Ezequiel Garcia
2020-04-27 13:17 ` Ezequiel Garcia
2020-04-27 13:17 ` Ezequiel Garcia
2020-04-27 13:17 ` syzbot
2020-04-27 13:17 ` syzbot
2020-04-27 14:26 ` Ezequiel Garcia
2020-04-27 14:26 ` Ezequiel Garcia
2020-04-27 15:02 ` syzbot
2020-04-27 15:02 ` syzbot