* BUG: unable to handle kernel paging request at ffffc90000669000, IP: [<ffffffff8139d84a>] bitfill_unaligned+0x10a/0x1a0
From: Tommi Rantala @ 2013-02-19 17:33 UTC (permalink / raw)
  To: David Airlie, dri-devel, Florian Tobias Schandinat, linux-fbdev
  Cc: Dave Jones, Sasha Levin, LKML

Hello,

Hit the following oops while fuzzing the kernel with Trinity in a qemu
virtual machine:

[ 2143.140647] BUG: unable to handle kernel paging request at ffffc90000669000
[ 2143.140652] IP: [<ffffffff8139d84a>] bitfill_unaligned+0x10a/0x1a0
[ 2143.140654] PGD 3e073067 PUD 3e074067 PMD 3ca84067 PTE 0
[ 2143.140656] Oops: 0002 [#1] SMP
[ 2143.140660] CPU 0
[ 2143.140660] Pid: 2894, comm: trinity-child0 Not tainted 3.8.0-rc7+ #86 Bochs Bochs
[ 2143.140662] RIP: 0010:[<ffffffff8139d84a>]  [<ffffffff8139d84a>] bitfill_unaligned+0x10a/0x1a0
[ 2143.140663] RSP: 0018:ffff88003a967888  EFLAGS: 00010246
[ 2143.140664] RAX: 0000000003fffe1f RBX: 0000000000000000 RCX: 0000000000000008
[ 2143.140664] RDX: 0000000003f87fff RSI: ffffc900002a9f08 RDI: 0000000000000000
[ 2143.140665] RBP: ffff88003a9678a8 R08: 0000000000000008 R09: 0000000000000010
[ 2143.140666] R10: ffffc90000668fe8 R11: 0000000000000000 R12: 00000000ffff8800
[ 2143.140666] R13: 00000000ffffffc0 R14: ffffffffffffffff R15: 0000000000000018
[ 2143.140668] FS:  00007f965fc5e700(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[ 2143.140668] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2143.140669] CR2: ffffc90000669000 CR3: 0000000039c50000 CR4: 00000000000006f0
[ 2143.140675] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2143.140678] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2143.140679] Process trinity-child0 (pid: 2894, threadinfo ffff88003a966000, task ffff88003b0c0000)
[ 2143.140679] Stack:
[ 2143.140682]  ffff88003ca8d800 0000000000000000 ffffc900002a9f00 0000000000000000
[ 2143.140683]  ffff88003a967938 ffffffff8139debf ffffffffffff8800 ffff880000000040
[ 2143.140685]  ffffffff8225f1a0 ffff000000000000 ffff88003a9678e8 ffffffff810f5aed
[ 2143.140685] Call Trace:
[ 2143.140688]  [<ffffffff8139debf>] sys_fillrect+0x34f/0x370
[ 2143.140692]  [<ffffffff810f5aed>] ? trace_hardirqs_on+0xd/0x10
[ 2143.140693]  [<ffffffff8139d740>] ? bitfill_aligned+0x120/0x120
[ 2143.140696]  [<ffffffff814bbcef>] cirrus_fillrect+0x1f/0x40
[ 2143.140697]  [<ffffffff8139aaba>] bit_clear_margins+0x12a/0x170
[ 2143.140701]  [<ffffffff81395641>] fbcon_clear_margins+0x71/0x80
[ 2143.140702]  [<ffffffff813998a9>] fbcon_switch+0x479/0x540
[ 2143.140705]  [<ffffffff814166c1>] redraw_screen+0x131/0x250
[ 2143.140707]  [<ffffffff81396c1c>] fbcon_modechanged+0x18c/0x210
[ 2143.140709]  [<ffffffff81397739>] fbcon_event_notify+0x1f9/0x850
[ 2143.140712]  [<ffffffff810c671d>] notifier_call_chain+0xbd/0xf0
[ 2143.140714]  [<ffffffff810c6c08>] __blocking_notifier_call_chain+0x98/0xc0
[ 2143.140716]  [<ffffffff810c6c41>] blocking_notifier_call_chain+0x11/0x20
[ 2143.140718]  [<ffffffff81389146>] fb_notifier_call_chain+0x16/0x20
[ 2143.140720]  [<ffffffff8138ae19>] fb_set_var+0x439/0x480
[ 2143.140721]  [<ffffffff8138b089>] do_fb_ioctl+0x189/0x5d0
[ 2143.140723]  [<ffffffff810f5bcd>] ? trace_hardirqs_off+0xd/0x10
[ 2143.140724]  [<ffffffff810d552a>] ? local_clock+0x4a/0x70
[ 2143.140726]  [<ffffffff810f1e98>] ? lock_release_holdtime+0x28/0x170
[ 2143.140728]  [<ffffffff8138b90a>] fb_ioctl+0x3a/0x40
[ 2143.140731]  [<ffffffff811b5ff2>] do_vfs_ioctl+0x532/0x580
[ 2143.140735]  [<ffffffff812fc7d3>] ? file_has_perm+0x83/0xa0
[ 2143.140737]  [<ffffffff811b609d>] sys_ioctl+0x5d/0xa0
[ 2143.140739]  [<ffffffff813571de>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 2143.140741]  [<ffffffff81ca06e9>] system_call_fastpath+0x16/0x1b
[ 2143.140758] Code: 89 7a 08 48 d3 e3 44 89 c9 48 d3 ef 44 89 c1 48 09 df 48 89 fb 49 89 7a 10 48 d3 e3 44 89 c9 48 d3 ef 44 89 c1 48 09 df 48 89 fb <49> 89 7a 18 49 83 c2 20 48 d3 e3 44 89 c9 48 d3 ef 48 09 df 83
[ 2143.140760] RIP  [<ffffffff8139d84a>] bitfill_unaligned+0x10a/0x1a0
[ 2143.140760]  RSP <ffff88003a967888>
[ 2143.140761] CR2: ffffc90000669000
[ 2143.146366] BUG: unable to handle kernel paging request at ffffc90000669000
[ 2143.146369] IP: [<ffffffff8139d84a>] bitfill_unaligned+0x10a/0x1a0
[ 2143.146371] PGD 3e073067 PUD 3e074067 PMD 3ca84067 PTE 0
[ 2143.146372] Oops: 0002 [#2] SMP
[ 2143.146375] CPU 0
[ 2143.146375] Pid: 2894, comm: trinity-child0 Not tainted 3.8.0-rc7+ #86 Bochs Bochs
[ 2143.146377] RIP: 0010:[<ffffffff8139d84a>]  [<ffffffff8139d84a>] bitfill_unaligned+0x10a/0x1a0
[ 2143.146378] RSP: 0018:ffff88003a967218  EFLAGS: 00010246
[ 2143.146378] RAX: 0000000003fffe1f RBX: 0000000000000000 RCX: 0000000000000008
[ 2143.146379] RDX: 0000000003f87fff RSI: ffffc900002a9f08 RDI: 0000000000000000
[ 2143.146380] RBP: ffff88003a967238 R08: 0000000000000008 R09: 0000000000000010
[ 2143.146380] R10: ffffc90000668fe8 R11: 0000000000000000 R12: 00000000ffff8800
[ 2143.146381] R13: 00000000ffffffc0 R14: ffffffffffffffff R15: 0000000000000018
[ 2143.146382] FS:  00007f965fc5e700(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[ 2143.146383] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2143.146383] CR2: ffffc90000669000 CR3: 0000000039c50000 CR4: 00000000000006f0
[ 2143.146388] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2143.146391] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2143.146391] Process trinity-child0 (pid: 2894, threadinfo ffff88003a966000, task ffff88003b0c0000)
[ 2143.146392] Stack:
[ 2143.146394]  ffff88003ca8d800 0000000000000000 ffffc900002a9f00 0000000000000000
[ 2143.146395]  ffff88003a9672c8 ffffffff8139debf ffffffffffff8800 ffff880000000040
[ 2143.146397]  ffffffff8225f1a0 ffff000000000000 ffff88003a967278 ffffffff810f5aed
[ 2143.146397] Call Trace:
[ 2143.146399]  [<ffffffff8139debf>] sys_fillrect+0x34f/0x370
[ 2143.146402]  [<ffffffff810f5aed>] ? trace_hardirqs_on+0xd/0x10
[ 2143.146403]  [<ffffffff8139d740>] ? bitfill_aligned+0x120/0x120
[ 2143.146405]  [<ffffffff814bbcef>] cirrus_fillrect+0x1f/0x40
[ 2143.146406]  [<ffffffff8139aaba>] bit_clear_margins+0x12a/0x170
[ 2143.146408]  [<ffffffff81395641>] fbcon_clear_margins+0x71/0x80
[ 2143.146410]  [<ffffffff813998a9>] fbcon_switch+0x479/0x540
[ 2143.146412]  [<ffffffff814166c1>] redraw_screen+0x131/0x250
[ 2143.146414]  [<ffffffff81397f9a>] fbcon_blank+0x20a/0x2d0
[ 2143.146417]  [<ffffffff81c9effc>] ? _raw_spin_lock_irqsave+0x7c/0x90
[ 2143.146420]  [<ffffffff810a8ee3>] ? lock_timer_base.isra.25+0x33/0x70
[ 2143.146422]  [<ffffffff810f5b18>] ? trace_hardirqs_off_caller+0x28/0xd0
[ 2143.146423]  [<ffffffff810f5bcd>] ? trace_hardirqs_off+0xd/0x10
[ 2143.146425]  [<ffffffff81c9f174>] ? _raw_spin_unlock_irqrestore+0x44/0x70
[ 2143.146427]  [<ffffffff810aa17b>] ? mod_timer+0x1ab/0x200
[ 2143.146429]  [<ffffffff814180f8>] do_unblank_screen+0xf8/0x1d0
[ 2143.146430]  [<ffffffff814181db>] unblank_screen+0xb/0x10
[ 2143.146432]  [<ffffffff81358239>] bust_spinlocks+0x19/0x30
[ 2143.146435]  [<ffffffff8105cde2>] oops_end+0x42/0xe0
[ 2143.146438]  [<ffffffff81c89d82>] no_context+0x253/0x27e
[ 2143.146439]  [<ffffffff81c89f73>] __bad_area_nosemaphore+0x1c6/0x1e5
[ 2143.146442]  [<ffffffff81091681>] ? kmemcheck_pte_lookup+0x11/0x40
[ 2143.146444]  [<ffffffff81c89fa0>] bad_area_nosemaphore+0xe/0x10
[ 2143.146445]  [<ffffffff8108a35e>] __do_page_fault+0x43e/0x4d0
[ 2143.146447]  [<ffffffff810f58d3>] ? mark_held_locks+0x123/0x140
[ 2143.146449]  [<ffffffff81c9fdb3>] ? retint_restore_args+0x13/0x13
[ 2143.146451]  [<ffffffff810f58d3>] ? mark_held_locks+0x123/0x140
[ 2143.146452]  [<ffffffff8135721d>] ? trace_hardirqs_off_thunk+0x3a/0x3c
[ 2143.146454]  [<ffffffff8108a419>] do_page_fault+0x9/0x10
[ 2143.146456]  [<ffffffff8108492c>] do_async_page_fault+0x4c/0xa0
[ 2143.146458]  [<ffffffff81ca00b8>] async_page_fault+0x28/0x30
[ 2143.146459]  [<ffffffff8139d84a>] ? bitfill_unaligned+0x10a/0x1a0
[ 2143.146460]  [<ffffffff8139debf>] sys_fillrect+0x34f/0x370
[ 2143.146462]  [<ffffffff810f5aed>] ? trace_hardirqs_on+0xd/0x10
[ 2143.146464]  [<ffffffff8139d740>] ? bitfill_aligned+0x120/0x120
[ 2143.146465]  [<ffffffff814bbcef>] cirrus_fillrect+0x1f/0x40
[ 2143.146466]  [<ffffffff8139aaba>] bit_clear_margins+0x12a/0x170
[ 2143.146468]  [<ffffffff81395641>] fbcon_clear_margins+0x71/0x80
[ 2143.146470]  [<ffffffff813998a9>] fbcon_switch+0x479/0x540
[ 2143.146472]  [<ffffffff814166c1>] redraw_screen+0x131/0x250
[ 2143.146473]  [<ffffffff81396c1c>] fbcon_modechanged+0x18c/0x210
[ 2143.146475]  [<ffffffff81397739>] fbcon_event_notify+0x1f9/0x850
[ 2143.146477]  [<ffffffff810c671d>] notifier_call_chain+0xbd/0xf0
[ 2143.146479]  [<ffffffff810c6c08>] __blocking_notifier_call_chain+0x98/0xc0
[ 2143.146481]  [<ffffffff810c6c41>] blocking_notifier_call_chain+0x11/0x20
[ 2143.146483]  [<ffffffff81389146>] fb_notifier_call_chain+0x16/0x20
[ 2143.146484]  [<ffffffff8138ae19>] fb_set_var+0x439/0x480
[ 2143.146486]  [<ffffffff8138b089>] do_fb_ioctl+0x189/0x5d0
[ 2143.146487]  [<ffffffff810f5bcd>] ? trace_hardirqs_off+0xd/0x10
[ 2143.146488]  [<ffffffff810d552a>] ? local_clock+0x4a/0x70
[ 2143.146490]  [<ffffffff810f1e98>] ? lock_release_holdtime+0x28/0x170
[ 2143.146492]  [<ffffffff8138b90a>] fb_ioctl+0x3a/0x40
[ 2143.146494]  [<ffffffff811b5ff2>] do_vfs_ioctl+0x532/0x580
[ 2143.146496]  [<ffffffff812fc7d3>] ? file_has_perm+0x83/0xa0
[ 2143.146498]  [<ffffffff811b609d>] sys_ioctl+0x5d/0xa0
[ 2143.146499]  [<ffffffff813571de>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 2143.146501]  [<ffffffff81ca06e9>] system_call_fastpath+0x16/0x1b
[ 2143.146518] Code: 89 7a 08 48 d3 e3 44 89 c9 48 d3 ef 44 89 c1 48 09 df 48 89 fb 49 89 7a 10 48 d3 e3 44 89 c9 48 d3 ef 44 89 c1 48 09 df 48 89 fb <49> 89 7a 18 49 83 c2 20 48 d3 e3 44 89 c9 48 d3 ef 48 09 df 83
[ 2143.146519] RIP  [<ffffffff8139d84a>] bitfill_unaligned+0x10a/0x1a0
[ 2143.146520]  RSP <ffff88003a967218>
[ 2143.146520] CR2: ffffc90000669000
[ 2143.146522] ---[ end trace bc6146191d8a6170 ]---

Tommi

* BUG: unable to handle kernel paging request in sys_imageblit
From: syzbot @ 2019-12-10 16:38 UTC (permalink / raw)
  To: b.zolnierkie, dri-devel, linux-fbdev, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    6794862a Merge tag 'for-5.5-rc1-kconfig-tag' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1574aaeae00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=79f79de2a27d3e3d
dashboard link: https://syzkaller.appspot.com/bug?extid=33f89a9a6b6acd893b11
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+33f89a9a6b6acd893b11@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: fffff5200124c3fc
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 7ffcd067 P4D 7ffcd067 PUD 2cd1c067 PMD 299b2067 PTE 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 2 PID: 9109 Comm: syz-executor.2 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x61c/0x1240 drivers/video/fbdev/core/sysimgblt.c:275
Code: 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 57 0b 00 00 48 b9 00 00 00 00 00 fc ff df 4c 89 fa 8b 45 b0 23 07 4d 8d 77 04 48 c1 ea 03 <0f> b6 0c 0a 4c 89 fa 83 e2 07 33 45 c4 83 c2 03 38 ca 7c 08 84 c9
RSP: 0018:ffffc900042c7168 EFLAGS: 00010a06
RAX: 0000000000000000 RBX: ffff888076970800 RCX: dffffc0000000000
RDX: 1ffff9200124c3fc RSI: ffffffff83b4fada RDI: ffffffff887498e0
RBP: ffffc900042c7230 R08: ffff88805d278e40 R09: 000000000000007f
R10: fffffbfff14f3347 R11: ffffffff8a799a3b R12: 0000000000000007
R13: 0000000000000007 R14: ffffc90009261fe4 R15: ffffc90009261fe0
FS:  00007f0af02fc700(0000) GS:ffff88802d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff5200124c3fc CR3: 00000000278c2000 CR4: 0000000000340ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  drm_fb_helper_sys_imageblit+0x21/0x180 drivers/gpu/drm/drm_fb_helper.c:768
  bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
  bit_putcs+0x9a3/0xf10 drivers/video/fbdev/core/bitblit.c:188
  fbcon_putcs+0x33c/0x3e0 drivers/video/fbdev/core/fbcon.c:1353
  do_update_region+0x42b/0x6f0 drivers/tty/vt/vt.c:677
  invert_screen+0x2da/0x650 drivers/tty/vt/vt.c:794
  highlight drivers/tty/vt/selection.c:53 [inline]
  clear_selection drivers/tty/vt/selection.c:81 [inline]
  clear_selection+0x59/0x70 drivers/tty/vt/selection.c:77
  vc_do_resize+0x1163/0x1460 drivers/tty/vt/vt.c:1200
  vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1304
  fbcon_do_set_font+0x4a6/0x960 drivers/video/fbdev/core/fbcon.c:2599
  fbcon_set_font+0x72e/0x860 drivers/video/fbdev/core/fbcon.c:2696
  con_font_set drivers/tty/vt/vt.c:4538 [inline]
  con_font_op+0xe30/0x1270 drivers/tty/vt/vt.c:4603
  vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913
  tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
  vfs_ioctl fs/ioctl.c:47 [inline]
  file_ioctl fs/ioctl.c:545 [inline]
  do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
  ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
  __do_sys_ioctl fs/ioctl.c:756 [inline]
  __se_sys_ioctl fs/ioctl.c:754 [inline]
  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a7c9
Code: bd b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f0af02fbc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000072bf00 RCX: 000000000045a7c9
RDX: 0000000020000000 RSI: 0000000000004b61 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0af02fc6d4
R13: 00000000004ab60f R14: 00000000006ede60 R15: 00000000ffffffff
Modules linked in:
CR2: fffff5200124c3fc
---[ end trace 7698227ca2d5f789 ]---
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x61c/0x1240 drivers/video/fbdev/core/sysimgblt.c:275
Code: 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 57 0b 00 00 48 b9 00 00 00 00 00 fc ff df 4c 89 fa 8b 45 b0 23 07 4d 8d 77 04 48 c1 ea 03 <0f> b6 0c 0a 4c 89 fa 83 e2 07 33 45 c4 83 c2 03 38 ca 7c 08 84 c9
RSP: 0018:ffffc900042c7168 EFLAGS: 00010a06
RAX: 0000000000000000 RBX: ffff888076970800 RCX: dffffc0000000000
RDX: 1ffff9200124c3fc RSI: ffffffff83b4fada RDI: ffffffff887498e0
RBP: ffffc900042c7230 R08: ffff88805d278e40 R09: 000000000000007f
R10: fffffbfff14f3347 R11: ffffffff8a799a3b R12: 0000000000000007
R13: 0000000000000007 R14: ffffc90009261fe4 R15: ffffc90009261fe0
FS:  00007f0af02fc700(0000) GS:ffff88802d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff5200124c3fc CR3: 00000000278c2000 CR4: 0000000000340ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

* BUG: unable to handle kernel paging request in vga16fb_imageblit
From: syzbot @ 2019-12-27  7:13 UTC (permalink / raw)
  To: b.zolnierkie, dri-devel, linux-fbdev, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    46cf053e Linux 5.5-rc3
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e35351e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ed9d672709340e35
dashboard link: https://syzkaller.appspot.com/bug?extid=83449358d6355b0b9728
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+83449358d6355b0b9728@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffff8880ffff7900
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD c201067 P4D c201067 PUD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 31197 Comm: syz-executor.4 Not tainted 5.5.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1168 [inline]
RIP: 0010:vga16fb_imageblit+0xa52/0x2200 drivers/video/fbdev/vga16fb.c:1260
Code: df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 16 9f f9 fd 41 8b 45 14 48 8b 4d c8 <88> 01 0f ae e8 8a 01 b8 05 00 00 00 ba ce 03 00 00 ee 48 c7 c2 d8
RSP: 0018:ffffc90004e57450 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000007 RCX: ffff8880ffff7900
RDX: 0000000000000000 RSI: ffffffff83b944b6 RDI: ffffc90004e5760c
RBP: ffffc90004e574e8 R08: ffff88804b708240 R09: 0000000000000000
R10: ffffed10432d371b R11: ffff88821969b8df R12: ffffc90004e575fc
R13: ffffc90004e575f8 R14: ffff8880a3f140c0 R15: 0000000000000001
FS:  00007f4674e1a700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880ffff7900 CR3: 000000004de7b000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
  bit_putcs+0x9a3/0xf10 drivers/video/fbdev/core/bitblit.c:188
  fbcon_putcs+0x33c/0x3e0 drivers/video/fbdev/core/fbcon.c:1353
  fbcon_redraw_move.isra.0+0x258/0x2a0 drivers/video/fbdev/core/fbcon.c:1733
  ypan_down_redraw drivers/video/fbdev/core/fbcon.c:1598 [inline]
  fbcon_scroll+0x2e07/0x35b0 drivers/video/fbdev/core/fbcon.c:2048
  con_scroll+0x3fd/0x650 drivers/tty/vt/vt.c:631
  csi_L drivers/tty/vt/vt.c:1974 [inline]
  do_con_trol+0x5317/0x61b0 drivers/tty/vt/vt.c:2373
  do_con_write.part.0+0xfd9/0x1ef0 drivers/tty/vt/vt.c:2797
  do_con_write drivers/tty/vt/vt.c:2565 [inline]
  con_write+0x46/0xd0 drivers/tty/vt/vt.c:3135
  process_output_block drivers/tty/n_tty.c:595 [inline]
  n_tty_write+0x40e/0x1080 drivers/tty/n_tty.c:2333
  do_tty_write drivers/tty/tty_io.c:962 [inline]
  tty_write+0x496/0x7f0 drivers/tty/tty_io.c:1046
  __vfs_write+0x8a/0x110 fs/read_write.c:494
  vfs_write+0x268/0x5d0 fs/read_write.c:558
  ksys_write+0x14f/0x290 fs/read_write.c:611
  __do_sys_write fs/read_write.c:623 [inline]
  __se_sys_write fs/read_write.c:620 [inline]
  __x64_sys_write+0x73/0xb0 fs/read_write.c:620
  do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a919
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4674e19c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919
RDX: 00000000000002c1 RSI: 0000000020000880 RDI: 0000000000000009
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4674e1a6d4
R13: 00000000004cbd7a R14: 00000000004e5b48 R15: 00000000ffffffff
Modules linked in:
CR2: ffff8880ffff7900
---[ end trace 80930dfe0366796b ]---
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1168 [inline]
RIP: 0010:vga16fb_imageblit+0xa52/0x2200 drivers/video/fbdev/vga16fb.c:1260
Code: df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 16 9f f9 fd 41 8b 45 14 48 8b 4d c8 <88> 01 0f ae e8 8a 01 b8 05 00 00 00 ba ce 03 00 00 ee 48 c7 c2 d8
RSP: 0018:ffffc90004e57450 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000007 RCX: ffff8880ffff7900
RDX: 0000000000000000 RSI: ffffffff83b944b6 RDI: ffffc90004e5760c
RBP: ffffc90004e574e8 R08: ffff88804b708240 R09: 0000000000000000
R10: ffffed10432d371b R11: ffff88821969b8df R12: ffffc90004e575fc
R13: ffffc90004e575f8 R14: ffff8880a3f140c0 R15: 0000000000000001
FS:  00007f4674e1a700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880ffff7900 CR3: 000000004de7b000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

* BUG: unable to handle kernel paging request in vga16fb_imageblit (2)
From: syzbot @ 2020-05-08  7:07 UTC (permalink / raw)
  To: b.zolnierkie, daniel.vetter, dri-devel, jani.nikula, linux-fbdev, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    262f7a6b Merge tag 'for-5.7-rc3-tag' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12786888100000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5b075813ec8b93cd
dashboard link: https://syzkaller.appspot.com/bug?extid=1f29e126cf461c4de3b3
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1f29e126cf461c4de3b3@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffff8880ffca0e80
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD d401067 P4D d401067 PUD 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 710 Comm: syz-executor.5 Not tainted 5.7.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1168 [inline]
RIP: 0010:vga16fb_imageblit+0xa5b/0x2210 drivers/video/fbdev/vga16fb.c:1260
Code: 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 ee 59 ed fd 41 8b 47 14 48 8b 74 24 08 <88> 06 0f ae e8 8a 06 b8 05 00 00 00 ba ce 03 00 00 ee 48 c7 c2 18
RSP: 0000:ffffc90002ea71f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000007 RCX: ffffc90014391000
RDX: 0000000000000000 RSI: ffff8880ffca0e80 RDI: ffffc90002ea739c
RBP: ffffc90002ea738c R08: ffff8880922ac200 R09: 0000000000000000
R10: ffffffff8a895007 R11: fffffbfff1512a00 R12: 0000000000000000
R13: ffff888218de5140 R14: 0000000000000001 R15: ffffc90002ea7388
FS:  00007fbeeb282700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880ffca0e80 CR3: 000000008e9c5000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x910/0xe10 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x345/0x3f0 drivers/video/fbdev/core/fbcon.c:1362
 con_flush drivers/tty/vt/vt.c:2569 [inline]
 do_con_write.part.0+0x7d1/0x1dc0 drivers/tty/vt/vt.c:2772
 do_con_write drivers/tty/vt/vt.c:2588 [inline]
 con_write+0x41/0xe0 drivers/tty/vt/vt.c:3154
 process_output_block drivers/tty/n_tty.c:595 [inline]
 n_tty_write+0x3f0/0xf90 drivers/tty/n_tty.c:2333
 do_tty_write drivers/tty/tty_io.c:962 [inline]
 tty_write+0x495/0x800 drivers/tty/tty_io.c:1046
 __vfs_write+0x76/0x100 fs/read_write.c:495
 __kernel_write+0x11c/0x3a0 fs/read_write.c:516
 write_pipe_buf+0x153/0x1e0 fs/splice.c:809
 splice_from_pipe_feed fs/splice.c:512 [inline]
 __splice_from_pipe+0x3e6/0x7b0 fs/splice.c:636
 splice_from_pipe+0xd9/0x140 fs/splice.c:671
 default_file_splice_write+0x37/0x90 fs/splice.c:821
 do_splice_from fs/splice.c:863 [inline]
 direct_splice_actor+0x115/0x160 fs/splice.c:1037
 splice_direct_to_actor+0x38c/0x980 fs/splice.c:992
 do_splice_direct+0x1b4/0x280 fs/splice.c:1080
 do_sendfile+0x555/0xc50 fs/read_write.c:1521
 __do_sys_sendfile64 fs/read_write.c:1582 [inline]
 __se_sys_sendfile64 fs/read_write.c:1568 [inline]
 __x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1568
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45c829
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fbeeb281c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00000000004fc0c0 RCX: 000000000045c829
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0800000080004103 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000008d6 R14: 00000000004cb7a1 R15: 00007fbeeb2826d4
Modules linked in:
CR2: ffff8880ffca0e80
---[ end trace 5bb103c4fc7bf525 ]---
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1168 [inline]
RIP: 0010:vga16fb_imageblit+0xa5b/0x2210 drivers/video/fbdev/vga16fb.c:1260
Code: 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 ee 59 ed fd 41 8b 47 14 48 8b 74 24 08 <88> 06 0f ae e8 8a 06 b8 05 00 00 00 ba ce 03 00 00 ee 48 c7 c2 18
RSP: 0000:ffffc90002ea71f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000007 RCX: ffffc90014391000
RDX: 0000000000000000 RSI: ffff8880ffca0e80 RDI: ffffc90002ea739c
RBP: ffffc90002ea738c R08: ffff8880922ac200 R09: 0000000000000000
R10: ffffffff8a895007 R11: fffffbfff1512a00 R12: 0000000000000000
R13: ffff888218de5140 R14: 0000000000000001 R15: ffffc90002ea7388
FS:  00007fbeeb282700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880ffca0e80 CR3: 000000008e9c5000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

* BUG: unable to handle kernel paging request in bitfill_aligned
From: syzbot @ 2020-05-12  6:55 UTC (permalink / raw)
  To: b.zolnierkie, dri-devel, linux-fbdev, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    1d3962ae Merge tag 'io_uring-5.7-2020-05-08' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14874258100000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b0212dbee046bc1f
dashboard link: https://syzkaller.appspot.com/bug?extid=00ed1cf405874e141432
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+00ed1cf405874e141432@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffff888000cf5080
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD d401067 P4D d401067 PUD d402067 PMD cf4063 PTE 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 30473 Comm: syz-executor.4 Not tainted 5.7.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__writeq arch/x86/include/asm/io.h:98 [inline]
RIP: 0010:bitfill_aligned drivers/video/fbdev/core/cfbfillrect.c:64 [inline]
RIP: 0010:bitfill_aligned+0xfc/0x200 drivers/video/fbdev/core/cfbfillrect.c:35
Code: fd 44 89 e0 31 d2 bf 07 00 00 00 f7 f5 41 89 c4 89 c6 89 c5 e8 c5 ab b3 fd 41 83 fc 07 76 62 45 89 e7 4c 89 ed e8 44 aa b3 fd <48> 89 5d 00 48 89 5d 08 48 89 5d 10 48 89 5d 18 48 89 5d 20 48 89
RSP: 0018:ffffc90001c474e0 EFLAGS: 00010246
RAX: 0000000000040000 RBX: 0000000000000000 RCX: ffffc90012324000
RDX: 0000000000040000 RSI: ffffffff83bf846c RDI: 0000000000000005
RBP: ffff888000cf5080 R08: ffff888056a6a340 R09: 0000000000000040
R10: ffff888218d3331f R11: ffffed10431a6663 R12: 0000000000000030
R13: ffff888000cf5080 R14: 0000000000000000 R15: 0000000000000030
FS:  00007fe0d9986700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888000cf5080 CR3: 000000008ea77000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 cfb_fillrect+0x418/0x7a0 drivers/video/fbdev/core/cfbfillrect.c:327
 vga16fb_fillrect+0x68f/0x1960 drivers/video/fbdev/vga16fb.c:951
 bit_clear_margins+0x2d5/0x4a0 drivers/video/fbdev/core/bitblit.c:232
 fbcon_clear_margins+0x1de/0x240 drivers/video/fbdev/core/fbcon.c:1381
 fbcon_switch+0xcde/0x16f0 drivers/video/fbdev/core/fbcon.c:2363
 redraw_screen+0x2ae/0x770 drivers/tty/vt/vt.c:1015
 fbcon_modechanged+0x581/0x720 drivers/video/fbdev/core/fbcon.c:3000
 fbcon_update_vcs+0x3a/0x50 drivers/video/fbdev/core/fbcon.c:3047
 fb_set_var+0xad0/0xd40 drivers/video/fbdev/core/fbmem.c:1056
 do_fb_ioctl+0x390/0x6e0 drivers/video/fbdev/core/fbmem.c:1109
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:771
 __do_sys_ioctl fs/ioctl.c:780 [inline]
 __se_sys_ioctl fs/ioctl.c:778 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:778
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45c829
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fe0d9985c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004e4860 RCX: 000000000045c829
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000002f2 R14: 00000000004c54c8 R15: 00007fe0d99866d4
Modules linked in:
CR2: ffff888000cf5080

======================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

* BUG: unable to handle kernel paging request in cfb_imageblit
  2013-02-19 17:33 ` BUG: unable to handle kernel paging request at ffffc90000669000, IP: [<ffffffff8139d84a>] bitfill_un Tommi Rantala
@ 2020-10-06  8:18 ` syzbot
From: syzbot @ 2020-10-06  8:18 UTC (permalink / raw)
  To: b.zolnierkie, dri-devel, linux-fbdev, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    22fbc037 Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=133731eb900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4e672827d2ffab1f
dashboard link: https://syzkaller.appspot.com/bug?extid=dfd0b1c6705301cc4847
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11ba9a5d900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17cfd4af900000

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1536a750500000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1736a750500000
console output: https://syzkaller.appspot.com/x/log.txt?x=1336a750500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dfd0b1c6705301cc4847@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffff888001000018
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD c801067 P4D c801067 PUD c802067 PMD 80000000010001e1 
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8241 Comm: syz-executor265 Not tainted 5.9.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__writel arch/x86/include/asm/io.h:71 [inline]
RIP: 0010:slow_imageblit drivers/video/fbdev/core/cfbimgblt.c:178 [inline]
RIP: 0010:cfb_imageblit+0xb15/0x11e0 drivers/video/fbdev/core/cfbimgblt.c:302
Code: 89 e6 89 e9 41 d3 e6 41 09 de 89 ef 8b 5c 24 28 89 de e8 0e db 81 fd 39 dd 73 0a e8 65 d9 81 fd eb 42 0f 1f 00 48 8b 44 24 30 <44> 89 30 48 83 c0 04 48 89 44 24 30 89 ef 89 de e8 e6 da 81 fd 39
RSP: 0018:ffffc9000a037558 EFLAGS: 00010246
RAX: ffff888001000018 RBX: 000000000000001c RCX: 000000000000001c
RDX: ffff8880a79880c0 RSI: 000000000000001c RDI: 000000000000001c
RBP: 000000000000001c R08: ffffffff83f32412 R09: ffffffff83f31b7c
R10: 0000000000000002 R11: ffff8880a79880c0 R12: 0000000000000000
R13: ffff888218a81f72 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f8534532700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000018 CR3: 00000000a80b4000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 soft_cursor+0xb44/0xdb0 drivers/video/fbdev/core/softcursor.c:74
 bit_cursor+0x1753/0x2110 drivers/video/fbdev/core/bitblit.c:377
 set_cursor drivers/tty/vt/vt.c:919 [inline]
 con_flush_chars+0x4e1/0x640 drivers/tty/vt/vt.c:3330
 con_write+0x2a/0x40 drivers/tty/vt/vt.c:3251
 do_output_char+0x63b/0x940 drivers/tty/n_tty.c:447
 __process_echoes+0x2a3/0x930 drivers/tty/n_tty.c:739
 flush_echoes drivers/tty/n_tty.c:829 [inline]
 __receive_buf drivers/tty/n_tty.c:1648 [inline]
 n_tty_receive_buf_common+0x29fa/0x3100 drivers/tty/n_tty.c:1742
 paste_selection+0x32c/0x450 drivers/tty/vt/selection.c:408
 vt_ioctl+0x105a/0x3d70 drivers/tty/vt/vt_ioctl.c:862
 tty_ioctl+0xee4/0x15c0 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x449809
Code: e8 8c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8534531db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dec68 RCX: 0000000000449809
RDX: 0000000020000080 RSI: 000000000000541c RDI: 0000000000000007
RBP: 00000000006dec60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dec6c
R13: 00007ffe8074321f R14: 00007f85345329c0 R15: 0000000000000064
Modules linked in:
CR2: ffff888001000018
---[ end trace 4ec628432d38a26a ]---
RIP: 0010:__writel arch/x86/include/asm/io.h:71 [inline]
RIP: 0010:slow_imageblit drivers/video/fbdev/core/cfbimgblt.c:178 [inline]
RIP: 0010:cfb_imageblit+0xb15/0x11e0 drivers/video/fbdev/core/cfbimgblt.c:302
Code: 89 e6 89 e9 41 d3 e6 41 09 de 89 ef 8b 5c 24 28 89 de e8 0e db 81 fd 39 dd 73 0a e8 65 d9 81 fd eb 42 0f 1f 00 48 8b 44 24 30 <44> 89 30 48 83 c0 04 48 89 44 24 30 89 ef 89 de e8 e6 da 81 fd 39
RSP: 0018:ffffc9000a037558 EFLAGS: 00010246
RAX: ffff888001000018 RBX: 000000000000001c RCX: 000000000000001c
RDX: ffff8880a79880c0 RSI: 000000000000001c RDI: 000000000000001c
RBP: 000000000000001c R08: ffffffff83f32412 R09: ffffffff83f31b7c
R10: 0000000000000002 R11: ffff8880a79880c0 R12: 0000000000000000
R13: ffff888218a81f72 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f8534532700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000018 CR3: 00000000a80b4000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
