Linux-fbdev Archive on lore.kernel.org
* BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
From: syzbot @ 2020-11-16  8:36 UTC
  To: b.zolnierkie, daniel.vetter, dri-devel, george.kennedy, gregkh,
	jirislaby, linux-fbdev, linux-kernel, natechancellor,
	syzkaller-bugs, yepeilin.cs

Hello,

syzbot found the following issue on:

HEAD commit:    6dd65e60 Add linux-next specific files for 20201110
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1276af62500000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4fab43daf5c54712
dashboard link: https://syzkaller.appspot.com/bug?extid=b67aaae8d3a927f68d20
compiler:       gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 4e683067 P4D 4e683067 PUD 14850067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9433 Comm: syz-executor.5 Not tainted 5.10.0-rc3-next-20201110-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000bca7858 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffff888144509000 RDI: ffff888010079000
RBP: ffff888010079000 R08: 0000000000000000 R09: ffffffff8cecc387
R10: 0000000000000003 R11: 0000000000000000 R12: ffff888144509000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  00007f5822bee700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000004e973000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 fbcon_cursor+0x50e/0x620 drivers/video/fbdev/core/fbcon.c:1346
 hide_cursor+0x85/0x280 drivers/tty/vt/vt.c:907
 redraw_screen+0x5ed/0x790 drivers/tty/vt/vt.c:1012
 vc_do_resize+0xed3/0x1150 drivers/tty/vt/vt.c:1326
 fbcon_set_disp+0x831/0xda0 drivers/video/fbdev/core/fbcon.c:1413
 con2fb_init_display drivers/video/fbdev/core/fbcon.c:816 [inline]
 set_con2fb_map+0x7a6/0xf80 drivers/video/fbdev/core/fbcon.c:887
 fbcon_set_con2fb_map_ioctl+0x165/0x220 drivers/video/fbdev/core/fbcon.c:3072
 do_fb_ioctl+0x5b6/0x690 drivers/video/fbdev/core/fbmem.c:1156
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45deb9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5822bedc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000000e2c0 RCX: 000000000045deb9
RDX: 00000000200000c0 RSI: 0000000000004610 RDI: 0000000000000006
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffe024fb66f R14: 00007f5822bee9c0 R15: 000000000118bf2c
Modules linked in:
CR2: 0000000000000000
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 4e683067 P4D 4e683067 PUD 14850067 PMD 0 
Oops: 0010 [#2] PREEMPT SMP KASAN
CPU: 0 PID: 9433 Comm: syz-executor.5 Not tainted 5.10.0-rc3-next-20201110-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000bca7278 EFLAGS: 00010086
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000002 RSI: ffff888144509000 RDI: ffff888010079000
RBP: ffff888010079000 R08: 0000000000000000 R09: ffffffff8cecc387
R10: 0000000000000003 R11: 0000000000000001 R12: ffff888144509000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  00007f5822bee700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000004e973000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 fbcon_cursor+0x50e/0x620 drivers/video/fbdev/core/fbcon.c:1346
 hide_cursor+0x85/0x280 drivers/tty/vt/vt.c:907
 redraw_screen+0x5ed/0x790 drivers/tty/vt/vt.c:1012
 fbcon_blank+0x8c5/0xc30 drivers/video/fbdev/core/fbcon.c:2248
 do_unblank_screen+0x25b/0x470 drivers/tty/vt/vt.c:4406
 bust_spinlocks+0x5b/0xe0 lib/bust_spinlocks.c:26
 oops_end+0x2b/0xe0 arch/x86/kernel/dumpstack.c:346
 no_context+0x5f2/0xa20 arch/x86/mm/fault.c:752
 __bad_area_nosemaphore+0xa9/0x400 arch/x86/mm/fault.c:840
 do_user_addr_fault+0x7d7/0xba0 arch/x86/mm/fault.c:1340
 handle_page_fault arch/x86/mm/fault.c:1434 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1490
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:580
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000bca7858 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffff888144509000 RDI: ffff888010079000
RBP: ffff888010079000 R08: 0000000000000000 R09: ffffffff8cecc387
R10: 0000000000000003 R11: 0000000000000000 R12: ffff888144509000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
Modules linked in:
CR2: 0000000000000000
---[ end trace 8931af4863156cb4 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000bca7858 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffff888144509000 RDI: ffff888010079000
RBP: ffff888010079000 R08: 0000000000000000 R09: ffffffff8cecc387
R10: 0000000000000003 R11: 0000000000000000 R12: ffff888144509000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  00007f5822bee700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000004e973000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.


* Re: BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
From: syzbot @ 2021-01-17  8:53 UTC
  To: b.zolnierkie, daniel.vetter, dri-devel, george.kennedy, gregkh,
	jirislaby, linux-fbdev, linux-kernel, natechancellor, sam,
	syzkaller-bugs, yepeilin.cs

syzbot has found a reproducer for the following issue on:

HEAD commit:    b3a3cbde Add linux-next specific files for 20210115
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=164096d7500000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6ea08dae6aab586f
dashboard link: https://syzkaller.appspot.com/bug?extid=b67aaae8d3a927f68d20
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15cd8fe0d00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17af5258d00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 12267067 P4D 12267067 PUD 11841067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8463 Comm: syz-executor088 Not tainted 5.11.0-rc3-next-20210115-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000132f850 EFLAGS: 00010292
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000002 RSI: ffff88814394b000 RDI: ffff888010071000
RBP: ffff888010071000 R08: 0000000000000000 R09: ffffffff83ed87ea
R10: 0000000000000003 R11: 0000000000000018 R12: ffff88814394b000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  0000000000db8880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000020cd8000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 fbcon_cursor+0x50e/0x620 drivers/video/fbdev/core/fbcon.c:1336
 hide_cursor+0x85/0x280 drivers/tty/vt/vt.c:907
 redraw_screen+0x5b4/0x740 drivers/tty/vt/vt.c:1012
 vc_do_resize+0xed8/0x1150 drivers/tty/vt/vt.c:1325
 fbcon_set_disp+0x7a8/0xe10 drivers/video/fbdev/core/fbcon.c:1402
 con2fb_init_display drivers/video/fbdev/core/fbcon.c:808 [inline]
 set_con2fb_map+0x7a6/0xf80 drivers/video/fbdev/core/fbcon.c:879
 fbcon_set_con2fb_map_ioctl+0x165/0x220 drivers/video/fbdev/core/fbcon.c:3010
 do_fb_ioctl+0x5b6/0x690 drivers/video/fbdev/core/fbmem.c:1156
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4402b9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffffae24f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9
RDX: 0000000020000080 RSI: 0000000000004610 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401ac0
R13: 0000000000401b50 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
CR2: 0000000000000000
---[ end trace 5adb9f198fe5efa6 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000132f850 EFLAGS: 00010292
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000002 RSI: ffff88814394b000 RDI: ffff888010071000
RBP: ffff888010071000 R08: 0000000000000000 R09: ffffffff83ed87ea
R10: 0000000000000003 R11: 0000000000000018 R12: ffff88814394b000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  0000000000db8880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000020cd8000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400



* Re: BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
From: syzbot @ 2021-01-17 11:29 UTC
  To: b.zolnierkie, daniel.vetter, daniel.vetter, dri-devel,
	george.kennedy, gregkh, jirislaby, linux-fbdev, linux-kernel,
	melissa.srw, natechancellor, sam, syzkaller-bugs, tzimmermann,
	yepeilin.cs

syzbot has bisected this issue to:

commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Fri Oct 9 23:21:56 2020 +0000

    drm/vkms: fbdev emulation support

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=148e2748d00000
start commit:   b3a3cbde Add linux-next specific files for 20210115
git tree:       linux-next
final oops:     https://syzkaller.appspot.com/x/report.txt?x=168e2748d00000
console output: https://syzkaller.appspot.com/x/log.txt?x=128e2748d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6ea08dae6aab586f
dashboard link: https://syzkaller.appspot.com/bug?extid=b67aaae8d3a927f68d20
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15cd8fe0d00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17af5258d00000

Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
From: Daniel Vetter @ 2021-01-18  9:29 UTC
  To: syzbot
  Cc: b.zolnierkie, daniel.vetter, daniel.vetter, dri-devel,
	george.kennedy, gregkh, jirislaby, linux-fbdev, linux-kernel,
	melissa.srw, natechancellor, sam, syzkaller-bugs, tzimmermann,
	yepeilin.cs

On Sun, Jan 17, 2021 at 03:29:05AM -0800, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
> Author: Daniel Vetter <daniel.vetter@ffwll.ch>
> Date:   Fri Oct 9 23:21:56 2020 +0000
> 
>     drm/vkms: fbdev emulation support

Not sure you want to annotate this, but this just makes the bug
reproducible on vkms. It's a preexisting issue (probably a few decades
old) of the fbcon code afaict. It might also be that you can only repro
this when you have multiple fbcon drivers (vkms plus whatever your virtual
machine has I guess).
-Daniel

> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=148e2748d00000
> start commit:   b3a3cbde Add linux-next specific files for 20210115
> git tree:       linux-next
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=168e2748d00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=128e2748d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=6ea08dae6aab586f
> dashboard link: https://syzkaller.appspot.com/bug?extid=b67aaae8d3a927f68d20
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15cd8fe0d00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17af5258d00000
> 
> Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com
> Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
