* drm: NULL pointer dereference in drm_mode_object_find()
@ 2016-08-19 17:10 Alexander Potapenko
2016-09-05 8:30 ` Dmitry Vyukov
2016-09-21 7:44 ` David Herrmann
From: Alexander Potapenko @ 2016-08-19 17:10 UTC (permalink / raw)
To: daniel.vetter, airlied, robdclark
Cc: LKML, syzkaller, Dmitriy Vyukov, Kostya Serebryany, Guenter Roeck
Hello,
the program below triggers a NULL deref in DRM code when run on QEMU:
===================================================
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [< inline >] __list_add ./include/linux/list.h:44
IP: [< inline >] list_add_tail ./include/linux/list.h:77
IP: [< inline >] __mutex_lock_common kernel/locking/mutex.c:543
IP: [<ffffffff818e850f>] __mutex_lock_slowpath+0x6f/0x100 kernel/locking/mutex.c:824
PGD 1c555067 PUD 1c554067 PMD 0
Oops: 0002 [#1] SMP
Modules linked in:
CPU: 0 PID: 2517 Comm: crash_drm_mode_ Not tainted 4.8.0-rc2+ #1157
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88001c40a700 task.stack: ffff88001c984000
RIP: 0010:[<ffffffff818e850f>] [<ffffffff818e850f>] __mutex_lock_slowpath+0x6f/0x100
RSP: 0018:ffff88001c987cb0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88001d5212a0 RCX: 00000000c0000100
RDX: 0000000000000001 RSI: ffff88001c40a700 RDI: ffff88001d5212a4
RBP: ffff88001c987cf8 R08: ffff88001c984000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88001c40a700
R13: ffff88001d5212a4 R14: 00000000ffffffff R15: ffff88001d5212a8
FS: 0000000000dc9880(0000) GS:ffff88001f000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000001c8a9000 CR4: 00000000000406f0
Stack:
ffff88001d5212a8 0000000000000000 0000000000000000 ffffffff811a398f
ffff88001d5212a0 ffff88001d5212a0 0000000000000000 00000000cccccccc
ffffffff81a6eb20 ffff88001c987d10 ffffffff818e85ba ffff88001d521000
Call Trace:
[< inline >] __mutex_fastpath_lock ./arch/x86/include/asm/mutex_64.h:28
[<ffffffff818e85ba>] mutex_lock+0x1a/0x30 kernel/locking/mutex.c:102
[<ffffffff8142dd23>] _object_find+0x23/0xc0 drivers/gpu/drm/drm_crtc.c:329
[< inline >] drm_mode_object_find drivers/gpu/drm/drm_crtc.c:360
[< inline >] drm_crtc_find ./include/drm/drm_crtc.h:2999
[<ffffffff8143502e>] drm_mode_page_flip_ioctl+0x4e/0x300 drivers/gpu/drm/drm_crtc.c:5414
[<ffffffff81426bb2>] drm_ioctl+0x2a2/0x460 drivers/gpu/drm/drm_ioctl.c:721
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff8119700d>] do_vfs_ioctl+0x8d/0x580 fs/ioctl.c:675
[< inline >] SYSC_ioctl fs/ioctl.c:690
[<ffffffff81197574>] SyS_ioctl+0x74/0x80 fs/ioctl.c:681
[<ffffffff818ea9db>] entry_SYSCALL_64_fastpath+0x13/0x8f arch/x86/entry/entry_64.S:207
Code: e8 37 23 00 00 8b 03 83 f8 01 0f 84 95 00 00 00 48 8b 43 10 4c 8d 7b 08 48 89 63 10 41 be ff ff ff ff 4c 89 3c 24 48 89 44 24 08 <48> 89 20 4c 89 64 24 10 eb 19 49 c7 04 24 02 00 00 00 c6 43 04
RIP [< inline >] __list_add ./include/linux/list.h:44
RIP [< inline >] list_add_tail ./include/linux/list.h:77
RIP [< inline >] __mutex_lock_common kernel/locking/mutex.c:543
RIP [<ffffffff818e850f>] __mutex_lock_slowpath+0x6f/0x100 kernel/locking/mutex.c:824
RSP <ffff88001c987cb0>
CR2: 0000000000000000
---[ end trace 3cef4eb618ac6bb6 ]---
===================================================
// autogenerated by syzkaller (http://github.com/google/syzkaller)
// Headers for open(), mmap() and ioctl() added so the repro builds as posted;
// the raw numeric flags of the generated program are kept in the comments.
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

int main()
{
	int fd = open("/dev/dri/card0", O_RDONLY);	/* flags 0 */
	/* Anonymous scratch page for the ioctl argument: prot 0x3, flags 0x32, fd -1. */
	mmap((void*)0x20036000ul, 0x1000ul, PROT_READ | PROT_WRITE,
	     MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
	/* Fuzzer-chosen bytes handed to the kernel as struct drm_mode_crtc_page_flip. */
	memcpy((void*)0x20036ad7,
	"\x1e\xa4\x45\xdc\xca\x11\xff\x25\x72\x65\x7e\x4a\x56\x54\x35"
	"\x67\xe3\x8b\x41\x5c\x6d\x69\xa5\xf9\x88\x29\xb8\xc9\x6a\x45"
	"\x76\xa9\xe7\x14\xd1\xf6\xa3\x59\x07\x4d\xe5\xc8\x39\xbf\x33"
	"\xb9\x3d\x21\xd1\xaf\x16\x4d\xbc\xbf\xb1\x0a\x92\x97\xd9\x91"
	"\x4d\xd8\xf8\xa1\xa6\xa3\x20\x02\x2c\x5e\x8f\x87\x05\x8b\xeb"
	"\x9a\xb9\xbc\xa6\x60\x45\x8d\x19\x01\x7d\xb7\xef\x64\x62\x2e"
	"\x5e\x3d\xfe\x65\xbf\xe2\x80\x89\x36\x48\x73\xc6\xa2\x6e\xe2"
	"\x1a\x8f\x1b\x11\x6f\x49\x20\xeb\x74\x2d\x41\xb9\x8b\xb4\x8e"
	"\x8b\xf5\x6d\xb7\xb1\xa3\xcb\xc4\xc2\x7f\x6d\xef\x32\xef\xa7"
	"\x1c\x17\x03\x60\x7b\x31\x1f\x66",
	143);
	/* The nr byte 0xb0 of 0xbb0 is DRM_IOCTL_MODE_PAGE_FLIP's; drm_ioctl()
	 * dispatches on that byte alone, so drm_mode_page_flip_ioctl() is reached
	 * exactly as the call trace above shows. */
	ioctl(fd, 0xbb0ul, 0x20036ad7ul, 0, 0, 0);
	return 0;
}
I build the ToT kernel (commit
952b159f2919a8d514f13999f9f463bddcc1dae7, Aug 18) with defconfig and
CONFIG_DRM_VGEM=y.
--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-Straße, 33
80636 München
Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
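The ioctl number in the repro, 0xbb0, does not look like DRM_IOCTL_MODE_PAGE_FLIP, yet the trace lands in drm_mode_page_flip_ioctl(). The following is an added example (not part of the report, and neither syzkaller's nor the kernel's code) that decodes a command word with the field layout of include/uapi/asm-generic/ioctl.h and shows why: drm_ioctl() selects a core handler by the nr byte alone and takes the argument size from its own drm_ioctls[] table, so the direction and size bits a caller supplies do not matter for core ioctls. The core/driver nr split (0x40 to 0x9f is the driver range) is taken from drm.h; the 24-byte size of struct drm_mode_crtc_page_flip (four u32 fields and one u64) is assumed from its definition.

```c
/* Decode ioctl command words and compare DRM core handler selection. */
#include <stdint.h>
#include <stdio.h>

/* Field layout of include/uapi/asm-generic/ioctl.h (x86 uses the generic one). */
#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT 8
#define IOC_SIZESHIFT 16
#define IOC_DIRSHIFT  30
#define IOC_NRMASK    0xffU
#define IOC_TYPEMASK  0xffU
#define IOC_SIZEMASK  0x3fffU
#define IOC_DIRMASK   0x3U

enum { IOC_NONE = 0, IOC_WRITE = 1, IOC_READ = 2 };

/* Core DRM ioctl nrs lie outside [DRM_COMMAND_BASE, DRM_COMMAND_END) (drm.h). */
#define DRM_COMMAND_BASE 0x40
#define DRM_COMMAND_END  0xa0

static uint32_t ioc_nr(uint32_t cmd)   { return (cmd >> IOC_NRSHIFT)   & IOC_NRMASK; }
static uint32_t ioc_type(uint32_t cmd) { return (cmd >> IOC_TYPESHIFT) & IOC_TYPEMASK; }
static uint32_t ioc_size(uint32_t cmd) { return (cmd >> IOC_SIZESHIFT) & IOC_SIZEMASK; }
static uint32_t ioc_dir(uint32_t cmd)  { return (cmd >> IOC_DIRSHIFT)  & IOC_DIRMASK; }

/* Same composition as the kernel's _IOC(dir, type, nr, size). */
static uint32_t ioc_encode(uint32_t dir, uint32_t type, uint32_t nr, uint32_t size)
{
    return (dir << IOC_DIRSHIFT) | (type << IOC_TYPESHIFT) |
           (nr << IOC_NRSHIFT) | (size << IOC_SIZESHIFT);
}

static int drm_is_core_nr(uint32_t nr)
{
    return nr < DRM_COMMAND_BASE || nr >= DRM_COMMAND_END;
}

/* 1 if drm_ioctl() would index the same drm_ioctls[] entry for both words:
 * only the nr byte participates, dir/size come from the table entry. */
static int drm_same_core_handler(uint32_t a, uint32_t b)
{
    uint32_t na = ioc_nr(a), nb = ioc_nr(b);
    return drm_is_core_nr(na) && drm_is_core_nr(nb) && na == nb;
}

/* Assumed size: struct drm_mode_crtc_page_flip = 4 x u32 + 1 x u64 = 24 bytes. */
#define DRM_MODE_PAGE_FLIP_NR   0xb0
#define DRM_MODE_PAGE_FLIP_SIZE 24

/* The canonical DRM_IOCTL_MODE_PAGE_FLIP = _IOWR('d', 0xB0, struct ...). */
static uint32_t drm_ioctl_mode_page_flip(void)
{
    return ioc_encode(IOC_READ | IOC_WRITE, 'd', DRM_MODE_PAGE_FLIP_NR,
                      DRM_MODE_PAGE_FLIP_SIZE);
}

static void dump(const char *label, uint32_t cmd)
{
    unsigned type = ioc_type(cmd);
    printf("%-26s 0x%08x dir=%u type=0x%02x ('%c') nr=0x%02x size=%u\n",
           label, (unsigned)cmd, (unsigned)ioc_dir(cmd), type,
           (type >= 0x20 && type < 0x7f) ? (int)type : '.',
           (unsigned)ioc_nr(cmd), (unsigned)ioc_size(cmd));
}

int main(void)
{
    uint32_t fuzzed = 0xbb0;                  /* number from the syzkaller repro */
    uint32_t canonical = drm_ioctl_mode_page_flip();

    dump("repro cmd", fuzzed);
    dump("DRM_IOCTL_MODE_PAGE_FLIP", canonical);
    printf("same core handler: %s\n",
           drm_same_core_handler(fuzzed, canonical) ? "yes" : "no");
    return 0;
}
```

Build with `cc -o ioc ioc.c` and run; the repro word decodes to type 0x0b, size 0 and dir NONE, the canonical word to 0xc01864b0, and both select nr 0xb0. Driver-private ioctls (nr 0x40 to 0x9f) are dispatched the same way against dev->driver->ioctls, so when triaging a syzkaller DRM repro, read the nr byte rather than looking for the literal from the uapi header.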
* Re: drm: NULL pointer dereference in drm_mode_object_find()
2016-08-19 17:10 drm: NULL pointer dereference in drm_mode_object_find() Alexander Potapenko
@ 2016-09-05 8:30 ` Dmitry Vyukov
2016-09-20 9:21 ` David Herrmann
2016-09-21 7:44 ` David Herrmann
From: Dmitry Vyukov @ 2016-09-05 8:30 UTC (permalink / raw)
To: dri-devel, Dave Airlie
Cc: Daniel Vetter, robdclark, LKML, syzkaller, Kostya Serebryany,
Guenter Roeck, Alexander Potapenko
On Fri, Aug 19, 2016 at 7:10 PM, Alexander Potapenko <glider@google.com> wrote:
> Hello,
>
> the program below triggers a NULL deref in DRM code when run on QEMU:
>
> [...]
>
> I build the ToT kernel (commit
> 952b159f2919a8d514f13999f9f463bddcc1dae7, Aug 18) with defconfig and
> CONFIG_DRM_VGEM=y.
+dri-devel
I am also hitting this on 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of
linux-next.
* Re: drm: NULL pointer dereference in drm_mode_object_find()
2016-09-05 8:30 ` Dmitry Vyukov
@ 2016-09-20 9:21 ` David Herrmann
2016-09-20 9:25 ` Alexander Potapenko
From: David Herrmann @ 2016-09-20 9:21 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: dri-devel, Dave Airlie, Daniel Vetter, Rob Clark, LKML,
syzkaller, Kostya Serebryany, Guenter Roeck, Alexander Potapenko
Hi
On Mon, Sep 5, 2016 at 10:30 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Fri, Aug 19, 2016 at 7:10 PM, Alexander Potapenko <glider@google.com> wrote:
>> Hello,
>>
>> the program below triggers a NULL deref in DRM code when run on QEMU:
>>
>> [...]
>>
>> int fd = open("/dev/dri/card0", 0);
>> mmap(0x20036000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
>> [...]
>> ioctl(fd, 0xbb0ul, 0x20036ad7ul, 0, 0, 0);
>> [...]
>>
>> I build the ToT kernel (commit
>> 952b159f2919a8d514f13999f9f463bddcc1dae7, Aug 18) with defconfig and
>> CONFIG_DRM_VGEM=y.
>
> +dri-devel
>
> I am also hitting this on 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of
> linux-next.
Can you tell us which DRM driver this is? vgem does not specify
DRIVER_MODESET, so the page-flip ioctl should not be hooked up. Also,
the mmap() operation should fail on any GEM driver. *confused*
Thanks
David
* Re: drm: NULL pointer dereference in drm_mode_object_find()
2016-09-20 9:21 ` David Herrmann
@ 2016-09-20 9:25 ` Alexander Potapenko
2016-09-20 9:28 ` Guenter Roeck
2016-09-21 7:37 ` David Herrmann
From: Alexander Potapenko @ 2016-09-20 9:25 UTC (permalink / raw)
To: syzkaller
Cc: Dmitry Vyukov, dri-devel, Dave Airlie, Daniel Vetter, Rob Clark,
LKML, Kostya Serebryany, Guenter Roeck
On Tue, Sep 20, 2016 at 11:21 AM, David Herrmann <dh.herrmann@gmail.com> wrote:
> Hi
>
> On Mon, Sep 5, 2016 at 10:30 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
>> On Fri, Aug 19, 2016 at 7:10 PM, Alexander Potapenko <glider@google.com> wrote:
>>> [...]
>>>
>>> I build the ToT kernel (commit
>>> 952b159f2919a8d514f13999f9f463bddcc1dae7, Aug 18) with defconfig and
>>> CONFIG_DRM_VGEM=y.
>>
>> +dri-devel
>>
>> I am also hitting this on 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of
>> linux-next.
>
> Can you tell us which DRM driver this is? vgem does not specify
> DRIVER_MODESET, so the page-flip ioctl should not be hooked up. Also,
> the mmap() operation should fail on any GEM driver. *confused*
How do I check that?
> Thanks
> David
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-Straße, 33
80636 München
Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
* Re: drm: NULL pointer dereference in drm_mode_object_find()
2016-09-20 9:25 ` Alexander Potapenko
@ 2016-09-20 9:28 ` Guenter Roeck
2016-09-21 7:37 ` David Herrmann
From: Guenter Roeck @ 2016-09-20 9:28 UTC (permalink / raw)
To: Alexander Potapenko
Cc: syzkaller, Dmitry Vyukov, dri-devel, Dave Airlie, Daniel Vetter,
Rob Clark, LKML, Kostya Serebryany
AFAICS the only drm driver built with "make defconfig" is i915.
CONFIG_DRM=y
CONFIG_DRM_MIPI_DSI=y
CONFIG_DRM_KMS_HELPER=y
CONFIG_DRM_KMS_FB_HELPER=y
CONFIG_DRM_FBDEV_EMULATION=y
CONFIG_DRM_I915=y
CONFIG_DRM_I915_USERPTR=y
CONFIG_DRM_PANEL=y
CONFIG_DRM_BRIDGE=y
Guenter
On Tue, Sep 20, 2016 at 2:25 AM, Alexander Potapenko <glider@google.com> wrote:
> On Tue, Sep 20, 2016 at 11:21 AM, David Herrmann <dh.herrmann@gmail.com> wrote:
>> Hi
>>
>> [...]
>>
>> Can you tell us which DRM driver this is? vgem does not specify
>> DRIVER_MODESET, so the page-flip ioctl should not be hooked up. Also,
>> the mmap() operation should fail on any GEM driver. *confused*
> How do I check that?
>> Thanks
>> David
* Re: drm: NULL pointer dereference in drm_mode_object_find()
2016-09-20 9:25 ` Alexander Potapenko
2016-09-20 9:28 ` Guenter Roeck
@ 2016-09-21 7:37 ` David Herrmann
From: David Herrmann @ 2016-09-21 7:37 UTC (permalink / raw)
To: Alexander Potapenko
Cc: syzkaller, Dmitry Vyukov, dri-devel, Dave Airlie, Daniel Vetter,
Rob Clark, LKML, Kostya Serebryany, Guenter Roeck
Hi
On Tue, Sep 20, 2016 at 11:25 AM, Alexander Potapenko <glider@google.com> wrote:
> On Tue, Sep 20, 2016 at 11:21 AM, David Herrmann <dh.herrmann@gmail.com> wrote:
>> Hi
>>
>> On Mon, Sep 5, 2016 at 10:30 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
>>> On Fri, Aug 19, 2016 at 7:10 PM, Alexander Potapenko <glider@google.com> wrote:
>>>> Hello,
>>>>
>>>> the program below triggers a NULL deref in DRM code when ran on QEMU:
>>>>
>>>> ===================================================
>>>> BUG: unable to handle kernel NULL pointer dereference at (null)
>>>> IP: [< inline >] __list_add ./include/linux/list.h:44
>>>> IP: [< inline >] list_add_tail ./include/linux/list.h:77
>>>> IP: [< inline >] __mutex_lock_common kernel/locking/mutex.c:543
>>>> IP: [<ffffffff818e850f>] __mutex_lock_slowpath+0x6f/0x100
>>>> kernel/locking/mutex.c:824
>>>> PGD 1c555067 PUD 1c554067 PMD 0
>>>> Oops: 0002 [#1] SMP
>>>> Modules linked in:
>>>> CPU: 0 PID: 2517 Comm: crash_drm_mode_ Not tainted 4.8.0-rc2+ #1157
>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>> task: ffff88001c40a700 task.stack: ffff88001c984000
>>>> RIP: 0010:[<ffffffff818e850f>] [<ffffffff818e850f>]
>>>> __mutex_lock_slowpath+0x6f/0x100
>>>> RSP: 0018:ffff88001c987cb0 EFLAGS: 00010282
>>>> RAX: 0000000000000000 RBX: ffff88001d5212a0 RCX: 00000000c0000100
>>>> RDX: 0000000000000001 RSI: ffff88001c40a700 RDI: ffff88001d5212a4
>>>> RBP: ffff88001c987cf8 R08: ffff88001c984000 R09: 0000000000000000
>>>> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88001c40a700
>>>> R13: ffff88001d5212a4 R14: 00000000ffffffff R15: ffff88001d5212a8
>>>> FS: 0000000000dc9880(0000) GS:ffff88001f000000(0000) knlGS:0000000000000000
>>>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> CR2: 0000000000000000 CR3: 000000001c8a9000 CR4: 00000000000406f0
>>>> Stack:
>>>> ffff88001d5212a8 0000000000000000 0000000000000000 ffffffff811a398f
>>>> ffff88001d5212a0 ffff88001d5212a0 0000000000000000 00000000cccccccc
>>>> ffffffff81a6eb20 ffff88001c987d10 ffffffff818e85ba ffff88001d521000
>>>> Call Trace:
>>>> [< inline >] __mutex_fastpath_lock ./arch/x86/include/asm/mutex_64.h:28
>>>> [<ffffffff818e85ba>] mutex_lock+0x1a/0x30 kernel/locking/mutex.c:102
>>>> [<ffffffff8142dd23>] _object_find+0x23/0xc0 drivers/gpu/drm/drm_crtc.c:329
>>>> [< inline >] drm_mode_object_find drivers/gpu/drm/drm_crtc.c:360
>>>> [< inline >] drm_crtc_find ./include/drm/drm_crtc.h:2999
>>>> [<ffffffff8143502e>] drm_mode_page_flip_ioctl+0x4e/0x300
>>>> drivers/gpu/drm/drm_crtc.c:5414
>>>> [<ffffffff81426bb2>] drm_ioctl+0x2a2/0x460 drivers/gpu/drm/drm_ioctl.c:721
>>>> [< inline >] vfs_ioctl fs/ioctl.c:43
>>>> [<ffffffff8119700d>] do_vfs_ioctl+0x8d/0x580 fs/ioctl.c:675
>>>> [< inline >] SYSC_ioctl fs/ioctl.c:690
>>>> [<ffffffff81197574>] SyS_ioctl+0x74/0x80 fs/ioctl.c:681
>>>> [<ffffffff818ea9db>] entry_SYSCALL_64_fastpath+0x13/0x8f
>>>> arch/x86/entry/entry_64.S:207
>>>> Code: e8 37 23 00 00 8b 03 83 f8 01 0f 84 95 00 00 00 48 8b 43 10 4c
>>>> 8d 7b 08 48 89 63 10 41 be ff ff ff ff 4c 89 3c 24 48 89 44 24 08 <48>
>>>> 89 20 4c 89 64 24 10 eb 19 49 c7 04 24 02 00 00 00 c6 43 04
>>>> RIP [< inline >] __list_add ./include/linux/list.h:44
>>>> RIP [< inline >] list_add_tail ./include/linux/list.h:77
>>>> RIP [< inline >] __mutex_lock_common kernel/locking/mutex.c:543
>>>> RIP [<ffffffff818e850f>] __mutex_lock_slowpath+0x6f/0x100
>>>> kernel/locking/mutex.c:824
>>>> RSP <ffff88001c987cb0>
>>>> CR2: 0000000000000000
>>>> ---[ end trace 3cef4eb618ac6bb6 ]---
>>>> ===================================================
>>>>
>>>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>>>> #include <fcntl.h>
>>>> #include <stdint.h>
>>>> #include <string.h>
>>>> #include <sys/ioctl.h>
>>>> #include <sys/mman.h>
>>>> #include <unistd.h>
>>>>
>>>> int main(void)
>>>> {
>>>> int fd = open("/dev/dri/card0", 0);
>>>> // fixed-address anonymous mapping that holds the ioctl argument
>>>> mmap((void*)0x20036000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
>>>> memcpy((void*)0x20036ad7,
>>>> "\x1e\xa4\x45\xdc\xca\x11\xff\x25\x72\x65\x7e\x4a\x56\x54\x35"
>>>> "\x67\xe3\x8b\x41\x5c\x6d\x69\xa5\xf9\x88\x29\xb8\xc9\x6a\x45"
>>>> "\x76\xa9\xe7\x14\xd1\xf6\xa3\x59\x07\x4d\xe5\xc8\x39\xbf\x33"
>>>> "\xb9\x3d\x21\xd1\xaf\x16\x4d\xbc\xbf\xb1\x0a\x92\x97\xd9\x91"
>>>> "\x4d\xd8\xf8\xa1\xa6\xa3\x20\x02\x2c\x5e\x8f\x87\x05\x8b\xeb"
>>>> "\x9a\xb9\xbc\xa6\x60\x45\x8d\x19\x01\x7d\xb7\xef\x64\x62\x2e"
>>>> "\x5e\x3d\xfe\x65\xbf\xe2\x80\x89\x36\x48\x73\xc6\xa2\x6e\xe2"
>>>> "\x1a\x8f\x1b\x11\x6f\x49\x20\xeb\x74\x2d\x41\xb9\x8b\xb4\x8e"
>>>> "\x8b\xf5\x6d\xb7\xb1\xa3\xcb\xc4\xc2\x7f\x6d\xef\x32\xef\xa7"
>>>> "\x1c\x17\x03\x60\x7b\x31\x1f\x66",
>>>> 143);
>>>> // DRM ioctl with command number 0xbb0; the trailing zero args are unused
>>>> ioctl(fd, 0xbb0ul, 0x20036ad7ul, 0, 0, 0);
>>>> return 0;
>>>> }
>>>>
>>>> I built the ToT kernel (commit
>>>> 952b159f2919a8d514f13999f9f463bddcc1dae7, Aug 18) with defconfig and
>>>> CONFIG_DRM_VGEM=y.
>>>
>>> +dri-devel
>>>
>>> I am also hitting this on 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of
>>> linux-next.
>>
>> Can you tell us which DRM driver this is? vgem does not specify
>> DRIVER_MODESET, so the page-flip ioctl should not be hooked up. Also,
>> the mmap() operation should fail on any GEM driver. *confused*
> How do I check that?
Something like this:
readlink /sys/class/drm/card0/device/driver
Or grep dmesg for 'DRM'.
Thanks
David
* Re: drm: NULL pointer dereference in drm_mode_object_find()
2016-08-19 17:10 drm: NULL pointer dereference in drm_mode_object_find() Alexander Potapenko
2016-09-05 8:30 ` Dmitry Vyukov
@ 2016-09-21 7:44 ` David Herrmann
1 sibling, 0 replies; 7+ messages in thread
From: David Herrmann @ 2016-09-21 7:44 UTC (permalink / raw)
To: Alexander Potapenko
Cc: Daniel Vetter, Dave Airlie, Rob Clark, LKML, syzkaller,
Dmitriy Vyukov, Kostya Serebryany, Guenter Roeck
Hi
On Fri, Aug 19, 2016 at 7:10 PM, Alexander Potapenko <glider@google.com> wrote:
> Hello,
>
> the program below triggers a NULL deref in DRM code when run on QEMU:
>
> ===================================================
> BUG: unable to handle kernel NULL pointer dereference at (null)
> IP: [< inline >] __list_add ./include/linux/list.h:44
> IP: [< inline >] list_add_tail ./include/linux/list.h:77
> IP: [< inline >] __mutex_lock_common kernel/locking/mutex.c:543
> IP: [<ffffffff818e850f>] __mutex_lock_slowpath+0x6f/0x100
> kernel/locking/mutex.c:824
> PGD 1c555067 PUD 1c554067 PMD 0
> Oops: 0002 [#1] SMP
> Modules linked in:
> CPU: 0 PID: 2517 Comm: crash_drm_mode_ Not tainted 4.8.0-rc2+ #1157
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff88001c40a700 task.stack: ffff88001c984000
> RIP: 0010:[<ffffffff818e850f>] [<ffffffff818e850f>]
> __mutex_lock_slowpath+0x6f/0x100
> RSP: 0018:ffff88001c987cb0 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: ffff88001d5212a0 RCX: 00000000c0000100
> RDX: 0000000000000001 RSI: ffff88001c40a700 RDI: ffff88001d5212a4
> RBP: ffff88001c987cf8 R08: ffff88001c984000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88001c40a700
> R13: ffff88001d5212a4 R14: 00000000ffffffff R15: ffff88001d5212a8
> FS: 0000000000dc9880(0000) GS:ffff88001f000000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 000000001c8a9000 CR4: 00000000000406f0
> Stack:
> ffff88001d5212a8 0000000000000000 0000000000000000 ffffffff811a398f
> ffff88001d5212a0 ffff88001d5212a0 0000000000000000 00000000cccccccc
> ffffffff81a6eb20 ffff88001c987d10 ffffffff818e85ba ffff88001d521000
> Call Trace:
> [< inline >] __mutex_fastpath_lock ./arch/x86/include/asm/mutex_64.h:28
> [<ffffffff818e85ba>] mutex_lock+0x1a/0x30 kernel/locking/mutex.c:102
> [<ffffffff8142dd23>] _object_find+0x23/0xc0 drivers/gpu/drm/drm_crtc.c:329
> [< inline >] drm_mode_object_find drivers/gpu/drm/drm_crtc.c:360
> [< inline >] drm_crtc_find ./include/drm/drm_crtc.h:2999
> [<ffffffff8143502e>] drm_mode_page_flip_ioctl+0x4e/0x300
> drivers/gpu/drm/drm_crtc.c:5414
> [<ffffffff81426bb2>] drm_ioctl+0x2a2/0x460 drivers/gpu/drm/drm_ioctl.c:721
> [< inline >] vfs_ioctl fs/ioctl.c:43
> [<ffffffff8119700d>] do_vfs_ioctl+0x8d/0x580 fs/ioctl.c:675
> [< inline >] SYSC_ioctl fs/ioctl.c:690
> [<ffffffff81197574>] SyS_ioctl+0x74/0x80 fs/ioctl.c:681
> [<ffffffff818ea9db>] entry_SYSCALL_64_fastpath+0x13/0x8f
> arch/x86/entry/entry_64.S:207
> Code: e8 37 23 00 00 8b 03 83 f8 01 0f 84 95 00 00 00 48 8b 43 10 4c
> 8d 7b 08 48 89 63 10 41 be ff ff ff ff 4c 89 3c 24 48 89 44 24 08 <48>
> 89 20 4c 89 64 24 10 eb 19 49 c7 04 24 02 00 00 00 c6 43 04
> RIP [< inline >] __list_add ./include/linux/list.h:44
> RIP [< inline >] list_add_tail ./include/linux/list.h:77
> RIP [< inline >] __mutex_lock_common kernel/locking/mutex.c:543
> RIP [<ffffffff818e850f>] __mutex_lock_slowpath+0x6f/0x100
> kernel/locking/mutex.c:824
> RSP <ffff88001c987cb0>
> CR2: 0000000000000000
> ---[ end trace 3cef4eb618ac6bb6 ]---
> ===================================================
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <fcntl.h>
> #include <stdint.h>
> #include <string.h>
> #include <sys/ioctl.h>
> #include <sys/mman.h>
> #include <unistd.h>
>
> int main(void)
> {
> int fd = open("/dev/dri/card0", 0);
> // fixed-address anonymous mapping that holds the ioctl argument
> mmap((void*)0x20036000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
> memcpy((void*)0x20036ad7,
> "\x1e\xa4\x45\xdc\xca\x11\xff\x25\x72\x65\x7e\x4a\x56\x54\x35"
> "\x67\xe3\x8b\x41\x5c\x6d\x69\xa5\xf9\x88\x29\xb8\xc9\x6a\x45"
> "\x76\xa9\xe7\x14\xd1\xf6\xa3\x59\x07\x4d\xe5\xc8\x39\xbf\x33"
> "\xb9\x3d\x21\xd1\xaf\x16\x4d\xbc\xbf\xb1\x0a\x92\x97\xd9\x91"
> "\x4d\xd8\xf8\xa1\xa6\xa3\x20\x02\x2c\x5e\x8f\x87\x05\x8b\xeb"
> "\x9a\xb9\xbc\xa6\x60\x45\x8d\x19\x01\x7d\xb7\xef\x64\x62\x2e"
> "\x5e\x3d\xfe\x65\xbf\xe2\x80\x89\x36\x48\x73\xc6\xa2\x6e\xe2"
> "\x1a\x8f\x1b\x11\x6f\x49\x20\xeb\x74\x2d\x41\xb9\x8b\xb4\x8e"
> "\x8b\xf5\x6d\xb7\xb1\xa3\xcb\xc4\xc2\x7f\x6d\xef\x32\xef\xa7"
> "\x1c\x17\x03\x60\x7b\x31\x1f\x66",
> 143);
> // DRM ioctl with command number 0xbb0; the trailing zero args are unused
> ioctl(fd, 0xbb0ul, 0x20036ad7ul, 0, 0, 0);
> return 0;
> }
>
> I built the ToT kernel (commit
> 952b159f2919a8d514f13999f9f463bddcc1dae7, Aug 18) with defconfig and
> CONFIG_DRM_VGEM=y.
Can you make sure you have this commit:
commit 6f00975c619064a18c23fd3aced325ae165a73b9
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Sat Aug 20 12:22:11 2016 +0200
drm: Reject page_flip for !DRIVER_MODESET
Thanks
David
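The check David is pointing at, as an added example that is neither the kernel's code nor the diff of the commit above: a user-space model of the path in the trace (drm_ioctl, then drm_mode_page_flip_ioctl, then drm_crtc_find). A driver that never advertised DRIVER_MODESET never initialised its mode_config, so the object lookup has nothing valid to lock; the hardened handler refuses the request before any modeset state is touched, which is the intent of "Reject page_flip for !DRIVER_MODESET". The struct layouts, the DRIVER_MODESET bit value, the -EFAULT stand-in for the oops and the two sample devices are assumptions made for the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of drm_ioctl -> drm_mode_page_flip_ioctl -> drm_crtc_find.
 * Names and values are chosen for this model; they are not the kernel's. */

#define DRIVER_MODESET 0x2000u  /* driver feature bit (value assumed for the model) */

struct mode_object {
    uint32_t id;
    const char *name;
};

/* Modeset state that exists only for drivers that initialise modesetting.
 * In the kernel this is dev->mode_config, whose idr_mutex the trace shows
 * being locked; a vgem-like driver never sets it up. */
struct mode_config {
    struct mode_object crtcs[4];
    size_t num_crtcs;
};

struct drm_device {
    const char *driver_name;
    unsigned int driver_features;
    struct mode_config *mode_config;   /* NULL for a !DRIVER_MODESET driver */
};

/* Lookup modelled on drm_crtc_find(): it assumes mode_config is initialised.
 * Where the kernel dereferenced uninitialised state, the model returns
 * -EFAULT so it stays runnable and the hazard is visible in the result. */
static int crtc_lookup(const struct drm_device *dev, uint32_t id,
                       const struct mode_object **out)
{
    const struct mode_config *mc = dev->mode_config;

    *out = NULL;
    if (!mc)
        return -EFAULT;                /* the real code oopsed here */
    for (size_t i = 0; i < mc->num_crtcs; i++) {
        if (mc->crtcs[i].id == id) {
            *out = &mc->crtcs[i];
            return 0;
        }
    }
    return -ENOENT;
}

/* Shape of the handler before the fix: straight to the object lookup. */
static int page_flip_ioctl_unchecked(const struct drm_device *dev, uint32_t crtc_id)
{
    const struct mode_object *crtc;
    return crtc_lookup(dev, crtc_id, &crtc);
}

/* Hardened shape: refuse a modeset-only ioctl for drivers that never
 * advertised DRIVER_MODESET, before any modeset state is touched. */
static int page_flip_ioctl_checked(const struct drm_device *dev, uint32_t crtc_id)
{
    const struct mode_object *crtc;

    if (!(dev->driver_features & DRIVER_MODESET))
        return -EINVAL;
    return crtc_lookup(dev, crtc_id, &crtc);
}

/* Constructed sample devices: one KMS-capable, one vgem-like. */
static struct mode_config kms_state = {
    .crtcs = { { 42, "crtc-0" }, { 43, "crtc-1" } },
    .num_crtcs = 2,
};
struct drm_device kms_dev  = { "kms-example", DRIVER_MODESET, &kms_state };
struct drm_device vgem_dev = { "vgem", 0, NULL };

int main(void)
{
    printf("vgem, unchecked: %d\n", page_flip_ioctl_unchecked(&vgem_dev, 42));
    printf("vgem, checked:   %d\n", page_flip_ioctl_checked(&vgem_dev, 42));
    printf("kms, checked:    %d\n", page_flip_ioctl_checked(&kms_dev, 42));
    return 0;
}
```

The point of the contrast is ordering: the feature check costs nothing on a real KMS driver, and for a driver like vgem it turns a lockup on uninitialised state into a plain -EINVAL to user space, which is the same shape of guard a dispatcher should apply to every ioctl that assumes optional subsystem state.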
Thread overview: 7+ messages
2016-08-19 17:10 drm: NULL pointer dereference in drm_mode_object_find() Alexander Potapenko
2016-09-05 8:30 ` Dmitry Vyukov
2016-09-20 9:21 ` David Herrmann
2016-09-20 9:25 ` Alexander Potapenko
2016-09-20 9:28 ` Guenter Roeck
2016-09-21 7:37 ` David Herrmann
2016-09-21 7:44 ` David Herrmann