Re: [syzbot] general protection fault in drm_client_buffer_vunmap
syzbot suspects this issue was fixed by commit:

commit 874a52f9b693ed8bf7a92b3592a547ce8a684e6f
Author: Tong Zhang
Date: Sun Feb 28 04:46:25 2021 +

    drm/fb-helper: only unmap if buffer not null

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10c27b7ed0
start commit: c03c21ba Merge tag 'keys-misc-20210126' of git://git.kerne..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=ec4c85e44cc3172e
dashboard link: https://syzkaller.appspot.com/bug?extid=10328e8428a896b65119
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12d95d7ad0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=148da9ccd0

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: drm/fb-helper: only unmap if buffer not null

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
Re: [syzbot] BUG: unable to handle kernel paging request in vga16fb_imageblit (2)
syzbot has bisected this issue to:

commit 988d0763361bb65690d60e2bc53a6b72777040c3
Author: Tetsuo Handa
Date: Sun Sep 27 11:46:30 2020 +

    vt_ioctl: make VT_RESIZEX behave like VT_RESIZE

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15633759d0
start commit: d2b6f8a1 Merge tag 'xfs-5.13-merge-3' of git://git.kernel...
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=17633759d0
console output: https://syzkaller.appspot.com/x/log.txt?x=13633759d0
kernel config: https://syzkaller.appspot.com/x/.config?x=53fdf14defd48c56
dashboard link: https://syzkaller.appspot.com/bug?extid=1f29e126cf461c4de3b3
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16d9ff43d0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10981693d0

Reported-by: syzbot+1f29e126cf461c4de...@syzkaller.appspotmail.com
Fixes: 988d0763361b ("vt_ioctl: make VT_RESIZEX behave like VT_RESIZE")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Re: [syzbot] BUG: unable to handle kernel paging request in vga16fb_imageblit (2)
syzbot has found a reproducer for the following issue on:

HEAD commit: d2b6f8a1 Merge tag 'xfs-5.13-merge-3' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11d80be1d0
kernel config: https://syzkaller.appspot.com/x/.config?x=53fdf14defd48c56
dashboard link: https://syzkaller.appspot.com/bug?extid=1f29e126cf461c4de3b3
compiler: Debian clang version 11.0.1-2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16d9ff43d0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10981693d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1f29e126cf461c4de...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: 88800140
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD 11201067 P4D 11201067 PUD 11202067 PMD 810001e1
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8403 Comm: syz-executor112 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1176 [inline]
RIP: 0010:vga16fb_imageblit+0xcee/0x1cb0 drivers/video/fbdev/vga16fb.c:1260
Code: 66 66 2e 0f 1f 84 00 00 00 00 00 90 4c 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 84 c0 75 1b 41 0f b6 04 24 <41> 88 06 85 ed 74 2b 49 ff c4 49 ff c6 e8 80 ae 43 fd ff cd eb cc
RSP: 0018:c9000163f0a0 EFLAGS: 00010246
RAX: RBX: 88800140 RCX: dc00
RDX: 888022ad54c0 RSI: 0002 RDI:
RBP: 0001 R08: 843b289b R09:
R10: 0002 R11: 888022ad54c0 R12: 8880181bcea8
R13: c9000163f2cc R14: 88800140 R15: 0004
FS: 01207300() GS:8880b9a0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 88800140 CR3: 28d32000 CR4: 001506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 bit_putcs+0x18e8/0x1de0 drivers/video/fbdev/core/bitblit.c:105
 fbcon_putcs+0x2ae/0x430 drivers/video/fbdev/core/fbcon.c:1296
 do_update_region+0x4d6/0x6a0 drivers/tty/vt/vt.c:676
 redraw_screen+0x8f6/0x1270 drivers/tty/vt/vt.c:1035
 fbcon_blank+0x556/0xa50 drivers/video/fbdev/core/fbcon.c:2207
 do_unblank_screen+0x27e/0xb20 drivers/tty/vt/vt.c:4406
 vt_kdsetmode drivers/tty/vt/vt_ioctl.c:276 [inline]
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:381 [inline]
 vt_ioctl+0x2a82/0x3180 drivers/tty/vt/vt_ioctl.c:713
 tty_ioctl+0xf51/0x1720 drivers/tty/tty_io.c:2805
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:1069 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055
 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43fef9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffc931a4c48 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 00013f84 RCX: 0043fef9
RDX: RSI: 4b3a RDI: 0003
RBP: R08: 000d R09: 7ffc931a4de8
R10: R11: 0246 R12: 7ffc931a4c5c
R13: 431bde82d7b634db R14: 004ae018 R15: 00400488
Modules linked in:
CR2: 88800140
---[ end trace 96734cf7ef5cce91 ]---
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1176 [inline]
RIP: 0010:vga16fb_imageblit+0xcee/0x1cb0 drivers/video/fbdev/vga16fb.c:1260
Code: 66 66 2e 0f 1f 84 00 00 00 00 00 90 4c 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 84 c0 75 1b 41 0f b6 04 24 <41> 88 06 85 ed 74 2b 49 ff c4 49 ff c6 e8 80 ae 43 fd ff cd eb cc
RSP: 0018:c9000163f0a0 EFLAGS: 00010246
RAX: RBX: 88800140 RCX: dc00
RDX: 888022ad54c0 RSI: 0002 RDI:
RBP: 0001 R08: 843b289b R09:
R10: 0002 R11: 888022ad54c0 R12: 8880181bcea8
R13: c9000163f2cc R14: 88800140 R15: 0004
FS: 01207300() GS:8880b9a0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 88800140 CR3: 28d32000 CR4: 001506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
[syzbot] general protection fault in udmabuf_create
Hello,

syzbot found the following issue on:

HEAD commit: 7999516e20bd Add linux-next specific files for 20210806
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10f15f8e30
kernel config: https://syzkaller.appspot.com/x/.config?x=2f518e910b029c31
dashboard link: https://syzkaller.appspot.com/bug?extid=e9cd3122a37c5d6c51e8
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1181099a30
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11b6fce930

The issue was bisected to:

commit 16c243e99d335e1ef3059871897119affc98b493
Author: Vivek Kasireddy
Date: Wed Jun 9 18:29:15 2021 +

    udmabuf: Add support for mapping hugepages (v4)

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12f73dc930
final oops: https://syzkaller.appspot.com/x/report.txt?x=11f73dc930
console output: https://syzkaller.appspot.com/x/log.txt?x=16f73dc930

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e9cd3122a37c5d6c5...@syzkaller.appspotmail.com
Fixes: 16c243e99d33 ("udmabuf: Add support for mapping hugepages (v4)")

general protection fault, probably for non-canonical address 0xdc01: [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0008-0x000f]
CPU: 0 PID: 6603 Comm: syz-executor127 Not tainted 5.14.0-rc4-next-20210806-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:_compound_head include/linux/page-flags.h:187 [inline]
RIP: 0010:get_page include/linux/mm.h:1203 [inline]
RIP: 0010:udmabuf_create+0x664/0x16f0 drivers/dma-buf/udmabuf.c:236
Code: 03 48 89 84 24 90 00 00 00 e9 38 01 00 00 e8 23 7a f7 fc 4d 89 f4 49 c1 e4 06 4c 03 24 24 49 8d 7c 24 08 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 d3 0d 00 00 4d 8b 6c 24 08 31 ff 4c 89 eb 83
RSP: 0018:c90002d7fc70 EFLAGS: 00010202
RAX: 0001 RBX: RCX:
RDX: 888023f69c80 RSI: 847e4f3d RDI: 0008
RBP: R08: f000 R09:
R10: 847e50f5 R11: R12:
R13: R14: R15: dc00
FS: 00935300() GS:8880b9c0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 220c CR3: 18d16000 CR4: 001506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 udmabuf_ioctl_create drivers/dma-buf/udmabuf.c:305 [inline]
 udmabuf_ioctl+0x152/0x2c0 drivers/dma-buf/udmabuf.c:336
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43eed9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7fff10c6b558 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 00400488 RCX: 0043eed9
RDX: 2180 RSI: 40187542 RDI: 0003
RBP: 00402ec0 R08: 00400488 R09: 00400488
R10: 00400488 R11: 0246 R12: 00402f50
R13: R14: 004ac018 R15: 00400488
Modules linked in:
---[ end trace e38355abd6102561 ]---
RIP: 0010:_compound_head include/linux/page-flags.h:187 [inline]
RIP: 0010:get_page include/linux/mm.h:1203 [inline]
RIP: 0010:udmabuf_create+0x664/0x16f0 drivers/dma-buf/udmabuf.c:236
Code: 03 48 89 84 24 90 00 00 00 e9 38 01 00 00 e8 23 7a f7 fc 4d 89 f4 49 c1 e4 06 4c 03 24 24 49 8d 7c 24 08 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 d3 0d 00 00 4d 8b 6c 24 08 31 ff 4c 89 eb 83
RSP: 0018:c90002d7fc70 EFLAGS: 00010202
RAX: 0001 RBX: RCX:
RDX: 888023f69c80 RSI: 847e4f3d RDI: 0008
RBP: R08: f000 R09:
R10: 847e50f5 R11: R12:
R13: R14: R15: dc00
FS: 00935300() GS:8880b9d0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7fff86ca0778 CR3: 18d16000 CR4: 001506e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400

---
This report is generated by a bot. It may contain errors.
See ht
[syzbot] WARNING in drm_gem_shmem_vm_open
Hello,

syzbot found the following issue on:

HEAD commit: 614cb2751d31 Merge tag 'trace-v5.14-rc6' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1462cb6130
kernel config: https://syzkaller.appspot.com/x/.config?x=96f0602203250753
dashboard link: https://syzkaller.appspot.com/bug?extid=91525b2bd4b5dff71619
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=122bce0e30

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+91525b2bd4b5dff71...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 0 PID: 11697 at drivers/gpu/drm/drm_gem_shmem_helper.c:562 drm_gem_shmem_vm_open+0x96/0xb0 drivers/gpu/drm/drm_gem_shmem_helper.c:562
Modules linked in:
CPU: 0 PID: 11697 Comm: syz-executor.3 Not tainted 5.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:drm_gem_shmem_vm_open+0x96/0xb0 drivers/gpu/drm/drm_gem_shmem_helper.c:562
Code: 89 c6 e8 7d ec 23 fd 85 db 75 1a e8 34 e5 23 fd 48 89 ef 5b 5d 41 5c e9 e8 61 f5 ff e8 23 e5 23 fd 0f 0b eb ca e8 1a e5 23 fd <0f> 0b eb dd e8 b1 1f 6a fd eb 89 e8 aa 1f 6a fd eb a8 0f 1f 84 00
RSP: 0018:c9000b3cfb90 EFLAGS: 00010293
RAX: RBX: fffc RCX:
RDX: 8880364eb880 RSI: 8451c3e6 RDI: 0003
RBP: 888033c70948 R08: R09:
R10: 8451c3c3 R11: 0001 R12: 888146490800
R13: 888033c70a50 R14: 20166000 R15: 888033c709d8
FS: 7fbe43056700() GS:8880b9c0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 005422b8 CR3: 36274000 CR4: 00350ef0
Call Trace:
 __split_vma+0x23c/0x550 mm/mmap.c:2764
 __do_munmap+0x32a/0x11c0 mm/mmap.c:2868
 do_munmap mm/mmap.c:2922 [inline]
 munmap_vma_range mm/mmap.c:604 [inline]
 mmap_region+0x85a/0x1760 mm/mmap.c:1753
 do_mmap+0x86e/0x1180 mm/mmap.c:1584
 vm_mmap_pgoff+0x1b7/0x290 mm/util.c:519
 ksys_mmap_pgoff+0x4a8/0x620 mm/mmap.c:1635
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7fbe43056188 EFLAGS: 0246 ORIG_RAX: 0009
RAX: ffda RBX: 0056bf80 RCX: 004665e9
RDX: RSI: 2000 RDI: 20166000
RBP: 004bfcc4 R08: 0004 R09:
R10: 0013 R11: 0246 R12: 0056bf80
R13: 7fffb615701f R14: 7fbe43056300 R15: 00022000

Code disassembly (best guess):
   0: 89 c6                 mov %eax,%esi
   2: e8 7d ec 23 fd        callq 0xfd23ec84
   7: 85 db                 test %ebx,%ebx
   9: 75 1a                 jne 0x25
   b: e8 34 e5 23 fd        callq 0xfd23e544
  10: 48 89 ef              mov %rbp,%rdi
  13: 5b                    pop %rbx
  14: 5d                    pop %rbp
  15: 41 5c                 pop %r12
  17: e9 e8 61 f5 ff        jmpq 0xfff56204
  1c: e8 23 e5 23 fd        callq 0xfd23e544
  21: 0f 0b                 ud2
  23: eb ca                 jmp 0xffef
  25: e8 1a e5 23 fd        callq 0xfd23e544
  2a: 0f 0b                 ud2 <-- trapping instruction
  2c: eb dd                 jmp 0xb
  2e: e8 b1 1f 6a fd        callq 0xfd6a1fe4
  33: eb 89                 jmp 0xffbe
  35: e8 aa 1f 6a fd        callq 0xfd6a1fe4
  3a: eb a8                 jmp 0xffe4
  3c: 0f                    .byte 0xf
  3d: 1f                    (bad)
  3e: 84 00                 test %al,(%rax)

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Re: [syzbot] WARNING in drm_gem_shmem_vm_open
syzbot has bisected this issue to:

commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
Author: Daniel Vetter
Date: Fri Oct 9 23:21:56 2020 +

    drm/vkms: fbdev emulation support

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11c31d5530
start commit: 614cb2751d31 Merge tag 'trace-v5.14-rc6' of git://git.kern..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=13c31d5530
console output: https://syzkaller.appspot.com/x/log.txt?x=15c31d5530
kernel config: https://syzkaller.appspot.com/x/.config?x=96f0602203250753
dashboard link: https://syzkaller.appspot.com/bug?extid=91525b2bd4b5dff71619
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=122bce0e30

Reported-by: syzbot+91525b2bd4b5dff71...@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
memory leak in fbcon_set_font
Hello,

syzbot found the following issue on:

HEAD commit: e609571b Merge tag 'nfs-for-5.11-2' of git://git.linux-nfs..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=165261e0d0
kernel config: https://syzkaller.appspot.com/x/.config?x=850b6de5f8959443
dashboard link: https://syzkaller.appspot.com/bug?extid=2f2c18881a450f22d1bf
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16ab20c750
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1008b770d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2f2c18881a450f22d...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0x88811813ea00 (size 512):
  comm "syz-executor939", pid 10246, jiffies 4294971847 (age 34.510s)
  hex dump (first 32 bytes):
    b0 55 1f 9b 00 00 00 00 00 01 00 00 06 00 00 00  .U..
    11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  backtrace:
    [<062fad90>] kmalloc include/linux/slab.h:557 [inline]
    [<062fad90>] fbcon_set_font+0x128/0x370 drivers/video/fbdev/core/fbcon.c:2454
    [<ed2d1b1e>] con_font_set drivers/tty/vt/vt.c:4667 [inline]
    [<ed2d1b1e>] con_font_op+0x497/0x740 drivers/tty/vt/vt.c:4711
    [<fd6b18ad>] vt_io_ioctl drivers/tty/vt/vt_ioctl.c:596 [inline]
    [<fd6b18ad>] vt_ioctl+0xeab/0x19d0 drivers/tty/vt/vt_ioctl.c:817
    [<369331c6>] tty_ioctl+0x6c3/0xc40 drivers/tty/tty_io.c:2658
    [<a092c047>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<a092c047>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<a092c047>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<a092c047>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<705a3959>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<f35163f9>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0x88811813ea00 (size 512):
  comm "syz-executor939", pid 10246, jiffies 4294971847 (age 36.030s)
  hex dump (first 32 bytes):
    b0 55 1f 9b 00 00 00 00 00 01 00 00 06 00 00 00  .U..
    11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  backtrace:
    [<062fad90>] kmalloc include/linux/slab.h:557 [inline]
    [<062fad90>] fbcon_set_font+0x128/0x370 drivers/video/fbdev/core/fbcon.c:2454
    [<ed2d1b1e>] con_font_set drivers/tty/vt/vt.c:4667 [inline]
    [<ed2d1b1e>] con_font_op+0x497/0x740 drivers/tty/vt/vt.c:4711
    [<fd6b18ad>] vt_io_ioctl drivers/tty/vt/vt_ioctl.c:596 [inline]
    [<fd6b18ad>] vt_ioctl+0xeab/0x19d0 drivers/tty/vt/vt_ioctl.c:817
    [<369331c6>] tty_ioctl+0x6c3/0xc40 drivers/tty/tty_io.c:2658
    [<a092c047>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<a092c047>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<a092c047>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<a092c047>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<705a3959>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<f35163f9>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0x88811813ea00 (size 512):
  comm "syz-executor939", pid 10246, jiffies 4294971847 (age 37.550s)
  hex dump (first 32 bytes):
    b0 55 1f 9b 00 00 00 00 00 01 00 00 06 00 00 00  .U..
    11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  backtrace:
    [<062fad90>] kmalloc include/linux/slab.h:557 [inline]
    [<062fad90>] fbcon_set_font+0x128/0x370 drivers/video/fbdev/core/fbcon.c:2454
    [<ed2d1b1e>] con_font_set drivers/tty/vt/vt.c:4667 [inline]
    [<ed2d1b1e>] con_font_op+0x497/0x740 drivers/tty/vt/vt.c:4711
    [<fd6b18ad>] vt_io_ioctl drivers/tty/vt/vt_ioctl.c:596 [inline]
    [<fd6b18ad>] vt_ioctl+0xeab/0x19d0 drivers/tty/vt/vt_ioctl.c:817
    [<369331c6>] tty_ioctl+0x6c3/0xc40 drivers/tty/tty_io.c:2658
    [<a092c047>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<a092c047>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<a092c047>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<a092c047>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<705a3959>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<f35163f9>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0x88811813ea00 (size 512):
  comm "syz-executor939", pid 10246, jiffies 4294971847 (age 37.630s)
  hex dump (first 32 bytes):
    b0 55 1f 9b 00 00 00 00 00 01 00 00 06 00 00 00  .U..
    11 00 00 00 00
Re: BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
syzbot has bisected this issue to:

commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
Author: Daniel Vetter
Date: Fri Oct 9 23:21:56 2020 +

    drm/vkms: fbdev emulation support

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=148e2748d0
start commit: b3a3cbde Add linux-next specific files for 20210115
git tree: linux-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=168e2748d0
console output: https://syzkaller.appspot.com/x/log.txt?x=128e2748d0
kernel config: https://syzkaller.appspot.com/x/.config?x=6ea08dae6aab586f
dashboard link: https://syzkaller.appspot.com/bug?extid=b67aaae8d3a927f68d20
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15cd8fe0d0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17af5258d0

Reported-by: syzbot+b67aaae8d3a927f68...@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Re: BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
syzbot has found a reproducer for the following issue on:

HEAD commit: b3a3cbde Add linux-next specific files for 20210115
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=164096d750
kernel config: https://syzkaller.appspot.com/x/.config?x=6ea08dae6aab586f
dashboard link: https://syzkaller.appspot.com/bug?extid=b67aaae8d3a927f68d20
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15cd8fe0d0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17af5258d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b67aaae8d3a927f68...@syzkaller.appspotmail.com

BUG: kernel NULL pointer dereference, address:
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 12267067 P4D 12267067 PUD 11841067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8463 Comm: syz-executor088 Not tainted 5.11.0-rc3-next-20210115-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffd6.
RSP: 0018:c9000132f850 EFLAGS: 00010292
RAX: 0007 RBX: RCX: 0007
RDX: 0002 RSI: 88814394b000 RDI: 888010071000
RBP: 888010071000 R08: R09: 83ed87ea
R10: 0003 R11: 0018 R12: 88814394b000
R13: R14: R15: 0720
FS: 00db8880() GS:8880b9f0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: ffd6 CR3: 20cd8000 CR4: 001506e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 fbcon_cursor+0x50e/0x620 drivers/video/fbdev/core/fbcon.c:1336
 hide_cursor+0x85/0x280 drivers/tty/vt/vt.c:907
 redraw_screen+0x5b4/0x740 drivers/tty/vt/vt.c:1012
 vc_do_resize+0xed8/0x1150 drivers/tty/vt/vt.c:1325
 fbcon_set_disp+0x7a8/0xe10 drivers/video/fbdev/core/fbcon.c:1402
 con2fb_init_display drivers/video/fbdev/core/fbcon.c:808 [inline]
 set_con2fb_map+0x7a6/0xf80 drivers/video/fbdev/core/fbcon.c:879
 fbcon_set_con2fb_map_ioctl+0x165/0x220 drivers/video/fbdev/core/fbcon.c:3010
 do_fb_ioctl+0x5b6/0x690 drivers/video/fbdev/core/fbmem.c:1156
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4402b9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ae24f88 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 004002c8 RCX: 004402b9
RDX: 2080 RSI: 4610 RDI: 0004
RBP: 006ca018 R08: 004002c8 R09: 004002c8
R10: 004002c8 R11: 0246 R12: 00401ac0
R13: 00401b50 R14: R15:
Modules linked in:
CR2:
---[ end trace 5adb9f198fe5efa6 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffd6.
RSP: 0018:c9000132f850 EFLAGS: 00010292
RAX: 0007 RBX: RCX: 0007
RDX: 0002 RSI: 88814394b000 RDI: 888010071000
RBP: 888010071000 R08: R09: 83ed87ea
R10: 0003 R11: 0018 R12: 88814394b000
R13: R14: R15: 0720
FS: 00db8880() GS:8880b9f0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: ffd6 CR3: 20cd8000 CR4: 001506e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
KMSAN: kernel-infoleak in fb_cmap_to_user
Hello,

syzbot found the following issue on:

HEAD commit: 29ad81a1 arch/x86: add missing include to sparsemem.h
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1001ac60d0
kernel config: https://syzkaller.appspot.com/x/.config?x=c8e3b38ca92283e
dashboard link: https://syzkaller.appspot.com/bug?extid=47fa9c9c648b765305b9
compiler: Debian clang version 11.0.1-2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17ffe738d0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ca2914d0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+47fa9c9c648b76530...@syzkaller.appspotmail.com

=
BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
CPU: 1 PID: 8225 Comm: syz-executor269 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:120
 kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
 kmsan_internal_check_memory+0x484/0x520 mm/kmsan/kmsan.c:437
 kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 _copy_to_user+0x1ac/0x270 lib/usercopy.c:33
 copy_to_user include/linux/uaccess.h:209 [inline]
 fb_cmap_to_user+0x40a/0x990 drivers/video/fbdev/core/fbcmap.c:208
 do_fb_ioctl+0xc53/0x1090 drivers/video/fbdev/core/fbmem.c:1136
 fb_ioctl+0x1e4/0x210 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0x311/0x4d0 fs/ioctl.c:739
 __x64_sys_ioctl+0x4a/0x70 fs/ioctl.c:739
 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fbd9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffc68acbf98 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 00400488 RCX: 0043fbd9
RDX: 20007400 RSI: 4604 RDI: 0003
RBP: R08: 7ffc68acc138 R09: 7ffc68acc138
R10: 7ffc68acba10 R11: 0246 R12: 00403460
R13: 431bde82d7b634db R14: 004ad018 R15: 00400488

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104
 kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76
 slab_alloc_node mm/slub.c:2907 [inline]
 slab_alloc mm/slub.c:2916 [inline]
 __kmalloc+0x378/0x560 mm/slub.c:3998
 kmalloc include/linux/slab.h:557 [inline]
 fb_alloc_cmap_gfp+0x39b/0xa70 drivers/video/fbdev/core/fbcmap.c:104
 fb_alloc_cmap+0x95/0xb0 drivers/video/fbdev/core/fbcmap.c:135
 drm_fb_helper_alloc_fbi+0x106/0x3f0 drivers/gpu/drm/drm_fb_helper.c:563
 drm_fb_helper_generic_probe+0x4f3/0xc70 drivers/gpu/drm/drm_fb_helper.c:2320
 drm_fb_helper_single_fb_probe drivers/gpu/drm/drm_fb_helper.c:1658 [inline]
 __drm_fb_helper_initial_config_and_unlock+0x1cac/0x26c0 drivers/gpu/drm/drm_fb_helper.c:1816
 drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1911 [inline]
 drm_fbdev_client_hotplug+0xbb8/0xd70 drivers/gpu/drm/drm_fb_helper.c:2413
 drm_fbdev_generic_setup+0x39d/0xa00 drivers/gpu/drm/drm_fb_helper.c:2495
 vkms_init+0x880/0xa02 drivers/gpu/drm/vkms/vkms_drv.c:168
 do_one_initcall+0x362/0x8d0 init/main.c:1226
 do_initcall_level+0x1e7/0x35a init/main.c:1299
 do_initcalls+0x127/0x1cb init/main.c:1315
 do_basic_setup+0x33/0x36 init/main.c:1335
 kernel_init_freeable+0x23d/0x390 init/main.c:1536
 kernel_init+0x1f/0x840 init/main.c:1424
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Bytes 0-1 of 2 are uninitialized
Memory access of size 2 starts at 8881455651c0
Data copied to user address 20007300
=
Re: KASAN: vmalloc-out-of-bounds Write in imageblit
syzbot has found a reproducer for the following issue on:

HEAD commit: f40ddce8 Linux 5.11
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14216df4d0
kernel config: https://syzkaller.appspot.com/x/.config?x=51ab7ccac30c
dashboard link: https://syzkaller.appspot.com/bug?extid=858dc7a2f7ef07c2c219
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15f53924d0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=138b494cd0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+858dc7a2f7ef07c2c...@syzkaller.appspotmail.com

==
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x12f4/0x1430 drivers/video/fbdev/core/sysimgblt.c:275
Write of size 4 at addr c9000bc91000 by task syz-executor566/8649

CPU: 3 PID: 8649 Comm: syz-executor566 Not tainted 5.11.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5/0x2c6 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
 sys_imageblit+0x12f4/0x1430 drivers/video/fbdev/core/sysimgblt.c:275
 drm_fb_helper_sys_imageblit drivers/gpu/drm/drm_fb_helper.c:794 [inline]
 drm_fbdev_fb_imageblit+0x15c/0x350 drivers/gpu/drm/drm_fb_helper.c:2266
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x6e1/0xd20 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x35a/0x450 drivers/video/fbdev/core/fbcon.c:1304
 do_update_region+0x399/0x630 drivers/tty/vt/vt.c:676
 redraw_screen+0x658/0x790 drivers/tty/vt/vt.c:1035
 fbcon_modechanged+0x593/0x6d0 drivers/video/fbdev/core/fbcon.c:2656
 fbcon_update_vcs+0x3a/0x50 drivers/video/fbdev/core/fbcon.c:2701
 do_fb_ioctl+0x62e/0x690 drivers/video/fbdev/core/fbmem.c:1110
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fd49
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7fff0eaf1448 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 00019c10 RCX: 0043fd49
RDX: 2080 RSI: 4601 RDI: 0003
RBP: R08: 7fff0eaf15e8 R09: 7fff0eaf15e8
R10: 7fff0eaf0ec0 R11: 0246 R12: 7fff0eaf145c
R13: 431bde82d7b634db R14: 004ae018 R15: 00400488

Memory state around the buggy address:
 c9000bc90f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 c9000bc90f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>c9000bc91000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
               ^
 c9000bc91080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 c9000bc91100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==
KMSAN: kernel-infoleak in compat_drm_wait_vblank
Hello,

syzbot found the following issue on:

HEAD commit: 29ad81a1 arch/x86: add missing include to sparsemem.h
git tree: https://github.com/google/kmsan.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=111e6312d0
kernel config: https://syzkaller.appspot.com/x/.config?x=c8e3b38ca92283e
dashboard link: https://syzkaller.appspot.com/bug?extid=620cf21140fc7e772a5d
compiler: Debian clang version 11.0.1-2
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+620cf21140fc7e772...@syzkaller.appspotmail.com

=
BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
CPU: 1 PID: 26999 Comm: syz-executor.2 Not tainted 5.11.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x21c/0x280 lib/dump_stack.c:120
 kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
 kmsan_internal_check_memory+0x484/0x520 mm/kmsan/kmsan.c:437
 kmsan_copy_to_user+0x9c/0xb0 mm/kmsan/kmsan_hooks.c:249
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 _copy_to_user+0x1ac/0x270 lib/usercopy.c:33
 copy_to_user include/linux/uaccess.h:209 [inline]
 compat_drm_wait_vblank+0x36f/0x450 drivers/gpu/drm/drm_ioc32.c:866
 drm_compat_ioctl+0x3f6/0x590 drivers/gpu/drm/drm_ioc32.c:995
 __do_compat_sys_ioctl fs/ioctl.c:842 [inline]
 __se_compat_sys_ioctl+0x53d/0x1100 fs/ioctl.c:793
 __ia32_compat_sys_ioctl+0x4a/0x70 fs/ioctl.c:793
 do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]
 __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141
 do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166
 do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7f47549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:f55415fc EFLAGS: 0296 ORIG_RAX: 0036
RAX: ffda RBX: 0003 RCX: c018643a
RDX: 2100 RSI: RDI:
RBP: R08: R09:
R10: R11: R12:
R13: R14: R15:

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline]
 kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289
 __msan_chain_origin+0x57/0xa0 mm/kmsan/kmsan_instr.c:147
 compat_drm_wait_vblank+0x43c/0x450 drivers/gpu/drm/drm_ioc32.c:865
 drm_compat_ioctl+0x3f6/0x590 drivers/gpu/drm/drm_ioc32.c:995
 __do_compat_sys_ioctl fs/ioctl.c:842 [inline]
 __se_compat_sys_ioctl+0x53d/0x1100 fs/ioctl.c:793
 __ia32_compat_sys_ioctl+0x4a/0x70 fs/ioctl.c:793
 do_syscall_32_irqs_on arch/x86/entry/common.c:79 [inline]
 __do_fast_syscall_32+0x102/0x160 arch/x86/entry/common.c:141
 do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:166
 do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:209
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Local variable req@compat_drm_wait_vblank created at:
 compat_drm_wait_vblank+0x7b/0x450 drivers/gpu/drm/drm_ioc32.c:849
 compat_drm_wait_vblank+0x7b/0x450 drivers/gpu/drm/drm_ioc32.c:849

Bytes 12-15 of 16 are uninitialized
Memory access of size 16 starts at 88814ffe3c98
Data copied to user address 2100
=
[syzbot] WARNING in __hrtimer_run_queues
Hello,

syzbot found the following issue on:

HEAD commit:    144c79ef Merge tag 'perf-tools-fixes-for-v5.12-2020-03-07'..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16972ea2d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=9008fb06fa15d749
dashboard link: https://syzkaller.appspot.com/bug?extid=b0b2da1e0f732c818975
compiler:       Debian clang version 11.0.1-2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b0b2da1e0f732c818...@syzkaller.appspotmail.com

------------[ cut here ]------------
raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 1 PID: 10032 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x1f/0x30 kernel/locking/irqflag-debug.c:10
Modules linked in:
CPU: 1 PID: 10032 Comm: syz-executor.2 Not tainted 5.12.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:warn_bogus_irq_restore+0x1f/0x30 kernel/locking/irqflag-debug.c:10
------------[ cut here ]------------
WARNING: CPU: 1 PID: 10032 at drivers/gpu/drm/vkms/vkms_crtc.c:21 vkms_vblank_simulate+0x2c1/0x320 drivers/gpu/drm/vkms/vkms_crtc.c:21
Modules linked in:
CPU: 1 PID: 10032 Comm: syz-executor.2 Not tainted 5.12.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:vkms_vblank_simulate+0x2c1/0x320 drivers/gpu/drm/vkms/vkms_crtc.c:21
Call Trace:
 __run_hrtimer kernel/time/hrtimer.c:1519 [inline]
 __hrtimer_run_queues+0x4c9/0xa00 kernel/time/hrtimer.c:1583
 hrtimer_interrupt+0x393/0xf70 kernel/time/hrtimer.c:1645
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1089 [inline]
 __sysvec_apic_timer_interrupt+0xf9/0x270 arch/x86/kernel/apic/apic.c:1106
 sysvec_apic_timer_interrupt+0x3e/0xb0 arch/x86/kernel/apic/apic.c:1100
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:console_unlock+0xaab/0xe00 kernel/printk/printk.c:2586
 vprintk_emit+0x1ab/0x270 kernel/printk/printk.c:2098
 printk+0x62/0x83 kernel/printk/printk.c:2146
 show_opcodes+0xc1/0xe0 arch/x86/kernel/dumpstack.c:129
 show_ip arch/x86/kernel/dumpstack.c:150 [inline]
 show_iret_regs+0x2f/0x60 arch/x86/kernel/dumpstack.c:155
 __show_regs+0x29/0x580 arch/x86/kernel/process_64.c:73
 show_regs+0x35/0x60 arch/x86/kernel/dumpstack.c:469
 __warn+0x12f/0x270 kernel/panic.c:595
 report_bug+0x1b1/0x2e0 lib/bug.c:195
 handle_bug+0x3d/0x70 arch/x86/kernel/traps.c:239
 exc_invalid_op+0x16/0x40 arch/x86/kernel/traps.c:259
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:575
RIP: 0010:warn_bogus_irq_restore+0x1f/0x30 kernel/locking/irqflag-debug.c:10
[syzbot] upstream boot error: WARNING in vkms_vblank_simulate
Hello,

syzbot found the following issue on:

HEAD commit:    f78d76e7 Merge tag 'drm-fixes-2021-03-12-1' of git://anong..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11c16ba2d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=dc02c6afcb046874
dashboard link: https://syzkaller.appspot.com/bug?extid=333bd014262fd5d0a418
userspace arch: arm

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+333bd014262fd5d0a...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 0 at drivers/gpu/drm/vkms/vkms_crtc.c:21 vkms_vblank_simulate+0x26c/0x2f4 drivers/gpu/drm/vkms/vkms_crtc.c:41
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc2-syzkaller-00338-gf78d76e72a46 #0
Hardware name: linux,dummy-virt (DT)
pstate: 2085 (nzCv daIf -PAN -UAO -TCO BTYPE=--)
pc : vkms_vblank_simulate+0x26c/0x2f4 drivers/gpu/drm/vkms/vkms_crtc.c:21
lr : hrtimer_forward_now include/linux/hrtimer.h:510 [inline]
lr : vkms_vblank_simulate+0x90/0x2f4 drivers/gpu/drm/vkms/vkms_crtc.c:19
Call trace:
 vkms_vblank_simulate+0x26c/0x2f4 drivers/gpu/drm/vkms/vkms_crtc.c:41
 __run_hrtimer kernel/time/hrtimer.c:1519 [inline]
 __hrtimer_run_queues+0x590/0xe40 kernel/time/hrtimer.c:1583
 hrtimer_interrupt+0x2d4/0x810 kernel/time/hrtimer.c:1645
 timer_handler drivers/clocksource/arm_arch_timer.c:647 [inline]
 arch_timer_handler_phys+0x4c/0x70 drivers/clocksource/arm_arch_timer.c:665
 handle_percpu_devid_irq+0x19c/0x330 kernel/irq/chip.c:930
 generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
 generic_handle_irq kernel/irq/irqdesc.c:652 [inline]
 __handle_domain_irq+0x11c/0x1f0 kernel/irq/irqdesc.c:689
 handle_domain_irq include/linux/irqdesc.h:176 [inline]
 gic_handle_irq+0x5c/0x1b0 drivers/irqchip/irq-gic.c:370
 el1_irq+0xb4/0x180 arch/arm64/kernel/entry.S:669
 arch_local_irq_restore arch/arm64/include/asm/irqflags.h:124 [inline]
 queue_work_on+0x74/0x110 kernel/workqueue.c:1528
 queue_work include/linux/workqueue.h:507 [inline]
 cursor_timer_handler+0x64/0x100 drivers/video/fbdev/core/fbcon.c:397
 call_timer_fn+0x1d4/0x9c4 kernel/time/timer.c:1431
 expire_timers kernel/time/timer.c:1476 [inline]
 __run_timers.part.0+0x530/0xa00 kernel/time/timer.c:1745
 __run_timers kernel/time/timer.c:1726 [inline]
 run_timer_softirq+0xa4/0x1a0 kernel/time/timer.c:1758
 _stext+0x2b4/0x1084
 do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
 invoke_softirq kernel/softirq.c:228 [inline]
 __irq_exit_rcu+0x46c/0x510 kernel/softirq.c:422
 irq_exit+0x14/0x84 kernel/softirq.c:446
 __handle_domain_irq+0x120/0x1f0 kernel/irq/irqdesc.c:692
 handle_domain_irq include/linux/irqdesc.h:176 [inline]
 gic_handle_irq+0x5c/0x1b0 drivers/irqchip/irq-gic.c:370
 el1_irq+0xb4/0x180 arch/arm64/kernel/entry.S:669
 arch_local_irq_enable+0xc/0x14 arch/arm64/include/asm/irqflags.h:37
 default_idle_call+0x64/0xf4 kernel/sched/idle.c:112
 cpuidle_idle_call kernel/sched/idle.c:194 [inline]
 do_idle+0x38c/0x4ec kernel/sched/idle.c:300
 cpu_startup_entry+0x28/0x80 kernel/sched/idle.c:397
 rest_init+0x1d0/0x2cc init/main.c:721
 arch_call_rest_init+0x10/0x1c
 start_kernel+0x3b0/0x3e8 init/main.c:1064
 0x0
[syzbot] WARNING in drm_wait_one_vblank
Hello,

syzbot found the following issue on:

HEAD commit:    d2b6f8a1 Merge tag 'xfs-5.13-merge-3' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12c5b2c3d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=65c207250bba4efe
dashboard link: https://syzkaller.appspot.com/bug?extid=6f7fe2dbc479dca0ed17

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6f7fe2dbc479dca0e...@syzkaller.appspotmail.com

------------[ cut here ]------------
platform vkms: vblank wait timed out on crtc 0
WARNING: CPU: 0 PID: 11785 at drivers/gpu/drm/drm_vblank.c:1269 drm_wait_one_vblank+0x2be/0x500 drivers/gpu/drm/drm_vblank.c:1269
Modules linked in:
CPU: 0 PID: 11785 Comm: syz-executor.0 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:drm_wait_one_vblank+0x2be/0x500 drivers/gpu/drm/drm_vblank.c:1269
Call Trace:
 drm_fb_helper_ioctl+0x159/0x1a0 drivers/gpu/drm/drm_fb_helper.c:1197
 do_fb_ioctl+0x1d5/0x690 drivers/video/fbdev/core/fbmem.c:1171
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:1069 [inline]
 __se_sys_ioctl fs/ioctl.c:1055 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:1055
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665f9
general protection fault in drm_client_buffer_vunmap
Hello,

syzbot found the following issue on:

HEAD commit:    6147c83f Add linux-next specific files for 20201126
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=109130a550
kernel config:  https://syzkaller.appspot.com/x/.config?x=9b91566da897c24f
dashboard link: https://syzkaller.appspot.com/bug?extid=10328e8428a896b65119
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1254136950
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1365c66350

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+10328e8428a896b65...@syzkaller.appspotmail.com

[drm] Initialized udl on minor 2
[drm:udl_get_edid_block] *ERROR* Read EDID byte 0 failed err ffb9
udl 1-1:0.0: [drm] Cannot find any crtc or sizes
usb 1-1: USB disconnect, device number 2
general protection fault, probably for non-canonical address 0xdc02: [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0010-0x0017]
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.10.0-rc5-next-20201126-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:drm_client_buffer_vunmap+0x26/0x50 drivers/gpu/drm/drm_client.c:347
Call Trace:
 drm_fbdev_cleanup+0x380/0x440 drivers/gpu/drm/drm_fb_helper.c:2042
 drm_fbdev_release drivers/gpu/drm/drm_fb_helper.c:2049 [inline]
 drm_fbdev_client_unregister+0x61/0x80 drivers/gpu/drm/drm_fb_helper.c:2376
 drm_client_dev_unregister+0x239/0x3b0 drivers/gpu/drm/drm_client.c:175
 drm_dev_unregister+0xe9/0x2b0 drivers/gpu/drm/drm_drv.c:942
 usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458
 __device_release_driver+0x3bd/0x6f0 drivers/base/dd.c:1154
 device_release_driver_internal drivers/base/dd.c:1185 [inline]
 device_release_driver+0x26/0x40 drivers/base/dd.c:1208
 bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:533
 device_del+0x502/0xec0 drivers/base/core.c:3113
 usb_disable_device+0x35b/0x7b0 drivers/usb/core/message.c:1417
 usb_disconnect.cold+0x27d/0x780 drivers/usb/core/hub.c:2218
 hub_port_connect drivers/usb/core/hub.c:5074 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
 port_event drivers/usb/core/hub.c:5509 [inline]
 hub_event+0x1c8a/0x42d0 drivers/usb/core/hub.c:5591
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2272
 process_scheduled_works kernel/workqueue.c:2334 [inline]
 worker_thread+0x82b/0x1120 kernel/workqueue.c:2420
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 5e45793b7de819bc ]---
RIP: 0010:drm_client_buffer_vunmap+0x26/0x50 drivers/gpu/drm/drm_client.c:347

syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
[syzbot] BUG: unable to handle kernel paging request in vga16fb_fillrect
Hello,

syzbot found the following issue on:

HEAD commit:    3dbdb38e Merge branch 'for-5.14' of git://git.kernel.org/p..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1323c40230
kernel config:  https://syzkaller.appspot.com/x/.config?x=a1fcf15a09815757
dashboard link: https://syzkaller.appspot.com/bug?extid=04168c8063cfdde1db5e
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11f0e77230
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1114b9b030

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10fa45d830
final oops:     https://syzkaller.appspot.com/x/report.txt?x=12fa45d830
console output: https://syzkaller.appspot.com/x/log.txt?x=14fa45d830

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+04168c8063cfdde1d...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: 88800150
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD 10e01067 P4D 10e01067 PUD 10e02067 PMD 810001e1
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8433 Comm: syz-executor067 Tainted: G W 5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga16fb_fillrect+0x993/0x18d0 drivers/video/fbdev/vga16fb.c:923
Call Trace:
 bit_clear_margins+0x3f6/0x4b0 drivers/video/fbdev/core/bitblit.c:224
 fbcon_clear_margins+0x1f1/0x280 drivers/video/fbdev/core/fbcon.c:1315
 fbcon_switch+0xa8c/0x1620 drivers/video/fbdev/core/fbcon.c:2146
 redraw_screen+0x2b9/0x740 drivers/tty/vt/vt.c:1021
 fbcon_modechanged+0x593/0x6d0 drivers/video/fbdev/core/fbcon.c:2651
 fbcon_update_vcs+0x3a/0x50 drivers/video/fbdev/core/fbcon.c:2696
 do_fb_ioctl+0x62e/0x690 drivers/video/fbdev/core/fbmem.c:1110
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:1069 [inline]
 __se_sys_ioctl fs/ioctl.c:1055 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:1055
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43efd9
Modules linked in:
---[ end trace 39dce64bc5621bd3 ]---
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga16fb_fillrect+0x993/0x18d0 drivers/video/fbdev/vga16fb.c:923
BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
Hello,

syzbot found the following issue on:

HEAD commit:    6dd65e60 Add linux-next specific files for 20201110
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1276af6250
kernel config:  https://syzkaller.appspot.com/x/.config?x=4fab43daf5c54712
dashboard link: https://syzkaller.appspot.com/bug?extid=b67aaae8d3a927f68d20
compiler:       gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b67aaae8d3a927f68...@syzkaller.appspotmail.com

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 4e683067 P4D 4e683067 PUD 14850067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9433 Comm: syz-executor.5 Not tainted 5.10.0-rc3-next-20201110-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffd6.
Call Trace:
 fbcon_cursor+0x50e/0x620 drivers/video/fbdev/core/fbcon.c:1346
 hide_cursor+0x85/0x280 drivers/tty/vt/vt.c:907
 redraw_screen+0x5ed/0x790 drivers/tty/vt/vt.c:1012
 vc_do_resize+0xed3/0x1150 drivers/tty/vt/vt.c:1326
 fbcon_set_disp+0x831/0xda0 drivers/video/fbdev/core/fbcon.c:1413
 con2fb_init_display drivers/video/fbdev/core/fbcon.c:816 [inline]
 set_con2fb_map+0x7a6/0xf80 drivers/video/fbdev/core/fbcon.c:887
 fbcon_set_con2fb_map_ioctl+0x165/0x220 drivers/video/fbdev/core/fbcon.c:3072
 do_fb_ioctl+0x5b6/0x690 drivers/video/fbdev/core/fbmem.c:1156
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45deb9
Modules linked in:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 4e683067 P4D 4e683067 PUD 14850067 PMD 0
Oops: 0010 [#2] PREEMPT SMP KASAN
CPU: 0 PID: 9433 Comm: syz-executor.5 Not tainted 5.10.0-rc3-next-20201110-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffd6.
Call Trace:
 fbcon_cursor+0x50e/0x620 drivers/video/fbdev/core/fbcon.c:1346
 hide_cursor+0x85/0x280 drivers/tty/vt/vt.c:907
 redraw_screen+0x5ed/0x790 drivers/tty/vt/vt.c:1012
 fbcon_blank+0x8c5/0xc30 drivers/video/fbdev/core/fbcon.c:2248
 do_unblank_screen+0x25b/0x470 drivers/tty/vt/vt.c:4406
 bust_spinlocks+0x5b/0xe0 lib/bust_spinlocks.c:26
 oops_end+0x2b/0xe0 arch/x86/kernel/dumpstack.c:346
 no_context+0x5f2/0xa20 arch/x86/mm/
BUG: unable to handle kernel paging request in bitfill_aligned (2)
Hello,

syzbot found the following issue on:

HEAD commit:    0062442e Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16584b8150
kernel config:  https://syzkaller.appspot.com/x/.config?x=f9aa2432c01bcb1f
dashboard link: https://syzkaller.appspot.com/bug?extid=a4edd73d589b0b7efbeb
compiler:       gcc (GCC) 10.1.0-syz 20200507
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a4edd73d589b0b7ef...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: 88800100
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD fc01067 P4D fc01067 PUD fc02067 PMD 810001e1
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12457 Comm: syz-executor.5 Not tainted 5.10.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__writeq arch/x86/include/asm/io.h:98 [inline]
RIP: 0010:bitfill_aligned drivers/video/fbdev/core/cfbfillrect.c:70 [inline]
RIP: 0010:bitfill_aligned+0x11d/0x200 drivers/video/fbdev/core/cfbfillrect.c:35
Call Trace:
 cfb_fillrect+0x40b/0x7b0 drivers/video/fbdev/core/cfbfillrect.c:327
 vga16fb_fillrect+0x683/0x1940 drivers/video/fbdev/vga16fb.c:951
 bit_clear_margins+0x3f6/0x4b0 drivers/video/fbdev/core/bitblit.c:224
 fbcon_clear_margins+0x1f1/0x280 drivers/video/fbdev/core/fbcon.c:1325
 fbcon_switch+0xafe/0x16b0 drivers/video/fbdev/core/fbcon.c:2187
 redraw_screen+0x2b9/0x790 drivers/tty/vt/vt.c:1021
 vc_do_resize+0xed8/0x1150 drivers/tty/vt/vt.c:1326
 vt_resize+0xa3/0xe0 drivers/tty/vt/vt.c:1367
 tiocswinsz drivers/tty/tty_io.c:2278 [inline]
 tty_ioctl+0x11a2/0x1600 drivers/tty/tty_io.c:2576
 tty_compat_ioctl+0x295/0x410 drivers/tty/tty_io.c:2818
 __do_compat_sys_ioctl+0x1d3/0x230 fs/ioctl.c:842
 do_syscall_32_irqs_on arch/x86/entry/common.c:78 [inline]
 __do_fast_syscall_32+0x56/0x80 arch/x86/entry/common.c:137
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:160
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7f48549
Modules linked in:
---[ end trace 7c559c247d0f5502 ]---
RIP: 0010:__writeq arch/x86/include/asm/io.h:98 [inline]
RIP: 0010:bitfill_aligned drivers/video/fbdev/core/cfbfillrect.c:70 [inline]
RIP: 0010:bitfill_aligned+0x11d/0x200 drivers/video/fbdev/core/cfbfillrect.c:35
general protection fault in drm_atomic_set_crtc_for_connector
Hello,

syzbot found the following issue on:

HEAD commit:    03430750 Add linux-next specific files for 20201116
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=123c946a50
kernel config:  https://syzkaller.appspot.com/x/.config?x=a1c4c3f27041fdb8
dashboard link: https://syzkaller.appspot.com/bug?extid=1aec08e752387f55c449
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1521398150
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1659041650

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1aec08e752387f55c...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdc00: [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x-0x0007]
CPU: 1 PID: 8503 Comm: syz-executor619 Not tainted 5.10.0-rc3-next-20201116-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:drm_atomic_set_crtc_for_connector+0x426/0x5f0 drivers/gpu/drm/drm_atomic_uapi.c:342
Call Trace:
 update_output_state drivers/gpu/drm/drm_atomic.c:1454 [inline]
 __drm_atomic_helper_set_config+0x72a/0xe80 drivers/gpu/drm/drm_atomic.c:1568
 drm_client_modeset_commit_atomic+0x527/0x7c0 drivers/gpu/drm/drm_client_modeset.c:1023
 drm_client_modeset_commit_locked+0x145/0x580 drivers/gpu/drm/drm_client_modeset.c:1145
 drm_client_modeset_commit+0x4d/0x80 drivers/gpu/drm/drm_client_modeset.c:1171
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:252 [inline]
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:231 [inline]
 drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:279 [inline]
 drm_fb_helper_lastclose drivers/gpu/drm/drm_fb_helper.c:1942 [inline]
 drm_fbdev_client_restore+0xe3/0x1a0 drivers/gpu/drm/drm_fb_helper.c:2334
 drm_client_dev_restore+0x17f/0x270 drivers/gpu/drm/drm_client.c:226
 drm_lastclose drivers/gpu/drm/drm_file.c:468 [inline]
 drm_release+0x441/0x530 drivers/gpu/drm/drm_file.c:499
 __fput+0x283/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x190 kernel/task_work.c:140
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xb9b/0x29f0 kernel/exit.c:823
 do_group_exit+0x125/0x310 kernel/exit.c:920
 __do_sys_exit_group kernel/exit.c:931 [inline]
 __se_sys_exit_group kernel/exit.c:929 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:929
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x443b18
Code: Unable to access opcode bytes at RIP 0x443aee.
Modules linked in:
---[ end trace f24317b9689e8a7a ]---
RIP: 0010:drm_atomic_set_crtc_for_connector+0x426/0x5f0 drivers/gpu/drm/drm_atomic_uapi.c:342
[syzbot] WARNING in drm_prime_destroy_file_private
Hello,

syzbot found the following issue on:

HEAD commit:    ea4424be1688 Merge tag 'mtd/fixes-for-5.17-rc8' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14095f9e70
kernel config:  https://syzkaller.appspot.com/x/.config?x=aba0ab2928a512c2
dashboard link: https://syzkaller.appspot.com/bug?extid=2448673875b4e20db46a
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2448673875b4e20db...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 16791 at drivers/gpu/drm/drm_prime.c:228 drm_prime_destroy_file_private+0x3e/0x50 drivers/gpu/drm/drm_prime.c:228
Modules linked in:
CPU: 1 PID: 16791 Comm: syz-executor.5 Not tainted 5.17.0-rc7-syzkaller-00020-gea4424be1688 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:drm_prime_destroy_file_private+0x3e/0x50 drivers/gpu/drm/drm_prime.c:228
Code: 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 1f 48 8b 83 90 00 00 00 48 85 c0 75 06 5b e9 e7 6c 1d fd e8 e2 6c 1d fd <0f> 0b 5b e9 da 6c 1d fd e8 05 5a 64 fd eb da 0f 1f 00 41 55 49 89
RSP: 0018:c90002af79e0 EFLAGS: 00010293
RAX: RBX: 888025e72370 RCX:
RDX: 8880727aa1c0 RSI: 845a788e RDI: 888025e72400
RBP: 8881471d4068 R08: 0001 R09: 0001
R10: 817e23e8 R11: 00088078 R12: 888025e72000
R13: 888025e722b8 R14: 8881471d4098 R15:
FS: () GS:8880b9d0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7ffea39ef0d8 CR3: 791d8000 CR4: 003506e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 drm_file_free.part.0+0x6e5/0xb80 drivers/gpu/drm/drm_file.c:291
 drm_file_free drivers/gpu/drm/drm_file.c:248 [inline]
 drm_close_helper.isra.0+0x17d/0x1f0 drivers/gpu/drm/drm_file.c:308
 drm_release+0x1e6/0x530 drivers/gpu/drm/drm_file.c:495
 __fput+0x286/0x9f0 fs/file_table.c:317
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xb29/0x2a30 kernel/exit.c:806
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 get_signal+0x45a/0x2490 kernel/signal.c:2863
 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:288
RIP: 0033:0x7f836c6a0471
Code: Unable to access opcode bytes at RIP 0x7f836c6a0447.
RSP: 002b:7f836afd22f0 EFLAGS: 0206 ORIG_RAX: 0038
RAX: RBX: 7f836afd2700 RCX: 7f836c6a0471
RDX: 7f836afd29d0 RSI: 7f836afd22f0 RDI: 003d0f00
RBP: 7ffed5e285a0 R08: 7f836afd2700 R09: 7f836afd2700
R10: 7f836afd29d0 R11: 0206 R12: 7ffed5e2840e
R13: 7ffed5e2840f R14: 7f836afd2300 R15: 00022000

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
[syzbot] general protection fault in dma_fence_array_first
Hello,

syzbot found the following issue on:

HEAD commit:    8515d05bf6bc Add linux-next specific files for 20220328
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1694e21b70
kernel config:  https://syzkaller.appspot.com/x/.config?x=530c68bef4e2b8a8
dashboard link: https://syzkaller.appspot.com/bug?extid=5c943fe38e86d615cac2
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1467313b70
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=121b7cb970

The issue was bisected to:

commit 519f490db07e1a539490612f376487f61e48e39c
Author: Christian König
Date:   Fri Mar 11 09:32:26 2022 +

    dma-buf/sync-file: fix warning about fence containers

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1058277d70
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1258277d70
console output: https://syzkaller.appspot.com/x/log.txt?x=1458277d70

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5c943fe38e86d615c...@syzkaller.appspotmail.com
Fixes: 519f490db07e ("dma-buf/sync-file: fix warning about fence containers")

general protection fault, probably for non-canonical address 0xdc02: [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0010-0x0017]
CPU: 1 PID: 3595 Comm: syz-executor814 Not tainted 5.17.0-next-20220328-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dma_fence_array_first+0x78/0xb0 drivers/dma-buf/dma-fence-array.c:234
Code: 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 43 48 8b 9b 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 75 1b 4c 8b 23 e8 fa a9 e0 fc 4c 89 e0 5b 41 5c c3 45
RSP: 0018:c90003a4fd48 EFLAGS: 00010202
RAX: dc00 RBX: 0010 RCX:
RDX: 0002 RSI: 84980052 RDI: 888015c76388
RBP: 888015c76300 R08: R09: 888015c7633b
R10: 8498f6ba R11: R12: 888015c76300
R13: 888015c76690 R14: c0383e04 R15: 20001840
FS: 56872300() GS:8880b9d0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 20001528 CR3: 1e82f000 CR4: 003506e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 __dma_fence_unwrap_array include/linux/dma-fence-unwrap.h:42 [inline]
 dma_fence_unwrap_first include/linux/dma-fence-unwrap.h:57 [inline]
 sync_file_ioctl_fence_info drivers/dma-buf/sync_file.c:414 [inline]
 sync_file_ioctl+0x248/0x22c0 drivers/dma-buf/sync_file.c:477
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f6aae8951b9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffedd290238 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: RCX: 7f6aae8951b9
RDX: 20001840 RSI: c0383e04 RDI: 0007
RBP: 7f6aae8591a0 R08: R09:
R10: R11: 0246 R12: 7f6aae859230
R13: R14: R15:
Modules linked in:
---[ end trace ]---
RIP: 0010:dma_fence_array_first+0x78/0xb0 drivers/dma-buf/dma-fence-array.c:234
Code: 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 43 48 8b 9b 88 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 75 1b 4c 8b 23 e8 fa a9 e0 fc 4c 89 e0 5b 41 5c c3 45
RSP: 0018:c90003a4fd48 EFLAGS: 00010202
RAX: dc00 RBX: 0010 RCX:
RDX: 0002 RSI: 84980052 RDI: 888015c76388
RBP: 888015c76300 R08: R09: 888015c7633b
R10: 8498f6ba R11: R12: 888015c76300
R13: 888015c76690 R14: c0383e04 R15: 20001840
FS: 56872300() GS:8880b9d0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 20001528 CR3: 1e82f000 CR4: 003506e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Code disassembly (best guess), 4 bytes skipped:
   0: df 48 89fi
Re: [syzbot] general protection fault in dma_fence_array_first
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+5c943fe38e86d615c...@syzkaller.appspotmail.com

Tested on:

commit:         c2528a0c Add linux-next specific files for 20220329
git tree:       linux-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=88d1370cc1f241e6
dashboard link: https://syzkaller.appspot.com/bug?extid=5c943fe38e86d615cac2
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=128372e770

Note: testing is done by a robot and is best-effort only.
[syzbot] BUG: unable to handle kernel paging request in cfb_imageblit (2)
Hello,

syzbot found the following issue on:

HEAD commit:    78e709522d2c Merge tag 'for_linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16029aed30
kernel config:  https://syzkaller.appspot.com/x/.config?x=2150ebd7e72fa695
dashboard link: https://syzkaller.appspot.com/bug?extid=219cc51510158a7d8290
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+219cc51510158a7d8...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: 88800010f038
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD 10801067 P4D 10801067 PUD 10802067 PMD 10803067 PTE 8010f161
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7973 Comm: kworker/0:4 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_power_efficient fb_flashcursor
RIP: 0010:__writel arch/x86/include/asm/io.h:71 [inline]
RIP: 0010:fast_imageblit drivers/video/fbdev/core/cfbimgblt.c:257 [inline]
RIP: 0010:cfb_imageblit+0x648/0x1240 drivers/video/fbdev/core/cfbimgblt.c:300
Code: 42 0f b6 0c 3a 48 89 c2 83 e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 1f 0b 00 00 8b 7c 24 18 49 8d 5e 04 23 38 8b 44 24 10 31 f8 <41> 89 06 31 ff 44 89 e6 e8 ab 85 69 fd 45 85 e4 75 0f e8 61 7e 69
RSP: 0018:c900171af970 EFLAGS: 00010246
RAX: RBX: 88800010f03c RCX:
RDX: 0003 RSI: 840c8e86 RDI:
RBP: 8880180a5359 R08: 001f R09: 840c8d14
R10: 840c8e77 R11: 0008 R12: 0004
R13: 0001 R14: 88800010f038 R15: dc00
FS: () GS:8880b9c0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 88800010f038 CR3: 1e6a CR4: 00350ef0
Call Trace:
 vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1207 [inline]
 vga16fb_imageblit+0x681/0x2200 drivers/video/fbdev/vga16fb.c:1260
 soft_cursor+0x514/0xa30 drivers/video/fbdev/core/softcursor.c:74
 bit_cursor+0xd07/0x1740 drivers/video/fbdev/core/bitblit.c:377
 fb_flashcursor+0x38b/0x430 drivers/video/fbdev/core/fbcon.c:387
 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
CR2: 88800010f038
---[ end trace 3e2fb001e55b5406 ]---
RIP: 0010:__writel arch/x86/include/asm/io.h:71 [inline]
RIP: 0010:fast_imageblit drivers/video/fbdev/core/cfbimgblt.c:257 [inline]
RIP: 0010:cfb_imageblit+0x648/0x1240 drivers/video/fbdev/core/cfbimgblt.c:300
Code: 42 0f b6 0c 3a 48 89 c2 83 e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 1f 0b 00 00 8b 7c 24 18 49 8d 5e 04 23 38 8b 44 24 10 31 f8 <41> 89 06 31 ff 44 89 e6 e8 ab 85 69 fd 45 85 e4 75 0f e8 61 7e 69
RSP: 0018:c900171af970 EFLAGS: 00010246
RAX: RBX: 88800010f03c RCX:
RDX: 0003 RSI: 840c8e86 RDI:
RBP: 8880180a5359 R08: 001f R09: 840c8d14
R10: 840c8e77 R11: 0008 R12: 0004
R13: 0001 R14: 88800010f038 R15: dc00
FS: () GS:8880b9c0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 88800010f038 CR3: 1e6a CR4: 00350ef0
Code disassembly (best guess):
   0:   42 0f b6 0c 3a          movzbl (%rdx,%r15,1),%ecx
   5:   48 89 c2                mov    %rax,%rdx
   8:   83 e2 07                and    $0x7,%edx
   b:   83 c2 03                add    $0x3,%edx
   e:   38 ca                   cmp    %cl,%dl
  10:   7c 08                   jl     0x1a
  12:   84 c9                   test   %cl,%cl
  14:   0f 85 1f 0b 00 00       jne    0xb39
  1a:   8b 7c 24 18             mov    0x18(%rsp),%edi
  1e:   49 8d 5e 04             lea    0x4(%r14),%rbx
  22:   23 38                   and    (%rax),%edi
  24:   8b 44 24 10             mov    0x10(%rsp),%eax
  28:   31 f8                   xor    %edi,%eax
* 2a:   41 89 06                mov    %eax,(%r14) <-- trapping instruction
  2d:   31 ff                   xor    %edi,%edi
  2f:   44 89 e6                mov    %r12d,%esi
  32:   e8 ab 85 69 fd          callq  0xfd6985e2
  37:   45 85 e4                test   %r12d,%r12d
  3a:   75 0f                   jne    0x4b
  3c:   e8                      .byte 0xe8
  3d:   61                      (bad)
  3e:   7e 69                   jle    0xa9

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for
[syzbot] kernel BUG in vmf_insert_pfn_prot
Hello,

syzbot found the following issue on:

HEAD commit:    9004fd387338 Add linux-next specific files for 20210917
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17ecf0ad30
kernel config:  https://syzkaller.appspot.com/x/.config?x=45d5ac72f31f29f3
dashboard link: https://syzkaller.appspot.com/bug?extid=2d4f8693f438d2bd4bdb
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2d4f8693f438d2bd4...@syzkaller.appspotmail.com

[ cut here ]
kernel BUG at mm/memory.c:2103!
invalid opcode: [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8279 Comm: syz-executor.0 Not tainted 5.15.0-rc1-next-20210917-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:vmf_insert_pfn_prot+0x248/0x450 mm/memory.c:2103
Code: 0f 0b e8 6b d0 ca ff 4d 89 f7 bf 20 00 00 00 41 83 e7 28 4c 89 fe e8 b7 d5 ca ff 49 83 ff 20 0f 85 a5 fe ff ff e8 48 d0 ca ff <0f> 0b 49 be ff ff ff ff ff ff 0f 00 e8 37 d0 ca ff 4d 21 ee 4c 89
RSP: :c90005f47bd0 EFLAGS: 00010293
RAX: RBX: 192000be8f7c RCX:
RDX: 888050adb900 RSI: 81ab3e18 RDI: 0003
RBP: 88807e3bcc60 R08: 0020 R09: c90005f47bb7
R10: 81ab3e09 R11: 11ebb3fc R12: 2001d000
R13: 00145dc3 R14: 08140476 R15: 0020
FS: 55f1e400() GS:8880b9c0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 5608abbf4250 CR3: 6e072000 CR4: 001506f0
Call Trace:
 drm_gem_shmem_fault+0x1e3/0x290 drivers/gpu/drm/drm_gem_shmem_helper.c:564
 __do_fault+0x10d/0x4d0 mm/memory.c:3848
 do_cow_fault mm/memory.c:4184 [inline]
 do_fault mm/memory.c:4285 [inline]
 handle_pte_fault mm/memory.c:4541 [inline]
 __handle_mm_fault+0x370e/0x5120 mm/memory.c:4676
 handle_mm_fault+0x1c8/0x790 mm/memory.c:4774
 do_user_addr_fault+0x48b/0x11c0 arch/x86/mm/fault.c:1390
 handle_page_fault arch/x86/mm/fault.c:1475 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1531
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:568
RIP: 0033:0x7f1096c04d5a
Code: 30 48 8b 34 24 48 85 f6 74 17 8b 44 24 18 0f c8 89 c0 48 89 44 24 18 48 83 fe 01 0f 85 a1 01 00 00 48 8b 44 24 10 8b 74 24 18 <89> 30 e9 d2 fc ff ff 48 8b 44 24 10 8b 10 48 8b 04 24 48 85 c0 0f
RSP: 002b:7ffd0b939970 EFLAGS: 00010246
RAX: 2001d000 RBX: 7f109716c000 RCX:
RDX: 182c4ff2a4394aee RSI: 0001 RDI: 55f1e2f0
RBP: 7ffd0b939a68 R08: R09:
R10: 0004 R11: e900f6d2 R12: 001760c0
R13: 03e8 R14: 7f1096d67f80 R15: 00176064
Modules linked in:
---[ end trace 1a78047d43092735 ]---
RIP: 0010:vmf_insert_pfn_prot+0x248/0x450 mm/memory.c:2103
Code: 0f 0b e8 6b d0 ca ff 4d 89 f7 bf 20 00 00 00 41 83 e7 28 4c 89 fe e8 b7 d5 ca ff 49 83 ff 20 0f 85 a5 fe ff ff e8 48 d0 ca ff <0f> 0b 49 be ff ff ff ff ff ff 0f 00 e8 37 d0 ca ff 4d 21 ee 4c 89
RSP: :c90005f47bd0 EFLAGS: 00010293
RAX: RBX: 192000be8f7c RCX:
RDX: 888050adb900 RSI: 81ab3e18 RDI: 0003
RBP: 88807e3bcc60 R08: 0020 R09: c90005f47bb7
R10: 81ab3e09 R11: 11ebb3fc R12: 2001d000
R13: 00145dc3 R14: 08140476 R15: 0020
FS: 55f1e400() GS:8880b9d0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7ffb730a0718 CR3: 6e072000 CR4: 001506e0

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
[syzbot] general protection fault in sg_alloc_append_table_from_pages
Hello,

syzbot found the following issue on:

HEAD commit:    717478d89fe2 Merge tag 'riscv-for-linus-5.15-rc5' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12489abf30
kernel config:  https://syzkaller.appspot.com/x/.config?x=32e6048063923b7b
dashboard link: https://syzkaller.appspot.com/bug?extid=2c56b725ec547fa9cb29
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=167b9e4f30

The issue was bisected to:

commit 284562e1f34874e267d4f499362c3816f8f6bc3f
Author: Gurchetan Singh
Date:   Tue Dec 3 01:36:27 2019 +

    udmabuf: implement begin_cpu_access/end_cpu_access hooks

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12d6844730
final oops:     https://syzkaller.appspot.com/x/report.txt?x=11d6844730
console output: https://syzkaller.appspot.com/x/log.txt?x=16d6844730

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2c56b725ec547fa9c...@syzkaller.appspotmail.com
Fixes: 284562e1f348 ("udmabuf: implement begin_cpu_access/end_cpu_access hooks")

general protection fault, probably for non-canonical address 0xdc02: [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0010-0x0017]
CPU: 1 PID: 7990 Comm: syz-executor.0 Not tainted 5.15.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:sg_alloc_append_table_from_pages+0x821/0xdb0 lib/scatterlist.c:525
Code: 0c 24 48 8b 4c 24 48 48 39 c8 48 0f 46 c8 89 f0 4c 8d 3c c7 48 89 4c 24 30 48 b9 00 00 00 00 00 fc ff df 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 24 05 00 00 4d 8b 3f 4c 89 e0 31 ff 83 e0 03 48
RSP: 0018:c90006087c48 EFLAGS: 00010212
RAX: 0002 RBX: 0001 RCX: dc00
RDX: 888074588000 RSI: RDI: 0010
RBP: f000 R08: f000 R09: 88801afe1940
R10: 83d737d0 R11: R12: 0002
R13: 88801afe1940 R14: R15: 0010
FS: 7fd273545700() GS:8880b9d0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7fd273545718 CR3: 1a51c000 CR4: 00350ee0
Call Trace:
 sg_alloc_table_from_pages_segment+0xc9/0x260 lib/scatterlist.c:573
 sg_alloc_table_from_pages include/linux/scatterlist.h:331 [inline]
 get_sg_table.isra.0+0xbb/0x160 drivers/dma-buf/udmabuf.c:67
 begin_cpu_udmabuf+0x130/0x1d0 drivers/dma-buf/udmabuf.c:126
 dma_buf_begin_cpu_access+0xfd/0x1d0 drivers/dma-buf/dma-buf.c:1204
 dma_buf_ioctl+0x29a/0x380 drivers/dma-buf/dma-buf.c:403
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd273e108d9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7fd273545188 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7fd273f150e0 RCX: 7fd273e108d9
RDX: 2000 RSI: 40086200 RDI: 0004
RBP: 7fd273e6acb4 R08: R09:
R10: R11: 0246 R12:
R13: 7ffd358e3ccf R14: 7fd273545300 R15: 00022000
Modules linked in:
---[ end trace 225c119d3f055d42 ]---
RIP: 0010:sg_alloc_append_table_from_pages+0x821/0xdb0 lib/scatterlist.c:525
Code: 0c 24 48 8b 4c 24 48 48 39 c8 48 0f 46 c8 89 f0 4c 8d 3c c7 48 89 4c 24 30 48 b9 00 00 00 00 00 fc ff df 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 24 05 00 00 4d 8b 3f 4c 89 e0 31 ff 83 e0 03 48
RSP: 0018:c90006087c48 EFLAGS: 00010212
RAX: 0002 RBX: 0001 RCX: dc00
RDX: 888074588000 RSI: RDI: 0010
RBP: f000 R08: f000 R09: 88801afe1940
R10: 83d737d0 R11: R12: 0002
R13: 88801afe1940 R14: R15: 0010
FS: 7fd273545700() GS:8880b9d0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7fd273545718 CR3: 1a51c000 CR4: 00350ee0
Code disassembly (best guess):
   0:   0c 24                   or     $0x24,%al
   2:   48 8b 4c 24 48          mov    0x48(%rsp),%rcx
   7:   48 39 c8                cmp    %rcx,%rax
   a:   48 0f 46 c8             cmovbe %rax,%rcx
   e:   89 f0                   mov    %esi,%eax
  10:   4c 8d 3c c7             lea
Re: [syzbot] kernel BUG in vmf_insert_pfn_prot
syzbot has bisected this issue to:

commit 8b93d1d7dbd578fd296e70008b29c0f62d09d7cb
Author: Daniel Vetter
Date:   Thu Aug 12 13:14:10 2021 +

    drm/shmem-helper: Switch to vmf_insert_pfn

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1277054f30
start commit:   9004fd387338 Add linux-next specific files for 20210917
git tree:       linux-next
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1177054f30
console output: https://syzkaller.appspot.com/x/log.txt?x=1677054f30
kernel config:  https://syzkaller.appspot.com/x/.config?x=45d5ac72f31f29f3
dashboard link: https://syzkaller.appspot.com/bug?extid=2d4f8693f438d2bd4bdb
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13ad552730
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13beef7730

Reported-by: syzbot+2d4f8693f438d2bd4...@syzkaller.appspotmail.com
Fixes: 8b93d1d7dbd5 ("drm/shmem-helper: Switch to vmf_insert_pfn")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Re: [syzbot] kernel BUG in vmf_insert_pfn_prot
syzbot has found a reproducer for the following issue on:

HEAD commit:    9004fd387338 Add linux-next specific files for 20210917
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11e1691d30
kernel config:  https://syzkaller.appspot.com/x/.config?x=45d5ac72f31f29f3
dashboard link: https://syzkaller.appspot.com/bug?extid=2d4f8693f438d2bd4bdb
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13ad552730
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13beef7730

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2d4f8693f438d2bd4...@syzkaller.appspotmail.com

[ cut here ]
kernel BUG at mm/memory.c:2103!
invalid opcode: [#1] PREEMPT SMP KASAN
CPU: 1 PID: 6537 Comm: syz-executor894 Not tainted 5.15.0-rc1-next-20210917-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:vmf_insert_pfn_prot+0x248/0x450 mm/memory.c:2103
Code: 0f 0b e8 6b d0 ca ff 4d 89 f7 bf 20 00 00 00 41 83 e7 28 4c 89 fe e8 b7 d5 ca ff 49 83 ff 20 0f 85 a5 fe ff ff e8 48 d0 ca ff <0f> 0b 49 be ff ff ff ff ff ff 0f 00 e8 37 d0 ca ff 4d 21 ee 4c 89
RSP: :c90002c5fbd0 EFLAGS: 00010293
RAX: RBX: 19200058bf7c RCX:
RDX: 888014d81c80 RSI: 81ab3e18 RDI: 0003
RBP: 88806ec18318 R08: 0020 R09: c90002c5fbb7
R10: 81ab3e09 R11: R12: 2000
R13: 0001a305 R14: 08140476 R15: 0020
FS: 7fd624da5700() GS:8880b9d0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 2600 CR3: 6e41e000 CR4: 001506e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 drm_gem_shmem_fault+0x1e3/0x290 drivers/gpu/drm/drm_gem_shmem_helper.c:564
 __do_fault+0x10d/0x4d0 mm/memory.c:3848
 do_cow_fault mm/memory.c:4184 [inline]
 do_fault mm/memory.c:4285 [inline]
 handle_pte_fault mm/memory.c:4541 [inline]
 __handle_mm_fault+0x370e/0x5120 mm/memory.c:4676
 handle_mm_fault+0x1c8/0x790 mm/memory.c:4774
 do_user_addr_fault+0x48b/0x11c0 arch/x86/mm/fault.c:1390
 handle_page_fault arch/x86/mm/fault.c:1475 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1531
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:568
RIP: 0033:0x7fd624db0238
Code: c0 75 63 48 8d 75 0c b9 40 42 0f 00 ba 81 00 00 00 c7 45 0c 01 00 00 00 bf ca 00 00 00 31 c0 e8 0e 2a 04 00 eb 85 0f 1f 40 00 <4c> 89 24 25 00 06 00 20 45 31 c0 31 c9 31 c0 c6 04 25 08 06 00 20
RSP: 002b:7fd624da5320 EFLAGS: 00010246
RAX: RBX: 7fd624e7b3e8 RCX: 7fd624df2c59
RDX: RSI: 0080 RDI: 7fd624e7b3e8
RBP: 7fd624e7b3e0 R08: R09:
R10: R11: 0246 R12: 3162662f7665642f
R13: 7ffe82f363ff R14: 7fd624da5400 R15: 00022000
Modules linked in:
---[ end trace 0e8bfa618299b282 ]---
RIP: 0010:vmf_insert_pfn_prot+0x248/0x450 mm/memory.c:2103
Code: 0f 0b e8 6b d0 ca ff 4d 89 f7 bf 20 00 00 00 41 83 e7 28 4c 89 fe e8 b7 d5 ca ff 49 83 ff 20 0f 85 a5 fe ff ff e8 48 d0 ca ff <0f> 0b 49 be ff ff ff ff ff ff 0f 00 e8 37 d0 ca ff 4d 21 ee 4c 89
RSP: :c90002c5fbd0 EFLAGS: 00010293
RAX: RBX: 19200058bf7c RCX:
RDX: 888014d81c80 RSI: 81ab3e18 RDI: 0003
RBP: 88806ec18318 R08: 0020 R09: c90002c5fbb7
R10: 81ab3e09 R11: R12: 2000
R13: 0001a305 R14: 08140476 R15: 0020
FS: 7fd624da5700() GS:8880b9c0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7f27acc516c0 CR3: 6e41e000 CR4: 001506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
[syzbot] WARNING in component_del
Hello,

syzbot found the following issue on:

HEAD commit:    a33f5c380c4b Merge tag 'xfs-5.17-merge-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17c4eb7fb0
kernel config:  https://syzkaller.appspot.com/x/.config?x=dc846445c1d2060e
dashboard link: https://syzkaller.appspot.com/bug?extid=60df062e1c41940cae0f
compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+60df062e1c41940ca...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 11050 at drivers/base/component.c:767 component_del+0xe2/0x480 drivers/base/component.c:765
Modules linked in:
CPU: 1 PID: 11050 Comm: syz-executor.5 Not tainted 5.16.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:component_del+0xe2/0x480 drivers/base/component.c:767
Code: 03 fd 48 8b 6d 00 4c 39 ed 74 07 e8 88 bc b7 fc eb 86 e8 81 bc b7 fc eb 05 e8 7a bc b7 fc 48 c7 c7 20 16 29 8d e8 be b5 47 05 <0f> 0b 31 ed 48 89 ef 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d e9
RSP: 0018:c90004a97550 EFLAGS: 00010246
RAX: c095017d97055900 RBX: 888023b8b6b0 RCX: 8d291620
RDX: 0001 RSI: 0008 RDI: c90004a974c0
RBP: 8d291720 R08: dc00 R09: f52000952e99
R10: f52000952e99 R11: R12: dc00
R13: 8d291720 R14: 8b27aea0 R15: 88807ac5a008
FS: 7f5f620ee700() GS:8880b9b0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 001b2eb22000 CR3: 7da2d000 CR4: 003526e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 usb_hub_remove_port_device+0x1bf/0x2d0 drivers/usb/core/port.c:653
 hub_disconnect+0x171/0x480 drivers/usb/core/hub.c:1737
 usb_unbind_interface+0x1f2/0x860 drivers/usb/core/driver.c:458
 __device_release_driver drivers/base/dd.c:1206 [inline]
 device_release_driver_internal+0x523/0x7b0 drivers/base/dd.c:1237
 proc_ioctl+0x53c/0x640 drivers/usb/core/devio.c:2332
 proc_ioctl_default drivers/usb/core/devio.c:2375 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2731 [inline]
 usbdev_ioctl+0x3f4a/0x6d00 drivers/usb/core/devio.c:2791
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f5f637dbfe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7f5f620ee168 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f5f638ef1d0 RCX: 7f5f637dbfe9
RDX: 2380 RSI: c0105512 RDI: 0005
RBP: 7f5f6383608d R08: R09:
R10: R11: 0246 R12:
R13: 7ffef2b2329f R14: 7f5f620ee300 R15: 00022000

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)
syzbot has found a reproducer for the following issue on:

HEAD commit:    7fc5253f5a13 Add linux-next specific files for 20220120
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1638527070
kernel config:  https://syzkaller.appspot.com/x/.config?x=94e8da4df9ab6319
dashboard link: https://syzkaller.appspot.com/bug?extid=14b0e8f3fd1612e35350
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=155dde3db0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=125298e070

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+14b0e8f3fd1612e35...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: f520008b2208
#PF: supervisor read access in kernel mode
#PF: error_code(0x) - not-present page
PGD 23ffed067 P4D 23ffed067 PUD 10db4067 PMD 1470c4067 PTE 0
Oops: [#1] PREEMPT SMP KASAN
CPU: 0 PID: 3595 Comm: syz-executor362 Not tainted 5.16.0-next-20220120-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x656/0x1430 drivers/video/fbdev/core/sysimgblt.c:275
Code: 14 38 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 b6 0c 00 00 8b 44 24 20 23 03 8b 5c 24 18 31 c3 48 89 e8 48 c1 e8 03 <42> 0f b6 14 38 48 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RSP: 0018:c90002a1f368 EFLAGS: 00010a02
RAX: 1920008b2208 RBX: RCX: 0007
RDX: RSI: 84257bf0 RDI: 0003
RBP: c90004591040 R08: 001f R09: 84257a74
R10: 84257be1 R11: 0020 R12: 0007
R13: 03ef R14: 888146efc7e0 R15: dc00
FS: 55c5d300() GS:8880b9c0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: f520008b2208 CR3: 23b12000 CR4: 003506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 drm_fb_helper_sys_imageblit drivers/gpu/drm/drm_fb_helper.c:794 [inline]
 drm_fbdev_fb_imageblit+0x15c/0x350 drivers/gpu/drm/drm_fb_helper.c:2288
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:124 [inline]
 bit_putcs+0x6e1/0xd20 drivers/video/fbdev/core/bitblit.c:173
 fbcon_putcs+0x353/0x440 drivers/video/fbdev/core/fbcon.c:1277
 do_update_region+0x399/0x630 drivers/tty/vt/vt.c:676
 invert_screen+0x1d4/0x600 drivers/tty/vt/vt.c:800
 highlight drivers/tty/vt/selection.c:57 [inline]
 clear_selection drivers/tty/vt/selection.c:84 [inline]
 clear_selection+0x55/0x70 drivers/tty/vt/selection.c:80
 vc_do_resize+0xe6e/0x1180 drivers/tty/vt/vt.c:1257
 fbcon_do_set_font+0x47a/0x760 drivers/video/fbdev/core/fbcon.c:1928
 fbcon_set_font+0x817/0xa00 drivers/video/fbdev/core/fbcon.c:2014
 con_font_set drivers/tty/vt/vt.c:4666 [inline]
 con_font_op+0x73a/0xc90 drivers/tty/vt/vt.c:4710
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
 vt_ioctl+0x1e26/0x2b10 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0xbbd/0x1660 drivers/tty/tty_io.c:2778
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f3bac0e1349
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7160a718 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: RCX: 7f3bac0e1349
RDX: 2000 RSI: 4b72 RDI: 0004
RBP: 7f3bac0a51d0 R08: 000d R09:
R10: R11: 0246 R12: 7f3bac0a5260
R13: R14: R15:
Modules linked in:
CR2: f520008b2208
---[ end trace ]---
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x656/0x1430 drivers/video/fbdev/core/sysimgblt.c:275
Code: 14 38 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 b6 0c 00 00 8b 44 24 20 23 03 8b 5c 24 18 31 c3 48 89 e8 48 c1 e8 03 <42> 0f b6 14 38 48 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RSP: 0018:c90002a1f368 EFLAGS: 00010a02
RAX: 1920008b2208 RBX: RCX: 0007
RDX: RSI: 84257bf0 RDI: 0003
RBP: c90004591040 R08: 001f R09: 84257a74
R10: 84257be1 R11: 0020 R12: 00
Re: [syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)
syzbot has bisected this issue to:

commit 0499f419b76f94ede08304aad5851144813ac55c
Author: Javier Martinez Canillas
Date: Mon Jan 10 09:56:25 2022 +

    video: vga16fb: Only probe for EGA and VGA 16 color graphic cards

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14c71e37b0
start commit: 7fc5253f5a13 Add linux-next specific files for 20220120
git tree: linux-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=16c71e37b0
console output: https://syzkaller.appspot.com/x/log.txt?x=12c71e37b0
kernel config: https://syzkaller.appspot.com/x/.config?x=94e8da4df9ab6319
dashboard link: https://syzkaller.appspot.com/bug?extid=14b0e8f3fd1612e35350
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=155dde3db0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=125298e070

Reported-by: syzbot+14b0e8f3fd1612e35...@syzkaller.appspotmail.com
Fixes: 0499f419b76f ("video: vga16fb: Only probe for EGA and VGA 16 color graphic cards")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
[syzbot] WARNING in dma_map_sgtable
Hello,

syzbot found the following issue on:

HEAD commit: e3a8b6a1e70c Merge tag 'slab-for-5.17-part2' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1507e01fb0
kernel config: https://syzkaller.appspot.com/x/.config?x=73c17fd2d4a060fe
dashboard link: https://syzkaller.appspot.com/bug?extid=d03b64357793677f0080
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d03b64357793677f0...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 21150 at kernel/dma/mapping.c:188 __dma_map_sg_attrs kernel/dma/mapping.c:188 [inline]
WARNING: CPU: 1 PID: 21150 at kernel/dma/mapping.c:188 dma_map_sgtable+0x203/0x260 kernel/dma/mapping.c:264
Modules linked in:
CPU: 1 PID: 21150 Comm: syz-executor.5 Not tainted 5.16.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__dma_map_sg_attrs kernel/dma/mapping.c:188 [inline]
RIP: 0010:dma_map_sgtable+0x203/0x260 kernel/dma/mapping.c:264
Code: 75 15 e8 50 b2 13 00 eb cb e8 49 b2 13 00 eb c4 e8 42 b2 13 00 eb bd e8 3b b2 13 00 0f 0b bd fb ff ff ff eb af e8 2d b2 13 00 <0f> 0b 31 ed 48 bb 00 00 00 00 00 fc ff df e9 7b ff ff ff 89 e9 80
RSP: 0018:c9000969fd20 EFLAGS: 00010287
RAX: 8171ee13 RBX: dc00 RCX: 0004
RDX: c900056f9000 RSI: 079b RDI: 079c
RBP: 888147437408 R08: 8171ece3 R09: ed100d4e6956
R10: ed100d4e6956 R11: R12: 888147437000
R13: 88806a734aa0 R14: R15: 0002
FS: 7f009bbc7700() GS:8880b9b0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 5641b108 CR3: 1901b000 CR4: 003506e0
DR0: 2100 DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0600
Call Trace:
 get_sg_table+0xfc/0x150 drivers/dma-buf/udmabuf.c:72
 begin_cpu_udmabuf+0xf5/0x160 drivers/dma-buf/udmabuf.c:126
 dma_buf_begin_cpu_access+0xd8/0x170 drivers/dma-buf/dma-buf.c:1164
 dma_buf_ioctl+0x2a0/0x2f0 drivers/dma-buf/dma-buf.c:363
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f009d251fe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7f009bbc7168 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f009d364f60 RCX: 7f009d251fe9
RDX: 2040 RSI: 40086200 RDI: 000b
RBP: 7f009d2ac08d R08: R09:
R10: R11: 0246 R12:
R13: 7ffc7751fd4f R14: 7f009bbc7300 R15: 00022000


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
[syzbot] inconsistent lock state in sync_info_debugfs_show
Hello,

syzbot found the following issue on:

HEAD commit: 1c52283265a4 Merge branch 'akpm' (patches from Andrew)
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1224663fb0
kernel config: https://syzkaller.appspot.com/x/.config?x=75bc179af0ff0457
dashboard link: https://syzkaller.appspot.com/bug?extid=007bfe0f3330f6e1e7d1
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+007bfe0f3330f6e1e...@syzkaller.appspotmail.com

WARNING: inconsistent lock state
5.16.0-syzkaller #0 Not tainted
inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
syz-executor.2/18360 [HC0[0]:SC0[0]:HE0:SE1] takes:
8c712cf8 (sync_timeline_list_lock){?...}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:374 [inline]
8c712cf8 (sync_timeline_list_lock){?...}-{2:2}, at: sync_info_debugfs_show+0x2d/0x200 drivers/dma-buf/sync_debug.c:147
{IN-HARDIRQ-W} state was registered at:
 lock_acquire kernel/locking/lockdep.c:5639 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 sync_timeline_debug_remove+0x25/0x190 drivers/dma-buf/sync_debug.c:31
 sync_timeline_free drivers/dma-buf/sw_sync.c:104 [inline]
 kref_put include/linux/kref.h:65 [inline]
 sync_timeline_put drivers/dma-buf/sw_sync.c:116 [inline]
 timeline_fence_release+0x263/0x340 drivers/dma-buf/sw_sync.c:144
 dma_fence_release+0x2ee/0x590 drivers/dma-buf/dma-fence.c:549
 kref_put include/linux/kref.h:65 [inline]
 dma_fence_put include/linux/dma-fence.h:276 [inline]
 dma_fence_array_release+0x1e4/0x2b0 drivers/dma-buf/dma-fence-array.c:120
 dma_fence_release+0x2ee/0x590 drivers/dma-buf/dma-fence.c:549
 kref_put include/linux/kref.h:65 [inline]
 dma_fence_put include/linux/dma-fence.h:276 [inline]
 irq_dma_fence_array_work+0xa5/0xd0 drivers/dma-buf/dma-fence-array.c:52
 irq_work_single+0x120/0x270 kernel/irq_work.c:211
 irq_work_run_list+0x91/0xc0 kernel/irq_work.c:242
 irq_work_run+0x54/0xd0 kernel/irq_work.c:251
 __sysvec_irq_work+0x95/0x3d0 arch/x86/kernel/irq_work.c:22
 sysvec_irq_work+0x8e/0xc0 arch/x86/kernel/irq_work.c:17
 asm_sysvec_irq_work+0x12/0x20 arch/x86/include/asm/idtentry.h:664
 __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:160 [inline]
 _raw_spin_unlock_irq+0x25/0x40 kernel/locking/spinlock.c:202
 spin_unlock_irq include/linux/spinlock.h:399 [inline]
 sw_sync_debugfs_release+0x160/0x240 drivers/dma-buf/sw_sync.c:321
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xb29/0x2a30 kernel/exit.c:806
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 get_signal+0x4b0/0x28c0 kernel/signal.c:2862
 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 ret_from_fork+0x15/0x30 arch/x86/entry/entry_64.S:288
irq event stamp: 124
hardirqs last enabled at (123): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (123): [] _raw_spin_unlock_irqrestore+0x50/0x70 kernel/locking/spinlock.c:194
hardirqs last disabled at (124): [] __raw_spin_lock_irq include/linux/spinlock_api_smp.h:117 [inline]
hardirqs last disabled at (124): [] _raw_spin_lock_irq+0x41/0x50 kernel/locking/spinlock.c:170
softirqs last enabled at (116): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last enabled at (116): [] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
softirqs last disabled at (97): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last disabled at (97): [] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
  lock(sync_timeline_list_lock);
  lock(sync_timeline_list_lock);

 *** DEADLOCK ***

3 locks held by syz-executor.2/18360:
 #0: 88801e30c0f0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:1034
 #1: 88807a26dd58 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xdf/0x1280 fs/seq_file.c:182
 #2: 8c712cf8 (sync_timeline_list_lock){?...}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:374 [inline]
 #2: 8c712cf8 (sync_timeline_list_lock){?...}-{2:2}, at: sync_info_debugfs_show+0x2d/0x200 drivers/dma-buf/sync_debu
Re: [syzbot] WARNING in drm_gem_shmem_vm_open
syzbot suspects this issue was fixed by commit:

commit 0499f419b76f94ede08304aad5851144813ac55c
Author: Javier Martinez Canillas
Date: Mon Jan 10 09:56:25 2022 +

    video: vga16fb: Only probe for EGA and VGA 16 color graphic cards

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=126571e070
start commit: 5d6ab0bb408f Merge tag 'xtensa-20211008' of git://github.c..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=32e6048063923b7b
dashboard link: https://syzkaller.appspot.com/bug?extid=91525b2bd4b5dff71619
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11073300b0

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: video: vga16fb: Only probe for EGA and VGA 16 color graphic cards

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Re: [syzbot] BUG: unable to handle kernel paging request in bitfill_aligned (2)
syzbot suspects this issue was fixed by commit:

commit 0499f419b76f94ede08304aad5851144813ac55c
Author: Javier Martinez Canillas
Date: Mon Jan 10 09:56:25 2022 +

    video: vga16fb: Only probe for EGA and VGA 16 color graphic cards

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1752f5c070
start commit: 2a987e65025e Merge tag 'perf-tools-fixes-for-v5.16-2021-12..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=7d5e878e3399b6cc
dashboard link: https://syzkaller.appspot.com/bug?extid=a4edd73d589b0b7efbeb
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16671badb0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=122beabdb0

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: video: vga16fb: Only probe for EGA and VGA 16 color graphic cards

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
[syzbot] general protection fault in virtio_gpu_poll
Hello,

syzbot found the following issue on:

HEAD commit: fe91c4725aee Merge tag 'scsi-misc' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=173a8aeab0
kernel config: https://syzkaller.appspot.com/x/.config?x=7d0e8aeec50207a6
dashboard link: https://syzkaller.appspot.com/bug?extid=4af2eec0d32a135ba67e
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4af2eec0d32a135ba...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdc03: [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0018-0x001f]
CPU: 0 PID: 27453 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:virtio_gpu_poll+0x7c/0x440 drivers/gpu/drm/virtio/virtgpu_drv.c:169
Code: 48 c1 ea 03 80 3c 02 00 0f 85 2b 03 00 00 4c 8b ab b0 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7d 18 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 19 03 00 00 4d 8b 6d 18 31 ff 4c 89 ee e8 8c 50
RSP: 0018:c90024f0f708 EFLAGS: 00010206
RAX: dc00 RBX: 888078deb000 RCX: c9002783b000
RDX: 0003 RSI: 8462b2d5 RDI: 0018
RBP: 88801f33ba80 R08: R09:
R10: 81cd631d R11: R12: c90024f0f898
R13: R14: 0010 R15: 0004
FS: 7f5ce5906700() GS:88802ca0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7f5ce84009e8 CR3: 6c1f7000 CR4: 00150ef0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 vfs_poll include/linux/poll.h:90 [inline]
 do_select+0x8cb/0x16a0 fs/select.c:534
 core_sys_select+0x3c2/0x9c0 fs/select.c:677
 do_pselect.constprop.0+0x17b/0x1c0 fs/select.c:759
 __do_sys_pselect6 fs/select.c:800 [inline]
 __se_sys_pselect6 fs/select.c:791 [inline]
 __x64_sys_pselect6+0x1c5/0x2b0 fs/select.c:791
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f5ce8390ae9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7f5ce5906188 EFLAGS: 0246 ORIG_RAX: 010e
RAX: ffda RBX: 7f5ce84a3f60 RCX: 7f5ce8390ae9
RDX: RSI: 21c0 RDI: 0040
RBP: 7f5ce83eaf25 R08: 2380 R09:
R10: 2140 R11: 0246 R12:
R13: 7ffd10da36cf R14: 7f5ce5906300 R15: 00022000
Modules linked in:
---[ end trace 1158e6efaa79 ]---
RIP: 0010:virtio_gpu_poll+0x7c/0x440 drivers/gpu/drm/virtio/virtgpu_drv.c:169
Code: 48 c1 ea 03 80 3c 02 00 0f 85 2b 03 00 00 4c 8b ab b0 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7d 18 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 19 03 00 00 4d 8b 6d 18 31 ff 4c 89 ee e8 8c 50
RSP: 0018:c90024f0f708 EFLAGS: 00010206
RAX: dc00 RBX: 888078deb000 RCX: c9002783b000
RDX: 0003 RSI: 8462b2d5 RDI: 0018
RBP: 88801f33ba80 R08: R09:
R10: 81cd631d R11: R12: c90024f0f898
R13: R14: 0010 R15: 0004
FS: 7f5ce5906700() GS:88802ca0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7f5ce84009e8 CR3: 6c1f7000 CR4: 00150ef0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Code disassembly (best guess):
   0:   48 c1 ea 03             shr    $0x3,%rdx
   4:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
   8:   0f 85 2b 03 00 00       jne    0x339
   e:   4c 8b ab b0 01 00 00    mov    0x1b0(%rbx),%r13
  15:   48 b8 00 00 00 00 00    movabs $0xdc00,%rax
  1c:   fc ff df
  1f:   49 8d 7d 18             lea    0x18(%r13),%rdi
  23:   48 89 fa                mov    %rdi,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
* 2a:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:   0f 85 19 03 00 00       jne    0x34d
  34:   4d 8b 6d 18             mov    0x18(%r13),%r13
  38:   31 ff                   xor    %edi,%edi
  3a:   4c 89 ee                mov    %r13,%rsi
  3d:   e8                      .byte 0xe8
  3e:   8c
[syzbot] KASAN: use-after-free Read in drm_gem_object_release_handle
Hello,

syzbot found the following issue on:

HEAD commit: 8ab774587903 Merge tag 'trace-v5.16-5' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1174ace6b0
kernel config: https://syzkaller.appspot.com/x/.config?x=6d3b8fd1977c1e73
dashboard link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c8ae65286134dd1b8...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xf2/0x110 drivers/gpu/drm/drm_gem.c:252
Read of size 8 at addr 888028419a28 by task syz-executor.2/10905

CPU: 0 PID: 10905 Comm: syz-executor.2 Not tainted 5.16.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 drm_gem_object_release_handle+0xf2/0x110 drivers/gpu/drm/drm_gem.c:252
 idr_for_each+0x113/0x220 lib/idr.c:208
 drm_gem_release+0x22/0x30 drivers/gpu/drm/drm_gem.c:930
 drm_file_free.part.0+0x805/0xb80 drivers/gpu/drm/drm_file.c:281
 drm_file_free drivers/gpu/drm/drm_file.c:248 [inline]
 drm_close_helper.isra.0+0x17d/0x1f0 drivers/gpu/drm/drm_file.c:308
 drm_release+0x1e6/0x530 drivers/gpu/drm/drm_file.c:495
 __fput+0x286/0x9f0 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 __do_fast_syscall_32+0x72/0xf0 arch/x86/entry/common.c:181
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf6f4e549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:ff954ef0 EFLAGS: 0282 ORIG_RAX: 0006
RAX: RBX: 0003 RCX: 0002
RDX: RSI: f7084000 RDI: f70aafac
RBP: f7084000 R08: R09:
R10: R11: R12:
R13: R14: R15:

Allocated by task 10906:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 kasan_kmalloc mm/kasan/common.c:513 [inline]
 kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:590 [inline]
 kzalloc include/linux/slab.h:724 [inline]
 __drm_gem_shmem_create+0x3d8/0x470 drivers/gpu/drm/drm_gem_shmem_helper.c:56
 drm_gem_shmem_create drivers/gpu/drm/drm_gem_shmem_helper.c:116 [inline]
 drm_gem_shmem_create_with_handle+0x26/0x100 drivers/gpu/drm/drm_gem_shmem_helper.c:422
 drm_gem_shmem_dumb_create+0x13f/0x290 drivers/gpu/drm/drm_gem_shmem_helper.c:538
 drm_mode_create_dumb+0x26c/0x2f0 drivers/gpu/drm/drm_dumb_buffers.c:96
 drm_ioctl_kernel+0x27d/0x4e0 drivers/gpu/drm/drm_ioctl.c:782
 drm_ioctl+0x51e/0x9d0 drivers/gpu/drm/drm_ioctl.c:885
 drm_compat_ioctl+0x270/0x330 drivers/gpu/drm/drm_ioc32.c:987
 __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Freed by task 10906:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 kasan_slab_free mm/kasan/common.c:366 [inline]
 kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
 slab_free mm/slub.c:3513 [inline]
 kfree+0xf6/0x560 mm/slub.c:4561
 drm_gem_object_free+0x58/0x80 drivers/gpu/drm/drm_gem.c:972
 kref_put include/linux/kref.h:65 [inline]
 __drm_gem_object_put include/drm/drm_gem.h:371 [inline]
 drm_gem_object_put include/drm/
[syzbot] KASAN: vmalloc-out-of-bounds Write in imageblit (2)
Hello,

syzbot found the following issue on:

HEAD commit: fa55b7dcdc43 Linux 5.16-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15fe2569b0
kernel config: https://syzkaller.appspot.com/x/.config?x=6d3b8fd1977c1e73
dashboard link: https://syzkaller.appspot.com/bug?extid=14b0e8f3fd1612e35350
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+14b0e8f3fd1612e35...@syzkaller.appspotmail.com

524155 pages RAM
0 pages HighMem/MovableOnly
163742 pages reserved
0 pages cma reserved
==
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x12f4/0x1430 drivers/video/fbdev/core/sysimgblt.c:275
Write of size 4 at addr c90004631000 by task syz-executor.0/7913

CPU: 0 PID: 7913 Comm: syz-executor.0 Not tainted 5.16.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
 sys_imageblit+0x12f4/0x1430 drivers/video/fbdev/core/sysimgblt.c:275
 drm_fb_helper_sys_imageblit drivers/gpu/drm/drm_fb_helper.c:794 [inline]
 drm_fbdev_fb_imageblit+0x15c/0x350 drivers/gpu/drm/drm_fb_helper.c:2282
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:124 [inline]
 bit_putcs+0x6e1/0xd20 drivers/video/fbdev/core/bitblit.c:173
 fbcon_putcs+0x353/0x440 drivers/video/fbdev/core/fbcon.c:1277
 do_update_region+0x399/0x630 drivers/tty/vt/vt.c:676
 redraw_screen+0x61f/0x740 drivers/tty/vt/vt.c:1035
 fbcon_modechanged+0x58c/0x6c0 drivers/video/fbdev/core/fbcon.c:2182
 fbcon_update_vcs+0x3a/0x50 drivers/video/fbdev/core/fbcon.c:2227
 do_fb_ioctl+0x62e/0x690 drivers/video/fbdev/core/fbmem.c:1114
 fb_compat_ioctl+0x17e/0x610 drivers/video/fbdev/core/fbmem.c:1313
 __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf6e67549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:f44615fc EFLAGS: 0296 ORIG_RAX: 0036
RAX: ffda RBX: 0005 RCX: 4601
RDX: 2000 RSI: RDI:
RBP: R08: R09:
R10: R11: R12:
R13: R14: R15:

Memory state around the buggy address:
 c90004630f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 c90004630f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>c90004631000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
               ^
 c90004631080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 c90004631100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==
Code disassembly (best guess):
   0:   03 74 c0 01             add    0x1(%rax,%rax,8),%esi
   4:   10 05 03 74 b8 01       adc    %al,0x1b87403(%rip)        # 0x1b8740d
   a:   10 06                   adc    %al,(%rsi)
   c:   03 74 b4 01             add    0x1(%rsp,%rsi,4),%esi
  10:   10 07                   adc    %al,(%rdi)
  12:   03 74 b0 01             add    0x1(%rax,%rsi,4),%esi
  16:   10 08                   adc    %cl,(%rax)
  18:   03 74 d8 01             add    0x1(%rax,%rbx,8),%esi
  1c:   00 00                   add    %al,(%rax)
  1e:   00 00                   add    %al,(%rax)
  20:   00 51 52                add    %dl,0x52(%rcx)
  23:   55                      push   %rbp
  24:   89 e5                   mov    %esp,%ebp
  26:   0f 34                   sysenter
  28:   cd 80                   int    $0x80
* 2a:   5d                      pop    %rbp <-- trapping instruction
  2b:   5a                      pop    %rdx
  2c:   59                      pop    %rcx
  2d:   c3                      retq
  2e:   90                      nop
  2f:   90                      nop
  30:   90                      nop
  31:   90                      nop
  32:   8d b4 26 00 00 00 00    lea    0x0(
[syzbot] WARNING in __dma_map_sg_attrs
Hello,

syzbot found the following issue on:

HEAD commit: c5c17547b778 Merge tag 'net-5.16-rc3' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13a73609b0
kernel config: https://syzkaller.appspot.com/x/.config?x=bf85c53718a1e697
dashboard link: https://syzkaller.appspot.com/bug?extid=10e27961f4da37c443b2
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+10e27961f4da37c44...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 2 PID: 17169 at kernel/dma/mapping.c:188 __dma_map_sg_attrs+0x181/0x1f0 kernel/dma/mapping.c:188
Modules linked in:
CPU: 0 PID: 17169 Comm: syz-executor.3 Not tainted 5.16.0-rc2-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:__dma_map_sg_attrs+0x181/0x1f0 kernel/dma/mapping.c:188
Code: 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 71 4c 8b 3d 70 6d b1 0d e9 db fe ff ff e8 86 ff 12 00 0f 0b e8 7f ff 12 00 <0f> 0b 45 31 e4 e9 54 ff ff ff e8 70 ff 12 00 49 8d 7f 50 48 b8 00
RSP: 0018:c90002c0fb20 EFLAGS: 00010216
RAX: 00013018 RBX: 0020 RCX: c900037d4000
RDX: 0004 RSI: 8163d361 RDI: 8880182ae4d0
RBP: 8880182ae088 R08: 0002 R09: 888017ba054f
R10: 8163d242 R11: 0008808a R12:
R13: 888024ca5700 R14: 0001 R15:
FS: 7fa269e34700() GS:88802cb0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 0040c120 CR3: 6c77c000 CR4: 00150ee0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 dma_map_sgtable+0x70/0xf0 kernel/dma/mapping.c:264
 drm_gem_map_dma_buf+0x12a/0x1e0 drivers/gpu/drm/drm_prime.c:633
 __map_dma_buf drivers/dma-buf/dma-buf.c:675 [inline]
 dma_buf_map_attachment+0x39a/0x5b0 drivers/dma-buf/dma-buf.c:954
 drm_gem_prime_import_dev.part.0+0x85/0x220 drivers/gpu/drm/drm_prime.c:939
 drm_gem_prime_import_dev drivers/gpu/drm/drm_prime.c:982 [inline]
 drm_gem_prime_import+0xc8/0x200 drivers/gpu/drm/drm_prime.c:982
 virtgpu_gem_prime_import+0x49/0x150 drivers/gpu/drm/virtio/virtgpu_prime.c:166
 drm_gem_prime_fd_to_handle+0x21d/0x550 drivers/gpu/drm/drm_prime.c:318
 drm_prime_fd_to_handle_ioctl+0x9b/0xd0 drivers/gpu/drm/drm_prime.c:374
 drm_ioctl_kernel+0x27d/0x4e0 drivers/gpu/drm/drm_ioctl.c:782
 drm_ioctl+0x51e/0x9d0 drivers/gpu/drm/drm_ioctl.c:885
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fa26c8beae9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7fa269e34188 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7fa26c9d1f60 RCX: 7fa26c8beae9
RDX: 24c0 RSI: c00c642e RDI: 0005
RBP: 7fa26c918f6d R08: R09:
R10: R11: 0246 R12:
R13: 7ffc0019c51f R14: 7fa269e34300 R15: 00022000
[syzbot] KASAN: out-of-bounds Write in virtio_gpu_cmd_transfer_to_host_2d
Hello,

syzbot found the following issue on:

HEAD commit: e66435936756 mm: fix mismerge of folio page flag manipulat..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14c79e0eb0
kernel config: https://syzkaller.appspot.com/x/.config?x=ca1c2027dfeaf335
dashboard link: https://syzkaller.appspot.com/bug?extid=f01248cf57e6929868e4
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f01248cf57e692986...@syzkaller.appspotmail.com

R13: 7ffe6190e50f R14: 7f51be874300 R15: 00022000
==
BUG: KASAN: out-of-bounds in memset include/linux/fortify-string.h:175 [inline]
BUG: KASAN: out-of-bounds in virtio_gpu_cmd_transfer_to_host_2d+0x160/0x4a0 drivers/gpu/drm/virtio/virtgpu_vq.c:618
Write of size 56 at addr fff4 by task syz-executor.1/13670

CPU: 2 PID: 13670 Comm: syz-executor.1 Not tainted 5.15.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x2d6 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memset+0x20/0x40 mm/kasan/shadow.c:44
 memset include/linux/fortify-string.h:175 [inline]
 virtio_gpu_cmd_transfer_to_host_2d+0x160/0x4a0 drivers/gpu/drm/virtio/virtgpu_vq.c:618
 virtio_gpu_update_dumb_bo drivers/gpu/drm/virtio/virtgpu_plane.c:128 [inline]
 virtio_gpu_primary_plane_update+0xfcb/0x1650 drivers/gpu/drm/virtio/virtgpu_plane.c:199
 drm_atomic_helper_commit_planes+0x332/0xb60 drivers/gpu/drm/drm_atomic_helper.c:2552
 drm_atomic_helper_commit_tail+0x62/0xf0 drivers/gpu/drm/drm_atomic_helper.c:1582
 commit_tail+0x32d/0x420 drivers/gpu/drm/drm_atomic_helper.c:1667
 drm_atomic_helper_commit drivers/gpu/drm/drm_atomic_helper.c:1884 [inline]
 drm_atomic_helper_commit+0x2eb/0x370 drivers/gpu/drm/drm_atomic_helper.c:1817
 drm_atomic_commit+0xd8/0x110 drivers/gpu/drm/drm_atomic.c:1412
 drm_client_modeset_commit_atomic+0x685/0x7c0 drivers/gpu/drm/drm_client_modeset.c:1043
 drm_client_modeset_commit_locked+0x145/0x580 drivers/gpu/drm/drm_client_modeset.c:1146
 drm_client_modeset_commit+0x4d/0x80 drivers/gpu/drm/drm_client_modeset.c:1172
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:252 [inline]
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:231 [inline]
 drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:279 [inline]
 drm_fb_helper_lastclose drivers/gpu/drm/drm_fb_helper.c:1997 [inline]
 drm_fbdev_client_restore+0xe3/0x1a0 drivers/gpu/drm/drm_fb_helper.c:2397
 drm_client_dev_restore+0x184/0x290 drivers/gpu/drm/drm_client.c:226
 drm_lastclose drivers/gpu/drm/drm_file.c:467 [inline]
 drm_release+0x441/0x530 drivers/gpu/drm/drm_file.c:498
 __fput+0x286/0x9f0 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f51c12b1a04
Code: 84 00 00 00 00 00 44 89 54 24 0c e8 96 f9 ff ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 89 44 24 0c e8 c8 f9 ff ff 8b 44
RSP: 002b:7f51be873cc0 EFLAGS: 0293 ORIG_RAX: 0101
RAX: ffea RBX: 6667 RCX: 7f51c12b1a04
RDX: ff00 RSI: 7f51be873d60 RDI: ff9c
RBP: 7f51be873d60 R08: R09:
R10: R11: 0293 R12: ff00
R13: 7ffe6190e50f R14: 7f51be874300 R15: 00022000

Memory state around the buggy address:
 fe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
general protection fault, maybe for address 0xc9000422f80c: [#1] PREEMPT SMP KASAN
CPU: 2 PID: 13670 Comm: syz-executor.1 Not tainted 5.15.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:memcpy_erms+0x6/0x10 arch/x86/lib/memcpy_64.S:55
Code: cc cc cc cc eb 1e 0f 1f 00 48 89
[syzbot] general protection fault in virtio_gpu_array_put_free
Hello,

syzbot found the following issue on:

HEAD commit: d58071a8a76d Linux 5.16-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11f773f6b0
kernel config: https://syzkaller.appspot.com/x/.config?x=171728a464c05f2b
dashboard link: https://syzkaller.appspot.com/bug?extid=e9072e90624a31dfa85f
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e9072e90624a31dfa...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdc0e: [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0070-0x0077]
CPU: 0 PID: 20114 Comm: syz-executor.3 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:virtio_gpu_array_put_free+0x2f/0x190 drivers/gpu/drm/virtio/virtgpu_gem.c:251
Code: 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 5a dd 09 fd 49 8d 45 70 48 89 c2 48 89 04 24 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 21 01 00 00 41 8b 5d 70 31 ff
RSP: 0018:c90005a9fa90 EFLAGS: 00010202
RAX: dc00 RBX: RCX: c900262ce000
RDX: 000e RSI: 846cf6e6 RDI:
RBP: 88801882b800 R08: R09: c90005a9f9ef
R10: 846dcc29 R11: R12: c90005a9fbd0
R13: R14: 888045f6 R15: fff4
FS: 7f4ad9393700() GS:88802ca0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7f561e680558 CR3: 50bde000 CR4: 00150ef0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0600
Call Trace:
 virtio_gpu_object_create+0x5c7/0xd90 drivers/gpu/drm/virtio/virtgpu_object.c:251
 virtio_gpu_gem_create drivers/gpu/drm/virtio/virtgpu_gem.c:42 [inline]
 virtio_gpu_mode_dumb_create+0x319/0x5c0 drivers/gpu/drm/virtio/virtgpu_gem.c:90
 drm_mode_create_dumb+0x26c/0x2f0 drivers/gpu/drm/drm_dumb_buffers.c:96
 drm_ioctl_kernel+0x27d/0x4e0 drivers/gpu/drm/drm_ioctl.c:782
 drm_ioctl+0x51e/0x9d0 drivers/gpu/drm/drm_ioctl.c:885
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f4adbe1dae9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7f4ad9393188 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f4adbf30f60 RCX: 7f4adbe1dae9
RDX: 2040 RSI: c02064b2 RDI: 0003
RBP: 7f4ad93931d0 R08: R09:
R10: R11: 0246 R12: 0002
R13: 7ffccb96db4f R14: 7f4ad9393300 R15: 00022000
Modules linked in:
---[ end trace 8191b5e5ff4f69ef ]---
RIP: 0010:virtio_gpu_array_put_free+0x2f/0x190 drivers/gpu/drm/virtio/virtgpu_gem.c:251
Code: 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 5a dd 09 fd 49 8d 45 70 48 89 c2 48 89 04 24 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 21 01 00 00 41 8b 5d 70 31 ff
RSP: 0018:c90005a9fa90 EFLAGS: 00010202
RAX: dc00 RBX: RCX: c900262ce000
RDX: 000e RSI: 846cf6e6 RDI:
RBP: 88801882b800 R08: R09: c90005a9f9ef
R10: 846dcc29 R11: R12: c90005a9fbd0
R13: R14: 888045f6 R15: fff4
FS: 7f4ad9393700() GS:88802cb0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 0065f4d7 CR3: 50bde000 CR4: 00150ee0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Code disassembly (best guess):
   0:   55                      push   %rbp
   1:   49 89 fd                mov    %rdi,%r13
   4:   41 54                   push   %r12
   6:   55                      push   %rbp
   7:   53                      push   %rbx
   8:   48 83 ec 08             sub    $0x8,%rsp
   c:   e8 5a dd 09 fd          callq  0xfd09dd6b
  11:   49 8d 45 70             lea    0x70(%r13),%rax
  15:   48 89 c2                mov    %rax,%rdx
  18:   48 89 04 24             mov    %rax,(%rsp)
  1c:   48 b8 00 00 00 00 00    movabs $0xdc0
[syzbot] general protection fault in virtio_gpu_object_create
Hello,

syzbot found the following issue on:

HEAD commit:    136057256686 Linux 5.16-rc2
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14029126b0
kernel config:  https://syzkaller.appspot.com/x/.config?x=bf85c53718a1e697
dashboard link: https://syzkaller.appspot.com/bug?extid=62d1cf88cc39247b2e23
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+62d1cf88cc39247b2...@syzkaller.appspotmail.com

RBP: 7f96f6d2a1d0 R08: R09:
R10: R11: 0246 R12: 0002
R13: 7ffde5383b0f R14: 7f96f6d2a300 R15: 00022000
general protection fault, probably for non-canonical address 0xdc00: [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x-0x0007]
CPU: 3 PID: 32308 Comm: syz-executor.2 Not tainted 5.16.0-rc2-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:183 [inline]
RIP: 0010:virtio_gpu_object_create+0x29b/0xd90 drivers/gpu/drm/virtio/virtgpu_object.c:249
Code: 89 de e8 38 11 09 fd 48 85 db 0f 85 9f 03 00 00 e8 9a 0e 09 fd 49 8d 7f 0c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 82
RSP: 0018:c90002fafad0 EFLAGS: 00010246
RAX: dc00 RBX: RCX: c900242c8000
RDX: RSI: 846dc446 RDI:
RBP: 8880257af000 R08: R09: 8bcca173
R10: 846dc438 R11: R12: c90002fafbd0
R13: 8880430e0010 R14: 8880430e R15: fff4
FS: 7f96f6d2a700() GS:88802cd0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 009af988 CR3: 53153000 CR4: 00150ee0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 virtio_gpu_gem_create drivers/gpu/drm/virtio/virtgpu_gem.c:42 [inline]
 virtio_gpu_mode_dumb_create+0x319/0x5c0 drivers/gpu/drm/virtio/virtgpu_gem.c:90
 drm_mode_create_dumb+0x26c/0x2f0 drivers/gpu/drm/drm_dumb_buffers.c:96
 drm_ioctl_kernel+0x27d/0x4e0 drivers/gpu/drm/drm_ioctl.c:782
 drm_ioctl+0x51e/0x9d0 drivers/gpu/drm/drm_ioctl.c:885
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f96f97b4ae9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:7f96f6d2a188 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f96f98c7f60 RCX: 7f96f97b4ae9
RDX: 2040 RSI: c02064b2 RDI: 0003
RBP: 7f96f6d2a1d0 R08: R09:
R10: R11: 0246 R12: 0002
R13: 7ffde5383b0f R14: 7f96f6d2a300 R15: 00022000
Modules linked in:
---[ end trace 7991b533e1b66750 ]---
RIP: 0010:virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:183 [inline]
RIP: 0010:virtio_gpu_object_create+0x29b/0xd90 drivers/gpu/drm/virtio/virtgpu_object.c:249
Code: 89 de e8 38 11 09 fd 48 85 db 0f 85 9f 03 00 00 e8 9a 0e 09 fd 49 8d 7f 0c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 82
RSP: 0018:c90002fafad0 EFLAGS: 00010246
RAX: dc00 RBX: RCX: c900242c8000
RDX: RSI: 846dc446 RDI:
RBP: 8880257af000 R08: R09: 8bcca173
R10: 846dc438 R11: R12: c90002fafbd0
R13: 8880430e0010 R14: 8880430e R15: fff4
FS: 7f96f6d2a700() GS:88802cd0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 009af988 CR3: 53153000 CR4: 00150ee0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Code disassembly (best guess):
   0:	89 de                	mov    %ebx,%esi
   2:	e8 38 11 09 fd       	callq  0xfd09113f
   7:	48 85 db             	test   %rbx,%rbx
   a:	0f 85 9f 03 00 00    	jne    0x3af
  10:	e8 9a 0e 09 fd       	callq
Re: [syzbot] BUG: unable to handle kernel paging request in bitfill_aligned (2)
syzbot has found a reproducer for the following issue on:

HEAD commit:    2a987e65025e Merge tag 'perf-tools-fixes-for-v5.16-2021-12..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12f8fdc5b0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7d5e878e3399b6cc
dashboard link: https://syzkaller.appspot.com/bug?extid=a4edd73d589b0b7efbeb
compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16671badb0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=122beabdb0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a4edd73d589b0b7ef...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: 88800130
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD 11201067 P4D 11201067 PUD 11202067 PMD 810001e1
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6524 Comm: syz-executor260 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__writeq arch/x86/include/asm/io.h:98 [inline]
RIP: 0010:bitfill_aligned+0x1d2/0x270 drivers/video/fbdev/core/cfbfillrect.c:75
Code: 39 1b fd eb 09 e8 3e 39 1b fd 48 83 c3 40 31 ff 89 ee e8 41 3d 1b fd 85 ed 74 2c 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ff cd <4c> 89 33 85 ed 74 0b 48 83 c3 08 e8 0e 39 1b fd eb ec e8 07 39 1b
RSP: 0018:c90002b4ee38 EFLAGS: 00010202
RAX: RBX: 88800130 RCX: 888020209d00
RDX: 888020209d00 RSI: 0002 RDI:
RBP: 0001 R08: 84695e4f R09: 0040
R10: 0002 R11: 888020209d00 R12:
R13: 0080 R14: R15:
FS: 55c14300() GS:8880b9a0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 88800130 CR3: 708fb000 CR4: 003506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 cfb_fillrect+0x5d8/0x800 drivers/video/fbdev/core/cfbfillrect.c:327
 bit_clear_margins+0x2d7/0x6e0 drivers/video/fbdev/core/bitblit.c:209
 fbcon_clear_margins drivers/video/fbdev/core/fbcon.c:1296 [inline]
 fbcon_switch+0x1569/0x21f0 drivers/video/fbdev/core/fbcon.c:1677
 redraw_screen+0x53d/0x1280 drivers/tty/vt/vt.c:1021
 vc_do_resize+0x1361/0x1930 drivers/tty/vt/vt.c:1342
 fbcon_do_set_font+0x9ef/0x10d0 drivers/video/fbdev/core/fbcon.c:1928
 fbcon_set_font+0x9f9/0xc80 drivers/video/fbdev/core/fbcon.c:2014
 con_font_set drivers/tty/vt/vt.c:4666 [inline]
 con_font_op+0xbcd/0x1080 drivers/tty/vt/vt.c:4710
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
 vt_ioctl+0x1838/0x3860 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0xfb2/0x17d0 drivers/tty/tty_io.c:2805
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f44f1232229
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7fffb8c823a8 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: RCX: 7f44f1232229
RDX: 2400 RSI: 4b72 RDI: 0004
RBP: R08: 000d R09: 7fffb8c82548
R10: R11: 0246 R12: 7f44f11f5820
R13: 431bde82d7b634db R14: R15:
Modules linked in:
CR2: 88800130
---[ end trace 3cf2fa8eab0f5f7d ]---
RIP: 0010:__writeq arch/x86/include/asm/io.h:98 [inline]
RIP: 0010:bitfill_aligned+0x1d2/0x270 drivers/video/fbdev/core/cfbfillrect.c:75
Code: 39 1b fd eb 09 e8 3e 39 1b fd 48 83 c3 40 31 ff 89 ee e8 41 3d 1b fd 85 ed 74 2c 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ff cd <4c> 89 33 85 ed 74 0b 48 83 c3 08 e8 0e 39 1b fd eb ec e8 07 39 1b
RSP: 0018:c90002b4ee38 EFLAGS: 00010202
RAX: RBX: 88800130 RCX: 888020209d00
RDX: 888020209d00 RSI: 0002 RDI:
RBP: 0001 R08: 84695e4f R09: 0040
R10: 0002 R11: 888020209d00 R12:
R13: 0080 R14: R15:
FS: 55c14300() GS:8880b9a0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 88800130 CR3: 708fb000 CR4: 003506f0
DR0: DR1: DR2:
DR3: DR
Re: [syzbot] WARNING in drm_wait_one_vblank
syzbot has found a reproducer for the following issue on:

HEAD commit:    6f513529296f Merge tag 'for-5.16-rc4-tag' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16499fc5b0
kernel config:  https://syzkaller.appspot.com/x/.config?x=221ffc09e39ebbd1
dashboard link: https://syzkaller.appspot.com/bug?extid=6f7fe2dbc479dca0ed17
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17ab646db0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17767fc5b0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6f7fe2dbc479dca0e...@syzkaller.appspotmail.com

platform vkms: vblank wait timed out on crtc 0
WARNING: CPU: 1 PID: 3708 at drivers/gpu/drm/drm_vblank.c:1269 drm_wait_one_vblank+0x2bc/0x500 drivers/gpu/drm/drm_vblank.c:1269
Modules linked in:
CPU: 1 PID: 3708 Comm: syz-executor955 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:drm_wait_one_vblank+0x2bc/0x500 drivers/gpu/drm/drm_vblank.c:1269
Code: 85 f6 0f 84 a3 01 00 00 e8 11 4c 1a fd 4c 89 ef e8 f9 34 13 00 44 89 e1 4c 89 f2 48 c7 c7 40 7d 1a 8a 48 89 c6 e8 7f 61 a3 04 <0f> 0b e9 87 fe ff ff e8 e8 4b 1a fd 31 ff 4c 89 ee e8 6e 4e 1a fd
RSP: 0018:c9000298fb40 EFLAGS: 00010282
RAX: RBX: 0596 RCX:
RDX: 8880766f3a00 RSI: 815f1e08 RDI: f52000531f5a
RBP: 8881469f4000 R08: R09:
R10: 815ebbae R11: R12:
R13: 888146e02010 R14: 888146cc7500 R15: 888146e10030
FS: 572d9300() GS:8880b9d0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7fa33cdb0290 CR3: 79034000 CR4: 003506e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 drm_fb_helper_ioctl+0x159/0x1a0 drivers/gpu/drm/drm_fb_helper.c:1197
 do_fb_ioctl+0x1d5/0x690 drivers/video/fbdev/core/fbmem.c:1175
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1189
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fa33cd3c1c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffc7e8b9d98 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 000f4240 RCX: 7fa33cd3c1c9
RDX: RSI: 40044620 RDI: 0004
RBP: R08: R09:
R10: R11: 0246 R12: 00016e91
R13: 7ffc7e8b9dac R14: 7ffc7e8b9dd0 R15: 7ffc7e8b9dc0
memory leak in dlfb_usb_probe
Hello,

syzbot found the following issue on:

HEAD commit:    a68a0262 mm/madvise: remove racy mm ownership check
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1538046b50
kernel config:  https://syzkaller.appspot.com/x/.config?x=4305fa9ea70c7a9f
dashboard link: https://syzkaller.appspot.com/bug?extid=c9e365d7f450e8aa615d
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1779cc1350
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1173d00f50

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c9e365d7f450e8aa6...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0x88810adde100 (size 32):
  comm "kworker/1:0", pid 17, jiffies 4294947788 (age 19.520s)
  hex dump (first 32 bytes):
    10 30 c3 0d 81 88 ff ff c0 fa 63 12 81 88 ff ff  .0c.
    00 30 c3 0d 81 88 ff ff 80 d1 3a 08 81 88 ff ff  .0:.
  backtrace:
    [<19512953>] kmalloc include/linux/slab.h:552 [inline]
    [<19512953>] kzalloc include/linux/slab.h:664 [inline]
    [<19512953>] dlfb_alloc_urb_list drivers/video/fbdev/udlfb.c:1892 [inline]
    [<19512953>] dlfb_usb_probe.cold+0x289/0x988 drivers/video/fbdev/udlfb.c:1704
    [<72160152>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [<a8d6726f>] really_probe+0x159/0x480 drivers/base/dd.c:554
    [<c3ce4b0e>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
    [<e942e01c>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844
    [<de0a5a5c>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431
    [<463fbcb4>] __device_attach+0x122/0x250 drivers/base/dd.c:912
    [<b881a711>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491
    [<364bbda5>] device_add+0x5ac/0xc30 drivers/base/core.c:2936
    [<eecca418>] usb_set_configuration+0x9de/0xb90 drivers/usb/core/message.c:2159
    [<edfeca2d>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
    [<1830872b>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
    [<a8d6726f>] really_probe+0x159/0x480 drivers/base/dd.c:554
    [<c3ce4b0e>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
    [<e942e01c>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844
    [<de0a5a5c>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431

BUG: memory leak
unreferenced object 0x8881083ad180 (size 192):
  comm "kworker/1:0", pid 17, jiffies 4294947788 (age 19.520s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 98 d1 3a 08 81 88 ff ff  ..:.
  backtrace:
    [<a7783a78>] kmalloc include/linux/slab.h:557 [inline]
    [<a7783a78>] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74
    [<82822843>] dlfb_alloc_urb_list drivers/video/fbdev/udlfb.c:1897 [inline]
    [<82822843>] dlfb_usb_probe.cold+0x2aa/0x988 drivers/video/fbdev/udlfb.c:1704
    [<72160152>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
    [<a8d6726f>] really_probe+0x159/0x480 drivers/base/dd.c:554
    [<c3ce4b0e>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
    [<e942e01c>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844
    [<de0a5a5c>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:431
    [<463fbcb4>] __device_attach+0x122/0x250 drivers/base/dd.c:912
    [<b881a711>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:491
    [<364bbda5>] device_add+0x5ac/0xc30 drivers/base/core.c:2936
    [<eecca418>] usb_set_configuration+0x9de/0xb90 drivers/usb/core/message.c:2159
    [<edfeca2d>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
    [<1830872b>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
    [<a8d6726f>] really_probe+0x159/0x480 drivers/base/dd.c:554
    [<c3ce4b0e>] driver_probe_device+0x84/0x100 drivers/base/dd.c:738
    [<e942e01c>] __device_attach_driver+0xee/0x110 drivers/base/dd.c:844

BUG: memory leak
unreferenced object 0x88811263fb20 (size 32):
  comm "kworker/1:0", pid 17, jiffies 4294947788 (age 19.530s)
  hex dump (first 32 bytes):
    00 fb 63 12 81 88 ff ff 10 30 c3 0d 81 88 ff ff  ..c..0..
    00 30 c3 0d 81 88 ff ff c0 53 c8 0b 81 88 ff ff  .0...S..
  backtrace:
    [<19512953>] kmalloc include/linux/slab.h:552 [inline]
    [<19512953>] kzalloc include/linux/slab.h:664 [inline]
KASAN: vmalloc-out-of-bounds Read in drm_fb_helper_dirty_work (2)
Hello,

syzbot found the following issue on:

HEAD commit:    a2f5ea9e Merge tag 'arm-soc-fixes-v5.10-4b' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=167b497b50
kernel config:  https://syzkaller.appspot.com/x/.config?x=868cd1c95c02180
dashboard link: https://syzkaller.appspot.com/bug?extid=cc9acdabdf6ea0c8dc0b
compiler:       gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cc9acdabdf6ea0c8d...@syzkaller.appspotmail.com

==
BUG: KASAN: vmalloc-out-of-bounds in memcpy include/linux/string.h:399 [inline]
BUG: KASAN: vmalloc-out-of-bounds in drm_fb_helper_dirty_blit_real drivers/gpu/drm/drm_fb_helper.c:403 [inline]
BUG: KASAN: vmalloc-out-of-bounds in drm_fb_helper_dirty_work+0x42e/0x810 drivers/gpu/drm/drm_fb_helper.c:435
Read of size 3168 at addr c9000b8613a0 by task kworker/0:5/11875

CPU: 0 PID: 11875 Comm: kworker/0:5 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Workqueue: events drm_fb_helper_dirty_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x497 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 memcpy+0x20/0x60 mm/kasan/common.c:105
 memcpy include/linux/string.h:399 [inline]
 drm_fb_helper_dirty_blit_real drivers/gpu/drm/drm_fb_helper.c:403 [inline]
 drm_fb_helper_dirty_work+0x42e/0x810 drivers/gpu/drm/drm_fb_helper.c:435
 process_one_work+0x933/0x15a0 kernel/workqueue.c:2272
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2418
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Memory state around the buggy address:
 c9000b861280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 c9000b861300: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>c9000b861380: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                           ^
 c9000b861400: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 c9000b861480: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
WARNING: suspicious RCU usage in modeset_lock
Hello,

syzbot found the following issue on:

HEAD commit:    94801e5c Merge tag 'pinctrl-v5.10-3' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=130558c550
kernel config:  https://syzkaller.appspot.com/x/.config?x=ee8a1012a5314210
dashboard link: https://syzkaller.appspot.com/bug?extid=972b924c988834e868b2
compiler:       gcc (GCC) 10.1.0-syz 20200507
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+972b924c988834e86...@syzkaller.appspotmail.com

=
WARNING: suspicious RCU usage
5.10.0-rc7-syzkaller #0 Not tainted
-
kernel/sched/core.c:7270 Illegal context switch in RCU-sched read-side critical section!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 0
7 locks held by syz-executor.1/9232:
 #0: 8b328c60 (console_lock){+.+.}-{0:0}, at: do_fb_ioctl+0x2e4/0x690 drivers/video/fbdev/core/fbmem.c:1106
 #1: 888041bd4078 (&fb_info->lock){+.+.}-{3:3}, at: lock_fb_info include/linux/fb.h:636 [inline]
 #1: 888041bd4078 (&fb_info->lock){+.+.}-{3:3}, at: do_fb_ioctl+0x2ee/0x690 drivers/video/fbdev/core/fbmem.c:1107
 #2: 888041adca78 (&helper->lock){+.+.}-{3:3}, at: drm_fb_helper_pan_display+0xce/0x970 drivers/gpu/drm/drm_fb_helper.c:1448
 #3: 8880159f01b8 (&dev->master_mutex){+.+.}-{3:3}, at: drm_master_internal_acquire+0x1d/0x70 drivers/gpu/drm/drm_auth.c:407
 #4: 888041adc898 (&client->modeset_mutex){+.+.}-{3:3}, at: drm_client_modeset_commit_locked+0x44/0x580 drivers/gpu/drm/drm_client_modeset.c:1143
 #5: c90001c07730 (crtc_ww_class_acquire){+.+.}-{0:0}, at: drm_client_modeset_commit_atomic+0xb7/0x7c0 drivers/gpu/drm/drm_client_modeset.c:981
 #6: 888015986108 (crtc_ww_class_mutex){+.+.}-{3:3}, at: ww_mutex_lock_slow include/linux/ww_mutex.h:287 [inline]
 #6: 888015986108 (crtc_ww_class_mutex){+.+.}-{3:3}, at: modeset_lock+0x31c/0x650 drivers/gpu/drm/drm_modeset_lock.c:260

stack backtrace:
CPU: 1 PID: 9232 Comm: syz-executor.1 Not tainted 5.10.0-rc7-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 ___might_sleep+0x25d/0x2b0 kernel/sched/core.c:7270
 __mutex_lock_common kernel/locking/mutex.c:935 [inline]
 __ww_mutex_lock.constprop.0+0xa9/0x2cc0 kernel/locking/mutex.c:
 ww_mutex_lock+0x3d/0x170 kernel/locking/mutex.c:1190
 modeset_lock+0x392/0x650 drivers/gpu/drm/drm_modeset_lock.c:263
 drm_modeset_lock drivers/gpu/drm/drm_modeset_lock.c:342 [inline]
 drm_modeset_lock+0x50/0x90 drivers/gpu/drm/drm_modeset_lock.c:338
 drm_atomic_get_plane_state+0x19d/0x510 drivers/gpu/drm/drm_atomic.c:481
 drm_client_modeset_commit_atomic+0x225/0x7c0 drivers/gpu/drm/drm_client_modeset.c:994
 drm_client_modeset_commit_locked+0x145/0x580 drivers/gpu/drm/drm_client_modeset.c:1145
 pan_display_atomic drivers/gpu/drm/drm_fb_helper.c:1395 [inline]
 drm_fb_helper_pan_display+0x28b/0x970 drivers/gpu/drm/drm_fb_helper.c:1455
 fb_pan_display+0x2f7/0x6c0 drivers/video/fbdev/core/fbmem.c:925
 fb_set_var+0x57f/0xda0 drivers/video/fbdev/core/fbmem.c:1043
 do_fb_ioctl+0x2f9/0x690 drivers/video/fbdev/core/fbmem.c:1108
 fb_compat_ioctl+0x17c/0xaf0 drivers/video/fbdev/core/fbmem.c:1315
 __do_compat_sys_ioctl+0x1d3/0x230 fs/ioctl.c:842
 do_syscall_32_irqs_on arch/x86/entry/common.c:78 [inline]
 __do_fast_syscall_32+0x56/0x80 arch/x86/entry/common.c:137
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:160
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7fd8549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:f55d20bc EFLAGS: 0296 ORIG_RAX: 0036
RAX: ffda RBX: 0003 RCX: 4601
RDX: 2240 RSI: RDI:
RBP: R08: R09:
R10: R11: R12:
R13: R14: R15:
detected fb_set_par error, error code: -16
Re: BUG: unable to handle kernel paging request in cfb_imageblit
syzbot suspects this issue was fixed by commit:

commit a49145acfb975d921464b84fe00279f99827d816
Author: George Kennedy
Date:   Tue Jul 7 19:26:03 2020 +

    fbmem: add margin check to fb_check_caps()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1149f30f50
start commit:   22fbc037 Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=4e672827d2ffab1f
dashboard link: https://syzkaller.appspot.com/bug?extid=dfd0b1c6705301cc4847
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11ba9a5d90
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17cfd4af90

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: fbmem: add margin check to fb_check_caps()

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Re: kernel BUG at drivers/dma-buf/dma-buf.c:LINE!
syzbot suspects this issue was fixed by commit:

commit e722a295cf493388dae474745d30e91e1a2ec549
Author: Greg Kroah-Hartman
Date:   Thu Aug 27 12:36:27 2020 +

    staging: ion: remove from the tree

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=17d4f13750
start commit:   abb3438d Merge tag 'm68knommu-for-v5.9-rc3' of git://git.k..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=978db74cb30aa994
dashboard link: https://syzkaller.appspot.com/bug?extid=d6734079f30f7fc39021
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1742859690

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: staging: ion: remove from the tree

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
KASAN: vmalloc-out-of-bounds Write in imageblit
Hello,

syzbot found the following issue on:

HEAD commit:    6207214a Merge tag 'afs-fixes-04012021' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17d0c7a8d0
kernel config:  https://syzkaller.appspot.com/x/.config?x=104b0cac547b2149
dashboard link: https://syzkaller.appspot.com/bug?extid=858dc7a2f7ef07c2c219
compiler:       gcc (GCC) 10.1.0-syz 20200507
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+858dc7a2f7ef07c2c...@syzkaller.appspotmail.com

BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x117f/0x1290 drivers/video/fbdev/core/sysimgblt.c:275
Write of size 4 at addr c9000bc11000 by task syz-executor.1/10779

CPU: 0 PID: 10779 Comm: syz-executor.1 Not tainted 5.11.0-rc2-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5/0x2f8 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
 sys_imageblit+0x117f/0x1290 drivers/video/fbdev/core/sysimgblt.c:275
 drm_fb_helper_sys_imageblit drivers/gpu/drm/drm_fb_helper.c:794 [inline]
 drm_fbdev_fb_imageblit+0x15c/0x350 drivers/gpu/drm/drm_fb_helper.c:2266
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x6e1/0xd20 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x35a/0x450 drivers/video/fbdev/core/fbcon.c:1304
 do_update_region+0x399/0x630 drivers/tty/vt/vt.c:676
 redraw_screen+0x658/0x790 drivers/tty/vt/vt.c:1035
 fbcon_modechanged+0x593/0x6d0 drivers/video/fbdev/core/fbcon.c:2656
 fbcon_update_vcs+0x3a/0x50 drivers/video/fbdev/core/fbcon.c:2701
 do_fb_ioctl+0x62e/0x690 drivers/video/fbdev/core/fbmem.c:1110
 fb_compat_ioctl+0x17e/0x610 drivers/video/fbdev/core/fbmem.c:1309
 __do_compat_sys_ioctl+0x1d3/0x230 fs/ioctl.c:842
 do_syscall_32_irqs_on arch/x86/entry/common.c:78 [inline]
 __do_fast_syscall_32+0x56/0x80 arch/x86/entry/common.c:137
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:160
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf7f12549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:f550c0bc EFLAGS: 0296 ORIG_RAX: 0036
RAX: ffda RBX: 0003 RCX: 4601
RDX: 2100 RSI: RDI:
RBP: R08: R09:
R10: R11: R12:
R13: R14: R15:

Memory state around the buggy address:
 c9000bc10f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 c9000bc10f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>c9000bc11000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
               ^
 c9000bc11080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 c9000bc11100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==
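The two vmalloc-out-of-bounds reports above (drm_fb_helper_dirty_work and sys_imageblit) both end with a "Memory state around the buggy address" shadow dump, and reading that dump is how you tell a redzone hit from a freed-object or partial-granule access before you even open the driver source. The decoder below is an added example, not part of any syzbot message or of the kernel; it parses the shadow rows, finds the granule the faulting access landed in, and names the KASAN poison it hit. SAMPLE_REPORT is a constructed excerpt modelled on the sys_imageblit report (same layout: two accessible rows, then an all-f8 row at the write address); its addresses are written out in full, since x86-64 vmalloc space begins at ffffc90000000000 and the copies above have lost their leading digits. The poison table is the KASAN_* set from mm/kasan/kasan.h for generic KASAN in the 5.10/5.11 kernels these reports were taken on.

```python
"""Decode the "Memory state around the buggy address" section of a KASAN report.

Added example, not part of any syzbot message above.  Each row of that section is
labelled with a kernel memory address and holds 16 shadow bytes; one shadow byte
covers an 8-byte granule, so a row covers 128 bytes.  Shadow values 0x00..0x07 give
the number of addressable leading bytes in the granule; the poison codes below are
the KASAN_* constants from mm/kasan/kasan.h (generic KASAN, 5.10/5.11 kernels).
"""
import re

SHADOW_POISON = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "vmalloc redzone (KASAN_VMALLOC_INVALID)",
    0xF9: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xFA: "freed kmalloc object with free track (KASAN_KMALLOC_FREETRACK)",
    0xFB: "freed kmalloc object (KASAN_KMALLOC_FREE)",
    0xFC: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xFE: "page redzone (KASAN_PAGE_REDZONE)",
    0xFF: "freed page (KASAN_FREE_PAGE)",
}

# Matches " ffffc9000bc10f00: 00 00 ... 00" and the ">ffffc9000bc11000: f8 ..." row.
ROW_RE = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")
BUG_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")

# Constructed sample modelled on the sys_imageblit report; addresses are written
# in full (x86-64 vmalloc space starts at ffffc90000000000).
SAMPLE_REPORT = """\
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit
Write of size 4 at addr ffffc9000bc11000 by task syz-executor.1/10779
Memory state around the buggy address:
 ffffc9000bc10f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc9000bc10f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000bc11000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc9000bc11080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
"""


def parse_shadow_rows(text):
    """Map each row's memory address to its 16 shadow-byte values."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def describe_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "accessible"
    if value <= 7:
        return f"first {value} of 8 bytes accessible"
    return SHADOW_POISON.get(value, f"unknown poison 0x{value:02x}")


def shadow_for(rows, addr):
    """Shadow byte covering addr, or None if its row is not in the dump."""
    base = addr & ~0x7F          # each row covers 128 bytes of memory
    if base not in rows:
        return None
    return rows[base][(addr - base) // 8]


def classify_access(text):
    """Locate the faulting access in the shadow dump and say what it hit."""
    m = BUG_RE.search(text)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr X' line in report")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    rows = parse_shadow_rows(text)
    first = shadow_for(rows, addr)
    if first is None:
        raise ValueError(f"row covering {addr:#x} is not in the dump")
    # Walk every 8-byte granule the access spans; granules outside the dumped
    # window are unknown and are skipped rather than guessed.
    touched = [shadow_for(rows, a) for a in range(addr, addr + size, 8)]
    poisoned = [s for s in touched if s is not None and s > 7]
    return {
        "kind": kind,
        "size": size,
        "addr": addr,
        "first_granule": describe_shadow(first),
        "touches_poison": bool(poisoned),
        "poison_kinds": sorted({describe_shadow(s) for s in poisoned}),
    }


if __name__ == "__main__":
    r = classify_access(SAMPLE_REPORT)
    print(f"{r['kind']} of {r['size']} at {r['addr']:#x}: {r['first_granule']}")
```

Fed the dump from the drm_fb_helper_dirty_work report (a 3168-byte read starting in an all-f8 window) the same code reports that every granule inside the dumped window is vmalloc redzone, which is what distinguishes "copied past the end of the vmapped shadow framebuffer" from a stray pointer into a freed slab object (0xFB) or a slab redzone (0xFC).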
Re: [syzbot] KASAN: use-after-free Read in drm_gem_object_release_handle
syzbot has found a reproducer for the following issue on:

HEAD commit:    fbf252e09678 Add linux-next specific files for 20211216
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=168bf493b0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7fcbb9aa19a433c8
dashboard link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=144be7cbb0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=136e3193b0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c8ae65286134dd1b8...@syzkaller.appspotmail.com

RBP: 7ffe623d1b90 R08: 0003 R09: 0001
R10: 0012 R11: 0246 R12: 0004
R13: R14: R15:
==
BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xf2/0x110 drivers/gpu/drm/drm_gem.c:252
Read of size 8 at addr 8881473d3228 by task syz-executor513/3605

CPU: 1 PID: 3605 Comm: syz-executor513 Not tainted 5.16.0-rc5-next-20211216-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xa5/0x3ed mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 drm_gem_object_release_handle+0xf2/0x110 drivers/gpu/drm/drm_gem.c:252
 idr_for_each+0x113/0x220 lib/idr.c:208
 drm_gem_release+0x22/0x30 drivers/gpu/drm/drm_gem.c:930
 drm_file_free.part.0+0x805/0xb80 drivers/gpu/drm/drm_file.c:281
 drm_file_free drivers/gpu/drm/drm_file.c:248 [inline]
 drm_close_helper.isra.0+0x17d/0x1f0 drivers/gpu/drm/drm_file.c:308
 drm_release+0x1e6/0x530 drivers/gpu/drm/drm_file.c:495
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xc14/0x2c20 kernel/exit.c:832
 do_group_exit+0x125/0x310 kernel/exit.c:929
 __do_sys_exit_group kernel/exit.c:940 [inline]
 __se_sys_exit_group kernel/exit.c:938 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:938
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff6a71909f9
Code: Unable to access opcode bytes at RIP 0x7ff6a71909cf.
RSP: 002b:7ffe623d1b68 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX: 7ff6a72043f0 RCX: 7ff6a71909f9
RDX: 003c RSI: 00e7 RDI:
RBP: R08: ffc0 R09: 0001
R10: 0012 R11: 0246 R12: 7ff6a72043f0
R13: 0001 R14: R15: 0001

Allocated by task 3605:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 kasan_kmalloc mm/kasan/common.c:515 [inline]
 kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 vgem_gem_create_object+0x38/0xb0 drivers/gpu/drm/vgem/vgem_drv.c:98
Re: [syzbot] KASAN: use-after-free Read in drm_gem_object_release_handle
syzbot has bisected this issue to:

commit 45d9c8dde4cd8589f9180309ec60f0da2ce486e4
Author: Daniel Vetter
Date: Thu Aug 12 13:14:12 2021 +

    drm/vgem: use shmem helpers

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=147953cbb0
start commit: 3f667b5d4053 Merge tag 'tty-5.16-rc6' of git://git.kernel...
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=167953cbb0
console output: https://syzkaller.appspot.com/x/log.txt?x=127953cbb0
kernel config: https://syzkaller.appspot.com/x/.config?x=fa556098924b78f0
dashboard link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16fd41ebb0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1483c7d5b0

Reported-by: syzbot+c8ae65286134dd1b8...@syzkaller.appspotmail.com
Fixes: 45d9c8dde4cd ("drm/vgem: use shmem helpers")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Re: [syzbot] general protection fault in sg_alloc_append_table_from_pages
syzbot has found a reproducer for the following issue on: HEAD commit:3f667b5d4053 Merge tag 'tty-5.16-rc6' of git://git.kernel... git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=174324a3b0 kernel config: https://syzkaller.appspot.com/x/.config?x=fa556098924b78f0 dashboard link: https://syzkaller.appspot.com/bug?extid=2c56b725ec547fa9cb29 compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14df5c71b0 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11d67495b0 The issue was bisected to: commit 284562e1f34874e267d4f499362c3816f8f6bc3f Author: Gurchetan Singh Date: Tue Dec 3 01:36:27 2019 + udmabuf: implement begin_cpu_access/end_cpu_access hooks bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12d6844730 final oops: https://syzkaller.appspot.com/x/report.txt?x=11d6844730 console output: https://syzkaller.appspot.com/x/log.txt?x=16d6844730 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+2c56b725ec547fa9c...@syzkaller.appspotmail.com Fixes: 284562e1f348 ("udmabuf: implement begin_cpu_access/end_cpu_access hooks") general protection fault, probably for non-canonical address 0xdc02: [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0010-0x0017] CPU: 1 PID: 3595 Comm: syz-executor559 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:sg_alloc_append_table_from_pages+0x821/0xdb0 lib/scatterlist.c:525 lib/scatterlist.c:525 Code: 0c 24 48 8b 4c 24 48 48 39 c8 48 0f 46 c8 89 f0 4c 8d 3c c7 48 89 4c 24 30 48 b9 00 00 00 00 00 fc ff df 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 24 05 00 00 4d 8b 3f 4c 89 e0 31 ff 83 e0 03 48 RSP: 0018:c90002d0fc48 EFLAGS: 00010212 RAX: 0002 RBX: 0001 RCX: dc00 RDX: 888021fd5700 RSI: RDI: 0010 RBP: f000 R08: f000 R09: 8880189ddb00 R10: 83d88b30 R11: R12: 0002 R13: 
8880189ddb00 R14: R15: 0010 FS: 5652c300() GS:8880b9d0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 20005b4c CR3: 176ae000 CR4: 00350ee0 Call Trace: sg_alloc_table_from_pages_segment+0xc9/0x260 lib/scatterlist.c:573 lib/scatterlist.c:573 sg_alloc_table_from_pages include/linux/scatterlist.h:331 [inline] sg_alloc_table_from_pages include/linux/scatterlist.h:331 [inline] drivers/dma-buf/udmabuf.c:67 get_sg_table.isra.0+0xbb/0x160 drivers/dma-buf/udmabuf.c:67 drivers/dma-buf/udmabuf.c:67 begin_cpu_udmabuf+0x130/0x1d0 drivers/dma-buf/udmabuf.c:126 drivers/dma-buf/udmabuf.c:126 dma_buf_begin_cpu_access+0xfd/0x1d0 drivers/dma-buf/dma-buf.c:1175 drivers/dma-buf/dma-buf.c:1175 dma_buf_ioctl+0x29a/0x380 drivers/dma-buf/dma-buf.c:374 drivers/dma-buf/dma-buf.c:374 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] vfs_ioctl fs/ioctl.c:51 [inline] fs/ioctl.c:860 __do_sys_ioctl fs/ioctl.c:874 [inline] fs/ioctl.c:860 __se_sys_ioctl fs/ioctl.c:860 [inline] fs/ioctl.c:860 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_x64 arch/x86/entry/common.c:50 [inline] arch/x86/entry/common.c:80 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f57966b60a9 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:7ffea34a0a78 EFLAGS: 0246 ORIG_RAX: 0010 RAX: ffda RBX: RCX: 7f57966b60a9 RDX: 2000 RSI: 40086200 RDI: 0004 RBP: 7f579667a090 R08: R09: R10: R11: 0246 R12: 7f579667a120 R13: R14: R15: Modules linked in: ---[ end trace ed55bd5e5ccee2ad ]--- RIP: 0010:sg_alloc_append_table_from_pages+0x821/0xdb0 lib/scatterlist.c:525 lib/scatterlist.c:525 Code: 0c 24 48 8b 4c 24 48 48 39 c8 48 0f 46 c8 89 f0 4c 8d 3c c7 48 89 4c 24 30 48 b9 
00 00 00 00 00 fc ff df 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 24 05 00 00 4d 8b 3f 4c 89 e0 31 ff 83 e0 03 48 RSP: 0018:c90002d0fc48 EFLAGS: 00010212 RAX: 0002 RBX: 0001 RCX: dc00 RDX: 888021fd5700 RSI: RDI: 0010 RBP: f000 R08: f000 R09:
Re: [syzbot] general protection fault in sg_alloc_append_table_from_pages
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2c56b725ec547fa9c...@syzkaller.appspotmail.com

Tested on:

commit: eec4df26 Merge tag 's390-5.16-6' of git://git.kernel.o..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=1bce7595e2f1eaf8
dashboard link: https://syzkaller.appspot.com/bug?extid=2c56b725ec547fa9cb29
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14fe2f47b0

Note: testing is done by a robot and is best-effort only.
[syzbot] WARNING in drm_atomic_helper_wait_for_vblanks
Hello, syzbot found the following issue on: HEAD commit:800829388818 mm: vmscan: reduce throttling due to a failur.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=158d5fc3b0 kernel config: https://syzkaller.appspot.com/x/.config?x=35d2332e44a37812 dashboard link: https://syzkaller.appspot.com/bug?extid=b7db9fbc95be52cf485d compiler: arm-linux-gnueabi-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 userspace arch: arm Unfortunately, I don't have any reproducer for this issue yet. IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+b7db9fbc95be52cf4...@syzkaller.appspotmail.com [ cut here ] WARNING: CPU: 1 PID: 13058 at drivers/gpu/drm/drm_atomic_helper.c:1514 drm_atomic_helper_wait_for_vblanks.part.0+0x2ac/0x2b8 drivers/gpu/drm/drm_atomic_helper.c:1514 [CRTC:32:crtc-0] vblank wait timed out Modules linked in: Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 13058 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: ARM-Versatile Express Backtrace: [<816bd724>] (dump_backtrace) from [<816bd910>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:237) r7:81d53678 r6:8be8 r5:6093 r4:81d60e84 [<816bd8f8>] (show_stack) from [<816c6398>] (__dump_stack lib/dump_stack.c:88 [inline]) [<816bd8f8>] (show_stack) from [<816c6398>] (dump_stack_lvl+0x48/0x54 lib/dump_stack.c:106) [<816c6350>] (dump_stack_lvl) from [<816c63bc>] (dump_stack+0x18/0x1c lib/dump_stack.c:113) r5: r4:8243cd18 [<816c63a4>] (dump_stack) from [<816be3f0>] (panic+0x104/0x32c kernel/panic.c:232) [<816be2ec>] (panic) from [<80241f08>] (__warn+0xa4/0x134 kernel/panic.c:603) r3:8220c488 r2: r1: r0:81d53678 r7:0009 [<80241e64>] (__warn) from [<816be6b4>] (warn_slowpath_fmt+0x9c/0xd4 kernel/panic.c:633) r7:809265bc r6:05ea r5:81dc58c0 r4:81dc5e60 [<816be61c>] (warn_slowpath_fmt) from [<809265bc>] (drm_atomic_helper_wait_for_vblanks.part.0+0x2ac/0x2b8 
drivers/gpu/drm/drm_atomic_helper.c:1514) r8:161b r7: r6:850c0cc0 r5:840dc050 r4: [<80926310>] (drm_atomic_helper_wait_for_vblanks.part.0) from [<80927bf4>] (drm_atomic_helper_wait_for_vblanks drivers/gpu/drm/drm_atomic_helper.c:1490 [inline]) [<80926310>] (drm_atomic_helper_wait_for_vblanks.part.0) from [<80927bf4>] (drm_atomic_helper_commit_tail+0x80/0x90 drivers/gpu/drm/drm_atomic_helper.c:1590) r10:8421c15c r9:83f4c000 r8: r7:0168 r6:f8c64d30 r5:83f4c000 r4:850c0cc0 [<80927b74>] (drm_atomic_helper_commit_tail) from [<8092873c>] (commit_tail+0x164/0x188 drivers/gpu/drm/drm_atomic_helper.c:1667) r5: r4:850c0cc0 [<809285d8>] (commit_tail) from [<809290e8>] (drm_atomic_helper_commit drivers/gpu/drm/drm_atomic_helper.c:1884 [inline]) [<809285d8>] (commit_tail) from [<809290e8>] (drm_atomic_helper_commit+0x14c/0x170 drivers/gpu/drm/drm_atomic_helper.c:1817) r9:83f4c000 r8:850c0cec r7: r6:83f4c000 r5: r4:850c0cc0 [<80928f9c>] (drm_atomic_helper_commit) from [<80949588>] (drm_atomic_commit+0x4c/0x58 drivers/gpu/drm/drm_atomic.c:1412) r9:83f4c000 r8:840dc340 r7:0001 r6:83f4c000 r5:850c0cc0 r4: [<8094953c>] (drm_atomic_commit) from [<80960b8c>] (drm_client_modeset_commit_atomic+0x200/0x248 drivers/gpu/drm/drm_client_modeset.c:1043) r7:0001 r6:0001 r5:83f4c1ac r4:850c0cc0 [<8096098c>] (drm_client_modeset_commit_atomic) from [<80960cac>] (drm_client_modeset_commit_locked+0x64/0x18c drivers/gpu/drm/drm_client_modeset.c:1146) r10:8220c44c r9:83f4c094 r8:81dcd740 r7:8411f818 r6:8411f800 r5:83f4c000 r4:83f4c000 [<80960c48>] (drm_client_modeset_commit_locked) from [<80960e00>] (drm_client_modeset_commit+0x2c/0x48 drivers/gpu/drm/drm_client_modeset.c:1172) r9:83f4c094 r8:81dcd740 r7:8411f8b4 r6: r5:83f4c000 r4:8411f800 [<80960dd4>] (drm_client_modeset_commit) from [<80930dc4>] (__drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:252 [inline]) [<80960dd4>] (drm_client_modeset_commit) from [<80930dc4>] (__drm_fb_helper_restore_fbdev_mode_unlocked 
drivers/gpu/drm/drm_fb_helper.c:231 [inline]) [<80960dd4>] (drm_client_modeset_commit) from [<80930dc4>] (drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:279 [inline]) [<80960dd4>] (drm_client_modeset_commit) from [<80930dc4>] (drm_fb_helper_lastclose drivers/gpu/drm/drm_fb_helper.c:2003 [inline]) [<80960dd4>] (drm_client_modeset_commit) from [<80930dc4>] (drm_fbdev_client_restore+0x5c/0x98 drivers/gpu/drm/drm_fb_helper.c:2403) r5:823487f8 r4:8411f800 [<80930d68>] (drm_fbdev_client_restore) from [<809605
KASAN: use-after-free Read in add_uevent_var
Hello, syzbot found the following crash on: HEAD commit:a4ccb5f9 Merge tag 'drm-fixes-2019-05-03' of git://anongit.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1205d570a0 kernel config: https://syzkaller.appspot.com/x/.config?x=2bd0da4b8de0b004 dashboard link: https://syzkaller.appspot.com/bug?extid=6da9575ba2db4da91831 compiler: gcc (GCC) 9.0.0 20181231 (experimental) userspace arch: i386 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1769f62ca0 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=167ae984a0 The bug was bisected to: commit 0a1c7959acd9674a0e4e59f911f3e5fbf25fd693 Author: Wolfram Sang Date: Wed May 17 15:22:18 2017 + gpu: drm: tc35876x: move header file out of I2C realm bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=138fe12ca0 final crash:https://syzkaller.appspot.com/x/report.txt?x=104fe12ca0 console output: https://syzkaller.appspot.com/x/log.txt?x=178fe12ca0 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+6da9575ba2db4da91...@syzkaller.appspotmail.com Fixes: 0a1c7959acd9 ("gpu: drm: tc35876x: move header file out of I2C realm") RAX: ffda RBX: 0003 RCX: 5502 RDX: RSI: 080daf20 RDI: 080f0f84 RBP: R08: R09: R10: R11: R12: R13: R14: R15: == BUG: KASAN: use-after-free in string+0x208/0x230 lib/vsprintf.c:606 Read of size 1 at addr 8880a55aa200 by task syz-executor222/7839 CPU: 1 PID: 7839 Comm: syz-executor222 Not tainted 5.1.0-rc7+ #98 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:129 string+0x208/0x230 lib/vsprintf.c:606 vsnprintf+0xbfc/0x1af0 lib/vsprintf.c:2396 add_uevent_var+0x14d/0x310 lib/kobject_uevent.c:661 
input_dev_uevent+0x163/0x890 drivers/input/input.c:1594 dev_uevent+0x312/0x580 drivers/base/core.c:1180 kobject_uevent_env+0x487/0x1030 lib/kobject_uevent.c:549 kobject_uevent+0x20/0x26 lib/kobject_uevent.c:638 kobject_cleanup lib/kobject.c:649 [inline] kobject_release lib/kobject.c:691 [inline] kref_put include/linux/kref.h:67 [inline] kobject_put.cold+0x177/0x2ec lib/kobject.c:708 put_device+0x20/0x30 drivers/base/core.c:2205 input_put_device include/linux/input.h:349 [inline] evdev_free+0x51/0x70 drivers/input/evdev.c:369 device_release+0x7d/0x210 drivers/base/core.c:1064 kobject_cleanup lib/kobject.c:662 [inline] kobject_release lib/kobject.c:691 [inline] kref_put include/linux/kref.h:67 [inline] kobject_put.cold+0x28f/0x2ec lib/kobject.c:708 cdev_default_release+0x41/0x50 fs/char_dev.c:607 kobject_cleanup lib/kobject.c:662 [inline] kobject_release lib/kobject.c:691 [inline] kref_put include/linux/kref.h:67 [inline] kobject_put.cold+0x28f/0x2ec lib/kobject.c:708 cdev_put.part.0+0x39/0x50 fs/char_dev.c:368 cdev_put+0x20/0x30 fs/char_dev.c:366 __fput+0x6df/0x8d0 fs/file_table.c:281 fput+0x16/0x20 fs/file_table.c:309 task_work_run+0x14a/0x1c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x90a/0x2fa0 kernel/exit.c:876 do_group_exit+0x135/0x370 kernel/exit.c:980 __do_sys_exit_group kernel/exit.c:991 [inline] __se_sys_exit_group kernel/exit.c:989 [inline] __ia32_sys_exit_group+0x44/0x50 kernel/exit.c:989 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline] do_fast_syscall_32+0x281/0xc98 arch/x86/entry/common.c:397 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7ff7849 Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:fff2db8c EFLAGS: 0292 ORIG_RAX: 00fc RAX: ffda RBX: RCX: 080f1298 RDX: RSI: 080daf1c RDI: 080f12a0 RBP: 0001 R08: 
R09: R10: R11: R12: R13: R14: R15: Allocated by task 7839: save_stack+0x45/0xd0 mm/kasan/common.c:75 set_track mm/kasan/common.c:87 [inline] __kasan_kmalloc mm/kasan/common.c:497 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:511 __do_kmal
Re: WARNING: locking bug in inet_autobind
syzbot has bisected this bug to:

commit c0d9271ecbd891cdeb0fad1edcdd99ee717a655f
Author: Yong Zhao
Date: Fri Feb 1 23:36:21 2019 +

    drm/amdgpu: Delete user queue doorbell variables

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1433ece4a0
start commit: f49aa1de Merge tag 'for-5.2-rc1-tag' of git://git.kernel.o..
git tree: net-next
final crash: https://syzkaller.appspot.com/x/report.txt?x=1633ece4a0
console output: https://syzkaller.appspot.com/x/log.txt?x=1233ece4a0
kernel config: https://syzkaller.appspot.com/x/.config?x=fc045131472947d7
dashboard link: https://syzkaller.appspot.com/bug?extid=94cc2a66fc228b23f360
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=163731f8a0

Reported-by: syzbot+94cc2a66fc228b23f...@syzkaller.appspotmail.com
Fixes: c0d9271ecbd8 ("drm/amdgpu: Delete user queue doorbell variables")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
INFO: trying to register non-static key in __flush_work
Hello, syzbot found the following crash on: HEAD commit:5694cecdb092 Merge tag 'arm64-upstream' of git://git.kerne.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=124eebc740 kernel config: https://syzkaller.appspot.com/x/.config?x=91a256823ef17263 dashboard link: https://syzkaller.appspot.com/bug?extid=12f1b031b6da017e34f8 compiler: gcc (GCC) 8.0.1 20180413 (experimental) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1174a1dd40 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1336e38b40 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+12f1b031b6da017e3...@syzkaller.appspotmail.com INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 0 PID: 8039 Comm: syz-executor964 Not tainted 4.20.0+ #389 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113 assign_lock_key kernel/locking/lockdep.c:727 [inline] register_lock_class+0x21c5/0x29d0 kernel/locking/lockdep.c:753 __lock_acquire+0x184/0x4c20 kernel/locking/lockdep.c:3227 lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844 __flush_work+0x752/0x9b0 kernel/workqueue.c:2912 flush_work+0x17/0x20 kernel/workqueue.c:2938 vkms_atomic_crtc_destroy_state+0x2b/0x40 drivers/gpu/drm/vkms/vkms_crtc.c:139 drm_atomic_state_default_clear+0x37c/0xda0 drivers/gpu/drm/drm_atomic.c:171 drm_atomic_state_clear+0x9f/0xd0 drivers/gpu/drm/drm_atomic.c:240 __drm_atomic_state_free+0x3a/0xf0 drivers/gpu/drm/drm_atomic.c:256 kref_put include/linux/kref.h:70 [inline] drm_atomic_state_put include/drm/drm_atomic.h:385 [inline] drm_atomic_helper_set_config+0xe6/0x160 drivers/gpu/drm/drm_atomic_helper.c:2947 drm_mode_setcrtc+0x767/0x1890 drivers/gpu/drm/drm_crtc.c:748 drm_ioctl_kernel+0x278/0x330 drivers/gpu/drm/drm_ioctl.c:758 
drm_ioctl+0x58f/0xb90 drivers/gpu/drm/drm_ioctl.c:858
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0x1de/0x1790 fs/ioctl.c:696
ksys_ioctl+0xa9/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443e59
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fff2bc037c8 EFLAGS: 0213 ORIG_RAX: 0010
RAX: ffda RBX: 004002e0 RCX: 00443e59
RDX: 2100 RSI: c06864a2 RDI: 0003
RBP: 006ce018 R08: R09: 004002e0
R10: 000f R11: 0213 R12: 00401b60
R13: 00401bf0 R14: R15: 0

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
WARNING: lock held when returning to user space in set_property_atomic
Hello,

syzbot found the following crash on:

HEAD commit: 903b77c63167 Merge tag 'linux-kselftest-4.21-rc1' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12d0f55340
kernel config: https://syzkaller.appspot.com/x/.config?x=53a2f2aa0b1f7606
dashboard link: https://syzkaller.appspot.com/bug?extid=6ea337c427f5083ebdf2
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=120d906f40
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1024673b40

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6ea337c427f5083eb...@syzkaller.appspotmail.com

RBP: 7ffe369ca7a0 R08: 0001 R09: 004009ce
R10: R11: 0246 R12: 0005
R13: R14: R15:

WARNING: lock held when returning to user space!
4.20.0+ #174 Not tainted
syz-executor556/8153 is leaving the kernel with locks still held!
1 lock held by syz-executor556/8153:
#0: 5100c85c (crtc_ww_class_acquire){+.+.}, at: set_property_atomic+0xb3/0x330 drivers/gpu/drm/drm_mode_object.c:462
WARNING in __flush_work (2)
Hello, syzbot found the following crash on: HEAD commit:1fc1cd8399ab Merge branch 'for-5.1' of git://git.kernel.or.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=10dab41b20 kernel config: https://syzkaller.appspot.com/x/.config?x=83f72881c3c30b7c dashboard link: https://syzkaller.appspot.com/bug?extid=03bd8ee354763fad396d compiler: gcc (GCC) 9.0.0 20181231 (experimental) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1518635720 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1502c53320 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+03bd8ee354763fad3...@syzkaller.appspotmail.com kauditd_printk_skb: 3 callbacks suppressed audit: type=1400 audit(1552001909.747:35): avc: denied { map } for pid=8034 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 audit: type=1400 audit(1552001916.317:36): avc: denied { map } for pid=8046 comm="syz-executor642" path="/root/syz-executor642773801" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 WARNING: CPU: 0 PID: 8046 at kernel/workqueue.c:3020 __flush_work+0x74c/0x8a0 kernel/workqueue.c:3020 Kernel panic - not syncing: panic_on_warn set ... 
CPU: 0 PID: 8046 Comm: syz-executor642 Not tainted 5.0.0+ #11 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 panic+0x2cb/0x65c kernel/panic.c:214 __warn.cold+0x20/0x45 kernel/panic.c:571 report_bug+0x263/0x2b0 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:179 [inline] fixup_bug arch/x86/kernel/traps.c:174 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973 RIP: 0010:__flush_work+0x74c/0x8a0 kernel/workqueue.c:3020 Code: 74 58 e8 77 12 26 00 fb 66 0f 1f 44 00 00 45 31 e4 e9 86 fd ff ff e8 63 12 26 00 0f 0b 45 31 e4 e9 77 fd ff ff e8 54 12 26 00 <0f> 0b 45 31 e4 e9 68 fd ff ff e8 45 12 26 00 4c 89 ff 45 31 e4 e8 RSP: 0018:888087e6f608 EFLAGS: 00010293 RAX: 888098292340 RBX: 8880a623f000 RCX: 814a14cb RDX: RSI: 814a1b7c RDI: 0001 RBP: 888087e6f778 R08: 888098292340 R09: ed1010fcdedd R10: ed1010fcdedc R11: 0003 R12: dc00 R13: 888087e6f750 R14: R15: 0001 flush_work+0x18/0x20 kernel/workqueue.c:3050 vkms_atomic_crtc_destroy_state drivers/gpu/drm/vkms/vkms_crtc.c:133 [inline] vkms_atomic_crtc_destroy_state+0x2d/0x40 drivers/gpu/drm/vkms/vkms_crtc.c:125 drm_atomic_state_default_clear+0x37c/0xd60 drivers/gpu/drm/drm_atomic.c:171 drm_atomic_state_clear+0x9d/0xc0 drivers/gpu/drm/drm_atomic.c:240 __drm_atomic_state_free+0x3c/0xf0 drivers/gpu/drm/drm_atomic.c:256 kref_put include/linux/kref.h:67 [inline] drm_atomic_state_put include/drm/drm_atomic.h:385 [inline] drm_atomic_helper_set_config+0xe5/0x160 drivers/gpu/drm/drm_atomic_helper.c:2956 drm_mode_setcrtc+0x613/0x1490 drivers/gpu/drm/drm_crtc.c:748 drm_ioctl_kernel+0x23b/0x2e0 drivers/gpu/drm/drm_ioctl.c:758 drm_ioctl+0x545/0xa50 drivers/gpu/drm/drm_ioctl.c:858 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0xd6e/0x1390 fs/ioctl.c:696 
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443de9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffef4b0a4f8 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 004002e0 RCX: 00443de9
RDX: 2000 RSI: c06864a2 RDI: 0003
RBP: 006ce018 R08: R09: 004002e0
R10: R11: 0246 R12: 00401af0
R13: 00401b80 R14: R15:
Kernel Offset: disabled
Rebooting in 86400 seconds..
WARNING in vkms_vblank_simulate
syzbot has bisected this bug to:

commit 09ef09b4ab95dc405ad4171ec2cd8a4ff5227108
Author: Shayenne Moura
Date: Wed Feb 6 20:08:13 2019 +

    drm/vkms: WARN when hrtimer_forward_now fails

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=128448cf20
start commit: 09ef09b4 drm/vkms: WARN when hrtimer_forward_now fails
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=118448cf20
console output: https://syzkaller.appspot.com/x/log.txt?x=168448cf20
kernel config: https://syzkaller.appspot.com/x/.config?x=c1e0e0ec44d1e5ff
dashboard link: https://syzkaller.appspot.com/bug?extid=0871b14ca2e2fb64f6e3
userspace arch: amd64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1787db8d20
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17fc988320

Reported-by: syzbot+0871b14ca2e2fb64f...@syzkaller.appspotmail.com
Fixes: 09ef09b4 ("drm/vkms: WARN when hrtimer_forward_now fails")
Re: INFO: rcu detected stall in sys_sendfile64 (2)
syzbot has bisected this bug to:

commit 34e07e42c55aeaa78e93b057a6664e2ecde3fadb
Author: Chris Wilson
Date: Thu Feb 8 10:54:48 2018 +

    drm/i915: Add missing kerneldoc for 'ent' in i915_driver_init_early

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1322028320
start commit: 34e07e42 drm/i915: Add missing kerneldoc for 'ent' in i915..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=10a2028320
console output: https://syzkaller.appspot.com/x/log.txt?x=1722028320
kernel config: https://syzkaller.appspot.com/x/.config?x=abc3dc9b7a900258
dashboard link: https://syzkaller.appspot.com/bug?extid=1505c80c74256c6118a5
userspace arch: amd64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12c4dc28c0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15df4108c0

Reported-by: syzbot+1505c80c74256c611...@syzkaller.appspotmail.com
Fixes: 34e07e42 ("drm/i915: Add missing kerneldoc for 'ent' in i915_driver_init_early")
Re: WARNING in bpf_jit_free
syzbot has found a reproducer for the following crash on: HEAD commit:79c3ba32 Merge tag 'drm-fixes-2019-06-07-1' of git://anong.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=1201b971a0 kernel config: https://syzkaller.appspot.com/x/.config?x=60564cb52ab29d5b dashboard link: https://syzkaller.appspot.com/bug?extid=2ff1e7cb738fd3c41113 compiler: gcc (GCC) 9.0.0 20181231 (experimental) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a3bf51a0 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=120d19f2a0 The bug was bisected to: commit 0fff724a33917ac581b5825375d0b57affedee76 Author: Paul Kocialkowski Date: Fri Jan 18 14:51:13 2019 + drm/sun4i: backend: Use explicit fourcc helpers for packed YUV422 check bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1467550f20 final crash:https://syzkaller.appspot.com/x/report.txt?x=1667550f20 console output: https://syzkaller.appspot.com/x/log.txt?x=1267550f20 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+2ff1e7cb738fd3c41...@syzkaller.appspotmail.com Fixes: 0fff724a3391 ("drm/sun4i: backend: Use explicit fourcc helpers for packed YUV422 check") WARNING: CPU: 0 PID: 8951 at kernel/bpf/core.c:851 bpf_jit_free+0x157/0x1b0 Kernel panic - not syncing: panic_on_warn set ... 
CPU: 0 PID: 8951 Comm: kworker/0:0 Not tainted 5.2.0-rc3+ #23 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events bpf_prog_free_deferred Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 panic+0x2cb/0x744 kernel/panic.c:219 __warn.cold+0x20/0x4d kernel/panic.c:576 report_bug+0x263/0x2b0 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:179 [inline] fixup_bug arch/x86/kernel/traps.c:174 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:986 RIP: 0010:bpf_jit_free+0x157/0x1b0 Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5d 48 b8 00 02 00 00 00 00 ad de 48 39 43 70 0f 84 05 ff ff ff e8 f9 b5 f4 ff <0f> 0b e9 f9 fe ff ff e8 bd 53 2d 00 e9 d9 fe ff ff 48 89 7d e0 e8 RSP: 0018:88808886fcb0 EFLAGS: 00010293 RAX: 88808cb6c480 RBX: 88809051d280 RCX: 817ae68d RDX: RSI: 817bf0f7 RDI: 88809051d2f0 RBP: 88808886fcd0 R08: 114ccaa8 R09: fbfff14ccaa9 R10: fbfff14ccaa8 R11: 8a665547 R12: c90001925000 R13: 88809051d2e8 R14: 8880a0e43900 R15: 8880ae834840 bpf_prog_free_deferred+0x27a/0x350 kernel/bpf/core.c:1984 process_one_work+0x989/0x1790 kernel/workqueue.c:2269 worker_thread+0x98/0xe40 kernel/workqueue.c:2415 kthread+0x354/0x420 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Kernel Offset: disabled Rebooting in 86400 seconds..
KASAN: use-after-free Read in brnf_exit_net
Hello,

syzbot found the following crash on:

HEAD commit:    1c6b4050 Add linux-next specific files for 20190618
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10126209a0
kernel config:  https://syzkaller.appspot.com/x/.config?x=3c614278993de456
dashboard link: https://syzkaller.appspot.com/bug?extid=43a3fa52c0d9c5c94f41
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16291176a0

The bug was bisected to:

commit b38d37a08ec4b19a9b9ec3a1ff5566781fcae1f1
Author: Stephen Rothwell
Date:   Tue Jun 18 04:19:55 2019 +

    Merge remote-tracking branch 'drm/drm-next'

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=146f914ea0
final crash:    https://syzkaller.appspot.com/x/report.txt?x=166f914ea0
console output: https://syzkaller.appspot.com/x/log.txt?x=126f914ea0

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+43a3fa52c0d9c5c94...@syzkaller.appspotmail.com
Fixes: b38d37a08ec4 ("Merge remote-tracking branch 'drm/drm-next'")

==
BUG: KASAN: use-after-free in br_netfilter_sysctl_exit_net net/bridge/br_netfilter_hooks.c:1121 [inline]
BUG: KASAN: use-after-free in brnf_exit_net+0x38c/0x3a0 net/bridge/br_netfilter_hooks.c:1141
Read of size 8 at addr 8880a4078d60 by task kworker/u4:4/8749

CPU: 0 PID: 8749 Comm: kworker/u4:4 Not tainted 5.2.0-rc5-next-20190618 #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0xd4/0x306 mm/kasan/report.c:351
 __kasan_report.cold+0x1b/0x36 mm/kasan/report.c:482
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 br_netfilter_sysctl_exit_net net/bridge/br_netfilter_hooks.c:1121 [inline]
 brnf_exit_net+0x38c/0x3a0 net/bridge/br_netfilter_hooks.c:1141
 ops_exit_list.isra.0+0xaa/0x150 net/core/net_namespace.c:154
 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:553
 process_one_work+0x989/0x1790 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x354/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 11374:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 __do_kmalloc mm/slab.c:3645 [inline]
 __kmalloc+0x15c/0x740 mm/slab.c:3654
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:743 [inline]
 __register_sysctl_table+0xc7/0xef0 fs/proc/proc_sysctl.c:1327
 register_net_sysctl+0x29/0x30 net/sysctl_net.c:121
 br_netfilter_sysctl_init_net net/bridge/br_netfilter_hooks.c:1105 [inline]
 brnf_init_net+0x379/0x6a0 net/bridge/br_netfilter_hooks.c:1126
 ops_init+0xb3/0x410 net/core/net_namespace.c:130
 setup_net+0x2d3/0x740 net/core/net_namespace.c:316
 copy_net_ns+0x1df/0x340 net/core/net_namespace.c:439
 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:103
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:202
 ksys_unshare+0x444/0x980 kernel/fork.c:2822
 __do_sys_unshare kernel/fork.c:2890 [inline]
 __se_sys_unshare kernel/fork.c:2888 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2888
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3417 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3746
 __rcu_reclaim kernel/rcu/rcu.h:215 [inline]
 rcu_do_batch kernel/rcu/tree.c:2092 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2310 [inline]
 rcu_core+0xcc7/0x1500 kernel/rcu/tree.c:2291
 __do_softirq+0x25c/0x94c kernel/softirq.c:292

The buggy address belongs to the object at 8880a4078d40
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 32 bytes inside of
 512-byte region [8880a4078d40, 8880a4078f40)
The buggy address belongs to the page:
page:ea0002901e00 refcount:1 mapcount:0 mapping:8880aa400a80 index:0x8880a40785c0
flags: 0x1fffc000200(slab)
page dumped because: kasan: bad access detected
Re: WARNING in dma_buf_vunmap
syzbot has bisected this bug to:

commit d5e73f7be850323ae3adbbe84ed37a38b0c31476
Author: Mahesh Bandewar
Date:   Wed Mar 8 18:55:51 2017 +

    bonding: restructure arp-monitor

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=15e679f720
start commit:   d5e73f7b bonding: restructure arp-monitor
git tree:       upstream
final crash:    https://syzkaller.appspot.com/x/report.txt?x=17e679f720
console output: https://syzkaller.appspot.com/x/log.txt?x=13e679f720
kernel config:  https://syzkaller.appspot.com/x/.config?x=4a0a89f12ca9b0f5
dashboard link: https://syzkaller.appspot.com/bug?extid=a9317fe7ad261fc76b88
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16f7b6f540
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=105a278340

Reported-by: syzbot+a9317fe7ad261fc76...@syzkaller.appspotmail.com
Fixes: d5e73f7b ("bonding: restructure arp-monitor")
Re: INFO: task hung in process_measurement
syzbot has bisected this bug to:

commit 8fe5616b20e5742bb5fee0e77dffe2fc76ac92a0
Author: Jyri Sarha
Date:   Tue Jun 14 08:43:30 2016 +

    drm/tilcdc: Restore old dpms state in pm_resume()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10daff1b20
start commit:   291d0e5d Merge tag 'for-linus-20180929' of git://git.kerne..
git tree:       upstream
final crash:    https://syzkaller.appspot.com/x/report.txt?x=12daff1b20
console output: https://syzkaller.appspot.com/x/log.txt?x=14daff1b20
kernel config:  https://syzkaller.appspot.com/x/.config?x=a8212f992609a887
dashboard link: https://syzkaller.appspot.com/bug?extid=cdc562bc26a2b2b0a94f
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=140e285e40
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1237fe8140

Reported-by: syzbot+cdc562bc26a2b2b0a...@syzkaller.appspotmail.com
Fixes: 8fe5616b20e5 ("drm/tilcdc: Restore old dpms state in pm_resume()")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Re: WARNING in bpf_jit_free
syzbot has bisected this bug to:

commit 0fff724a33917ac581b5825375d0b57affedee76
Author: Paul Kocialkowski
Date:   Fri Jan 18 14:51:13 2019 +

    drm/sun4i: backend: Use explicit fourcc helpers for packed YUV422 check

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1467550f20
start commit:   0e40da3e Merge tag 'kbuild-fixes-v5.1' of git://git.kernel..
git tree:       upstream
final crash:    https://syzkaller.appspot.com/x/report.txt?x=1667550f20
console output: https://syzkaller.appspot.com/x/log.txt?x=1267550f20
kernel config:  https://syzkaller.appspot.com/x/.config?x=8dcdce25ea72bedf
dashboard link: https://syzkaller.appspot.com/bug?extid=2ff1e7cb738fd3c41113
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1697365320

Reported-by: syzbot+2ff1e7cb738fd3c41...@syzkaller.appspotmail.com
Fixes: 0fff724a3391 ("drm/sun4i: backend: Use explicit fourcc helpers for packed YUV422 check")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
kernel panic: stack is corrupted in pointer
Hello,

syzbot found the following crash on:

HEAD commit:    1438cde7 Add linux-next specific files for 20190716
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1398805860
kernel config:  https://syzkaller.appspot.com/x/.config?x=3430a151e1452331
dashboard link: https://syzkaller.appspot.com/bug?extid=79f5f028005a77ecb6bb
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=111fc8afa0

The bug was bisected to:

commit 96a5d8d4915f3e241ebb48d5decdd110ab9c7dcf
Author: Leo Liu
Date:   Fri Jul 13 15:26:28 2018 +

    drm/amdgpu: Make sure IB tests flushed after IP resume

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14a4620060
final crash:    https://syzkaller.appspot.com/x/report.txt?x=16a4620060
console output: https://syzkaller.appspot.com/x/log.txt?x=12a4620060

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+79f5f028005a77ecb...@syzkaller.appspotmail.com
Fixes: 96a5d8d4915f ("drm/amdgpu: Make sure IB tests flushed after IP resume")

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pointer+0x702/0x750 lib/vsprintf.c:2187
Shutting down cpus with NMI
Kernel Offset: disabled

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Re: Re: kernel panic: stack is corrupted in pointer
Dmitry Vyukov wrote:
On Wed, Jul 17, 2019 at 10:58 AM syzbot wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    1438cde7 Add linux-next specific files for 20190716
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=1398805860
> kernel config:  https://syzkaller.appspot.com/x/.config?x=3430a151e1452331
> dashboard link: https://syzkaller.appspot.com/bug?extid=79f5f028005a77ecb6bb
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=111fc8afa0

From the repro it looks like the same bpf stack overflow bug.
+John

We need to dup them onto some canonical report for this bug, or this becomes unmanageable.
Fixes in bpf tree should fix this. Hopefully, we will squash this once fixes percolate up.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git

">" does not look like a valid git branch or commit.

#syz dup: kernel panic: corrupted stack end in dput

> The bug was bisected to:
>
> commit 96a5d8d4915f3e241ebb48d5decdd110ab9c7dcf
> Author: Leo Liu
> Date:   Fri Jul 13 15:26:28 2018 +
>
>     drm/amdgpu: Make sure IB tests flushed after IP resume
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14a4620060
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=16a4620060
> console output: https://syzkaller.appspot.com/x/log.txt?x=12a4620060
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+79f5f028005a77ecb...@syzkaller.appspotmail.com
> Fixes: 96a5d8d4915f ("drm/amdgpu: Make sure IB tests flushed after IP
> resume")
>
> Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in:
> pointer+0x702/0x750 lib/vsprintf.c:2187
> Shutting down cpus with NMI
> Kernel Offset: disabled
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkal...@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
Re: kernel panic: stack is corrupted in pointer
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+79f5f028005a77ecb...@syzkaller.appspotmail.com

Tested on:

commit:         decb705e libbpf: fix using uninitialized ioctl results
git tree:       bpf
kernel config:  https://syzkaller.appspot.com/x/.config?x=87305c3ca9c25c70
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Note: testing is done by a robot and is best-effort only.
Re: memory leak in dma_buf_ioctl
syzbot has bisected this bug to:

commit 04cf31a759ef575f750a63777cee95500e410994
Author: Michael Ellerman
Date:   Thu Mar 24 11:04:01 2016 +

    ftrace: Make ftrace_location_range() global

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=154293f460
start commit:   abdfd52a Merge tag 'armsoc-defconfig' of git://git.kernel...
git tree:       upstream
final crash:    https://syzkaller.appspot.com/x/report.txt?x=174293f460
console output: https://syzkaller.appspot.com/x/log.txt?x=134293f460
kernel config:  https://syzkaller.appspot.com/x/.config?x=d31de3d88059b7fa
dashboard link: https://syzkaller.appspot.com/bug?extid=b2098bc44728a4efb3e9
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12526e5860
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=161784f060

Reported-by: syzbot+b2098bc44728a4efb...@syzkaller.appspotmail.com
Fixes: 04cf31a759ef ("ftrace: Make ftrace_location_range() global")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Re: [syzbot] WARNING in __dma_map_sg_attrs
syzbot has found a reproducer for the following issue on:

HEAD commit:    0457e5153e0e Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11b2637c70
kernel config:  https://syzkaller.appspot.com/x/.config?x=6f043113811433a5
dashboard link: https://syzkaller.appspot.com/bug?extid=10e27961f4da37c443b2
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11c6554270
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1163f48070

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+10e27961f4da37c44...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 3595 at kernel/dma/mapping.c:188 __dma_map_sg_attrs+0x181/0x1f0 kernel/dma/mapping.c:188
Modules linked in:
CPU: 0 PID: 3595 Comm: syz-executor249 Not tainted 5.17.0-rc2-syzkaller-00316-g0457e5153e0e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__dma_map_sg_attrs+0x181/0x1f0 kernel/dma/mapping.c:188
Call Trace:
 dma_map_sgtable+0x70/0xf0 kernel/dma/mapping.c:264
 get_sg_table.isra.0+0xe0/0x160 drivers/dma-buf/udmabuf.c:72
 begin_cpu_udmabuf+0x130/0x1d0 drivers/dma-buf/udmabuf.c:126
 dma_buf_begin_cpu_access+0xfd/0x1d0 drivers/dma-buf/dma-buf.c:1164
 dma_buf_ioctl+0x259/0x2b0 drivers/dma-buf/dma-buf.c:363
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f62fcf530f9
Re: [syzbot] WARNING in component_del
syzbot has found a reproducer for the following issue on:

HEAD commit:    555f3d7be91a Merge tag '5.17-rc3-ksmbd-server-fixes' of gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=130a0c2c70
kernel config:  https://syzkaller.appspot.com/x/.config?x=266de9da75c71a45
dashboard link: https://syzkaller.appspot.com/bug?extid=60df062e1c41940cae0f
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15880d8470
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14de0c77b0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+60df062e1c41940ca...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 0 PID: 3598 at drivers/base/component.c:767 component_del+0x40c/0x540 drivers/base/component.c:765
Modules linked in:
CPU: 0 PID: 3598 Comm: syz-executor255 Not tainted 5.17.0-rc3-syzkaller-00020-g555f3d7be91a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:component_del+0x40c/0x540 drivers/base/component.c:767
Call Trace:
 usb_hub_remove_port_device+0x272/0x370 drivers/usb/core/port.c:653
 hub_disconnect+0x171/0x510 drivers/usb/core/hub.c:1737
 usb_unbind_interface+0x1d8/0x8e0 drivers/usb/core/driver.c:458
 __device_release_driver+0x5d7/0x700 drivers/base/dd.c:1206
 device_release_driver_internal drivers/base/dd.c:1237 [inline]
 device_release_driver+0x26/0x40 drivers/base/dd.c:1260
 usb_driver_release_interface+0x102/0x180 drivers/usb/core/driver.c:627
 proc_ioctl.part.0+0x4d6/0x560 drivers/usb/core/devio.c:2332
 proc_ioctl drivers/usb/core/devio.c:170 [inline]
 proc_ioctl_default drivers/usb/core/devio.c:2375 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2731 [inline]
 usbdev_ioctl+0x2b29/0x36c0 drivers/usb/core/devio.c:2791
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fb3739346f9
Re: [syzbot] WARNING in component_del
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+60df062e1c41940ca...@syzkaller.appspotmail.com

Tested on:

commit:         555f3d7b Merge tag '5.17-rc3-ksmbd-server-fixes' of gi..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=266de9da75c71a45
dashboard link: https://syzkaller.appspot.com/bug?extid=60df062e1c41940cae0f
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=111f742870

Note: testing is done by a robot and is best-effort only.
[syzbot] inconsistent lock state in sync_timeline_debug_remove
Hello,

syzbot found the following issue on:

HEAD commit:    f4bc5bbb5fef Merge tag 'nfsd-5.17-2' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10fc74c270
kernel config:  https://syzkaller.appspot.com/x/.config?x=266de9da75c71a45
dashboard link: https://syzkaller.appspot.com/bug?extid=7dcd254b8987a29f6450
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10c73c7470
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1440451c70

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10a40d8470
final oops:     https://syzkaller.appspot.com/x/report.txt?x=12a40d8470
console output: https://syzkaller.appspot.com/x/log.txt?x=14a40d8470

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7dcd254b8987a29f6...@syzkaller.appspotmail.com

WARNING: inconsistent lock state
5.17.0-rc3-syzkaller-00043-gf4bc5bbb5fef #0 Not tainted
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
syz-executor198/3596 [HC1[1]:SC0[0]:HE0:SE1] takes:
8c7096d8 (sync_timeline_list_lock){?.+.}-{2:2}, at: sync_timeline_debug_remove+0x25/0x190 drivers/dma-buf/sync_debug.c:31
{HARDIRQ-ON-W} state was registered at:
  __trace_hardirqs_on_caller kernel/locking/lockdep.c:4224 [inline]
  lockdep_hardirqs_on_prepare kernel/locking/lockdep.c:4292 [inline]
  lockdep_hardirqs_on_prepare+0x135/0x400 kernel/locking/lockdep.c:4244
  trace_hardirqs_on+0x5b/0x1c0 kernel/trace/trace_preemptirq.c:49
  __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
  _raw_spin_unlock_irq+0x1f/0x40 kernel/locking/spinlock.c:202
  spin_unlock_irq include/linux/spinlock.h:399 [inline]
  sync_print_obj drivers/dma-buf/sync_debug.c:118 [inline]
  sync_info_debugfs_show+0xeb/0x200 drivers/dma-buf/sync_debug.c:153
  seq_read_iter+0x4f5/0x1280 fs/seq_file.c:230
  seq_read+0x3e8/0x5c0 fs/seq_file.c:162
  vfs_read+0x1b5/0x600 fs/read_write.c:479
  ksys_read+0x12d/0x250 fs/read_write.c:619
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x44/0xae
irq event stamp: 5708
hardirqs last  enabled at (5707): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
hardirqs last  enabled at (5707): [] _raw_spin_unlock_irq+0x1f/0x40 kernel/locking/spinlock.c:202
hardirqs last disabled at (5708): [] sysvec_irq_work+0xb/0xc0 arch/x86/kernel/irq_work.c:17
softirqs last  enabled at (5570): [] spin_unlock_bh include/linux/spinlock.h:394 [inline]
softirqs last  enabled at (5570): [] __tun_set_ebpf+0xf6/0x1c0 drivers/net/tun.c:2245
softirqs last disabled at (5568): [] spin_lock_bh include/linux/spinlock.h:354 [inline]
softirqs last disabled at (5568): [] __tun_set_ebpf+0xa3/0x1c0 drivers/net/tun.c:2241

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
  lock(sync_timeline_list_lock);
    lock(sync_timeline_list_lock);

 *** DEADLOCK ***

no locks held by syz-executor198/3596.

stack backtrace:
CPU: 0 PID: 3596 Comm: syz-executor198 Not tainted 5.17.0-rc3-syzkaller-00043-gf4bc5bbb5fef #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_usage_bug kernel/locking/lockdep.c:203 [inline]
 valid_state kernel/locking/lockdep.c:3945 [inline]
 mark_lock_irq kernel/locking/lockdep.c:4148 [inline]
 mark_lock.cold+0x61/0x8e kernel/locking/lockdep.c:4605
 mark_usage kernel/locking/lockdep.c:4497 [inline]
 __lock_acquire+0x1499/0x5470 kernel/locking/lockdep.c:4981
 lock_acquire kernel/locking/lockdep.c:5639 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 sync_timeline_debug_remove+0x25/0x190 drivers/dma-buf/sync_debug.c:31
 sync_timeline_free drivers/dma-buf/sw_sync.c:104 [inline]
 kref_put include/linux/kref.h:65 [inline]
 sync_timeline_put drivers/dma-buf/sw_sync.c:116 [inline]
 timeline_fence_release+0x263/0x340 drivers/dma-buf/sw_sync.c:144
 dma_fence_release+0x2ee/0x590 drivers/dma-buf/dma-fence.c:549
 kref_put include/linux/kref.h:65 [inline]
 dma_fence_put include/linux/dma-fence.h:276 [inline]
 dma_fence_array_release+0x1e4/0x2b0 drivers/dma-buf/dma-fence-array.c:120
 dma_fence_release+0x2ee/0x590 drivers/dma-buf/dma-fence.c:549
 kref_put include/linux/kref.h:65 [inline]
 dma_fence_put include/linux/dma-fence.h:276 [inline]
 irq_dma_fence_array_work+0xa5/0xd0 drivers/dma-buf/dma-fence-array.c:52
 irq_work_singl
Re: [syzbot] BUG: unable to handle kernel paging request in bitfill_aligned (3)
syzbot has found a reproducer for the following issue on:

HEAD commit:    7ebfc85e2cd7 Merge tag 'net-6.0-rc1' of git://git.kernel.o..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=179c3aa508
kernel config:  https://syzkaller.appspot.com/x/.config?x=20bc0b329895d963
dashboard link: https://syzkaller.appspot.com/bug?extid=a168dbeaaa7778273c1b
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16e0ef4b08
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11a1183d08

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a168dbeaaa7778273...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: c900043a1000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1267 P4D 1267 PUD 121c9067 PMD 14733a067 PTE 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 3633 Comm: syz-executor339 Not tainted 5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
RIP: 0010:memset64 arch/x86/include/asm/string_64.h:49 [inline]
RIP: 0010:memset_l include/linux/string.h:128 [inline]
RIP: 0010:bitfill_aligned+0x1ad/0x270 drivers/video/fbdev/core/sysfillrect.c:53
Call Trace:
 sys_fillrect+0x5ce/0x7f0 drivers/video/fbdev/core/sysfillrect.c:281
 drm_fb_helper_sys_fillrect drivers/gpu/drm/drm_fb_helper.c:807 [inline]
 drm_fbdev_fb_fillrect+0x163/0x300 drivers/gpu/drm/drm_fb_helper.c:2322
 bit_clear_margins+0x3f1/0x6e0 drivers/video/fbdev/core/bitblit.c:232
 fbcon_clear_margins drivers/video/fbdev/core/fbcon.c:1306 [inline]
 fbcon_do_set_font+0xd7c/0x1330 drivers/video/fbdev/core/fbcon.c:2431
 fbcon_set_font+0xc29/0xf70 drivers/video/fbdev/core/fbcon.c:2519
 con_font_set drivers/tty/vt/vt.c:4666 [inline]
 con_font_op+0xbe8/0x1070 drivers/tty/vt/vt.c:4710
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
 vt_ioctl+0x172e/0x1d00 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0x874/0xc60 drivers/tty/tty_io.c:2778
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7efe5924e239
Modules linked in:
CR2: c900043a1000
---[ end trace ]---
RIP: 0010:memset64 arch/x86/include/asm/string_64.h:49 [inline]
RIP: 0010:memset_l include/linux/string.h:128 [inline]
RIP: 0010:bitfill_aligned+0x1ad/0x270 drivers/video/fbdev/core/sysfillrect.c:53
[syzbot] general protection fault in drm_gem_object_handle_put_unlocked
Hello,

syzbot found the following issue on:

HEAD commit:    7ebfc85e2cd7 Merge tag 'net-6.0-rc1' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=143d292d08
kernel config:  https://syzkaller.appspot.com/x/.config?x=924833c12349a8c0
dashboard link: https://syzkaller.appspot.com/bug?extid=87b9744712425638eaae
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+87b9744712425638e...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xf0cffc45c56c: [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x8680022e2b60-0x8680022e2b67]
CPU: 1 PID: 7930 Comm: syz-executor.2 Not tainted 5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:582 [inline]
RIP: 0010:__mutex_lock+0xec/0x1350 kernel/locking/mutex.c:747
Call Trace:
 drm_gem_object_handle_put_unlocked+0x90/0x390 drivers/gpu/drm/drm_gem.c:231
 drm_gem_object_release_handle+0xe3/0x110 drivers/gpu/drm/drm_gem.c:259
 idr_for_each+0x113/0x220 lib/idr.c:208
 drm_gem_release+0x22/0x30 drivers/gpu/drm/drm_gem.c:932
 drm_file_free.part.0+0x805/0xb80 drivers/gpu/drm/drm_file.c:281
 drm_file_free drivers/gpu/drm/drm_file.c:248 [inline]
 drm_close_helper.isra.0+0x17d/0x1f0 drivers/gpu/drm/drm_file.c:308
 drm_release+0x1e6/0x530 drivers/gpu/drm/drm_file.c:495
 __fput+0x277/0x9d0 fs/file_table.c:320
 task_work_run+0xdd/0x1a0 kernel/task_work.c:177
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0de2a3bebb
Modules linked in:
---[ end trace ]---
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:582 [inline]
RIP: 0010:__mutex_lock+0xec/0x1350 kernel/locking/mutex.c:747
[syzbot] general protection fault in release_udmabuf
Hello,

syzbot found the following issue on:

HEAD commit:    7ebfc85e2cd7 Merge tag 'net-6.0-rc1' of git://git.kernel.o..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1331f44708
kernel config:  https://syzkaller.appspot.com/x/.config?x=924833c12349a8c0
dashboard link: https://syzkaller.appspot.com/bug?extid=c80e9ef5d8bb45894db0
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1601336b08
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16d3292d08

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16e01a3d08
final oops:     https://syzkaller.appspot.com/x/report.txt?x=15e01a3d08
console output: https://syzkaller.appspot.com/x/log.txt?x=11e01a3d08

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c80e9ef5d8bb45894...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdc00: [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x-0x0007]
CPU: 0 PID: 3609 Comm: syz-executor487 Not tainted 5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]
RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]
RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c 8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2
RSP: 0018:c900037efd30 EFLAGS: 00010246
RAX: dc00 RBX: 8cb67800 RCX:
RDX: RSI: 84ad27e0 RDI:
RBP: fff4 R08: 0005 R09:
R10: R11: 0008c07c R12: 88801fa05000
R13: 888073db07e8 R14: 888025c25440 R15:
FS:  55fc4300() GS:8880b9a0() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: 7fc1c0ce06e4 CR3: 715e6000 CR4: 003506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78
 __dentry_kill+0x42b/0x640 fs/dcache.c:612
 dentry_kill fs/dcache.c:733 [inline]
 dput+0x806/0xdb0 fs/dcache.c:913
 __fput+0x39c/0x9d0 fs/file_table.c:333
 task_work_run+0xdd/0x1a0 kernel/task_work.c:177
 ptrace_notify+0x114/0x140 kernel/signal.c:2353
 ptrace_report_syscall include/linux/ptrace.h:420 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]
 syscall_exit_work kernel/entry/common.c:249 [inline]
 syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276
 __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]
 syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc1c0c35b6b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:7ffd78a06090 EFLAGS: 0293 ORIG_RAX: 0003
RAX: RBX: 0007 RCX: 7fc1c0c35b6b
RDX: 2280 RSI: 40086200 RDI: 0006
RBP: 0007 R08: R09:
R10: R11: 0293 R12: 000c
R13: 0003 R14: 7fc1c0cfe4a0 R15: 7ffd78a06140
Modules linked in:
---[ end trace ]---
RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]
RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]
RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c 8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2
RSP: 0018:c900037efd30 EFLAGS: 00010246
RAX: dc00 RBX: 8cb67800 RCX:
RDX: RSI: 84ad27e0 RDI:
RBP: fff4 R08: 0005 R09:
R10: R11: 0008c07c R12: 88801fa05000
R13: 888073db07e8 R14: 888025c25440 R15:
FS:  55fc4300() GS:8880b9b0() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: 564b46eeb2c8 CR3: 715e60
[syzbot] KASAN: use-after-free Read in udl_get_urb_timeout
Hello,

syzbot found the following issue on:

HEAD commit:    5b6a4bf680d6 Add linux-next specific files for 20220818
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12341a3d08
kernel config:  https://syzkaller.appspot.com/x/.config?x=ead6107a3bbe3c62
dashboard link: https://syzkaller.appspot.com/bug?extid=f24934fe125a19d77eae
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1273186708
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=165b64f308

The issue was bisected to:

commit e25d5954264d1871ab2792c7ca2298b811462500
Author: Takashi Iwai
Date:   Thu Aug 4 07:58:25 2022 +

    drm/udl: Kill pending URBs at suspend and disconnect

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1393a8eb08
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1053a8eb08
console output: https://syzkaller.appspot.com/x/log.txt?x=1793a8eb08

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f24934fe125a19d77...@syzkaller.appspotmail.com
Fixes: e25d5954264d ("drm/udl: Kill pending URBs at suspend and disconnect")

[drm:udl_init.cold] *ERROR* Unrecognized vendor firmware descriptor
[drm:udl_init] *ERROR* Selecting channel failed
[drm] Initialized udl 0.0.1 20120220 for 1-1:0.0 on minor 2
[drm] Initialized udl on minor 2
[drm:udl_get_edid_block] *ERROR* Read EDID byte 0 failed err ffb9
udl 1-1:0.0: [drm] Cannot find any crtc or sizes
usb 1-1: USB disconnect, device number 2
==
BUG: KASAN: use-after-free in __list_add_valid+0x93/0xb0 lib/list_debug.c:27
Read of size 8 at addr 8880756fce88 by task kworker/0:2/146

CPU: 0 PID: 146 Comm: kworker/0:2 Not tainted 6.0.0-rc1-next-20220818-syzkaller #0
kworker/0:2[146] cmdline: ��a�
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:122 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:140
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 __list_add_valid+0x93/0xb0 lib/list_debug.c:27
 __list_add include/linux/list.h:69 [inline]
 list_add include/linux/list.h:88 [inline]
 list_move include/linux/list.h:218 [inline]
 udl_get_urb_timeout+0x20e/0x550 drivers/gpu/drm/udl/udl_main.c:250
 udl_free_urb_list+0x15f/0x250 drivers/gpu/drm/udl/udl_main.c:156
 udl_drop_usb+0xd0/0x160 drivers/gpu/drm/udl/udl_main.c:358
 udl_usb_disconnect+0x3f/0x50 drivers/gpu/drm/udl/udl_drv.c:114
 usb_unbind_interface+0x1d8/0x8e0 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:520 [inline]
 device_remove+0x11f/0x170 drivers/base/dd.c:512
 __device_release_driver drivers/base/dd.c:1209 [inline]
 device_release_driver_internal+0x4a1/0x700 drivers/base/dd.c:1235
 bus_remove_device+0x2e3/0x590 drivers/base/bus.c:529
 device_del+0x4f3/0xc80 drivers/base/core.c:3704
 usb_disable_device+0x356/0x7a0 drivers/usb/core/message.c:1419
 usb_disconnect.cold+0x259/0x6ed drivers/usb/core/hub.c:2235
 hub_port_connect drivers/usb/core/hub.c:5197 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5497 [inline]
 port_event drivers/usb/core/hub.c:5653 [inline]
 hub_event+0x1f86/0x4610 drivers/usb/core/hub.c:5735
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 process_scheduled_works kernel/workqueue.c:2352 [inline]
 worker_thread+0x854/0x1080 kernel/workqueue.c:2438
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Allocated by task 146:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:437 [inline]
 kasan_kmalloc mm/kasan/common.c:516 [inline]
 kasan_kmalloc mm/kasan/common.c:475 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
 kmalloc include/linux/slab.h:606 [inline]
 kzalloc include/linux/slab.h:739 [inline]
 udl_alloc_urb_list drivers/gpu/drm/udl/udl_main.c:190 [inline]
 udl_init+0x736/0xc80 drivers/gpu/drm/udl/udl_main.c:331
 udl_driver_create drivers/gpu/drm/udl/udl_drv.c:79 [inline]
 udl_usb_probe+0x4f/0x100 drivers/gpu/drm/udl/udl_drv.c:94
 usb_probe_interface+0x30b/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:530 [inline]
 really_probe+0x249/0xb90 drivers/base/dd.c:609
 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:748
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:778
 __device_attach_driver+0x206/0x2e0 drivers/base/dd.c:901
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x1e4/0x530 drivers/base/dd.c:973
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xbd5/0x1e90 drivers/base/core.c:3517
 usb_set_configuration+0x1
[syzbot] WARNING in drm_atomic_helper_wait_for_vblanks (2)
Hello,

syzbot found the following issue on:

HEAD commit:    9be9ed2612b5 Merge tag 'platform-drivers-x86-v5.18-4' of g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12dc2e49f0
kernel config:  https://syzkaller.appspot.com/x/.config?x=6ab029f8aaef5349
dashboard link: https://syzkaller.appspot.com/bug?extid=f95421e61338eb84132a
compiler:       arm-linux-gnueabi-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f95421e61338eb841...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 1 PID: 11618 at drivers/gpu/drm/drm_atomic_helper.c:1529 drm_atomic_helper_wait_for_vblanks.part.0+0x2ac/0x2b8 drivers/gpu/drm/drm_atomic_helper.c:1529
[CRTC:33:crtc-0] vblank wait timed out
Modules linked in:
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 11618 Comm: syz-executor.0 Not tainted 5.18.0-rc6-syzkaller #0
Hardware name: ARM-Versatile Express
Backtrace:
[<816dadf0>] (dump_backtrace) from [<816db120>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:253)
 r7:81d665f4 r6:8b64 r5:6093 r4:81d73dd4
[<816db108>] (show_stack) from [<816e3a20>] (__dump_stack lib/dump_stack.c:88 [inline])
[<816db108>] (show_stack) from [<816e3a20>] (dump_stack_lvl+0x48/0x54 lib/dump_stack.c:106)
[<816e39d8>] (dump_stack_lvl) from [<816e3a44>] (dump_stack+0x18/0x1c lib/dump_stack.c:113)
 r5: r4:82442d14
[<816e3a2c>] (dump_stack) from [<816dbcbc>] (panic+0x11c/0x360 kernel/panic.c:250)
[<816dbba0>] (panic) from [<80242928>] (__warn+0x98/0x198 kernel/panic.c:599)
 r3:0001 r2: r1: r0:81d665f4
 r7:80913100
[<80242890>] (__warn) from [<816dbf9c>] (warn_slowpath_fmt+0x9c/0xd4 kernel/panic.c:629)
 r8:0009 r7:80913100 r6:05f9 r5:81dd6170 r4:81dd677c
[<816dbf04>] (warn_slowpath_fmt) from [<80913100>] (drm_atomic_helper_wait_for_vblanks.part.0+0x2ac/0x2b8 drivers/gpu/drm/drm_atomic_helper.c:1529)
 r8:649a r7: r6:82a1d000 r5:829e0050 r4:
[<80912e54>] (drm_atomic_helper_wait_for_vblanks.part.0) from [<80914620>] (drm_atomic_helper_wait_for_vblanks drivers/gpu/drm/drm_atomic_helper.c:1505 [inline])
[<80912e54>] (drm_atomic_helper_wait_for_vblanks.part.0) from [<80914620>] (drm_atomic_helper_commit_tail+0x84/0x94 drivers/gpu/drm/drm_atomic_helper.c:1605)
 r10:8425185c r9:83f0e800 r8: r7:0136 r6:739d46c0 r5:83f0e800
 r4:82a1d000
[<8091459c>] (drm_atomic_helper_commit_tail) from [<80915170>] (commit_tail+0x164/0x18c drivers/gpu/drm/drm_atomic_helper.c:1682)
 r5: r4:82a1d000
[<8091500c>] (commit_tail) from [<80915d3c>] (drm_atomic_helper_commit drivers/gpu/drm/drm_atomic_helper.c:1900 [inline])
[<8091500c>] (commit_tail) from [<80915d3c>] (drm_atomic_helper_commit+0x14c/0x170 drivers/gpu/drm/drm_atomic_helper.c:1833)
 r9:83f0e800 r8:82a1d02c r7: r6:83f0e800 r5: r4:82a1d000
[<80915bf0>] (drm_atomic_helper_commit) from [<80934bb4>] (drm_atomic_commit+0x58/0x5c drivers/gpu/drm/drm_atomic.c:1434)
 r9:83f0e800 r8:829e0340 r7:0001 r6:0001 r5:83f0e800 r4:82a1d000
[<80934b5c>] (drm_atomic_commit) from [<8094c7bc>] (drm_client_modeset_commit_atomic+0x200/0x248 drivers/gpu/drm/drm_client_modeset.c:1044)
 r5:83f0e9ac r4:82a1d000
[<8094c5bc>] (drm_client_modeset_commit_atomic) from [<8094c8dc>] (drm_client_modeset_commit_locked+0x64/0x18c drivers/gpu/drm/drm_client_modeset.c:1147)
 r10:5ac3c35a r9:83f0e894 r8:81ddde34 r7:8417ea18 r6:8417ea00 r5:83f0e800
 r4:83f0e800
[<8094c878>] (drm_client_modeset_commit_locked) from [<8094ca30>] (drm_client_modeset_commit+0x2c/0x48 drivers/gpu/drm/drm_client_modeset.c:1173)
 r9:83f0e894 r8:81ddde34 r7:8417eab4 r6: r5:83f0e800 r4:8417ea00
[<8094ca04>] (drm_client_modeset_commit) from [<8091db08>] (__drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:252 [inline])
[<8094ca04>] (drm_client_modeset_commit) from [<8091db08>] (__drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:231 [inline])
[<8094ca04>] (drm_client_modeset_commit) from [<8091db08>] (drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:279 [inline])
[<8094ca04>] (drm_client_modeset_commit) from [<8091db08>] (drm_fb_helper_lastclose drivers/gpu/drm/drm_fb_helper.c:2035 [inline])
[<8094ca04>] (drm_client_modeset_commit) from [<8091db08>] (drm_fbdev_client_restore+0x5c/0x98 drivers/gpu/drm/drm_fb_helper.c:2445)
 r5:82349ecc r4:8417ea00
[<8091daac>] (drm_fbdev_client_restore) from [<8094c21
[syzbot] WARNING in dma_map_sgtable (2)
Hello,

syzbot found the following issue on:

HEAD commit:    7e062cda7d90 Merge tag 'net-next-5.19' of git://git.kernel..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=172151d3f0
kernel config:  https://syzkaller.appspot.com/x/.config?x=e9d71d3c07c36588
dashboard link: https://syzkaller.appspot.com/bug?extid=3ba551855046ba3b3806
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12918503f0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1386fa39f0

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14107ee5f0
final oops:     https://syzkaller.appspot.com/x/report.txt?x=16107ee5f0
console output: https://syzkaller.appspot.com/x/log.txt?x=12107ee5f0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ba551855046ba3b3...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 0 PID: 3610 at kernel/dma/mapping.c:188 dma_map_sgtable+0x203/0x260 kernel/dma/mapping.c:264
Modules linked in:
CPU: 0 PID: 3610 Comm: syz-executor162 Not tainted 5.18.0-syzkaller-04943-g7e062cda7d90 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__dma_map_sg_attrs kernel/dma/mapping.c:188 [inline]
RIP: 0010:dma_map_sgtable+0x203/0x260 kernel/dma/mapping.c:264
Code: 75 15 e8 50 5f 14 00 eb cb e8 49 5f 14 00 eb c4 e8 42 5f 14 00 eb bd e8 3b 5f 14 00 0f 0b bd fb ff ff ff eb af e8 2d 5f 14 00 <0f> 0b 31 ed 48 bb 00 00 00 00 00 fc ff df e9 7b ff ff ff 89 e9 80
RSP: 0018:c9000305fd40 EFLAGS: 00010293
RAX: 81723873 RBX: dc00 RCX: 88801fbb8000
RDX: RSI: 0001 RDI: 0002
RBP: 8881487e5408 R08: 81723743 R09: ed1003592c9e
R10: ed1003592c9e R11: 111003592c9c R12: 8881487e5000
R13: 88801ac964e0 R14: R15: 0001
FS:  56c2a300() GS:8880b9a0() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: 005d84c8 CR3: 1f1ef000 CR4: 003506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 get_sg_table+0xf9/0x150 drivers/dma-buf/udmabuf.c:72
 begin_cpu_udmabuf+0xf5/0x160 drivers/dma-buf/udmabuf.c:126
 dma_buf_begin_cpu_access+0xd8/0x170 drivers/dma-buf/dma-buf.c:1172
 dma_buf_ioctl+0x2a0/0x2f0 drivers/dma-buf/dma-buf.c:363
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f8bf9c6dc19
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffd7cfae1d8 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: RCX: 7f8bf9c6dc19
RDX: 2100 RSI: 40086200 RDI: 0006
RBP: 7f8bf9c31dc0 R08: R09:
R10: R11: 0246 R12: 7f8bf9c31e50
R13: R14: R15:


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
[syzbot] general protection fault in virtio_gpu_object_create (2)
Hello,

syzbot found the following issue on:

HEAD commit:    089866061428 Merge tag 'libnvdimm-fixes-5.19-rc5' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15ce44ec08
kernel config:  https://syzkaller.appspot.com/x/.config?x=3a010dbf6a7af480
dashboard link: https://syzkaller.appspot.com/bug?extid=2f09dba03ce3f3b0a2cf
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1365015008
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16687b6c08

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2f09dba03ce3f3b0a...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdc00: [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x-0x0007]
CPU: 0 PID: 3668 Comm: syz-executor918 Not tainted 5.19.0-rc4-syzkaller-00187-g089866061428 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:183 [inline]
RIP: 0010:virtio_gpu_object_create+0x29b/0xd90 drivers/gpu/drm/virtio/virtgpu_object.c:249
Code: 89 de e8 98 3c ed fc 48 85 db 0f 85 9f 03 00 00 e8 2a 40 ed fc 49 8d 7f 0c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 82
RSP: 0018:c90002e5fad0 EFLAGS: 00010246
RAX: dc00 RBX: RCX:
RDX: RSI: 848c5756 RDI:
RBP: 88802286b800 R08: 0007 R09:
R10: R11: 0001 R12: c90002e5fbd0
R13: 88801c4c0010 R14: 88801c4c R15: fff4
FS:  56654300() GS:88802c80() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: 7fa12e2a42a4 CR3: 15c4e000 CR4: 00150ef0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 virtio_gpu_gem_create drivers/gpu/drm/virtio/virtgpu_gem.c:42 [inline]
 virtio_gpu_mode_dumb_create+0x319/0x5c0 drivers/gpu/drm/virtio/virtgpu_gem.c:90
 drm_mode_create_dumb+0x26c/0x2f0 drivers/gpu/drm/drm_dumb_buffers.c:96
 drm_ioctl_kernel+0x27d/0x4e0 drivers/gpu/drm/drm_ioctl.c:782
 drm_ioctl+0x51e/0x9d0 drivers/gpu/drm/drm_ioctl.c:885
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa12e24c699
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7fff25d83428 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 0002 RCX: 7fa12e24c699
RDX: 2000 RSI: c02064b2 RDI: 0003
RBP: 7fff25d83440 R08: 0002 R09: 0001
R10: R11: 0246 R12: 0004
R13: 431bde82d7b634db R14: R15:
Modules linked in:
---[ end trace ]---
RIP: 0010:virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:183 [inline]
RIP: 0010:virtio_gpu_object_create+0x29b/0xd90 drivers/gpu/drm/virtio/virtgpu_object.c:249
Code: 89 de e8 98 3c ed fc 48 85 db 0f 85 9f 03 00 00 e8 2a 40 ed fc 49 8d 7f 0c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 82
RSP: 0018:c90002e5fad0 EFLAGS: 00010246
RAX: dc00 RBX: RCX:
RDX: RSI: 848c5756 RDI:
RBP: 88802286b800 R08: 0007 R09:
R10: R11: 0001 R12: c90002e5fbd0
R13: 88801c4c0010 R14: 88801c4c R15: fff4
FS:  56654300() GS:88802c80() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: 7fa12e2a42a4 CR3: 15c4e000 CR4: 00150ef0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Code disassembly (best guess):
   0:	89 de                	mov    %ebx,%esi
   2:	e8 98 3c ed fc       	callq  0xfced3c9f
   7:	48 85 db             	test   %rbx,%rbx
   a:	0f 85 9f 03 00 00    	jne    0x3af
  10:	e8 2a 40 ed fc       	callq  0xfced403f
  15:	49 8d 7f 0c          	lea    0xc
[syzbot] BUG: unable to handle kernel paging request in bitfill_aligned (3)
Hello,

syzbot found the following issue on:

HEAD commit:    e35e5b6f695d Merge tag 'xsa-5.19-tag' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f49bbc08
kernel config:  https://syzkaller.appspot.com/x/.config?x=f3bf7765b1ebd721
dashboard link: https://syzkaller.appspot.com/bug?extid=a168dbeaaa7778273c1b
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a168dbeaaa7778273...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: c90004331000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 11c00067 P4D 11c00067 PUD 11dc5067 PMD 1cffd067 PTE 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 11483 Comm: syz-executor.4 Not tainted 5.19.0-rc5-syzkaller-00056-ge35e5b6f695d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
RIP: 0010:memset64 arch/x86/include/asm/string_64.h:49 [inline]
RIP: 0010:memset_l include/linux/string.h:128 [inline]
RIP: 0010:bitfill_aligned+0x1ad/0x270 drivers/video/fbdev/core/sysfillrect.c:53
Code: 08 49 31 ef eb 66 e8 32 9c 05 fd 45 89 e6 4c 8b 64 24 10 44 89 f0 31 d2 f7 f3 89 c3 48 8b 6c 24 08 48 89 e8 4c 89 e7 48 89 d9 48 ab 31 ff 44 89 ee e8 26 a0 05 fd 4d 85 ed 74 5f 4d 8d 24 dc
RSP: 0018:c9000ae3f7e8 EFLAGS: 00010246
RAX: RBX: 1800 RCX: 1200
RDX: RSI: 0bca RDI: c90004331000
RBP: R08: 8481e07e R09: 0040
R10: 0002 R11: 88803938d880 R12: c9000432e000
R13: R14: 0006 R15:
FS:  7f8c16811700() GS:8880b9a0() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: c90004331000 CR3: 6dd66000 CR4: 003506f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 sys_fillrect+0x5ce/0x7f0 drivers/video/fbdev/core/sysfillrect.c:281
 drm_fb_helper_sys_fillrect drivers/gpu/drm/drm_fb_helper.c:795 [inline]
 drm_fbdev_fb_fillrect+0x163/0x300 drivers/gpu/drm/drm_fb_helper.c:2310
 bit_clear_margins+0x3f1/0x6e0 drivers/video/fbdev/core/bitblit.c:232
 fbcon_clear_margins drivers/video/fbdev/core/fbcon.c:1304 [inline]
 fbcon_do_set_font+0xd7c/0x1330 drivers/video/fbdev/core/fbcon.c:2434
 fbcon_set_font+0xa9c/0xd80 drivers/video/fbdev/core/fbcon.c:2517
 con_font_set drivers/tty/vt/vt.c:4666 [inline]
 con_font_op+0xbe8/0x1070 drivers/tty/vt/vt.c:4710
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
 vt_ioctl+0x172e/0x1d00 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0x874/0xc60 drivers/tty/tty_io.c:2778
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f8c15689109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7f8c16811168 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7f8c1579bf60 RCX: 7f8c15689109
RDX: 2040 RSI: 4b72 RDI: 0003
RBP: 7f8c156e305d R08: R09:
R10: R11: 0246 R12:
R13: 7ffdfe77e39f R14: 7f8c16811300 R15: 00022000
Modules linked in:
CR2: c90004331000
---[ end trace ]---
RIP: 0010:memset64 arch/x86/include/asm/string_64.h:49 [inline]
RIP: 0010:memset_l include/linux/string.h:128 [inline]
RIP: 0010:bitfill_aligned+0x1ad/0x270 drivers/video/fbdev/core/sysfillrect.c:53
Code: 08 49 31 ef eb 66 e8 32 9c 05 fd 45 89 e6 4c 8b 64 24 10 44 89 f0 31 d2 f7 f3 89 c3 48 8b 6c 24 08 48 89 e8 4c 89 e7 48 89 d9 48 ab 31 ff 44 89 ee e8 26 a0 05 fd 4d 85 ed 74 5f 4d 8d 24 dc
RSP: 0018:c9000ae3f7e8 EFLAGS: 00010246
RAX: RBX: 1800 RCX: 1200
RDX: RSI: 0bca RDI: c90004331000
RBP: R08: 8481e07e R09: 0040
R10: 0002 R11: 88803938d880 R12: c9000432e000
R13: R14: 0006 R15:
FS:  7f8c16811700() GS:8880b9a0() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: c90004331000 CR3: 6dd66000 CR4: 003506f0
DR0: DR1:
[syzbot] WARNING: refcount bug in drm_gem_object_handle_put_unlocked
Hello,

syzbot found the following issue on:

HEAD commit:    a41a877bc12d Merge branch 'for-next/fixes' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=17ae17bd08
kernel config:  https://syzkaller.appspot.com/x/.config?x=5cea15779c42821c
dashboard link: https://syzkaller.appspot.com/bug?extid=c512687fff9d22327436
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10e8fee508
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16b6bf1308

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c512687fff9d22327...@syzkaller.appspotmail.com

[ cut here ]
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 3029 at lib/refcount.c:28 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 3029 Comm: syz-executor717 Not tainted 6.0.0-rc2-syzkaller-16455-ga41a877bc12d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
pstate: 6045 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
lr : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
sp : 80001200baa0
x29: 80001200baa0 x28: 000a201d x27: 2000
x26: dead0100 x25: x24: 0001
x23: 0001 x22: x21:
x20: 0003 x19: 8d937000 x18: 00c0
x17: 8dd7a698 x16: 8dbb8658 x15: c10a4f80
x14: x13: x12: c10a4f80
x11: ff80881c39dc x10: x9 : 9016e5cf66052a00
x8 : 9016e5cf66052a00 x7 : 88197c8c x6 :
x5 : 0080 x4 : 0001 x3 :
x2 : x1 : 0001 x0 : 0026
Call trace:
 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 kref_put include/linux/kref.h:64 [inline]
 __drm_gem_object_put include/drm/drm_gem.h:381 [inline]
 drm_gem_object_put include/drm/drm_gem.h:394 [inline]
 drm_gem_object_handle_put_unlocked+0x178/0x190 drivers/gpu/drm/drm_gem.c:240
 drm_gem_object_release_handle+0x90/0xa8 drivers/gpu/drm/drm_gem.c:259
 idr_for_each+0xf0/0x174 lib/idr.c:208
 drm_gem_release+0x30/0x48 drivers/gpu/drm/drm_gem.c:932
 drm_file_free+0x220/0x2cc drivers/gpu/drm/drm_file.c:281
 drm_close_helper drivers/gpu/drm/drm_file.c:308 [inline]
 drm_release+0x108/0x22c drivers/gpu/drm/drm_file.c:495
 __fput+0x198/0x3bc fs/file_table.c:320
 fput+0x20/0x30 fs/file_table.c:353
 task_work_run+0xc4/0x208 kernel/task_work.c:177
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x26c/0xbb8 kernel/exit.c:795
 do_group_exit+0x60/0xe8 kernel/exit.c:925
 __do_sys_exit_group kernel/exit.c:936 [inline]
 __se_sys_exit_group kernel/exit.c:934 [inline]
 __wake_up_parent+0x0/0x40 kernel/exit.c:934
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x154 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:624
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
 el0t_64_sync+0x18c/0x190
irq event stamp: 12698
hardirqs last  enabled at (12697): [] __up_console_sem+0xb0/0xfc kernel/printk/printk.c:264
hardirqs last disabled at (12698): [] el1_dbg+0x24/0x5c arch/arm64/kernel/entry-common.c:395
softirqs last  enabled at (12442): [] _stext+0x2e4/0x37c
softirqs last disabled at (12417): [] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
softirqs last disabled at (12417): [] invoke_softirq+0x70/0xbc kernel/softirq.c:452
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
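The "refcount_t: underflow; use-after-free." line in the report above is the kernel's refcount_t refusing to let a reference count pass below zero: the kref_put in drm_gem_object_put found the counter already at 0, refcount_warn_saturate pinned it at REFCOUNT_SATURATED and emitted the WARNING instead of letting the count wrap. The following user-space model is an added illustration of that policy (example code, not from the report, the reproducer or the kernel tree); the constants and decision points follow include/linux/refcount.h and lib/refcount.c, while the object, its release hook, the WARN counter and the get/put sequence are constructed for the example and say nothing about what the reproducer itself does. It contrasts the saturating counter with a plain int counter on the same sequence of calls.

```c
/*
 * Added example, not code from the syzbot report or the kernel tree: a
 * user-space model of Linux refcount_t's "saturate and warn" behaviour.
 * Constants and decision points follow include/linux/refcount.h and
 * lib/refcount.c; the object, its release hook, the WARN counter and the
 * put/get sequence are stand-ins constructed for this example.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define REFCOUNT_SATURATED (INT_MIN / 2)

enum refcount_saturation_type {
	REFCOUNT_ADD_NOT_ZERO_OVF,
	REFCOUNT_ADD_OVF,
	REFCOUNT_ADD_UAF,
	REFCOUNT_SUB_UAF,
	REFCOUNT_DEC_LEAK,
};

struct refcount { int refs; };

/* Stand-in for the kernel's WARN_ONCE(): count every saturation event, keep the last kind. */
static int warn_count;
static enum refcount_saturation_type last_warn;

static void refcount_warn_saturate(struct refcount *r, enum refcount_saturation_type t)
{
	static const char *const msg[] = {
		[REFCOUNT_ADD_NOT_ZERO_OVF] = "saturated; leaking memory",
		[REFCOUNT_ADD_OVF]          = "saturated; leaking memory",
		[REFCOUNT_ADD_UAF]          = "addition on 0; use-after-free",
		[REFCOUNT_SUB_UAF]          = "underflow; use-after-free",
		[REFCOUNT_DEC_LEAK]         = "decrement hit 0; leaking memory",
	};
	r->refs = REFCOUNT_SATURATED;	/* pin the counter: no later put can ever release */
	warn_count++;
	last_warn = t;
	fprintf(stderr, "refcount_t: %s.\n", msg[t]);
}

/* refcount_add(): a get on a counter that already reached 0 is itself a use-after-free. */
static void refcount_add(int i, struct refcount *r)
{
	int old = r->refs;
	r->refs += i;
	if (old == 0)
		refcount_warn_saturate(r, REFCOUNT_ADD_UAF);
	else if (old < 0 || old + i < 0)
		refcount_warn_saturate(r, REFCOUNT_ADD_OVF);
}

/* refcount_sub_and_test(): true only for the caller that dropped the last reference. */
static bool refcount_sub_and_test(int i, struct refcount *r)
{
	int old = r->refs;
	r->refs -= i;
	if (old == i)
		return true;
	if (old < 0 || old - i < 0)
		refcount_warn_saturate(r, REFCOUNT_SUB_UAF);
	return false;
}

/* A kref-style object; release() is where the kernel would kfree() it. */
struct obj { struct refcount ref; int naive; int released; };
static struct obj demo;			/* constructed for the example */

static void obj_release(struct obj *o) { o->released++; }
static void obj_get(struct obj *o) { refcount_add(1, &o->ref); }
static void obj_put(struct obj *o)
{
	if (refcount_sub_and_test(1, &o->ref))
		obj_release(o);
}

/* Same lifecycle on a plain int, which is what refcount_t replaced. */
static void naive_get(struct obj *o) { o->naive++; }
static void naive_put(struct obj *o) { if (--o->naive == 0) obj_release(o); }

/*
 * Sequence: one put too many, then an unrelated, balanced get/get/put.
 * Returns how many times the object was released (1 is correct).
 */
static int run_naive(void)
{
	demo = (struct obj){ .naive = 1 };
	naive_put(&demo);	/* 1 -> 0: release #1 */
	naive_put(&demo);	/* 0 -> -1: silently wrong */
	naive_get(&demo);	/* -1 -> 0 */
	naive_get(&demo);	/* 0 -> 1 */
	naive_put(&demo);	/* 1 -> 0: release #2, a double free */
	return demo.released;
}

static int run_refcount(void)
{
	demo = (struct obj){ .ref = { .refs = 1 } };
	warn_count = 0;
	obj_put(&demo);		/* 1 -> 0: release #1 */
	obj_put(&demo);		/* old == 0: "underflow; use-after-free", pinned at SATURATED */
	obj_get(&demo);		/* old < 0: warns again, stays pinned */
	obj_get(&demo);
	obj_put(&demo);		/* old < 0: warns, does not release */
	return demo.released;
}

static bool demo_is_saturated(void) { return demo.ref.refs == REFCOUNT_SATURATED; }

int main(void)
{
	printf("plain int: released %d time(s)\n", run_naive());
	printf("refcount_t: released %d time(s), %d warning(s), saturated=%d\n",
	       run_refcount(), warn_count, demo_is_saturated());
	return 0;
}
```

With the plain counter the extra put is invisible until a later balanced pair releases the object a second time; with refcount_t the first bad put is the one that warns, which is why the trace points at the put that underflowed rather than at whatever freed the object earlier. The kernel prints the message once (WARN_ONCE), while this model counts every saturation call.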
[syzbot] KASAN: invalid-free in free_prealloced_shrinker
Hello,

syzbot found the following issue on:

HEAD commit:    cb71b93c2dc3 Add linux-next specific files for 20220628
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1362115208
kernel config:  https://syzkaller.appspot.com/x/.config?x=badbc1adb2d582eb
dashboard link: https://syzkaller.appspot.com/bug?extid=8b481578352d4637f510
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=150c25fc08
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1308956208

The issue was bisected to:

commit bec0918551a79c3c6b63a493a80e35e8b402804f
Author: Roman Gushchin
Date:   Wed Jun 1 03:22:24 2022 +

    mm: shrinkers: provide shrinkers with names

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=17451fd008
final oops:     https://syzkaller.appspot.com/x/report.txt?x=14c51fd008
console output: https://syzkaller.appspot.com/x/log.txt?x=10c51fd008

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8b481578352d4637f...@syzkaller.appspotmail.com
Fixes: bec0918551a7 ("mm: shrinkers: provide shrinkers with names")

==
BUG: KASAN: double-free in slab_free mm/slub.c:3534 [inline]
BUG: KASAN: double-free in kfree+0xe2/0x4d0 mm/slub.c:4562

CPU: 0 PID: 3647 Comm: syz-executor232 Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report_invalid_free+0x8f/0x1a0 mm/kasan/report.c:462
 kasan_slab_free+0x18b/0x1c0 mm/kasan/common.c:355
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1754 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1780
 slab_free mm/slub.c:3534 [inline]
 kfree+0xe2/0x4d0 mm/slub.c:4562
 kfree_const+0x51/0x60 mm/util.c:41
 free_prealloced_shrinker+0x32/0x160 mm/vmscan.c:658
 destroy_unused_super.part.0+0x106/0x170 fs/super.c:185
 destroy_unused_super fs/super.c:278 [inline]
 alloc_super+0x8bd/0xaa0 fs/super.c:277
 sget_fc+0x13e/0x7c0 fs/super.c:530
 vfs_get_super fs/super.c:1134 [inline]
 get_tree_nodev+0x24/0x1d0 fs/super.c:1169
 vfs_get_tree+0x89/0x2f0 fs/super.c:1501
 do_new_mount fs/namespace.c:3040 [inline]
 path_mount+0x1320/0x1fa0 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f84280f4ef9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7ffc55338338 EFLAGS: 0246 ORIG_RAX: 00a5
RAX: ffda RBX: 0003 RCX: 7f84280f4ef9
RDX: 20c0 RSI: 2080 RDI:
RBP: 7ffc55338360 R08: R09: 7ffc55338370
R10: R11: 0246 R12: 0003
R13: 7ffc55338380 R14: 7ffc553383c0 R15: 0006

Allocated by task 143:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 kasan_kmalloc mm/kasan/common.c:515 [inline]
 kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc include/linux/slab.h:605 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 rh_call_control drivers/usb/core/hcd.c:514 [inline]
 rh_urb_enqueue drivers/usb/core/hcd.c:848 [inline]
 usb_hcd_submit_urb+0x661/0x2220 drivers/usb/core/hcd.c:1551
 usb_submit_urb+0x86d/0x1880 drivers/usb/core/urb.c:594
 usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
 usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
 usb_control_msg+0x31c/0x4a0 drivers/usb/core/message.c:153
 get_port_status drivers/usb/core/hub.c:580 [inline]
 hub_ext_port_status+0x112/0x450 drivers/usb/core/hub.c:597
 usb_hub_port_status drivers/usb/core/hub.c:619 [inline]
 hub_activate+0xa5c/0x1c90 drivers/usb/core/hub.c:1129
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302

Freed by task 3647:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm
Re: WARNING in drm_mode_createblob_ioctl
syzbot has bisected this bug to:

commit 9e5a64c71b2f70ba530f8156046dd7dfb8a7a0ba
Author: Kees Cook
Date:   Mon Nov 4 22:57:23 2019 +

    uaccess: disallow > INT_MAX copy sizes

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=125fe6dce0
start commit:   51309b9d Add linux-next specific files for 20191105
git tree:       linux-next
final crash:    https://syzkaller.appspot.com/x/report.txt?x=115fe6dce0
console output: https://syzkaller.appspot.com/x/log.txt?x=165fe6dce0
kernel config:  https://syzkaller.appspot.com/x/.config?x=a9b1a641c1f1fc52
dashboard link: https://syzkaller.appspot.com/bug?extid=fb77e97ebf0612ee6914
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1212dc3ae0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=145f604ae0

Reported-by: syzbot+fb77e97ebf0612ee6...@syzkaller.appspotmail.com
Fixes: 9e5a64c71b2f ("uaccess: disallow > INT_MAX copy sizes")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

___
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
Re: WARNING in drm_mode_createblob_ioctl
syzbot has found a reproducer for the following crash on:

HEAD commit:    51309b9d Add linux-next specific files for 20191105
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13f5c078e0
kernel config:  https://syzkaller.appspot.com/x/.config?x=a9b1a641c1f1fc52
dashboard link: https://syzkaller.appspot.com/bug?extid=fb77e97ebf0612ee6914
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1212dc3ae0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=145f604ae0

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fb77e97ebf0612ee6...@syzkaller.appspotmail.com

[ cut here ]
WARNING: CPU: 0 PID: 8842 at include/linux/thread_info.h:150 check_copy_size include/linux/thread_info.h:150 [inline]
WARNING: CPU: 0 PID: 8842 at include/linux/thread_info.h:150 copy_from_user include/linux/uaccess.h:143 [inline]
WARNING: CPU: 0 PID: 8842 at include/linux/thread_info.h:150 drm_mode_createblob_ioctl+0x398/0x490 drivers/gpu/drm/drm_property.c:800
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 8842 Comm: syz-executor938 Not tainted 5.4.0-rc6-next-20191105 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 panic+0x2e3/0x75c kernel/panic.c:221
 __warn.cold+0x2f/0x35 kernel/panic.c:582
 report_bug+0x289/0x300 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 fixup_bug arch/x86/kernel/traps.c:169 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:check_copy_size include/linux/thread_info.h:150 [inline]
RIP: 0010:copy_from_user include/linux/uaccess.h:143 [inline]
RIP: 0010:drm_mode_createblob_ioctl+0x398/0x490 drivers/gpu/drm/drm_property.c:800
Code: c1 ea 03 80 3c 02 00 0f 85 ed 00 00 00 49 89 5d 00 e8 0c f2 c6 fd 4c 89 f7 e8 24 af aa 03 31 c0 e9 75 fd ff ff e8 f8 f1 c6 fd <0f> 0b e8 f1 f1 c6 fd 4d 85 e4 b8 f2 ff ff ff 0f 84 5b fd ff ff 89
RSP: 0018:8880a5e07aa8 EFLAGS: 00010293
RAX: 88809f3a0440 RBX: 8880a387c000 RCX: 83ac75e2
RDX: RSI: 83ac77a8 RDI: 0007
RBP: 8880a5e07ae8 R08: 88809f3a0440 R09: ed101470f910
R10: ed101470f90f R11: 8880a387c87f R12: c90005f5d000
R13: 8880a4d78000 R14: 96e170d0 R15: c90005f5d058
 drm_ioctl_kernel+0x244/0x300 drivers/gpu/drm/drm_ioctl.c:786
 drm_ioctl+0x54e/0xa60 drivers/gpu/drm/drm_ioctl.c:886
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x449659
Code: e8 fc b8 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab d6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f6951f91db8 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 006dac38 RCX: 00449659
RDX: 2000 RSI: ffbd RDI: 0004
RBP: 006dac30 R08: 7f6951f92700 R09:
R10: 7f6951f92700 R11: 0246 R12: 006dac3c
R13: 7ffeae0e7e9f R14: 7f6951f929c0 R15: 20c49ba5e353f7cf
Kernel Offset: disabled
Rebooting in 86400 seconds..
Re: WARNING in dma_buf_vunmap
syzbot suspects this bug was fixed by commit:

commit 62dcb4f41836bd3c44b5b651bb6df07ea4cb1551
Author: Hans Verkuil
Date:   Thu Nov 8 12:23:37 2018 +

    media: vb2: check memory model for VIDIOC_CREATE_BUFS

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=116af11c60
start commit:   d41217aa Merge tag 'pci-v4.20-fixes-1' of git://git.kernel..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=4a0a89f12ca9b0f5
dashboard link: https://syzkaller.appspot.com/bug?extid=a9317fe7ad261fc76b88
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16f7b6f540
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=105a278340

If the result looks correct, please mark the bug fixed by replying with:

#syz fix: media: vb2: check memory model for VIDIOC_CREATE_BUFS

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
KASAN: vmalloc-out-of-bounds Write in sys_imageblit
Hello,

syzbot found the following crash on:

HEAD commit:    6794862a Merge tag 'for-5.5-rc1-kconfig-tag' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f407f2e0
kernel config:  https://syzkaller.appspot.com/x/.config?x=79f79de2a27d3e3d
dashboard link: https://syzkaller.appspot.com/bug?extid=26dc38a00dc05118a4e6
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+26dc38a00dc05118a...@syzkaller.appspotmail.com

==
BUG: KASAN: vmalloc-out-of-bounds in fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x117f/0x1240 drivers/video/fbdev/core/sysimgblt.c:275
Write of size 4 at addr c90008de1000 by task syz-executor.3/19698

CPU: 0 PID: 19698 Comm: syz-executor.3 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_store4_noabort+0x17/0x20 mm/kasan/generic_report.c:139
 fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
 sys_imageblit+0x117f/0x1240 drivers/video/fbdev/core/sysimgblt.c:275
 drm_fb_helper_sys_imageblit+0x21/0x180 drivers/gpu/drm/drm_fb_helper.c:768
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x9a3/0xf10 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x33c/0x3e0 drivers/video/fbdev/core/fbcon.c:1353
 do_update_region+0x42b/0x6f0 drivers/tty/vt/vt.c:677
 invert_screen+0x2da/0x650 drivers/tty/vt/vt.c:794
 highlight drivers/tty/vt/selection.c:53 [inline]
 clear_selection drivers/tty/vt/selection.c:81 [inline]
 clear_selection+0x59/0x70 drivers/tty/vt/selection.c:77
 vc_do_resize+0x1163/0x1460 drivers/tty/vt/vt.c:1200
 vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1304
 fbcon_do_set_font+0x4a6/0x960 drivers/video/fbdev/core/fbcon.c:2599
 fbcon_set_font+0x72e/0x860 drivers/video/fbdev/core/fbcon.c:2696
 con_font_set drivers/tty/vt/vt.c:4538 [inline]
 con_font_op+0xe30/0x1270 drivers/tty/vt/vt.c:4603
 vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a7c9
Code: bd b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fcfa0ba6c88 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 0072bf00 RCX: 0045a7c9
RDX: 2140 RSI: 4b61 RDI: 0003
RBP: 0003 R08: R09:
R10: R11: 0246 R12: 7fcfa0ba76d4
R13: 004ab60f R14: 006ede60 R15:

Memory state around the buggy address:
 c90008de0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 c90008de0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 c90008de1000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
               ^
 c90008de1080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 c90008de1100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
==

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Re: KASAN: slab-out-of-bounds Read in bit_putcs
syzbot has bisected this bug to:

commit 2de50e9674fc4ca3c6174b04477f69eb26b4ee31
Author: Russell Currey
Date:   Mon Feb 8 04:08:20 2016 +

    powerpc/powernv: Remove support for p5ioc2

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16af042ae0
start commit:   9455d25f Merge tag 'ntb-5.5' of git://github.com/jonmason/..
git tree:       upstream
final crash:    https://syzkaller.appspot.com/x/report.txt?x=15af042ae0
console output: https://syzkaller.appspot.com/x/log.txt?x=11af042ae0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7a3b8f5088d4043a
dashboard link: https://syzkaller.appspot.com/bug?extid=998dec6452146bd7a90c
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12fa5c2ee0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12e327f2e0

Reported-by: syzbot+998dec6452146bd7a...@syzkaller.appspotmail.com
Fixes: 2de50e9674fc ("powerpc/powernv: Remove support for p5ioc2")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
BUG: unable to handle kernel paging request in sys_imageblit
Hello,

syzbot found the following crash on:

HEAD commit:    6794862a Merge tag 'for-5.5-rc1-kconfig-tag' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1574aaeae0
kernel config:  https://syzkaller.appspot.com/x/.config?x=79f79de2a27d3e3d
dashboard link: https://syzkaller.appspot.com/bug?extid=33f89a9a6b6acd893b11
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+33f89a9a6b6acd893...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: f5200124c3fc
#PF: supervisor read access in kernel mode
#PF: error_code(0x) - not-present page
PGD 7ffcd067 P4D 7ffcd067 PUD 2cd1c067 PMD 299b2067 PTE 0
Oops: [#1] PREEMPT SMP KASAN
CPU: 2 PID: 9109 Comm: syz-executor.2 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x61c/0x1240 drivers/video/fbdev/core/sysimgblt.c:275
Code: 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 57 0b 00 00 48 b9 00 00 00 00 00 fc ff df 4c 89 fa 8b 45 b0 23 07 4d 8d 77 04 48 c1 ea 03 <0f> b6 0c 0a 4c 89 fa 83 e2 07 33 45 c4 83 c2 03 38 ca 7c 08 84 c9
RSP: 0018:c900042c7168 EFLAGS: 00010a06
RAX: RBX: 888076970800 RCX: dc00
RDX: 19200124c3fc RSI: 83b4fada RDI: 887498e0
RBP: c900042c7230 R08: 88805d278e40 R09: 007f
R10: fbfff14f3347 R11: 8a799a3b R12: 0007
R13: 0007 R14: c90009261fe4 R15: c90009261fe0
FS:  7f0af02fc700() GS:88802d20() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: f5200124c3fc CR3: 278c2000 CR4: 00340ee0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 drm_fb_helper_sys_imageblit+0x21/0x180 drivers/gpu/drm/drm_fb_helper.c:768
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x9a3/0xf10 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x33c/0x3e0 drivers/video/fbdev/core/fbcon.c:1353
 do_update_region+0x42b/0x6f0 drivers/tty/vt/vt.c:677
 invert_screen+0x2da/0x650 drivers/tty/vt/vt.c:794
 highlight drivers/tty/vt/selection.c:53 [inline]
 clear_selection drivers/tty/vt/selection.c:81 [inline]
 clear_selection+0x59/0x70 drivers/tty/vt/selection.c:77
 vc_do_resize+0x1163/0x1460 drivers/tty/vt/vt.c:1200
 vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1304
 fbcon_do_set_font+0x4a6/0x960 drivers/video/fbdev/core/fbcon.c:2599
 fbcon_set_font+0x72e/0x860 drivers/video/fbdev/core/fbcon.c:2696
 con_font_set drivers/tty/vt/vt.c:4538 [inline]
 con_font_op+0xe30/0x1270 drivers/tty/vt/vt.c:4603
 vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a7c9
Code: bd b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f0af02fbc88 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 0072bf00 RCX: 0045a7c9
RDX: 2000 RSI: 4b61 RDI: 0003
RBP: 0003 R08: R09:
R10: R11: 0246 R12: 7f0af02fc6d4
R13: 004ab60f R14: 006ede60 R15:
Modules linked in:
CR2: f5200124c3fc
---[ end trace 7698227ca2d5f789 ]---
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x61c/0x1240 drivers/video/fbdev/core/sysimgblt.c:275
Code: 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 57 0b 00 00 48 b9 00 00 00 00 00 fc ff df 4c 89 fa 8b 45 b0 23 07 4d 8d 77 04 48 c1 ea 03 <0f> b6 0c 0a 4c 89 fa 83 e2 07 33 45 c4 83 c2 03 38 ca 7c 08 84 c9
RSP: 0018:c900042c7168 EFLAGS: 00010a06
RAX: RBX: 888076970800 RCX: dc00
RDX: 19200124c3fc RSI: 83b4fada RDI: 887498e0
RBP: c900042c7230 R08: 88805d278e40 R09: 007f
R10: fbfff14f3347 R11: 8a799a3b R12: 0007
R13: 0007 R14: c90009261fe4 R15: c90009261fe0
FS:  7f0af02fc700() GS:88802d2
INFO: task hung in fb_compat_ioctl
Hello,

syzbot found the following crash on:

HEAD commit:    687dec9b Merge tag 'erofs-for-5.5-rc2-fixes' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16979cfae0
kernel config:  https://syzkaller.appspot.com/x/.config?x=79f79de2a27d3e3d
dashboard link: https://syzkaller.appspot.com/bug?extid=061df5e46ec99b40552c
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+061df5e46ec99b405...@syzkaller.appspotmail.com

INFO: task syz-executor.2:25386 blocked for more than 143 seconds.
      Not tainted 5.5.0-rc1-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.2 D29712 25386 9095 0x20020004
Call Trace:
 context_switch kernel/sched/core.c:3385 [inline]
 __schedule+0x934/0x1f90 kernel/sched/core.c:4081
 schedule+0xdc/0x2b0 kernel/sched/core.c:4155
 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:4214
 __mutex_lock_common kernel/locking/mutex.c:1036 [inline]
 __mutex_lock+0x7ab/0x13c0 kernel/locking/mutex.c:1106
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
 lock_fb_info include/linux/fb.h:637 [inline]
 fb_get_fscreeninfo drivers/video/fbdev/core/fbmem.c:1283 [inline]
 fb_compat_ioctl+0x6ed/0xc50 drivers/video/fbdev/core/fbmem.c:1314
 __do_compat_sys_ioctl fs/compat_ioctl.c:214 [inline]
 __se_compat_sys_ioctl fs/compat_ioctl.c:142 [inline]
 __ia32_compat_sys_ioctl+0x233/0x610 fs/compat_ioctl.c:142
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f41a39
Code: Bad RIP value.
RSP: 002b:f5d1c0cc EFLAGS: 0296 ORIG_RAX: 0036
RAX: ffda RBX: 0005 RCX: 4602
RDX: 2080 RSI: RDI:
RBP: R08: R09:
R10: R11: R12:
R13: R14: R15:
INFO: task syz-executor.2:25392 blocked for more than 143 seconds.
      Not tainted 5.5.0-rc1-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.2 D28520 25392 9095 0x20020004
Call Trace:
 context_switch kernel/sched/core.c:3385 [inline]
 __schedule+0x934/0x1f90 kernel/sched/core.c:4081
 schedule+0xdc/0x2b0 kernel/sched/core.c:4155
 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:4214
 __mutex_lock_common kernel/locking/mutex.c:1036 [inline]
 __mutex_lock+0x7ab/0x13c0 kernel/locking/mutex.c:1106
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
 lock_fb_info include/linux/fb.h:637 [inline]
 fb_open+0xd7/0x450 drivers/video/fbdev/core/fbmem.c:1406
 chrdev_open+0x245/0x6b0 fs/char_dev.c:414
 do_dentry_open+0x4e6/0x1380 fs/open.c:797
 vfs_open+0xa0/0xd0 fs/open.c:914
 do_last fs/namei.c:3420 [inline]
 path_openat+0x10df/0x4500 fs/namei.c:3537
 do_filp_open+0x1a1/0x280 fs/namei.c:3567
 do_sys_open+0x3fe/0x5d0 fs/open.c:1097
 __do_compat_sys_openat fs/open.c:1143 [inline]
 __se_compat_sys_openat fs/open.c:1141 [inline]
 __ia32_compat_sys_openat+0x98/0xf0 fs/open.c:1141
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f41a39
Code: Bad RIP value.
RSP: 002b:f5cda0cc EFLAGS: 0296 ORIG_RAX: 0127
RAX: ffda RBX: ff9c RCX: 2180
RDX: RSI: RDI:
RBP: R08: R09:
R10: R11: R12:
R13: R14: R15:

Showing all locks held in the system:
1 lock held by khungtaskd/1113:
 #0: 899a56c0 (rcu_read_lock){}, at: debug_show_all_locks+0x5f/0x279 kernel/locking/lockdep.c:5334
1 lock held by rsyslogd/8960:
 #0: 88808c2640e0 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0xee/0x110 fs/file.c:801
2 locks held by getty/9050:
 #0: 88809b3bf090 (&tty->ldisc_sem){}, at: ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:340
 #1: c900017cb2e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x220/0x1bf0 drivers/tty/n_tty.c:2156
2 locks held by getty/9051:
 #0: 888095020090 (&tty->ldisc_sem){}, at: ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:340
 #1: c9000184b2e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x220/0x1bf0 drivers/tty/n_tty.c:2156
2 locks held by getty/9052:
 #0: 8880a322a090 (&tty->ldisc_sem){}
KASAN: global-out-of-bounds Read in soft_cursor
Hello,

syzbot found the following crash on:

HEAD commit:    687dec9b Merge tag 'erofs-for-5.5-rc2-fixes' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14e0acfae0
kernel config:  https://syzkaller.appspot.com/x/.config?x=79f79de2a27d3e3d
dashboard link: https://syzkaller.appspot.com/bug?extid=88dbe7c16ff8616b3720
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+88dbe7c16ff8616b3...@syzkaller.appspotmail.com

==
BUG: KASAN: global-out-of-bounds in memcpy include/linux/string.h:380 [inline]
BUG: KASAN: global-out-of-bounds in soft_cursor+0x439/0xa30 drivers/video/fbdev/core/softcursor.c:70
Read of size 32 at addr 8872a360 by task syz-executor.2/24342

CPU: 0 PID: 24342 Comm: syz-executor.2 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
 memcpy+0x24/0x50 mm/kasan/common.c:125
 memcpy include/linux/string.h:380 [inline]
 soft_cursor+0x439/0xa30 drivers/video/fbdev/core/softcursor.c:70
 bit_cursor+0x12fc/0x1a60 drivers/video/fbdev/core/bitblit.c:386
 fbcon_cursor+0x487/0x660 drivers/video/fbdev/core/fbcon.c:1402
 hide_cursor+0x9d/0x2b0 drivers/tty/vt/vt.c:895
 redraw_screen+0x60b/0x7d0 drivers/tty/vt/vt.c:988
 fbcon_do_set_font+0x829/0x960 drivers/video/fbdev/core/fbcon.c:2605
 fbcon_copy_font+0x12c/0x190 drivers/video/fbdev/core/fbcon.c:2620
 con_font_copy drivers/tty/vt/vt.c:4594 [inline]
 con_font_op+0x6b2/0x1270 drivers/tty/vt/vt.c:4609
 vt_ioctl+0x181a/0x26d0 drivers/tty/vt/vt_ioctl.c:965
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a909
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f61bb330c78 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 0003 RCX: 0045a909
RDX: 2040 RSI: 4b72 RDI: 0003
RBP: 0075bf20 R08: R09:
R10: R11: 0246 R12: 7f61bb3316d4
R13: 004c3a41 R14: 004d8f78 R15:

The buggy address belongs to the variable:
 oid_index+0x520/0xb80

Memory state around the buggy address:
 8872a200: 00 07 fa fa fa fa fa fa 00 06 fa fa fa fa fa fa
 8872a280: 06 fa fa fa fa fa fa fa 00 00 00 04 fa fa fa fa
 8872a300: 00 00 fa fa fa fa fa fa 00 00 06 fa fa fa fa fa
                                               ^
 8872a380: 00 06 fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
 8872a400: 00 00 01 fa fa fa fa fa 06 fa fa fa fa fa fa fa
==
general protection fault in fbcon_cursor
Hello,

syzbot found the following crash on:

HEAD commit:    ae4b064e Merge tag 'afs-fixes-20191211' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1218c1dee0
kernel config:  https://syzkaller.appspot.com/x/.config?x=79f79de2a27d3e3d
dashboard link: https://syzkaller.appspot.com/bug?extid=6acf28c23c81badd89a7
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6acf28c23c81badd8...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] PREEMPT SMP KASAN
CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events console_callback
RIP: 0010:fbcon_cursor+0x114/0x660 drivers/video/fbdev/core/fbcon.c:1380
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 e6 04 00 00 4d 8b b4 24 a0 03 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 14 02 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ba
RSP: 0018:c9d8fb00 EFLAGS: 00010206
RAX: dc00 RBX: 8880a4309400 RCX: 83e01590
RDX: 1fe7 RSI: 83b2804c RDI: 8880a282b3a0
RBP: c9d8fb40 R08: 8880a9a4a480 R09: ed10147a3e1c
R10: ed10147a3e1b R11: 8880a3d1f0df R12: 8880a282b000
R13: 888218c76000 R14: ff3a R15: 888218c76468
FS:  () GS:8880ae90() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: 004bf9b0 CR3: 8e75d000 CR4: 001406e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 set_cursor drivers/tty/vt/vt.c:908 [inline]
 set_cursor+0x1fb/0x280 drivers/tty/vt/vt.c:899
 redraw_screen+0x4e1/0x7d0 drivers/tty/vt/vt.c:1013
 complete_change_console+0x105/0x3a0 drivers/tty/vt/vt_ioctl.c:1264
 change_console+0x19b/0x2c0 drivers/tty/vt/vt_ioctl.c:1389
 console_callback+0x3a1/0x400 drivers/tty/vt/vt.c:2824
 process_one_work+0x9af/0x1740 kernel/workqueue.c:2264
 worker_thread+0x98/0xe40 kernel/workqueue.c:2410
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Modules linked in:
---[ end trace a825343a1e8757e1 ]---
RIP: 0010:fbcon_cursor+0x114/0x660 drivers/video/fbdev/core/fbcon.c:1380
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 e6 04 00 00 4d 8b b4 24 a0 03 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 14 02 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ba
RSP: 0018:c9d8fb00 EFLAGS: 00010206
RAX: dc00 RBX: 8880a4309400 RCX: 83e01590
RDX: 1fe7 RSI: 83b2804c RDI: 8880a282b3a0
RBP: c9d8fb40 R08: 8880a9a4a480 R09: ed10147a3e1c
R10: ed10147a3e1b R11: 8880a3d1f0df R12: 8880a282b000
R13: 888218c76000 R14: ff3a R15: 888218c76468
FS:  () GS:8880ae90() knlGS:
CS:  0010 DS: ES: CR0: 80050033
CR2: 004bf9b0 CR3: 8e75d000 CR4: 001406e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
KASAN: use-after-free Read in fbcon_cursor
Hello,

syzbot found the following crash on:

HEAD commit:    07c4b9e9 Merge tag 'scsi-fixes' of git://git.kernel.org/pu..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14b61f41e0
kernel config:  https://syzkaller.appspot.com/x/.config?x=79f79de2a27d3e3d
dashboard link: https://syzkaller.appspot.com/bug?extid=9116ecc1978ca3a12f43
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=119fa6b6e0

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9116ecc1978ca3a12...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in fbcon_cursor+0x4ef/0x660 drivers/video/fbdev/core/fbcon.c:1380
Read of size 2 at addr 8880959ff0cc by task syz-executor.0/10203

CPU: 1 PID: 10203 Comm: syz-executor.0 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/generic_report.c:133
 fbcon_cursor+0x4ef/0x660 drivers/video/fbdev/core/fbcon.c:1380
 fbcon_scrolldelta+0x679/0x1220 drivers/video/fbdev/core/fbcon.c:2877
 fbcon_set_origin+0x43/0x50 drivers/video/fbdev/core/fbcon.c:2928
 set_origin+0xf3/0x400 drivers/tty/vt/vt.c:919
 vc_do_resize+0xacc/0x1460 drivers/tty/vt/vt.c:1264
 vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1304
 vt_ioctl+0x14bb/0x26d0 drivers/tty/vt/vt_ioctl.c:840
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a909
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f1a84ca0c78 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 0003 RCX: 0045a909
RDX: 2000 RSI: 5609 RDI: 0003
RBP: 0075bf20 R08: R09:
R10: R11: 0246 R12: 7f1a84ca16d4
R13: 004c7009 R14: 004dd670 R15:

Allocated by task 9734:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x163/0x770 mm/slab.c:3665
 kmalloc include/linux/slab.h:561 [inline]
 kzalloc include/linux/slab.h:670 [inline]
 vc_do_resize+0x262/0x1460 drivers/tty/vt/vt.c:1187
 vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1304
 vt_ioctl+0x14bb/0x26d0 drivers/tty/vt/vt_ioctl.c:840
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 10203:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:335 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3757
 vc_do_resize+0xa69/0x1460 drivers/tty/vt/vt.c:1261
 vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1304
 vt_ioctl+0x14bb/0x26d0 drivers/tty/vt/vt_ioctl.c:840
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at 8880959ff0c0
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 12 bytes inside of
 32-byte region [8880959ff0c0, 8880959ff0e0)
The buggy address bel
Re: KASAN: global-out-of-bounds Read in bit_putcs
syzbot has found a reproducer for the following crash on:

HEAD commit:    b9c5ef25 Add linux-next specific files for 20191218
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17d57b46e0
kernel config:  https://syzkaller.appspot.com/x/.config?x=2eb13492323f151f
dashboard link: https://syzkaller.appspot.com/bug?extid=38a3699c7eaf165b97a6
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13ce1f2ee0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=125727dee0

Bisection is inconclusive: the bug happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12caa5b6e0
final crash:    https://syzkaller.appspot.com/x/report.txt?x=11caa5b6e0
console output: https://syzkaller.appspot.com/x/log.txt?x=16caa5b6e0

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+38a3699c7eaf165b9...@syzkaller.appspotmail.com

==
BUG: KASAN: global-out-of-bounds in __fb_pad_aligned_buffer include/linux/fb.h:654 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: global-out-of-bounds in bit_putcs+0xd5d/0xf10 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr 8872bb44 by task syz-executor093/14101

CPU: 1 PID: 14101 Comm: syz-executor093 Not tainted 5.5.0-rc2-next-20191218-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 __fb_pad_aligned_buffer include/linux/fb.h:654 [inline]
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
 bit_putcs+0xd5d/0xf10 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x33c/0x3e0 drivers/video/fbdev/core/fbcon.c:1353
 do_update_region+0x42b/0x6f0 drivers/tty/vt/vt.c:677
 redraw_screen+0x676/0x7d0 drivers/tty/vt/vt.c:1011
 fbcon_do_set_font+0x829/0x960 drivers/video/fbdev/core/fbcon.c:2605
 fbcon_copy_font+0x12c/0x190 drivers/video/fbdev/core/fbcon.c:2620
 con_font_copy drivers/tty/vt/vt.c:4594 [inline]
 con_font_op+0x6b2/0x1270 drivers/tty/vt/vt.c:4609
 vt_ioctl+0x181a/0x26d0 drivers/tty/vt/vt_ioctl.c:965
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x449c49
Code: e8 7c e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fa99f42ace8 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 006e6a38 RCX: 00449c49
RDX: 2000 RSI: 4b72 RDI: 0004
RBP: 006e6a30 R08: 7fa99f42b700 R09:
R10: 7fa99f42b700 R11: 0246 R12: 006e6a3c
R13: 7ffe46ffe5df R14: 7fa99f42b9c0 R15: 20c49ba5e353f7cf

The buggy address belongs to the variable:
 __func__.44397+0x104/0x1c0

Memory state around the buggy address:
 8872ba00: 00 00 00 00 fa fa fa fa 00 03 fa fa fa fa fa fa
 8872ba80: 00 01 fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
 8872bb00: 04 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
                                   ^
 8872bb80: 04 fa fa fa fa fa fa fa 07 fa fa fa fa fa fa fa
 8872bc00: 04 fa fa fa fa fa fa fa 00 00 01 fa fa fa fa fa
==
INFO: task hung in fb_release
Hello,

syzbot found the following crash on:

HEAD commit:    c6017471 Merge tag 'xfs-5.5-fixes-2' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=127d0799e0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7f6119e2e3675a73
dashboard link: https://syzkaller.appspot.com/bug?extid=d130c4a0890561cfac5b
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=169b1925e0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12b9623ee0

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d130c4a0890561cfa...@syzkaller.appspotmail.com

INFO: task syz-executor500:14993 blocked for more than 143 seconds.
      Not tainted 5.5.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor500 D28160 14993   9196 0x4004
Call Trace:
 context_switch kernel/sched/core.c:3385 [inline]
 __schedule+0x934/0x1f90 kernel/sched/core.c:4081
 schedule+0xdc/0x2b0 kernel/sched/core.c:4155
 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:4214
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x7ab/0x13c0 kernel/locking/mutex.c:1103
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1118
 lock_fb_info include/linux/fb.h:637 [inline]
 fb_release+0x55/0x150 drivers/video/fbdev/core/fbmem.c:1435
 __fput+0x2ff/0x890 fs/file_table.c:280
 fput+0x16/0x20 fs/file_table.c:313
 task_work_run+0x145/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x316/0x380 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
 do_syscall_64+0x676/0x790 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4095e1
Code: Bad RIP value.
RSP: 002b:7fff7e1c4910 EFLAGS: 0293 ORIG_RAX: 0003
RAX: RBX: 0004 RCX: 004095e1
RDX: RSI: RDI: 0003
RBP: 006e7a1c R08: 004b3370 R09: 004b3370
R10: 7fff7e1c4940 R11: 0293 R12: 006e7a10
R13: 0001 R14: 002d R15: 20c49ba5e353f7cf

INFO: task syz-executor500:15000 blocked for more than 143 seconds.
      Not tainted 5.5.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor500 D28536 15000   9197 0x0004
Call Trace:
 context_switch kernel/sched/core.c:3385 [inline]
 __schedule+0x934/0x1f90 kernel/sched/core.c:4081
 schedule+0xdc/0x2b0 kernel/sched/core.c:4155
 schedule_timeout+0x717/0xc50 kernel/time/timer.c:1871
 __down_common kernel/locking/semaphore.c:220 [inline]
 __down+0x176/0x2c0 kernel/locking/semaphore.c:237
 down+0x64/0x90 kernel/locking/semaphore.c:61
 console_lock+0x29/0x80 kernel/printk/printk.c:2289
 do_fb_ioctl+0x335/0x7d0 drivers/video/fbdev/core/fbmem.c:1101
 fb_ioctl+0xe6/0x130 drivers/video/fbdev/core/fbmem.c:1180
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x44aac9
Code: Bad RIP value.
RSP: 002b:7f2e4eaddce8 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 006e7a08 RCX: 0044aac9
RDX: 2000 RSI: 4601 RDI: 0003
RBP: 006e7a00 R08: R09: R10:
R11: 0246 R12: 006e7a0c R13: 7fff7e1c489f
R14: 7f2e4eade9c0 R15: 20c49ba5e353f7cf

INFO: task syz-executor500:15002 blocked for more than 143 seconds.
      Not tainted 5.5.0-rc2-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor500 D27856 15002   9200 0x0004
Call Trace:
 context_switch kernel/sched/core.c:3385 [inline]
 __schedule+0x934/0x1f90 kernel/sched/core.c:4081
 schedule+0xdc/0x2b0 kernel/sched/core.c:4155
 schedule_timeout+0x717/0xc50 kernel/time/timer.c:1871
 __down_common kernel/locking/semaphore.c:220 [inline]
 __down+0x176/0x2c0 kernel/locking/semaphore.c:237
 down+0x64/0x90 kernel/locking/semaphore.c:61
 console_lock+0x29/0x80 kernel/printk/printk.c:2289
 do_fb_ioctl+0x335/0x7d0 drivers/video/fbdev/core/fbmem.c:1101
 fb_ioctl+0xe6/0x130 drivers/video/fbdev/core/fbmem.c:1180
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [
KASAN: vmalloc-out-of-bounds Read in drm_fb_helper_dirty_work
Hello,

syzbot found the following crash on:

HEAD commit:    7e0165b2 Merge branch 'akpm' (patches from Andrew)
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1619eb1ee0
kernel config:  https://syzkaller.appspot.com/x/.config?x=1b59a3066828ac4c
dashboard link: https://syzkaller.appspot.com/bug?extid=5d11928e253121e6c196
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+5d11928e253121e6c...@syzkaller.appspotmail.com

BUG: KASAN: vmalloc-out-of-bounds in memcpy include/linux/string.h:380 [inline]
BUG: KASAN: vmalloc-out-of-bounds in drm_fb_helper_dirty_blit_real drivers/gpu/drm/drm_fb_helper.c:399 [inline]
BUG: KASAN: vmalloc-out-of-bounds in drm_fb_helper_dirty_work+0x44c/0x780 drivers/gpu/drm/drm_fb_helper.c:428
Read of size 4096 at addr c90008bc1000 by task kworker/1:3/17225

CPU: 1 PID: 17225 Comm: kworker/1:3 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Workqueue: events drm_fb_helper_dirty_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
 memcpy+0x24/0x50 mm/kasan/common.c:125
 memcpy include/linux/string.h:380 [inline]
 drm_fb_helper_dirty_blit_real drivers/gpu/drm/drm_fb_helper.c:399 [inline]
 drm_fb_helper_dirty_work+0x44c/0x780 drivers/gpu/drm/drm_fb_helper.c:428
 process_one_work+0x9af/0x1740 kernel/workqueue.c:2264
 worker_thread+0x98/0xe40 kernel/workqueue.c:2410
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Memory state around the buggy address:
 c90008bc0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 c90008bc0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 c90008bc1000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
               ^
 c90008bc1080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 c90008bc1100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkal...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Re: INFO: task hung in fb_release
syzbot has bisected this bug to:

commit e3933f26b657c341055443103bad331f4537b113
Author: Rex Zhu
Date:   Tue Jan 16 10:35:15 2018 +0000

    drm/amd/pp: Add edit/commit/show OD clock/voltage support in sysfs

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12b5a799e0
start commit:   c6017471 Merge tag 'xfs-5.5-fixes-2' of git://git.kernel.o..
git tree:       upstream
final crash:    https://syzkaller.appspot.com/x/report.txt?x=11b5a799e0
console output: https://syzkaller.appspot.com/x/log.txt?x=16b5a799e0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7f6119e2e3675a73
dashboard link: https://syzkaller.appspot.com/bug?extid=d130c4a0890561cfac5b
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=169b1925e0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12b9623ee0

Reported-by: syzbot+d130c4a0890561cfa...@syzkaller.appspotmail.com
Fixes: e3933f26b657 ("drm/amd/pp: Add edit/commit/show OD clock/voltage support in sysfs")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection