KASAN: use-after-free Read in drm_gem_object_release

2018-10-25 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:    bd6bf7c10484 Merge tag 'pci-v4.20-changes' of git://git.ke..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1448a68340
kernel config:  https://syzkaller.appspot.com/x/.config?x=2dd8629d56664133
dashboard link: https://syzkaller.appspot.com/bug?extid=e73f2fb5ed5a5df36d33
compiler:   gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=11331de540
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1334e64d40

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e73f2fb5ed5a5df36...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in drm_gem_object_release+0xf1/0x110 drivers/gpu/drm/drm_gem.c:813

Read of size 8 at addr 8801d83d3410 by task syz-executor977/6742

CPU: 0 PID: 6742 Comm: syz-executor977 Not tainted 4.19.0+ #80
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 drm_gem_object_release+0xf1/0x110 drivers/gpu/drm/drm_gem.c:813
 __vgem_gem_destroy drivers/gpu/drm/vgem/vgem_drv.c:175 [inline]
 vgem_gem_create drivers/gpu/drm/vgem/vgem_drv.c:199 [inline]
 vgem_gem_dumb_create+0x1f8/0x260 drivers/gpu/drm/vgem/vgem_drv.c:214
 drm_mode_create_dumb+0x28d/0x310 drivers/gpu/drm/drm_dumb_buffers.c:92
 drm_mode_create_dumb_ioctl+0x25/0x30 drivers/gpu/drm/drm_dumb_buffers.c:98
 drm_ioctl_kernel+0x245/0x2f0 drivers/gpu/drm/drm_ioctl.c:751
 drm_ioctl+0x57a/0xb20 drivers/gpu/drm/drm_ioctl.c:847
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
 __do_sys_ioctl fs/ioctl.c:709 [inline]
 __se_sys_ioctl fs/ioctl.c:707 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445989
Code: e8 4c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b c8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7ffcf076f4e8 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 7ffcf076f500 RCX: 00445989
RDX: 2000 RSI: ffb2 RDI: 0003
RBP: 0004 R08: 0001 R09: 0100
R10:  R11: 0246 R12: 
R13:  R14:  R15: 

Allocated by task 6742:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 __vgem_gem_create+0x4c/0x100 drivers/gpu/drm/vgem/vgem_drv.c:158
 vgem_gem_create drivers/gpu/drm/vgem/vgem_drv.c:187 [inline]
 vgem_gem_dumb_create+0xce/0x260 drivers/gpu/drm/vgem/vgem_drv.c:214
 drm_mode_create_dumb+0x28d/0x310 drivers/gpu/drm/drm_dumb_buffers.c:92
 drm_mode_create_dumb_ioctl+0x25/0x30 drivers/gpu/drm/drm_dumb_buffers.c:98
 drm_ioctl_kernel+0x245/0x2f0 drivers/gpu/drm/drm_ioctl.c:751
 drm_ioctl+0x57a/0xb20 drivers/gpu/drm/drm_ioctl.c:847
 vfs_ioctl 