Re: drm: NULL pointer dereference in drm_mode_object_find()
Hi

On Fri, Aug 19, 2016 at 7:10 PM, Alexander Potapenko wrote:
> Hello,
>
> the program below triggers a NULL deref in DRM code when ran on QEMU:
>
> ===
> BUG: unable to handle kernel NULL pointer dereference at (null)
> IP: [< inline >] __list_add ./include/linux/list.h:44
> IP: [< inline >] list_add_tail ./include/linux/list.h:77
> IP: [< inline >] __mutex_lock_common kernel/locking/mutex.c:543
> IP: [] __mutex_lock_slowpath+0x6f/0x100 kernel/locking/mutex.c:824
> PGD 1c555067 PUD 1c554067 PMD 0
> Oops: 0002 [#1] SMP
> Modules linked in:
> CPU: 0 PID: 2517 Comm: crash_drm_mode_ Not tainted 4.8.0-rc2+ #1157
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: 88001c40a700 task.stack: 88001c984000
> RIP: 0010:[] [] __mutex_lock_slowpath+0x6f/0x100
> RSP: 0018:88001c987cb0 EFLAGS: 00010282
> RAX: RBX: 88001d5212a0 RCX: c100
> RDX: 0001 RSI: 88001c40a700 RDI: 88001d5212a4
> RBP: 88001c987cf8 R08: 88001c984000 R09:
> R10: R11: R12: 88001c40a700
> R13: 88001d5212a4 R14: R15: 88001d5212a8
> FS: 00dc9880() GS:88001f00() knlGS:
> CS: 0010 DS: ES: CR0: 80050033
> CR2: CR3: 1c8a9000 CR4: 000406f0
> Stack:
> 88001d5212a8 811a398f
> 88001d5212a0 88001d5212a0
> 81a6eb20 88001c987d10 818e85ba 88001d521000
> Call Trace:
> [< inline >] __mutex_fastpath_lock ./arch/x86/include/asm/mutex_64.h:28
> [] mutex_lock+0x1a/0x30 kernel/locking/mutex.c:102
> [] _object_find+0x23/0xc0 drivers/gpu/drm/drm_crtc.c:329
> [< inline >] drm_mode_object_find drivers/gpu/drm/drm_crtc.c:360
> [< inline >] drm_crtc_find ./include/drm/drm_crtc.h:2999
> [] drm_mode_page_flip_ioctl+0x4e/0x300 drivers/gpu/drm/drm_crtc.c:5414
> [] drm_ioctl+0x2a2/0x460 drivers/gpu/drm/drm_ioctl.c:721
> [< inline >] vfs_ioctl fs/ioctl.c:43
> [] do_vfs_ioctl+0x8d/0x580 fs/ioctl.c:675
> [< inline >] SYSC_ioctl fs/ioctl.c:690
> [] SyS_ioctl+0x74/0x80 fs/ioctl.c:681
> [] entry_SYSCALL_64_fastpath+0x13/0x8f arch/x86/entry/entry_64.S:207
> Code: e8 37 23 00 00 8b 03 83 f8 01 0f 84 95 00 00 00 48 8b 43 10 4c
> 8d 7b 08 48 89 63 10 41 be ff ff ff ff 4c 89 3c 24 48 89 44 24 08 <48>
> 89 20 4c 89 64 24 10 eb 19 49 c7 04 24 02 00 00 00 c6 43 04
> RIP [< inline >] __list_add ./include/linux/list.h:44
> RIP [< inline >] list_add_tail ./include/linux/list.h:77
> RIP [< inline >] __mutex_lock_common kernel/locking/mutex.c:543
> RIP [] __mutex_lock_slowpath+0x6f/0x100 kernel/locking/mutex.c:824
> RSP
> CR2:
> ---[ end trace 3cef4eb618ac6bb6 ]---
> ===
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> // header names were stripped by the archive; these are the ones the calls below need
> #include <fcntl.h>
> #include <string.h>
> #include <sys/ioctl.h>
> #include <sys/mman.h>
> #include <unistd.h>
>
> int main()
> {
>   int fd = open("/dev/dri/card0", 0);
>   // fd argument was collapsed to "0xul" by the archive; 0x32 is
>   // MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, so the fd is ignored and -1 is used here
>   mmap((void*)0x20036000ul, 0x1000ul, 0x3ul, 0x32ul, -1, 0x0ul);
>   memcpy((void*)0x20036ad7,
>          "\x1e\xa4\x45\xdc\xca\x11\xff\x25\x72\x65\x7e\x4a\x56\x54\x35"
>          "\x67\xe3\x8b\x41\x5c\x6d\x69\xa5\xf9\x88\x29\xb8\xc9\x6a\x45"
>          "\x76\xa9\xe7\x14\xd1\xf6\xa3\x59\x07\x4d\xe5\xc8\x39\xbf\x33"
>          "\xb9\x3d\x21\xd1\xaf\x16\x4d\xbc\xbf\xb1\x0a\x92\x97\xd9\x91"
>          "\x4d\xd8\xf8\xa1\xa6\xa3\x20\x02\x2c\x5e\x8f\x87\x05\x8b\xeb"
>          "\x9a\xb9\xbc\xa6\x60\x45\x8d\x19\x01\x7d\xb7\xef\x64\x62\x2e"
>          "\x5e\x3d\xfe\x65\xbf\xe2\x80\x89\x36\x48\x73\xc6\xa2\x6e\xe2"
>          "\x1a\x8f\x1b\x11\x6f\x49\x20\xeb\x74\x2d\x41\xb9\x8b\xb4\x8e"
>          "\x8b\xf5\x6d\xb7\xb1\xa3\xcb\xc4\xc2\x7f\x6d\xef\x32\xef\xa7"
>          "\x1c\x17\x03\x60\x7b\x31\x1f\x66",
>          143);
>   ioctl(fd, 0xbb0ul, 0x20036ad7ul, 0, 0, 0);
>   return 0;
> }
>
> I build the ToT kernel (commit
> 952b159f2919a8d514f13999f9f463bddcc1dae7, Aug 18) with defconfig and
> CONFIG_DRM_VGEM=y.

Can you make sure you have this commit:

commit 6f00975c619064a18c23fd3aced325ae165a73b9
Author: Daniel Vetter
Date:   Sat Aug 20 12:22:11 2016 +0200

    drm: Reject page_flip for !DRIVER_MODESET

Thanks
David
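The call trace in the report goes drm_ioctl -> drm_mode_page_flip_ioctl -> drm_crtc_find -> drm_mode_object_find, and the fault is in mutex_lock() on the mode-config idr mutex: a driver that never advertises DRIVER_MODESET never calls drm_mode_config_init(), so that mutex (and its wait list) is still zeroed memory when the page-flip ioctl reaches it. The commit cited above closes this by rejecting page_flip before the lookup on such drivers. The following is an added, user-space C model of that path and of the feature gate; it is not code from this thread, from the kernel or from the commit. drm_core_check_feature() and DRIVER_MODESET are real kernel names, but the feature-bit value, the MODEL_OOPS sentinel, the array-based lookup and the -EINVAL return are assumptions of the model, not the kernel's code.

```c
/* Added example: user-space model of the page-flip ioctl path from the
 * report and of the DRIVER_MODESET gate. Not kernel code; names, values
 * and the MODEL_OOPS sentinel are assumptions of this model. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DRIVER_MODESET 0x2000u   /* modelled feature bit; value assumed */
#define MODEL_OOPS     (-1000)   /* stands in for the NULL-pointer oops */

struct mode_object { uint32_t id; };

/* For a KMS driver, drm_mode_config_init() sets up the object idr and its
 * mutex. A driver without DRIVER_MODESET (vgem at the time of the report)
 * never calls it, so in the kernel the mutex's wait list still holds NULL
 * pointers and list_add_tail() in the mutex slow path faults. Here "never
 * initialised" is modelled by a NULL idr_mutex pointer. */
struct mode_config {
    int *idr_mutex;              /* NULL until mode_config_init() */
    struct mode_object *objects;
    size_t nobjects;
};

struct drm_device {
    uint32_t driver_features;
    struct mode_config mode_config;
};

static int drm_core_check_feature(const struct drm_device *dev, uint32_t f)
{
    return (dev->driver_features & f) != 0;
}

static void mode_config_init(struct drm_device *dev, int *mutex_storage,
                             struct mode_object *objs, size_t n)
{
    dev->mode_config.idr_mutex = mutex_storage;
    dev->mode_config.objects = objs;
    dev->mode_config.nobjects = n;
}

/* Model of _object_find(): take idr_mutex, then look the id up. */
static int mode_object_find(struct drm_device *dev, uint32_t id,
                            struct mode_object **out)
{
    int *mutex = dev->mode_config.idr_mutex;
    if (mutex == NULL)
        return MODEL_OOPS;       /* kernel: NULL deref inside mutex_lock() */
    *mutex = 1;                  /* lock */
    *out = NULL;
    for (size_t i = 0; i < dev->mode_config.nobjects; i++)
        if (dev->mode_config.objects[i].id == id)
            *out = &dev->mode_config.objects[i];
    *mutex = 0;                  /* unlock */
    return *out ? 0 : -ENOENT;
}

/* Pre-fix handler: goes straight to the lookup, whatever the driver is. */
int page_flip_ioctl_unguarded(struct drm_device *dev, uint32_t crtc_id)
{
    struct mode_object *crtc;
    return mode_object_find(dev, crtc_id, &crtc);
}

/* Post-fix handler: reject page_flip on drivers that never set up KMS.
 * The errno used for the rejection is an assumption of this model. */
int page_flip_ioctl_guarded(struct drm_device *dev, uint32_t crtc_id)
{
    if (!drm_core_check_feature(dev, DRIVER_MODESET))
        return -EINVAL;
    return page_flip_ioctl_unguarded(dev, crtc_id);
}

/* Two constructed devices: a vgem-like one with no KMS, and a KMS driver
 * with a single CRTC (id 1). Returns 1 when every case behaves as expected. */
int demo(void)
{
    struct drm_device vgem = { .driver_features = 0 };
    int mutex_storage = 0;
    struct mode_object crtcs[] = { { .id = 1 } };
    struct drm_device kms = { .driver_features = DRIVER_MODESET };
    mode_config_init(&kms, &mutex_storage, crtcs, 1);

    int a = page_flip_ioctl_unguarded(&vgem, 1); /* MODEL_OOPS: the report */
    int b = page_flip_ioctl_guarded(&vgem, 1);   /* -EINVAL after the gate */
    int c = page_flip_ioctl_guarded(&kms, 1);    /* 0: CRTC found */
    int d = page_flip_ioctl_guarded(&kms, 7);    /* -ENOENT: unknown id */
    printf("unguarded/vgem=%d guarded/vgem=%d kms/ok=%d kms/bad=%d\n",
           a, b, c, d);
    return a == MODEL_OOPS && b == -EINVAL && c == 0 && d == -ENOENT;
}

int main(void) { return demo() ? 0 : 1; }
```

The point the model makes is the one David raises below: the ioctl table alone does not protect a driver from a core ioctl that assumes KMS state, so the check has to happen in the handler before any mode-object lookup.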
Re: drm: NULL pointer dereference in drm_mode_object_find()
Hi

On Tue, Sep 20, 2016 at 11:25 AM, Alexander Potapenko wrote:
> On Tue, Sep 20, 2016 at 11:21 AM, David Herrmann wrote:
>> Hi
>>
>> On Mon, Sep 5, 2016 at 10:30 AM, Dmitry Vyukov wrote:
>>> On Fri, Aug 19, 2016 at 7:10 PM, Alexander Potapenko wrote:
>>>> [oops and syzkaller reproducer snipped; quoted in full in the first
>>>> message of this thread]
>>>
>>> +dri-devel
>>>
>>> I am also hitting this on 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of
>>> linux-next.
>>
>> Can you tell us which DRM driver this is? vgem does not specify
>> DRIVER_MODESET, so the page-flip ioctl should not be hooked up. Also,
>> the
Re: drm: NULL pointer dereference in drm_mode_object_find()
AFAICS the only drm driver built with "make defconfig" is i915.

CONFIG_DRM=y
CONFIG_DRM_MIPI_DSI=y
CONFIG_DRM_KMS_HELPER=y
CONFIG_DRM_KMS_FB_HELPER=y
CONFIG_DRM_FBDEV_EMULATION=y
CONFIG_DRM_I915=y
CONFIG_DRM_I915_USERPTR=y
CONFIG_DRM_PANEL=y
CONFIG_DRM_BRIDGE=y

Guenter

On Tue, Sep 20, 2016 at 2:25 AM, Alexander Potapenko wrote:
> On Tue, Sep 20, 2016 at 11:21 AM, David Herrmann wrote:
>> Hi
>>
>> On Mon, Sep 5, 2016 at 10:30 AM, Dmitry Vyukov wrote:
>>> On Fri, Aug 19, 2016 at 7:10 PM, Alexander Potapenko wrote:
>>>> [oops and syzkaller reproducer snipped; quoted in full in the first
>>>> message of this thread; the archived copy of this message is cut off
>>>> at "CONFIG_DRM_VGE"]
Re: drm: NULL pointer dereference in drm_mode_object_find()
On Tue, Sep 20, 2016 at 11:21 AM, David Herrmann wrote:
> Hi
>
> On Mon, Sep 5, 2016 at 10:30 AM, Dmitry Vyukov wrote:
>> On Fri, Aug 19, 2016 at 7:10 PM, Alexander Potapenko wrote:
>>> [oops and syzkaller reproducer snipped; quoted in full in the first
>>> message of this thread]
>>
>> +dri-devel
>>
>> I am also hitting this on 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of
>> linux-next.
>
> Can you tell us which DRM driver this is? vgem does not specify
> DRIVER_MODESET, so the page-flip ioctl should not be hooked up. Also,
> the mmap() operation should fail on any GEM driver. *confused*

How do I check that?

> Thanks
> David
Re: drm: NULL pointer dereference in drm_mode_object_find()
Hi

On Mon, Sep 5, 2016 at 10:30 AM, Dmitry Vyukov wrote:
> On Fri, Aug 19, 2016 at 7:10 PM, Alexander Potapenko wrote:
>> [oops and syzkaller reproducer snipped; quoted in full in the first
>> message of this thread]
>
> +dri-devel
>
> I am also hitting this on 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of
> linux-next.

Can you tell us which DRM driver this is? vgem does not specify
DRIVER_MODESET, so the page-flip ioctl should not be hooked up. Also,
the mmap() operation should fail on any GEM driver. *confused*

Thanks
David
Re: drm: NULL pointer dereference in drm_mode_object_find()
On Fri, Aug 19, 2016 at 7:10 PM, Alexander Potapenko wrote:
> [oops and syzkaller reproducer snipped; quoted in full in the first
> message of this thread]

+dri-devel

I am also hitting this on 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of
linux-next.