LKML Archive on
help / color / mirror / Atom feed
From: Eric Biggers <>
To: Dmitry Vyukov <>
Cc: Thomas Gleixner <>,
	Borislav Petkov <>, "H. Peter Anvin" <>,
	LKML <>,
	Andrew Lutomirski <>,
	Ingo Molnar <>, X86 ML <>,
	Jann Horn <>,
	syzkaller-bugs <>
Subject: Re: general protection fault in syscall_return_slowpath
Date: Mon, 9 Mar 2020 11:26:08 -0700	[thread overview]
Message-ID: <20200309182608.GC1073@sol.localdomain> (raw)
In-Reply-To: <>

On Mon, Mar 09, 2020 at 09:34:25AM +0100, 'Dmitry Vyukov' via syzkaller-bugs wrote:
> I see the repro opens /dev/fb0, so this may be related to the exact
> type of framebuffer on the machine. That's what Jann tried to figure
> out.
> There is a plenty of open bugs on dashboard related to fb/tty, just
> doing a quick grep based on titles:
> BUG: unable to handle kernel paging request in
> drm_fb_helper_dirty_work 7 4d20h 90d
> BUG: unable to handle kernel paging request in vga16fb_imageblit 1 74d 73d
> divide error in fbcon_switch C cause 141 3d15h 96d
> general protection fault in fbcon_cursor C cause 12 13h48m 87d
> general protection fault in fbcon_fb_blanked 3 88d 90d
> general protection fault in fbcon_invert_region 1 49d 48d
> general protection fault in fbcon_modechanged 3 89d 90d
> INFO: task hung in do_fb_ioctl 6 36d 57d
> INFO: task hung in fb_compat_ioctl 1 87d 87d
> INFO: task hung in fb_open C cause 171 1h06m 96d
> INFO: task hung in fb_release C cause 23 2d12h 77d
> INFO: task hung in release_tty 3 6d16h 62d
> INFO: task hung in tty_ldisc_hangup C cause 15 17d 92d
> INFO: trying to register non-static key in hci_uart_tty_receive (2) 1 103d 99d
> KASAN: global-out-of-bounds Read in fbcon_get_font C cause 19 7d06h 90d
> KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer C cause 5 4d22h 92d
> KASAN: global-out-of-bounds Read in vga16fb_imageblit C cause 225 1d11h 96d
> KASAN: slab-out-of-bounds Read in fbcon_get_font C cause 42 5d04h 96d
> KASAN: slab-out-of-bounds Read in fb_pad_aligned_buffer 4 9d00h 48d
> KASAN: slab-out-of-bounds Write in fbcon_scroll 1 75d 73d
> KASAN: use-after-free Read in fbcon_cursor syz cause 3 41d 84d
> KASAN: use-after-free Read in fb_mode_is_equal syz cause 70 5h49m 92d
> KASAN: use-after-free Read in tty_open C cause 7 42d 96d
> KASAN: use-after-free Write in release_tty C cause 544 4h01m 96d
> KASAN: vmalloc-out-of-bounds Read in drm_fb_helper_dirty_work 1 80d 80d
> KASAN: vmalloc-out-of-bounds Write in drm_fb_helper_dirty_work 2 64d 76d
> KCSAN: data-race in echo_char / n_tty_receive_buf_common 11 21d 125d
> KMSAN: kernel-infoleak in tty_compat_ioctl C 81 2h17m 14d
> memory leak in tty_init_dev C 3 121d 192d
> possible deadlock in n_tty_receive_buf_common C cause 585 1h18m 23d
> possible deadlock in tty_port_close_start C cause 4 9d18h 25d
> WARNING in dlfb_submit_urb/usb_submit_urb C 190 8d23h 251d
> So if you don't see something obvious here, it may be not worth
> spending more time until these, more obvious ones are fixed. This may
> be a previous silent memory corruption that wasn't caught by KASAN.

Yesterday I was looking at a similar bug
"general protection fault in do_con_write"

It has a simple single-threaded reproducer at that just:

	1. Calls FBIOPUT_VSCREENINFO on /dev/fb0
	2. Opens /dev/tty20 and writes something to it

Presumably, to reproduce this you at least need some graphics hardware with a
corresponding framebuffer driver (to get /dev/fb0), as well as
CONFIG_FRAMEBUFFER_CONSOLE=y (so that the virtual console /dev/tty20 uses a
framebuffer console and not something else like a VGA text mode console).

However, when I tried to reproduce this locally in QEMU with the same kconfig
( and
with graphics enabled (-vga std), it didn't work.

I then tried to reproduce on a Google Compute Engine VM with the exact same
kconfig, and it worked.  I think the framebuffer driver in use was vga16fb.c.
It's odd because the same driver seems to be used in the QEMU case, and in both
cases the virtual consoles were bound to the framebuffer console.

I need to double-check all this though.

And yes, probably many of the above bugs have the same cause.

- Eric

  reply	other threads:[~2020-03-09 18:26 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-08  7:45 general protection fault in syscall_return_slowpath syzbot
2020-03-08 16:13 ` Andy Lutomirski
2020-03-08 16:37   ` Borislav Petkov
2020-03-08 18:26   ` Thomas Gleixner
2020-03-09  8:34     ` Dmitry Vyukov
2020-03-09 18:26       ` Eric Biggers [this message]
2020-03-10  5:41         ` Dmitry Vyukov
2020-03-09  8:42     ` Dmitry Vyukov
2020-03-08 16:29 ` Andy Lutomirski
2020-03-12 13:34   ` Dan Carpenter
2020-03-08 17:20 ` Jann Horn
2020-03-08 18:00   ` syzbot
2020-03-08 18:35 ` Jann Horn
2020-03-08 21:57   ` syzbot
2020-03-09  8:20   ` Dmitry Vyukov
2020-03-10  6:15     ` Nathan Chancellor
2020-03-10  8:10       ` Dmitry Vyukov
2020-06-14  8:03         ` Dmitry Vyukov
2020-06-15  7:57           ` Jann Horn
2020-08-15 10:18 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200309182608.GC1073@sol.localdomain \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).