LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* BUG: unable to handle kernel paging request in drm_fb_helper_damage_work
@ 2021-10-06  9:11 Hao Sun
  0 siblings, 0 replies; 3+ messages in thread
From: Hao Sun @ 2021-10-06  9:11 UTC (permalink / raw)
  To: maarten.lankhorst, mripard, tzimmermann, airlied, daniel, dri-devel
  Cc: Linux Kernel Mailing List

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 42d43c92fc57  Merge branch 'for-linus'
git tree: upstream
console output:
https://drive.google.com/file/d/1TXbZJ5Reefwpvr_wk3N1rGVKIMnF6fbP/view?usp=sharing
kernel config: https://drive.google.com/file/d/15vWoQRbJuuMu4ovWhUm1h4SrHyNwK8im/view?usp=sharing

Sorry, I don't have a reproducer for this crash, hope the symbolized
report can help.
If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th@gmail.com>

BUG: unable to handle page fault for address: ffffc900085e8070
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 10c00067 P4D 10c00067 PUD 10dbc067 PMD 1c94d067 PTE 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 3 PID: 33 Comm: kworker/3:0 Not tainted 5.15.0-rc3+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events drm_fb_helper_damage_work
RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
RIP: 0010:memcpy_toio+0x83/0xe0 arch/x86/lib/iomem.c:57
Code: 7a fd 49 89 dd 31 ff 41 83 e5 02 4c 89 ee e8 44 73 7a fd 4d 85
ed 75 2e e8 ba 71 7a fd 48 89 e9 48 89 df 4c 89 e6 48 c1 e9 02 <f3> a5
40 f6 c5 02 74 02 66 a5 40 f6 c5 01 74 01 a4 5b 5d 41 5c 41
RSP: 0018:ffffc90000887be0 EFLAGS: 00010212
RAX: 0000000000000000 RBX: ffffc900085e8070 RCX: 000000000000094c
RDX: 0000000000000000 RSI: ffffc90006599070 RDI: ffffc900085e8070
RBP: 0000000000002530 R08: ffffffff83fbd9c6 R09: 0000000000000000
R10: 0000000000000007 R11: fffff52000110f56 R12: ffffc90006599070
R13: 0000000000000000 R14: ffff888019db0140 R15: ffffc90006599070
FS:  0000000000000000(0000) GS:ffff888135d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc900085e8070 CR3: 000000001d3fd000 CR4: 0000000000350ee0
Call Trace:
 dma_buf_map_memcpy_to ./include/linux/dma-buf-map.h:245 [inline]
 drm_fb_helper_damage_blit_real drivers/gpu/drm/drm_fb_helper.c:388 [inline]
 drm_fb_helper_damage_blit drivers/gpu/drm/drm_fb_helper.c:419 [inline]
 drm_fb_helper_damage_work+0x76d/0xb00 drivers/gpu/drm/drm_fb_helper.c:450
 process_one_work+0x9df/0x16d0 kernel/workqueue.c:2297
 worker_thread+0x90/0xed0 kernel/workqueue.c:2444
 kthread+0x3e5/0x4d0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: ffffc900085e8070
---[ end trace 000e7483a76d6bd7 ]---
RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
RIP: 0010:memcpy_toio+0x83/0xe0 arch/x86/lib/iomem.c:57
Code: 7a fd 49 89 dd 31 ff 41 83 e5 02 4c 89 ee e8 44 73 7a fd 4d 85
ed 75 2e e8 ba 71 7a fd 48 89 e9 48 89 df 4c 89 e6 48 c1 e9 02 <f3> a5
40 f6 c5 02 74 02 66 a5 40 f6 c5 01 74 01 a4 5b 5d 41 5c 41
RSP: 0018:ffffc90000887be0 EFLAGS: 00010212
RAX: 0000000000000000 RBX: ffffc900085e8070 RCX: 000000000000094c
RDX: 0000000000000000 RSI: ffffc90006599070 RDI: ffffc900085e8070
RBP: 0000000000002530 R08: ffffffff83fbd9c6 R09: 0000000000000000
R10: 0000000000000007 R11: fffff52000110f56 R12: ffffc90006599070
R13: 0000000000000000 R14: ffff888019db0140 R15: ffffc90006599070
FS:  0000000000000000(0000) GS:ffff888135d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc900085e8070 CR3: 000000001d3fd000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0: 7a fd                jp     0xffffffff
   2: 49 89 dd              mov    %rbx,%r13
   5: 31 ff                xor    %edi,%edi
   7: 41 83 e5 02          and    $0x2,%r13d
   b: 4c 89 ee              mov    %r13,%rsi
   e: e8 44 73 7a fd        callq  0xfd7a7357
  13: 4d 85 ed              test   %r13,%r13
  16: 75 2e                jne    0x46
  18: e8 ba 71 7a fd        callq  0xfd7a71d7
  1d: 48 89 e9              mov    %rbp,%rcx
  20: 48 89 df              mov    %rbx,%rdi
  23: 4c 89 e6              mov    %r12,%rsi
  26: 48 c1 e9 02          shr    $0x2,%rcx
* 2a: f3 a5                rep movsl %ds:(%rsi),%es:(%rdi) <--
trapping instruction
  2c: 40 f6 c5 02          test   $0x2,%bpl
  30: 74 02                je     0x34
  32: 66 a5                movsw  %ds:(%rsi),%es:(%rdi)
  34: 40 f6 c5 01          test   $0x1,%bpl
  38: 74 01                je     0x3b
  3a: a4                    movsb  %ds:(%rsi),%es:(%rdi)
  3b: 5b                    pop    %rbx
  3c: 5d                    pop    %rbp
  3d: 41 5c                pop    %r12
  3f: 41                    rex.B

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: BUG: unable to handle kernel paging request in drm_fb_helper_damage_work
  2021-09-20 12:55 Hao Sun
@ 2021-09-20 16:12 ` Borislav Petkov
  0 siblings, 0 replies; 3+ messages in thread
From: Borislav Petkov @ 2021-09-20 16:12 UTC (permalink / raw)
  To: Hao Sun
  Cc: hpa, mingo, tglx, x86, Linux Kernel Mailing List,
	Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann,
	David Airlie, Daniel Vetter, dri-devel

On Mon, Sep 20, 2021 at 08:55:28PM +0800, Hao Sun wrote:
> Hello,
> 
> When using Healer to fuzz the latest Linux kernel, the following crash

Your Healer thing - or whatever that next automated thing is which is
trying to be smart - is not CCing the proper people:

$ ./scripts/get_maintainer.pl -f drivers/gpu/drm/drm_fb_helper.c --no-rolestats
Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Maxime Ripard <mripard@kernel.org>
Thomas Zimmermann <tzimmermann@suse.de>
David Airlie <airlied@linux.ie>
Daniel Vetter <daniel@ffwll.ch>
dri-devel@lists.freedesktop.org
linux-kernel@vger.kernel.org

I'll Cc them now but you should fix it.

The syzcaller mails at least Cc more people and I'm sure you can figure
out how to do that when you have the stack trace and get_maintainer.pl.

> was triggered.
> 
> HEAD commit: 4357f03d6611 Merge tag 'pm-5.15-rc2
> git tree: upstream
> console output:
> https://drive.google.com/file/d/13NUxvBLIswpoS8NOOAaq9PjOKgTYN19K/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1HKZtF_s3l6PL3OoQbNq_ei9CdBus-Tz0/view?usp=sharing
> 
> Sorry, I don't have a reproducer for this crash, hope the symbolized
> report can help.
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Hao Sun <sunhao.th@gmail.com>
> 
> BUG: unable to handle page fault for address: ffffc90003d79000
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 8c00067 P4D 8c00067 PUD 8d63067 PMD 104409067 PTE 0
> Oops: 0000 [#1] PREEMPT SMP
> CPU: 2 PID: 3032 Comm: kworker/2:2 Not tainted 5.15.0-rc1+ #19
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> Workqueue: events drm_fb_helper_damage_work
> RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
> RIP: 0010:memcpy_toio+0x48/0xa0 arch/x86/lib/iomem.c:57
> Code: 01 75 41 e8 4a 0d 04 ff 49 83 fc 01 76 0a e8 3f 0d 04 ff f6 c3
> 02 75 44 e8 35 0d 04 ff 4c 89 e1 48 89 df 48 89 ee 48 c1 e9 02 <f3> a5
> 41 f6 c4 02 74 02 66 a5 41 f6 c4 01 74 01 a4 5b 5d 41 5c e9
> RSP: 0018:ffffc9000088fda8 EFLAGS: 00010206
> RAX: 0000000000000000 RBX: ffffc90005aff000 RCX: 0000000000000100
> RDX: ffff88800f132240 RSI: ffffc90003d79000 RDI: ffffc90005b00000
> RBP: ffffc90003d78000 R08: 0000000000000001 R09: 0000000000000000
> R10: ffffc9000088fdc8 R11: 0000000000000004 R12: 0000000000001400
> R13: ffff888101fc7000 R14: 00000000000002ff R15: ffffc90003d78000
> FS:  0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc90003d79000 CR3: 000000010ea77000 CR4: 0000000000750ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
>  dma_buf_map_memcpy_to include/linux/dma-buf-map.h:245 [inline]
>  drm_fb_helper_damage_blit_real drivers/gpu/drm/drm_fb_helper.c:388 [inline]
>  drm_fb_helper_damage_blit drivers/gpu/drm/drm_fb_helper.c:419 [inline]
>  drm_fb_helper_damage_work+0x30e/0x380 drivers/gpu/drm/drm_fb_helper.c:450
>  process_one_work+0x359/0x850 kernel/workqueue.c:2297
>  worker_thread+0x41/0x4d0 kernel/workqueue.c:2444
>  kthread+0x178/0x1b0 kernel/kthread.c:319
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
> Modules linked in:
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> CR2: ffffc90003d79000
> ---[ end trace e1f0ecb0884517c4 ]---
> RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
> RIP: 0010:memcpy_toio+0x48/0xa0 arch/x86/lib/iomem.c:57
> Code: 01 75 41 e8 4a 0d 04 ff 49 83 fc 01 76 0a e8 3f 0d 04 ff f6 c3
> 02 75 44 e8 35 0d 04 ff 4c 89 e1 48 89 df 48 89 ee 48 c1 e9 02 <f3> a5
> 41 f6 c4 02 74 02 66 a5 41 f6 c4 01 74 01 a4 5b 5d 41 5c e9
> RSP: 0018:ffffc9000088fda8 EFLAGS: 00010206
> RAX: 0000000000000000 RBX: ffffc90005aff000 RCX: 0000000000000100
> RDX: ffff88800f132240 RSI: ffffc90003d79000 RDI: ffffc90005b00000
> RBP: ffffc90003d78000 R08: 0000000000000001 R09: 0000000000000000
> R10: ffffc9000088fdc8 R11: 0000000000000004 R12: 0000000000001400
> R13: ffff888101fc7000 R14: 00000000000002ff R15: ffffc90003d78000
> FS:  0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc90003d79000 CR3: 000000010ea77000 CR4: 0000000000750ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> ----------------
> Code disassembly (best guess):
>    0:   01 75 41                add    %esi,0x41(%rbp)
>    3:   e8 4a 0d 04 ff          callq  0xff040d52
>    8:   49 83 fc 01             cmp    $0x1,%r12
>    c:   76 0a                   jbe    0x18
>    e:   e8 3f 0d 04 ff          callq  0xff040d52
>   13:   f6 c3 02                test   $0x2,%bl
>   16:   75 44                   jne    0x5c
>   18:   e8 35 0d 04 ff          callq  0xff040d52
>   1d:   4c 89 e1                mov    %r12,%rcx
>   20:   48 89 df                mov    %rbx,%rdi
>   23:   48 89 ee                mov    %rbp,%rsi
>   26:   48 c1 e9 02             shr    $0x2,%rcx
> * 2a:   f3 a5                   rep movsl %ds:(%rsi),%es:(%rdi) <--
> trapping instruction
>   2c:   41 f6 c4 02             test   $0x2,%r12b
>   30:   74 02                   je     0x34
>   32:   66 a5                   movsw  %ds:(%rsi),%es:(%rdi)
>   34:   41 f6 c4 01             test   $0x1,%r12b
>   38:   74 01                   je     0x3b
>   3a:   a4                      movsb  %ds:(%rsi),%es:(%rdi)
>   3b:   5b                      pop    %rbx
>   3c:   5d                      pop    %rbp
>   3d:   41 5c                   pop    %r12
>   3f:   e9                      .byte 0xe9

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

^ permalink raw reply	[flat|nested] 3+ messages in thread

* BUG: unable to handle kernel paging request in drm_fb_helper_damage_work
@ 2021-09-20 12:55 Hao Sun
  2021-09-20 16:12 ` Borislav Petkov
  0 siblings, 1 reply; 3+ messages in thread
From: Hao Sun @ 2021-09-20 12:55 UTC (permalink / raw)
  To: bp, hpa, mingo, tglx, x86; +Cc: Linux Kernel Mailing List

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 4357f03d6611 Merge tag 'pm-5.15-rc2
git tree: upstream
console output:
https://drive.google.com/file/d/13NUxvBLIswpoS8NOOAaq9PjOKgTYN19K/view?usp=sharing
kernel config: https://drive.google.com/file/d/1HKZtF_s3l6PL3OoQbNq_ei9CdBus-Tz0/view?usp=sharing

Sorry, I don't have a reproducer for this crash, hope the symbolized
report can help.
If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th@gmail.com>

BUG: unable to handle page fault for address: ffffc90003d79000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 8c00067 P4D 8c00067 PUD 8d63067 PMD 104409067 PTE 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 2 PID: 3032 Comm: kworker/2:2 Not tainted 5.15.0-rc1+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Workqueue: events drm_fb_helper_damage_work
RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
RIP: 0010:memcpy_toio+0x48/0xa0 arch/x86/lib/iomem.c:57
Code: 01 75 41 e8 4a 0d 04 ff 49 83 fc 01 76 0a e8 3f 0d 04 ff f6 c3
02 75 44 e8 35 0d 04 ff 4c 89 e1 48 89 df 48 89 ee 48 c1 e9 02 <f3> a5
41 f6 c4 02 74 02 66 a5 41 f6 c4 01 74 01 a4 5b 5d 41 5c e9
RSP: 0018:ffffc9000088fda8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffffc90005aff000 RCX: 0000000000000100
RDX: ffff88800f132240 RSI: ffffc90003d79000 RDI: ffffc90005b00000
RBP: ffffc90003d78000 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc9000088fdc8 R11: 0000000000000004 R12: 0000000000001400
R13: ffff888101fc7000 R14: 00000000000002ff R15: ffffc90003d78000
FS:  0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90003d79000 CR3: 000000010ea77000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 dma_buf_map_memcpy_to include/linux/dma-buf-map.h:245 [inline]
 drm_fb_helper_damage_blit_real drivers/gpu/drm/drm_fb_helper.c:388 [inline]
 drm_fb_helper_damage_blit drivers/gpu/drm/drm_fb_helper.c:419 [inline]
 drm_fb_helper_damage_work+0x30e/0x380 drivers/gpu/drm/drm_fb_helper.c:450
 process_one_work+0x359/0x850 kernel/workqueue.c:2297
 worker_thread+0x41/0x4d0 kernel/workqueue.c:2444
 kthread+0x178/0x1b0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: ffffc90003d79000
---[ end trace e1f0ecb0884517c4 ]---
RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
RIP: 0010:memcpy_toio+0x48/0xa0 arch/x86/lib/iomem.c:57
Code: 01 75 41 e8 4a 0d 04 ff 49 83 fc 01 76 0a e8 3f 0d 04 ff f6 c3
02 75 44 e8 35 0d 04 ff 4c 89 e1 48 89 df 48 89 ee 48 c1 e9 02 <f3> a5
41 f6 c4 02 74 02 66 a5 41 f6 c4 01 74 01 a4 5b 5d 41 5c e9
RSP: 0018:ffffc9000088fda8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffffc90005aff000 RCX: 0000000000000100
RDX: ffff88800f132240 RSI: ffffc90003d79000 RDI: ffffc90005b00000
RBP: ffffc90003d78000 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc9000088fdc8 R11: 0000000000000004 R12: 0000000000001400
R13: ffff888101fc7000 R14: 00000000000002ff R15: ffffc90003d78000
FS:  0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90003d79000 CR3: 000000010ea77000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:   01 75 41                add    %esi,0x41(%rbp)
   3:   e8 4a 0d 04 ff          callq  0xff040d52
   8:   49 83 fc 01             cmp    $0x1,%r12
   c:   76 0a                   jbe    0x18
   e:   e8 3f 0d 04 ff          callq  0xff040d52
  13:   f6 c3 02                test   $0x2,%bl
  16:   75 44                   jne    0x5c
  18:   e8 35 0d 04 ff          callq  0xff040d52
  1d:   4c 89 e1                mov    %r12,%rcx
  20:   48 89 df                mov    %rbx,%rdi
  23:   48 89 ee                mov    %rbp,%rsi
  26:   48 c1 e9 02             shr    $0x2,%rcx
* 2a:   f3 a5                   rep movsl %ds:(%rsi),%es:(%rdi) <--
trapping instruction
  2c:   41 f6 c4 02             test   $0x2,%r12b
  30:   74 02                   je     0x34
  32:   66 a5                   movsw  %ds:(%rsi),%es:(%rdi)
  34:   41 f6 c4 01             test   $0x1,%r12b
  38:   74 01                   je     0x3b
  3a:   a4                      movsb  %ds:(%rsi),%es:(%rdi)
  3b:   5b                      pop    %rbx
  3c:   5d                      pop    %rbp
  3d:   41 5c                   pop    %r12
  3f:   e9                      .byte 0xe9

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-10-06  9:11 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-06  9:11 BUG: unable to handle kernel paging request in drm_fb_helper_damage_work Hao Sun
  -- strict thread matches above, loose matches on Subject: below --
2021-09-20 12:55 Hao Sun
2021-09-20 16:12 ` Borislav Petkov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).