Kernel WARNING via bochsdrmfb mmap

Takashi Iwai <tiwai@xxxxxxx> · Mon, 07 Mar 2016 15:30:15 +0100

Hi,

Jiri Slaby reported a kernel WARNING triggered by syzkaller.  It can
be reliably reproduced via fbdev mmap access on bochs drm.  The
warning looks like below:

WARNING: CPU: 3 PID: 29356 at ../drivers/gpu/drm/ttm/ttm_bo_vm.c:265 ttm_bo_vm_open+0x11a/0x180 [ttm]()
Modules linked in: ...
Supported: Yes
CPU: 3 PID: 29356 Comm: syz-executor Tainted: G            E      4.4.3-0-default #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
 0000000000000003 ffff880036cbfb50 ffffffff819eae91 0000000000000000
 ffff880035294000 ffffffffa0a46d60 0000000000000009 ffff880036cbfb90
 ffffffff8116face ffffffffa0a34e5a ffffffffa0a46d60 0000000000000109
Call Trace:
 [<ffffffff819eae91>] ? dump_stack+0xb3/0x112
 [<ffffffff8116face>] ? warn_slowpath_common+0xde/0x140
 [<ffffffffa0a34e5a>] ? ttm_bo_vm_open+0x11a/0x180 [ttm]
 [<ffffffffa0a34d40>] ? ttm_bo_vm_fault+0xe70/0xe70 [ttm]
 [<ffffffff8116fcfe>] ? warn_slowpath_null+0x2e/0x40
 [<ffffffffa0a34e5a>] ? ttm_bo_vm_open+0x11a/0x180 [ttm]
 [<ffffffff815833bd>] ? __split_vma.isra.30+0x3ed/0x7f0
 [<ffffffff815877e4>] ? do_munmap+0xd14/0x1010
 [<ffffffff81276d6d>] ? __lock_acquire+0xb3d/0x49d0
 [<ffffffff81588ab5>] ? mmap_region+0x1d5/0x11d0
 [<ffffffff81825ea6>] ? cap_mmap_addr+0x46/0x110
 [<ffffffff8158a208>] ? do_mmap+0x758/0x990
 [<ffffffff815401f4>] ? vm_mmap_pgoff+0x164/0x1b0
 [<ffffffff81540090>] ? task_of_stack+0x240/0x240
 [<ffffffff8158454d>] ? SyS_mmap_pgoff+0xcd/0x590
 [<ffffffff81584480>] ? vm_stat_account+0x130/0x130
 [<ffffffff818316d1>] ? security_file_ioctl+0x91/0xc0
 [<ffffffff81005044>] ? lockdep_sys_exit_thunk+0x12/0x14
 [<ffffffff81053b6b>] ? SyS_mmap+0x1b/0x30
 [<ffffffff823f7972>] ? entry_SYSCALL_64_fastpath+0x12/0x76

The bug was confirmed to happen on the latest vanilla 4.5-rc6, too.
The reproducer code is attached below.

Judging from the code, it comes from the fact that
vma->vm_file->f_mapping via fbdev access isn't changed to bodev's
one.  In the case of /dev/dri/*, f_mapping is replaced in drm_open().
But, fbdev open doesn't change f_mapping, and its callback doesn't
take the file pointer, so there is no way to fiddle with it there,
either.

What's the preferred way to fix this?  I can think of several ways,
e.g.
- adding f_mapping pointer field in struct fb_info
- passing the file pointer in fbdev open callback so that f_mapping
  can be corrected
- adjusting f_mapping in vm_open dynamically (is it safe?)
or
- drop WARN_ON() :)

thanks,

Takashi

---
#include <err.h>
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>

#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>

int main(void)
{
	void *addr;

	int fd = open("/dev/fb0", O_RDONLY);
	if (fd < 0)
		err(1, "open");

	addr = mmap(0, 8192, PROT_READ, MAP_SHARED, fd, 0);
	if (addr == MAP_FAILED)
		err(1, "1st mmap");

	if (mmap(addr, 4096, PROT_READ, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0) == MAP_FAILED)
		err(1, "2nd mmap");

	return 0;
}
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel