Hi,

We would like to report the following bug, which was found by our modified version of syzkaller.

======================================================
description: BUG: unable to handle kernel paging request in sys_imageblit (supervisor-mode write to an unmapped kernel address), reached from the KDFONTOP ioctl on a virtual console
affected file: drivers/video/fbdev/core/sysimgblt.c (faulting function fast_imageblit), entered through drivers/gpu/drm/drm_fb_helper.c:drm_fb_helper_sys_imageblit
kernel version: 5.4.206
kernel commit: 6584107915561f860b7b05dcca5c903dd62a308d
git tree: upstream
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=1aab6d4187ddf667
crash reproducer: attached
note: the crashing kernel is tainted (G OE) because the out-of-tree module uio_ivshmem is loaded; the fault itself is in in-tree vt/fbdev code, but reproduction on an untainted kernel should be confirmed before triage.
======================================================
Crash log:
======================================================
BUG: unable to handle page fault for address: ffffc90000c19000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 119554067 P4D 119554067 PUD 119555067 PMD 10be9f067 PTE 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 27220 Comm: syz-executor.4 Tainted: G OE 5.4.206+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x1137/0x16f0 drivers/video/fbdev/core/sysimgblt.c:275
Code: 24 18 23 18 4c 89 f0 48 c1 e8 03 33 5c 24 60 0f b6 14 30 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 56 03 00 00 31 ff <41> 89 5f fc 44 89 e6 e8 0d 6f b2 fd 45 85 e4 75 0f e8 93 6d b2 fd
RSP: 0018:ffff8880824df250 EFLAGS: 00010246
RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000
RBP: ffff88810f56c213 R08: ffff8880922f82c0 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000007
R13: 0000000000000002 R14: ffffc90000c19000 R15: ffffc90000c19004
FS:  00007f9076748700(0000) GS:ffff88811a000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000c19000 CR3: 0000000090190001 CR4: 0000000000162ef0
Call Trace:
 drm_fb_helper_sys_imageblit+0x1c/0x130
drivers/gpu/drm/drm_fb_helper.c:809 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline] bit_putcs+0x904/0xd90 drivers/video/fbdev/core/bitblit.c:188 fbcon_putcs+0x39c/0x4c0 drivers/video/fbdev/core/fbcon.c:1302 fbcon_putc+0x86/0xb0 drivers/video/fbdev/core/fbcon.c:1312 complement_pos+0x360/0x720 drivers/tty/vt/vt.c:817 highlight_pointer drivers/tty/vt/selection.c:63 [inline] clear_selection+0x17/0x70 drivers/tty/vt/selection.c:83 vc_do_resize+0x1026/0x13a0 drivers/tty/vt/vt.c:1253 fbcon_do_set_font+0x579/0x9f0 drivers/video/fbdev/core/fbcon.c:2442 fbcon_set_font+0xa43/0xda0 drivers/video/fbdev/core/fbcon.c:2542 con_font_set drivers/tty/vt/vt.c:4591 [inline] con_font_op+0x75b/0xcc0 drivers/tty/vt/vt.c:4635 vt_ioctl+0x1663/0x2580 drivers/tty/vt/vt_ioctl.c:898 tty_ioctl+0xda5/0x14c0 drivers/tty/tty_io.c:2657 vfs_ioctl fs/ioctl.c:47 [inline] file_ioctl fs/ioctl.c:510 [inline] do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714 __do_sys_ioctl fs/ioctl.c:721 [inline] __se_sys_ioctl fs/ioctl.c:719 [inline] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f90787974ed Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9076747be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f90788b5f60 RCX: 00007f90787974ed RDX: 0000000020000480 RSI: 0000000000004b72 RDI: 0000000000000003 RBP: 00007f90788032e1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffed03d269f R14: 00007f90788b5f60 R15: 00007f9076747d80 Modules linked in: uio_ivshmem(OE) uio(E) CR2: ffffc90000c19000 ---[ end trace af2a9beecf656bf6 ]--- RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline] RIP: 
0010:sys_imageblit+0x1137/0x16f0 drivers/video/fbdev/core/sysimgblt.c:275 Code: 24 18 23 18 4c 89 f0 48 c1 e8 03 33 5c 24 60 0f b6 14 30 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 56 03 00 00 31 ff <41> 89 5f fc 44 89 e6 e8 0d 6f b2 fd 45 85 e4 75 0f e8 93 6d b2 fd RSP: 0018:ffff8880824df250 EFLAGS: 00010246 RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000 RBP: ffff88810f56c213 R08: ffff8880922f82c0 R09: 0000000000000008 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000007 R13: 0000000000000002 R14: ffffc90000c19000 R15: ffffc90000c19004 FS: 00007f9076748700(0000) GS:ffff88811a000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc90000c19000 CR3: 0000000090190001 CR4: 0000000000162ef0 ---------------- Code disassembly (best guess): 0: 24 18 and $0x18,%al 2: 23 18 and (%rax),%ebx 4: 4c 89 f0 mov %r14,%rax 7: 48 c1 e8 03 shr $0x3,%rax b: 33 5c 24 60 xor 0x60(%rsp),%ebx f: 0f b6 14 30 movzbl (%rax,%rsi,1),%edx 13: 4c 89 f0 mov %r14,%rax 16: 83 e0 07 and $0x7,%eax 19: 83 c0 03 add $0x3,%eax 1c: 38 d0 cmp %dl,%al 1e: 7c 08 jl 0x28 20: 84 d2 test %dl,%dl 22: 0f 85 56 03 00 00 jne 0x37e 28: 31 ff xor %edi,%edi * 2a: 41 89 5f fc mov %ebx,-0x4(%r15) <-- trapping instruction 2e: 44 89 e6 mov %r12d,%esi 31: e8 0d 6f b2 fd callq 0xfdb26f43 36: 45 85 e4 test %r12d,%r12d 39: 75 0f jne 0x4a 3b: e8 93 6d b2 fd callq 0xfdb26dd3 -- Thanks and Regards, Dipanjan
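// autogenerated by syzkaller (https://github.com/google/syzkaller)
//
// Reproducer for the "unable to handle page fault ... sys_imageblit" report
// above. Against /dev/char/4:1 (character device major 4, minor 1, i.e. tty1)
// it issues, in this order:
//   1. TIOCLINUX with subcode 2 (TIOCL_SETSEL) and sel_mode 3
//      (TIOCL_SELPOINTER): asks the console to highlight a "pointer" cell;
//   2. KDFONTOP with op 0 (KD_FONT_OP_SET): a 3x27 font of 512 glyphs.
// According to the call trace in the report, the font change goes through
// vc_do_resize -> clear_selection -> highlight_pointer -> complement_pos ->
// fbcon_putc, which appears to redraw the highlighted cell and then faults
// in sys_imageblit.
//
// WARNING: this is expected to crash the kernel. Run it only in a disposable
// VM. Both ioctls are presumably rejected with EPERM for callers that neither
// own the console nor hold the relevant capabilities, so run it as root.
//
// Compared to the raw syzkaller output, this version checks the mmap() and
// open() results and reports ioctl failures, so a non-reproducing run says
// why instead of silently issuing ioctls on fd -1.
#define _GNU_SOURCE
#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* ioctl request numbers used below (TIOCLINUX from <asm/ioctls.h>, KDFONTOP
 * from <linux/kd.h>), spelled out so the reproducer stays self-contained. */
enum {
	REPRO_TIOCLINUX = 0x541c,
	REPRO_KDFONTOP = 0x4b72,
};

/* MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS on x86, the 0x32 flag word that
 * syzkaller emits for its fixed-address data area. */
enum { REPRO_MMAP_FLAGS = 0x32 };

/*
 * syzkaller's device-open helper.
 *
 * a0 == 0xc or 0xb: open "/dev/char/<a1>:<a2>" or "/dev/block/<a1>:<a2>"
 *                   read-write (a1/a2 truncated to 8 bits).
 * otherwise:        a0 is a path template; every '#' is replaced, left to
 *                   right, by successive decimal digits of a1 (least
 *                   significant first) and the result is opened with flags a2.
 *
 * Returns the open() result: an fd, or -1 with errno set.
 * Parameters are volatile only because syzkaller wants them unoptimised.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128]; /* "/dev/block/255:255" is far below 128 bytes */
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block",
			(uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0; /* strncpy does not guarantee termination */
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

/* Map [addr, addr+len) at a fixed address, or abort: every later store to the
 * 0x20000000 data area relies on this mapping existing. */
static void map_fixed_or_die(unsigned long addr, unsigned long len,
			     unsigned long prot)
{
	if (syscall(__NR_mmap, addr, len, prot, (unsigned long)REPRO_MMAP_FLAGS,
		    -1, 0ul) == -1) {
		perror("mmap");
		exit(1);
	}
}

/* Open /dev/char/4:1 (tty1) read-write, or abort with the reason. */
static int open_tty1_or_die(void)
{
	long fd = syz_open_dev(0xc, 4, 1);
	if (fd == -1) {
		perror("open /dev/char/4:1");
		exit(1);
	}
	return (int)fd;
}

/* File descriptors produced by the program; -1 means "not opened" (syzkaller
 * convention, kept so the layout matches the generated original). */
uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

int main(void)
{
	/* One PROT_NONE guard page below and above the 16 MiB RWX data area. */
	map_fixed_or_die(0x1ffff000ul, 0x1000ul, 0ul);
	map_fixed_or_die(0x20000000ul, 0x1000000ul, 7ul);
	map_fixed_or_die(0x21000000ul, 0x1000ul, 0ul);

	r[0] = open_tty1_or_die();

	/* TIOCLINUX argument: byte 0 is the subcode (2 = TIOCL_SETSEL); the
	 * kernel reads the (unaligned) struct tiocl_selection starting at byte 1:
	 *   xs = 2, ys = 0, xe = 0, ye = 0, sel_mode = 3 (TIOCL_SELPOINTER).
	 * Same 12 bytes as the original's individual stores. */
	static const uint8_t setsel[12] = {
		0x02,       /* subcode: TIOCL_SETSEL */
		0x02, 0x00, /* xs */
		0x00, 0x00, /* ys */
		0x00, 0x00, /* xe */
		0x00, 0x00, /* ye */
		0x03, 0x00, /* sel_mode: TIOCL_SELPOINTER */
		0x00,       /* trailing byte of the original u16 store at +0xa */
	};
	memcpy((void*)0x20000000, setsel, sizeof setsel);
	/* Not fatal: the font operation below is the trigger, but a failure
	 * here most likely means the highlighted cell was never set up. */
	if (syscall(__NR_ioctl, r[0], (unsigned long)REPRO_TIOCLINUX,
		    0x20000000ul) == -1)
		perror("ioctl(TIOCLINUX, TIOCL_SETSEL)");

	r[1] = open_tty1_or_die();

	/* KDFONTOP argument laid out as struct console_font_op:
	 *   op = 0 (KD_FONT_OP_SET), flags = 0, width = 3, height = 27,
	 *   charcount = 512, 4 bytes of padding (zero from the fresh mapping),
	 *   data = 0x20000040. */
	*(uint32_t*)0x20000480 = 0;
	*(uint32_t*)0x20000484 = 0;
	*(uint32_t*)0x20000488 = 3;
	*(uint32_t*)0x2000048c = 0x1b;
	*(uint32_t*)0x20000490 = 0x200;
	*(uint64_t*)0x20000498 = 0x20000040;
	/* Glyph bitmap. Only these 1024 bytes are set; anything the kernel reads
	 * past them comes from the zero-filled anonymous mapping. The content is
	 * presumably irrelevant to the fault but is kept verbatim so the
	 * reproducer is unchanged. */
	memcpy((void*)0x20000040,
	       "\x11\x6a\x9c\xaf\xf7\x3a\x85\x29\x62\x2e\x69\x8f\x1e\xf3\xfa\x4e\x3b\xb4\x95\x29\x22\x28\x7b\xf4\xd4\xdb\x58\x01\x0b\x0c\x93\x12\x7b\xd5\xa1\x8d\xbd\x09\xe7\xdf\x91\x90\xc1\x72\x96\x29\xd0\x0f\x2d\xc5\xc8\x4f\x82\xea\xec\xd3\x50\xc6\xca\x4e\x70\x46\x88\x19\xde\x14\xe3\xd0\xe4\x91\x5c\x5d\x8d\x6a\xbf\x71\xee\xd2\xd4\x06\x95\xc5\x5c\x78\x1d\xca\xf8\x0a\x4a\x26\x9e\x1c\x43\xc7\xed\x9e\xd5\xe5\xe3\x86\xa2\x90\x24\x2a\x8b\x00\x70\xa7\xc0\x09\x23\x41\x0a\xe2\xf9\x51\xad\x46\x59\x3b\xe8\xb5\x03\x00\x00\x00\xaf\xa7\xcd\x0f\xc2\xea\x46\xb4\x21\xa4\xaa\x74\x1c\x80\x85\xfd\x17\xd5\xd9\x9c\x82\x92\x59\x18\x29\x39\x01\x46\x1b\xf7\x08\x9c\x38\x0e\x12\x7f\x8d\xe6\x87\x58\x11\x32\xc7\x30\xde\xf2\x66\x54\x4b\xbb\xc6\x0d\x21\xe8\x9d\x64\x79\x5d\xe7\x9b\x55\xbb\x1e\xd9\xd8\x7a\xa9\xf3\xa3\xd5\x01\x05\x91\xf8\x6f\x6a\x52\x50\x38\xee\x6c\xd8\xe6\x92\x0c\x3f\x6e\xdb\xc4\x04\x16\xe0\x45\x35\xdb\x71\x88\x2a\xa5\x82\xde\x9f\x25\x5e\xaf\x5e\xc5\x74\xe4\x63\x3c\x8d\x41\x97\x17\x8d\xa4\x9d\xb2\xab\xb0\xc4\x39\x98\x31\x6b\xbf\x1d\xc6\x9a\x79\x0c\xc9\x5a\x93\x7e\x09\x78\xc5\x38\x29\x17\x04\xdf\x87\x69\xce\xe5\xb1\xf3\x02\x41\x92\x0a\x72\xef\xbc\xcc\xeb\x61\x30\xfa\x88\xdb\x0e\x50\x1e\x3f\x58\x87\x45\x9d\xb4\xb7\x7c\x15\x81\xf6\xd5\x8a\x3a\x1e\x47\x00\x18\x8a\x88\x47\x52\xb2\xaf\xc2\xc8\x0e\x7b\xc3\xc3\xfc\xe7\x84\xf6\x70\xaa\x01\x33\x1e\xee\x95\x4d\x0c\x93\xbb\x66\x45\xff\xf3\xe3\xfa\xfb\xd8\x28\xaa\x12\xb7\xe4\x96\xa5\xac\x39\x47\xa3\xee\xec\x9c\x74\xa0\x4a\x14\x34\x0c\x8a\xb6\x7c\x14\xab\x34\x40\x20\x99\x6f\x21\x13\x6b\x46\x9b\x8b\xe0\x95\x8d\x7e\x8b\xcc\x32\x49\x0b\x70\x74\xc5\xe3\x44\xe0\x0b\x6e\xd2\xe2\xeb\xf4\xc9\xa3\xac\x9b\x6f\x74\xd3\xd7\xe7\xd3\xef\x76\xc7\xa7\x89\xa9\x2d\xde\xed\x72\x19\xf0\xbf\xac\x7c\x7a\xce\x85\x8e\xc5\x43\x11\xce\x32\x0f\x12\x61\x5a\xcb\x40\x8d\x58\xc6\x2e\xa3\x63\x94\xdd\xf2\x1f\x0d\x47\xe0\x6e\x88\x15\x4b\xa2\x63\xd2\xa9\x50\xc1\x88\xc9\xcb\x99\xdd\x95\x05\xfa\x7d\xfa\xe0\x8e\xd8\xf6\x8f\xb8\x2e\x94\xcb\x8d\x2f\x1a\x36\xef\x6c\x3c\x9c\x5d\x22\x01\xfe\x53\x8b\x4e"
	       "\x01\x30\x30\xd2\xf2\x87\x1a\xbb\x04\xd6\xc6\x71\xcb\x37\x8f\xd0\xda\x22\x03\x4f\x28\x0f\xa8\x15\xde\x50\xc4\x2f\x25\xc3\x93\xbc\xdc\xf7\x51\x70\xc7\xa0\xdd\x2b\x9b\x22\xa7\xea\xdf\xbb\x9b\x5e\xa2\xd3\x58\x84\x38\x5e\x20\x45\xbf\xe9\xf3\x88\x03\xda\xf1\x6f\x33\x71\xb3\x8a\xc1\x09\xf0\x8c\x49\x58\x24\x2a\x9d\x21\xa9\xe0\xc1\x2c\xaf\xb3\x5f\xd7\xf4\x39\xc1\xd0\xac\xbe\xc0\x37\xe8\x38\xcc\x3f\x67\x46\x13\xb7\x5f\xb3\x78\xd7\x9c\x5e\x76\x30\x6b\x5e\x7f\x84\x1d\x46\x28\x64\x68\x46\x9d\x0d\x05\x1f\x4a\x3b\xd5\x5b\x6f\x1e\xe3\xc1\x77\xcc\xa1\x56\x21\xc7\x1e\x06\x8b\x1d\xa2\x69\x3d\x28\x00\x2b\x00\xe3\x85\x02\x6f\x6b\x9a\x0d\x5b\x55\xcd\x0e\xb7\x1e\x1d\x5c\x37\x3e\x14\x54\x8b\x69\x25\x4d\xe6\xc5\xbc\xd9\x5b\xff\x09\x29\xd9\x34\x44\xc5\xb9\xa7\xf6\x0c\x8c\x04\x01\xc6\xf8\xd6\xf8\xbc\x3f\x8f\xdb\xf0\x44\x68\x6c\x5b\x74\xa9\xca\xb3\x5f\x56\x3a\x9e\x61\xca\x72\x01\x96\x7c\x08\x39\x86\x5c\xe5\x8b\x38\x79\x49\x30\x95\x54\xc2\x2a\xb5\x51\x0b\xa0\xb9\x13\xac\xcf\x7d\xec\x3e\x88\x0a\x22\x7a\x02\xf8\xf7\x64\xb1\x93\x11\x4a\x88\xad\xf4\xc6\x30\x60\x51\xe6\x74\xd9\xd4\x6b\x35\x80\x8b\x39\x12\xa7\x13\x63\xf8\x02\xd1\x79\x80\x0f\x4f\x91\x8c\x7f\xec\x20\x2c\x35\x54\x7f\xea\xea\x7d\xca\xc7\xee\xb6\xca\x6e\x23\xc8\x99\x95\xc1\x6d\xef\xc0\xda\x19\xf0\x15\x1a\x07\xfa\x8d\x7d\xec\xfa\x09\x39\x66\xd7\x6f\x64\x7e\x93\xfc\xb6\x47\x14\x99\x0a\xe1\x79\x16\xce\xe2\xd0\x79\xfe\xa6\x6c\x2d\x1a\x8a\xf0\x3b\xb8\x42\xbe\x5b\x8b\x72\xf1\xe9\x4c\x91\x42\xb4\x56\x87\x6b\x26\xca\x89\x91\x7c\xb6\xd6\xb7\x2c\x7e\x3c\xce\x64\x93\x00\x40\x6a\x44\x28\x23\x6e\xa0\x12\x8f\x8f\x35\xe4\x30\x53\xa8\xce\x08\x8d\xfa\x59\x8b\xf3\x9b\xc8\xa6\x28\x5f\x2c\x83\x1e\x6b\xa2\xbe\xf3\x91\xc6\x3c\xe9\x69\x56\xb2\x89\x72\x52\x95\x34\xc4\x38\x79\x15\xd0\x1e\x51\xb5\x92\xad\x8e\xc8\x5d\x6a\x5d\x02\xe9\xd8\x75\xb8\x08\x4d\x0b\xbc\xcc\x3f\xf9\x05\x01\x01\xde\x57\x7d\x9e\x3d\x9b\xb8\xc6\x4b\xa4\xb4\xe5\x73\x6c\x5d\x89\xa3\x10\xfc\xce\x1e\xe9\x6f\x1f\xdd\x0a\xd4\xf8\xc5\x5c\xb1\xcd\x10\x0d\x8c\x77\x12\x95\xb7\x12\x29\x18\xd5\x43\xea\xbd"
	       "\xf6\x78\x98\xa3\x36\x23\x23\xed\x8c\xad\xdd\x4f\x7b\x19\x5b\xb3\x5b\xe1\x09\x4e\xf2\x6e\xbe\x0b",
	       1024);
	/* This is the call that faults in the report; if it returns, say why. */
	if (syscall(__NR_ioctl, r[1], (unsigned long)REPRO_KDFONTOP,
		    0x20000480ul) == -1)
		perror("ioctl(KDFONTOP, KD_FONT_OP_SET)");
	return 0;
}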
Attachment:
repro.syz
Description: Binary data