syzbot


BUG: unable to handle kernel paging request in vga16fb_fillrect
Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+04168c8063cfdde1db5e@syzkaller.appspotmail.com
Fix commit: 8c28051cdcbe fbmem: don't allow too huge resolutions
First crash: 320d, last: 200d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: BUG: unable to handle kernel paging request in vga16fb_fillrect (log)
Repro: C syz .config
similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 BUG: unable to handle kernel paging request in vga16fb_fillrect (2) C error 1 52d 263d 0/1 upstream: reported C repro on 2021/09/05 18:24
upstream BUG: unable to handle kernel paging request in vga16fb_fillrect (2) 4 185d 190d 0/22 auto-closed as invalid on 2022/02/20 19:10
linux-4.19 BUG: unable to handle kernel paging request in vga16fb_fillrect C error 3 87d 313d 0/1 upstream: reported C repro on 2021/07/17 15:13
linux-4.14 BUG: unable to handle kernel paging request in vga16fb_fillrect 1 891d 891d 0/1 auto-closed as invalid on 2020/04/15 20:20
Patch testing requests:
Created Duration User Patch Repo Result
2021/08/30 15:09 16m penguin-kernel@i-love.sakura.ne.jp patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v5.14 OK
2021/07/30 09:35 16m chouhan.shreyansh630@gmail.com upstream report log
2021/07/26 09:00 10m chouhan.shreyansh630@gmail.com upstream report log

Sample crash report:
BUG: unable to handle page fault for address: ffff888001000050
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD 10601067 P4D 10601067 PUD 10602067 PMD 80000000010001e1 
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8458 Comm: syz-executor826 Not tainted 5.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga16fb_fillrect+0x993/0x18d0 drivers/video/fbdev/vga16fb.c:923
Code: 68 fd 48 63 44 24 10 45 31 f6 48 89 04 24 e8 04 69 68 fd 31 ff 89 de 31 ed e8 39 70 68 fd 85 db 4d 89 ec 74 22 e8 ed 68 68 fd <45> 88 34 24 83 c5 01 89 df 49 83 c4 01 89 ee e8 09 71 68 fd 39 eb
RSP: 0018:ffffc9000172f848 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 000000000000001b RCX: 0000000000000000
RDX: ffff88802cf6d4c0 RSI: ffffffff840d4013 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff840d399d
R10: ffffffff840d4007 R11: 0000000000000000 R12: ffff888001000050
R13: ffff888001000050 R14: 0000000000000000 R15: 000000000ffeb7ff
FS:  0000000000b04300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000050 CR3: 0000000020439000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bit_clear_margins+0x3f6/0x4b0 drivers/video/fbdev/core/bitblit.c:224
 fbcon_clear_margins+0x1f1/0x280 drivers/video/fbdev/core/fbcon.c:1315
 fbcon_switch+0xa8c/0x1620 drivers/video/fbdev/core/fbcon.c:2146
 redraw_screen+0x2b9/0x740 drivers/tty/vt/vt.c:1021
 fbcon_modechanged+0x593/0x6d0 drivers/video/fbdev/core/fbcon.c:2651
 fbcon_update_vcs+0x3a/0x50 drivers/video/fbdev/core/fbcon.c:2696
 do_fb_ioctl+0x62e/0x690 drivers/video/fbdev/core/fbmem.c:1108
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1183
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:1069 [inline]
 __se_sys_ioctl fs/ioctl.c:1055 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:1055
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43efd9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff35bd6098 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043efd9
RDX: 0000000020000200 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 0000000000402fc0 R08: 0000000000000000 R09: 0000000000400488
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403050
R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
Modules linked in:
CR2: ffff888001000050
---[ end trace e56988c1407c1ce2 ]---
RIP: 0010:writeb arch/x86/include/asm/io.h:65 [inline]
RIP: 0010:vga16fb_fillrect+0x993/0x18d0 drivers/video/fbdev/vga16fb.c:923
Code: 68 fd 48 63 44 24 10 45 31 f6 48 89 04 24 e8 04 69 68 fd 31 ff 89 de 31 ed e8 39 70 68 fd 85 db 4d 89 ec 74 22 e8 ed 68 68 fd <45> 88 34 24 83 c5 01 89 df 49 83 c4 01 89 ee e8 09 71 68 fd 39 eb
RSP: 0018:ffffc9000172f848 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 000000000000001b RCX: 0000000000000000
RDX: ffff88802cf6d4c0 RSI: ffffffff840d4013 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff840d399d
R10: ffffffff840d4007 R11: 0000000000000000 R12: ffff888001000050
R13: ffff888001000050 R14: 0000000000000000 R15: 000000000ffeb7ff
FS:  0000000000b04300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000050 CR3: 0000000020439000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	68 fd 48 63 44       	pushq  $0x446348fd
   5:	24 10                	and    $0x10,%al
   7:	45 31 f6             	xor    %r14d,%r14d
   a:	48 89 04 24          	mov    %rax,(%rsp)
   e:	e8 04 69 68 fd       	callq  0xfd686917
  13:	31 ff                	xor    %edi,%edi
  15:	89 de                	mov    %ebx,%esi
  17:	31 ed                	xor    %ebp,%ebp
  19:	e8 39 70 68 fd       	callq  0xfd687057
  1e:	85 db                	test   %ebx,%ebx
  20:	4d 89 ec             	mov    %r13,%r12
  23:	74 22                	je     0x47
  25:	e8 ed 68 68 fd       	callq  0xfd686917
* 2a:	45 88 34 24          	mov    %r14b,(%r12) <-- trapping instruction
  2e:	83 c5 01             	add    $0x1,%ebp
  31:	89 df                	mov    %ebx,%edi
  33:	49 83 c4 01          	add    $0x1,%r12
  37:	89 ee                	mov    %ebp,%esi
  39:	e8 09 71 68 fd       	callq  0xfd687147
  3e:	39 eb                	cmp    %ebp,%ebx

Crashes (14):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2021/08/20 23:42 upstream d992fe5318d8 b599f2fc .config log report syz C BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce 2021/07/10 05:27 upstream 3dbdb38e2869 8f5a7b8c .config log report syz C BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce-386 2021/08/30 19:14 upstream 7d2a07b76933 8f58a0ef .config log report syz C BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce-selinux-root 2021/11/07 11:29 upstream 512b7931ad05 4c1be0be .config log report info BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce-smack-root 2021/11/06 23:05 upstream 512b7931ad05 4c1be0be .config log report info BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce-smack-root 2021/11/05 15:15 upstream d4439a1189f9 4c1be0be .config log report info BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce-smack-root 2021/11/03 10:48 upstream dcd68326d29b 17f3edd2 .config log report info BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce-smack-root 2021/11/03 07:53 upstream bfc484fe6abb 17f3edd2 .config log report info BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce-root 2021/08/20 02:18 upstream d992fe5318d8 b599f2fc .config log report info BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce-root 2021/08/20 00:45 upstream d992fe5318d8 b599f2fc .config log report info BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce-smack-root 2021/07/18 02:01 upstream d980cc0620ae f115ae98 .config log report info BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce 2021/07/10 05:11 upstream 3dbdb38e2869 8f5a7b8c .config log report info BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-kasan-gce-386 2021/11/04 11:00 upstream ce840177930f 4c1be0be .config log report info BUG: unable to handle kernel paging request in vga16fb_fillrect
ci-upstream-linux-next-kasan-gce-root 2021/10/22 13:58 linux-next 3196a52aff93 55f90bc6 .config log report info BUG: unable to handle kernel paging request in vga16fb_fillrect