syzbot


upstream boot error: KASAN: slab-out-of-bounds Write in virtio_gpu_object_create

Status: fixed on 2020/06/28 13:52
Subsystems: dri virt
[Documentation on labels]
Reported-by: syzbot+d3a7951ed361037407db@syzkaller.appspotmail.com
Fix commit: b513b0d4563a drm/virtio: fix OOB in virtio_gpu_object_create
First crash: 1515d, last: 1506d
Discussions (1)
Title Replies (including bot) Last reply
upstream boot error: KASAN: slab-out-of-bounds Write in virtio_gpu_object_create 5 (6) 2020/04/07 09:57

Sample crash report:
NET: Registered protocol family 38
async_tx: api initialized (async)
Key type asymmetric registered
Asymmetric key parser 'x509' registered
Asymmetric key parser 'pkcs8' registered
Key type pkcs7_test registered
Asymmetric key parser 'tpm_parser' registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 243)
io scheduler mq-deadline registered
io scheduler kyber registered
io scheduler bfq registered
hgafb: HGA card not detected.
hgafb: probe of hgafb.0 failed with error -22
usbcore: registered new interface driver udlfb
uvesafb: failed to execute /sbin/v86d
uvesafb: make sure that the v86d helper is installed and executable
uvesafb: Getting VBE info block failed (eax=0x4f00, err=-2)
uvesafb: vbe_init() failed with -22
uvesafb: probe of uvesafb.0 failed with error -22
vga16fb: mapped to 0x00000000d87bb980
Console: switching to colour frame buffer device 80x30
fb0: VGA16 VGA frame buffer device
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: Power Button [PWRF]
ioatdma: Intel(R) QuickData Technology Driver 5.00
PCI Interrupt Link [GSIF] enabled at IRQ 21
PCI Interrupt Link [GSIH] enabled at IRQ 23
N_HDLC line discipline registered with maxframe=4096
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
Cyclades driver 2.6
Initializing Nozomi driver 2.1d
RocketPort device driver module, version 2.09, 12-June-2003
No rocketport ports found; unloading driver
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
[drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
usbcore: registered new interface driver udl
[drm] pci: virtio-vga detected at 0000:00:01.0
fb0: switching to virtiodrmfb from VGA16 VGA
Console: switching to colour VGA+ 80x25
virtio-pci 0000:00:01.0: vgaarb: deactivate vga console
Console: switching to colour dummy device 80x25
[drm] features: -virgl +edid
[drm] number of scanouts: 1
[drm] number of cap sets: 0
[drm] Initialized virtio_gpu 0.1.0 0 for virtio0 on minor 2
==================================================================
BUG: KASAN: slab-out-of-bounds in virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:151 [inline]
BUG: KASAN: slab-out-of-bounds in virtio_gpu_object_create+0x9f3/0xaa0 drivers/gpu/drm/virtio/virtgpu_object.c:230
Write of size 8 at addr ffff888029a5c388 by task swapper/0/1

CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.6.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
 __kasan_report.cold+0x35/0x4d mm/kasan/report.c:503
 kasan_report+0x33/0x50 mm/kasan/common.c:648
 virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:151 [inline]
 virtio_gpu_object_create+0x9f3/0xaa0 drivers/gpu/drm/virtio/virtgpu_object.c:230
 virtio_gpu_gem_create+0xaa/0x1d0 drivers/gpu/drm/virtio/virtgpu_gem.c:42
 virtio_gpu_mode_dumb_create+0x21e/0x360 drivers/gpu/drm/virtio/virtgpu_gem.c:82
 drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_client_buffer_create drivers/gpu/drm/drm_client.c:267 [inline]
 drm_client_framebuffer_create+0x1b7/0x770 drivers/gpu/drm/drm_client.c:412
 drm_fb_helper_generic_probe+0x1e4/0x810 drivers/gpu/drm/drm_fb_helper.c:2039
 drm_fb_helper_single_fb_probe drivers/gpu/drm/drm_fb_helper.c:1588 [inline]
 __drm_fb_helper_initial_config_and_unlock+0xb56/0x11e0 drivers/gpu/drm/drm_fb_helper.c:1746
 drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1841 [inline]
 drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1833 [inline]
 drm_fbdev_client_hotplug+0x30f/0x580 drivers/gpu/drm/drm_fb_helper.c:2133
 drm_fbdev_generic_setup drivers/gpu/drm/drm_fb_helper.c:2212 [inline]
 drm_fbdev_generic_setup+0x18b/0x295 drivers/gpu/drm/drm_fb_helper.c:2185
 virtio_gpu_probe+0x28f/0x2de drivers/gpu/drm/virtio/virtgpu_drv.c:127
 virtio_dev_probe+0x463/0x710 drivers/virtio/virtio.c:248
 really_probe+0x281/0x6d0 drivers/base/dd.c:527
 driver_probe_device+0x104/0x210 drivers/base/dd.c:701
 device_driver_attach+0x108/0x140 drivers/base/dd.c:975
 __driver_attach+0xda/0x240 drivers/base/dd.c:1052
 bus_for_each_dev+0x14b/0x1d0 drivers/base/bus.c:305
 bus_add_driver+0x4a2/0x5a0 drivers/base/bus.c:622
 driver_register+0x1c4/0x330 drivers/base/driver.c:171
 do_one_initcall+0x10a/0x7d0 init/main.c:1158
 do_initcall_level init/main.c:1231 [inline]
 do_initcalls init/main.c:1247 [inline]
 do_basic_setup init/main.c:1267 [inline]
 kernel_init_freeable+0x501/0x5ae init/main.c:1451
 kernel_init+0xd/0x1bb init/main.c:1358
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 1:
 save_stack+0x1b/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:518 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:491
 kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 virtio_gpu_create_object+0x3c/0xe0 drivers/gpu/drm/virtio/virtgpu_object.c:128
 drm_gem_shmem_create+0x83/0x330 drivers/gpu/drm/drm_gem_shmem_helper.c:58
 virtio_gpu_object_create+0xa5/0xaa0 drivers/gpu/drm/virtio/virtgpu_object.c:199
 virtio_gpu_gem_create+0xaa/0x1d0 drivers/gpu/drm/virtio/virtgpu_gem.c:42
 virtio_gpu_mode_dumb_create+0x21e/0x360 drivers/gpu/drm/virtio/virtgpu_gem.c:82
 drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_client_buffer_create drivers/gpu/drm/drm_client.c:267 [inline]
 drm_client_framebuffer_create+0x1b7/0x770 drivers/gpu/drm/drm_client.c:412
 drm_fb_helper_generic_probe+0x1e4/0x810 drivers/gpu/drm/drm_fb_helper.c:2039
 drm_fb_helper_single_fb_probe drivers/gpu/drm/drm_fb_helper.c:1588 [inline]
 __drm_fb_helper_initial_config_and_unlock+0xb56/0x11e0 drivers/gpu/drm/drm_fb_helper.c:1746
 drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1841 [inline]
 drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1833 [inline]
 drm_fbdev_client_hotplug+0x30f/0x580 drivers/gpu/drm/drm_fb_helper.c:2133
 drm_fbdev_generic_setup drivers/gpu/drm/drm_fb_helper.c:2212 [inline]
 drm_fbdev_generic_setup+0x18b/0x295 drivers/gpu/drm/drm_fb_helper.c:2185
 virtio_gpu_probe+0x28f/0x2de drivers/gpu/drm/virtio/virtgpu_drv.c:127
 virtio_dev_probe+0x463/0x710 drivers/virtio/virtio.c:248
 really_probe+0x281/0x6d0 drivers/base/dd.c:527
 driver_probe_device+0x104/0x210 drivers/base/dd.c:701
 device_driver_attach+0x108/0x140 drivers/base/dd.c:975
 __driver_attach+0xda/0x240 drivers/base/dd.c:1052
 bus_for_each_dev+0x14b/0x1d0 drivers/base/bus.c:305
 bus_add_driver+0x4a2/0x5a0 drivers/base/bus.c:622
 driver_register+0x1c4/0x330 drivers/base/driver.c:171
 do_one_initcall+0x10a/0x7d0 init/main.c:1158
 do_initcall_level init/main.c:1231 [inline]
 do_initcalls init/main.c:1247 [inline]
 do_basic_setup init/main.c:1267 [inline]
 kernel_init_freeable+0x501/0x5ae init/main.c:1451
 kernel_init+0xd/0x1bb init/main.c:1358
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888029a5c000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 904 bytes inside of
 1024-byte region [ffff888029a5c000, ffff888029a5c400)
The buggy address belongs to the page:
page:ffffea0000a69700 refcount:1 mapcount:0 mapping:000000006e055252 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00009f8888 ffff88802c801850 ffff88802c800c40
raw: 0000000000000000 ffff888029a5c000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888029a5c280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888029a5c300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888029a5c380: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff888029a5c400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888029a5c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/04/15 02:18 upstream b6ff10700d1b 831e9a81 .config console log report ci-qemu-upstream
2020/04/15 02:18 upstream b6ff10700d1b 831e9a81 .config console log report ci-qemu-upstream
2020/04/15 02:18 upstream b6ff10700d1b 831e9a81 .config console log report ci-qemu-upstream
2020/04/05 23:07 upstream ffc1c20c46f7 831e9a81 .config console log report ci-qemu-upstream
2020/04/05 23:07 upstream ffc1c20c46f7 831e9a81 .config console log report ci-qemu-upstream
2020/04/05 23:07 upstream ffc1c20c46f7 831e9a81 .config console log report ci-qemu-upstream
* Struck through repros no longer work on HEAD.