syzbot

KASAN: use-after-free Read in vkms_dumb_create

Status: fixed on 2020/07/17 17:58
Subsystems: dri
Reported-by: syzbot+e3372a2afe1e7ef04bc7@syzkaller.appspotmail.com
Fix commit: 0ea2ea42b31a drm/vkms: Hold gem object while still in-use
First crash: 1624d, last: 1624d
Cause bisection: the cause commit could be any of (bisect log):
  85b5bafb86e6 drm/cma-helper: Remove drm_fb_cma_fbdev_init_with_funcs()
  dff1c7032ffe drm/tinydrm: Use drm_fbdev_generic_setup()
  23167fa9a519 drm/panel: simple: Add support for Rocktech RK070ER9427 LCD panel
  9060d7f49376 drm/fb-helper: Finish the generic fbdev emulation
  2230ca12cca1 dt-bindings: display: Document the EDT et* displays in one file.
  e896c132eb2c drm/debugfs: Add internal client debugfs file
  894a677f4b3e drm/cma-helper: Use the generic fbdev emulation
  aa7e6455e1ef drm/panel: Add support for the EDT ETM0700G0BDH6
  244007ecb6bb drm/pl111: Set .gem_prime_vmap and .gem_prime_mmap
  aad34de22e63 drm/panel: Add support for the EDT ETM0700G0EDH6
  7a6aca49358a dt-bindings: Add vendor prefix for DLC Display Co., Ltd.
  d536540f304c drm/fb-helper: Add generic fbdev emulation .fb_probe function
  0ca0c827efdf drm/panel: simple: Add DLC DLC0700YZG-1 panel
  c76f0f7cb546 drm: Begin an API for in-kernel clients
  5ba57babcb40 drm: vkms: select DRM_KMS_HELPER
  5fa8e4a22182 drm/panel: Make of_drm_find_panel() return an ERR_PTR() instead of NULL
  008095e065a8 drm/vc4: Add support for the transposer block
  c59eb3cfde1f drm/panel: Let of_drm_find_panel() return -ENODEV when the panel is disabled
  1ebe99a75eed drm/vc4: Call drm_atomic_helper_fake_vblank() in the commit path
  2e64a174179a drm/of: Make drm_of_find_panel_or_bridge() fail when the device is disabled
  1b9883eae822 drm/vc4: Support the case where the DSI device is disabled
  6fb42b6682f0 drm/atomic: Call fake_vblank() from the generic commit_tail() helpers
  b0b7aa407e92 dt-bindings: display: Add DT bindings for BOE HV070WSA-100 panel
  b25c60af7a87 drm/crtc: Add a generic infrastructure to fake VBLANK events
  184d3cf4f738 drm/vc4: Use wait_for_flip_done() instead of wait_for_vblanks()
  ae8cf41b6a5e drm/panel: simple: Add support for BOE HV070WSA-100 panel to simple-panel
  814bde99ee80 drm/connector: Make ->atomic_commit() optional
  955f60db0f2b drm: Add support for extracting sync signal drive edge from videomode
  3b39ad7a553f drm/panel: simple: Add newhaven, nhd-4.3-480272ef-atxl LCD
  425132fdb169 drm/connector: Pass a drm_connector_state to ->atomic_commit()
  a5d2ade627dc drm/panel: simple: Add support for Innolux G070Y2-L01
  b82c1f8f78b4 drm/atomic: Avoid connector to writeback_connector casts
  03fa9aa38494 dt-bindings: Add DataImage, Inc. vendor prefix
  73915b2b1f25 drm/writeback: Fix the "overview" section of the doc
  97ceb1fb08b6 drm/panel: simple: Add support for DataImage SCF0700C48GGU18
  e22e953189f7 Merge drm-upstream/drm-next into drm-misc-next
  3d5664f95ebe drm/panel: ili9881c: Fix missing assignment to error return ret
  a012024571d9 drm/crc: Only report a single overflow when a CRC fd is opened
  7ad4e4636c54 drm/panel: p079zca: Refactor panel driver to support multiple panels
  8adbbb2e7871 drm/stm: ltdc: rework reset sequence
  48bd379aa23d drm/panel: p079zca: Add variable unprepare_delay properties
  7868e5079228 drm/stm: ltdc: filter mode pixel clock vs pad constraint
  731edd4ce5d3 dt-bindings: Add Innolux P097PFG panel bindings
  f8878bb2f867 drm: print plane state normalized zpos value
  ca52bea9fa80 drm/atomic-helper: Use bitwise or for filling a bitmask
  de04a462fdce drm/panel: p079zca: Support Innolux P097PFG panel
  2bb7a39c1581 dt-bindings: Add vendor prefix for kingdisplay
  a65020d0a65d drm/v3d: Fix a grammar nit in the scheduler docs.
  2dd4f211e707 drm/v3d: Add missing v3d documentation structure.
  ebc950fdff6d dt-bindings: Add KINGDISPLAY KD097D04 panel bindings
  cd0e0ca69109 drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
  e0d018119ae8 drm/v3d: Remove unnecessary dma_fence_ops.
  624bb0c08b82 drm/v3d: Delay the scheduler timeout if we're still making progress.
  b6d83fccd877 drm/panel: p079zca: Use of_device_get_match_data()
  408633d2e740 drm/v3d: use new return type vm_fault_t in v3d_gem_fault
  decac6b00542 dt-bindings: display: sun4i-drm: Add R40 display engine compatible
  0b7510d15e14 drm/tilcdc: Use drm_connector_has_possible_encoder()
  d978a94b0a9e drm/sun4i: Add R40 display engine compatible
  af11942ee44e drm/sun4i: tcon-top: Cleanup clock handling
  f8222409d1ac drm/msm: Use drm_connector_has_possible_encoder()
  38cb8d96933e drm: Add drm_connector_has_possible_encoder()
  da82107ecf32 drm/sun4i: tcon: Release node when traversing of graph
  7a6677753413 dt-bindings: display: sun4i-drm: Add R40 TV TCON description
  7b71ca249b26 drm/radeon: Use drm_connector_for_each_possible_encoder()
  4a068c5c17e8 drm/sun4i: DW HDMI: Release nodes if error happens during CRTC search
  ddba766dd07e drm/nouveau: Use drm_connector_for_each_possible_encoder()
  98c0e348c095 drm/amdgpu: Use drm_connector_for_each_possible_encoder()
  e0f56782bc2d drm/sun4i: mixer: Order includes alphabetically
  05db311a792d drm/sun4i: tcon-top: Add helpers for mux switching
  83aefbb887b5 drm: Add drm_connector_for_each_possible_encoder()
  20431c05ae68 drm/i915: Nuke intel_mst_best_encoder()
  5e4965667a6e drm/sun4i: tcon-top: Remove mux configuration at probe time
  0d9988910989 drm/fb-helper: Eliminate the .best_encoder() usage
  ac1fe1322530 dt-bindings: display: sun4i-drm: Fix order of DW HDMI PHY compatibles
  03e3ec9ad1ee drm/panel: simple: Add Sharp LQ035Q7DB03 panel support
  c91b007ed137 drm/vkms: Add extra information about vkms
  5685ca0ca292 drm/tinydrm: Fix doc build warnings
  854502fa0a38 drm/vkms: Add basic CRTC initialization
  ae61f61fa802 drm/client: Fix: drm_client_new: Don't require DRM to be registered
  c04372ea4abd drm/vkms: Add mode_config initialization
  41111ce17ee7 drm/vkms: vkms_driver can be static
  559e50fd34d1 drm/vkms: Add dumb operations
  1c7c5fd916a0 drm/vkms: Introduce basic VKMS driver
  657cd71e8eb3 drm: gma500: Changed __attribute__((packed)) to __packed
  d16489307a52 drm/vkms: Add connectors helpers
  
Discussions (8)
Title Replies (including bot) Last reply
[PATCH 5.4 000/134] 5.4.47-rc1 review 141 (141) 2021/01/28 17:06
[PATCH 4.19 000/267] 4.19.129-rc1 review 280 (280) 2020/06/30 01:36
[PATCH AUTOSEL 5.7 001/274] drm/amdgpu: fix and cleanup amdgpu_gem_object_close v4 281 (281) 2020/06/17 17:29
[PATCH 5.6 000/161] 5.6.19-rc1 review 164 (164) 2020/06/16 17:11
[PATCH 5.7 000/163] 5.7.3-rc1 review 164 (164) 2020/06/16 15:35
[PATCH AUTOSEL 5.4 001/175] drm/amdgpu: fix and cleanup amdgpu_gem_object_close v4 175 (175) 2020/06/08 23:18
[PATCH] drm/vkms: Hold gem object while still in-use 3 (3) 2020/05/07 01:55
KASAN: use-after-free Read in vkms_dumb_create 4 (7) 2020/04/28 18:27
Last patch testing requests (2)
Created Duration User Patch Repo Result
2020/04/27 15:24 16m ezequiel@vanguardiasur.com.ar patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git c578ddb3 OK
2020/04/27 14:27 0m ezequiel@vanguardiasur.com.ar patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git c578ddb3 error

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
Read of size 8 at addr ffff88809e537110 by task syz-executor.0/9558

CPU: 0 PID: 9558 Comm: syz-executor.0 Not tainted 5.7.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
 __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 vkms_dumb_create+0x286/0x290 drivers/gpu/drm/vkms/vkms_gem.c:142
 drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45c829
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f19a3e30c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004e2d80 RCX: 000000000045c829
RDX: 0000000020000080 RSI: 00000000c02064b2 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000028b R14: 00000000004d3188 R15: 00007f19a3e316d4

Allocated by task 9558:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
 kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
 __vkms_gem_create+0x44/0xf0 include/linux/slab.h:555
 vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:111 [inline]
 vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
 vkms_dumb_create+0x110/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
 drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 9558:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x109/0x2b0 mm/slab.c:3757
 drm_gem_object_free+0xf0/0x1f0 drivers/gpu/drm/drm_gem.c:983
 kref_put include/linux/kref.h:65 [inline]
 drm_gem_object_put_unlocked drivers/gpu/drm/drm_gem.c:1017 [inline]
 drm_gem_object_put_unlocked+0x190/0x1c0 drivers/gpu/drm/drm_gem.c:1002
 vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:116 [inline]
 vkms_gem_create drivers/gpu/drm/vkms/vkms_gem.c:100 [inline]
 vkms_dumb_create+0x14d/0x290 drivers/gpu/drm/vkms/vkms_gem.c:138
 drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x220/0x2f0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x4c9/0x980 drivers/gpu/drm/drm_ioctl.c:887
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:770
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff88809e537000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 272 bytes inside of
 1024-byte region [ffff88809e537000, ffff88809e537400)
The buggy address belongs to the page:
page:ffffea0002794dc0 refcount:1 mapcount:0 mapping:00000000e8234a18 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00027a3608 ffffea0002749008 ffff8880aa000c40
raw: 0000000000000000 ffff88809e537000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809e537000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809e537080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809e537100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88809e537180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809e537200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/04/23 05:46 upstream c578ddb39e56 2e44d63e .config console log report syz ci-upstream-kasan-gce-root
2020/04/23 03:44 upstream c578ddb39e56 2e44d63e .config console log report ci-upstream-kasan-gce-root