syzbot


BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com
Fix commit: 01faae5193d6 drivers: video: fbcon: fix NULL dereference in fbcon_cursor()
First crash: 684d, last: 547d

Cause bisection: introduced by (bisect log) :
commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Fri Oct 9 23:21:56 2020 +0000

  drm/vkms: fbdev emulation support

Crash: BUG: unable to handle kernel NULL pointer dereference in hide_cursor (log)
Repro: C syz .config
Patch testing requests:
Created Duration User Patch Repo Result
2021/03/31 06:44 0m hassan@shahbazi.fi patch upstream error
2021/03/12 15:14 14m ducheng2@gmail.com patch upstream OK
2021/03/12 14:56 9m ducheng2@gmail.com patch upstream report log
2021/03/12 14:51 14m ducheng2@gmail.com patch upstream OK
2021/03/12 14:50 14m ducheng2@gmail.com patch upstream OK
2021/03/12 14:35 9m ducheng2@gmail.com patch upstream report log
2021/03/12 14:33 15m ducheng2@gmail.com patch upstream OK
2021/03/10 17:39 9m ducheng2@gmail.com upstream report log

Sample crash report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 139e9067 P4D 139e9067 PUD 18ec0067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8419 Comm: syz-executor302 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc90000eef850 EFLAGS: 00010292
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000002 RSI: ffff8880194cf000 RDI: ffff888010879000
RBP: ffff888010879000 R08: 0000000000000000 R09: ffffffff83f62fda
R10: 0000000000000003 R11: 0000000000000018 R12: ffff8880194cf000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  0000000000e36300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000000155e5000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 fbcon_cursor+0x50e/0x620 drivers/video/fbdev/core/fbcon.c:1336
 hide_cursor+0x85/0x280 drivers/tty/vt/vt.c:907
 redraw_screen+0x5b4/0x740 drivers/tty/vt/vt.c:1012
 vc_do_resize+0xed8/0x1150 drivers/tty/vt/vt.c:1325
 fbcon_set_disp+0x7a8/0xe10 drivers/video/fbdev/core/fbcon.c:1402
 con2fb_init_display drivers/video/fbdev/core/fbcon.c:808 [inline]
 set_con2fb_map+0x7a6/0xf80 drivers/video/fbdev/core/fbcon.c:879
 fbcon_set_con2fb_map_ioctl+0x165/0x220 drivers/video/fbdev/core/fbcon.c:3010
 do_fb_ioctl+0x5b6/0x690 drivers/video/fbdev/core/fbmem.c:1156
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43eed9
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff742ea708 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043eed9
RDX: 0000000020000040 RSI: 0000000000004610 RDI: 0000000000000004
RBP: 0000000000402ec0 R08: 0000000000400488 R09: 0000000000400488
R10: 0000000000400488 R11: 0000000000000246 R12: 0000000000402f50
R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
Modules linked in:
CR2: 0000000000000000
---[ end trace a82c7f1a7531a47d ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc90000eef850 EFLAGS: 00010292
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000002 RSI: ffff8880194cf000 RDI: ffff888010879000
RBP: ffff888010879000 R08: 0000000000000000 R09: ffffffff83f62fda
R10: 0000000000000003 R11: 0000000000000018 R12: ffff8880194cf000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  0000000000e36300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000000155e5000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (21):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2021/03/25 16:19 upstream 4ee998b0ef8b 607e3baf .config log report syz C BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce 2021/03/25 15:38 upstream 4ee998b0ef8b 607e3baf .config log report syz C BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce-386 2021/03/28 14:51 upstream 0f4498cef9f5 a8529b82 .config log report syz C BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce-386 2021/03/28 08:37 upstream 0f4498cef9f5 a8529b82 .config log report syz C BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce 2021/01/17 09:22 upstream 0da0a8a0a0e1 65a7a854 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2021/01/17 08:53 linux-next b3a3cbdec55b 65a7a854 .config log report syz C
ci-upstream-kasan-gce 2021/03/29 00:00 upstream 81b1d39fd39a a8529b82 .config log report info BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce 2021/03/05 14:23 upstream 280d542f6ffa 9d751681 .config log report info BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce 2021/02/28 08:27 upstream 5695e5161974 4c37c133 .config log report info BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce-selinux-root 2021/02/16 14:40 upstream f40ddce88593 98682e5e .config log report info BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce 2021/01/25 03:13 upstream e68061375f79 52e37319 .config log report info BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce-selinux-root 2021/01/19 16:13 upstream 1e2a199f6ccd 63631df1 .config log report info BUG: unable to handle kernel NULL pointer dereference in fbcon_cursor
ci-upstream-kasan-gce 2021/01/17 08:24 upstream 0da0a8a0a0e1 65a7a854 .config log report info
ci-upstream-kasan-gce 2021/01/15 14:42 upstream 146620506274 65a7a854 .config log report info
ci-upstream-kasan-gce-root 2021/01/14 23:27 upstream 65f0d2414b70 65a7a854 .config log report info
ci-upstream-kasan-gce-root 2021/01/13 10:17 upstream e609571b5ffa 0cdd6185 .config log report info
ci-upstream-kasan-gce-386 2021/01/02 03:11 upstream eda809aef534 79264ae3 .config log report info
ci-upstream-linux-next-kasan-gce-root 2021/01/17 08:02 linux-next b3a3cbdec55b 65a7a854 .config log report info
ci-upstream-linux-next-kasan-gce-root 2021/01/06 03:47 linux-next 83dadd4cfb0c b1c228e1 .config log report info
ci-upstream-linux-next-kasan-gce-root 2021/01/05 13:52 linux-next 83dadd4cfb0c a0234d98 .config log report info
ci-upstream-linux-next-kasan-gce-root 2020/11/11 17:04 linux-next 6dd65e60af98 cca87986 .config log report info
* Struck through repros no longer work on HEAD.