syzbot


BUG: unable to handle kernel paging request in cfb_imageblit

Status: fixed on 2020/12/23 11:40
Reported-by: syzbot+dfd0b1c6705301cc4847@syzkaller.appspotmail.com
Fix commit: a49145acfb97 fbmem: add margin check to fb_check_caps()
First crash: 727d, last: 681d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) :
commit a49145acfb975d921464b84fe00279f99827d816
Author: George Kennedy <george.kennedy@oracle.com>
Date: Tue Jul 7 19:26:03 2020 +0000

  fbmem: add margin check to fb_check_caps()

similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 BUG: unable to handle kernel paging request in cfb_imageblit C inconclusive 47 81d 700d 0/1 upstream: reported C repro on 2020/10/30 06:53
linux-4.19 BUG: unable to handle kernel paging request in cfb_imageblit C error 367 19d 753d 0/1 upstream: reported C repro on 2020/09/06 22:24
upstream BUG: unable to handle kernel paging request in cfb_imageblit (2) 1 383d 379d 0/24 auto-closed as invalid on 2022/01/10 12:19

Sample crash report:
BUG: unable to handle page fault for address: ffff888001000018
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD c801067 P4D c801067 PUD c802067 PMD 80000000010001e1 
Oops: 0003 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8241 Comm: syz-executor265 Not tainted 5.9.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__writel arch/x86/include/asm/io.h:71 [inline]
RIP: 0010:slow_imageblit drivers/video/fbdev/core/cfbimgblt.c:178 [inline]
RIP: 0010:cfb_imageblit+0xb15/0x11e0 drivers/video/fbdev/core/cfbimgblt.c:302
Code: 89 e6 89 e9 41 d3 e6 41 09 de 89 ef 8b 5c 24 28 89 de e8 0e db 81 fd 39 dd 73 0a e8 65 d9 81 fd eb 42 0f 1f 00 48 8b 44 24 30 <44> 89 30 48 83 c0 04 48 89 44 24 30 89 ef 89 de e8 e6 da 81 fd 39
RSP: 0018:ffffc9000a037558 EFLAGS: 00010246
RAX: ffff888001000018 RBX: 000000000000001c RCX: 000000000000001c
RDX: ffff8880a79880c0 RSI: 000000000000001c RDI: 000000000000001c
RBP: 000000000000001c R08: ffffffff83f32412 R09: ffffffff83f31b7c
R10: 0000000000000002 R11: ffff8880a79880c0 R12: 0000000000000000
R13: ffff888218a81f72 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f8534532700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000018 CR3: 00000000a80b4000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 soft_cursor+0xb44/0xdb0 drivers/video/fbdev/core/softcursor.c:74
 bit_cursor+0x1753/0x2110 drivers/video/fbdev/core/bitblit.c:377
 set_cursor drivers/tty/vt/vt.c:919 [inline]
 con_flush_chars+0x4e1/0x640 drivers/tty/vt/vt.c:3330
 con_write+0x2a/0x40 drivers/tty/vt/vt.c:3251
 do_output_char+0x63b/0x940 drivers/tty/n_tty.c:447
 __process_echoes+0x2a3/0x930 drivers/tty/n_tty.c:739
 flush_echoes drivers/tty/n_tty.c:829 [inline]
 __receive_buf drivers/tty/n_tty.c:1648 [inline]
 n_tty_receive_buf_common+0x29fa/0x3100 drivers/tty/n_tty.c:1742
 paste_selection+0x32c/0x450 drivers/tty/vt/selection.c:408
 vt_ioctl+0x105a/0x3d70 drivers/tty/vt/vt_ioctl.c:862
 tty_ioctl+0xee4/0x15c0 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x449809
Code: e8 8c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8534531db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dec68 RCX: 0000000000449809
RDX: 0000000020000080 RSI: 000000000000541c RDI: 0000000000000007
RBP: 00000000006dec60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dec6c
R13: 00007ffe8074321f R14: 00007f85345329c0 R15: 0000000000000064
Modules linked in:
CR2: ffff888001000018
---[ end trace 4ec628432d38a26a ]---
RIP: 0010:__writel arch/x86/include/asm/io.h:71 [inline]
RIP: 0010:slow_imageblit drivers/video/fbdev/core/cfbimgblt.c:178 [inline]
RIP: 0010:cfb_imageblit+0xb15/0x11e0 drivers/video/fbdev/core/cfbimgblt.c:302
Code: 89 e6 89 e9 41 d3 e6 41 09 de 89 ef 8b 5c 24 28 89 de e8 0e db 81 fd 39 dd 73 0a e8 65 d9 81 fd eb 42 0f 1f 00 48 8b 44 24 30 <44> 89 30 48 83 c0 04 48 89 44 24 30 89 ef 89 de e8 e6 da 81 fd 39
RSP: 0018:ffffc9000a037558 EFLAGS: 00010246
RAX: ffff888001000018 RBX: 000000000000001c RCX: 000000000000001c
RDX: ffff8880a79880c0 RSI: 000000000000001c RDI: 000000000000001c
RBP: 000000000000001c R08: ffffffff83f32412 R09: ffffffff83f31b7c
R10: 0000000000000002 R11: ffff8880a79880c0 R12: 0000000000000000
R13: ffff888218a81f72 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f8534532700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888001000018 CR3: 00000000a80b4000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (30):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-smack-root 2020/10/04 08:41 upstream 22fbc037cd32 1a3f9408 .config log report syz C
ci-upstream-kasan-gce-root 2020/10/12 18:05 upstream bbf5c979011a d32b0bbf .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/11 23:37 upstream 3dd0130f2430 4a77ae0b .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/11 22:51 upstream 3dd0130f2430 4a77ae0b .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/11 01:45 upstream da690031a5d6 4a77ae0b .config log report info
ci-upstream-kasan-gce-root 2020/10/10 05:57 upstream 6f2f486d57c4 93817d89 .config log report info
ci-upstream-kasan-gce-root 2020/10/10 04:51 upstream 6f2f486d57c4 93817d89 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/10/10 04:50 upstream 6f2f486d57c4 93817d89 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/10 04:20 upstream 6f2f486d57c4 93817d89 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/10 03:25 upstream 6f2f486d57c4 93817d89 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/09 12:57 upstream 583090b1b823 d81b165e .config log report info
ci-upstream-kasan-gce 2020/10/08 22:35 upstream 3d006ee42dde 92390980 .config log report info
ci-upstream-kasan-gce 2020/10/08 22:29 upstream 3d006ee42dde 92390980 .config log report info
ci-upstream-kasan-gce 2020/10/08 21:40 upstream 3d006ee42dde 92390980 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/08 14:36 upstream c85fb28b6f99 92390980 .config log report info
ci-upstream-kasan-gce 2020/10/07 09:15 upstream c85fb28b6f99 1880b4a9 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/06 03:21 upstream 7575fdda569b 1880b4a9 .config log report info
ci-upstream-kasan-gce 2020/10/06 02:41 upstream 7575fdda569b 1880b4a9 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/05 03:03 upstream 549738f15da0 5ef9c291 .config log report info
ci-upstream-kasan-gce-root 2020/10/04 12:29 upstream 22fbc037cd32 5ef9c291 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/04 12:04 upstream 22fbc037cd32 5ef9c291 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/03 23:45 upstream 22fbc037cd32 1a3f9408 .config log report info
ci-upstream-kasan-gce 2020/10/03 14:17 upstream d3d45f8220d6 2653fa43 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/02 17:57 upstream 472e5b056f00 4969d6ca .config log report info
ci-upstream-kasan-gce-root 2020/10/02 17:41 upstream 472e5b056f00 4969d6ca .config log report info
ci-upstream-kasan-gce-selinux-root 2020/10/02 17:38 upstream 472e5b056f00 4969d6ca .config log report info
ci-upstream-kasan-gce-386 2020/11/18 11:15 upstream 0fa8ee0d9ab9 09323409 .config log report info
ci-upstream-kasan-gce-386 2020/10/11 05:02 upstream da690031a5d6 4a77ae0b .config log report info
ci-upstream-kasan-gce-386 2020/10/03 17:07 upstream d3d45f8220d6 2653fa43 .config log report info
ci-upstream-kasan-gce-386 2020/10/02 18:21 upstream 472e5b056f00 4969d6ca .config log report info
* Struck through repros no longer work on HEAD.