syzbot

 sign-in | mailing list | source | docs
🐞 Open [1429]
Subsystems
🐞 Fixed [5832]
🐞 Invalid [14241]
Missing Backports [92]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: vmalloc-out-of-bounds Write in bitfill_aligned

Status: fixed on 2020/09/21 20:54
Subsystems: fbdev
[Documentation on labels]
Reported-by: syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com
Fix commit: 033724d68642 fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
First crash: 1815d, last: 1580d
Duplicate bugs (9)
duplicates (9):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
INFO: task hung in console_callback serial 7 1599d 1766d 0/28 closed as dup on 2020/08/16 15:22
INFO: task hung in fb_open C done 552 1562d 1816d 0/28 closed as dup on 2020/07/27 23:07
INFO: task can't die in fb_open fbdev 3 1562d 1580d 0/28 closed as dup on 2020/07/27 05:19
INFO: task hung in vcs_open serial 32 1540d 1673d 0/28 closed as dup on 2020/08/05 10:53
INFO: task hung in fb_release fbdev C done 64 1562d 1797d 0/28 closed as dup on 2020/07/27 23:00
INFO: task hung in con_install serial 6 1599d 1781d 0/28 closed as dup on 2020/08/16 15:20
INFO: task hung in con_set_cmap serial 1 1602d 1597d 0/28 closed as dup on 2020/07/26 05:18
INFO: task hung in do_fb_ioctl fbdev 47 1569d 1776d 0/28 closed as dup on 2020/07/27 22:56
BUG: unable to handle kernel paging request in bitfill_aligned fbdev 1 1658d 1655d 0/28 closed as dup on 2020/08/16 15:35
Discussions (20)
Title Replies (including bot) Last reply
[PATCH 4.19] fbmem: add margin check to fb_check_caps() 3 (3) 2021/09/04 02:12
[PATCH 4.9 00/16] 4.9.282-rc1 review 23 (23) 2021/09/03 16:02
[PATCH 4.19] fbmem: add margin check to fb_check_caps() 4 (4) 2021/09/03 01:09
[PATCH 4.19 00/33] 4.19.206-rc1 review 40 (40) 2021/09/02 21:50
[PATCH 4.14 00/23] 4.14.246-rc1 review 27 (27) 2021/09/02 21:50
[PATCH 4.4 00/10] 4.4.283-rc1 review 15 (15) 2021/09/02 21:49
[PATCH 4.4 000/149] 4.4.233-rc1 review 163 (163) 2020/10/31 20:04
[PATCH 5.9 000/757] 5.9.2-rc1 review 766 (766) 2020/10/30 08:32
[PATCH 5.8 000/633] 5.8.17-rc1 review 638 (638) 2020/10/28 22:08
[PATCH 5.4 000/408] 5.4.73-rc1 review 410 (410) 2020/10/28 06:53
[PATCH AUTOSEL 5.9 001/111] md/bitmap: fix memory leak of temporary bitmap 126 (126) 2020/10/25 23:48
[PATCH AUTOSEL 5.4 01/80] md/bitmap: fix memory leak of temporary bitmap 80 (80) 2020/10/18 19:22
[PATCH AUTOSEL 5.8 001/101] md/bitmap: fix memory leak of temporary bitmap 101 (101) 2020/10/18 19:20
[PATCH 4.9 000/212] 4.9.233-rc1 review 220 (220) 2020/08/21 09:40
[PATCH] vt: Reject zero-sized screen buffer size. 31 (31) 2020/08/19 22:07
[PATCH 5.7 000/179] 5.7.11-rc1 review 187 (187) 2020/07/29 08:22
[PATCH 4.19 00/86] 4.19.135-rc1 review 109 (109) 2020/07/28 21:18
[PATCH 5.4 000/138] 5.4.54-rc1 review 143 (143) 2020/07/28 18:23
[PATCH 4.14 00/64] 4.14.190-rc1 review 68 (68) 2020/07/28 18:22
KASAN: vmalloc-out-of-bounds Write in bitfill_aligned 1 (3) 2020/06/29 16:56
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: unable to handle kernel paging request in bitfill_aligned (2) fbdev C inconclusive done 26 1058d 1466d 20/28 fixed on 2022/05/13 11:13
Last patch testing requests (3)
Created Duration User Patch Repo Result
2020/07/14 13:05 27m penguin-kernel@i-love.sakura.ne.jp patch upstream OK
2020/07/14 12:42 20m penguin-kernel@i-love.sakura.ne.jp patch upstream report log
2020/07/14 10:42 26m penguin-kernel@i-love.sakura.ne.jp patch upstream error

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in bitfill_aligned drivers/video/fbdev/core/sysfillrect.c:54 [inline]
BUG: KASAN: vmalloc-out-of-bounds in bitfill_aligned+0x34a/0x400 drivers/video/fbdev/core/sysfillrect.c:25
Write of size 8 at addr ffffc90009a91000 by task syz-executor080/9273

CPU: 3 PID: 9273 Comm: syz-executor080 Not tainted 5.8.0-rc6-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 bitfill_aligned drivers/video/fbdev/core/sysfillrect.c:54 [inline]
 bitfill_aligned+0x34a/0x400 drivers/video/fbdev/core/sysfillrect.c:25
 sys_fillrect+0x408/0x7a0 drivers/video/fbdev/core/sysfillrect.c:291
 drm_fb_helper_sys_fillrect+0x1e/0x190 drivers/gpu/drm/drm_fb_helper.c:731
 bit_clear_margins+0x2d5/0x4a0 drivers/video/fbdev/core/bitblit.c:232
 fbcon_clear_margins+0x1d5/0x230 drivers/video/fbdev/core/fbcon.c:1381
 fbcon_switch+0xb6e/0x16c0 drivers/video/fbdev/core/fbcon.c:2363
 redraw_screen+0x2ae/0x770 drivers/tty/vt/vt.c:1015
 fbcon_modechanged+0x575/0x710 drivers/video/fbdev/core/fbcon.c:3001
 fbcon_update_vcs+0x3a/0x50 drivers/video/fbdev/core/fbcon.c:3048
 fb_set_var+0xae8/0xd60 drivers/video/fbdev/core/fbmem.c:1056
 do_fb_ioctl+0x33f/0x6c0 drivers/video/fbdev/core/fbmem.c:1109
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
 __do_sys_ioctl fs/ioctl.c:762 [inline]
 __se_sys_ioctl fs/ioctl.c:760 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x433d79
Code: c4 18 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb da fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc03901138 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000433d79
RDX: 0000000020000000 RSI: 0000000000004601 RDI: 0000000000000003
RBP: 00000000006b2018 R08: 0000000000000000 R09: 00000000004002e0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401c10
R13: 0000000000401ca0 R14: 0000000000000000 R15: 0000000000000000


Memory state around the buggy address:
 ffffc90009a90f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90009a90f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90009a91000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
                   ^
 ffffc90009a91080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffc90009a91100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
==================================================================

Crashes (475):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/07/26 07:57 upstream 04300d66f0a0 1f7cc1ca .config console log report syz C ci-qemu-upstream
2020/06/10 11:27 upstream 435faf5c218a 860c4de9 .config console log report syz C ci-qemu-upstream
2020/03/17 09:33 upstream fb33c6510d55 749688d2 .config console log report syz C ci-qemu-upstream
2020/06/18 07:30 upstream 435faf5c218a d45a4d69 .config console log report syz C ci-qemu-upstream-386
2020/07/26 04:20 upstream 04300d66f0a0 1f7cc1ca .config console log report ci-qemu-upstream
2020/07/26 00:50 upstream 23ee3e4e5bd2 1f7cc1ca .config console log report ci-qemu-upstream
2020/07/22 11:41 upstream 4fa640dc5230 128cd85f .config console log report ci-qemu-upstream
2020/07/20 21:02 upstream 5714ee50bb43 8caeeeb7 .config console log report ci-qemu-upstream
2020/07/20 17:50 upstream 5714ee50bb43 8caeeeb7 .config console log report ci-qemu-upstream
2020/07/20 17:28 upstream 5714ee50bb43 8caeeeb7 .config console log report ci-qemu-upstream
2020/07/20 07:10 upstream 92188b41f139 9c812472 .config console log report ci-qemu-upstream
2020/07/20 00:48 upstream 92188b41f139 9c812472 .config console log report ci-qemu-upstream
2020/07/20 00:47 upstream 92188b41f139 9c812472 .config console log report ci-qemu-upstream
2020/07/19 22:50 upstream 92188b41f139 9c812472 .config console log report ci-qemu-upstream
2020/07/19 18:30 upstream f932d58abc38 9c812472 .config console log report ci-qemu-upstream
2020/07/19 17:16 upstream f932d58abc38 9c812472 .config console log report ci-qemu-upstream
2020/07/19 04:25 upstream 6cf7ccba29dc 9c812472 .config console log report ci-qemu-upstream
2020/07/18 20:07 upstream 6cf7ccba29dc 9c812472 .config console log report ci-qemu-upstream
2020/07/18 17:34 upstream 6a70f89cc58f 9c812472 .config console log report ci-qemu-upstream
2020/07/18 17:24 upstream 6a70f89cc58f 9c812472 .config console log report ci-qemu-upstream
2020/07/18 13:29 upstream 6a70f89cc58f 9c812472 .config console log report ci-qemu-upstream
2020/07/17 10:29 upstream 07a56bb875af 54b3c45e .config console log report ci-qemu-upstream
2020/07/17 04:36 upstream 07a56bb875af 54b3c45e .config console log report ci-qemu-upstream
2020/07/15 19:00 upstream e9919e11e219 ada108d0 .config console log report ci-qemu-upstream
2020/07/15 09:49 upstream e9919e11e219 ada108d0 .config console log report ci-qemu-upstream
2020/07/13 16:40 upstream 11ba468877bb f90ec899 .config console log report ci-qemu-upstream
2020/07/13 15:40 upstream 11ba468877bb f90ec899 .config console log report ci-qemu-upstream
2020/07/12 12:23 upstream 0aea6d5c5be3 115e1930 .config console log report ci-qemu-upstream
2020/07/12 10:39 upstream 0aea6d5c5be3 115e1930 .config console log report ci-qemu-upstream
2019/12/04 18:08 upstream 63de37476ebd b2088328 .config console log report ci-qemu-upstream
2020/07/26 13:17 upstream 04300d66f0a0 51265195 .config console log report ci-qemu-upstream-386
2020/07/26 07:28 upstream 04300d66f0a0 1f7cc1ca .config console log report ci-qemu-upstream-386
2020/07/26 05:54 upstream 04300d66f0a0 1f7cc1ca .config console log report ci-qemu-upstream-386
2020/07/25 19:47 upstream 23ee3e4e5bd2 1f7cc1ca .config console log report ci-qemu-upstream-386
2020/07/25 10:20 upstream 68845a55c31b 0a13649c .config console log report ci-qemu-upstream-386
2020/07/25 05:30 upstream 68845a55c31b 0a13649c .config console log report ci-qemu-upstream-386
2020/07/25 05:24 upstream 68845a55c31b 0a13649c .config console log report ci-qemu-upstream-386
2020/07/24 06:21 upstream f37e99aca03f 70c104a1 .config console log report ci-qemu-upstream-386
2020/07/23 10:00 upstream 8c26c87b0532 340ea530 .config console log report ci-qemu-upstream-386
2020/07/23 03:51 upstream 8c26c87b0532 340ea530 .config console log report ci-qemu-upstream-386
2020/07/22 15:12 upstream 4fa640dc5230 128cd85f .config console log report ci-qemu-upstream-386
2020/07/22 02:45 upstream 4fa640dc5230 21f1765e .config console log report ci-qemu-upstream-386
2020/07/21 12:43 upstream 4fa640dc5230 328906f3 .config console log report ci-qemu-upstream-386
2020/07/19 12:31 upstream f932d58abc38 9c812472 .config console log report ci-qemu-upstream-386
2020/07/19 06:48 upstream 6cf7ccba29dc 9c812472 .config console log report ci-qemu-upstream-386
2020/07/16 20:51 upstream f8456690ba8e b090c643 .config console log report ci-qemu-upstream-386
2020/07/16 19:41 upstream f8456690ba8e b090c643 .config console log report ci-qemu-upstream-386
2020/07/15 12:31 upstream e9919e11e219 ada108d0 .config console log report ci-qemu-upstream-386
2020/07/15 08:44 upstream e9919e11e219 ada108d0 .config console log report ci-qemu-upstream-386
2020/07/15 06:27 upstream e9919e11e219 ada108d0 .config console log report ci-qemu-upstream-386
2020/07/15 03:54 upstream e9919e11e219 ada108d0 .config console log report ci-qemu-upstream-386
2020/07/13 18:12 upstream 11ba468877bb f90ec899 .config console log report ci-qemu-upstream-386
2020/07/13 04:06 upstream 9901a6bd1577 9ebcc5b1 .config console log report ci-qemu-upstream-386
2020/07/12 15:19 upstream 0aea6d5c5be3 115e1930 .config console log report ci-qemu-upstream-386
* Struck through repros no longer work on HEAD.