syzbot


KASAN: vmalloc-out-of-bounds Write in imageblit (2)
Status: upstream: reported C repro on 2021/11/19 09:18
Reported-by: syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com
First crash: 193d, last: 59m

Cause bisection: introduced by (bisect log) :
commit 0499f419b76f94ede08304aad5851144813ac55c
Author: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon Jan 10 09:56:25 2022 +0000

  video: vga16fb: Only probe for EGA and VGA 16 color graphic cards

Crash: KASAN: stack-out-of-bounds Write in imageblit (log)
Repro: C syz .config
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: vmalloc-out-of-bounds Write in imageblit C 104 213d 506d 22/22 fixed on 2021/11/10 00:50

Sample crash report:
BUG: unable to handle page fault for address: fffff520008da208
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffed067 P4D 23ffed067 PUD 10db6067 PMD 1af36067 PTE 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 3586 Comm: syz-executor500 Not tainted 5.18.0-rc4-syzkaller-00064-g8f4dd16603ce #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
RIP: 0010:sys_imageblit+0x148f/0x2240 drivers/video/fbdev/core/sysimgblt.c:323
Code: ea 03 42 0f b6 0c 3a 48 89 fa 83 e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 a1 09 00 00 8b 8c 84 d8 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 14 38 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc900032ff2a8 EFLAGS: 00010212
RAX: 1ffff920008da208 RBX: ffffc900046d1040 RCX: 0000000000000000
RDX: 0000000000000003 RSI: ffffffff84342bd7 RDI: ffffc900032ff380
RBP: ffff88801b6187e0 R08: 0000000000000007 R09: ffffffff84342a13
R10: ffffffff84342bb3 R11: 0000000000000001 R12: 0000000000000001
R13: 00000000000003f0 R14: ffffc900032ff380 R15: dffffc0000000000
FS:  000055555714d300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff520008da208 CR3: 000000001cf7e000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 drm_fb_helper_sys_imageblit drivers/gpu/drm/drm_fb_helper.c:826 [inline]
 drm_fbdev_fb_imageblit+0x15c/0x350 drivers/gpu/drm/drm_fb_helper.c:2327
 bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
 bit_putcs+0x6e1/0xd20 drivers/video/fbdev/core/bitblit.c:188
 fbcon_putcs+0x353/0x440 drivers/video/fbdev/core/fbcon.c:1296
 do_update_region+0x399/0x630 drivers/tty/vt/vt.c:676
 invert_screen+0x1d4/0x600 drivers/tty/vt/vt.c:800
 highlight drivers/tty/vt/selection.c:57 [inline]
 clear_selection drivers/tty/vt/selection.c:84 [inline]
 clear_selection+0x55/0x70 drivers/tty/vt/selection.c:80
 vc_do_resize+0xe61/0x1170 drivers/tty/vt/vt.c:1257
 fbcon_do_set_font+0x47a/0x760 drivers/video/fbdev/core/fbcon.c:2442
 fbcon_set_font+0x816/0xa00 drivers/video/fbdev/core/fbcon.c:2528
 con_font_set drivers/tty/vt/vt.c:4666 [inline]
 con_font_op+0x73a/0xc90 drivers/tty/vt/vt.c:4710
 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]
 vt_ioctl+0x1efa/0x2b20 drivers/tty/vt/vt_ioctl.c:752
 tty_ioctl+0xbbd/0x15e0 drivers/tty/tty_io.c:2778
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f811fa1d349
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc50d82298 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f811fa1d349
RDX: 0000000020000000 RSI: 0000000000004b72 RDI: 0000000000000004
RBP: 00007f811f9e11d0 R08: 000000000000000d R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f811f9e1260
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
CR2: fffff520008da208
---[ end trace 0000000000000000 ]---
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:257 [inline]
RIP: 0010:sys_imageblit+0x148f/0x2240 drivers/video/fbdev/core/sysimgblt.c:323
Code: ea 03 42 0f b6 0c 3a 48 89 fa 83 e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 a1 09 00 00 8b 8c 84 d8 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 14 38 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc900032ff2a8 EFLAGS: 00010212
RAX: 1ffff920008da208 RBX: ffffc900046d1040 RCX: 0000000000000000
RDX: 0000000000000003 RSI: ffffffff84342bd7 RDI: ffffc900032ff380
RBP: ffff88801b6187e0 R08: 0000000000000007 R09: ffffffff84342a13
R10: ffffffff84342bb3 R11: 0000000000000001 R12: 0000000000000001
R13: 00000000000003f0 R14: ffffc900032ff380 R15: dffffc0000000000
FS:  000055555714d300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff520008da208 CR3: 000000001cf7e000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	03 42 0f             	add    0xf(%rdx),%eax
   3:	b6 0c                	mov    $0xc,%dh
   5:	3a 48 89             	cmp    -0x77(%rax),%cl
   8:	fa                   	cli
   9:	83 e2 07             	and    $0x7,%edx
   c:	83 c2 03             	add    $0x3,%edx
   f:	38 ca                	cmp    %cl,%dl
  11:	7c 08                	jl     0x1b
  13:	84 c9                	test   %cl,%cl
  15:	0f 85 a1 09 00 00    	jne    0x9bc
  1b:	8b 8c 84 d8 00 00 00 	mov    0xd8(%rsp,%rax,4),%ecx
  22:	48 89 d8             	mov    %rbx,%rax
  25:	48 c1 e8 03          	shr    $0x3,%rax
* 29:	42 0f b6 14 38       	movzbl (%rax,%r15,1),%edx <-- trapping instruction
  2e:	48 89 d8             	mov    %rbx,%rax
  31:	83 e0 07             	and    $0x7,%eax
  34:	83 c0 03             	add    $0x3,%eax
  37:	38 d0                	cmp    %dl,%al
  39:	7c 08                	jl     0x43
  3b:	84 d2                	test   %dl,%dl
  3d:	0f                   	.byte 0xf
  3e:	85                   	.byte 0x85

Crashes (481):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2022/04/28 04:16 upstream 8f4dd16603ce 8a1f1f07 .config log report syz C BUG: unable to handle kernel paging request in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/01/20 22:57 linux-next 7fc5253f5a13 b838eb76 .config log report syz C BUG: unable to handle kernel paging request in imageblit
ci-qemu-upstream 2022/05/27 21:17 upstream 8291eaafed36 a46af346 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/27 17:10 upstream 7e284070abe5 116e7a7b .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/27 10:37 upstream 7e284070abe5 116e7a7b .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/27 07:44 upstream 7e284070abe5 3037caa9 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/05/26 21:11 upstream babf0bb978e3 3037caa9 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/26 16:26 upstream babf0bb978e3 3037caa9 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/05/25 00:56 upstream aa051d36ce4a 647c0e27 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/05/23 23:45 upstream 1e57930e9f40 e7f9308d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce 2022/05/23 20:33 upstream 4b0986a3613c 4c7657cb .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/05/23 03:47 upstream 4b0986a3613c 7268fa62 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/05/22 13:47 upstream eaea45fc0e7b 7268fa62 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/05/22 09:15 upstream eaea45fc0e7b 7268fa62 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/05/22 06:53 upstream eaea45fc0e7b 7268fa62 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/21 17:36 upstream 3b5e1590a267 7268fa62 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/21 07:09 upstream 3b5e1590a267 7268fa62 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/21 06:02 upstream 3b5e1590a267 7268fa62 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/05/20 18:33 upstream 3d7285a335ed bd37ad7e .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/05/20 13:17 upstream 3d7285a335ed cb1ac2e7 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/20 04:39 upstream b015dcd62b86 cb1ac2e7 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/05/20 02:20 upstream b015dcd62b86 cb1ac2e7 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/05/20 00:03 upstream b015dcd62b86 cb1ac2e7 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/05/19 18:02 upstream f993aed406ea 50c53f39 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/05/19 06:59 upstream f993aed406ea 50c53f39 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/18 17:36 upstream ef1302160bfb 50c53f39 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/18 15:14 upstream 210e04ff7681 50c53f39 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/18 03:16 upstream 210e04ff7681 744a39e2 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream 2022/05/18 01:22 upstream 210e04ff7681 744a39e2 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/05/18 00:15 upstream 210e04ff7681 744a39e2 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/05/17 12:38 upstream 42226c989789 744a39e2 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/05/17 09:31 upstream 42226c989789 744a39e2 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/05/16 02:04 upstream bc403203d65a 744a39e2 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/05/15 20:18 upstream bc403203d65a 744a39e2 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/05/13 09:09 upstream f3f19f939c11 9ad6612a .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-root 2022/05/13 01:05 upstream 0ac824f379fb 9ad6612a .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/05/11 15:20 upstream feb9c5e19e91 beb0b407 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/05/10 20:32 upstream feb9c5e19e91 8b277b8e .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream-386 2022/05/27 06:11 upstream 7e284070abe5 3037caa9 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream-386 2022/05/23 21:56 upstream 5dc921868c50 e7f9308d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream-386 2022/05/21 16:22 upstream 3b5e1590a267 7268fa62 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream-386 2022/05/21 14:32 upstream 3b5e1590a267 7268fa62 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream-386 2022/05/10 22:44 upstream feb9c5e19e91 8d7b3b67 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-386 2022/02/14 00:25 upstream 42964a18f81c 8b9ca619 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-qemu-upstream-386 2021/11/15 01:57 upstream fa55b7dcdc43 83f5c9b5 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/05/27 20:22 linux-next d3fde8ff50ab a46af346 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/05/25 13:09 linux-next 8cb8311e95e3 647c0e27 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/05/24 10:36 linux-next 09ce5091ff97 e7f9308d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/05/24 02:48 linux-next cc63e8e92cb8 e7f9308d .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/05/20 15:26 linux-next 18ecd30af1a8 cb1ac2e7 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/05/19 12:56 linux-next 3f7bdc402fb0 50c53f39 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-linux-next-kasan-gce-root 2022/05/17 10:56 linux-next 3f7bdc402fb0 744a39e2 .config log report info KASAN: vmalloc-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-selinux-root 2022/05/14 12:38 upstream ec7f49619d8e 744a39e2 .config log report info KASAN: stack-out-of-bounds Write in imageblit
ci-upstream-kasan-gce-smack-root 2022/03/25 18:07 upstream 34af78c4e616 89bc8608 .config log report info KASAN: slab-out-of-bounds Read in imageblit
ci-qemu2-arm32 2022/04/01 04:36 upstream 478f74a3d808 68fc921a .config log report info BUG: unable to handle kernel paging request in imageblit