2022-07-28 01:23:57

by Dipanjan Das

Subject: BUG: unable to handle kernel paging request in imageblit

Hi,

We would like to report the following bug which has been found by our
modified version of syzkaller.

======================================================
description: BUG: unable to handle kernel paging request in imageblit
affected file: drivers/gpu/drm/drm_fb_helper.c
kernel version: 5.4.206
kernel commit: 6584107915561f860b7b05dcca5c903dd62a308d
git tree: upstream
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=1aab6d4187ddf667
crash reproducer: attached
======================================================
Crash log:
======================================================
BUG: unable to handle page fault for address: ffffc90000c19000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 119554067 P4D 119554067 PUD 119555067 PMD 10be9f067 PTE 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 27220 Comm: syz-executor.4 Tainted: G OE 5.4.206+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x1137/0x16f0 drivers/video/fbdev/core/sysimgblt.c:275
Code: 24 18 23 18 4c 89 f0 48 c1 e8 03 33 5c 24 60 0f b6 14 30 4c 89
f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 56 03 00 00 31 ff <41> 89
5f fc 44 89 e6 e8 0d 6f b2 fd 45 85 e4 75 0f e8 93 6d b2 fd
RSP: 0018:ffff8880824df250 EFLAGS: 00010246
RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000
RBP: ffff88810f56c213 R08: ffff8880922f82c0 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000007
R13: 0000000000000002 R14: ffffc90000c19000 R15: ffffc90000c19004
FS: 00007f9076748700(0000) GS:ffff88811a000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000c19000 CR3: 0000000090190001 CR4: 0000000000162ef0
Call Trace:
drm_fb_helper_sys_imageblit+0x1c/0x130 drivers/gpu/drm/drm_fb_helper.c:809
bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
bit_putcs+0x904/0xd90 drivers/video/fbdev/core/bitblit.c:188
fbcon_putcs+0x39c/0x4c0 drivers/video/fbdev/core/fbcon.c:1302
fbcon_putc+0x86/0xb0 drivers/video/fbdev/core/fbcon.c:1312
complement_pos+0x360/0x720 drivers/tty/vt/vt.c:817
highlight_pointer drivers/tty/vt/selection.c:63 [inline]
clear_selection+0x17/0x70 drivers/tty/vt/selection.c:83
vc_do_resize+0x1026/0x13a0 drivers/tty/vt/vt.c:1253
fbcon_do_set_font+0x579/0x9f0 drivers/video/fbdev/core/fbcon.c:2442
fbcon_set_font+0xa43/0xda0 drivers/video/fbdev/core/fbcon.c:2542
con_font_set drivers/tty/vt/vt.c:4591 [inline]
con_font_op+0x75b/0xcc0 drivers/tty/vt/vt.c:4635
vt_ioctl+0x1663/0x2580 drivers/tty/vt/vt_ioctl.c:898
tty_ioctl+0xda5/0x14c0 drivers/tty/tty_io.c:2657
vfs_ioctl fs/ioctl.c:47 [inline]
file_ioctl fs/ioctl.c:510 [inline]
do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
__do_sys_ioctl fs/ioctl.c:721 [inline]
__se_sys_ioctl fs/ioctl.c:719 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f90787974ed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9076747be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f90788b5f60 RCX: 00007f90787974ed
RDX: 0000000020000480 RSI: 0000000000004b72 RDI: 0000000000000003
RBP: 00007f90788032e1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffed03d269f R14: 00007f90788b5f60 R15: 00007f9076747d80
Modules linked in: uio_ivshmem(OE) uio(E)
CR2: ffffc90000c19000
---[ end trace af2a9beecf656bf6 ]---
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x1137/0x16f0 drivers/video/fbdev/core/sysimgblt.c:275
Code: 24 18 23 18 4c 89 f0 48 c1 e8 03 33 5c 24 60 0f b6 14 30 4c 89
f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 56 03 00 00 31 ff <41> 89
5f fc 44 89 e6 e8 0d 6f b2 fd 45 85 e4 75 0f e8 93 6d b2 fd
RSP: 0018:ffff8880824df250 EFLAGS: 00010246
RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000
RBP: ffff88810f56c213 R08: ffff8880922f82c0 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000007
R13: 0000000000000002 R14: ffffc90000c19000 R15: ffffc90000c19004
FS: 00007f9076748700(0000) GS:ffff88811a000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000c19000 CR3: 0000000090190001 CR4: 0000000000162ef0
----------------
Code disassembly (best guess):
0: 24 18 and $0x18,%al
2: 23 18 and (%rax),%ebx
4: 4c 89 f0 mov %r14,%rax
7: 48 c1 e8 03 shr $0x3,%rax
b: 33 5c 24 60 xor 0x60(%rsp),%ebx
f: 0f b6 14 30 movzbl (%rax,%rsi,1),%edx
13: 4c 89 f0 mov %r14,%rax
16: 83 e0 07 and $0x7,%eax
19: 83 c0 03 add $0x3,%eax
1c: 38 d0 cmp %dl,%al
1e: 7c 08 jl 0x28
20: 84 d2 test %dl,%dl
22: 0f 85 56 03 00 00 jne 0x37e
28: 31 ff xor %edi,%edi
* 2a: 41 89 5f fc mov %ebx,-0x4(%r15) <-- trapping instruction
2e: 44 89 e6 mov %r12d,%esi
31: e8 0d 6f b2 fd callq 0xfdb26f43
36: 45 85 e4 test %r12d,%r12d
39: 75 0f jne 0x4a
3b: e8 93 6d b2 fd callq 0xfdb26dd3

--
Thanks and Regards,

Dipanjan


Attachments:
repro.c (5.72 kB)
repro.syz (2.26 kB)
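The register dump above already answers the first triage questions (what kind of access faulted, where the address lives, which register was the pointer) if one reads it mechanically. The script below is an added example of that reading, written for this page; it is not part of the report, the attached reproducer, or the kernel. Its input is an excerpt of the oops copied from the report (the trace and disassembly lines are left out), and the address-region table assumes the default x86-64 4-level layout from Documentation/x86/x86_64/mm.rst, which the dump is consistent with (direct map at ffff8880..., vmalloc base at ffffc900...); on a kernel with CONFIG_RANDOMIZE_MEMORY the bases move and the table would have to be taken from that boot instead.

```python
import re

# Constructed input: the page-fault header and register dump copied from the
# oops in the report above (the call trace and disassembly are omitted).
OOPS = """\
BUG: unable to handle page fault for address: ffffc90000c19000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
Oops: 0002 [#1] PREEMPT SMP KASAN
RIP: 0010:sys_imageblit+0x1137/0x16f0 drivers/video/fbdev/core/sysimgblt.c:275
RSP: 0018:ffff8880824df250 EFLAGS: 00010246
RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000
RBP: ffff88810f56c213 R08: ffff8880922f82c0 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000007
R13: 0000000000000002 R14: ffffc90000c19000 R15: ffffc90000c19004
CR2: ffffc90000c19000 CR3: 0000000090190001 CR4: 0000000000162ef0
"""

PAGE_SIZE = 4096

# x86-64 4-level paging layout without KASLR (Documentation/x86/x86_64/mm.rst).
# Assumption: the boot in the report used the default bases; the addresses in
# the dump (direct map at ffff8880..., vmalloc at ffffc900...) match them.
REGIONS = (
    (0x0000000000000000, 0x00007fffffffffff, "user space"),
    (0xffff888000000000, 0xffffc87fffffffff, "direct map"),
    (0xffffc90000000000, 0xffffe8ffffffffff, "vmalloc/ioremap"),
    (0xffffea0000000000, 0xffffeaffffffffff, "vmemmap"),
    (0xffffec0000000000, 0xfffffbffffffffff, "KASAN shadow"),
    (0xffffffff80000000, 0xffffffff9fffffff, "kernel text"),
    (0xffffffffa0000000, 0xfffffffffeffffff, "modules"),
)


def classify_address(addr):
    """Name the x86-64 virtual address region an address falls in."""
    for lo, hi, name in REGIONS:
        if lo <= addr <= hi:
            return name
    return "hole/unmapped region"


def decode_pf_error(code):
    """Decode the #PF error code bits (Intel SDM vol. 3, page-fault error code)."""
    return {
        "present": bool(code & (1 << 0)),      # 0: page not present, 1: protection violation
        "write": bool(code & (1 << 1)),        # 0: read, 1: write
        "user": bool(code & (1 << 2)),         # 0: supervisor (kernel) access
        "reserved": bool(code & (1 << 3)),     # reserved bit set in a paging entry
        "instr_fetch": bool(code & (1 << 4)),  # instruction fetch (NX)
    }


# Matches "RAX: <16 hex>", "R14: <16 hex>", "CR2: <16 hex>" and the
# selector-prefixed "RSP: 0018:<16 hex>"; "RIP: 0010:<symbol>" does not match.
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR[0-9]): (?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")


def parse_registers(oops):
    """Return {name: value} for the 64-bit registers in an x86-64 oops."""
    return {name: int(val, 16) for name, val in REG_RE.findall(oops)}


def triage(oops):
    """Pull the facts a triager wants first out of a page-fault oops."""
    m = re.search(r"unable to handle page fault for address: ([0-9a-f]+)", oops)
    fault_addr = int(m.group(1), 16)
    code = int(re.search(r"error_code\(0x([0-9a-f]+)\)", oops).group(1), 16)
    rip = re.search(r"RIP: [0-9a-f]{4}:(\S+)", oops).group(1)
    regs = parse_registers(oops)

    # Registers equal to, or within 64 bytes of, the faulting address: these are
    # the pointer (and anything derived from it) the trapping instruction used.
    exact = sorted(n for n, v in regs.items() if v == fault_addr)
    near = sorted((n, v - fault_addr) for n, v in regs.items()
                  if n != "CR2" and v != fault_addr and abs(v - fault_addr) <= 64)

    page_offset = fault_addr % PAGE_SIZE
    region = classify_address(fault_addr)
    # vmalloc() leaves an unmapped guard page after each allocation, so a
    # not-present fault at offset 0 of a page in the vmalloc range is the usual
    # signature of running off the end of a vmalloc'ed buffer.  Inference only:
    # confirming it needs the allocation size and the index that produced it.
    guard_page_suspect = (region == "vmalloc/ioremap"
                          and not decode_pf_error(code)["present"]
                          and page_offset == 0)
    return {
        "fault_addr": fault_addr,
        "error_code": code,
        "flags": decode_pf_error(code),
        "rip": rip,
        "region": region,
        "page_offset": page_offset,
        "exact_regs": exact,
        "near_regs": near,
        "guard_page_suspect": guard_page_suspect,
    }


def summarize(oops):
    """Render the triage result as a few human-readable lines."""
    t = triage(oops)
    f = t["flags"]
    kind = "write" if f["write"] else "read"
    mode = "user" if f["user"] else "kernel"
    lines = [
        f"{kind} fault in {mode} mode at {t['fault_addr']:#x} ({t['region']}), "
        f"page offset {t['page_offset']}, page {'present' if f['present'] else 'not present'}",
        f"trapping code: {t['rip']}",
        f"registers holding the address: {', '.join(t['exact_regs'])}",
        "nearby: " + ", ".join(f"{n}={d:+d}" for n, d in t["near_regs"]),
    ]
    if t["guard_page_suspect"]:
        lines.append("looks like a write past the end of a vmalloc'ed buffer into its guard page")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(OOPS))
```

Run against the excerpt, the script reports a supervisor-mode write to a not-present page at the first byte of a vmalloc-range page, with R14 holding the address and R15 four bytes past it, which agrees with the disassembly's `mov %ebx,-0x4(%r15)` as the trapping store. The ioctl that started the call chain is visible in the user-space frame too: RDI is the file descriptor (3) and RSI is 0x4b72, which is KDFONTOP in include/uapi/linux/kd.h, matching con_font_op in the trace. Whether the store really is the overrun of a vmalloc'ed buffer, and by how much, has to be settled from the driver source and the reproducer, not from the dump alone.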