Subject: Re: WARNING in ion_buffer_destroy
To: syzbot, arve@android.com, devel@driverdev.osuosl.org, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, maco@android.com, sumit.semwal@linaro.org, syzkaller-bugs@googlegroups.com, tkjos@android.com
References: <001a1144928eca24f605625fd8f9@google.com>
From: Laura Abbott
Date: Wed, 10 Jan 2018 10:14:23 -0800
In-Reply-To: <001a1144928eca24f605625fd8f9@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 01/09/2018 02:58 PM, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on 06d41862286aa7bc634a1dd9e6e7e96f925ef30a
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cd8bcd40cb049efa2770@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for details.
> If you forward the report, please keep this part and the footer.
>
> audit: type=1400 audit(1515538424.230:7): avc:  denied  { map } for  pid=3499 comm="syzkaller239906" path="/root/syzkaller239906633" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122 ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 1467 Comm: ion_system_heap Not tainted 4.15.0-rc7-next-20180109+ #92
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>  panic+0x1e4/0x41c kernel/panic.c:183
>  __warn+0x1dc/0x200 kernel/panic.c:547
>  report_bug+0x211/0x2d0 lib/bug.c:184
>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>  fixup_bug arch/x86/kernel/traps.c:247 [inline]
>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1079
> RIP: 0010:ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
> RSP: 0018:ffff8801d3a9fd28 EFLAGS: 00010293
> RAX: ffff8801d39ee700 RBX: ffff8801c00e57c0 RCX: ffffffff8415d2a4
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801d5ada5b8
> RBP: ffff8801d3a9fd50 R08: 0000000000000000 R09: 1ffff1003a753f8a
> R10: ffff8801d3a9fc18 R11: 0000000000000000 R12: ffffffff86e4c980
> R13: ffff8801d5ada580 R14: ffff8801c00e57e0 R15: 0000000000000001
>  ion_heap_deferred_free+0x290/0x650 drivers/staging/android/ion/ion_heap.c:236
>  kthread+0x33c/0x400 kernel/kthread.c:238
>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

This is catching that a buffer was freed with an existing kernel map still present.
The problem is this can easily be triggered from userspace by calling DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. It's clearly not appropriate for userspace to be able to trigger a warning, so I'll see about switching this to a pr_warn_once.

Thanks,
Laura
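The pattern the reply describes, as an added userspace model that is not the kernel's ion.c and not Laura's patch: a kernel-map count that SYNC_START raises and SYNC_END lowers, checked again when the buffer is destroyed. The struct, function and counter names (`model_buffer`, `kmap_cnt`, `model_sync_start`, `destroy_with_warn_on`, `destroy_with_pr_warn_once`) are hypothetical stand-ins. It contrasts the WARN_ON() form, which under panic_on_warn turns a userspace-controllable condition into a fatal warning, with the pr_warn_once() form, which still logs the leaked mapping (once) and still cleans it up without giving userspace a path to a panic.

```c
/* Constructed userspace model of the ion_buffer_destroy() situation from the
 * thread. Added example, not the kernel's code; all names are hypothetical. */
#include <stdio.h>
#include <stdbool.h>

/* Emulates the panic_on_warn sysctl: when set, any WARN() is fatal. */
static bool panic_on_warn = true;

/* Minimal stand-in for the buffer state that matters here. */
struct model_buffer {
    int kmap_cnt;   /* outstanding kernel mappings (hypothetical name) */
    bool kmapped;   /* whether a kernel mapping currently exists */
};

/* Counters the test inspects: warnings emitted and simulated panics
 * (in the real kernel the machine reboots instead of counting). */
static int warn_count;
static int panic_count;

/* Userspace-driven transitions: SYNC_START maps, SYNC_END unmaps. */
static void model_sync_start(struct model_buffer *b)
{
    if (b->kmap_cnt++ == 0)
        b->kmapped = true;
}

static int model_sync_end(struct model_buffer *b)
{
    if (b->kmap_cnt == 0)
        return -1;              /* unbalanced END, nothing to release */
    if (--b->kmap_cnt == 0)
        b->kmapped = false;
    return 0;
}

/* Pattern from the report: WARN_ON() on a condition userspace controls.
 * Returns true if destroy completed, false if the model "panicked". */
static bool destroy_with_warn_on(struct model_buffer *b)
{
    if (b->kmap_cnt > 0) {
        warn_count++;           /* WARN_ON fires on every occurrence */
        if (panic_on_warn) {
            panic_count++;
            return false;       /* kernel never gets past here */
        }
        b->kmapped = false;     /* stand-in for unmap_kernel() */
        b->kmap_cnt = 0;
    }
    return true;                /* stand-in for heap free + kfree */
}

/* Hardened pattern: the leak is logged once and the mapping is still torn
 * down, but the warning cannot escalate into a panic. */
static bool destroy_with_pr_warn_once(struct model_buffer *b)
{
    static bool warned;         /* pr_warn_once() state */
    if (b->kmap_cnt > 0) {
        if (!warned) {
            warned = true;
            warn_count++;
            fprintf(stderr, "model: buffer still mapped in the kernel\n");
        }
        b->kmapped = false;     /* stand-in for unmap_kernel() */
        b->kmap_cnt = 0;
    }
    return true;
}

/* Drives the sequence from the thread: SYNC_START, no SYNC_END, destroy. */
static bool run_unbalanced(bool (*destroy)(struct model_buffer *))
{
    struct model_buffer b = { 0, false };
    model_sync_start(&b);       /* DMA_BUF_SYNC_START */
    /* no DMA_BUF_SYNC_END: the buffer is simply released */
    return destroy(&b);
}

int main(void)
{
    bool ok;

    ok = run_unbalanced(destroy_with_warn_on);
    printf("WARN_ON variant: destroy completed=%d, panics=%d\n", ok, panic_count);

    ok = run_unbalanced(destroy_with_pr_warn_once);
    ok = run_unbalanced(destroy_with_pr_warn_once) && ok;
    printf("pr_warn_once variant: destroy completed=%d, warnings so far=%d\n",
           ok, warn_count);
    return 0;
}
```

The model keeps the cleanup in both variants on purpose: the point of the change is not to stop noticing a leaked mapping but to stop letting an unprivileged, unbalanced ioctl sequence decide whether the machine stays up.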