Subject: Re: WARNING in ion_buffer_destroy
To: Dmitry Vyukov
Cc: syzbot, Arve Hjønnevåg, "open list:ANDROID DRIVERS", Greg Kroah-Hartman, LKML, Martijn Coenen, Sumit Semwal, syzkaller-bugs, Todd Kjos
References: <001a1144928eca24f605625fd8f9@google.com>
From: Laura Abbott
Message-ID: <70de9c10-d7ce-a95b-1bf1-724f9dacaa8c@redhat.com>
Date: Mon, 14 May 2018 13:37:00 -0700

On 05/09/2018 11:59 PM, Dmitry Vyukov wrote:
> On Wed, Jan 10, 2018 at 7:14 PM, Laura Abbott wrote:
>> On 01/09/2018 02:58 PM, syzbot wrote:
>>>
>>> Hello,
>>>
>>> syzkaller hit the following crash on
>>> 06d41862286aa7bc634a1dd9e6e7e96f925ef30a
>>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached
>>> Raw console output is attached.
>>> C reproducer is attached
>>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>>> for information about syzkaller reproducers
>>>
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+cd8bcd40cb049efa2770@syzkaller.appspotmail.com
>>> It will help syzbot understand when the bug is fixed. See footer for
>>> details.
>>> If you forward the report, please keep this part and the footer.
>>>
>>> audit: type=1400 audit(1515538424.230:7): avc: denied { map } for
>>> pid=3499 comm="syzkaller239906" path="/root/syzkaller239906633" dev="sda1"
>>> ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
>>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>>> WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
>>> ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
>>> Kernel panic - not syncing: panic_on_warn set ...
>>>
>>> CPU: 0 PID: 1467 Comm: ion_system_heap Not tainted
>>> 4.15.0-rc7-next-20180109+ #92
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> Google 01/01/2011
>>> Call Trace:
>>>  __dump_stack lib/dump_stack.c:17 [inline]
>>>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>>>  panic+0x1e4/0x41c kernel/panic.c:183
>>>  __warn+0x1dc/0x200 kernel/panic.c:547
>>>  report_bug+0x211/0x2d0 lib/bug.c:184
>>>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>>>  fixup_bug arch/x86/kernel/traps.c:247 [inline]
>>>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>>>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>>>  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1079
>>> RIP: 0010:ion_buffer_destroy+0xd4/0x190
>>> drivers/staging/android/ion/ion.c:122
>>> RSP: 0018:ffff8801d3a9fd28 EFLAGS: 00010293
>>> RAX: ffff8801d39ee700 RBX: ffff8801c00e57c0 RCX: ffffffff8415d2a4
>>> RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801d5ada5b8
>>> RBP: ffff8801d3a9fd50 R08: 0000000000000000 R09: 1ffff1003a753f8a
>>> R10: ffff8801d3a9fc18 R11: 0000000000000000 R12: ffffffff86e4c980
>>> R13: ffff8801d5ada580 R14: ffff8801c00e57e0 R15: 0000000000000001
>>>  ion_heap_deferred_free+0x290/0x650
>>> drivers/staging/android/ion/ion_heap.c:236
>>>  kthread+0x33c/0x400 kernel/kthread.c:238
>>>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524
>>> Dumping ftrace buffer:
>>>  (ftrace buffer empty)
>>> Kernel Offset: disabled
>>> Rebooting in 86400 seconds..
>>
>>
>> This is catching that a buffer was freed with an existing kernel
>> map still present. The problem is this can easily be triggered from
>> userspace by calling DMA_BUF_SYNC_START without calling
>> DMA_BUF_SYNC_END. It's clearly not appropriate for userspace to
>> be able to trigger a warning so I'll see about switching this to
>> a pr_warn_once.
>
> Hi Laura,
>
> Any updates on this?
>

I thought I had sent a fix for this but I guess not. I'll see about
getting one out.

Thanks,
Laura
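
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not the ION driver's code: a userspace C model of the kernel-mapping count, comparing a WARN-style check with a pr_warn_once-style check when DMA_BUF_SYNC_START is never matched by DMA_BUF_SYNC_END. The names model_buffer, kmap_cnt, result and simulate are assumptions of the model, as is dropping the leftover mapping at destroy time under both policies.

```c
/* Userspace model of the accounting described in the thread; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

enum policy { POLICY_WARN, POLICY_WARN_ONCE };  /* WARN-style vs pr_warn_once-style */
struct model_buffer { int kmap_cnt; };          /* hypothetical stand-in for an ION buffer */
struct result { int destroyed, warnings, leaked_maps; bool panicked; };
static const bool panic_on_warn = true;         /* as on the syzbot machine in the report */

/* DMA_BUF_SYNC_START takes a kernel mapping, DMA_BUF_SYNC_END drops it. */
static void sync_start(struct model_buffer *b) { b->kmap_cnt++; }
static void sync_end(struct model_buffer *b)   { if (b->kmap_cnt > 0) b->kmap_cnt--; }

/* Destroy one buffer; returns false if the modelled kernel panics. */
static bool buffer_destroy(struct model_buffer *b, enum policy p, struct result *r)
{
    if (b->kmap_cnt > 0) {
        if (p == POLICY_WARN) {
            r->warnings++;                      /* full warning on every occurrence */
            if (panic_on_warn) return false;    /* "panic_on_warn set": machine goes down */
        } else if (r->warnings == 0) {
            r->warnings = 1;                    /* one log line, then silence */
        }
        b->kmap_cnt = 0;                        /* drop the leftover mapping either way */
    }
    r->destroyed++;
    return true;
}

/* Allocate nbuf buffers, SYNC_START each, optionally SYNC_END, then free them. */
static struct result simulate(enum policy p, int nbuf, bool call_end)
{
    struct result r = {0};
    for (int i = 0; i < nbuf && !r.panicked; i++) {
        struct model_buffer b = {0};
        sync_start(&b);
        if (call_end) sync_end(&b);
        r.panicked = !buffer_destroy(&b, p, &r);
        r.leaked_maps += b.kmap_cnt;            /* non-zero only if the panic cut cleanup short */
    }
    return r;
}

int main(void)
{
    struct result w = simulate(POLICY_WARN, 3, false), o = simulate(POLICY_WARN_ONCE, 3, false);
    printf("WARN: panicked=%d destroyed=%d | warn_once: panicked=%d destroyed=%d warnings=%d\n",
           w.panicked, w.destroyed, o.panicked, o.destroyed, o.warnings);
}
```

With the WARN-style policy the first unbalanced buffer stops the modelled machine; with the warn-once policy all three buffers are freed, the mapping is cleaned up, and a single line is logged.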