From: Arnd Bergmann
Date: Tue, 20 Nov 2018 14:33:32 +0100
Subject: Re: BUG: unable to handle kernel NULL pointer dereference in write_port
To: kt0755@gmail.com
Cc: gregkh, lifeasageek@gmail.com, threeearcat@gmail.com, syzkaller@googlegroups.com, Linux Kernel Mailing List
List-ID: linux-kernel@vger.kernel.org

On Tue, Nov 13, 2018 at 9:24 AM Kyungtae Kim wrote:
>
> We report a bug in v4.19-rc8 (4.20-rc1 as well):
>
> kernel config: https://kt0755.github.io/etc/config-4.19-rc2.kmsan
> repro: https://kt0755.github.io/etc/repro.e3752.c
>
> This happens during data transition from user-supplied buffer to port
> (using outb) pointed by ppos. (driver/mem/char.c:640)
> Although there is a strict bound 65536 (driver/mem/char.c:632), user
> buffer copy still causes crashes within the strict bound.
> (In the experiment, the crash arose when loop count is beyond 0x7f)
> To stop it, it probably needs a little tight bound check.
>
> I think this is a little bit related to the crash I reported before
> (https://lkml.org/lkml/2018/5/12/91)
>
> Crash log
> =========================================
> BUG: unable to handle kernel NULL pointer dereference at 00000000000000af

The first thing that comes to mind is that this would be qemu specific.
Note that writing arbitrary data into arbitrary I/O ports is likely to
crash any x86 PC, but it's possible that qemu reports a different set
of exceptions.

Looking in /proc/ioports for a real PC, I find

0080-008f : dma page reg
00a0-00a1 : pic2
00c0-00df : dma2
00f0-00ff : fpu

so it appears that you have just written into the interrupt controller here.

      Arnd
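Added example, not code from the email, the repro, or the kernel: a small C model of the write_port() loop as the report describes it (bytes go to consecutive ports starting at *ppos, and the loop stops at the 65536 bound), run against the four /proc/ioports entries Arnd quotes, to show which device regions a /dev/port write at a given offset and length would reach. It performs no port I/O. The sample table, the helper names (parse_ioports, bytes_emitted, regions_hit, sample_regions_hit) and the example offset 0x80 are my constructions, and the model ignores the copy-from-user failure path that the real function also handles.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: models the write_port() port range and maps it onto
 * /proc/ioports entries. No port I/O is performed. */

#define PORT_LIMIT 65536u   /* the bound the report cites for write_port */
#define MAX_REGIONS 64

struct region {
    unsigned start, end;    /* inclusive port range */
    char name[32];
};

/* Constructed sample in /proc/ioports format; the four entries are the
 * ones quoted in the email above. */
static const char *SAMPLE_IOPORTS =
    "0080-008f : dma page reg\n"
    "00a0-00a1 : pic2\n"
    "00c0-00df : dma2\n"
    "00f0-00ff : fpu\n";

/* Parse "START-END : NAME" lines (hex ranges, as /proc/ioports prints
 * them). Returns the number of regions stored in out[]. */
static int parse_ioports(const char *text, struct region *out, int max)
{
    int n = 0;
    const char *p = text;

    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (sscanf(line, "%x-%x : %31[^\n]", &out[n].start, &out[n].end,
                   out[n].name) == 3)
            n++;

        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Bytes write_port would emit for a write of count bytes at offset ppos:
 * the loop runs while count > 0 and the port number is below PORT_LIMIT. */
static size_t bytes_emitted(unsigned long ppos, size_t count)
{
    if (ppos >= PORT_LIMIT)
        return 0;
    size_t room = PORT_LIMIT - ppos;
    return count < room ? count : room;
}

/* Collect indices of regions whose range intersects the ports the write
 * actually reaches. Returns the number of regions hit. */
static int regions_hit(const struct region *regs, int nregs,
                       unsigned long ppos, size_t count, int *idx, int max)
{
    size_t n = bytes_emitted(ppos, count);
    int hits = 0;

    if (n == 0)
        return 0;
    unsigned long first = ppos, last = ppos + n - 1;

    for (int i = 0; i < nregs && hits < max; i++)
        if (regs[i].start <= last && regs[i].end >= first)
            idx[hits++] = i;
    return hits;
}

/* Wrapper over the constructed sample: how many listed device regions
 * does a write of count bytes at ppos touch? */
static int sample_regions_hit(unsigned long ppos, size_t count)
{
    struct region regs[MAX_REGIONS];
    int idx[MAX_REGIONS];
    int nregs = parse_ioports(SAMPLE_IOPORTS, regs, MAX_REGIONS);
    return regions_hit(regs, nregs, ppos, count, idx, MAX_REGIONS);
}

int main(void)
{
    struct region regs[MAX_REGIONS];
    int idx[MAX_REGIONS];
    int nregs = parse_ioports(SAMPLE_IOPORTS, regs, MAX_REGIONS);
    unsigned long ppos = 0x80;   /* constructed: write starting at port 0x80 */
    size_t count = 0x30;         /* constructed: 48 bytes */

    int hits = regions_hit(regs, nregs, ppos, count, idx, MAX_REGIONS);
    printf("write of %zu bytes at port 0x%lx reaches %zu ports and %d regions:\n",
           count, ppos, bytes_emitted(ppos, count), hits);
    for (int i = 0; i < hits; i++)
        printf("  %04x-%04x : %s\n", regs[idx[i]].start, regs[idx[i]].end,
               regs[idx[i]].name);
    return 0;
}
```

What the model makes visible is Arnd's point: the 65536 bound only keeps the port number within the x86 I/O space, and every port inside that space may belong to a live device register (the constructed 48-byte write at 0x80 crosses both the DMA page registers and pic2). A tighter numeric bound on the loop would not change that; what keeps /dev/port writes from reaching hardware is that opening the device requires CAP_SYS_RAWIO, not a range check inside write_port.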