Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp4376150ybp; Mon, 14 Oct 2019 03:46:05 -0700 (PDT) X-Google-Smtp-Source: APXvYqyEFdiIkemTOoayCZMHgj4Vhs4DXZ1UIvtHsAtSkYlvRvuj5RZONVHkqsb60iEYtpzAdAI2 X-Received: by 2002:aa7:d748:: with SMTP id a8mr26964160eds.269.1571049965205; Mon, 14 Oct 2019 03:46:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1571049965; cv=none; d=google.com; s=arc-20160816; b=y2hkbm7RatkjRu0vRfLakV/e53BRIFHuSfSwMyXF2Bh6M6QZT4GvIscwasOJ8vvJjM w5P1YKZih14z+yZJtn1Mlcfbc+phx2yct6KBeouGlFFR6vxqyoaji/3IMLtt4jjh/ptU kTCvc6TFYP9YxrFOGKr2ewGOpacxwOFpW8TbeDmZOLpmzf7L3jXjsNQqBR+t8a6x35S5 Us6nn+Sm7+jy0KRSsVrf1wmcreawO3topxthJQ2IaiDWAHUYfWFPJzc+fVSGrzbM0zmW Klcb4HhjCu6PJ++c1TrAjun7HT+YcsP/UKSGqMANeBS715xIQqxkQx6c9NG3OiqPXa/n 0ArA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=hZ6xMa94AS5QlI8ci1K/Yz8o4zIwG3w9pkZ7+6EtReM=; b=IzfYsuVara0O0/cIRmwno2yvuz4HM6a55v09QvoqGOEbTQztnLiV5h7T9BfAUkmaC2 lbBUfbOnQObBCMyPQ4OgZURUjVn9DcEBE05KcYNIOd+ODhsBktSbM6RuDOj6T14iuoJT Mn7pSQhtJRaHNI5pYJSz3oP9nG+Ch/eJRYwyeXevpbSc1xyRrO+i3cqyvqvOkEWYSLlq ESLam4VEIIZvM+pXoz7FYDR/XtFox+KM80hZQwpGFDdBzF+pHo7/LLvFO9mDC3VDU3g3 c9kDLeMLmVlim0ytftgGfBFQ8yKmpmDb4xV6jrlRNTeW0cYURgKN/h9IlyI89WWIIRWD E3KA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sB3rDE7S; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f30si13532064ede.435.2019.10.14.03.45.40; Mon, 14 Oct 2019 03:46:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sB3rDE7S; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731546AbfJNKoG (ORCPT + 99 others); Mon, 14 Oct 2019 06:44:06 -0400 Received: from mail-qk1-f196.google.com ([209.85.222.196]:36432 "EHLO mail-qk1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731305AbfJNKoG (ORCPT ); Mon, 14 Oct 2019 06:44:06 -0400 Received: by mail-qk1-f196.google.com with SMTP id y189so15448384qkc.3 for ; Mon, 14 Oct 2019 03:44:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hZ6xMa94AS5QlI8ci1K/Yz8o4zIwG3w9pkZ7+6EtReM=; b=sB3rDE7Swl2hX5dz5I/j7rX6iaUWYtlql5y6kZf1gn6zgUFovOlSnnriP+bxGOD/nM dhe0IUzKxAf5ay7lUcV/EDw4tsklCpEKNJKCfYm42HuK/mQuFp0gYIz+WZBTjHsHpjMh DDyPeR+fFdSyccAMn2mDcYYIqKhTUVFlhTxSapHDBWspZr9lfunoc0+03EEPlFviBwYP BlXCiJOzp0v3jvjzNcDoYpSwunohhzmE5BDgWSyxyG/UMrYSjDDwrZrHdc1HD3cGINZY gd8LNMShYyp2UNUBnaQSgdRTDWkf1DRCa+lPZyqKUUa6nAlbIJOkwqqaisy2Owliaws1 E5sQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hZ6xMa94AS5QlI8ci1K/Yz8o4zIwG3w9pkZ7+6EtReM=; b=tMg4/wLfZFu5Rog3qiE7BtWEF8jhqpjwt/URz5SrNRGecfGuQQmfAdooyczBwtJ5g2 gVuTj99GZoWonNrI3j44/t9uyN24mXHtWcTS4MtBoMRxhTdEEnAqQ+DWAhGOPMqcy/zA myjLMHFuqKMARwQf2dC1Ryuj2phBDp9K9j6M3z9YTyz98BTCKtGB6uS0pD/9A5+w3xHb RuPVhTK2PJ4etV+9lUN2VejE38XFtaKo5IMf8Gwt327jo8qEJ+pkmZ614+p8GYJl/f1o 2nhzpZl3c45AU03yY5q2+Ta5ijVIok/9NB0ZRiaClJRBUYcXdtm1hIc5BRQPJnAafXw4 nttQ== X-Gm-Message-State: APjAAAX3utcrbHpkBRnsaWw+yif57hnSDngiBovD7nelSPF2g/yH+pqX nm67alX1ed3ac07VTJFehlZGYh3fKvb3MN48u3VAmQ== X-Received: by 2002:a05:620a:2158:: with SMTP id m24mr29467199qkm.250.1571049844763; Mon, 14 Oct 2019 03:44:04 -0700 (PDT) MIME-Version: 1.0 References: <000000000000b2de3a0594d8b4ca@google.com> <20191014091635.GI11828@phenom.ffwll.local> <67fb1a91-7ef3-9036-2d1b-877e394bcab2@linux.intel.com> In-Reply-To: <67fb1a91-7ef3-9036-2d1b-877e394bcab2@linux.intel.com> From: Dmitry Vyukov Date: Mon, 14 Oct 2019 12:43:53 +0200 Message-ID: Subject: Re: WARNING in drm_mode_createblob_ioctl To: syzbot Cc: David Airlie , DRI , LKML , mripard@kernel.org, sean@poorly.run, syzkaller-bugs Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 14, 2019 at 11:39 AM syzbot wrote: > > Op 14-10-2019 om 11:16 schreef Daniel Vetter: > > On Sun, Oct 13, 2019 at 11:09:09PM -0700, syzbot wrote: > >> Hello, > >> > >> syzbot found the following crash on: > >> > >> HEAD commit: 8ada228a Add linux-next specific files for 20191011 > >> git tree: linux-next > >> console output: https://syzkaller.appspot.com/x/log.txt?x=1423a87f600000 > >> kernel config: https://syzkaller.appspot.com/x/.config?x=7cf4eed5fe42c31a > >> dashboard link: https://syzkaller.appspot.com/bug?extid=fb77e97ebf0612ee6914 > >> compiler: gcc (GCC) 9.0.0 20181231 (experimental) > >> > >> Unfortunately, I don't have any reproducer for this crash yet. > > Hm only thing that could go wrong is how we allocate the target for the > > user_copy, which is an argument directly from the ioctl parameter struct. > > Does syzbot not track that? We use the standard linux ioctl struct > > encoding in drm. > > > > Otherwise I have no idea why it can't create a reliable reproducer for > > this ... I'm also not seeing the bug, all the input validation we have > > seems correct :-/ > > I would like to see the entire dmesg? > > in particular because it's likely WARN(1, "Buffer overflow detected (%d < %lu)!\n", size, count), > > so I'd like to see the size it thinks for both.. And who are "you"? :) The email as if comes from syzbot: From: syzbot But it is clearly not generated by syzbot code. Or is it some kind of a glitch?... Anyway, full console output is always referenced on every syzbot bug report as "console output:" link. > > -Daniel > >> IMPORTANT: if you fix the bug, please add the following tag to the commit: > >> Reported-by: syzbot+fb77e97ebf0612ee6914@syzkaller.appspotmail.com > >> > >> ------------[ cut here ]------------ > >> WARNING: CPU: 1 PID: 30449 at include/linux/thread_info.h:150 > >> check_copy_size include/linux/thread_info.h:150 [inline] > >> WARNING: CPU: 1 PID: 30449 at include/linux/thread_info.h:150 copy_from_user > >> include/linux/uaccess.h:143 [inline] > >> WARNING: CPU: 1 PID: 30449 at include/linux/thread_info.h:150 > >> drm_mode_createblob_ioctl+0x398/0x490 drivers/gpu/drm/drm_property.c:800 > >> Kernel panic - not syncing: panic_on_warn set ... > >> CPU: 1 PID: 30449 Comm: syz-executor.5 Not tainted 5.4.0-rc2-next-20191011 > >> #0 > >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > >> Google 01/01/2011 > >> Call Trace: > >> __dump_stack lib/dump_stack.c:77 [inline] > >> dump_stack+0x172/0x1f0 lib/dump_stack.c:113 > >> panic+0x2e3/0x75c kernel/panic.c:221 > >> __warn.cold+0x2f/0x35 kernel/panic.c:582 > >> report_bug+0x289/0x300 lib/bug.c:195 > >> fixup_bug arch/x86/kernel/traps.c:174 [inline] > >> fixup_bug arch/x86/kernel/traps.c:169 [inline] > >> do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:267 > >> do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:286 > >> invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028 > >> RIP: 0010:check_copy_size include/linux/thread_info.h:150 [inline] > >> RIP: 0010:copy_from_user include/linux/uaccess.h:143 [inline] > >> RIP: 0010:drm_mode_createblob_ioctl+0x398/0x490 > >> drivers/gpu/drm/drm_property.c:800 > >> Code: c1 ea 03 80 3c 02 00 0f 85 ed 00 00 00 49 89 5d 00 e8 3c 28 cb fd 4c > >> 89 f7 e8 64 92 9e 03 31 c0 e9 75 fd ff ff e8 28 28 cb fd <0f> 0b e8 21 28 cb > >> fd 4d 85 e4 b8 f2 ff ff ff 0f 84 5b fd ff ff 89 > >> RSP: 0018:ffff8880584efaa8 EFLAGS: 00010246 > >> RAX: 0000000000040000 RBX: ffff8880a3a90000 RCX: ffffc900109da000 > >> RDX: 0000000000040000 RSI: ffffffff83a7eaf8 RDI: 0000000000000007 > >> RBP: ffff8880584efae8 R08: ffff888096c40080 R09: ffffed1014752110 > >> R10: ffffed101475210f R11: ffff8880a3a9087f R12: ffffc90014907000 > >> R13: ffff888028aa0000 R14: 000000009a6c7969 R15: ffffc90014907058 > >> > >> > >> --- > >> This bug is generated by a bot. It may contain errors. > >> See https://goo.gl/tpsmEJ for more information about syzbot. > >> syzbot engineers can be reached at syzkaller@googlegroups.com. > >> > >> syzbot will keep track of this bug report. See: > >> https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > > > -- > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/67fb1a91-7ef3-9036-2d1b-877e394bcab2%40linux.intel.com.