From: Dipanjan Das
Date: Fri, 22 Jul 2022 09:23:14 -0700
Subject: KASAN: use-after-free Read in drm_gem_object_release
To: maarten.lankhorst@linux.intel.com, mripard@kernel.org, sean@poorly.run, airlied@linux.ie, daniel@ffwll.ch, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com, fleischermarius@googlemail.com, its.priyanka.bose@gmail.com
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

We would like to report the following bug which has been found by our modified version of syzkaller.
======================================================
description: KASAN: use-after-free Read in drm_gem_object_release
affected file: drivers/gpu/drm/drm_gem.c
kernel version: 5.4.206
kernel commit: 981f87403bb9841f1e0b7953e12a51f09a47a4f0
git tree: upstream
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=1aab6d4187ddf667
crash reproducer: attached
======================================================
Crash log:
======================================================
BUG: KASAN: use-after-free in drm_gem_object_release+0xf7/0x120 drivers/gpu/drm/drm_gem.c:952
Read of size 8 at addr ffff888069f2d110 by task syz-executor.2/9649

CPU: 0 PID: 9649 Comm: syz-executor.2 Tainted: G OE 5.4.206+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1a0/0x217 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x343 mm/kasan/report.c:374
 __kasan_report.cold+0x75/0x8d mm/kasan/report.c:506
 kasan_report+0x10/0x20 mm/kasan/common.c:645
 drm_gem_object_release+0xf7/0x120 drivers/gpu/drm/drm_gem.c:952
 drm_gem_vram_init drivers/gpu/drm/drm_gem_vram_helper.c:106 [inline]
 drm_gem_vram_create+0x180/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:135
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f6b40bd24ed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6b3eb82be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6b40cf0f60 RCX: 00007f6b40bd24ed
RDX: 0000000020000180 RSI: 00000000c02064b2 RDI: 0000000000000003
RBP: 00007f6b3eb82c40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014
R13: 00007ffc4fb462af R14: 00007f6b40cf0f60 R15: 00007f6b3eb82d80

Allocated by task 9649:
 save_stack+0x1b/0x80 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc+0xd2/0xe0 mm/kasan/common.c:521
 kmem_cache_alloc_trace+0x13a/0x4e0 mm/slab.c:3550
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 drm_gem_vram_create+0x53/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:131
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9649:
 save_stack+0x1b/0x80 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 kasan_set_free_info mm/kasan/common.c:334 [inline]
 __kasan_slab_free+0x103/0x150 mm/kasan/common.c:478
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10b/0x330 mm/slab.c:3756
 ttm_bo_release_list+0x335/0x4e0 drivers/gpu/drm/ttm/ttm_bo.c:166
 kref_put include/linux/kref.h:65 [inline]
 kref_put include/linux/kref.h:62 [inline]
 ttm_bo_release+0x44c/0xf60 drivers/gpu/drm/ttm/ttm_bo.c:686
 kref_put include/linux/kref.h:65 [inline]
 kref_put include/linux/kref.h:62 [inline]
 ttm_bo_put drivers/gpu/drm/ttm/ttm_bo.c:691 [inline]
 ttm_bo_init_reserved+0x8c1/0x10c0 drivers/gpu/drm/ttm/ttm_bo.c:1390
 ttm_bo_init+0x10e/0x4a0 drivers/gpu/drm/ttm/ttm_bo.c:1419
 drm_gem_vram_init drivers/gpu/drm/drm_gem_vram_helper.c:97 [inline]
 drm_gem_vram_create+0x15c/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:135
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888069f2d000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 272 bytes inside of
 1024-byte region [ffff888069f2d000, ffff888069f2d400)
The buggy address belongs to the page:
page:ffffea0001a7cb40 refcount:1 mapcount:0 mapping:ffff888119400c40 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002831748 ffffea00019062c8 ffff888119400c40
raw: 0000000000000000 ffff888069f2d000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888069f2d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888069f2d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888069f2d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888069f2d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888069f2d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: double-free or invalid-free in drm_gem_vram_create+0x1b7/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:142

CPU: 0 PID: 9649 Comm: syz-executor.2 Tainted: G B OE 5.4.206+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1a0/0x217 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x343 mm/kasan/report.c:374
 kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:468
 __kasan_slab_free+0x135/0x150 mm/kasan/common.c:457
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10b/0x330 mm/slab.c:3756
 drm_gem_vram_create+0x1b7/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:142
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f6b40bd24ed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6b3eb82be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6b40cf0f60 RCX: 00007f6b40bd24ed
RDX: 0000000020000180 RSI: 00000000c02064b2 RDI: 0000000000000003
RBP: 00007f6b3eb82c40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000014
R13: 00007ffc4fb462af R14: 00007f6b40cf0f60 R15: 00007f6b3eb82d80

Allocated by task 9649:
 save_stack+0x1b/0x80 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc+0xd2/0xe0 mm/kasan/common.c:521
 kmem_cache_alloc_trace+0x13a/0x4e0 mm/slab.c:3550
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 drm_gem_vram_create+0x53/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:131
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9649:
 save_stack+0x1b/0x80 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 kasan_set_free_info mm/kasan/common.c:334 [inline]
 __kasan_slab_free+0x103/0x150 mm/kasan/common.c:478
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x10b/0x330 mm/slab.c:3756
 ttm_bo_release_list+0x335/0x4e0 drivers/gpu/drm/ttm/ttm_bo.c:166
 kref_put include/linux/kref.h:65 [inline]
 kref_put include/linux/kref.h:62 [inline]
 ttm_bo_release+0x44c/0xf60 drivers/gpu/drm/ttm/ttm_bo.c:686
 kref_put include/linux/kref.h:65 [inline]
 kref_put include/linux/kref.h:62 [inline]
 ttm_bo_put drivers/gpu/drm/ttm/ttm_bo.c:691 [inline]
 ttm_bo_init_reserved+0x8c1/0x10c0 drivers/gpu/drm/ttm/ttm_bo.c:1390
 ttm_bo_init+0x10e/0x4a0 drivers/gpu/drm/ttm/ttm_bo.c:1419
 drm_gem_vram_init drivers/gpu/drm/drm_gem_vram_helper.c:97 [inline]
 drm_gem_vram_create+0x15c/0x1f0 drivers/gpu/drm/drm_gem_vram_helper.c:135
 drm_gem_vram_fill_create_dumb+0x13b/0x2c0 drivers/gpu/drm/drm_gem_vram_helper.c:382
 drm_gem_vram_driver_dumb_create+0x5e/0xe0 drivers/gpu/drm/drm_gem_vram_helper.c:509
 drm_mode_create_dumb+0x2a0/0x330 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_ioctl_kernel+0x21a/0x2e0 drivers/gpu/drm/drm_ioctl.c:787
 drm_ioctl+0x52f/0xa70 drivers/gpu/drm/drm_ioctl.c:890
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:510 [inline]
 do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
 __do_sys_ioctl fs/ioctl.c:721 [inline]
 __se_sys_ioctl fs/ioctl.c:719 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
 do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888069f2d000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
 1024-byte region [ffff888069f2d000, ffff888069f2d400)
The buggy address belongs to the page:
page:ffffea0001a7cb40 refcount:1 mapcount:0 mapping:ffff888119400c40 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002831748 ffffea00019062c8 ffff888119400c40
raw: 0000000000000000 ffff888069f2d000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888069f2cf00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
 ffff888069f2cf80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff888069f2d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888069f2d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888069f2d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

--
Thanks and Regards,
Dipanjan

Attachment: repro.syz

r0 = syz_open_dev$dri(&(0x7f0000000540), 0x2000000000000000, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f0000000180)={0x7, 0xfc000, 0xc39}) (fail_nth: 20)

Attachment: repro.c

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#include <linux/capability.h>

static bool write_file(const char* file, const char* what, ...)
{
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);
	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		int err = errno;
		close(fd);
		errno = err;
		return false;
	}
	close(fd);
	return true;
}

/* a0: device path template or 0xb/0xc for block/char by major:minor;
 * every '#' in the template is replaced by a decimal digit taken from a1. */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	if (a0 == 0xc || a0 == 0xb) {
		char buf[128];
		sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
		return open(buf, O_RDWR, 0);
	} else {
		char buf[1024];
		char* hash;
		strncpy(buf, (char*)a0, sizeof(buf) - 1);
		buf[sizeof(buf) - 1] = 0;
		while ((hash = strchr(buf, '#'))) {
			*hash = '0' + (char)(a1 % 10);
			a1 /= 10;
		}
		return open(buf, a2, 0);
	}
}

static void setup_common()
{
	if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
	}
}

static void setup_binderfs()
{
	if (mkdir("/dev/binderfs", 0777)) {
	}
	if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
	}
	if (symlink("/dev/binderfs", "./binderfs")) {
	}
}

static void loop();

static void sandbox_common()
{
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	setsid();
	struct rlimit rlim;
	rlim.rlim_cur = rlim.rlim_max = (200 << 20);
	setrlimit(RLIMIT_AS, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 32 << 20;
	setrlimit(RLIMIT_MEMLOCK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 136 << 20;
	setrlimit(RLIMIT_FSIZE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 1 << 20;
	setrlimit(RLIMIT_STACK, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 0;
	setrlimit(RLIMIT_CORE, &rlim);
	rlim.rlim_cur = rlim.rlim_max = 256;
	setrlimit(RLIMIT_NOFILE, &rlim);
	if (unshare(CLONE_NEWNS)) {
	}
	if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
	}
	if (unshare(CLONE_NEWIPC)) {
	}
	if (unshare(0x02000000)) {
	}
	if (unshare(CLONE_NEWUTS)) {
	}
	if (unshare(CLONE_SYSVSEM)) {
	}
	typedef struct {
		const char* name;
		const char* value;
	} sysctl_t;
	static const sysctl_t sysctls[] = {
		{"/proc/sys/kernel/shmmax", "16777216"},
		{"/proc/sys/kernel/shmall", "536870912"},
		{"/proc/sys/kernel/shmmni", "1024"},
		{"/proc/sys/kernel/msgmax", "8192"},
		{"/proc/sys/kernel/msgmni", "1024"},
		{"/proc/sys/kernel/msgmnb", "1024"},
		{"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
	};
	unsigned i;
	for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
		write_file(sysctls[i].name, sysctls[i].value);
}

static int wait_for_loop(int pid)
{
	if (pid < 0)
		exit(1);
	int status = 0;
	while (waitpid(-1, &status, __WALL) != pid) {
	}
	return WEXITSTATUS(status);
}

static void drop_caps(void)
{
	struct __user_cap_header_struct cap_hdr = {};
	struct __user_cap_data_struct cap_data[2] = {};
	cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
	cap_hdr.pid = getpid();
	if (syscall(SYS_capget, &cap_hdr, &cap_data))
		exit(1);
	const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
	cap_data[0].effective &= ~drop;
	cap_data[0].permitted &= ~drop;
	cap_data[0].inheritable &= ~drop;
	if (syscall(SYS_capset, &cap_hdr, &cap_data))
		exit(1);
}

static int do_sandbox_none(void)
{
	if (unshare(CLONE_NEWPID)) {
	}
	int pid = fork();
	if (pid != 0)
		return wait_for_loop(pid);
	setup_common();
	sandbox_common();
	drop_caps();
	if (unshare(CLONE_NEWNET)) {
	}
	setup_binderfs();
	loop();
	exit(1);
}

/* Arm the kernel's fault injection for this thread: the nth injectable
 * call made after this write fails (failslab / fail_page_alloc). */
static int inject_fault(int nth)
{
	int fd;
	fd = open("/proc/thread-self/fail-nth", O_RDWR);
	if (fd == -1)
		exit(1);
	char buf[16];
	sprintf(buf, "%d", nth);
	if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
		exit(1);
	return fd;
}

/* Requires CONFIG_FAULT_INJECTION_DEBUG_FS and a mounted debugfs. */
static void setup_fault()
{
	static struct {
		const char* file;
		const char* val;
		bool fatal;
	} files[] = {
		{"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
		{"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
		{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
		{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
		{"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
	};
	unsigned i;
	for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!write_file(files[i].file, files[i].val)) {
			if (files[i].fatal)
				exit(1);
		}
	}
}

/* r[0]: fd of the DRM device node */
uint64_t r[1] = {0xffffffffffffffff};

void loop(void)
{
	intptr_t res = 0;
	/* open /dev/dri/card<N>, N derived from the second argument of syz_open_dev() */
	memcpy((void*)0x20000540, "/dev/dri/card#\000", 15);
	res = -1;
	res = syz_open_dev(0x20000540, 0x2000000000000000, 0);
	if (res != -1)
		r[0] = res;
	/* struct drm_mode_create_dumb: height = 7, width = 0xfc000, bpp = 0xc39, flags = 0 */
	*(uint32_t*)0x20000180 = 7;
	*(uint32_t*)0x20000184 = 0xfc000;
	*(uint32_t*)0x20000188 = 0xc39;
	*(uint32_t*)0x2000018c = 0;
	/* the 20th injectable allocation inside the ioctl below fails; the
	 * "Freed by" stack shows that failure landing in ttm_bo_init_reserved() */
	inject_fault(20);
	/* DRM_IOCTL_MODE_CREATE_DUMB */
	syscall(__NR_ioctl, r[0], 0xc02064b2, 0x20000180ul);

}
int main(void)
{
	/* syzkaller's fixed data area; the ioctl argument and path live at 0x20000000+ */
	syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
	syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
	setup_fault();
	do_sandbox_none();
	return 0;
}
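Read together, the three stacks in the report describe one ownership mistake on an error path: the object kzalloc'd at drm_gem_vram_helper.c:131 is freed while ttm_bo_init() is still unwinding (ttm_bo_init_reserved() drops the reference it holds with ttm_bo_put(), and the release path frees the embedding object), after which drm_gem_vram_init() still calls drm_gem_object_release() on it (the use-after-free read at line 106) and drm_gem_vram_create() kfree()s it once more (the invalid free at line 142). The reproducer reaches that path by arming fault injection (fail_nth: 20) so that an allocation inside the ioctl fails. The following program is an added userland model of that pattern; it is not kernel code and not part of the report. struct bo, struct vram_object, bo_init(), vram_destroy(), gem_release() and the slab_* helpers are hypothetical stand-ins for ttm_buffer_object, drm_gem_vram_object, ttm_bo_init(), the TTM destroy callback, drm_gem_object_release() and the slab allocator with KASAN's bookkeeping; the failure is injected with a flag instead of failslab. vram_create_buggy() reproduces the double cleanup the stacks show, vram_create_fixed() the form in which the caller treats the object as consumed once bo_init() has been entered.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for struct ttm_buffer_object and the drm_gem_vram_object
 * that embeds it; destroy() is the callback run when the last reference drops. */
struct bo { int refcount; void (*destroy)(struct bo *); };
struct vram_object { struct bo bo; int gem_state; };

#define vram_of_bo(b) ((struct vram_object *)((char *)(b) - offsetof(struct vram_object, bo)))

/* One-slot slab plus KASAN-style bookkeeping: a free of a dead slot or a use of
 * a dead slot is counted instead of being undefined behaviour. */
static struct vram_object slab;
static bool slab_live;
static int n_free, n_invalid_free, n_use_after_free;

static struct vram_object *slab_alloc(void)
{
	slab_live = true;
	return memset(&slab, 0, sizeof slab);
}

static void slab_free(struct vram_object *g)
{
	n_invalid_free += (g != &slab || !slab_live);	/* KASAN: double-free or invalid-free */
	slab_live = false;
	n_free++;
}

static void bo_put(struct bo *bo)
{
	if (--bo->refcount == 0)
		bo->destroy(bo);
}

/* Stand-in for drm_gem_object_release(): it reads the container, so running it
 * on a freed container is the use-after-free the report shows. */
static void gem_release(struct vram_object *g)
{
	if (slab_live)
		g->gem_state = 0;
	else
		n_use_after_free++;	/* KASAN: use-after-free Read */
}

/* Destroy callback: release the GEM side, then free the embedding object. */
static void vram_destroy(struct bo *bo)
{
	gem_release(vram_of_bo(bo));
	slab_free(vram_of_bo(bo));
}

/* Stand-in for ttm_bo_init(): the bo owns its container from here on. On failure
 * it drops the reference it holds, which runs destroy() and frees the container. */
static int bo_init(struct bo *bo, void (*destroy)(struct bo *), bool fail)
{
	bo->refcount = 1;
	bo->destroy = destroy;
	if (fail)
		bo_put(bo);	/* drops the only reference: destroy() frees the container */
	return fail ? -ENOMEM : 0;
}

/* The shape the three stacks describe: the caller cleans up an object that
 * the destroy callback has already released and freed. */
static struct vram_object *vram_create_buggy(bool fail_bo_init)
{
	struct vram_object *g = slab_alloc();
	g->gem_state = 1;
	if (bo_init(&g->bo, vram_destroy, fail_bo_init)) {
		gem_release(g);	/* use-after-free */
		slab_free(g);	/* double free */
		return NULL;
	}
	return g;
}

/* Hardened: once bo_init() has been entered, a failure means destroy() has
 * already released and freed g, so the caller must not touch it again. */
static struct vram_object *vram_create_fixed(bool fail_bo_init)
{
	struct vram_object *g = slab_alloc();
	g->gem_state = 1;
	return bo_init(&g->bo, vram_destroy, fail_bo_init) ? NULL : g;
}

/* Run one create path plus normal teardown; return how many KASAN-style
 * violations (invalid frees + uses after free) the path produced. */
static int run(struct vram_object *(*create)(bool), bool fail)
{
	n_free = n_invalid_free = n_use_after_free = 0;
	struct vram_object *g = create(fail);
	if (g)
		bo_put(&g->bo);
	return n_invalid_free + n_use_after_free;
}
```

Calling run(vram_create_buggy, true) yields one use-after-free and one invalid free with the slot freed twice, exactly the pair of KASAN reports above; run(vram_create_fixed, true) yields no violation and a single free, and both paths are clean when bo_init() succeeds. The discipline the model enforces is the one the stacks point at for the real code: once ttm_bo_init() has been handed the BO, a non-zero return means the destroy callback has already run, so neither the error label in drm_gem_vram_init() nor the kfree() at drm_gem_vram_helper.c:142 may touch the gbo again.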