2022-05-14 02:54:45

by kernel test robot

Subject: [drm/edid] 79f006f54e: BUG:KASAN:slab-out-of-bounds_in_drm_do_get_edid

Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: 79f006f54ebc731ff94815818a0c105f00dda9e2 ("drm/edid: add HF-EEODB support to EDID read and allocation")
git://people.freedesktop.org/~jani/drm edid-hfeeodb-2022-05-06

in testcase: trinity
version: trinity-static-i386-x86_64-f93256fb_2019-08-28
with following parameters:

runtime: 300s
group: group-02

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):

If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <[email protected]>

[ 22.512401][ T287] [drm] Found bochs VGA, ID 0xb0c5.
[ 22.513222][ T287] [drm] Framebuffer size 16384 kB @ 0xfd000000, mmio @ 0xfebf0000.
[ 22.544214][ T287] ==================================================================
[ 22.545294][ T287] BUG: KASAN: slab-out-of-bounds in _drm_do_get_edid+0x772/0x800 [drm]
[ 22.546388][ T287] Read of size 1 at addr ffff88817ea50f00 by task modprobe/287
[ 22.547338][ T287]
[ 22.547694][ T287] CPU: 0 PID: 287 Comm: modprobe Not tainted 5.18.0-rc5-01322-g79f006f54ebc #1
[ 22.548946][ T287] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 22.550241][ T287] Call Trace:
[ 22.550669][ T287] <TASK>
[ 22.551059][ T287] ? _drm_do_get_edid+0x772/0x800 [drm]
[ 22.551805][ T287] dump_stack_lvl+0x34/0x44
[ 22.552362][ T287] print_address_description+0x1f/0x200
[ 22.553190][ T287] ? _drm_do_get_edid+0x772/0x800 [drm]
[ 22.553932][ T287] print_report.cold+0x55/0x22c
[ 22.554552][ T287] ? bochs_get_edid_block+0x5c/0xc0 [bochs]
[ 22.555354][ T287] ? _raw_spin_lock_irqsave+0x87/0x100
[ 22.556089][ T287] kasan_report+0xab/0x140
[ 22.556694][ T287] ? _drm_do_get_edid+0x772/0x800 [drm]
[ 22.557461][ T287] _drm_do_get_edid+0x772/0x800 [drm]
[ 22.558212][ T287] ? 0xffffffffc057d000
[ 22.558692][ T287] ? drm_parse_cea_ext+0x1340/0x1340 [drm]
[ 22.559433][ T287] ? __drmm_add_action+0x19e/0x280 [drm]
[ 22.560217][ T287] ? drm_mode_config_cleanup+0x840/0x840 [drm]
[ 22.561108][ T287] bochs_pci_probe+0x5fc/0x900 [bochs]
[ 22.561798][ T287] ? _raw_spin_lock_irqsave+0x87/0x100
[ 22.562448][ T287] ? bochs_hw_init+0x480/0x480 [bochs]
[ 22.563165][ T287] ? bochs_hw_init+0x480/0x480 [bochs]
[ 22.563912][ T287] local_pci_probe+0xdf/0x180
[ 22.564496][ T287] pci_call_probe+0x15f/0x500
[ 22.565125][ T287] ? _raw_spin_lock+0x81/0x100
[ 22.565750][ T287] ? pci_pm_suspend_noirq+0x980/0x980
[ 22.566445][ T287] ? pci_assign_irq+0x81/0x280
[ 22.567030][ T287] ? pci_match_device+0x351/0x6c0
[ 22.567669][ T287] ? kernfs_put+0x18/0x40
[ 22.568202][ T287] pci_device_probe+0xee/0x240
[ 22.568806][ T287] ? pci_dma_configure+0x57/0x100
[ 22.569466][ T287] really_probe+0x3d7/0xa40
[ 22.570059][ T287] __driver_probe_device+0x2ab/0x480
[ 22.570740][ T287] driver_probe_device+0x49/0x140
[ 22.571407][ T287] __driver_attach+0x1bd/0x440
[ 22.572069][ T287] ? __device_attach_driver+0x240/0x240
[ 22.572803][ T287] bus_for_each_dev+0x11e/0x1c0
[ 22.573549][ T287] ? subsys_dev_iter_exit+0x40/0x40
[ 22.574234][ T287] ? klist_add_tail+0x132/0x280
[ 22.574900][ T287] bus_add_driver+0x39c/0x580
[ 22.575515][ T287] driver_register+0x20f/0x3c0
[ 22.576135][ T287] ? 0xffffffffc0417000
[ 22.576686][ T287] do_one_initcall+0x8a/0x300
[ 22.577330][ T287] ? trace_event_raw_event_initcall_level+0x1c0/0x1c0
[ 22.578212][ T287] ? kasan_unpoison+0x23/0x80
[ 22.578785][ T287] ? kasan_unpoison+0x23/0x80
[ 22.579404][ T287] do_init_module+0x190/0x700
[ 22.580032][ T287] __do_sys_init_module+0x19c/0x280
[ 22.580724][ T287] ? load_module+0x21c0/0x21c0
[ 22.581337][ T287] ? ksys_write+0xed/0x1c0
[ 22.581912][ T287] ? __ia32_sys_read+0xc0/0xc0
[ 22.582570][ T287] ? up_read+0x15/0xc0
[ 22.583108][ T287] ? do_user_addr_fault+0x320/0xd80
[ 22.583780][ T287] __do_fast_syscall_32+0x6b/0x100
[ 22.584455][ T287] do_fast_syscall_32+0x2f/0x80
[ 22.585110][ T287] entry_SYSENTER_compat_after_hwframe+0x4d/0x5f
[ 22.585935][ T287] RIP: 0023:0xf7f02549
[ 22.586468][ T287] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
[ 22.589058][ T287] RSP: 002b:00000000fffbe910 EFLAGS: 00000206 ORIG_RAX: 0000000000000080
[ 22.590113][ T287] RAX: ffffffffffffffda RBX: 00000000f7d31000 RCX: 0000000000021411
[ 22.591159][ T287] RDX: 000000000971ea58 RSI: 0000000000000008 RDI: 000000000971ecc0
[ 22.592236][ T287] RBP: 00000000fffbeaa4 R08: 0000000000000000 R09: 0000000000000000
[ 22.593301][ T287] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 22.594323][ T287] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 22.595350][ T287] </TASK>
[ 22.595748][ T287]
[ 22.596053][ T287] Allocated by task 0:
[ 22.596589][ T287] (stack is not available)
[ 22.597200][ T287]
[ 22.597511][ T287] The buggy address belongs to the object at ffff88817ea50e00
[ 22.597511][ T287] which belongs to the cache kmalloc-256 of size 256
[ 22.599347][ T287] The buggy address is located 0 bytes to the right of
[ 22.599347][ T287] 256-byte region [ffff88817ea50e00, ffff88817ea50f00)
[ 22.601138][ T287]
[ 22.601429][ T287] The buggy address belongs to the physical page:
[ 22.602194][ T287] page:0000000022c9ca38 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17ea50
[ 22.603431][ T287] head:0000000022c9ca38 order:1 compound_mapcount:0 compound_pincount:0
[ 22.604485][ T287] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 22.605560][ T287] raw: 0017ffffc0010200 0000000000000000 dead000000000122 ffff888100041b40
[ 22.606673][ T287] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 22.607800][ T287] page dumped because: kasan: bad access detected
[ 22.608608][ T287] page_owner tracks the page as allocated
[ 22.609343][ T287] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 287, tgid 287 (modprobe), ts 22419443559, free_ts 22411920920
[ 22.611966][ T287] get_page_from_freelist+0x6bd/0xc80
[ 22.612689][ T287] __alloc_pages+0x1bb/0x440
[ 22.613508][ T287] allocate_slab+0x332/0x440
[ 22.614026][ T287] ___slab_alloc+0x439/0x500
[ 22.614543][ T287] kmem_cache_alloc_trace+0x291/0x300
[ 22.615208][ T287] device_add+0x65b/0x1540
[ 22.615779][ T287] device_create_groups_vargs+0x1c9/0x240
[ 22.616534][ T287] device_create_with_groups+0x9c/0x100
[ 22.617295][ T287] do_register_con_driver+0x328/0x540
[ 22.618030][ T287] do_take_over_console+0x1d/0x40
[ 22.618706][ T287] vga_remove_vgacon.cold+0x41/0x67
[ 22.619383][ T287] bochs_pci_probe+0xdd/0x900 [bochs]
[ 22.620095][ T287] local_pci_probe+0xdf/0x180
[ 22.620717][ T287] pci_call_probe+0x15f/0x500
[ 22.621471][ T287] pci_device_probe+0xee/0x240
[ 22.622277][ T287] really_probe+0x3d7/0xa40
[ 22.623053][ T287] page last free stack trace:
[ 22.623801][ T287] free_pcp_prepare+0x2db/0x7c0
[ 22.624468][ T287] free_unref_page+0x4a/0x300
[ 22.625129][ T287] __mmdrop+0xbe/0x380
[ 22.625853][ T287] finish_task_switch+0x4e9/0x740
[ 22.626811][ T287] __schedule+0x621/0x1480
[ 22.627532][ T287] schedule+0xea/0x240
[ 22.628143][ T287] exit_to_user_mode_loop+0x69/0x140
[ 22.628845][ T287] exit_to_user_mode_prepare+0x89/0x100
[ 22.629517][ T287] syscall_exit_to_user_mode+0x12/0x40
[ 22.630237][ T287] __do_fast_syscall_32+0x78/0x100
[ 22.630889][ T287] do_fast_syscall_32+0x2f/0x80
[ 22.631506][ T287] entry_SYSENTER_compat_after_hwframe+0x4d/0x5f
[ 22.632350][ T287]
[ 22.632671][ T287] Memory state around the buggy address:
[ 22.633471][ T287] ffff88817ea50e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.634481][ T287] ffff88817ea50e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 22.635456][ T287] >ffff88817ea50f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.636499][ T287] ^
[ 22.637060][ T287] ffff88817ea50f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 22.638095][ T287] ffff88817ea51000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 22.639114][ T287] ==================================================================
[ 22.640207][ T287] Disabling lock debugging due to kernel taint
[ 22.641050][ T287] [drm] Found EDID data blob.
[ 22.645383][ T287] [drm] Initialized bochs-drm 1.0.0 20130925 for 0000:00:02.0 on minor 0

To reproduce:

# build kernel
cd linux
cp config-5.18.0-rc5-01322-g79f006f54ebc .config
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

# if you come across any failure that blocks the test,
# please remove the ~/.lkp and /lkp dirs to run from a clean state.

--
0-DAY CI Kernel Test Service
https://01.org/lkp

Attachments:
(No filename) (9.77 kB)
config-5.18.0-rc5-01322-g79f006f54ebc (168.70 kB)
job-script (4.44 kB)
dmesg.xz (14.36 kB)