lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200824150650.GD21321@char.us.oracle.com>
Date:   Mon, 24 Aug 2020 11:06:51 -0400
From:   Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>
To:     syzbot <syzbot+3f86afd0b1e4bf1cb64c@...kaller.appspotmail.com>,
        thomas.tai@...cle.com, airlied@...hat.com, kraxel@...hat.com,
        virtualization@...ts.linux-foundation.org,
        dri-devel@...ts.freedesktop.org
Cc:     hch@....de, iommu@...ts.linux-foundation.org,
        linux-kernel@...r.kernel.org, m.szyprowski@...sung.com,
        robin.murphy@....com, syzkaller-bugs@...glegroups.com
Subject: Is: virtio_gpu_object_shmem_init  issues? Was:Re: upstream boot
 error: general protection fault in swiotlb_map

On Thu, Aug 06, 2020 at 03:46:23AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    47ec5303 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16fe1dea900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=7c06047f622c5724
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f86afd0b1e4bf1cb64c
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f86afd0b1e4bf1cb64c@...kaller.appspotmail.com
> 
> ceph: loaded (mds proto 32)
> NET: Registered protocol family 38
> async_tx: api initialized (async)
> Key type asymmetric registered
> Asymmetric key parser 'x509' registered
> Asymmetric key parser 'pkcs8' registered
> Key type pkcs7_test registered
> Asymmetric key parser 'tpm_parser' registered
> Block layer SCSI generic (bsg) driver version 0.4 loaded (major 243)
> io scheduler mq-deadline registered
> io scheduler kyber registered
> io scheduler bfq registered
> hgafb: HGA card not detected.
> hgafb: probe of hgafb.0 failed with error -22
> usbcore: registered new interface driver udlfb
> uvesafb: failed to execute /sbin/v86d
> uvesafb: make sure that the v86d helper is installed and executable
> uvesafb: Getting VBE info block failed (eax=0x4f00, err=-2)
> uvesafb: vbe_init() failed with -22
> uvesafb: probe of uvesafb.0 failed with error -22
> vga16fb: mapped to 0x000000008aac772d
> Console: switching to colour frame buffer device 80x30
> fb0: VGA16 VGA frame buffer device
> input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
> ACPI: Power Button [PWRF]
> ioatdma: Intel(R) QuickData Technology Driver 5.00
> PCI Interrupt Link [GSIF] enabled at IRQ 21
> PCI Interrupt Link [GSIG] enabled at IRQ 22
> PCI Interrupt Link [GSIH] enabled at IRQ 23
> N_HDLC line discipline registered with maxframe=4096
> Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
> 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
> Cyclades driver 2.6
> Initializing Nozomi driver 2.1d
> RocketPort device driver module, version 2.09, 12-June-2003
> No rocketport ports found; unloading driver
> Non-volatile memory driver v1.3
> Linux agpgart interface v0.103
> [drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
> [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
> usbcore: registered new interface driver udl
> [drm] pci: virtio-vga detected at 0000:00:01.0
> fb0: switching to virtiodrmfb from VGA16 VGA
> Console: switching to colour VGA+ 80x25
> virtio-pci 0000:00:01.0: vgaarb: deactivate vga console
> Console: switching to colour dummy device 80x25
> [drm] features: -virgl +edid
> [drm] number of scanouts: 1
> [drm] number of cap sets: 0
> [drm] Initialized virtio_gpu 0.1.0 0 for virtio0 on minor 2
> general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-syzkaller #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
> Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
> RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
> RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
> RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
> FS:  0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  dma_direct_map_page include/linux/dma-direct.h:170 [inline]
>  dma_direct_map_sg+0x3bb/0x670 kernel/dma/direct.c:368
>  dma_map_sg_attrs+0xd0/0x160 kernel/dma/mapping.c:183
>  drm_gem_shmem_get_pages_sgt drivers/gpu/drm/drm_gem_shmem_helper.c:700 [inline]
>  drm_gem_shmem_get_pages_sgt+0x1fc/0x310 drivers/gpu/drm/drm_gem_shmem_helper.c:679
>  virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:153 [inline]
>  virtio_gpu_object_create+0x2fd/0xa70 drivers/gpu/drm/virtio/virtgpu_object.c:232
>  virtio_gpu_gem_create drivers/gpu/drm/virtio/virtgpu_gem.c:45 [inline]
>  virtio_gpu_mode_dumb_create+0x298/0x530 drivers/gpu/drm/virtio/virtgpu_gem.c:85
>  drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
>  drm_client_buffer_create drivers/gpu/drm/drm_client.c:267 [inline]
>  drm_client_framebuffer_create+0x1b7/0x770 drivers/gpu/drm/drm_client.c:412
>  drm_fb_helper_generic_probe+0x1e5/0x810 drivers/gpu/drm/drm_fb_helper.c:2086
>  drm_fb_helper_single_fb_probe drivers/gpu/drm/drm_fb_helper.c:1635 [inline]
>  __drm_fb_helper_initial_config_and_unlock+0xbc6/0x12d0 drivers/gpu/drm/drm_fb_helper.c:1793
>  drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1888 [inline]
>  drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1880 [inline]
>  drm_fbdev_client_hotplug+0x2d4/0x580 drivers/gpu/drm/drm_fb_helper.c:2180
>  drm_fbdev_generic_setup+0x1c8/0x450 drivers/gpu/drm/drm_fb_helper.c:2262
>  virtio_gpu_probe+0x28f/0x2e0 drivers/gpu/drm/virtio/virtgpu_drv.c:127
>  virtio_dev_probe+0x445/0x6f0 drivers/virtio/virtio.c:248
>  really_probe+0x282/0x9f0 drivers/base/dd.c:553
>  driver_probe_device+0xfe/0x1d0 drivers/base/dd.c:738
>  device_driver_attach+0x228/0x290 drivers/base/dd.c:1013
>  __driver_attach drivers/base/dd.c:1090 [inline]
>  __driver_attach+0xda/0x240 drivers/base/dd.c:1044
>  bus_for_each_dev+0x147/0x1d0 drivers/base/bus.c:305
>  bus_add_driver+0x348/0x5a0 drivers/base/bus.c:622
>  driver_register+0x220/0x3a0 drivers/base/driver.c:171
>  do_one_initcall+0x10a/0x7b0 init/main.c:1201
>  do_initcall_level init/main.c:1274 [inline]
>  do_initcalls init/main.c:1290 [inline]
>  do_basic_setup init/main.c:1310 [inline]
>  kernel_init_freeable+0x589/0x638 init/main.c:1505
>  kernel_init+0xd/0x1c0 init/main.c:1399
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
> Modules linked in:
> ---[ end trace 11a290451cfd19ed ]---
> RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
> Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
> RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
> RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
> RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
> FS:  0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

So it fails at

683                 dev_WARN_ONCE(dev, 1,                                           
684                         "swiotlb addr %pad+%zu overflow (mask %llx, bus limit %llx).\n",
685                         &dma_addr, size, *dev->dma_mask, dev->bus_dma_limit);   


which makes no sense to me as `dev` surely exists. I can see in the console log:

virtio-pci 0000:00:01.0: vgaarb: deactivate vga console

So what gives?

Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
is
All code
========
   0:   28 04 00                sub    %al,(%rax,%rax,1)
   3:   00 48 c1                add    %cl,-0x3f(%rax)
   6:   ea                      (bad)
   7:   03 80 3c 02 00 0f       add    0xf00023c(%rax),%eax
   d:   85 4d 01                test   %ecx,0x1(%rbp)
  10:   00 00                   add    %al,(%rax)
  12:   4c 8b a5 18 04 00 00    mov    0x418(%rbp),%r12
  19:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  20:   fc ff df
  23:   4c 89 e2                mov    %r12,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
  2a:*  80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)               <-- trapping instruction
  2e:   0f 85 1e 01 00 00       jne    0x152
  34:   48 8d 7d 50             lea    0x50(%rbp),%rdi
  38:   4d 8b 24 24             mov    (%r12),%r12
  3c:   48                      rex.W
  3d:   b8                      .byte 0xb8

So %r12 was expected to have something valid, put in %rdx, and shifted by three (line 26). Then
we fetch from
base =  0000000000000000 (%rdx) + 0xdffffc0000000000(%rax)* scale 1.

and compare against 0 (if I am reading this right).

No clue here. 

I tried compiling the upstream kernel with the .config mentioned at the top
but sadly I can't find anything that similar to this code to figure out
what exactly it is trying to access and crash.

CC-ing a fellow engineer who is debugging this, but it looks to be related to VirtIO DRM.

> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ