lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <YUiy6zyQ/7uccnV3@zn.tnic>
Date:   Mon, 20 Sep 2021 18:12:27 +0200
From:   Borislav Petkov <bp@...en8.de>
To:     Hao Sun <sunhao.th@...il.com>
Cc:     hpa@...or.com, mingo@...hat.com, tglx@...utronix.de,
        x86@...nel.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
        Maxime Ripard <mripard@...nel.org>,
        Thomas Zimmermann <tzimmermann@...e.de>,
        David Airlie <airlied@...ux.ie>,
        Daniel Vetter <daniel@...ll.ch>,
        dri-devel@...ts.freedesktop.org
Subject: Re: BUG: unable to handle kernel paging request in
 drm_fb_helper_damage_work

On Mon, Sep 20, 2021 at 08:55:28PM +0800, Hao Sun wrote:
> Hello,
> 
> When using Healer to fuzz the latest Linux kernel, the following crash

Your Healer thing - or whatever that next automated thing is which is
trying to be smart - is not CCing the proper people:

$ ./scripts/get_maintainer.pl -f drivers/gpu/drm/drm_fb_helper.c --no-rolestats
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>
Maxime Ripard <mripard@...nel.org>
Thomas Zimmermann <tzimmermann@...e.de>
David Airlie <airlied@...ux.ie>
Daniel Vetter <daniel@...ll.ch>
dri-devel@...ts.freedesktop.org
linux-kernel@...r.kernel.org

I'll Cc them now but you should fix it.

The syzcaller mails at least Cc more people and I'm sure you can figure
out how to do that when you have the stack trace and get_maintainer.pl.

> was triggered.
> 
> HEAD commit: 4357f03d6611 Merge tag 'pm-5.15-rc2
> git tree: upstream
> console output:
> https://drive.google.com/file/d/13NUxvBLIswpoS8NOOAaq9PjOKgTYN19K/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1HKZtF_s3l6PL3OoQbNq_ei9CdBus-Tz0/view?usp=sharing
> 
> Sorry, I don't have a reproducer for this crash, hope the symbolized
> report can help.
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Hao Sun <sunhao.th@...il.com>
> 
> BUG: unable to handle page fault for address: ffffc90003d79000
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 8c00067 P4D 8c00067 PUD 8d63067 PMD 104409067 PTE 0
> Oops: 0000 [#1] PREEMPT SMP
> CPU: 2 PID: 3032 Comm: kworker/2:2 Not tainted 5.15.0-rc1+ #19
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> Workqueue: events drm_fb_helper_damage_work
> RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
> RIP: 0010:memcpy_toio+0x48/0xa0 arch/x86/lib/iomem.c:57
> Code: 01 75 41 e8 4a 0d 04 ff 49 83 fc 01 76 0a e8 3f 0d 04 ff f6 c3
> 02 75 44 e8 35 0d 04 ff 4c 89 e1 48 89 df 48 89 ee 48 c1 e9 02 <f3> a5
> 41 f6 c4 02 74 02 66 a5 41 f6 c4 01 74 01 a4 5b 5d 41 5c e9
> RSP: 0018:ffffc9000088fda8 EFLAGS: 00010206
> RAX: 0000000000000000 RBX: ffffc90005aff000 RCX: 0000000000000100
> RDX: ffff88800f132240 RSI: ffffc90003d79000 RDI: ffffc90005b00000
> RBP: ffffc90003d78000 R08: 0000000000000001 R09: 0000000000000000
> R10: ffffc9000088fdc8 R11: 0000000000000004 R12: 0000000000001400
> R13: ffff888101fc7000 R14: 00000000000002ff R15: ffffc90003d78000
> FS:  0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc90003d79000 CR3: 000000010ea77000 CR4: 0000000000750ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
>  dma_buf_map_memcpy_to include/linux/dma-buf-map.h:245 [inline]
>  drm_fb_helper_damage_blit_real drivers/gpu/drm/drm_fb_helper.c:388 [inline]
>  drm_fb_helper_damage_blit drivers/gpu/drm/drm_fb_helper.c:419 [inline]
>  drm_fb_helper_damage_work+0x30e/0x380 drivers/gpu/drm/drm_fb_helper.c:450
>  process_one_work+0x359/0x850 kernel/workqueue.c:2297
>  worker_thread+0x41/0x4d0 kernel/workqueue.c:2444
>  kthread+0x178/0x1b0 kernel/kthread.c:319
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
> Modules linked in:
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> CR2: ffffc90003d79000
> ---[ end trace e1f0ecb0884517c4 ]---
> RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
> RIP: 0010:memcpy_toio+0x48/0xa0 arch/x86/lib/iomem.c:57
> Code: 01 75 41 e8 4a 0d 04 ff 49 83 fc 01 76 0a e8 3f 0d 04 ff f6 c3
> 02 75 44 e8 35 0d 04 ff 4c 89 e1 48 89 df 48 89 ee 48 c1 e9 02 <f3> a5
> 41 f6 c4 02 74 02 66 a5 41 f6 c4 01 74 01 a4 5b 5d 41 5c e9
> RSP: 0018:ffffc9000088fda8 EFLAGS: 00010206
> RAX: 0000000000000000 RBX: ffffc90005aff000 RCX: 0000000000000100
> RDX: ffff88800f132240 RSI: ffffc90003d79000 RDI: ffffc90005b00000
> RBP: ffffc90003d78000 R08: 0000000000000001 R09: 0000000000000000
> R10: ffffc9000088fdc8 R11: 0000000000000004 R12: 0000000000001400
> R13: ffff888101fc7000 R14: 00000000000002ff R15: ffffc90003d78000
> FS:  0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc90003d79000 CR3: 000000010ea77000 CR4: 0000000000750ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> ----------------
> Code disassembly (best guess):
>    0:   01 75 41                add    %esi,0x41(%rbp)
>    3:   e8 4a 0d 04 ff          callq  0xff040d52
>    8:   49 83 fc 01             cmp    $0x1,%r12
>    c:   76 0a                   jbe    0x18
>    e:   e8 3f 0d 04 ff          callq  0xff040d52
>   13:   f6 c3 02                test   $0x2,%bl
>   16:   75 44                   jne    0x5c
>   18:   e8 35 0d 04 ff          callq  0xff040d52
>   1d:   4c 89 e1                mov    %r12,%rcx
>   20:   48 89 df                mov    %rbx,%rdi
>   23:   48 89 ee                mov    %rbp,%rsi
>   26:   48 c1 e9 02             shr    $0x2,%rcx
> * 2a:   f3 a5                   rep movsl %ds:(%rsi),%es:(%rdi) <--
> trapping instruction
>   2c:   41 f6 c4 02             test   $0x2,%r12b
>   30:   74 02                   je     0x34
>   32:   66 a5                   movsw  %ds:(%rsi),%es:(%rdi)
>   34:   41 f6 c4 01             test   $0x1,%r12b
>   38:   74 01                   je     0x3b
>   3a:   a4                      movsb  %ds:(%rsi),%es:(%rdi)
>   3b:   5b                      pop    %rbx
>   3c:   5d                      pop    %rbp
>   3d:   41 5c                   pop    %r12
>   3f:   e9                      .byte 0xe9

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ