BUG: unable to handle kernel paging request in drm_fb_helper_damage_work

From: Hao Sun
Date: Mon Sep 20 2021 - 08:55:24 EST


Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 4357f03d6611 Merge tag 'pm-5.15-rc2
git tree: upstream
console output:
https://drive.google.com/file/d/13NUxvBLIswpoS8NOOAaq9PjOKgTYN19K/view?usp=sharing
kernel config: https://drive.google.com/file/d/1HKZtF_s3l6PL3OoQbNq_ei9CdBus-Tz0/view?usp=sharing

Sorry, I don't have a reproducer for this crash, hope the symbolized
report can help.
If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th@xxxxxxxxx>

BUG: unable to handle page fault for address: ffffc90003d79000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 8c00067 P4D 8c00067 PUD 8d63067 PMD 104409067 PTE 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 2 PID: 3032 Comm: kworker/2:2 Not tainted 5.15.0-rc1+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Workqueue: events drm_fb_helper_damage_work
RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
RIP: 0010:memcpy_toio+0x48/0xa0 arch/x86/lib/iomem.c:57
Code: 01 75 41 e8 4a 0d 04 ff 49 83 fc 01 76 0a e8 3f 0d 04 ff f6 c3
02 75 44 e8 35 0d 04 ff 4c 89 e1 48 89 df 48 89 ee 48 c1 e9 02 <f3> a5
41 f6 c4 02 74 02 66 a5 41 f6 c4 01 74 01 a4 5b 5d 41 5c e9
RSP: 0018:ffffc9000088fda8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffffc90005aff000 RCX: 0000000000000100
RDX: ffff88800f132240 RSI: ffffc90003d79000 RDI: ffffc90005b00000
RBP: ffffc90003d78000 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc9000088fdc8 R11: 0000000000000004 R12: 0000000000001400
R13: ffff888101fc7000 R14: 00000000000002ff R15: ffffc90003d78000
FS: 0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90003d79000 CR3: 000000010ea77000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
dma_buf_map_memcpy_to include/linux/dma-buf-map.h:245 [inline]
drm_fb_helper_damage_blit_real drivers/gpu/drm/drm_fb_helper.c:388 [inline]
drm_fb_helper_damage_blit drivers/gpu/drm/drm_fb_helper.c:419 [inline]
drm_fb_helper_damage_work+0x30e/0x380 drivers/gpu/drm/drm_fb_helper.c:450
process_one_work+0x359/0x850 kernel/workqueue.c:2297
worker_thread+0x41/0x4d0 kernel/workqueue.c:2444
kthread+0x178/0x1b0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: ffffc90003d79000
---[ end trace e1f0ecb0884517c4 ]---
RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
RIP: 0010:memcpy_toio+0x48/0xa0 arch/x86/lib/iomem.c:57
Code: 01 75 41 e8 4a 0d 04 ff 49 83 fc 01 76 0a e8 3f 0d 04 ff f6 c3
02 75 44 e8 35 0d 04 ff 4c 89 e1 48 89 df 48 89 ee 48 c1 e9 02 <f3> a5
41 f6 c4 02 74 02 66 a5 41 f6 c4 01 74 01 a4 5b 5d 41 5c e9
RSP: 0018:ffffc9000088fda8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffffc90005aff000 RCX: 0000000000000100
RDX: ffff88800f132240 RSI: ffffc90003d79000 RDI: ffffc90005b00000
RBP: ffffc90003d78000 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc9000088fdc8 R11: 0000000000000004 R12: 0000000000001400
R13: ffff888101fc7000 R14: 00000000000002ff R15: ffffc90003d78000
FS: 0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90003d79000 CR3: 000000010ea77000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
0: 01 75 41 add %esi,0x41(%rbp)
3: e8 4a 0d 04 ff callq 0xff040d52
8: 49 83 fc 01 cmp $0x1,%r12
c: 76 0a jbe 0x18
e: e8 3f 0d 04 ff callq 0xff040d52
13: f6 c3 02 test $0x2,%bl
16: 75 44 jne 0x5c
18: e8 35 0d 04 ff callq 0xff040d52
1d: 4c 89 e1 mov %r12,%rcx
20: 48 89 df mov %rbx,%rdi
23: 48 89 ee mov %rbp,%rsi
26: 48 c1 e9 02 shr $0x2,%rcx
* 2a: f3 a5 rep movsl %ds:(%rsi),%es:(%rdi) <-- trapping instruction
2c: 41 f6 c4 02 test $0x2,%r12b
30: 74 02 je 0x34
32: 66 a5 movsw %ds:(%rsi),%es:(%rdi)
34: 41 f6 c4 01 test $0x1,%r12b
38: 74 01 je 0x3b
3a: a4 movsb %ds:(%rsi),%es:(%rdi)
3b: 5b pop %rbx
3c: 5d pop %rbp
3d: 41 5c pop %r12
3f: e9 .byte 0xe9
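Reading the register dump by hand is error-prone, so here is an added Python triage helper (not part of the report above) that pulls the registers out of the oops text and works out which operand of the trapping `rep movsl` faulted and how far the copy had progressed. It assumes the x86 `rep movs` convention (RSI = source, RDI = destination, RCX = dwords remaining) and, as the disassembly shows, that R12 still holds the byte count passed to memcpy_toio while RBP and RBX hold the original source and destination.

```python
import re

# Register lines copied from the oops above (Code: and trace lines left out).
OOPS = """\
BUG: unable to handle page fault for address: ffffc90003d79000
#PF: supervisor read access in kernel mode
RIP: 0010:memcpy_toio+0x48/0xa0 arch/x86/lib/iomem.c:57
RAX: 0000000000000000 RBX: ffffc90005aff000 RCX: 0000000000000100
RDX: ffff88800f132240 RSI: ffffc90003d79000 RDI: ffffc90005b00000
RBP: ffffc90003d78000 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc9000088fdc8 R11: 0000000000000004 R12: 0000000000001400
CR2: ffffc90003d79000 CR3: 000000010ea77000 CR4: 0000000000750ee0
"""

# Matches the 64-bit general-purpose and control registers; RIP is not
# included because it carries a symbol, not a bare hex value.
REG_RE = re.compile(r"\b(R[ABCD]X|RSI|RDI|RBP|RSP|R\d{2}|CR\d): ([0-9a-f]{16})")


def parse_regs(oops: str) -> dict:
    """Return {register name: int} for every register printed in the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(oops)}


def fault_access(oops: str) -> str:
    """'read' or 'write' from the #PF line, 'unknown' if absent."""
    m = re.search(r"#PF: supervisor (read|write) access", oops)
    return m.group(1) if m else "unknown"


def triage_rep_movs(oops: str, page: int = 0x1000) -> dict:
    """Explain a fault inside rep movsl: faulting operand, progress, remainder.

    Assumes RSI=src, RDI=dst, RCX=dwords left, R12=total byte length and that
    RBP/RBX still hold the original src/dst (true for the memcpy_toio code above).
    """
    r = parse_regs(oops)
    cr2 = r["CR2"]
    operand = {r["RSI"]: "source (RSI)", r["RDI"]: "destination (RDI)"}.get(cr2, "neither")
    remaining = r["RCX"] * 4            # rep movsl moves 4 bytes per count
    copied = r["R12"] - remaining       # bytes already moved before the fault
    src_start, dst_start = r["RSI"] - copied, r["RDI"] - copied
    return {
        "access": fault_access(oops),
        "faulting_operand": operand,
        "bytes_copied": copied,
        "bytes_remaining": remaining,
        "src_start_matches_rbp": src_start == r["RBP"],
        "dst_start_matches_rbx": dst_start == r["RBX"],
        "fault_at_page_boundary": cr2 % page == 0,
        "src_pages_crossed": (cr2 - src_start) // page,
    }
```

For this dump it reports a read fault on the source operand exactly 0x1000 bytes (one page) past the source buffer in RBP, with 0x400 bytes still to copy: the blit read off the end of the mapped part of the source buffer rather than faulting on the I/O destination.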