Re: BUG: unable to handle kernel paging request in drm_fb_helper_damage_work
From: Borislav Petkov
Date: Mon Sep 20 2021 - 12:13:16 EST
On Mon, Sep 20, 2021 at 08:55:28PM +0800, Hao Sun wrote:
> Hello,
>
> When using Healer to fuzz the latest Linux kernel, the following crash
Your Healer thing - or whatever that next automated thing is which is
trying to be smart - is not CCing the proper people:
$ ./scripts/get_maintainer.pl -f drivers/gpu/drm/drm_fb_helper.c --no-rolestats
Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>
Maxime Ripard <mripard@xxxxxxxxxx>
Thomas Zimmermann <tzimmermann@xxxxxxx>
David Airlie <airlied@xxxxxxxx>
Daniel Vetter <daniel@xxxxxxxx>
dri-devel@xxxxxxxxxxxxxxxxxxxxx
linux-kernel@xxxxxxxxxxxxxxx
I'll Cc them now but you should fix it.
The syzcaller mails at least Cc more people and I'm sure you can figure
out how to do that when you have the stack trace and get_maintainer.pl.
> was triggered.
>
> HEAD commit: 4357f03d6611 Merge tag 'pm-5.15-rc2
> git tree: upstream
> console output:
> https://drive.google.com/file/d/13NUxvBLIswpoS8NOOAaq9PjOKgTYN19K/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1HKZtF_s3l6PL3OoQbNq_ei9CdBus-Tz0/view?usp=sharing
>
> Sorry, I don't have a reproducer for this crash, hope the symbolized
> report can help.
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Hao Sun <sunhao.th@xxxxxxxxx>
>
> BUG: unable to handle page fault for address: ffffc90003d79000
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 8c00067 P4D 8c00067 PUD 8d63067 PMD 104409067 PTE 0
> Oops: 0000 [#1] PREEMPT SMP
> CPU: 2 PID: 3032 Comm: kworker/2:2 Not tainted 5.15.0-rc1+ #19
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> Workqueue: events drm_fb_helper_damage_work
> RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
> RIP: 0010:memcpy_toio+0x48/0xa0 arch/x86/lib/iomem.c:57
> Code: 01 75 41 e8 4a 0d 04 ff 49 83 fc 01 76 0a e8 3f 0d 04 ff f6 c3
> 02 75 44 e8 35 0d 04 ff 4c 89 e1 48 89 df 48 89 ee 48 c1 e9 02 <f3> a5
> 41 f6 c4 02 74 02 66 a5 41 f6 c4 01 74 01 a4 5b 5d 41 5c e9
> RSP: 0018:ffffc9000088fda8 EFLAGS: 00010206
> RAX: 0000000000000000 RBX: ffffc90005aff000 RCX: 0000000000000100
> RDX: ffff88800f132240 RSI: ffffc90003d79000 RDI: ffffc90005b00000
> RBP: ffffc90003d78000 R08: 0000000000000001 R09: 0000000000000000
> R10: ffffc9000088fdc8 R11: 0000000000000004 R12: 0000000000001400
> R13: ffff888101fc7000 R14: 00000000000002ff R15: ffffc90003d78000
> FS: 0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc90003d79000 CR3: 000000010ea77000 CR4: 0000000000750ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> dma_buf_map_memcpy_to include/linux/dma-buf-map.h:245 [inline]
> drm_fb_helper_damage_blit_real drivers/gpu/drm/drm_fb_helper.c:388 [inline]
> drm_fb_helper_damage_blit drivers/gpu/drm/drm_fb_helper.c:419 [inline]
> drm_fb_helper_damage_work+0x30e/0x380 drivers/gpu/drm/drm_fb_helper.c:450
> process_one_work+0x359/0x850 kernel/workqueue.c:2297
> worker_thread+0x41/0x4d0 kernel/workqueue.c:2444
> kthread+0x178/0x1b0 kernel/kthread.c:319
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
> Modules linked in:
> Dumping ftrace buffer:
> (ftrace buffer empty)
> CR2: ffffc90003d79000
> ---[ end trace e1f0ecb0884517c4 ]---
> RIP: 0010:rep_movs arch/x86/lib/iomem.c:12 [inline]
> RIP: 0010:memcpy_toio+0x48/0xa0 arch/x86/lib/iomem.c:57
> Code: 01 75 41 e8 4a 0d 04 ff 49 83 fc 01 76 0a e8 3f 0d 04 ff f6 c3
> 02 75 44 e8 35 0d 04 ff 4c 89 e1 48 89 df 48 89 ee 48 c1 e9 02 <f3> a5
> 41 f6 c4 02 74 02 66 a5 41 f6 c4 01 74 01 a4 5b 5d 41 5c e9
> RSP: 0018:ffffc9000088fda8 EFLAGS: 00010206
> RAX: 0000000000000000 RBX: ffffc90005aff000 RCX: 0000000000000100
> RDX: ffff88800f132240 RSI: ffffc90003d79000 RDI: ffffc90005b00000
> RBP: ffffc90003d78000 R08: 0000000000000001 R09: 0000000000000000
> R10: ffffc9000088fdc8 R11: 0000000000000004 R12: 0000000000001400
> R13: ffff888101fc7000 R14: 00000000000002ff R15: ffffc90003d78000
> FS: 0000000000000000(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc90003d79000 CR3: 000000010ea77000 CR4: 0000000000750ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> ----------------
> Code disassembly (best guess):
> 0: 01 75 41 add %esi,0x41(%rbp)
> 3: e8 4a 0d 04 ff callq 0xff040d52
> 8: 49 83 fc 01 cmp $0x1,%r12
> c: 76 0a jbe 0x18
> e: e8 3f 0d 04 ff callq 0xff040d52
> 13: f6 c3 02 test $0x2,%bl
> 16: 75 44 jne 0x5c
> 18: e8 35 0d 04 ff callq 0xff040d52
> 1d: 4c 89 e1 mov %r12,%rcx
> 20: 48 89 df mov %rbx,%rdi
> 23: 48 89 ee mov %rbp,%rsi
> 26: 48 c1 e9 02 shr $0x2,%rcx
> * 2a: f3 a5 rep movsl %ds:(%rsi),%es:(%rdi) <--
> trapping instruction
> 2c: 41 f6 c4 02 test $0x2,%r12b
> 30: 74 02 je 0x34
> 32: 66 a5 movsw %ds:(%rsi),%es:(%rdi)
> 34: 41 f6 c4 01 test $0x1,%r12b
> 38: 74 01 je 0x3b
> 3a: a4 movsb %ds:(%rsi),%es:(%rdi)
> 3b: 5b pop %rbx
> 3c: 5d pop %rbp
> 3d: 41 5c pop %r12
> 3f: e9 .byte 0xe9
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette