[syzbot] [dri?] divide error in drm_mode_debug_printmodeline
46 views
Skip to first unread message
syzbot
Nov 15, 2023, 4:34:25 AM11/15/23
to air...@gmail.com, air...@linux.ie, daniel...@ffwll.ch, daniel...@intel.com, dan...@ffwll.ch, dri-...@lists.freedesktop.org, linux-...@vger.kernel.org, maarten....@linux.intel.com, melis...@gmail.com, mri...@kernel.org, syzkall...@googlegroups.com, tzimm...@suse.de
Hello,
syzbot found the following issue on:
HEAD commit: ac347a0655db Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=101ba588e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11252f97680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10fd2498e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8fcb90d89768/disk-ac347a06.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/360d9341a71c/vmlinux-ac347a06.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a370aa406c63/bzImage-ac347a06.xz
The issue was bisected to:
commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
Author: Daniel Vetter <daniel...@ffwll.ch>
Date: Fri Oct 9 23:21:56 2020 +0000
drm/vkms: fbdev emulation support
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1058223f680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1258223f680000
console output: https://syzkaller.appspot.com/x/log.txt?x=1458223f680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5068 Comm: syz-executor357 Not tainted 6.6.0-syzkaller-16039-gac347a0655db #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
FS: 0000555556932380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 000000007fcff000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6c63dd6729
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcde0dd0e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffcde0dd2b8 RCX: 00007f6c63dd6729
RDX: 0000000020000180 RSI: 00000000c06864a2 RDI: 0000000000000003
RBP: 00007f6c63e49610 R08: 00000000fffff4e6 R09: 00007ffcde0dd2b8
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffcde0dd2a8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
FS: 0000555556932380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000064392c CR3: 000000007fcff000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 41 0f add %al,0xf(%rcx)
3: b7 07 mov $0x7,%bh
5: 66 83 f8 02 cmp $0x2,%ax
9: b9 01 00 00 00 mov $0x1,%ecx
e: 0f 43 c8 cmovae %eax,%ecx
11: 0f b7 c1 movzwl %cx,%eax
14: 0f af e8 imul %eax,%ebp
17: 44 89 f0 mov %r14d,%eax
1a: 48 69 c8 e8 03 00 00 imul $0x3e8,%rax,%rcx
21: 89 e8 mov %ebp,%eax
23: d1 e8 shr %eax
25: 48 01 c8 add %rcx,%rax
28: 31 d2 xor %edx,%edx
* 2a: 48 f7 f5 div %rbp <-- trapping instruction
2d: 49 89 c6 mov %rax,%r14
30: eb 0c jmp 0x3e
32: e8 fb 07 66 fc call 0xfc660832
37: eb 05 jmp 0x3e
39: e8 f4 07 66 fc call 0xfc660832
3e: 48 rex.W
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: ac347a0655db Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=101ba588e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11252f97680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10fd2498e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8fcb90d89768/disk-ac347a06.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/360d9341a71c/vmlinux-ac347a06.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a370aa406c63/bzImage-ac347a06.xz
The issue was bisected to:
commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
Author: Daniel Vetter <daniel...@ffwll.ch>
Date: Fri Oct 9 23:21:56 2020 +0000
drm/vkms: fbdev emulation support
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1058223f680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1258223f680000
console output: https://syzkaller.appspot.com/x/log.txt?x=1458223f680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5068 Comm: syz-executor357 Not tainted 6.6.0-syzkaller-16039-gac347a0655db #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
FS: 0000555556932380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 000000007fcff000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6c63dd6729
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcde0dd0e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffcde0dd2b8 RCX: 00007f6c63dd6729
RDX: 0000000020000180 RSI: 00000000c06864a2 RDI: 0000000000000003
RBP: 00007f6c63e49610 R08: 00000000fffff4e6 R09: 00007ffcde0dd2b8
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffcde0dd2a8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
FS: 0000555556932380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000064392c CR3: 000000007fcff000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 41 0f add %al,0xf(%rcx)
3: b7 07 mov $0x7,%bh
5: 66 83 f8 02 cmp $0x2,%ax
9: b9 01 00 00 00 mov $0x1,%ecx
e: 0f 43 c8 cmovae %eax,%ecx
11: 0f b7 c1 movzwl %cx,%eax
14: 0f af e8 imul %eax,%ebp
17: 44 89 f0 mov %r14d,%eax
1a: 48 69 c8 e8 03 00 00 imul $0x3e8,%rax,%rcx
21: 89 e8 mov %ebp,%eax
23: d1 e8 shr %eax
25: 48 01 c8 add %rcx,%rax
28: 31 d2 xor %edx,%edx
* 2a: 48 f7 f5 div %rbp <-- trapping instruction
2d: 49 89 c6 mov %rax,%r14
30: eb 0c jmp 0x3e
32: e8 fb 07 66 fc call 0xfc660832
37: eb 05 jmp 0x3e
39: e8 f4 07 66 fc call 0xfc660832
3e: 48 rex.W
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Lizhi Xu
Nov 15, 2023, 7:52:02 PM11/15/23
to syzbot+2e93e6...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/include/drm/drm_modes.h b/include/drm/drm_modes.h
index c613f0abe9dc..19e37e92dfaf 100644
--- a/include/drm/drm_modes.h
+++ b/include/drm/drm_modes.h
@@ -422,7 +422,7 @@ struct drm_display_mode {
/**
* DRM_MODE_FMT - printf string for &struct drm_display_mode
*/
-#define DRM_MODE_FMT "\"%s\": %d %d %d %d %d %d %d %d %d %d 0x%x 0x%x"
+#define DRM_MODE_FMT "\"%s\": %llu %d %d %d %d %d %d %d %d %d 0x%x 0x%x"
/**
* DRM_MODE_ARG - printf arguments for &struct drm_display_mode
@@ -526,7 +526,7 @@ static inline int of_get_drm_panel_display_mode(struct device_node *np,
#endif
void drm_mode_set_name(struct drm_display_mode *mode);
-int drm_mode_vrefresh(const struct drm_display_mode *mode);
+long drm_mode_vrefresh(const struct drm_display_mode *mode);
void drm_mode_get_hv_timing(const struct drm_display_mode *mode,
int *hdisplay, int *vdisplay);
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..6f376001728c 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1283,9 +1283,9 @@ EXPORT_SYMBOL(drm_mode_set_name);
* @modes's vrefresh rate in Hz, rounded to the nearest integer. Calculates the
* value first if it is not yet set.
*/
-int drm_mode_vrefresh(const struct drm_display_mode *mode)
+long drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned long num, den;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
diff --git a/include/drm/drm_modes.h b/include/drm/drm_modes.h
index c613f0abe9dc..19e37e92dfaf 100644
--- a/include/drm/drm_modes.h
+++ b/include/drm/drm_modes.h
@@ -422,7 +422,7 @@ struct drm_display_mode {
/**
* DRM_MODE_FMT - printf string for &struct drm_display_mode
*/
-#define DRM_MODE_FMT "\"%s\": %d %d %d %d %d %d %d %d %d %d 0x%x 0x%x"
+#define DRM_MODE_FMT "\"%s\": %llu %d %d %d %d %d %d %d %d %d 0x%x 0x%x"
/**
* DRM_MODE_ARG - printf arguments for &struct drm_display_mode
@@ -526,7 +526,7 @@ static inline int of_get_drm_panel_display_mode(struct device_node *np,
#endif
void drm_mode_set_name(struct drm_display_mode *mode);
-int drm_mode_vrefresh(const struct drm_display_mode *mode);
+long drm_mode_vrefresh(const struct drm_display_mode *mode);
void drm_mode_get_hv_timing(const struct drm_display_mode *mode,
int *hdisplay, int *vdisplay);
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..6f376001728c 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1283,9 +1283,9 @@ EXPORT_SYMBOL(drm_mode_set_name);
* @modes's vrefresh rate in Hz, rounded to the nearest integer. Calculates the
* value first if it is not yet set.
*/
-int drm_mode_vrefresh(const struct drm_display_mode *mode)
+long drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned long num, den;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
syzbot
Nov 15, 2023, 8:24:08 PM11/15/23
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
divide error in drm_mode_debug_printmodeline
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5480 Comm: syz-executor.0 Not tainted 6.6.0-syzkaller-16039-gac347a0655db-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Code: 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 48 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 48 89 e8 48 d1 e8 48 01 c8 89 e9 31 d2 <48> f7 f1 49 89 c0 eb 0f e8 aa 07 66 fc eb 05 e8 a3 07 66 fc 45 31
RSP: 0018:ffffc9000566f8d0 EFLAGS: 00010246
RAX: 000000008001f400 RBX: ffff88802787f400 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000100000000 R08: ffffffff8528ba49 R09: 0000000000000000
R10: ffffc9000566f8a0 R11: fffff52000acdf17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff88802787f416
FS: 00007f4ac5a236c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4ac5a230c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4ac4d9bf80 RCX: 00007f4ac4c7cae9
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f4ac4d9bf80 R15: 00007ffc9a805758
Code: 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 48 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 48 89 e8 48 d1 e8 48 01 c8 89 e9 31 d2 <48> f7 f1 49 89 c0 eb 0f e8 aa 07 66 fc eb 05 e8 a3 07 66 fc 45 31
RSP: 0018:ffffc9000566f8d0 EFLAGS: 00010246
RAX: 000000008001f400 RBX: ffff88802787f400 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000100000000 R08: ffffffff8528ba49 R09: 0000000000000000
R10: ffffc9000566f8a0 R11: fffff52000acdf17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff88802787f416
FS: 00007f4ac5a236c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
4: b9 01 00 00 00 mov $0x1,%ecx
9: 0f 43 c8 cmovae %eax,%ecx
c: 0f b7 c1 movzwl %cx,%eax
f: 48 0f af e8 imul %rax,%rbp
13: 44 89 f0 mov %r14d,%eax
16: 48 69 c8 e8 03 00 00 imul $0x3e8,%rax,%rcx
1d: 48 89 e8 mov %rbp,%rax
20: 48 d1 e8 shr %rax
23: 48 01 c8 add %rcx,%rax
26: 89 e9 mov %ebp,%ecx
2d: 49 89 c0 mov %rax,%r8
30: eb 0f jmp 0x41
32: e8 aa 07 66 fc call 0xfc6607e1
3e: 45 rex.RB
3f: 31 .byte 0x31
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=104993e0e80000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
divide error in drm_mode_debug_printmodeline
divide error: 0000 [#1] PREEMPT SMP KASAN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x129/0x530 drivers/gpu/drm/drm_modes.c:60
Code: 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 48 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 48 89 e8 48 d1 e8 48 01 c8 89 e9 31 d2 <48> f7 f1 49 89 c0 eb 0f e8 aa 07 66 fc eb 05 e8 a3 07 66 fc 45 31
RSP: 0018:ffffc9000566f8d0 EFLAGS: 00010246
RAX: 000000008001f400 RBX: ffff88802787f400 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000100000000 R08: ffffffff8528ba49 R09: 0000000000000000
R10: ffffc9000566f8a0 R11: fffff52000acdf17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff88802787f416
FS: 00007f4ac5a236c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4ac4d980c0 CR3: 0000000072607000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f4ac4c7cae9
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4ac5a230c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4ac4d9bf80 RCX: 00007f4ac4c7cae9
RDX: 0000000020000180 RSI: 00000000c06864a2 RDI: 0000000000000003
RBP: 00007f4ac4cc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f4ac4d9bf80 R15: 00007ffc9a805758
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x129/0x530 drivers/gpu/drm/drm_modes.c:60
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
Code: 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 48 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 48 89 e8 48 d1 e8 48 01 c8 89 e9 31 d2 <48> f7 f1 49 89 c0 eb 0f e8 aa 07 66 fc eb 05 e8 a3 07 66 fc 45 31
RSP: 0018:ffffc9000566f8d0 EFLAGS: 00010246
RAX: 000000008001f400 RBX: ffff88802787f400 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000100000000 R08: ffffffff8528ba49 R09: 0000000000000000
R10: ffffc9000566f8a0 R11: fffff52000acdf17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff88802787f416
FS: 00007f4ac5a236c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd5ec1c008 CR3: 0000000072607000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 66 83 f8 02 cmp $0x2,%ax
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
4: b9 01 00 00 00 mov $0x1,%ecx
9: 0f 43 c8 cmovae %eax,%ecx
c: 0f b7 c1 movzwl %cx,%eax
f: 48 0f af e8 imul %rax,%rbp
13: 44 89 f0 mov %r14d,%eax
16: 48 69 c8 e8 03 00 00 imul $0x3e8,%rax,%rcx
1d: 48 89 e8 mov %rbp,%rax
20: 48 d1 e8 shr %rax
23: 48 01 c8 add %rcx,%rax
26: 89 e9 mov %ebp,%ecx
28: 31 d2 xor %edx,%edx
* 2a: 48 f7 f1 div %rcx <-- trapping instruction
2d: 49 89 c0 mov %rax,%r8
30: eb 0f jmp 0x41
32: e8 aa 07 66 fc call 0xfc6607e1
37: eb 05 jmp 0x3e
39: e8 a3 07 66 fc call 0xfc6607e1
3e: 45 rex.RB
3f: 31 .byte 0x31
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=104993e0e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=111d4b97680000
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Nov 15, 2023, 9:33:59 PM11/15/23
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject:
Author: mazinal...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject:
Author: mazinal...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master
syzbot
Nov 15, 2023, 10:12:08 PM11/15/23
to linux-...@vger.kernel.org, mazinal...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
drivers/gpu/drm/drm_modes.c:1323:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1350:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1422:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1441:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1460:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1475:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1490:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1503:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1510:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1517:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1535:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1578:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1601:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1622:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1631:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1674:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1705:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1730:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1787:1: error: function definition is not allowed here
Tested on:
commit: c42d9eee Merge tag 'hardening-v6.7-rc2' of git://git.k..
git tree: upstream
syzbot tried to test the proposed patch but the build/boot failed:
drivers/gpu/drm/drm_modes.c:1323:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1350:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1422:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1441:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1460:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1475:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1490:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1503:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1510:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1517:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1535:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1578:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1601:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1622:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1631:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1674:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1705:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1730:1: error: function definition is not allowed here
drivers/gpu/drm/drm_modes.c:1787:1: error: function definition is not allowed here
Tested on:
commit: c42d9eee Merge tag 'hardening-v6.7-rc2' of git://git.k..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=104e9338e80000
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Nov 15, 2023, 10:29:40 PM11/15/23
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot
Nov 15, 2023, 11:02:06 PM11/15/23
to linux-...@vger.kernel.org, mazinal...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
gured (established 65536 bind 65536)
syzbot tried to test the proposed patch but the build/boot failed:
[ 4.698580][ T1] MPTCP token hash table entries: 8192 (order: 7, 720896 bytes, vmalloc)
[ 4.706186][ T1] UDP hash table entries: 4096 (order: 7, 655360 bytes, vmalloc)
[ 4.712412][ T1] UDP-Lite hash table entries: 4096 (order: 7, 655360 bytes, vmalloc)
[ 4.716658][ T1] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 4.722357][ T1] RPC: Registered named UNIX socket transport module.
[ 4.724212][ T1] RPC: Registered udp transport module.
[ 4.725069][ T1] RPC: Registered tcp transport module.
[ 4.727091][ T1] RPC: Registered tcp-with-tls transport module.
[ 4.729048][ T1] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 4.737515][ T1] NET: Registered PF_XDP protocol family
[ 4.739697][ T1] pci_bus 0000:00: resource 4 [io 0x0000-0x0cf7 window]
[ 4.741876][ T1] pci_bus 0000:00: resource 5 [io 0x0d00-0xffff window]
[ 4.743898][ T1] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
[ 4.745227][ T1] pci_bus 0000:00: resource 7 [mem 0xc0000000-0xfebfefff window]
[ 4.748706][ T1] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[ 4.750117][ T1] PCI: CLS 0 bytes, default 64
[ 4.759463][ T1] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[ 4.761040][ T1] software IO TLB: mapped [mem 0x00000000b5800000-0x00000000b9800000] (64MB)
[ 4.762515][ T1] ACPI: bus type thunderbolt registered
[ 4.770381][ T60] kworker/u4:2 (60) used greatest stack depth: 26296 bytes left
[ 4.773156][ T1] RAPL PMU: API unit is 2^-32 Joules, 0 fixed counters, 10737418240 ms ovfl timer
[ 4.798952][ T1] kvm_amd: CPU 0 isn't AMD or Hygon
[ 4.800516][ T1] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x1fb6cbb9648, max_idle_ns: 440795209148 ns
[ 4.802622][ T1] clocksource: Switched to clocksource tsc
[ 4.834894][ T74] kworker/u4:4 (74) used greatest stack depth: 25160 bytes left
[ 6.218409][ T1] Initialise system trusted keyrings
[ 6.225315][ T1] workingset: timestamp_bits=40 max_order=21 bucket_order=0
[ 6.234279][ T1] DLM installed
[ 6.238005][ T1] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 6.244851][ T1] NFS: Registering the id_resolver key type
[ 6.246129][ T1] Key type id_resolver registered
[ 6.247316][ T1] Key type id_legacy registered
[ 6.248729][ T1] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[ 6.250443][ T1] nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering...
[ 6.258315][ T1] Key type cifs.spnego registered
[ 6.259636][ T1] Key type cifs.idmap registered
[ 6.260830][ T1] ntfs: driver 2.1.32 [Flags: R/W].
[ 6.261994][ T1] ntfs3: Max link count 4000
[ 6.262684][ T1] ntfs3: Enabled Linux POSIX ACLs support
[ 6.263806][ T1] ntfs3: Read-only LZX/Xpress compression included
[ 6.265613][ T1] efs: 1.0a - http://aeschi.ch.eu.org/efs/
[ 6.268103][ T1] jffs2: version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
[ 6.271702][ T1] romfs: ROMFS MTD (C) 2007 Red Hat, Inc.
[ 6.273229][ T1] QNX4 filesystem 0.2.3 registered.
[ 6.275322][ T1] qnx6: QNX6 filesystem 1.0.0 registered.
[ 6.277012][ T1] fuse: init (API version 7.39)
[ 6.281606][ T1] orangefs_debugfs_init: called with debug mask: :none: :0:
[ 6.284051][ T1] orangefs_init: module version upstream loaded
[ 6.285490][ T1] JFS: nTxBlock = 8192, nTxLock = 65536
[ 6.313750][ T1] SGI XFS with ACLs, security attributes, realtime, quota, no debug enabled
[ 6.319015][ T1] 9p: Installing v9fs 9p2000 file system support
[ 6.320322][ T1] NILFS version 2 loaded
[ 6.321452][ T1] befs: version: 0.9.3
[ 6.322601][ T1] ocfs2: Registered cluster interface o2cb
[ 6.324174][ T1] ocfs2: Registered cluster interface user
[ 6.325892][ T1] OCFS2 User DLM kernel interface loaded
[ 6.341871][ T1] gfs2: GFS2 installed
[ 6.353461][ T1] ceph: loaded (mds proto 32)
[ 6.379550][ T1] NET: Registered PF_ALG protocol family
[ 6.381038][ T1] xor: automatically using best checksumming function avx
[ 6.382602][ T1] async_tx: api initialized (async)
[ 6.383352][ T1] Key type asymmetric registered
[ 6.384356][ T1] Asymmetric key parser 'x509' registered
[ 6.385383][ T1] Asymmetric key parser 'pkcs8' registered
[ 6.386451][ T1] Key type pkcs7_test registered
[ 6.387489][ T1] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 239)
[ 6.389957][ T1] io scheduler mq-deadline registered
[ 6.390822][ T1] io scheduler kyber registered
[ 6.391899][ T1] io scheduler bfq registered
[ 6.402210][ T1] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[ 6.416990][ T1] ACPI: button: Power Button [PWRF]
[ 6.420110][ T1] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input1
[ 6.423549][ T1] ACPI: button: Sleep Button [SLPF]
[ 6.437563][ T1] ioatdma: Intel(R) QuickData Technology Driver 5.00
[ 6.464441][ T1] ACPI: \_SB_.LNKC: Enabled at IRQ 11
[ 6.467125][ T1] virtio-pci 0000:00:03.0: virtio_pci: leaving for legacy driver
[ 6.493366][ T1] ACPI: \_SB_.LNKD: Enabled at IRQ 10
[ 6.494395][ T1] virtio-pci 0000:00:04.0: virtio_pci: leaving for legacy driver
[ 6.520948][ T1] ACPI: \_SB_.LNKB: Enabled at IRQ 10
[ 6.522290][ T1] virtio-pci 0000:00:06.0: virtio_pci: leaving for legacy driver
[ 6.542518][ T1] virtio-pci 0000:00:07.0: virtio_pci: leaving for legacy driver
[ 6.681895][ T276] kworker/u4:4 (276) used greatest stack depth: 25000 bytes left
[ 7.183861][ T1] N_HDLC line discipline registered with maxframe=4096
[ 7.185565][ T1] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[ 7.191098][ T1] 00:03: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[ 7.206122][ T1] 00:04: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
[ 7.222125][ T1] 00:05: ttyS2 at I/O 0x3e8 (irq = 6, base_baud = 115200) is a 16550A
[ 7.234572][ T1] 00:06: ttyS3 at I/O 0x2e8 (irq = 7, base_baud = 115200) is a 16550A
[ 7.262180][ T1] Non-volatile memory driver v1.3
[ 7.282424][ T1] Linux agpgart interface v0.103
[ 7.296450][ T1] ACPI: bus type drm_connector registered
[ 7.307285][ T1] [drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[ 7.319716][ T1] [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
[ 7.323524][ T1] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
[ 7.325256][ T1] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 7.325646][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc1-syzkaller-00019-gc42d9eeef8e5-dirty #0
[ 7.325646][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[ 7.325646][ T1] RIP: 0010:drm_mode_vrefresh+0x9e/0x360
[ 7.325646][ T1] Code: e8 d7 d9 65 fc 45 85 f6 74 73 4c 89 e0 48 c1 e8 03 42 0f b6 04 28 84 c0 0f 85 f8 01 00 00 41 8b 04 24 89 44 24 04 44 0f af f5 <41> 0f b6 45 00 84 c0 0f 85 fd 01 00 00 44 89 34 25 00 00 00 00 4d
[ 7.325646][ T1] RSP: 0000:ffffc90000067050 EFLAGS: 00010202
[ 7.325646][ T1] RAX: 0000000000007b0c RBX: 0000000000000000 RCX: ffff888141668000
[ 7.325646][ T1] RDX: ffff888141668000 RSI: 00000000000001bd RDI: 0000000000000000
[ 7.325646][ T1] RBP: 0000000000000340 R08: ffffffff8528eb99 R09: 0000000000000000
[ 7.325646][ T1] R10: ffffc90000067060 R11: fffff5200000ce0f R12: ffffffff8bce3120
[ 7.325646][ T1] R13: dffffc0000000000 R14: 000000000005a640 R15: ffffffff8bce312e
[ 7.325646][ T1] FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
[ 7.325646][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7.325646][ T1] CR2: ffff88823ffff000 CR3: 000000000d730000 CR4: 00000000003506f0
[ 7.325646][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 7.325646][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 7.325646][ T1] Call Trace:
[ 7.325646][ T1] <TASK>
[ 7.325646][ T1] ? __die_body+0x8b/0xe0
[ 7.325646][ T1] ? die_addr+0xc9/0x100
[ 7.325646][ T1] ? exc_general_protection+0x3c2/0x5b0
[ 7.325646][ T1] ? asm_exc_general_protection+0x26/0x30
[ 7.325646][ T1] ? drm_mode_vrefresh+0x79/0x360
[ 7.325646][ T1] ? drm_mode_vrefresh+0x9e/0x360
[ 7.325646][ T1] drm_add_modes_noedid+0xb5/0x230
[ 7.325646][ T1] vkms_conn_get_modes+0x20/0x40
[ 7.325646][ T1] drm_helper_probe_single_connector_modes+0x7d9/0x11f0
[ 7.325646][ T1] ? drm_helper_probe_detect+0x4e0/0x4e0
[ 7.325646][ T1] ? drm_client_modeset_probe+0x32c/0x4790
[ 7.325646][ T1] ? rcu_is_watching+0x15/0xb0
[ 7.325646][ T1] ? __kmalloc+0xe6/0x230
[ 7.325646][ T1] ? drm_connector_list_iter_end+0xb5/0xd0
[ 7.325646][ T1] drm_client_modeset_probe+0x433/0x4790
[ 7.325646][ T1] ? verify_lock_unused+0x140/0x140
[ 7.325646][ T1] ? _raw_spin_unlock_irqrestore+0x8f/0x140
[ 7.325646][ T1] ? lockdep_hardirqs_on+0x98/0x140
[ 7.325646][ T1] ? drm_client_modeset_release+0x300/0x300
[ 7.325646][ T1] ? __mutex_trylock_common+0x182/0x2e0
[ 7.325646][ T1] ? __might_sleep+0xc0/0xc0
[ 7.325646][ T1] ? trace_raw_output_contention_end+0xd0/0xd0
[ 7.325646][ T1] ? __mutex_trylock_common+0x182/0x2e0
[ 7.325646][ T1] __drm_fb_helper_initial_config_and_unlock+0x112/0x1e20
[ 7.325646][ T1] ? __mutex_lock+0x2ee/0xd60
[ 7.325646][ T1] ? rcu_is_watching+0x15/0xb0
[ 7.325646][ T1] ? trace_contention_end+0x3c/0xf0
[ 7.325646][ T1] ? __mutex_lock+0x2ee/0xd60
[ 7.325646][ T1] ? drm_fb_helper_initial_config+0x35/0x50
[ 7.325646][ T1] ? drm_fb_helper_initial_config+0x50/0x50
[ 7.325646][ T1] ? drm_client_register+0x4e/0x210
[ 7.325646][ T1] ? mutex_lock_nested+0x20/0x20
[ 7.325646][ T1] ? drm_prime_init_file_private+0x39/0x40
[ 7.325646][ T1] drm_fbdev_generic_client_hotplug+0x166/0x210
[ 7.325646][ T1] drm_client_register+0x17e/0x210
[ 7.325646][ T1] vkms_init+0x5f1/0x730
[ 7.325646][ T1] ? vgem_init+0x290/0x290
[ 7.325646][ T1] ? vgem_init+0x290/0x290
[ 7.325646][ T1] do_one_initcall+0x234/0x800
[ 7.325646][ T1] ? vgem_init+0x290/0x290
[ 7.325646][ T1] ? IS_ERR_OR_NULL+0x20/0x20
[ 7.325646][ T1] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0
[ 7.325646][ T1] ? parameq+0x220/0x220
[ 7.325646][ T1] ? slab_post_alloc_hook+0x6c/0x3c0
[ 7.325646][ T1] ? do_initcalls+0x1c/0x80
[ 7.325646][ T1] ? rcu_is_watching+0x15/0xb0
[ 7.325646][ T1] do_initcall_level+0x157/0x210
[ 7.325646][ T1] do_initcalls+0x3f/0x80
[ 7.325646][ T1] kernel_init_freeable+0x429/0x5c0
[ 7.325646][ T1] ? obsolete_checksetup+0x200/0x200
[ 7.325646][ T1] ? print_irqtrace_events+0x220/0x220
[ 7.325646][ T1] ? rest_init+0x300/0x300
[ 7.325646][ T1] ? rest_init+0x300/0x300
[ 7.325646][ T1] ? rest_init+0x300/0x300
[ 7.325646][ T1] kernel_init+0x1d/0x2a0
[ 7.325646][ T1] ret_from_fork+0x48/0x80
[ 7.325646][ T1] ? rest_init+0x300/0x300
[ 7.325646][ T1] ret_from_fork_asm+0x11/0x20
[ 7.325646][ T1] </TASK>
[ 7.325646][ T1] Modules linked in:
[ 7.439276][ T1] ---[ end trace 0000000000000000 ]---
[ 7.440497][ T1] RIP: 0010:drm_mode_vrefresh+0x9e/0x360
[ 7.441446][ T1] Code: e8 d7 d9 65 fc 45 85 f6 74 73 4c 89 e0 48 c1 e8 03 42 0f b6 04 28 84 c0 0f 85 f8 01 00 00 41 8b 04 24 89 44 24 04 44 0f af f5 <41> 0f b6 45 00 84 c0 0f 85 fd 01 00 00 44 89 34 25 00 00 00 00 4d
[ 7.444309][ T1] RSP: 0000:ffffc90000067050 EFLAGS: 00010202
[ 7.445225][ T1] RAX: 0000000000007b0c RBX: 0000000000000000 RCX: ffff888141668000
[ 7.446748][ T1] RDX: ffff888141668000 RSI: 00000000000001bd RDI: 0000000000000000
[ 7.448285][ T1] RBP: 0000000000000340 R08: ffffffff8528eb99 R09: 0000000000000000
[ 7.450542][ T1] R10: ffffc90000067060 R11: fffff5200000ce0f R12: ffffffff8bce3120
[ 7.451988][ T1] R13: dffffc0000000000 R14: 000000000005a640 R15: ffffffff8bce312e
[ 7.453626][ T1] FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
[ 7.454940][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7.456230][ T1] CR2: ffff88823ffff000 CR3: 000000000d730000 CR4: 00000000003506f0
[ 7.457734][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 7.459189][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 7.460386][ T1] Kernel panic - not syncing: Fatal exception
[ 7.461513][ T1] Kernel Offset: disabled
[ 7.462264][ T1] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs-2/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs-2/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build76428843=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at 6d6dbf8ab
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6d6dbf8ab21a52df701946afac2a86f93a88fdc8 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20231111-003831'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6d6dbf8ab21a52df701946afac2a86f93a88fdc8 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20231111-003831'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6d6dbf8ab21a52df701946afac2a86f93a88fdc8 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20231111-003831'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"6d6dbf8ab21a52df701946afac2a86f93a88fdc8\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1266c2b8e80000
Tested on:
commit: c42d9eee Merge tag 'hardening-v6.7-rc2' of git://git.k..
git tree: upstream
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1459d067680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward Adam Davis
Nov 17, 2023, 10:43:03 PM11/17/23
to syzbot+2e93e6...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 888cf78c29e2
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..e3f05539f704 100644
if (mode->vscan > 1)
den *= mode->vscan;
+ printk("mode: %p, ht: %llu, vt: %llu, c: %llu, vsc: %llu, den: %llu, num: %llu, %s",
+ mode, mode->htotal, mode->vtotal, mode->clock, mode->vscan, den, num, __func__);
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
EXPORT_SYMBOL(drm_mode_vrefresh);
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 888cf78c29e2
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..e3f05539f704 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1283,9 +1283,9 @@ EXPORT_SYMBOL(drm_mode_set_name);
* @modes's vrefresh rate in Hz, rounded to the nearest integer. Calculates the
* value first if it is not yet set.
*/
-int drm_mode_vrefresh(const struct drm_display_mode *mode)
+long drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned long num, den;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
@@ -1300,6 +1300,8 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1283,9 +1283,9 @@ EXPORT_SYMBOL(drm_mode_set_name);
* @modes's vrefresh rate in Hz, rounded to the nearest integer. Calculates the
* value first if it is not yet set.
*/
-int drm_mode_vrefresh(const struct drm_display_mode *mode)
+long drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned long num, den;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
if (mode->vscan > 1)
den *= mode->vscan;
+ printk("mode: %p, ht: %llu, vt: %llu, c: %llu, vsc: %llu, den: %llu, num: %llu, %s",
+ mode, mode->htotal, mode->vtotal, mode->clock, mode->vscan, den, num, __func__);
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
EXPORT_SYMBOL(drm_mode_vrefresh);
syzbot
Nov 18, 2023, 12:13:07 AM11/18/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
divide error in drm_mode_debug_printmodeline
mode: ffff888140bc9490, ht: 1344, vt: 806, c: 65000, vsc: 0, den: 1083264, num: 65000, drm_mode_vrefresh
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
divide error in drm_mode_debug_printmodeline
mode: ffff88807c374000, ht: 128, vt: 32768, c: 128, vsc: 1024, den: 4294967296, num: 128, drm_mode_vrefresh
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5448 Comm: syz-executor.0 Not tainted 6.6.0-rc7-syzkaller-00142-g888cf78c29e2-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1305 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x308/0x5d0 drivers/gpu/drm/drm_modes.c:60
Code: b4 8c 4c 8b 7c 24 30 41 57 55 e8 53 c9 e7 05 48 83 c4 18 44 89 f8 48 69 c8 e8 03 00 00 48 89 e8 48 d1 e8 48 01 c8 89 e9 31 d2 <48> f7 f1 49 89 c0 e9 81 fd ff ff 89 e9 80 e1 07 fe c1 38 c1 0f 8c
RSP: 0018:ffffc90004e1f8d0 EFLAGS: 00010246
RAX: 000000008001f400 RBX: ffff88807c374000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000100000000 R08: ffffffff81711cfc R09: 1ffff920009c3e6c
R10: dffffc0000000000 R11: fffff520009c3e6d R12: dffffc0000000000
R13: 0000000000000080 R14: 1ffff1100f86e801 R15: 0000000000000080
FS: 00007fb08687c6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb085b980c0 CR3: 000000007eb58000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
drm_ioctl_kernel+0x349/0x4f0 drivers/gpu/drm/drm_ioctl.c:789
<TASK>
drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:892
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb085a7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb08687c0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb085b9bf80 RCX: 00007fb085a7cae9
RDX: 0000000020000180 RSI: 00000000c06864a2 RDI: 0000000000000003
RBP: 00007fb085ac847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fb085b9bf80 R15: 00007ffe452acab8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1305 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x308/0x5d0 drivers/gpu/drm/drm_modes.c:60
Code: b4 8c 4c 8b 7c 24 30 41 57 55 e8 53 c9 e7 05 48 83 c4 18 44 89 f8 48 69 c8 e8 03 00 00 48 89 e8 48 d1 e8 48 01 c8 89 e9 31 d2 <48> f7 f1 49 89 c0 e9 81 fd ff ff 89 e9 80 e1 07 fe c1 38 c1 0f 8c
RSP: 0018:ffffc90004e1f8d0 EFLAGS: 00010246
RAX: 000000008001f400 RBX: ffff88807c374000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000100000000 R08: ffffffff81711cfc R09: 1ffff920009c3e6c
R10: dffffc0000000000 R11: fffff520009c3e6d R12: dffffc0000000000
R13: 0000000000000080 R14: 1ffff1100f86e801 R15: 0000000000000080
FS: 00007fb08687c6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc82ccfc378 CR3: 000000007eb58000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: b4 8c mov $0x8c,%ah
Code disassembly (best guess):
2: 4c 8b 7c 24 30 mov 0x30(%rsp),%r15
7: 41 57 push %r15
9: 55 push %rbp
a: e8 53 c9 e7 05 call 0x5e7c962
f: 48 83 c4 18 add $0x18,%rsp
13: 44 89 f8 mov %r15d,%eax
16: 48 69 c8 e8 03 00 00 imul $0x3e8,%rax,%rcx
1d: 48 89 e8 mov %rbp,%rax
20: 48 d1 e8 shr %rax
23: 48 01 c8 add %rcx,%rax
26: 89 e9 mov %ebp,%ecx
28: 31 d2 xor %edx,%edx
* 2a: 48 f7 f1 div %rcx <-- trapping instruction
2d: 49 89 c0 mov %rax,%r8
30: e9 81 fd ff ff jmp 0xfffffdb6
1d: 48 89 e8 mov %rbp,%rax
20: 48 d1 e8 shr %rax
23: 48 01 c8 add %rcx,%rax
26: 89 e9 mov %ebp,%ecx
28: 31 d2 xor %edx,%edx
* 2a: 48 f7 f1 div %rcx <-- trapping instruction
2d: 49 89 c0 mov %rax,%r8
35: 89 e9 mov %ebp,%ecx
37: 80 e1 07 and $0x7,%cl
3a: fe c1 inc %cl
3c: 38 c1 cmp %al,%cl
3e: 0f .byte 0xf
3f: 8c .byte 0x8c
Tested on:
commit: 888cf78c Merge tag 'iommu-fix-v6.6-rc7' of git://git.k..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=146669b8e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f0d47f0e0359e88e
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10890c77680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward Adam Davis
Nov 18, 2023, 1:44:40 AM11/18/23
to syzbot+2e93e6...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..0b0dd1c7b217 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1285,7 +1285,7 @@ EXPORT_SYMBOL(drm_mode_set_name);
*/
int drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned int num, den, n1k;
- unsigned int num, den;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
+ if (mode->vscan > 1) {
+ n1k = mul_u32_u32(num, 1000);
+ if (den < n1k)
+ den *= mode->vscan;
+ }
+ printk("mode: %p, ht: %d, vt: %d, c: %d, vsc: %d, den: %ld, num: %ld, n1k: %ld, %s",
+ mode, mode->htotal, mode->vtotal, mode->clock, mode->vscan, den, num, n1k, __func__);
syzbot
Nov 18, 2023, 2:18:07 AM11/18/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10163458e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
console output: https://syzkaller.appspot.com/x/log.txt?x=10163458e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11b06fb7680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: testing is done by a robot and is best-effort only.
Edward Adam Davis
Nov 18, 2023, 5:30:00 AM11/18/23
to syzbot+2e93e6...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..ca481c7f23e1 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1285,7 +1285,8 @@ EXPORT_SYMBOL(drm_mode_set_name);
*/
int drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned int num, den, n1k;
+ int ret;
int drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned int num, den, n1k;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
+ if (mode->vscan > 1) {
+ n1k = mul_u32_u32(num, 1000);
+ if (den < n1k)
+ den *= mode->vscan;
+ }
+ ret = DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
+ if (mode->vscan > 1) {
+ n1k = mul_u32_u32(num, 1000);
+ if (den < n1k)
+ den *= mode->vscan;
+ }
+ printk("mode: %p, ht: %d, vt: %d, c: %d, vsc: %d, den: %ld, num: %ld, n1k: %ld, %d, %s",
+ mode, mode->htotal, mode->vtotal, mode->clock, mode->vscan, den, num, n1k, ret, __func__);
syzbot
Nov 18, 2023, 6:02:06 AM11/18/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16548fb7680000
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=146fe350e80000
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward Adam Davis
Nov 18, 2023, 6:59:33 AM11/18/23
to syzbot+2e93e6...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..539aa26cfc72 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1285,7 +1285,8 @@ EXPORT_SYMBOL(drm_mode_set_name);
*/
int drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned int num, den, n1k;
+ int ret;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
@@ -1297,9 +1298,17 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1285,7 +1285,8 @@ EXPORT_SYMBOL(drm_mode_set_name);
*/
int drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned int num, den, n1k;
+ int ret;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
+ n1k = mul_u32_u32(num, 1000);
+ if (mode->vscan > 1) {
+ if (den < n1k)
+ den *= mode->vscan;
+ }
+ if (den < n1k)
+ den = n1k + 1;
+ den *= mode->vscan;
+ }
+ if (den < n1k)
syzbot
Nov 18, 2023, 7:23:07 AM11/18/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17f6c268e80000
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16363458e80000
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward Adam Davis
Nov 18, 2023, 8:31:30 PM11/18/23
to syzbot+2e93e6...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..1a3e8f3c1ece 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/log2.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1297,8 +1298,12 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
+ if (mode->vscan > 1) {
+ printk("%d, %d, %s\n", ilog2(den), ilog2(mode->vscan), __func__);
+ if (ilog2(den) + ilog2(mode->vscan) >= 32)
+ return -EINVAL;
den *= mode->vscan;
+ }
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
+ }
}
syzbot
Nov 18, 2023, 8:59:04 PM11/18/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14b3cdd4e80000
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1529b384e80000
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward Adam Davis
Nov 18, 2023, 9:24:29 PM11/18/23
to syzbot+2e93e6...@syzkaller.appspotmail.com, air...@gmail.com, air...@linux.ie, daniel...@ffwll.ch, daniel...@intel.com, dan...@ffwll.ch, dri-...@lists.freedesktop.org, linux-...@vger.kernel.org, maarten....@linux.intel.com, melis...@gmail.com, mri...@kernel.org, syzkall...@googlegroups.com, tzimm...@suse.de
[Syz Log]
[Analysis]
When calculating den in drm_mode_vrefresh(), if the vscan value is too large,
there is a probability of unsigned integer overflow.
[Fix]
Before multiplying by vscan, first determine their ilog2. When their total
exceeds 32, return -EINVAL and exit the subsequent calculation.
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
---
drivers/gpu/drm/drm_modes.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..c7ec1ab041f8 100644
2.25.1
When calculating den in drm_mode_vrefresh(), if the vscan value is too large,
there is a probability of unsigned integer overflow.
[Fix]
Before multiplying by vscan, first determine their ilog2. When their total
exceeds 32, return -EINVAL and exit the subsequent calculation.
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
drivers/gpu/drm/drm_modes.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..c7ec1ab041f8 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/log2.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1297,8 +1298,11 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/log2.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
+ if (mode->vscan > 1) {
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
+ if (mode->vscan > 1) {
+ if (ilog2(den) + ilog2(mode->vscan) >= 32)
+ return -EINVAL;
den *= mode->vscan;
+ }
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
--
+ return -EINVAL;
den *= mode->vscan;
+ }
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
2.25.1
Jani Nikula
Nov 20, 2023, 6:31:14 AM11/20/23
to Edward Adam Davis, syzbot+2e93e6...@syzkaller.appspotmail.com, tzimm...@suse.de, air...@linux.ie, daniel...@ffwll.ch, linux-...@vger.kernel.org, dri-...@lists.freedesktop.org, melis...@gmail.com, mri...@kernel.org, daniel...@intel.com, syzkall...@googlegroups.com
> + return -EINVAL;
Just so there's no confusion: NAK.
I'd be surprised if there were even a single place in the kernel where
someone checks drm_mode_vrefresh() for a negative error return.
This function must succeed.
Please change the types as needed instead.
BR,
Jani.
> den *= mode->vscan;
> + }
>
> return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
> }
--
Edward Adam Davis
Nov 20, 2023, 7:00:22 AM11/20/23
to syzbot+2e93e6...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
index ac9a406250c5..117ee4e41c63 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/overflow.h>
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1297,8 +1298,11 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
+ if (mode->vscan > 1) {
+ return 0;
Edward Adam Davis
Nov 20, 2023, 7:22:09 AM11/20/23
to syzbot+2e93e6...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..7c6d0229630d 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/overflow.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1285,7 +1286,7 @@ EXPORT_SYMBOL(drm_mode_set_name);
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/overflow.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
*/
int drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned int num, den, x;
- unsigned int num, den;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
@@ -1297,8 +1298,11 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
+ if (mode->vscan > 1) {
+ if (unlikely(check_mul_overflow(den, mode->vscan, &x)))
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
+ if (mode->vscan > 1) {
Edward Adam Davis
Nov 20, 2023, 8:30:41 AM11/20/23
to syzbot+2e93e6...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..60739d861da2 100644
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/overflow.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1297,8 +1298,10 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/overflow.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
+ if (mode->vscan > 1) {
+ if (unlikely(check_mul_overflow(den, mode->vscan, &den)))
+ return 0;
syzbot
Nov 20, 2023, 9:00:12 AM11/20/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16b7cdd4e80000
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1001c400e80000
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Nov 20, 2023, 9:20:09 AM11/20/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in vkms_get_vblank_timestamp
------------[ cut here ]------------
WARNING: CPU: 0 PID: 25460 at drivers/gpu/drm/vkms/vkms_crtc.c:103 vkms_get_vblank_timestamp+0x1cd/0x210
Modules linked in:
CPU: 0 PID: 25460 Comm: syz-executor.0 Not tainted 6.6.0-syzkaller-16039-gac347a0655db-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:vkms_get_vblank_timestamp+0x1cd/0x210 drivers/gpu/drm/vkms/vkms_crtc.c:103
Code: 03 42 80 3c 28 00 74 08 48 89 ef e8 bd 71 3f fc 48 89 5d 00 b0 01 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 33 4f e3 fb <0f> 0b eb e6 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c 7a fe ff ff 48 89
RSP: 0018:ffffc90003cc77c0 EFLAGS: 00010293
RAX: ffffffff85ab731d RBX: 00000042dda43dc6 RCX: ffff88807a465940
RDX: 0000000000000000 RSI: 00000042dda43dc6 RDI: 00000042dda43dc6
RBP: ffffc90003cc7960 R08: ffffffff85ab7289 R09: 0000000000000000
R10: ffffc900044e2000 R11: 0000000000000000 R12: 00000042dda43dc6
R13: 1ffff92000798f2c R14: 0000000000000000 R15: ffff88801c7d4000
FS: 00005555566d3480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
drm_crtc_next_vblank_start+0x229/0x460 drivers/gpu/drm/drm_vblank.c:1012
set_fence_deadline drivers/gpu/drm/drm_atomic_helper.c:1555 [inline]
drm_atomic_helper_wait_for_fences+0x277/0x8d0 drivers/gpu/drm/drm_atomic_helper.c:1602
drm_atomic_helper_commit+0x627/0xbc0 drivers/gpu/drm/drm_atomic_helper.c:2031
drm_atomic_commit+0x279/0x2c0 drivers/gpu/drm/drm_atomic.c:1513
drm_client_modeset_commit_atomic+0x676/0x7d0 drivers/gpu/drm/drm_client_modeset.c:1051
drm_client_modeset_commit_locked+0xe0/0x510 drivers/gpu/drm/drm_client_modeset.c:1154
drm_client_modeset_commit+0x4a/0x70 drivers/gpu/drm/drm_client_modeset.c:1180
__drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:251 [inline]
drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:278 [inline]
drm_fb_helper_lastclose+0xb7/0x170 drivers/gpu/drm/drm_fb_helper.c:2005
drm_fbdev_generic_client_restore+0x34/0x40 drivers/gpu/drm/drm_fbdev_generic.c:258
drm_client_dev_restore+0x131/0x260 drivers/gpu/drm/drm_client.c:257
drm_lastclose drivers/gpu/drm/drm_file.c:466 [inline]
drm_release+0x4b2/0x660 drivers/gpu/drm/drm_file.c:497
__fput+0x3cc/0xa10 fs/file_table.c:394
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close+0x15f/0x220 fs/open.c:1575
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007ffc140485c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f8d9987b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000032 R08: 0000001b2e560000 R09: 00007f8d9999bf8c
R10: 00007ffc14048710 R11: 0000000000000293 R12: 00007f8d99400c20
R13: ffffffffffffffff R14: 00007f8d99400000 R15: 00000000000461cf
</TASK>
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1691a6f0e80000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 25460 at drivers/gpu/drm/vkms/vkms_crtc.c:103 vkms_get_vblank_timestamp+0x1cd/0x210
Modules linked in:
CPU: 0 PID: 25460 Comm: syz-executor.0 Not tainted 6.6.0-syzkaller-16039-gac347a0655db-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:vkms_get_vblank_timestamp+0x1cd/0x210 drivers/gpu/drm/vkms/vkms_crtc.c:103
Code: 03 42 80 3c 28 00 74 08 48 89 ef e8 bd 71 3f fc 48 89 5d 00 b0 01 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 33 4f e3 fb <0f> 0b eb e6 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c 7a fe ff ff 48 89
RSP: 0018:ffffc90003cc77c0 EFLAGS: 00010293
RAX: ffffffff85ab731d RBX: 00000042dda43dc6 RCX: ffff88807a465940
RDX: 0000000000000000 RSI: 00000042dda43dc6 RDI: 00000042dda43dc6
RBP: ffffc90003cc7960 R08: ffffffff85ab7289 R09: 0000000000000000
R10: ffffc900044e2000 R11: 0000000000000000 R12: 00000042dda43dc6
R13: 1ffff92000798f2c R14: 0000000000000000 R15: ffff88801c7d4000
FS: 00005555566d3480(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8d999980c0 CR3: 0000000015f23000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_crtc_get_last_vbltimestamp drivers/gpu/drm/drm_vblank.c:877 [inline]
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_crtc_next_vblank_start+0x229/0x460 drivers/gpu/drm/drm_vblank.c:1012
set_fence_deadline drivers/gpu/drm/drm_atomic_helper.c:1555 [inline]
drm_atomic_helper_wait_for_fences+0x277/0x8d0 drivers/gpu/drm/drm_atomic_helper.c:1602
drm_atomic_helper_commit+0x627/0xbc0 drivers/gpu/drm/drm_atomic_helper.c:2031
drm_atomic_commit+0x279/0x2c0 drivers/gpu/drm/drm_atomic.c:1513
drm_client_modeset_commit_atomic+0x676/0x7d0 drivers/gpu/drm/drm_client_modeset.c:1051
drm_client_modeset_commit_locked+0xe0/0x510 drivers/gpu/drm/drm_client_modeset.c:1154
drm_client_modeset_commit+0x4a/0x70 drivers/gpu/drm/drm_client_modeset.c:1180
__drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:251 [inline]
drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:278 [inline]
drm_fb_helper_lastclose+0xb7/0x170 drivers/gpu/drm/drm_fb_helper.c:2005
drm_fbdev_generic_client_restore+0x34/0x40 drivers/gpu/drm/drm_fbdev_generic.c:258
drm_client_dev_restore+0x131/0x260 drivers/gpu/drm/drm_client.c:257
drm_lastclose drivers/gpu/drm/drm_file.c:466 [inline]
drm_release+0x4b2/0x660 drivers/gpu/drm/drm_file.c:497
__fput+0x3cc/0xa10 fs/file_table.c:394
__do_sys_close fs/open.c:1590 [inline]
__se_sys_close+0x15f/0x220 fs/open.c:1575
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f8d9987b9da
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007ffc140485c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f8d9987b9da
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000032 R08: 0000001b2e560000 R09: 00007f8d9999bf8c
R10: 00007ffc14048710 R11: 0000000000000293 R12: 00007f8d99400c20
R13: ffffffffffffffff R14: 00007f8d99400000 R15: 00000000000461cf
</TASK>
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=137920af680000
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Nov 20, 2023, 9:41:07 AM11/20/23
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Tested on:
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=134d89b8e80000
commit: ac347a06 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=150dd4af680000
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Edward Adam Davis
Nov 20, 2023, 9:41:39 AM11/20/23
to jani....@linux.intel.com, air...@linux.ie, daniel...@ffwll.ch, daniel...@intel.com, dri-...@lists.freedesktop.org, ead...@qq.com, linux-...@vger.kernel.org, melis...@gmail.com, mri...@kernel.org, syzbot+2e93e6...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, tzimm...@suse.de
If overflow occurs, return 0 and exit the subsequent process.
Reported-and-tested-by: syzbot+2e93e6...@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
1 file changed, 5 insertions(+), 2 deletion(-)
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..60739d861da2 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/overflow.h>
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1297,8 +1298,10 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
+ if (mode->vscan > 1) {
+ if (unlikely(check_mul_overflow(den, mode->vscan, &den)))
+ return 0;
+ if (mode->vscan > 1) {
+ if (unlikely(check_mul_overflow(den, mode->vscan, &den)))
+ return 0;
+ }
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
--
2.25.1
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
--
Ville Syrjälä
Nov 20, 2023, 10:14:31 AM11/20/23
to Edward Adam Davis, jani....@linux.intel.com, air...@linux.ie, daniel...@ffwll.ch, linux-...@vger.kernel.org, dri-...@lists.freedesktop.org, melis...@gmail.com, mri...@kernel.org, tzimm...@suse.de, daniel...@intel.com, syzkall...@googlegroups.com, syzbot+2e93e6...@syzkaller.appspotmail.com, Karol Herbst, Lyude Paul, Danilo Krummrich, nou...@lists.freedesktop.org
nouveau has some code for it, but doesn't look like it does
anything sensible. All other drivers for sure should be
rejecting vscan>1 outright. Which driver is this?
Is there an actual usecase where nouveau needs this (and does
it even work?) or could we just rip out the whole thing and
reject vscan>1 globally?
>
> return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
> }
> --
> 2.25.1
Ville Syrjälä
Intel
Jani Nikula
Nov 21, 2023, 4:21:03 AM11/21/23
to Ville Syrjälä, Edward Adam Davis, air...@linux.ie, daniel...@ffwll.ch, linux-...@vger.kernel.org, dri-...@lists.freedesktop.org, melis...@gmail.com, mri...@kernel.org, tzimm...@suse.de, daniel...@intel.com, syzkall...@googlegroups.com, syzbot+2e93e6...@syzkaller.appspotmail.com, Karol Herbst, Lyude Paul, Danilo Krummrich, nou...@lists.freedesktop.org
BR,
Jani.
[1] https://lore.kernel.org/r/20230802174746....@yahoo.com
>
>>
>> return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
>> }
>> --
>> 2.25.1
--
Reply all
Reply to author
Forward
0 new messages