Harshit Mogalapalli
unread,Dec 8, 2023, 4:54:38āÆAM12/8/23Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Sign in to report message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Ziqi Zhao, air...@gmail.com, dan...@ffwll.ch, dri-...@lists.freedesktop.org, ivan.or...@gmail.com, maarten....@linux.intel.com, mri...@kernel.org, sk...@linuxfoundation.org, tzimm...@suse.de, syzkall...@googlegroups.com, linux-...@vger.kernel.org, christia...@amd.com, linaro...@lists.linaro.org, gli...@google.com, syzbot+4fad2e...@syzkaller.appspotmail.com, sumit....@linaro.org, linux...@vger.kernel.org, Dan Carpenter, Vegard Nossum, Darren Kenny
Hello,
On 21/07/23 9:44 pm, Ziqi Zhao wrote:
> The connector_set contains uninitialized values when allocated with
> kmalloc_array. However, in the "out" branch, the logic assumes that any
> element in connector_set would be equal to NULL if failed to
> initialize, which causes the bug reported by Syzbot. The fix is to use
> an extra variable to keep track of how many connectors are initialized
> indeed, and use that variable to decrease any refcounts in the "out"
> branch.
>
This bug is reproducible on 6.7-rc3 on KASAN enabled kernel as wild
memory access.
[ 424.699429] general protection fault, probably for non-canonical
address 0xfbf7c8b63d84d2a6: 0000 [#1] PREEMPT SMP KASAN PTI
[ 424.727952] KASAN: maybe wild-memory-access in range
[0xdfbe65b1ec269530-0xdfbe65b1ec269537]
[ 424.743794] CPU: 3 PID: 9040 Comm: r Not tainted 6.7.0-rc3+ #1
[ 424.758855] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.11.0-2.el7 04/01/2014
[ 424.774845] RIP: 0010:drm_mode_object_put+0x27/0x50
[ 424.782854] Code: 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd e8
ae 92 0b fd 48 8d 7d 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea
03 <80> 3c 02 00 75 1a 48 83 7d 18 00 74 0d e8 87 92 0b fd 48 89 ef e8
[ 424.816805] RSP: 0018:ffff8881199b7ad0 EFLAGS: 00010a06
[ 424.830847] RAX: dffffc0000000000 RBX: ffffed1023336fc3 RCX:
0000000000000000
[ 424.844180] RDX: 1bf7ccb63d84d2a6 RSI: 0000000000000000 RDI:
dfbe65b1ec269530
[ 424.854860] RBP: dfbe65b1ec269518 R08: 0000000000000000 R09:
0000000000000000
[ 424.870833] R10: 0000000000000000 R11: 0000000000000000 R12:
dfbe65b1ec2694d8
[ 424.886846] R13: dffffc0000000000 R14: ffff8881060731c0 R15:
0000000000000001
[ 424.901889] FS: 00007fecfc1ec740(0000) GS:ffff8881f3f80000(0000)
knlGS:0000000000000000
[ 424.910833] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 424.918929] CR2: 0000000000000000 CR3: 0000000117e7c000 CR4:
00000000000006f0
[ 424.936058] Call Trace:
[ 424.936058] <TASK>
[ 424.936058] ? show_regs+0x9b/0xb0
[ 424.950853] ? die_addr+0x55/0xe0
[ 424.950853] ? exc_general_protection+0x1a4/0x320
[ 424.965905] ? asm_exc_general_protection+0x26/0x30
[ 424.974878] ? drm_mode_object_put+0x27/0x50
[ 424.982866] drm_mode_setcrtc+0x7ec/0x1630
[ 424.990875] ? __pfx_drm_mode_setcrtc+0x10/0x10
[ 424.998877] ? ww_mutex_lock+0x9a/0x1c0
[ 425.006852] ? __pfx_ww_mutex_lock+0x10/0x10
[ 425.014875] ? __drm_dev_dbg+0xbd/0x1a0
[ 425.014875] ? __pfx___drm_dev_dbg+0x10/0x10
[ 425.030321] ? drm_lease_owner+0x44/0x60
[ 425.030981] drm_ioctl_kernel+0x2a0/0x500
[ 425.040058] ? __pfx_drm_mode_setcrtc+0x10/0x10
[ 425.048128] ? __pfx_drm_ioctl_kernel+0x10/0x10
[ 425.055809] drm_ioctl+0x58a/0xb60
[ 425.062876] ? __pfx_drm_mode_setcrtc+0x10/0x10
[ 425.070875] ? __pfx_drm_ioctl+0x10/0x10
[ 425.078875] ? __pfx_do_sys_openat2+0x10/0x10
[ 425.086875] ? selinux_file_ioctl+0x184/0x270
[ 425.099093] ? selinux_file_ioctl+0xba/0x270
[ 425.102865] ? __pfx_drm_ioctl+0x10/0x10
[ 425.111092] __x64_sys_ioctl+0x1b1/0x220
[ 425.119055] do_syscall_64+0x45/0x100
[ 425.127106] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 425.135102] RIP: 0033:0x7fecfb6f8289
After applying this patch, the bug is not reproducible.
Thanks,
Harshit