[media?] BUG: unable to handle kernel paging request in tpg_fill_plane_buffer (2)


syzbot

Apr 14, 2023, 8:55:43 AM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 09a9639e56c0 Linux 6.3-rc6
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11ee6673c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=c21559e740385326
dashboard link: https://syzkaller.appspot.com/bug?extid=89849bf07037525120b8
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
CC: [linux-...@vger.kernel.org linux...@vger.kernel.org mch...@kernel.org]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/03ba292eaed8/disk-09a9639e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/49adcba6a4a4/vmlinux-09a9639e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d78790c761ce/bzImage-09a9639e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+89849b...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffffc9000368d000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 12400067 P4D 12400067 PUD 16621067 PMD 1cc4c067 PTE 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 24753 Comm: vivid-000-vid-c Not tainted 6.3.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
RIP: 0010:memcpy_erms+0xa/0x10 arch/x86/lib/memcpy_64.S:56
Code: f3 0f 1e fa eb 1a 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 90 66 0f 1f 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 00 66 0f 1f 00 48 89 f8 48 83 fa 20 0f 82 86 00 00
RSP: 0018:ffffc900036df910 EFLAGS: 00010293
RAX: ffffc9000368cea0 RBX: ffffc900075b9000 RCX: 0000000000000008
RDX: 0000000000000168 RSI: ffffc900075b9160 RDI: ffffc9000368d000
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffc900075b9000 R14: ffff888022f17b00 R15: 0000000000000168
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000368d000 CR3: 000000000c571000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2582 [inline]
tpg_fill_plane_buffer+0x1afe/0x3e00 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2670
vivid_fillbuff+0x1aa8/0x41f0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470
vivid_thread_vid_cap_tick+0x832/0x2370 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:729
vivid_thread_vid_cap+0x631/0xc30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:872
kthread+0x2e8/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
Modules linked in:
CR2: ffffc9000368d000
---[ end trace 0000000000000000 ]---
RIP: 0010:memcpy_erms+0xa/0x10 arch/x86/lib/memcpy_64.S:56
Code: f3 0f 1e fa eb 1a 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 90 66 0f 1f 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 00 66 0f 1f 00 48 89 f8 48 83 fa 20 0f 82 86 00 00
RSP: 0018:ffffc900036df910 EFLAGS: 00010293
RAX: ffffc9000368cea0 RBX: ffffc900075b9000 RCX: 0000000000000008
RDX: 0000000000000168 RSI: ffffc900075b9160 RDI: ffffc9000368d000
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffc900075b9000 R14: ffff888022f17b00 R15: 0000000000000168
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000368d000 CR3: 000000000c571000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: f3 0f 1e fa endbr64
4: eb 1a jmp 0x20
6: 0f 1f 00 nopl (%rax)
9: 48 89 f8 mov %rdi,%rax
c: 48 89 d1 mov %rdx,%rcx
f: 48 c1 e9 03 shr $0x3,%rcx
13: 83 e2 07 and $0x7,%edx
16: f3 48 a5 rep movsq %ds:(%rsi),%es:(%rdi)
19: 89 d1 mov %edx,%ecx
1b: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi)
1d: c3 retq
1e: 66 90 xchg %ax,%ax
20: 66 0f 1f 00 nopw (%rax)
24: 48 89 f8 mov %rdi,%rax
27: 48 89 d1 mov %rdx,%rcx
* 2a: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi) <-- trapping instruction
2c: c3 retq
2d: 0f 1f 00 nopl (%rax)
30: 66 0f 1f 00 nopw (%rax)
34: 48 89 f8 mov %rdi,%rax
37: 48 83 fa 20 cmp $0x20,%rdx
3b: 0f .byte 0xf
3c: 82 (bad)
3d: 86 00 xchg %al,(%rax)


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jul 9, 2023, 8:46:42 AM
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.