https://bugs.freedesktop.org/show_bug.cgi?id=98372
Bug ID: 98372
Summary: UBSAN in ../drivers/gpu/drm/drm_modes.c:325:49
Product: DRI
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: DRM/other
Assignee: dri-devel@lists.freedesktop.org
Reporter: marxin.liska@gmail.com
Running

$ uname -a
Linux linux-h8g6 4.9.0-rc1-2-syzkaller #1 SMP PREEMPT Mon Oct 17 19:37:55 UTC 2016 (55c3dd5) x86_64 x86_64 x86_64 GNU/Linux

with UBSAN enabled (built by GCC 7.0) in qemu, I reached the following error:

[ 48.723720] UBSAN: Undefined behaviour in ../drivers/gpu/drm/drm_modes.c:325:49
[ 48.726943] signed integer overflow:
[ 48.728503] 2240 * 1000000 cannot be represented in type 'int'
--- Comment #1 from Martin Liška marxin.liska@gmail.com ---
Backtrace:

[ 48.730135] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
[ 48.730138] ffff88005cb3edb8 ffffffff83f982ea 0000000041b58ab3 ffffffff853754ab
[ 48.730144] ffffffff83f981de ffff88005cb3ede0 ffff88005cb3ed80 0000000000000000
[ 48.730149] ffffffffc12855e0 ffff88005cb3eeb8 00000000000f4240 ffff88005cb30001
[ 48.730154] Call Trace:
[ 48.730161] [<ffffffff83f982ea>] dump_stack+0x10c/0x192
[ 48.730165] [<ffffffff83f981de>] ? _atomic_dec_and_lock+0x12e/0x12e
[ 48.730173] [<ffffffff8407262a>] ubsan_epilogue+0x12/0x8f
[ 48.730177] [<ffffffff84074165>] handle_overflow+0x23d/0x297
[ 48.730182] [<ffffffff84073f28>] ? __ubsan_handle_negate_overflow+0x1bd/0x1bd
[ 48.730187] [<ffffffff84d666ce>] ? mutex_unlock+0xe/0x10
[ 48.730207] [<ffffffffc11e34f8>] ? drm_mode_object_get_reg+0x1b8/0x240 [drm]
[ 48.730221] [<ffffffffc11e3340>] ? drm_mode_object_unreference+0x1a0/0x1a0 [drm]
[ 48.730226] [<ffffffff83832ff9>] ? kmem_cache_alloc_trace+0x149/0x4b0
[ 48.730231] [<ffffffff8407424b>] __ubsan_handle_mul_overflow+0x2a/0x3f
[ 48.730245] [<ffffffffc11a22c0>] drm_cvt_mode+0xa50/0x1090 [drm]
[ 48.730254] [<ffffffffc15ed8b3>] qxl_conn_get_modes+0x343/0xce0 [qxl]
[ 48.730261] [<ffffffffc15ed570>] ? qxl_crtc_cursor_move+0x5d0/0x5d0 [qxl]
[ 48.730265] [<ffffffff844e2116>] ? driver_register+0x1d6/0x410
[ 48.730271] [<ffffffffc110808d>] ? qxl_init+0x8d/0x1000 [qxl]
[ 48.730275] [<ffffffff83002327>] ? do_one_initcall+0xc7/0x2d0
[ 48.730284] [<ffffffffc151a89a>] ? drm_kms_helper_poll_enable_locked+0x28a/0x450 [drm_kms_helper]
[ 48.730292] [<ffffffffc151b791>] drm_helper_probe_single_connector_modes+0xa71/0x1560 [drm_kms_helper]
[ 48.730301] [<ffffffffc155c6f3>] drm_fb_helper_initial_config+0x2e3/0x1700 [drm_kms_helper]
[ 48.730306] [<ffffffff84d664d0>] ? __mutex_unlock_slowpath+0x240/0x430
[ 48.730314] [<ffffffffc155c410>] ? drm_fb_helper_set_par+0x160/0x160 [drm_kms_helper]
[ 48.730322] [<ffffffffc1557f87>] ? drm_fb_helper_add_one_connector+0x237/0x4b0 [drm_kms_helper]
[ 48.730330] [<ffffffffc155826f>] ? drm_fb_helper_single_add_all_connectors+0x6f/0x4c0 [drm_kms_helper]
[ 48.730337] [<ffffffffc15fc523>] qxl_fbdev_init+0x273/0x320 [qxl]
[ 48.730343] [<ffffffffc15fc2b0>] ? qxl_get_handle_for_primary_fb+0xf0/0xf0 [qxl]
[ 48.730346] [<ffffffff84d666ce>] ? mutex_unlock+0xe/0x10
[ 48.730361] [<ffffffffc11dcbc2>] ? drm_connector_register+0x72/0x220 [drm]
[ 48.730367] [<ffffffffc15f718a>] qxl_modeset_init+0x66a/0x970 [qxl]
[ 48.730373] [<ffffffffc15ebcf0>] ? qxl_driver_unload+0x440/0x440 [qxl]
[ 48.730379] [<ffffffffc15ebdfe>] qxl_driver_load+0x10e/0x1b0 [qxl]
[ 48.730392] [<ffffffffc118033d>] drm_dev_register+0x12d/0x230 [drm]
[ 48.730405] [<ffffffffc1189485>] drm_get_pci_dev+0x235/0x9d0 [drm]
[ 48.730419] [<ffffffffc1189250>] ? drm_pci_agp_destroy+0x120/0x120 [drm]
[ 48.730424] [<ffffffff833558ea>] ? trace_hardirqs_on_caller+0x3da/0x6c0
[ 48.730428] [<ffffffff83355bdd>] ? trace_hardirqs_on+0xd/0x10
[ 48.730434] [<ffffffffc15e8860>] ? qxl_pm_suspend+0x90/0x90 [qxl]
[ 48.730439] [<ffffffffc15e88ba>] qxl_pci_probe+0x5a/0xb0 [qxl]
[ 48.730444] [<ffffffff840e59cc>] local_pci_probe+0xfc/0x1f0
[ 48.730448] [<ffffffff840ea8e5>] pci_device_probe+0x215/0x3a0
[ 48.730453] [<ffffffff840ea6d0>] ? pci_device_remove+0x2f0/0x2f0
[ 48.730458] [<ffffffff844dce13>] ? driver_sysfs_add+0x133/0x310
[ 48.730462] [<ffffffff840ea6d0>] ? pci_device_remove+0x2f0/0x2f0
[ 48.730466] [<ffffffff844dea08>] driver_probe_device+0x288/0xfa0
[ 48.730469] [<ffffffff844df720>] ? driver_probe_device+0xfa0/0xfa0
[ 48.730473] [<ffffffff844df893>] __driver_attach+0x173/0x280
[ 48.730477] [<ffffffff844d757a>] bus_for_each_dev+0x15a/0x1f0
[ 48.730481] [<ffffffff844d7420>] ? subsys_dev_iter_init+0x110/0x110
[ 48.730486] [<ffffffff844dd347>] driver_attach+0x47/0x70
[ 48.730491] [<ffffffff844dbeb7>] bus_add_driver+0x547/0x890
[ 48.730495] [<ffffffff844e2116>] driver_register+0x1d6/0x410
[ 48.730498] [<ffffffff83366092>] ? __raw_spin_lock_init+0x32/0x120
[ 48.730503] [<ffffffff840e4576>] __pci_register_driver+0x1a6/0x250
[ 48.730507] [<ffffffff840e43d0>] ? pci_pm_runtime_idle+0x1b0/0x1b0
[ 48.730511] [<ffffffff830021de>] ? initcall_blacklisted+0x14e/0x1d0
[ 48.730515] [<ffffffff83002090>] ? try_to_run_init_process+0x50/0x50
[ 48.730518] [<ffffffffc1108000>] ? 0xffffffffc1108000
[ 48.730531] [<ffffffffc118a07e>] drm_pci_init+0x45e/0x5d0 [drm]
[ 48.730536] [<ffffffff84d6fb39>] ? retint_kernel+0x2d/0x2d
[ 48.730549] [<ffffffffc1189c20>] ? drm_get_pci_dev+0x9d0/0x9d0 [drm]
[ 48.730553] [<ffffffff8300501a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 48.730556] [<ffffffffc1108000>] ? 0xffffffffc1108000
[ 48.730561] [<ffffffffc110808d>] qxl_init+0x8d/0x1000 [qxl]
[ 48.730565] [<ffffffff83002327>] do_one_initcall+0xc7/0x2d0
[ 48.730569] [<ffffffff83002260>] ? initcall_blacklisted+0x1d0/0x1d0
[ 48.730573] [<ffffffff83fdce8b>] ? memset_erms+0xb/0x10
[ 48.730578] [<ffffffff8383ba05>] ? kasan_unpoison_shadow+0x35/0x50
[ 48.730582] [<ffffffff8383ba9f>] ? __asan_register_globals+0x7f/0xa0
[ 48.730587] [<ffffffff836a54f3>] do_init_module+0x272/0x64d
[ 48.730591] [<ffffffff836a5281>] ? kzalloc.constprop.34+0x10/0x10
[ 48.730596] [<ffffffff83457848>] load_module+0x3528/0x5ae0
[ 48.730600] [<ffffffff83449820>] ? m_show+0x540/0x540
[ 48.730607] [<ffffffff83454320>] ? layout_and_allocate+0x48e0/0x48e0
[ 48.730612] [<ffffffff838da9e0>] ? read_code+0x50/0x50
[ 48.730616] [<ffffffff8393be3c>] ? __fget_light+0x18c/0x270
[ 48.730621] [<ffffffff838db436>] ? kernel_read_file_from_fd+0x76/0x90
[ 48.730625] [<ffffffff8345a18b>] SYSC_finit_module+0x18b/0x1b0
[ 48.730629] [<ffffffff8345a000>] ? SYSC_init_module+0x200/0x200
[ 48.730633] [<ffffffff834dc1ce>] ? __audit_syscall_entry+0x34e/0x5d0
[ 48.730638] [<ffffffff83009e76>] ? do_syscall_64+0x56/0x520
[ 48.730642] [<ffffffff8345a1c0>] ? SyS_init_module+0x10/0x10
[ 48.730646] [<ffffffff8345a1ce>] SyS_finit_module+0xe/0x10
[ 48.730650] [<ffffffff83009fce>] do_syscall_64+0x1ae/0x520
[ 48.730654] [<ffffffff84d6f1cd>] entry_SYSCALL64_slow_path+0x25/0x25
[ 48.730657] ================================================================================
Chris Wilson chris@chris-wilson.co.uk changed:
What      |Removed |Added
----------------------------------------------------------------------------
Status    |NEW     |RESOLVED
Resolution|---     |FIXED
--- Comment #2 from Chris Wilson chris@chris-wilson.co.uk ---
commit 8a5bbf327aa16025c78491266a6425807c7fbee0
Author: Chris Wilson chris@chris-wilson.co.uk
Date: Fri Oct 21 15:15:40 2016 +0100

    drm: Use u64 for intermediate dotclock calculations

    We have reached the era where monitor bandwidths now exceed 31 bits in
    frequency calculations, though as we stored them in kHz units we are
    safe from overflow in the modelines for some time.

    [ 48.723720] UBSAN: Undefined behaviour in ../drivers/gpu/drm/drm_modes.c:325:49
    [ 48.726943] signed integer overflow:
    [ 48.728503] 2240 * 1000000 cannot be represented in type 'int'

    Reported-by: Martin Liška marxin.liska@gmail.com
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98372
    Signed-off-by: Chris Wilson chris@chris-wilson.co.uk
    Reviewed-by: Alex Deucher alexander.deucher@amd.com
    Signed-off-by: Daniel Vetter daniel.vetter@ffwll.ch
    Link: http://patchwork.freedesktop.org/patch/msgid/20161021141540.26837-1-chris@ch...
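
The multiplication from the UBSAN report (2240 * 1000000 in type int) beside a u64 intermediate of the kind the commit title describes, as an added example that is not the kernel's code and not part of the original thread. The function names, the divisor hperiod and its sample value 7000 are assumptions made for illustration; a 32-bit int is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define SCALE 1000000 /* multiplier shown in the UBSAN report */

/* int intermediate, as in the report. The checked builtin (GCC/Clang)
 * detects the overflow instead of executing undefined behaviour.
 * Returns -1 when htotal * SCALE does not fit in int. */
static int dotclock_int(int htotal, int hperiod)
{
	int product;

	if (htotal < 0 || hperiod <= 0 ||
	    __builtin_mul_overflow(htotal, SCALE, &product))
		return -1;
	return product / hperiod;
}

/* u64 intermediate: the product fits for every non-negative int htotal,
 * so only the final quotient is range-checked before narrowing to int. */
static int dotclock_u64(int htotal, int hperiod)
{
	uint64_t tmp;

	if (htotal < 0 || hperiod <= 0)
		return -1;
	tmp = (uint64_t)htotal * SCALE;
	tmp /= (uint64_t)hperiod;
	return tmp > INT_MAX ? -1 : (int)tmp;
}

int main(void)
{
	/* 2240 is from the report; hperiod = 7000 is a constructed divisor. */
	printf("int intermediate: %d\n", dotclock_int(2240, 7000));
	printf("u64 intermediate: %d\n", dotclock_u64(2240, 7000));
	/* 2147 is the largest multiplicand whose product still fits in int. */
	printf("int, htotal 2147: %d\n", dotclock_int(2147, 7000));
	return 0;
}
```

The final result fits in int even though the intermediate product does not, which is why widening only the intermediate is enough.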