Hello,
syzbot found the following issue on:
HEAD commit:    6dd65e60 Add linux-next specific files for 20201110
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1276af62500000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4fab43daf5c54712
dashboard link: https://syzkaller.appspot.com/bug?extid=b67aaae8d3a927f68d20
compiler:       gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 4e683067 P4D 4e683067 PUD 14850067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9433 Comm: syz-executor.5 Not tainted 5.10.0-rc3-next-20201110-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000bca7858 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffff888144509000 RDI: ffff888010079000
RBP: ffff888010079000 R08: 0000000000000000 R09: ffffffff8cecc387
R10: 0000000000000003 R11: 0000000000000000 R12: ffff888144509000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  00007f5822bee700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000004e973000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 fbcon_cursor+0x50e/0x620 drivers/video/fbdev/core/fbcon.c:1346
 hide_cursor+0x85/0x280 drivers/tty/vt/vt.c:907
 redraw_screen+0x5ed/0x790 drivers/tty/vt/vt.c:1012
 vc_do_resize+0xed3/0x1150 drivers/tty/vt/vt.c:1326
 fbcon_set_disp+0x831/0xda0 drivers/video/fbdev/core/fbcon.c:1413
 con2fb_init_display drivers/video/fbdev/core/fbcon.c:816 [inline]
 set_con2fb_map+0x7a6/0xf80 drivers/video/fbdev/core/fbcon.c:887
 fbcon_set_con2fb_map_ioctl+0x165/0x220 drivers/video/fbdev/core/fbcon.c:3072
 do_fb_ioctl+0x5b6/0x690 drivers/video/fbdev/core/fbmem.c:1156
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45deb9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5822bedc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000000e2c0 RCX: 000000000045deb9
RDX: 00000000200000c0 RSI: 0000000000004610 RDI: 0000000000000006
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffe024fb66f R14: 00007f5822bee9c0 R15: 000000000118bf2c
Modules linked in:
CR2: 0000000000000000
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 4e683067 P4D 4e683067 PUD 14850067 PMD 0
Oops: 0010 [#2] PREEMPT SMP KASAN
CPU: 0 PID: 9433 Comm: syz-executor.5 Not tainted 5.10.0-rc3-next-20201110-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000bca7278 EFLAGS: 00010086
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000002 RSI: ffff888144509000 RDI: ffff888010079000
RBP: ffff888010079000 R08: 0000000000000000 R09: ffffffff8cecc387
R10: 0000000000000003 R11: 0000000000000001 R12: ffff888144509000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  00007f5822bee700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000004e973000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 fbcon_cursor+0x50e/0x620 drivers/video/fbdev/core/fbcon.c:1346
 hide_cursor+0x85/0x280 drivers/tty/vt/vt.c:907
 redraw_screen+0x5ed/0x790 drivers/tty/vt/vt.c:1012
 fbcon_blank+0x8c5/0xc30 drivers/video/fbdev/core/fbcon.c:2248
 do_unblank_screen+0x25b/0x470 drivers/tty/vt/vt.c:4406
 bust_spinlocks+0x5b/0xe0 lib/bust_spinlocks.c:26
 oops_end+0x2b/0xe0 arch/x86/kernel/dumpstack.c:346
 no_context+0x5f2/0xa20 arch/x86/mm/fault.c:752
 __bad_area_nosemaphore+0xa9/0x400 arch/x86/mm/fault.c:840
 do_user_addr_fault+0x7d7/0xba0 arch/x86/mm/fault.c:1340
 handle_page_fault arch/x86/mm/fault.c:1434 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1490
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:580
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000bca7858 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffff888144509000 RDI: ffff888010079000
RBP: ffff888010079000 R08: 0000000000000000 R09: ffffffff8cecc387
R10: 0000000000000003 R11: 0000000000000000 R12: ffff888144509000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
Modules linked in:
CR2: 0000000000000000
---[ end trace 8931af4863156cb4 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000bca7858 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000002 RSI: ffff888144509000 RDI: ffff888010079000
RBP: ffff888010079000 R08: 0000000000000000 R09: ffffffff8cecc387
R10: 0000000000000003 R11: 0000000000000000 R12: ffff888144509000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  00007f5822bee700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000004e973000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot has found a reproducer for the following issue on:
HEAD commit:    b3a3cbde Add linux-next specific files for 20210115
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=164096d7500000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6ea08dae6aab586f
dashboard link: https://syzkaller.appspot.com/bug?extid=b67aaae8d3a927f68d20
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15cd8fe0d00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17af5258d00000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 12267067 P4D 12267067 PUD 11841067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8463 Comm: syz-executor088 Not tainted 5.11.0-rc3-next-20210115-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000132f850 EFLAGS: 00010292
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000002 RSI: ffff88814394b000 RDI: ffff888010071000
RBP: ffff888010071000 R08: 0000000000000000 R09: ffffffff83ed87ea
R10: 0000000000000003 R11: 0000000000000018 R12: ffff88814394b000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  0000000000db8880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000020cd8000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 fbcon_cursor+0x50e/0x620 drivers/video/fbdev/core/fbcon.c:1336
 hide_cursor+0x85/0x280 drivers/tty/vt/vt.c:907
 redraw_screen+0x5b4/0x740 drivers/tty/vt/vt.c:1012
 vc_do_resize+0xed8/0x1150 drivers/tty/vt/vt.c:1325
 fbcon_set_disp+0x7a8/0xe10 drivers/video/fbdev/core/fbcon.c:1402
 con2fb_init_display drivers/video/fbdev/core/fbcon.c:808 [inline]
 set_con2fb_map+0x7a6/0xf80 drivers/video/fbdev/core/fbcon.c:879
 fbcon_set_con2fb_map_ioctl+0x165/0x220 drivers/video/fbdev/core/fbcon.c:3010
 do_fb_ioctl+0x5b6/0x690 drivers/video/fbdev/core/fbmem.c:1156
 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1185
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4402b9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffffae24f88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9
RDX: 0000000020000080 RSI: 0000000000004610 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401ac0
R13: 0000000000401b50 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
CR2: 0000000000000000
---[ end trace 5adb9f198fe5efa6 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffffc9000132f850 EFLAGS: 00010292
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000007
RDX: 0000000000000002 RSI: ffff88814394b000 RDI: ffff888010071000
RBP: ffff888010071000 R08: 0000000000000000 R09: ffffffff83ed87ea
R10: 0000000000000003 R11: 0000000000000018 R12: ffff88814394b000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000720
FS:  0000000000db8880(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 0000000020cd8000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
syzbot has bisected this issue to:
commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Fri Oct 9 23:21:56 2020 +0000
    drm/vkms: fbdev emulation support
bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=148e2748d00000
start commit:   b3a3cbde Add linux-next specific files for 20210115
git tree:       linux-next
final oops:     https://syzkaller.appspot.com/x/report.txt?x=168e2748d00000
console output: https://syzkaller.appspot.com/x/log.txt?x=128e2748d00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6ea08dae6aab586f
dashboard link: https://syzkaller.appspot.com/bug?extid=b67aaae8d3a927f68d20
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15cd8fe0d00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17af5258d00000
Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
On Sun, Jan 17, 2021 at 03:29:05AM -0800, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
> Author: Daniel Vetter <daniel.vetter@ffwll.ch>
> Date:   Fri Oct 9 23:21:56 2020 +0000
>
>     drm/vkms: fbdev emulation support
Not sure you want to annotate this, but this just makes the bug reproducible on vkms. It's a preexisting issue (probably a few decades old) of the fbcon code afaict. It might also be that you can only repro this when you have multiple fbcon drivers (vkms plus whatever your virtual machine has, I guess).

-Daniel
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=148e2748d00000
> start commit:   b3a3cbde Add linux-next specific files for 20210115
> git tree:       linux-next
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=168e2748d00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=128e2748d00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=6ea08dae6aab586f
> dashboard link: https://syzkaller.appspot.com/bug?extid=b67aaae8d3a927f68d20
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15cd8fe0d00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17af5258d00000
>
> Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com
> Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection