New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 635531 link

Starred by 1 user
Status: Untriaged
Owner: ----
Cc:
dvyukov@chromium.org
djkurtz@chromium.org
tfiga@chromium.org
jlarimer@google.com
infe...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 3
Type: Bug



Sign in to add a comment

KASAN reports a NULL deref in drm_context_switch_complete() on Pixel C

Project Member Reported by glider@chromium.org, Aug 8 2016 
Dmitry found the following bug with KASAN while fuzzing a Pixel C kernel with syzkaller:

==================================================================
init: Untracked pid 22528 exited with status 0
BUG: KASAN: null-ptr-deref on address           (null)
Read of size 4 by task syz-executor/22534
CPU: 3 PID: 22534 Comm: syz-executor Tainted: G     U         3.18.0 #78
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT) 
Call trace:
[<ffffffc000209c8c>] dump_backtrace+0x0/0x148 arch/arm64/kernel/traps.c:91
[<ffffffc000209de4>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:172
[<     inline     >] __dump_stack lib/dump_stack.c:15
[<ffffffc00107f0a4>] dump_stack+0x94/0x100 lib/dump_stack.c:50
[<     inline     >] kasan_report_error mm/kasan/report.c:270
[<ffffffc0003930ec>] kasan_report+0x110/0x554 mm/kasan/report.c:300
[<     inline     >] check_memory_region_inline mm/kasan/kasan.c:292
[<ffffffc000392cc0>] __asan_load4+0x78/0x84 mm/kasan/kasan.c:729
[<     inline     >] drm_context_switch_complete drivers/gpu/drm/drm_context.c:280
[<ffffffc000734f04>] drm_legacy_newctx+0x94/0xe0 drivers/gpu/drm/drm_context.c:424
[<ffffffc00073970c>] drm_ioctl+0x5b8/0x678 drivers/gpu/drm/drm_ioctl.c:755
[<ffffffc00087d5a4>] nouveau_drm_ioctl+0xac/0x10c drivers/gpu/drm/nouveau/nouveau_drm.c:1015
[<     inline     >] vfs_ioctl fs/ioctl.c:43
[<ffffffc0003b641c>] do_vfs_ioctl+0x800/0x83c fs/ioctl.c:598
[<     inline     >] SYSC_ioctl fs/ioctl.c:613
[<ffffffc0003b64c4>] SyS_ioctl+0x6c/0xb0 fs/ioctl.c:604
==================================================================

Comment 1 by quanto@google.com, Aug 8 2016 

Logging b/30731231 for Android to track this.

Comment 2 by glider@chromium.org, Sep 2 2016 

Reproducer follows:

$ cat null-drm_legacy_newctx.c 
// autogenerated by syzkaller (http://github.com/google/syzkaller)

#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_ioctl
#define __NR_ioctl 16
#endif

#define DRM_IOCTL_NEW_CTX 0x40086425ul

int main()
{
  int r;
  mmap(0x20000000, 0x42000ul, 0x3, 0x32, -1, 0);
  r = open("/dev/dri/card0", O_RDWR|O_TRUNC|O_APPEND|O_NOATIME|O_CLOEXEC);
  syscall(__NR_ioctl, r, DRM_IOCTL_NEW_CTX, 0x2002a000ul,
                         0, 0, 0, 0, 0, 0);
  return 0;
}

Comment 3 by dtapu...@chromium.org, Jan 8 2018

Components: OS>Kernel

Sign in to add a comment