KASAN reports a NULL deref in drm_context_switch_complete() on Pixel C
Issue description

Dmitry found the following bug with KASAN while fuzzing a Pixel C kernel with syzkaller:

==================================================================
init: Untracked pid 22528 exited with status 0
BUG: KASAN: null-ptr-deref on address (null)
Read of size 4 by task syz-executor/22534
CPU: 3 PID: 22534 Comm: syz-executor Tainted: G U 3.18.0 #78
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc000209c8c>] dump_backtrace+0x0/0x148 arch/arm64/kernel/traps.c:91
[<ffffffc000209de4>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:172
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffc00107f0a4>] dump_stack+0x94/0x100 lib/dump_stack.c:50
[< inline >] kasan_report_error mm/kasan/report.c:270
[<ffffffc0003930ec>] kasan_report+0x110/0x554 mm/kasan/report.c:300
[< inline >] check_memory_region_inline mm/kasan/kasan.c:292
[<ffffffc000392cc0>] __asan_load4+0x78/0x84 mm/kasan/kasan.c:729
[< inline >] drm_context_switch_complete drivers/gpu/drm/drm_context.c:280
[<ffffffc000734f04>] drm_legacy_newctx+0x94/0xe0 drivers/gpu/drm/drm_context.c:424
[<ffffffc00073970c>] drm_ioctl+0x5b8/0x678 drivers/gpu/drm/drm_ioctl.c:755
[<ffffffc00087d5a4>] nouveau_drm_ioctl+0xac/0x10c drivers/gpu/drm/nouveau/nouveau_drm.c:1015
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffc0003b641c>] do_vfs_ioctl+0x800/0x83c fs/ioctl.c:598
[< inline >] SYSC_ioctl fs/ioctl.c:613
[<ffffffc0003b64c4>] SyS_ioctl+0x6c/0xb0 fs/ioctl.c:604
==================================================================
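A triage helper for reports of this shape, added here as an example and not part of the issue, of syzkaller or of the kernel: it parses the BUG line, the access line and the call trace, skips the KASAN and backtrace-printer frames, and returns the first real kernel frame as the culprit together with the syscall the trace entered through. The SAMPLE_REPORT string is the report above re-split one entry per line; the class and function names are this example's own.

```python
"""KASAN report triage: bug type, faulting access and the first frame that
is not sanitizer or backtrace-printer code (example code, not from the issue)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the report from the issue description, one entry
# per line as the kernel prints it.
SAMPLE_REPORT = """\
BUG: KASAN: null-ptr-deref on address (null)
Read of size 4 by task syz-executor/22534
CPU: 3 PID: 22534 Comm: syz-executor Tainted: G    U  3.18.0 #78
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc000209c8c>] dump_backtrace+0x0/0x148 arch/arm64/kernel/traps.c:91
[<ffffffc000209de4>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:172
[<     inline     >] __dump_stack lib/dump_stack.c:15
[<ffffffc00107f0a4>] dump_stack+0x94/0x100 lib/dump_stack.c:50
[<     inline     >] kasan_report_error mm/kasan/report.c:270
[<ffffffc0003930ec>] kasan_report+0x110/0x554 mm/kasan/report.c:300
[<     inline     >] check_memory_region_inline mm/kasan/kasan.c:292
[<ffffffc000392cc0>] __asan_load4+0x78/0x84 mm/kasan/kasan.c:729
[<     inline     >] drm_context_switch_complete drivers/gpu/drm/drm_context.c:280
[<ffffffc000734f04>] drm_legacy_newctx+0x94/0xe0 drivers/gpu/drm/drm_context.c:424
[<ffffffc00073970c>] drm_ioctl+0x5b8/0x678 drivers/gpu/drm/drm_ioctl.c:755
[<ffffffc00087d5a4>] nouveau_drm_ioctl+0xac/0x10c drivers/gpu/drm/nouveau/nouveau_drm.c:1015
[<     inline     >] vfs_ioctl fs/ioctl.c:43
[<ffffffc0003b641c>] do_vfs_ioctl+0x800/0x83c fs/ioctl.c:598
[<     inline     >] SYSC_ioctl fs/ioctl.c:613
[<ffffffc0003b64c4>] SyS_ioctl+0x6c/0xb0 fs/ioctl.c:604
"""

# "on address X" is the null-ptr-deref form; other KASAN bugs say "in func+off/len".
BUG_RE = re.compile(r"^BUG: KASAN: (?P<type>[\w-]+) (?:on address (?P<addr>\S+)|in \S+)")
# Older kernels omit "at addr ..."; newer ones include it.
ACCESS_RE = re.compile(r"^(?P<access>Read|Write) of size (?P<size>\d+)"
                       r"(?: at addr (?P<addr>\S+))? by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^\[<\s*(?P<pc>[0-9a-f]+|inline)\s*>\]\s+(?P<func>[\w.]+)"
                      r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(?P<file>\S+):(?P<line>\d+)")
SYSCALL_RE = re.compile(r"^(?:SyS_|SYSC_|sys_|__x64_sys_|__arm64_sys_|__se_sys_|__do_sys_)(\w+)$")

# Frames that belong to the sanitizer or to the backtrace printer; the culprit
# is the first frame that is none of these.
NOISE_FILES = ("mm/kasan/", "lib/dump_stack.c")
NOISE_FUNCS = ("__asan_", "kasan_", "dump_", "__dump_", "show_stack")


@dataclass
class Frame:
    func: str
    file: str
    line: int
    inline: bool


@dataclass
class KasanReport:
    bug_type: str
    address: Optional[str]
    access: Optional[str]
    size: Optional[int]
    task: Optional[str]
    pid: Optional[int]
    frames: List[Frame]

    def culprit(self) -> Optional[Frame]:
        """Where the bad access happened: first frame outside KASAN/backtrace code."""
        for f in self.frames:
            if f.file.startswith(NOISE_FILES) or f.func.startswith(NOISE_FUNCS):
                continue
            if "/kernel/traps.c" in f.file:  # arch-specific backtrace printer
                continue
            return f
        return None

    def syscall(self) -> Optional[str]:
        """Name of the syscall the trace runs through, if a handler frame is present."""
        for f in self.frames:
            m = SYSCALL_RE.match(f.func)
            if m:
                return m.group(1)
        return None

    def title(self) -> str:
        """syzkaller-style dedup title built from bug type, access kind and culprit."""
        where = self.culprit()
        parts = ["KASAN:", self.bug_type, self.access or "", "in", where.func if where else "unknown"]
        return " ".join(p for p in parts if p)


def parse_kasan_report(text: str) -> KasanReport:
    bug_type = address = access = task = None
    size = pid = None
    frames: List[Frame] = []
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := BUG_RE.match(line)):
            bug_type, address = m.group("type"), m.group("addr")
        elif (m := ACCESS_RE.match(line)):
            access, size = m.group("access"), int(m.group("size"))
            address = address or m.group("addr")
            task, pid = m.group("task"), int(m.group("pid"))
        elif line.lower().startswith("call trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            frames.append(Frame(m.group("func"), m.group("file"),
                                int(m.group("line")), m.group("pc") == "inline"))
        elif in_trace and frames:
            in_trace = False  # end of the primary trace (alloc/free stacks follow in UAF reports)
    if bug_type is None:
        raise ValueError("not a KASAN report")
    return KasanReport(bug_type, address, access, size, task, pid, frames)


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    c = rep.culprit()
    print(rep.title())
    print(f"syscall={rep.syscall()} culprit={c.file}:{c.line} ({'inlined' if c.inline else 'call'})")
```

The skip lists are the part worth tuning: a frame in mm/kasan/ or in the arch traps.c printer never owns the bug, so the first frame past them (here the inlined drm_context_switch_complete at drm_context.c:280, reached from drm_legacy_newctx) is the one to file against, and the syscall name gives the entry point for the reproducer.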
Sep 2 2016
Reproducer follows:

$ cat null-drm_legacy_newctx.c
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE          /* O_NOATIME is a GNU extension in <fcntl.h> */
#include <fcntl.h>
#include <sys/mman.h>        /* mmap() */
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_ioctl
#define __NR_ioctl 16
#endif

#define DRM_IOCTL_NEW_CTX 0x40086425ul

int main()
{
	int r;
	/* Back the ioctl argument address with mapped memory so the kernel can read it. */
	mmap((void *)0x20000000, 0x42000ul, 0x3, 0x32, -1, 0);
	r = open("/dev/dri/card0", O_RDWR|O_TRUNC|O_APPEND|O_NOATIME|O_CLOEXEC);
	/* DRM_IOCTL_NEW_CTX goes through drm_legacy_newctx() into drm_context_switch_complete(). */
	syscall(__NR_ioctl, r, DRM_IOCTL_NEW_CTX, 0x2002a000ul, 0, 0, 0, 0, 0, 0);
	return 0;
}
Jan 8 2018
Comment 1 by quanto@google.com, Aug 8 2016