
Issue 648217


Issue metadata

Status: Archived
Owner: ----
Closed: Jan 10
Cc:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 3
Type: Bug




Warning in idr_remove() on Pixel C

Project Member Reported by glider@chromium.org, Sep 19 2016

Issue description

The following program:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

int main()
{
  // Map 0xc000 bytes of anonymous, writable memory at the fixed address
  // 0x20000000 (PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS);
  // the trailing zero arguments are harmless syzkaller padding.
  syscall(__NR_mmap, 0x20000000ul, 0xc000ul, 0x3ul,
                         0x32ul, -1, 0x0ul, 0, 0, 0);
  int fd = open("/dev/dri/card0", 0x101102ul, 0);
  // struct drm_ctx_res { count = 2; contexts = 0x2000b000 }
  *(uint32_t*)0x2000b000 = (uint32_t)0x2;
  *(uint64_t*)0x2000b008 = (uint64_t)0x2000b000;
  // 0xc0106426 == DRM_IOCTL_RES_CTX (_IOWR('d', 0x26, struct drm_ctx_res))
  syscall(__NR_ioctl, fd, 0xc0106426ul, 0x2000b000ul);
  int res = *(uint32_t*)0x2000b000;   // count written back by the kernel
  // struct drm_ctx { handle = res; flags = 2 }
  *(uint32_t*)0x2000bff8 = res;
  *(uint32_t*)0x2000bffc = (uint32_t)0x2;
  // 0xc0086421 == DRM_IOCTL_RM_CTX (_IOWR('d', 0x21, struct drm_ctx));
  // this is the call that reaches drm_legacy_rmctx -> idr_remove() in the trace
  syscall(__NR_ioctl, fd, 0xc0086421ul, 0x2000bff8ul);
  return 0;
}

triggers this warning on Pixel C:

------------[ cut here ]------------
WARNING: CPU: 3 PID: 5382 at lib/idr.c:506 idr_remove+0x84/0x3c0()
idr_remove called for id=1 which is not allocated.
CPU: 3 PID: 5382 Comm: warning-idr_rem Tainted: G     U  W      3.18.0-g56d9ed7 #1
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ad2c>] dump_backtrace+0x0/0x17c arch/arm64/kernel/traps.c:90
[<ffffffc00020aec0>] show_stack+0x18/0x24 arch/arm64/kernel/traps.c:172
[<     inline     >] __dump_stack lib/dump_stack.c:15
[<ffffffc001156f34>] dump_stack+0x94/0x100 lib/dump_stack.c:50
[<ffffffc00022bf04>] warn_slowpath_common+0xbc/0xec kernel/panic.c:441
[<ffffffc00022bfdc>] warn_slowpath_fmt+0x70/0x80 kernel/panic.c:452
[<     inline     >] idr_remove_warning lib/idr.c:506
[<ffffffc0006551a4>] idr_remove+0x80/0x3c0 lib/idr.c:560
[<ffffffc000794c54>] drm_legacy_ctxbitmap_free+0x34/0x50 drivers/gpu/drm/drm_context.c:57
[<ffffffc000795730>] drm_legacy_rmctx+0xb8/0x1bc drivers/gpu/drm/drm_context.c:449
[<ffffffc00079a0fc>] drm_ioctl+0x608/0x6cc drivers/gpu/drm/drm_ioctl.c:758
[<ffffffc0008e2fa8>] nouveau_drm_ioctl+0xac/0x10c drivers/gpu/drm/nouveau/nouveau_drm.c:1004
[<     inline     >] vfs_ioctl fs/ioctl.c:43
[<ffffffc0003ecc40>] do_vfs_ioctl+0x818/0x854 fs/ioctl.c:598
[<     inline     >] SYSC_ioctl fs/ioctl.c:613
[<ffffffc0003ecce8>] SyS_ioctl+0x6c/0xb0 fs/ioctl.c:604
---[ end trace ac081ac87c6191e8 ]---

According to https://groups.google.com/forum/#!topic/syzkaller/wOfaszMuYSQ this has already been fixed in linux-next.
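Triage of a reproducer like the one above starts with turning its raw ioctl numbers into the DRM calls they name; the following helper is an added example (not part of this issue, syzkaller, or the kernel) that decodes the two requests in the program using the Linux _IOC field layout and the legacy context ioctl numbers from include/uapi/drm/drm.h, and checks that the encoded argument size matches the uapi struct.

```python
# Decode raw ioctl request numbers using the Linux _IOC() layout shared by
# arm64 and x86: bits 0-7 nr, bits 8-15 type, bits 16-29 size, bits 30-31 dir.
IOC_NRBITS, IOC_TYPEBITS, IOC_SIZEBITS = 8, 8, 14
IOC_NRSHIFT = 0
IOC_TYPESHIFT = IOC_NRSHIFT + IOC_NRBITS      # 8
IOC_SIZESHIFT = IOC_TYPESHIFT + IOC_TYPEBITS  # 16
IOC_DIRSHIFT = IOC_SIZESHIFT + IOC_SIZEBITS   # 30
DIR_NAMES = {0: "NONE", 1: "WRITE", 2: "READ", 3: "READ|WRITE"}

# Legacy DRM context ioctls (type 'd') from include/uapi/drm/drm.h, with the
# uapi struct each carries and that struct's size on a 64-bit kernel.
DRM_CTX_IOCTLS = {
    0x20: ("DRM_IOCTL_ADD_CTX", "struct drm_ctx", 8),
    0x21: ("DRM_IOCTL_RM_CTX", "struct drm_ctx", 8),
    0x22: ("DRM_IOCTL_MOD_CTX", "struct drm_ctx", 8),
    0x23: ("DRM_IOCTL_GET_CTX", "struct drm_ctx", 8),
    0x24: ("DRM_IOCTL_SWITCH_CTX", "struct drm_ctx", 8),
    0x25: ("DRM_IOCTL_NEW_CTX", "struct drm_ctx", 8),
    0x26: ("DRM_IOCTL_RES_CTX", "struct drm_ctx_res", 16),
}


def decode_ioctl(req):
    """Split a 32-bit ioctl request number into its _IOC fields."""
    return {
        "nr": (req >> IOC_NRSHIFT) & ((1 << IOC_NRBITS) - 1),
        "type": chr((req >> IOC_TYPESHIFT) & ((1 << IOC_TYPEBITS) - 1)),
        "size": (req >> IOC_SIZESHIFT) & ((1 << IOC_SIZEBITS) - 1),
        "dir": DIR_NAMES[(req >> IOC_DIRSHIFT) & 0x3],
    }


def describe_drm_ioctl(req):
    """Name a legacy DRM context ioctl and flag an argument size that does not
    match its uapi struct (how a wrong or 32-bit compat number shows up)."""
    fields = decode_ioctl(req)
    if fields["type"] != "d" or fields["nr"] not in DRM_CTX_IOCTLS:
        return None, fields
    name, struct, expected = DRM_CTX_IOCTLS[fields["nr"]]
    fields["name"], fields["struct"] = name, struct
    fields["size_ok"] = fields["size"] == expected
    return name, fields


if __name__ == "__main__":
    # The two request numbers passed by the reproducer above.
    for req in (0xc0106426, 0xc0086421):
        print(hex(req), describe_drm_ioctl(req))
```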
Status: Archived (was: Untriaged)
Archiving P3s older than 1 year with no owner or component.
