From mboxrd@z Thu Jan 1 00:00:00 1970
From: syzbot
Date: Thu, 05 Dec 2019 16:46:08 +0000
Subject: KASAN: slab-out-of-bounds Read in bit_putcs
Message-Id: <0000000000007f075c0598f7aa38@google.com>
To: b.zolnierkie@samsung.com, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

Hello,

syzbot found the following crash on:

HEAD commit:    282ffdf3 Add linux-next specific files for 20191205
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=165627f2e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=29372c0243b4b980
dashboard link: https://syzkaller.appspot.com/bug?extid=998dec6452146bd7a90c
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+998dec6452146bd7a90c@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
BUG: KASAN: slab-out-of-bounds in bit_putcs+0xd5d/0xf10 drivers/video/fbdev/core/bitblit.c:185
Read of size 1 at addr ffff88809f4ed8fe by task syz-executor.1/22264

CPU: 0 PID: 22264 Comm: syz-executor.1 Not tainted 5.4.0-next-20191205-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 __fb_pad_aligned_buffer include/linux/fb.h:655 [inline]
 bit_putcs_aligned drivers/video/fbdev/core/bitblit.c:96 [inline]
 bit_putcs+0xd5d/0xf10 drivers/video/fbdev/core/bitblit.c:185
 fbcon_putcs+0x33c/0x3e0 drivers/video/fbdev/core/fbcon.c:1353
 do_update_region+0x42b/0x6f0 drivers/tty/vt/vt.c:677
 redraw_screen+0x676/0x7d0 drivers/tty/vt/vt.c:1011
 vc_do_resize+0x10c9/0x1460 drivers/tty/vt/vt.c:1284
 vc_resize+0x4d/0x60 drivers/tty/vt/vt.c:1304
 vt_ioctl+0x2076/0x26d0 drivers/tty/vt/vt_ioctl.c:887
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45a679
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fce593a0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a679
RDX: 00000000200002c0 RSI: 000000000000560a RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fce593a16d4
R13: 00000000004c6ce2 R14: 00000000004dd2d0 R15: 00000000ffffffff

Allocated by task 18936:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x163/0x770 mm/slab.c:3665
 kmalloc include/linux/slab.h:561 [inline]
 fbcon_set_font+0x32d/0x860 drivers/video/fbdev/core/fbcon.c:2663
 con_font_set drivers/tty/vt/vt.c:4538 [inline]
 con_font_op+0xe30/0x1270 drivers/tty/vt/vt.c:4603
 vt_ioctl+0xd2e/0x26d0 drivers/tty/vt/vt_ioctl.c:913
 tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
 vfs_ioctl fs/ioctl.c:47 [inline]
 file_ioctl fs/ioctl.c:545 [inline]
 do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
 __do_sys_ioctl fs/ioctl.c:756 [inline]
 __se_sys_ioctl fs/ioctl.c:754 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 18502:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:335 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x2c0 mm/slab.c:3757
 free_event_rcu+0x5e/0x70 kernel/events/core.c:4372
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2183 [inline]
 rcu_core+0x570/0x1540 kernel/rcu/tree.c:2408
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2417
 __do_softirq+0x262/0x98c kernel/softirq.c:292

The buggy address belongs to the object at ffff88809f4ed000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 254 bytes to the right of
 2048-byte region [ffff88809f4ed000, ffff88809f4ed800)
The buggy address belongs to the page:
page:ffffea00027d3b40 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
raw: 00fffe0000000200 ffffea00029bc9c8 ffffea00024ae408 ffff8880aa400e00
raw: 0000000000000000 ffff88809f4ed000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f4ed780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809f4ed800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809f4ed880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff88809f4ed900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809f4ed980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
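The report above records a one-byte read in __fb_pad_aligned_buffer (include/linux/fb.h:655), reached from bit_putcs_aligned during a console redraw triggered by a VT resize ioctl, landing 254 bytes past the end of a 2048-byte kmalloc-2k object that fbcon_set_font had allocated for font data. The C program below is an added example, not kernel code and not a fix from the fbdev or vt maintainers: it models the glyph copy in user space with a loop shaped like __fb_pad_aligned_buffer and puts a bounds check in front of it, so that a glyph index whose bytes would extend past the font allocation is refused instead of read. The 2048-byte font buffer, its contents and the 8x16 glyph geometry are constructed for the example; the real geometry and the glyph index behind the faulting address are not in the report, so the index 143 in the demo is only what 2048 + 254 bytes works out to under the assumed 16-byte glyphs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a console font buffer (the report says
 * fbcon_set_font() kmalloc()ed 2048 bytes for it). Geometry is an
 * assumption for this example: 8 pixels wide (one byte per row), 16 rows
 * per glyph, so 16 bytes per glyph and 128 glyphs fit in 2048 bytes. */
#define FONT_LEN    2048
#define FONT_WIDTH  8
#define FONT_HEIGHT 16

struct font_buf {
    const uint8_t *data;   /* glyph bitmaps, glyph i at i * pitch * height */
    size_t len;            /* bytes actually allocated for data */
    uint32_t width;        /* glyph width in pixels */
    uint32_t height;       /* glyph height in rows */
};

static uint8_t g_font_data[FONT_LEN];

/* Fill the constructed font so glyph i, row r holds (i + r) & 0xff; that
 * makes it obvious which glyph a copied row came from. */
const struct font_buf *example_font(void)
{
    static struct font_buf f;
    for (size_t i = 0; i < FONT_LEN; i++)
        g_font_data[i] = (uint8_t)(i / FONT_HEIGHT + i % FONT_HEIGHT);
    f.data = g_font_data;
    f.len = FONT_LEN;
    f.width = FONT_WIDTH;
    f.height = FONT_HEIGHT;
    return &f;
}

static uint32_t glyph_pitch(const struct font_buf *f)
{
    return (f->width + 7) / 8;   /* bytes per glyph row */
}

/* Unchecked row copy with zero padding, shaped like the kernel's
 * __fb_pad_aligned_buffer(): it trusts src to point at height * s_pitch
 * readable bytes. Handed a glyph address past the end of the font
 * allocation, this is the loop that performs the out-of-bounds read. */
static void pad_aligned_buffer(uint8_t *dst, uint32_t d_pitch,
                               const uint8_t *src, uint32_t s_pitch,
                               uint32_t height)
{
    uint32_t i, j;

    d_pitch -= s_pitch;
    for (i = height; i--; ) {
        for (j = 0; j < s_pitch; j++)
            *dst++ = *src++;
        for (j = 0; j < d_pitch; j++)
            *dst++ = 0;
    }
}

/* Checked entry point: only run the copy when glyph `idx` lies entirely
 * inside f->len. Returns 0 on success, -1 when the glyph would be read
 * out of bounds or the destination pitch cannot hold a source row. */
int put_glyph_checked(const struct font_buf *f, uint32_t idx,
                      uint8_t *dst, uint32_t d_pitch)
{
    uint32_t s_pitch = glyph_pitch(f);
    size_t glyph_bytes = (size_t)s_pitch * f->height;

    if (glyph_bytes == 0 || d_pitch < s_pitch || f->len < glyph_bytes)
        return -1;
    /* Division form avoids overflow in idx * glyph_bytes + glyph_bytes. */
    if ((size_t)idx > (f->len - glyph_bytes) / glyph_bytes)
        return -1;
    pad_aligned_buffer(dst, d_pitch, f->data + (size_t)idx * glyph_bytes,
                       s_pitch, f->height);
    return 0;
}

/* Largest glyph index that fits in the font allocation. */
uint32_t last_glyph_index(const struct font_buf *f)
{
    size_t glyph_bytes = (size_t)glyph_pitch(f) * f->height;
    return (uint32_t)(f->len / glyph_bytes) - 1;
}

int main(void)
{
    const struct font_buf *f = example_font();
    uint8_t dst[FONT_HEIGHT * 4];   /* 4-byte destination pitch */
    /* 143: where byte 2048 + 254 falls under the assumed 16-byte glyphs. */
    uint32_t idx[] = { 0, last_glyph_index(f), last_glyph_index(f) + 1, 143 };

    for (size_t k = 0; k < sizeof idx / sizeof idx[0]; k++) {
        int rc = put_glyph_checked(f, idx[k], dst, 4);
        printf("glyph %3u: %s\n", (unsigned)idx[k],
               rc == 0 ? "copied" : "rejected (would read past font buffer)");
    }
    return 0;
}
```

The check is placed at the point where a glyph index turns into a source pointer, which is the only place that knows both the index and the allocation length; the inner copy loop stays as fast and as trusting as the kernel's, so the safety property has to hold at every caller, not just this one.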