Re: [syzbot] [dri?] WARNING in drm_prime_destroy_file_private (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+59dcc2e7283a6f5f5ba1@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [dri?] WARNING in drm_prime_destroy_file_private (2)
Date: Fri, 29 Dec 2023 17:22:04 -0800	[thread overview]
Message-ID: <000000000000f55b69060daff97a@google.com> (raw)
In-Reply-To: <20231230010350.2074-1-hdanton@sina.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in drm_prime_del_handles

general protection fault, probably for non-canonical address 0xe000130900000017: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x0000b848000000b8-0x0000b848000000bf]
CPU: 1 PID: 5576 Comm: syz-executor.0 Not tainted 6.7.0-rc7-syzkaller-00041-gf016f7547aee-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:292 [inline]
RIP: 0010:rb_erase+0xbb/0x1360 lib/rbtree.c:443
Code: 5e 10 4c 89 f5 48 ba 00 00 00 00 00 fc ff df 48 85 db 75 0b e9 e8 04 00 00 48 89 dd 48 89 c3 4c 8d 63 10 4c 89 e0 48 c1 e8 03 <80> 3c 10 00 0f 85 de 0b 00 00 48 8b 43 10 48 85 c0 75 dc 4c 8d 7b
RSP: 0018:ffffc9000526fd20 EFLAGS: 00010216
RAX: 0000170900000017 RBX: 0000b848000000a8 RCX: ffff88806486d408
RDX: dffffc0000000000 RSI: ffff88806486d408 RDI: ffff88802919b810
RBP: ffffffff84f351e0 R08: 0000000000000000 R09: fffffbfff1e327ba
R10: ffffc9000526fd70 R11: 0000000000000000 R12: 0000b848000000b8
R13: ffff88802808eff8 R14: ffff88802919b800 R15: 0000000000000001
FS:  0000555556b94480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f01823cd5e8 CR3: 0000000023343000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 drm_prime_del_handles+0x55/0xb0 drivers/gpu/drm/drm_prime.c:203
 drm_file_free.part.0+0x73b/0xba0 drivers/gpu/drm/drm_file.c:290
 drm_file_free drivers/gpu/drm/drm_file.c:247 [inline]
 drm_close_helper.isra.0+0x180/0x1f0 drivers/gpu/drm/drm_file.c:308
 drm_release+0x22a/0x4f0 drivers/gpu/drm/drm_file.c:495
 __fput+0x270/0xb70 fs/file_table.c:394
 __fput_sync+0x47/0x50 fs/file_table.c:475
 __do_sys_close fs/open.c:1587 [inline]
 __se_sys_close fs/open.c:1572 [inline]
 __x64_sys_close+0x87/0xf0 fs/open.c:1572
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f32ec87bbda
Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24
RSP: 002b:00007ffe0da98170 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f32ec87bbda
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f32ec99d980 R08: 0000001b2ea60000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000014e33
R13: ffffffffffffffff R14: 00007f32ec400000 R15: 0000000000014af2
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:292 [inline]
RIP: 0010:rb_erase+0xbb/0x1360 lib/rbtree.c:443
Code: 5e 10 4c 89 f5 48 ba 00 00 00 00 00 fc ff df 48 85 db 75 0b e9 e8 04 00 00 48 89 dd 48 89 c3 4c 8d 63 10 4c 89 e0 48 c1 e8 03 <80> 3c 10 00 0f 85 de 0b 00 00 48 8b 43 10 48 85 c0 75 dc 4c 8d 7b
RSP: 0018:ffffc9000526fd20 EFLAGS: 00010216
RAX: 0000170900000017 RBX: 0000b848000000a8 RCX: ffff88806486d408
RDX: dffffc0000000000 RSI: ffff88806486d408 RDI: ffff88802919b810
RBP: ffffffff84f351e0 R08: 0000000000000000 R09: fffffbfff1e327ba
R10: ffffc9000526fd70 R11: 0000000000000000 R12: 0000b848000000b8
R13: ffff88802808eff8 R14: ffff88802919b800 R15: 0000000000000001
FS:  0000555556b94480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f01823cd5e8 CR3: 0000000023343000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
   0:	5e                   	pop    %rsi
   1:	10 4c 89 f5          	adc    %cl,-0xb(%rcx,%rcx,4)
   5:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
   c:	fc ff df
   f:	48 85 db             	test   %rbx,%rbx
  12:	75 0b                	jne    0x1f
  14:	e9 e8 04 00 00       	jmp    0x501
  19:	48 89 dd             	mov    %rbx,%rbp
  1c:	48 89 c3             	mov    %rax,%rbx
  1f:	4c 8d 63 10          	lea    0x10(%rbx),%r12
  23:	4c 89 e0             	mov    %r12,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	80 3c 10 00          	cmpb   $0x0,(%rax,%rdx,1) <-- trapping instruction
  2e:	0f 85 de 0b 00 00    	jne    0xc12
  34:	48 8b 43 10          	mov    0x10(%rbx),%rax
  38:	48 85 c0             	test   %rax,%rax
  3b:	75 dc                	jne    0x19
  3d:	4c                   	rex.WR
  3e:	8d                   	.byte 0x8d
  3f:	7b                   	.byte 0x7b


Tested on:

commit:         f016f754 Merge tag 'gpio-fixes-for-v6.7-rc8' of git://..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14b493a1e80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c7bcb8f62f1e2c3e
dashboard link: https://syzkaller.appspot.com/bug?extid=59dcc2e7283a6f5f5ba1
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1510031de80000

next prev parent reply	other threads:[~2023-12-30  1:22 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-27 20:51 [syzbot] [dri?] WARNING in drm_prime_destroy_file_private (2) syzbot
2023-12-28  2:57 ` Qi Zheng
2023-12-28  2:57   ` Qi Zheng
2024-01-03 15:12   ` Christian König
2024-01-03 15:12     ` Christian König
2023-12-28 11:56 ` Hillf Danton
2023-12-28 12:16   ` syzbot
2023-12-29 11:28 ` Hillf Danton
2023-12-29 12:23   ` syzbot
2023-12-30  1:03 ` Hillf Danton
2023-12-30  1:22   ` syzbot [this message]
2023-12-30  1:59 ` Hillf Danton
2023-12-30  2:47   ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000f55b69060daff97a@google.com \
    --to=syzbot+59dcc2e7283a6f5f5ba1@syzkaller.appspotmail.com \
    --cc=hdanton@sina.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.