Re: [syzbot] KASAN: use-after-free Read in drm_gem_object_release_handle
syzbot has bisected this issue to:

commit 45d9c8dde4cd8589f9180309ec60f0da2ce486e4
Author: Daniel Vetter
Date:   Thu Aug 12 13:14:12 2021 +

    drm/vgem: use shmem helpers

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=147953cbb0
start commit:   3f667b5d4053 Merge tag 'tty-5.16-rc6' of git://git.kernel...
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=167953cbb0
console output: https://syzkaller.appspot.com/x/log.txt?x=127953cbb0
kernel config:  https://syzkaller.appspot.com/x/.config?x=fa556098924b78f0
dashboard link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16fd41ebb0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1483c7d5b0

Reported-by: syzbot+c8ae65286134dd1b8...@syzkaller.appspotmail.com
Fixes: 45d9c8dde4cd ("drm/vgem: use shmem helpers")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Re: [syzbot] KASAN: use-after-free Read in drm_gem_object_release_handle
syzbot has found a reproducer for the following issue on:

HEAD commit:    fbf252e09678 Add linux-next specific files for 20211216
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=168bf493b0
kernel config:  https://syzkaller.appspot.com/x/.config?x=7fcbb9aa19a433c8
dashboard link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=144be7cbb0
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=136e3193b0

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c8ae65286134dd1b8...@syzkaller.appspotmail.com

RBP: 7ffe623d1b90 R08: 0003 R09: 0001 R10: 0012 R11: 0246 R12: 0004 R13: R14: R15:
==
BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xf2/0x110 drivers/gpu/drm/drm_gem.c:252
Read of size 8 at addr 8881473d3228 by task syz-executor513/3605

CPU: 1 PID: 3605 Comm: syz-executor513 Not tainted 5.16.0-rc5-next-20211216-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xa5/0x3ed mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 drm_gem_object_release_handle+0xf2/0x110 drivers/gpu/drm/drm_gem.c:252
 idr_for_each+0x113/0x220 lib/idr.c:208
 drm_gem_release+0x22/0x30 drivers/gpu/drm/drm_gem.c:930
 drm_file_free.part.0+0x805/0xb80 drivers/gpu/drm/drm_file.c:281
 drm_file_free drivers/gpu/drm/drm_file.c:248 [inline]
 drm_close_helper.isra.0+0x17d/0x1f0 drivers/gpu/drm/drm_file.c:308
 drm_release+0x1e6/0x530 drivers/gpu/drm/drm_file.c:495
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xc14/0x2c20 kernel/exit.c:832
 do_group_exit+0x125/0x310 kernel/exit.c:929
 __do_sys_exit_group kernel/exit.c:940 [inline]
 __se_sys_exit_group kernel/exit.c:938 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:938
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff6a71909f9
Code: Unable to access opcode bytes at RIP 0x7ff6a71909cf.
RSP: 002b:7ffe623d1b68 EFLAGS: 0246 ORIG_RAX: 00e7
RAX: ffda RBX: 7ff6a72043f0 RCX: 7ff6a71909f9
RDX: 003c RSI: 00e7 RDI:
RBP: R08: ffc0 R09: 0001
R10: 0012 R11: 0246 R12: 7ff6a72043f0
R13: 0001 R14: R15: 0001

Allocated by task 3605:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 kasan_kmalloc mm/kasan/common.c:515 [inline]
 kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:715 [inline]
 vgem_gem_create_object+0x38/0xb0 drivers/gpu/drm/vgem/vgem_drv.c:98
 __drm_gem_shmem_creat
[syzbot] KASAN: use-after-free Read in drm_gem_object_release_handle
Hello,

syzbot found the following issue on:

HEAD commit:    8ab774587903 Merge tag 'trace-v5.16-5' of git://git.kernel..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1174ace6b0
kernel config:  https://syzkaller.appspot.com/x/.config?x=6d3b8fd1977c1e73
dashboard link: https://syzkaller.appspot.com/bug?extid=c8ae65286134dd1b800d
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c8ae65286134dd1b8...@syzkaller.appspotmail.com

==
BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xf2/0x110 drivers/gpu/drm/drm_gem.c:252
Read of size 8 at addr 888028419a28 by task syz-executor.2/10905

CPU: 0 PID: 10905 Comm: syz-executor.2 Not tainted 5.16.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 drm_gem_object_release_handle+0xf2/0x110 drivers/gpu/drm/drm_gem.c:252
 idr_for_each+0x113/0x220 lib/idr.c:208
 drm_gem_release+0x22/0x30 drivers/gpu/drm/drm_gem.c:930
 drm_file_free.part.0+0x805/0xb80 drivers/gpu/drm/drm_file.c:281
 drm_file_free drivers/gpu/drm/drm_file.c:248 [inline]
 drm_close_helper.isra.0+0x17d/0x1f0 drivers/gpu/drm/drm_file.c:308
 drm_release+0x1e6/0x530 drivers/gpu/drm/drm_file.c:495
 __fput+0x286/0x9f0 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 __do_fast_syscall_32+0x72/0xf0 arch/x86/entry/common.c:181
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
RIP: 0023:0xf6f4e549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:ff954ef0 EFLAGS: 0282 ORIG_RAX: 0006
RAX: RBX: 0003 RCX: 0002
RDX: RSI: f7084000 RDI: f70aafac
RBP: f7084000 R08: R09:
R10: R11: R12:
R13: R14: R15:

Allocated by task 10906:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 kasan_kmalloc mm/kasan/common.c:513 [inline]
 kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:590 [inline]
 kzalloc include/linux/slab.h:724 [inline]
 __drm_gem_shmem_create+0x3d8/0x470 drivers/gpu/drm/drm_gem_shmem_helper.c:56
 drm_gem_shmem_create drivers/gpu/drm/drm_gem_shmem_helper.c:116 [inline]
 drm_gem_shmem_create_with_handle+0x26/0x100 drivers/gpu/drm/drm_gem_shmem_helper.c:422
 drm_gem_shmem_dumb_create+0x13f/0x290 drivers/gpu/drm/drm_gem_shmem_helper.c:538
 drm_mode_create_dumb+0x26c/0x2f0 drivers/gpu/drm/drm_dumb_buffers.c:96
 drm_ioctl_kernel+0x27d/0x4e0 drivers/gpu/drm/drm_ioctl.c:782
 drm_ioctl+0x51e/0x9d0 drivers/gpu/drm/drm_ioctl.c:885
 drm_compat_ioctl+0x270/0x330 drivers/gpu/drm/drm_ioc32.c:987
 __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Freed by task 10906:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 kasan_slab_free mm/kasan/common.c:366 [inline]
 kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
 slab_free mm/slub.c:3513 [inline]
 kfree+0xf6/0x560 mm/slub.c:4561
 drm_gem_object_free+0x58/0x80 drivers/gpu/drm/drm_gem.c:972
 kref_put include/linux/kref.h:65 [inline]
 __drm_gem_object_put include/drm/drm_gem.h:371 [inline]
 drm_gem_object_put include/drm/drm_gem.h:384 [inline]
 drm_