Kernel WARNING via bochsdrmfb mmap

From: Takashi Iwai
Date: Mon Mar 07 2016 - 09:30:27 EST

Next message: Michal Hocko: "[PATCH] mm, oom: protect !costly allocations some more"
Previous message: Ludovic Desroches: "[PATCH v2 1/2] iio: core: introduce IIO_CHAN_INFO_SIGNED"
Next in thread: Jiri Slaby: "Re: Kernel WARNING via bochsdrmfb mmap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Jiri Slaby reported a kernel WARNING triggered by syzkaller. It can
be reliably reproduced via fbdev mmap access on bochs drm. The
warning looks like below:

WARNING: CPU: 3 PID: 29356 at ../drivers/gpu/drm/ttm/ttm_bo_vm.c:265 ttm_bo_vm_open+0x11a/0x180 [ttm]()
Modules linked in: ...
Supported: Yes
CPU: 3 PID: 29356 Comm: syz-executor Tainted: G E 4.4.3-0-default #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20151112_172657-sheep25 04/01/2014
0000000000000003 ffff880036cbfb50 ffffffff819eae91 0000000000000000
ffff880035294000 ffffffffa0a46d60 0000000000000009 ffff880036cbfb90
ffffffff8116face ffffffffa0a34e5a ffffffffa0a46d60 0000000000000109
Call Trace:
[<ffffffff819eae91>] ? dump_stack+0xb3/0x112
[<ffffffff8116face>] ? warn_slowpath_common+0xde/0x140
[<ffffffffa0a34e5a>] ? ttm_bo_vm_open+0x11a/0x180 [ttm]
[<ffffffffa0a34d40>] ? ttm_bo_vm_fault+0xe70/0xe70 [ttm]
[<ffffffff8116fcfe>] ? warn_slowpath_null+0x2e/0x40
[<ffffffffa0a34e5a>] ? ttm_bo_vm_open+0x11a/0x180 [ttm]
[<ffffffff815833bd>] ? __split_vma.isra.30+0x3ed/0x7f0
[<ffffffff815877e4>] ? do_munmap+0xd14/0x1010
[<ffffffff81276d6d>] ? __lock_acquire+0xb3d/0x49d0
[<ffffffff81588ab5>] ? mmap_region+0x1d5/0x11d0
[<ffffffff81825ea6>] ? cap_mmap_addr+0x46/0x110
[<ffffffff8158a208>] ? do_mmap+0x758/0x990
[<ffffffff815401f4>] ? vm_mmap_pgoff+0x164/0x1b0
[<ffffffff81540090>] ? task_of_stack+0x240/0x240
[<ffffffff8158454d>] ? SyS_mmap_pgoff+0xcd/0x590
[<ffffffff81584480>] ? vm_stat_account+0x130/0x130
[<ffffffff818316d1>] ? security_file_ioctl+0x91/0xc0
[<ffffffff81005044>] ? lockdep_sys_exit_thunk+0x12/0x14
[<ffffffff81053b6b>] ? SyS_mmap+0x1b/0x30
[<ffffffff823f7972>] ? entry_SYSCALL_64_fastpath+0x12/0x76

The bug was confirmed to happen on the latest vanilla 4.5-rc6, too.
The reproducer code is attached below.

Judging from the code, it comes from the fact that
vma->vm_file->f_mapping via fbdev access isn't changed to bodev's
one. In the case of /dev/dri/*, f_mapping is replaced in drm_open().
But, fbdev open doesn't change f_mapping, and its callback doesn't
take the file pointer, so there is no way to fiddle with it there,
either.

What's the preferred way to fix this? I can think of several ways,
e.g.
- adding f_mapping pointer field in struct fb_info
- passing the file pointer in fbdev open callback so that f_mapping
can be corrected
- adjusting f_mapping in vm_open dynamically (is it safe?)
or
- drop WARN_ON() :)

thanks,

Takashi

---
#include <err.h>
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>

#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>

int main(void)
{
void *addr;

int fd = open("/dev/fb0", O_RDONLY);
if (fd < 0)
err(1, "open");

addr = mmap(0, 8192, PROT_READ, MAP_SHARED, fd, 0);
if (addr == MAP_FAILED)
err(1, "1st mmap");

if (mmap(addr, 4096, PROT_READ, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0) == MAP_FAILED)
err(1, "2nd mmap");

return 0;
}

Next message: Michal Hocko: "[PATCH] mm, oom: protect !costly allocations some more"
Previous message: Ludovic Desroches: "[PATCH v2 1/2] iio: core: introduce IIO_CHAN_INFO_SIGNED"
Next in thread: Jiri Slaby: "Re: Kernel WARNING via bochsdrmfb mmap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]