Re: KASAN: use-after-free Read in vgem_gem_dumb_create

From: Christian KÃnig
Date: Mon Feb 03 2020 - 10:09:08 EST

Next message: Peter Zijlstra: "Re: [PATCH -v2 5/7] locking/percpu-rwsem: Remove the embedded rwsem"
Previous message: Johannes Thumshirn: "Re: [PATCH v10 2/2] zonefs: Add documentation"
In reply to: Dan Carpenter: "Re: KASAN: use-after-free Read in vgem_gem_dumb_create"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Am 03.02.20 um 10:06 schrieb Dan Carpenter:

On Sun, Feb 02, 2020 at 02:19:18PM +0100, Daniel Vetter wrote:

On Fri, Jan 31, 2020 at 11:28 PM syzbot
<syzbot+0dc4444774d419e916c8@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hello,

syzbot found the following crash on:

HEAD commit: 39bed42d Merge tag 'for-linus-hmm' of git://git.kernel.org..
git tree: upstream
console output: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsyzkaller.appspot.com%2Fx%2Flog.txt%3Fx%3D179465bee00000&data=02%7C01%7Cchristian.koenig%40amd.com%7C529f2273b8374f38560108d7a88862eb%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637163176051177627&sdata=3goGqBs4%2BjkjCeV2bX5VTB%2F1PRLEP5bzq5Ec%2BN7fKHs%3D&reserved=0
kernel config: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsyzkaller.appspot.com%2Fx%2F.config%3Fx%3D2646535f8818ae25&data=02%7C01%7Cchristian.koenig%40amd.com%7C529f2273b8374f38560108d7a88862eb%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637163176051177627&sdata=SnlKln%2FAG%2BVRVjSrOSJjUE%2BhSDf35wTqzWLCAyGQVss%3D&reserved=0
dashboard link: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsyzkaller.appspot.com%2Fbug%3Fextid%3D0dc4444774d419e916c8&data=02%7C01%7Cchristian.koenig%40amd.com%7C529f2273b8374f38560108d7a88862eb%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637163176051177627&sdata=33EJNAWjTm6Edi1J0oPBfs8epb%2BQ2cpAKlzl1sT40CQ%3D&reserved=0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsyzkaller.appspot.com%2Fx%2Frepro.syz%3Fx%3D16251279e00000&data=02%7C01%7Cchristian.koenig%40amd.com%7C529f2273b8374f38560108d7a88862eb%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637163176051177627&sdata=zmUyyp7znqQfLzzNZ80bNgCILAjeMeCVVr7xf7CHaWk%3D&reserved=0

The bug was bisected to:

commit 7611750784664db46d0db95631e322aeb263dde7
Author: Alex Deucher <alexander.deucher@xxxxxxx>
Date: Wed Jun 21 16:31:41 2017 +0000

drm/amdgpu: use kernel is_power_of_2 rather than local version

bisection log: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsyzkaller.appspot.com%2Fx%2Fbisect.txt%3Fx%3D11628df1e00000&data=02%7C01%7Cchristian.koenig%40amd.com%7C529f2273b8374f38560108d7a88862eb%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637163176051177627&sdata=5QpTG4iU%2FOt22L3jxRbNxtVPZZ2EvBAcFGZdqVnVCbU%3D&reserved=0
final crash: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsyzkaller.appspot.com%2Fx%2Freport.txt%3Fx%3D13628df1e00000&data=02%7C01%7Cchristian.koenig%40amd.com%7C529f2273b8374f38560108d7a88862eb%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637163176051177627&sdata=hN6UZnFR2nIMPMspjIF7S82oXstaRl%2BLAzmz5yujPac%3D&reserved=0
console output: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsyzkaller.appspot.com%2Fx%2Flog.txt%3Fx%3D15628df1e00000&data=02%7C01%7Cchristian.koenig%40amd.com%7C529f2273b8374f38560108d7a88862eb%7C3dd8961fe4884e608e11a82d994e183d%7C0%7C0%7C637163176051177627&sdata=LHXMANOURDv3EsqTSvHSBZnPEzGQoJU1RbeqYExCaGk%3D&reserved=0

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0dc4444774d419e916c8@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: 761175078466 ("drm/amdgpu: use kernel is_power_of_2 rather than local version")

Aside: This bisect line is complete nonsense ... I'm kinda at the
point where I'm assuming that syzbot bisect results are garbage, which
is maybe not what we want. I guess much stricter filtering for noise
is needed, dunno.
-Danile

With race conditions the git bisect is often nonsense.

Which makes sense, but we can still try to sanitize the result. I'm not familiar with the test case, but I think it doesn't even compile the amdgpu driver.

So skipping all patches of stuff you don't even compile would make not only the result of bisecting quite a bit more reliable, but also speed the process up quite a bit.

But no good idea to how teach that to a compile bot or the git bisect command.

Regards,
Christian.

regards,
dan carpenter

Next message: Peter Zijlstra: "Re: [PATCH -v2 5/7] locking/percpu-rwsem: Remove the embedded rwsem"
Previous message: Johannes Thumshirn: "Re: [PATCH v10 2/2] zonefs: Add documentation"
In reply to: Dan Carpenter: "Re: KASAN: use-after-free Read in vgem_gem_dumb_create"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]