BUG: unable to handle kernel paging request in imageblit

From: Dipanjan Das
Date: Wed Jul 27 2022 - 20:15:10 EST


Hi,

We would like to report the following bug, which was found by our
modified version of syzkaller.

======================================================
description: BUG: unable to handle kernel paging request in imageblit
affected file: drivers/gpu/drm/drm_fb_helper.c
kernel version: 5.4.206
kernel commit: 6584107915561f860b7b05dcca5c903dd62a308d
git tree: upstream
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=1aab6d4187ddf667
crash reproducer: attached
======================================================
Crash log:
======================================================
BUG: unable to handle page fault for address: ffffc90000c19000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 119554067 P4D 119554067 PUD 119555067 PMD 10be9f067 PTE 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 27220 Comm: syz-executor.4 Tainted: G OE 5.4.206+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x1137/0x16f0 drivers/video/fbdev/core/sysimgblt.c:275
Code: 24 18 23 18 4c 89 f0 48 c1 e8 03 33 5c 24 60 0f b6 14 30 4c 89
f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 56 03 00 00 31 ff <41> 89
5f fc 44 89 e6 e8 0d 6f b2 fd 45 85 e4 75 0f e8 93 6d b2 fd
RSP: 0018:ffff8880824df250 EFLAGS: 00010246
RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000
RBP: ffff88810f56c213 R08: ffff8880922f82c0 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000007
R13: 0000000000000002 R14: ffffc90000c19000 R15: ffffc90000c19004
FS: 00007f9076748700(0000) GS:ffff88811a000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000c19000 CR3: 0000000090190001 CR4: 0000000000162ef0
Call Trace:
drm_fb_helper_sys_imageblit+0x1c/0x130 drivers/gpu/drm/drm_fb_helper.c:809
bit_putcs_unaligned drivers/video/fbdev/core/bitblit.c:139 [inline]
bit_putcs+0x904/0xd90 drivers/video/fbdev/core/bitblit.c:188
fbcon_putcs+0x39c/0x4c0 drivers/video/fbdev/core/fbcon.c:1302
fbcon_putc+0x86/0xb0 drivers/video/fbdev/core/fbcon.c:1312
complement_pos+0x360/0x720 drivers/tty/vt/vt.c:817
highlight_pointer drivers/tty/vt/selection.c:63 [inline]
clear_selection+0x17/0x70 drivers/tty/vt/selection.c:83
vc_do_resize+0x1026/0x13a0 drivers/tty/vt/vt.c:1253
fbcon_do_set_font+0x579/0x9f0 drivers/video/fbdev/core/fbcon.c:2442
fbcon_set_font+0xa43/0xda0 drivers/video/fbdev/core/fbcon.c:2542
con_font_set drivers/tty/vt/vt.c:4591 [inline]
con_font_op+0x75b/0xcc0 drivers/tty/vt/vt.c:4635
vt_ioctl+0x1663/0x2580 drivers/tty/vt/vt_ioctl.c:898
tty_ioctl+0xda5/0x14c0 drivers/tty/tty_io.c:2657
vfs_ioctl fs/ioctl.c:47 [inline]
file_ioctl fs/ioctl.c:510 [inline]
do_vfs_ioctl+0xd30/0x1340 fs/ioctl.c:697
ksys_ioctl+0x9b/0xc0 fs/ioctl.c:714
__do_sys_ioctl fs/ioctl.c:721 [inline]
__se_sys_ioctl fs/ioctl.c:719 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:719
do_syscall_64+0xf6/0x7b0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f90787974ed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9076747be8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f90788b5f60 RCX: 00007f90787974ed
RDX: 0000000020000480 RSI: 0000000000004b72 RDI: 0000000000000003
RBP: 00007f90788032e1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffed03d269f R14: 00007f90788b5f60 R15: 00007f9076747d80
Modules linked in: uio_ivshmem(OE) uio(E)
CR2: ffffc90000c19000
---[ end trace af2a9beecf656bf6 ]---
RIP: 0010:fast_imageblit drivers/video/fbdev/core/sysimgblt.c:229 [inline]
RIP: 0010:sys_imageblit+0x1137/0x16f0 drivers/video/fbdev/core/sysimgblt.c:275
Code: 24 18 23 18 4c 89 f0 48 c1 e8 03 33 5c 24 60 0f b6 14 30 4c 89
f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 56 03 00 00 31 ff <41> 89
5f fc 44 89 e6 e8 0d 6f b2 fd 45 85 e4 75 0f e8 93 6d b2 fd
RSP: 0018:ffff8880824df250 EFLAGS: 00010246
RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000
RBP: ffff88810f56c213 R08: ffff8880922f82c0 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000007
R13: 0000000000000002 R14: ffffc90000c19000 R15: ffffc90000c19004
FS: 00007f9076748700(0000) GS:ffff88811a000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90000c19000 CR3: 0000000090190001 CR4: 0000000000162ef0
----------------
Code disassembly (best guess):
0: 24 18 and $0x18,%al
2: 23 18 and (%rax),%ebx
4: 4c 89 f0 mov %r14,%rax
7: 48 c1 e8 03 shr $0x3,%rax
b: 33 5c 24 60 xor 0x60(%rsp),%ebx
f: 0f b6 14 30 movzbl (%rax,%rsi,1),%edx
13: 4c 89 f0 mov %r14,%rax
16: 83 e0 07 and $0x7,%eax
19: 83 c0 03 add $0x3,%eax
1c: 38 d0 cmp %dl,%al
1e: 7c 08 jl 0x28
20: 84 d2 test %dl,%dl
22: 0f 85 56 03 00 00 jne 0x37e
28: 31 ff xor %edi,%edi
* 2a: 41 89 5f fc mov %ebx,-0x4(%r15) <-- trapping instruction
2e: 44 89 e6 mov %r12d,%esi
31: e8 0d 6f b2 fd callq 0xfdb26f43
36: 45 85 e4 test %r12d,%r12d
39: 75 0f jne 0x4a
3b: e8 93 6d b2 fd callq 0xfdb26dd3

--
Thanks and Regards,

Dipanjan
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Open a device node. Two calling conventions, selected by a0:
 *  - a0 == 0xc (char) or 0xb (block): a1 and a2 are the major and minor
 *    numbers (truncated to 8 bits) and the node is opened O_RDWR through
 *    the /dev/char or /dev/block symlink directory.
 *  - otherwise a0 is a path template (char *); every '#' is replaced, in
 *    strchr order, by successive low decimal digits of a1, and the result
 *    is opened with a2 as the open(2) flags.
 * Returns the open(2) result: a descriptor, or -1 with errno set.
 */
static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
{
	char path[1024];

	if (a0 != 0xc && a0 != 0xb) {
		/* Template form: bounded copy, then expand each '#' to a digit. */
		long digits = a1;
		char *mark;

		snprintf(path, sizeof(path), "%s", (const char *)a0);
		for (mark = strchr(path, '#'); mark; mark = strchr(path, '#')) {
			*mark = (char)('0' + (char)(digits % 10));
			digits /= 10;
		}
		return open(path, (int)a2, 0);
	}

	/* major:minor form; both numbers are truncated to uint8_t. */
	snprintf(path, sizeof(path), "/dev/%s/%d:%d",
		 a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
	return open(path, O_RDWR, 0);
}

uint64_t r[2] = {0xffffffffffffffff, 0xffffffffffffffff};

/*
 * syzkaller-generated reproducer for the imageblit page fault reported above.
 * It opens the same character device twice and issues two ioctls whose
 * argument structures are laid out by hand in a fixed scratch mapping.
 * Return values of mmap/ioctl are not checked, as is usual for these
 * generated programs; a failed open leaves r[] at -1 and the ioctl is
 * issued on that value anyway.
 */
int main(void)
{
/* Three fixed-address anonymous mappings (0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
 * on x86-64). The middle one (prot 7 = read/write/exec) is the scratch area used
 * for every ioctl argument below; the PROT_NONE pages either side presumably act
 * as guards. */
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
intptr_t res = 0;
res = -1;
/* 0xc selects the /dev/char/<major>:<minor> path in syz_open_dev, so this is
 * /dev/char/4:1, i.e. major 4 minor 1 (a virtual console). */
res = syz_open_dev(0xc, 4, 1);
if (res != -1)
r[0] = res;
/* 12-byte argument at 0x20000000 for ioctl 0x541c (TIOCLINUX). The leading byte
 * is the TIOCLINUX subcommand (2 here) — presumably the console-selection
 * subcommand, which matches the clear_selection frame in the trace above;
 * verify against <linux/tiocl.h>. */
*(uint8_t*)0x20000000 = 2;
*(uint8_t*)0x20000001 = 2;
*(uint16_t*)0x20000002 = 0;
*(uint16_t*)0x20000004 = 0;
*(uint16_t*)0x20000006 = 0;
*(uint16_t*)0x20000008 = 0x300;
*(uint16_t*)0x2000000a = 0;
syscall(__NR_ioctl, r[0], 0x541c, 0x20000000ul);
res = -1;
/* Second handle on the same console device. */
res = syz_open_dev(0xc, 4, 1);
if (res != -1)
r[1] = res;
/* struct console_font_op at 0x20000480 for ioctl 0x4b72 (KDFONTOP):
 * op = 0 (KD_FONT_OP_SET), flags = 0, width = 3, height = 0x1b,
 * charcount = 0x200, data = 0x20000040. The crash log shows this request
 * reaching con_font_set -> fbcon_set_font -> vc_do_resize -> clear_selection
 * -> bit_putcs -> sys_imageblit, where the fault occurs. */
*(uint32_t*)0x20000480 = 0;
*(uint32_t*)0x20000484 = 0;
*(uint32_t*)0x20000488 = 3;
*(uint32_t*)0x2000048c = 0x1b;
*(uint32_t*)0x20000490 = 0x200;
*(uint64_t*)0x20000498 = 0x20000040;
/* 1024 bytes of font bitmap data placed at the buffer the data pointer above
 * refers to. The trailing backslashes are C line continuations inside the
 * string literal, not part of the data. */
memcpy((void*)0x20000040, "\x11\x6a\x9c\xaf\xf7\x3a\x85\x29\x62\x2e\x69\x8f\x1e\xf3\xfa\x4e\x3b\xb4\x95\x29\x22\x28\x7b\xf4\xd4\xdb\x58\x01\x0b\x0c\x93\x12\x7b\xd5\xa1\x8d\xbd\x09\xe7\xdf\x91\x90\xc1\x72\x96\x29\xd0\x0f\x2d\xc5\xc8\x4f\x82\xea\xec\xd3\x50\xc6\xca\x4e\x70\x46\x88\x19\xde\x14\xe3\xd0\xe4\x91\x5c\x5d\x8d\x6a\xbf\x71\xee\xd2\xd4\x06\x95\xc5\x5c\x78\x1d\xca\xf8\x0a\x4a\x26\x9e\x1c\x43\xc7\xed\x9e\xd5\xe5\xe3\x86\xa2\x90\x24\x2a\x8b\x00\x70\xa7\xc0\x09\x23\x41\x0a\xe2\xf9\x51\xad\x46\x59\x3b\xe8\xb5\x03\x00\x00\x00\xaf\xa7\xcd\x0f\xc2\xea\x46\xb4\x21\xa4\xaa\x74\x1c\x80\x85\xfd\x17\xd5\xd9\x9c\x82\x92\x59\x18\x29\x39\x01\x46\x1b\xf7\x08\x9c\x38\x0e\x12\x7f\x8d\xe6\x87\x58\x11\x32\xc7\x30\xde\xf2\x66\x54\x4b\xbb\xc6\x0d\x21\xe8\x9d\x64\x79\x5d\xe7\x9b\x55\xbb\x1e\xd9\xd8\x7a\xa9\xf3\xa3\xd5\x01\x05\x91\xf8\x6f\x6a\x52\x50\x38\xee\x6c\xd8\xe6\x92\x0c\x3f\x6e\xdb\xc4\x04\x16\xe0\x45\x35\xdb\x71\x88\x2a\xa5\x82\xde\x9f\x25\x5e\xaf\x5e\xc5\x74\xe4\x63\x3c\x8d\x41\x97\x17\x8d\xa4\x9d\xb2\xab\xb0\xc4\x39\x98\x31\x6b\xbf\x1d\xc6\x9a\x79\x0c\xc9\x5a\x93\x7e\x09\x78\xc5\x38\x29\x17\x04\xdf\x87\x69\xce\xe5\xb1\xf3\x02\x41\x92\x0a\x72\xef\xbc\xcc\xeb\x61\x30\xfa\x88\xdb\x0e\x50\x1e\x3f\x58\x87\x45\x9d\xb4\xb7\x7c\x15\x81\xf6\xd5\x8a\x3a\x1e\x47\x00\x18\x8a\x88\x47\x52\xb2\xaf\xc2\xc8\x0e\x7b\xc3\xc3\xfc\xe7\x84\xf6\x70\xaa\x01\x33\x1e\xee\x95\x4d\x0c\x93\xbb\x66\x45\xff\xf3\xe3\xfa\xfb\xd8\x28\xaa\x12\xb7\xe4\x96\xa5\xac\x39\x47\xa3\xee\xec\x9c\x74\xa0\x4a\x14\x34\x0c\x8a\xb6\x7c\x14\xab\x34\x40\x20\x99\x6f\x21\x13\x6b\x46\x9b\x8b\xe0\x95\x8d\x7e\x8b\xcc\x32\x49\x0b\x70\x74\xc5\xe3\x44\xe0\x0b\x6e\xd2\xe2\xeb\xf4\xc9\xa3\xac\x9b\x6f\x74\xd3\xd7\xe7\xd3\xef\x76\xc7\xa7\x89\xa9\x2d\xde\xed\x72\x19\xf0\xbf\xac\x7c\x7a\xce\x85\x8e\xc5\x43\x11\xce\x32\x0f\x12\x61\x5a\xcb\x40\x8d\x58\xc6\x2e\xa3\x63\x94\xdd\xf2\x1f\x0d\x47\xe0\x6e\x88\x15\x4b\xa2\x63\xd2\xa9\x50\xc1\x88\xc9\xcb\x99\xdd\x95\x05\xfa\x7d\xfa\xe0\x8e\xd8\xf6\x8f\xb8\x2e\x94\xcb\x8d\x2f\x1a\x36\xef\x6c\x3c\x9c\
x5d\x22\x01\xfe\x53\x8b\x4e\x01\x30\x30\xd2\xf2\x87\x1a\xbb\x04\xd6\xc6\x71\xcb\x37\x8f\xd0\xda\x22\x03\x4f\x28\x0f\xa8\x15\xde\x50\xc4\x2f\x25\xc3\x93\xbc\xdc\xf7\x51\x70\xc7\xa0\xdd\x2b\x9b\x22\xa7\xea\xdf\xbb\x9b\x5e\xa2\xd3\x58\x84\x38\x5e\x20\x45\xbf\xe9\xf3\x88\x03\xda\xf1\x6f\x33\x71\xb3\x8a\xc1\x09\xf0\x8c\x49\x58\x24\x2a\x9d\x21\xa9\xe0\xc1\x2c\xaf\xb3\x5f\xd7\xf4\x39\xc1\xd0\xac\xbe\xc0\x37\xe8\x38\xcc\x3f\x67\x46\x13\xb7\x5f\xb3\x78\xd7\x9c\x5e\x76\x30\x6b\x5e\x7f\x84\x1d\x46\x28\x64\x68\x46\x9d\x0d\x05\x1f\x4a\x3b\xd5\x5b\x6f\x1e\xe3\xc1\x77\xcc\xa1\x56\x21\xc7\x1e\x06\x8b\x1d\xa2\x69\x3d\x28\x00\x2b\x00\xe3\x85\x02\x6f\x6b\x9a\x0d\x5b\x55\xcd\x0e\xb7\x1e\x1d\x5c\x37\x3e\x14\x54\x8b\x69\x25\x4d\xe6\xc5\xbc\xd9\x5b\xff\x09\x29\xd9\x34\x44\xc5\xb9\xa7\xf6\x0c\x8c\x04\x01\xc6\xf8\xd6\xf8\xbc\x3f\x8f\xdb\xf0\x44\x68\x6c\x5b\x74\xa9\xca\xb3\x5f\x56\x3a\x9e\x61\xca\x72\x01\x96\x7c\x08\x39\x86\x5c\xe5\x8b\x38\x79\x49\x30\x95\x54\xc2\x2a\xb5\x51\x0b\xa0\xb9\x13\xac\xcf\x7d\xec\x3e\x88\x0a\x22\x7a\x02\xf8\xf7\x64\xb1\x93\x11\x4a\x88\xad\xf4\xc6\x30\x60\x51\xe6\x74\xd9\xd4\x6b\x35\x80\x8b\x39\x12\xa7\x13\x63\xf8\x02\xd1\x79\x80\x0f\x4f\x91\x8c\x7f\xec\x20\x2c\x35\x54\x7f\xea\xea\x7d\xca\xc7\xee\xb6\xca\x6e\x23\xc8\x99\x95\xc1\x6d\xef\xc0\xda\x19\xf0\x15\x1a\x07\xfa\x8d\x7d\xec\xfa\x09\x39\x66\xd7\x6f\x64\x7e\x93\xfc\xb6\x47\x14\x99\x0a\xe1\x79\x16\xce\xe2\xd0\x79\xfe\xa6\x6c\x2d\x1a\x8a\xf0\x3b\xb8\x42\xbe\x5b\x8b\x72\xf1\xe9\x4c\x91\x42\xb4\x56\x87\x6b\x26\xca\x89\x91\x7c\xb6\xd6\xb7\x2c\x7e\x3c\xce\x64\x93\x00\x40\x6a\x44\x28\x23\x6e\xa0\x12\x8f\x8f\x35\xe4\x30\x53\xa8\xce\x08\x8d\xfa\x59\x8b\xf3\x9b\xc8\xa6\x28\x5f\x2c\x83\x1e\x6b\xa2\xbe\xf3\x91\xc6\x3c\xe9\x69\x56\xb2\x89\x72\x52\x95\x34\xc4\x38\x79\x15\xd0\x1e\x51\xb5\x92\xad\x8e\xc8\x5d\x6a\x5d\x02\xe9\xd8\x75\xb8\x08\x4d\x0b\xbc\xcc\x3f\xf9\x05\x01\x01\xde\x57\x7d\x9e\x3d\x9b\xb8\xc6\x4b\xa4\xb4\xe5\x73\x6c\x5d\x89\xa3\x10\xfc\xce\x1e\xe9\x6f\x1f\xdd\x0a\xd4\xf8\xc5\x5c\xb1\xcd\x10\x0d\x8c\x77\x12\x95\xb7\
x12\x29\x18\xd5\x43\xea\xbd\xf6\x78\x98\xa3\x36\x23\x23\xed\x8c\xad\xdd\x4f\x7b\x19\x5b\xb3\x5b\xe1\x09\x4e\xf2\x6e\xbe\x0b", 1024);
syscall(__NR_ioctl, r[1], 0x4b72, 0x20000480ul);
return 0;
}

Attachment: repro.syz
Description: Binary data