Bug 98372

Summary: UBSAN in ../drivers/gpu/drm/drm_modes.c:325:49
Product: DRI
Reporter: Martin Liška <marxin.liska>
Component: DRM/other
Assignee: Default DRI bug account <dri-devel>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
i915 platform:
i915 features:

Description Martin Liška 2016-10-21 12:58:45 UTC
Running $ uname -a
Linux linux-h8g6 4.9.0-rc1-2-syzkaller #1 SMP PREEMPT Mon Oct 17 19:37:55 UTC 2016 (55c3dd5) x86_64 x86_64 x86_64 GNU/Linux

with UBSAN enabled (built by GCC 7.0) in qemu, I reached the following error:

[   48.723720] UBSAN: Undefined behaviour in ../drivers/gpu/drm/drm_modes.c:325:49
[   48.726943] signed integer overflow:
[   48.728503] 2240 * 1000000 cannot be represented in type 'int'
Comment 1 Martin Liška 2016-10-21 12:59:23 UTC
Backtrace:

[   48.730135] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
[   48.730138]  ffff88005cb3edb8 ffffffff83f982ea 0000000041b58ab3 ffffffff853754ab
[   48.730144]  ffffffff83f981de ffff88005cb3ede0 ffff88005cb3ed80 0000000000000000
[   48.730149]  ffffffffc12855e0 ffff88005cb3eeb8 00000000000f4240 ffff88005cb30001
[   48.730154] Call Trace:
[   48.730161]  [<ffffffff83f982ea>] dump_stack+0x10c/0x192
[   48.730165]  [<ffffffff83f981de>] ? _atomic_dec_and_lock+0x12e/0x12e
[   48.730173]  [<ffffffff8407262a>] ubsan_epilogue+0x12/0x8f
[   48.730177]  [<ffffffff84074165>] handle_overflow+0x23d/0x297
[   48.730182]  [<ffffffff84073f28>] ? __ubsan_handle_negate_overflow+0x1bd/0x1bd
[   48.730187]  [<ffffffff84d666ce>] ? mutex_unlock+0xe/0x10
[   48.730207]  [<ffffffffc11e34f8>] ? drm_mode_object_get_reg+0x1b8/0x240 [drm]
[   48.730221]  [<ffffffffc11e3340>] ? drm_mode_object_unreference+0x1a0/0x1a0 [drm]
[   48.730226]  [<ffffffff83832ff9>] ? kmem_cache_alloc_trace+0x149/0x4b0
[   48.730231]  [<ffffffff8407424b>] __ubsan_handle_mul_overflow+0x2a/0x3f
[   48.730245]  [<ffffffffc11a22c0>] drm_cvt_mode+0xa50/0x1090 [drm]
[   48.730254]  [<ffffffffc15ed8b3>] qxl_conn_get_modes+0x343/0xce0 [qxl]
[   48.730261]  [<ffffffffc15ed570>] ? qxl_crtc_cursor_move+0x5d0/0x5d0 [qxl]
[   48.730265]  [<ffffffff844e2116>] ? driver_register+0x1d6/0x410
[   48.730271]  [<ffffffffc110808d>] ? qxl_init+0x8d/0x1000 [qxl]
[   48.730275]  [<ffffffff83002327>] ? do_one_initcall+0xc7/0x2d0
[   48.730284]  [<ffffffffc151a89a>] ? drm_kms_helper_poll_enable_locked+0x28a/0x450 [drm_kms_helper]
[   48.730292]  [<ffffffffc151b791>] drm_helper_probe_single_connector_modes+0xa71/0x1560 [drm_kms_helper]
[   48.730301]  [<ffffffffc155c6f3>] drm_fb_helper_initial_config+0x2e3/0x1700 [drm_kms_helper]
[   48.730306]  [<ffffffff84d664d0>] ? __mutex_unlock_slowpath+0x240/0x430
[   48.730314]  [<ffffffffc155c410>] ? drm_fb_helper_set_par+0x160/0x160 [drm_kms_helper]
[   48.730322]  [<ffffffffc1557f87>] ? drm_fb_helper_add_one_connector+0x237/0x4b0 [drm_kms_helper]
[   48.730330]  [<ffffffffc155826f>] ? drm_fb_helper_single_add_all_connectors+0x6f/0x4c0 [drm_kms_helper]
[   48.730337]  [<ffffffffc15fc523>] qxl_fbdev_init+0x273/0x320 [qxl]
[   48.730343]  [<ffffffffc15fc2b0>] ? qxl_get_handle_for_primary_fb+0xf0/0xf0 [qxl]
[   48.730346]  [<ffffffff84d666ce>] ? mutex_unlock+0xe/0x10
[   48.730361]  [<ffffffffc11dcbc2>] ? drm_connector_register+0x72/0x220 [drm]
[   48.730367]  [<ffffffffc15f718a>] qxl_modeset_init+0x66a/0x970 [qxl]
[   48.730373]  [<ffffffffc15ebcf0>] ? qxl_driver_unload+0x440/0x440 [qxl]
[   48.730379]  [<ffffffffc15ebdfe>] qxl_driver_load+0x10e/0x1b0 [qxl]
[   48.730392]  [<ffffffffc118033d>] drm_dev_register+0x12d/0x230 [drm]
[   48.730405]  [<ffffffffc1189485>] drm_get_pci_dev+0x235/0x9d0 [drm]
[   48.730419]  [<ffffffffc1189250>] ? drm_pci_agp_destroy+0x120/0x120 [drm]
[   48.730424]  [<ffffffff833558ea>] ? trace_hardirqs_on_caller+0x3da/0x6c0
[   48.730428]  [<ffffffff83355bdd>] ? trace_hardirqs_on+0xd/0x10
[   48.730434]  [<ffffffffc15e8860>] ? qxl_pm_suspend+0x90/0x90 [qxl]
[   48.730439]  [<ffffffffc15e88ba>] qxl_pci_probe+0x5a/0xb0 [qxl]
[   48.730444]  [<ffffffff840e59cc>] local_pci_probe+0xfc/0x1f0
[   48.730448]  [<ffffffff840ea8e5>] pci_device_probe+0x215/0x3a0
[   48.730453]  [<ffffffff840ea6d0>] ? pci_device_remove+0x2f0/0x2f0
[   48.730458]  [<ffffffff844dce13>] ? driver_sysfs_add+0x133/0x310
[   48.730462]  [<ffffffff840ea6d0>] ? pci_device_remove+0x2f0/0x2f0
[   48.730466]  [<ffffffff844dea08>] driver_probe_device+0x288/0xfa0
[   48.730469]  [<ffffffff844df720>] ? driver_probe_device+0xfa0/0xfa0
[   48.730473]  [<ffffffff844df893>] __driver_attach+0x173/0x280
[   48.730477]  [<ffffffff844d757a>] bus_for_each_dev+0x15a/0x1f0
[   48.730481]  [<ffffffff844d7420>] ? subsys_dev_iter_init+0x110/0x110
[   48.730486]  [<ffffffff844dd347>] driver_attach+0x47/0x70
[   48.730491]  [<ffffffff844dbeb7>] bus_add_driver+0x547/0x890
[   48.730495]  [<ffffffff844e2116>] driver_register+0x1d6/0x410
[   48.730498]  [<ffffffff83366092>] ? __raw_spin_lock_init+0x32/0x120
[   48.730503]  [<ffffffff840e4576>] __pci_register_driver+0x1a6/0x250
[   48.730507]  [<ffffffff840e43d0>] ? pci_pm_runtime_idle+0x1b0/0x1b0
[   48.730511]  [<ffffffff830021de>] ? initcall_blacklisted+0x14e/0x1d0
[   48.730515]  [<ffffffff83002090>] ? try_to_run_init_process+0x50/0x50
[   48.730518]  [<ffffffffc1108000>] ? 0xffffffffc1108000
[   48.730531]  [<ffffffffc118a07e>] drm_pci_init+0x45e/0x5d0 [drm]
[   48.730536]  [<ffffffff84d6fb39>] ? retint_kernel+0x2d/0x2d
[   48.730549]  [<ffffffffc1189c20>] ? drm_get_pci_dev+0x9d0/0x9d0 [drm]
[   48.730553]  [<ffffffff8300501a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[   48.730556]  [<ffffffffc1108000>] ? 0xffffffffc1108000
[   48.730561]  [<ffffffffc110808d>] qxl_init+0x8d/0x1000 [qxl]
[   48.730565]  [<ffffffff83002327>] do_one_initcall+0xc7/0x2d0
[   48.730569]  [<ffffffff83002260>] ? initcall_blacklisted+0x1d0/0x1d0
[   48.730573]  [<ffffffff83fdce8b>] ? memset_erms+0xb/0x10
[   48.730578]  [<ffffffff8383ba05>] ? kasan_unpoison_shadow+0x35/0x50
[   48.730582]  [<ffffffff8383ba9f>] ? __asan_register_globals+0x7f/0xa0
[   48.730587]  [<ffffffff836a54f3>] do_init_module+0x272/0x64d
[   48.730591]  [<ffffffff836a5281>] ? kzalloc.constprop.34+0x10/0x10
[   48.730596]  [<ffffffff83457848>] load_module+0x3528/0x5ae0
[   48.730600]  [<ffffffff83449820>] ? m_show+0x540/0x540
[   48.730607]  [<ffffffff83454320>] ? layout_and_allocate+0x48e0/0x48e0
[   48.730612]  [<ffffffff838da9e0>] ? read_code+0x50/0x50
[   48.730616]  [<ffffffff8393be3c>] ? __fget_light+0x18c/0x270
[   48.730621]  [<ffffffff838db436>] ? kernel_read_file_from_fd+0x76/0x90
[   48.730625]  [<ffffffff8345a18b>] SYSC_finit_module+0x18b/0x1b0
[   48.730629]  [<ffffffff8345a000>] ? SYSC_init_module+0x200/0x200
[   48.730633]  [<ffffffff834dc1ce>] ? __audit_syscall_entry+0x34e/0x5d0
[   48.730638]  [<ffffffff83009e76>] ? do_syscall_64+0x56/0x520
[   48.730642]  [<ffffffff8345a1c0>] ? SyS_init_module+0x10/0x10
[   48.730646]  [<ffffffff8345a1ce>] SyS_finit_module+0xe/0x10
[   48.730650]  [<ffffffff83009fce>] do_syscall_64+0x1ae/0x520
[   48.730654]  [<ffffffff84d6f1cd>] entry_SYSCALL64_slow_path+0x25/0x25
[   48.730657] ================================================================================
Comment 2 Chris Wilson 2016-10-21 19:55:24 UTC
commit 8a5bbf327aa16025c78491266a6425807c7fbee0
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Fri Oct 21 15:15:40 2016 +0100

    drm: Use u64 for intermediate dotclock calculations
    
    We have reached the era where monitor bandwidths now exceed 31bits in
    frequency calculations, though as we stored them in kHz units we are
    safe from overflow in the modelines for some time.
    
    [   48.723720] UBSAN: Undefined behaviour in ../drivers/gpu/drm/drm_modes.c:325:49
    [   48.726943] signed integer overflow:
    [   48.728503] 2240 * 1000000 cannot be represented in type 'int'
    
    Reported-by: Martin Liška <marxin.liska@gmail.com>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98372
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
    Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Link: http://patchwork.freedesktop.org/patch/msgid/20161021141540.26837-1-chris@chris-wilson.co.uk
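The arithmetic behind this report, written out as an added example (not the kernel's own drm_cvt_mode code): the pre-fix shape, where htotal * HV_FACTOR * 1000 is evaluated entirely in int and overflows once htotal reaches 2148, next to the u64 intermediate the commit switches to. The formula shape and HV_FACTOR = 1000 are assumptions drawn from the commit message; the hperiod value is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define HV_FACTOR 1000 /* assumed value, as used in drm_modes.c */

/* Pre-fix shape: all operands are int, so htotal * 1000000 is an int
 * product. Rather than executing the undefined overflow, detect it the
 * same way UBSAN's -fsanitize=signed-integer-overflow does and return -1. */
static int cvt_clock_int(int htotal, int hperiod)
{
    int tmp;

    if (__builtin_mul_overflow(htotal, HV_FACTOR * 1000, &tmp))
        return -1; /* "<htotal> * 1000000 cannot be represented in type 'int'" */
    return tmp / hperiod;
}

/* Post-fix shape: widen to u64 before the multiply, divide, narrow once.
 * The product 2240 * 1000000 fits trivially; only the kHz result is int. */
static int cvt_clock_u64(int htotal, int hperiod)
{
    uint64_t tmp = (uint64_t)htotal;

    tmp *= HV_FACTOR * 1000;
    tmp /= (uint64_t)hperiod; /* do_div() in the kernel */
    return (int)tmp;
}

int main(void)
{
    /* constructed: hperiod in the formula's units for a ~70 kHz line rate */
    const int hperiod = 14285;
    /* 2240 is the htotal from the UBSAN message; 1920 stays within int */
    const int htotals[] = { 1920, 2240 };
    int i;

    for (i = 0; i < 2; i++)
        printf("htotal=%d  int=%d  u64=%d kHz\n", htotals[i],
               cvt_clock_int(htotals[i], hperiod),
               cvt_clock_u64(htotals[i], hperiod));
    return 0;
}
```

The int path reports -1 (overflow) for htotal 2240 while the u64 path yields the dotclock; both agree for htotal 1920, which is why the bug only surfaced with wide modes.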
