WARNING in do_debug


syzbot

Oct 31, 2017, 7:34:02 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com, tg...@linutronix.de
Hello,

syzkaller hit the following crash on
0787643a5f6aad1f0cdeb305f7fe492b71943ea4
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


------------[ cut here ]------------
WARNING: CPU: 0 PID: 3045 at arch/x86/kernel/traps.c:776 cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
WARNING: CPU: 0 PID: 3045 at arch/x86/kernel/traps.c:776 do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 3045 Comm: syz-executor6 Not tainted 4.14.0-rc5+ #142
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<#DB>
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
panic+0x1e4/0x417 kernel/panic.c:181
__warn+0x1c4/0x1d9 kernel/panic.c:542
report_bug+0x211/0x2d0 lib/bug.c:183
fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:178
do_trap_no_signal arch/x86/kernel/traps.c:212 [inline]
do_trap+0x260/0x390 arch/x86/kernel/traps.c:261
do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:298
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:311
invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
RIP: 0010:cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
RIP: 0010:do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
RSP: 0018:ffff8801db20fe98 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8801db20ff58 RCX: 0000000000000000
RDX: 1ffff1003b641ffc RSI: 0000000000000001 RDI: ffffffff85ac6398
RBP: ffff8801db20ff48 R08: ffff8801db20ffe8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000004001
R13: ffff8801cd8541c0 R14: 1ffff1003b641fd8 R15: 0000000000004000
debug+0x34/0x70 arch/x86/entry/entry_64.S:1056
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:180
RSP: 0018:ffff8801cd2cfe68 EFLAGS: 00010246
RAX: ffffed0039a59fe1 RBX: 0000000020000000 RCX: 000000000000003f
RDX: 0000000000000040 RSI: 0000000020000001 RDI: ffff8801cd2cfec9
RBP: ffff8801cd2cfe98 R08: ffffed0039a59fe1 R09: ffffed0039a59fe1
R10: 0000000000000008 R11: ffffed0039a59fe0 R12: 0000000000000040
R13: ffff8801cd2cfec8 R14: 00007ffffffff000 R15: 0000000020000040
</#DB>
copy_from_user include/linux/uaccess.h:146 [inline]
SYSC_timer_create kernel/time/posix-timers.c:579 [inline]
SyS_timer_create+0x89/0x120 kernel/time/posix-timers.c:572
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452719
RSP: 002b:00007f906f324be8 EFLAGS: 00000212 ORIG_RAX: 00000000000000de
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452719
RDX: 0000000020000000 RSI: 0000000020000000 RDI: ffffffffffffffff
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f3cf8
R13: 00000000ffffffff R14: 00007f906f3256d4 R15: 0000000000000000
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line.
config.txt
raw.log
repro.txt

Dmitry Vyukov

Oct 31, 2017, 7:47:46 AM
to syzbot, LKML, syzkall...@googlegroups.com, KVM list, Paolo Bonzini, Radim Krčmář, Haozhong Zhang, David Hildenbrand
On Tue, Oct 31, 2017 at 2:34 PM, syzbot <bot+adbefe6736a5b37af3...@syzkaller.appspotmail.com> wrote:
I think this is a kvm bug, so +kvm maintainers.

Unfortunately, this does not reproduce with a C program. But I was
able to easily reproduce it with the provided syzkaller program by
running:
./syz-execprog repro.txt

On upstream 15f859ae5c43c7f0a064ed92d33f7a5bc5de6de0 (Oct 26).
Seems that the guest somehow sets debug register contents for the host:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 3079 at arch/x86/kernel/traps.c:776 cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
WARNING: CPU: 0 PID: 3079 at arch/x86/kernel/traps.c:776 do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 3079 Comm: syz-executor Not tainted 4.14.0-rc6+ #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
<#DB>
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
panic+0x1e4/0x417 kernel/panic.c:181
__warn+0x1c4/0x1d9 kernel/panic.c:542
report_bug+0x211/0x2d0 lib/bug.c:183
fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:178
do_trap_no_signal arch/x86/kernel/traps.c:212 [inline]
do_trap+0x260/0x390 arch/x86/kernel/traps.c:261
do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:298
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:311
invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
RIP: 0010:cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
RIP: 0010:do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
RSP: 0018:ffff88006ca0fe98 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88006ca0ff58 RCX: 0000000000000000
RDX: 1ffff1000d941ffc RSI: 0000000000000001 RDI: ffffffff85ac63d8
RBP: ffff88006ca0ff48 R08: ffff88006ca0ffe8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000e001
R13: ffff88006a8d2500 R14: 1ffff1000d941fd8 R15: 0000000000004000
debug+0x34/0x70 arch/x86/entry/entry_64.S:1056
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:44 [inline]
RIP: 0010:strncpy_from_user+0x188/0x430 lib/strncpy_from_user.c:117
RSP: 0018:ffff88006b717d28 EFLAGS: 00000246
RAX: 6d766b2f7665642f RBX: ffff88006b717dc0 RCX: ffffc90000e41000
RDX: 0000000000000000 RSI: ffffffff82466043 RDI: ffff88006b717d88
RBP: ffff88006b717de8 R08: ffff88006c5f9780 R09: ffff88006b2e8c00
R10: 0000000000000000 R11: ffffed000d65d37f R12: 0000000000000fe4
R13: 0000000000000fe4 R14: 0000000020000000 R15: 8080808080808080
</#DB>
getname_flags+0x10e/0x580 fs/namei.c:148
getname+0x19/0x20 fs/namei.c:208
do_sys_open+0x2e7/0x6d0 fs/open.c:1053
SYSC_openat fs/open.c:1086 [inline]
SyS_openat+0x30/0x40 fs/open.c:1080
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x447c89
RSP: 002b:00007f23a6c51bd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f23a6c526cc RCX: 0000000000447c89
RDX: 0000000000080000 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f23a6c529c0 R15: 00007f23a6c52700
Kernel Offset: disabled
Rebooting in 86400 seconds..





David Hildenbrand

Nov 7, 2017, 12:44:38 PM
to Dmitry Vyukov, syzbot, LKML, syzkall...@googlegroups.com, KVM list, Paolo Bonzini, Radim Krčmář, Haozhong Zhang, Thomas Gleixner, Ingo Molnar
The BUG is triggered due to dr6 being set to DR_STEP.

In kvm, we only restore dr6 (via hw_breakpoint_restore()) in case hw
breakpoints are active (hw_breakpoint_active()).

However, I am getting the feeling that we should restore dr6
unconditionally to current->thread.debugreg6 (as it doesn't seem to be
related to hw breakpoints only).

The question would then be when we have to restore it (maybe it's
already too late at that point?).

(no expert on x86 debug regs (yet)).

--

Thanks,

David / dhildenb
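The restore gap David describes, modeled as an added example (constructed here; neither KVM's nor the fix commit's code): the host's saved dr6, the physical DR6 and a guest run are simulated, and a later kernel-mode watchpoint hit shows the stale DR_STEP reaching do_debug's check when the restore is conditional on hw_breakpoint_active(), and not when it is unconditional. The names host_thread, vcpu_exit_conditional, vcpu_exit_unconditional, host_kernel_watchpoint_hit and do_debug_warns are this model's own.

```c
#include <stdbool.h>
#include <stdint.h>

/* x86 DR6 bits (architectural values); only the two this model needs. */
#define DR_TRAP0 0x0001ull   /* B0: hardware breakpoint 0 was hit */
#define DR_STEP  0x4000ull   /* BS: single-step trap */

/* Models the per-thread host copy, current->thread.debugreg6, and whether
 * the host has hardware breakpoints armed (hw_breakpoint_active()). */
struct host_thread { uint64_t debugreg6; bool hw_breakpoint_active; };

static uint64_t cpu_dr6;   /* models the physical DR6 of this CPU */

/* Models hw_breakpoint_restore(): reload the host's saved dr6 (dr0-3/dr7 omitted). */
static void hw_breakpoint_restore(const struct host_thread *t) { cpu_dr6 = t->debugreg6; }

/* Models the guest run: the guest's debug state is live while it executes,
 * and after VM exit the hardware DR6 holds whatever the guest left there. */
static void run_guest(uint64_t guest_dr6) { cpu_dr6 = guest_dr6; }

/* Post-run path as described in the thread: dr6 is only put back when the
 * host has hardware breakpoints active. Returns the host-visible DR6. */
uint64_t vcpu_exit_conditional(const struct host_thread *t, uint64_t guest_dr6)
{
	run_guest(guest_dr6);
	if (t->hw_breakpoint_active)
		hw_breakpoint_restore(t);
	return cpu_dr6;
}

/* Hardened variant modeling David's suggestion: always put the host value back. */
uint64_t vcpu_exit_unconditional(const struct host_thread *t, uint64_t guest_dr6)
{
	run_guest(guest_dr6);
	if (t->hw_breakpoint_active)
		hw_breakpoint_restore(t);
	else
		cpu_dr6 = t->debugreg6;   /* i.e. set_debugreg(current->thread.debugreg6, 6) */
	return cpu_dr6;
}

/* A later kernel-mode data watchpoint hit on this CPU (the copy_from_user()
 * in the traces): the CPU ORs the new status bit into DR6 and never clears
 * old ones, so a stale guest DR_STEP is still there when do_debug reads it. */
uint64_t host_kernel_watchpoint_hit(void) { cpu_dr6 |= DR_TRAP0; return cpu_dr6; }

/* The check at traps.c:776 that fired: DR_STEP in a kernel-mode #DB is unexpected. */
bool do_debug_warns(uint64_t dr6, bool user_mode) { return (dr6 & DR_STEP) && !user_mode; }
```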

syzbot

Dec 25, 2017, 7:22:01 PM
to da...@redhat.com, dvy...@google.com, haozhon...@intel.com, k...@vger.kernel.org, linux-...@vger.kernel.org, mi...@redhat.com, pbon...@redhat.com, rkr...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de
syzkaller has found reproducer for the following crash on
464e1d5f23cca236b930ef068c328a64cab78fb1
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


WARNING: CPU: 0 PID: 3356 at arch/x86/kernel/traps.c:801 cond_local_irq_disable arch/x86/kernel/traps.c:86 [inline]
WARNING: CPU: 0 PID: 3356 at arch/x86/kernel/traps.c:801 do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:815
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 3356 Comm: syzkaller834441 Not tainted 4.15.0-rc5+ #237
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<#DB>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x211/0x2d0 lib/bug.c:184
fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
fixup_bug arch/x86/kernel/traps.c:247 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1061
RIP: 0010:cond_local_irq_disable arch/x86/kernel/traps.c:86 [inline]
RIP: 0010:do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:815
RSP: 0018:fffffe800000ee98 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: fffffe800000ef58 RCX: 0000000000000000
RDX: 1fffffd000001dfc RSI: 0000000000000001 RDI: ffffffff85ec81f8
RBP: fffffe800000ef48 R08: fffffe800000efe8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000e003
R13: ffff8801c2340040 R14: 1fffffd000001dd8 R15: 0000000000004000
debug+0x34/0x60 arch/x86/entry/entry_64.S:1214
RIP: 0010:__put_user_8+0x1f/0x25 arch/x86/lib/putuser.S:83
RSP: 0018:ffff8801c9f8ff28 EFLAGS: 00000293
RAX: 000000005a4195b6 RBX: 00007fffffffeff9 RCX: 0000000020000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000282
RBP: ffff8801c9f8ff48 R08: 0000000000000000 R09: 1ffff100393f1fc2
R10: ffff8801c9f8fdd8 R11: 0000000000000000 R12: 000000005a4195b6
R13: 0000000020000000 R14: 00007f2c937f99c0 R15: 0000000000000001
</#DB>
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x44aef9
RSP: 002b:00007f2c937f8ce8 EFLAGS: 00000206 ORIG_RAX: 00000000000000c9
RAX: ffffffffffffffda RBX: 00000000006dcc24 RCX: 000000000044aef9
RDX: 000000000044aef9 RSI: 000000000044aef9 RDI: 0000000020000000
RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00007ffe9191073f R14: 00007f2c937f99c0 R15: 0000000000000001
config.txt
raw.log
repro.txt
repro.c

Wanpeng Li

Dec 25, 2017, 7:55:50 PM
to syzbot, David Hildenbrand, Dmitry Vyukov, Haozhong Zhang, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner
2017-12-26 8:22 GMT+08:00 syzbot
<syzbot+adbefe6736a5b37a...@syzkaller.appspotmail.com>:
> syzkaller has found reproducer for the following crash on
> 464e1d5f23cca236b930ef068c328a64cab78fb1
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>

https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?h=queue&id=ed3b37ac63a060bdc184d126c0655c1af8b6de62

There is a fix in kvm/queue.

Regards,
Wanpeng Li

Dmitry Vyukov

Dec 26, 2017, 2:08:35 AM
to Wanpeng Li, syzbot, David Hildenbrand, Haozhong Zhang, kvm, LKML, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner
On Tue, Dec 26, 2017 at 1:55 AM, Wanpeng Li <kern...@gmail.com> wrote:
> 2017-12-26 8:22 GMT+08:00 syzbot
> <syzbot+adbefe6736a5b37a...@syzkaller.appspotmail.com>:
>> syzkaller has found reproducer for the following crash on
>> 464e1d5f23cca236b930ef068c328a64cab78fb1
>> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>> C reproducer is attached
>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>> for information about syzkaller reproducers
>>
>
> https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?h=queue&id=ed3b37ac63a060bdc184d126c0655c1af8b6de62
>
> There is a fix in kvm/queue.

Hi Wanpeng,

syzbot does not know about the fix and still thinks that this bug is
open. Please tell it about the fix:


> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> Note: all commands must start from beginning of the line.




Eric Biggers

Jan 26, 2018, 2:47:30 PM
to Dmitry Vyukov, Wanpeng Li, syzbot, David Hildenbrand, Haozhong Zhang, kvm, LKML, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner
On Tue, Dec 26, 2017 at 08:08:13AM +0100, 'Dmitry Vyukov' via syzkaller-bugs wrote:
> On Tue, Dec 26, 2017 at 1:55 AM, Wanpeng Li <kern...@gmail.com> wrote:
> > 2017-12-26 8:22 GMT+08:00 syzbot
> > <syzbot+adbefe6736a5b37a...@syzkaller.appspotmail.com>:
> >> syzkaller has found reproducer for the following crash on
> >> 464e1d5f23cca236b930ef068c328a64cab78fb1
> >> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> >> compiler: gcc (GCC) 7.1.1 20170620
> >> .config is attached
> >> Raw console output is attached.
> >> C reproducer is attached
> >> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> >> for information about syzkaller reproducers
> >>
> >
> > https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?h=queue&id=ed3b37ac63a060bdc184d126c0655c1af8b6de62
> >
> > There is a fix in kvm/queue.
>
> Hi Wanpeng,
>
> syzbot does not know about the fix and still thinks that this bug is
> open. Please tell it about the fix:
>
>
> > syzbot will keep track of this bug report.
> > Once a fix for this bug is committed, please reply to this email with:
> > #syz fix: exact-commit-title
> > Note: all commands must start from beginning of the line.

#syz fix: KVM: x86: fix escape of guest dr6 to the host

Wanpeng, shouldn't this be Cc'ed to stable?

- Eric