[syzbot] [kvmarm?] WARNING in pend_serror_exception


syzbot

Jul 12, 2025, 8:06:31 PM
to catalin...@arm.com, joey....@arm.com, kvm...@lists.linux.dev, linux-ar...@lists.infradead.org, linux-...@vger.kernel.org, m...@kernel.org, oliver...@linux.dev, suzuki....@arm.com, syzkall...@googlegroups.com, wi...@kernel.org, yuze...@huawei.com
Hello,

syzbot found the following issue on:

HEAD commit: 15724a984643 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
console output: https://syzkaller.appspot.com/x/log.txt?x=123090f0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1324fe8c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1206ed82580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-15724a98.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ec0f03d375a1/vmlinux-15724a98.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a36232f8c6dd/Image-15724a98.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1f6f09...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 3603 at arch/arm64/kvm/inject_fault.c:71 pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71
Modules linked in:
CPU: 0 UID: 0 PID: 3603 Comm: syz.2.16 Not tainted 6.16.0-rc3-syzkaller-g15724a984643 #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
pstate: 81402009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71
lr : pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71
sp : ffff80008e807930
x29: ffff80008e807930 x28: d7f0000016ae8028 x27: 0000000000000001
x26: 0000000000000000 x25: 0000000000000001 x24: 00000000000000d7
x23: d7f0000016ae82a8 x22: 00000000000000d7 x21: d7f0000016ae8e81
x20: 0000000000000007 x19: efff800000000000 x18: 0000000000000000
x17: 000000000000005a x16: ffff800080011d9c x15: 0000000020000200
x14: ffffffffffffffff x13: 0000000000000028 x12: 0000000000000081
x11: 81f000001f049564 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 81f000001f048000 x7 : ffff800080b08704 x6 : ffff80008e807a88
x5 : ffff80008e807a88 x4 : 0000000000000001 x3 : ffff8000801a2e80
x2 : 0000000000000000 x1 : 0000000000000002 x0 : 0000000000000000
Call trace:
pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71 (P)
kvm_inject_serror_esr+0x274/0xe40 arch/arm64/kvm/inject_fault.c:330
__kvm_arm_vcpu_set_events+0x1d4/0x238 arch/arm64/kvm/guest.c:-1
kvm_arm_vcpu_set_events arch/arm64/kvm/arm.c:1698 [inline]
kvm_arch_vcpu_ioctl+0xed8/0x16b0 arch/arm64/kvm/arm.c:1810
kvm_vcpu_ioctl+0x5c4/0xc2c virt/kvm/kvm_main.c:4632
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__arm64_sys_ioctl+0x18c/0x244 fs/ioctl.c:893
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x90/0x2b4 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x180/0x2f4 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x58/0x74 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x160 arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
irq event stamp: 2728
hardirqs last enabled at (2727): [<ffff80008653cb88>] __raw_read_unlock_irqrestore include/linux/rwlock_api_smp.h:241 [inline]
hardirqs last enabled at (2727): [<ffff80008653cb88>] _raw_read_unlock_irqrestore+0x44/0xbc kernel/locking/spinlock.c:268
hardirqs last disabled at (2728): [<ffff800086517e08>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
softirqs last enabled at (2702): [<ffff8000800c988c>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (2700): [<ffff8000800c9858>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jul 12, 2025, 8:18:12 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
Author: kapoor...@gmail.com

#syz test

From: Arnav Kapoor <kapoora...@gmail.com>
Date: Fri, 27 Dec 2024 02:35:00 +0000
Subject: [PATCH] arm64: KVM: Fix SError ESR validation to only allow ISS
field

The current validation in __kvm_arm_vcpu_set_events incorrectly allows
userspace to set the ISV bit (bit 24) in the SError ESR when injecting
a SError through KVM_SET_VCPU_EVENTS. According to the ARM ARM and the
KVM API documentation, userspace should only be able to control the ISS
field (bits 23:0) of the ESR, not the ISV bit which is managed by hardware.

The problematic check:
if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
kvm_set_sei_esr(vcpu, events->exception.serror_esr);
else
return -EINVAL;

allows the ISV bit because ESR_ELx_ISS_MASK includes bit 24 (GENMASK(24,0)).
However, the ISV bit should be set only by KVM itself when calling
kvm_set_sei_esr(), and userspace should not be able to control it.

Fix this by changing the validation to only allow bits 23:0 (the actual
ISS field without the ISV bit):

if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;

This prevents userspace from setting reserved bits and the ISV bit while
still allowing control over the intended ISS field. The condition is
simplified since we now have a straightforward check for invalid bits.

Reported-by: syzbot+92be02...@syzkaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Signed-off-by: Arnav Kapoor <kapoora...@gmail.com>
---
arch/arm64/kvm/guest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 123456..789012 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -843,7 +843,7 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
if (serror_pending && has_esr) {
if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
return -EINVAL;
- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
+ return -EINVAL;
+
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
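Review bot: the hunk body does not match its `@@ -843,7 +843,7 @@` header: it carries one `-` line, four `+` lines and no trailing context, so it describes a 7-line region on neither side, which is exactly why syzbot's `patch` reports "malformed patch at line 13". The old-side lines `kvm_set_sei_esr(vcpu, events->exception.serror_esr);`, `else` and `return -EINVAL;` are also never removed, so the intended replacement of the if/else is incomplete, and `index 123456..789012` is a placeholder rather than real blob ids. Regenerate the patch with `git format-patch` against the tested kvmarm/next commit (15724a98) instead of hand-editing the diff.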

syzbot

Jul 12, 2025, 8:21:05 PM
to kapoor...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
patch: **** malformed patch at line 13:




Tested on:

commit: 15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=10844e8c580000

syzbot

Jul 12, 2025, 8:27:01 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
Reported-by: syzbot+1f6f09...@syzkaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Signed-off-by: Arnav Kapoor <kapoora...@gmail.com>
---
arch/arm64/kvm/guest.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 2196979a24a3..abc123def456 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -844,10 +844,9 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
if (serror_pending && has_esr) {
if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
return -EINVAL;
- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
- kvm_set_sei_esr(vcpu, events->exception.serror_esr);
- else
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
} else if (serror_pending) {
kvm_inject_vabt(vcpu);
}
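Review bot: the replacement of `~ESR_ELx_ISS_MASK` with `~GENMASK(23, 0)` is a user-visible narrowing of what KVM_SET_VCPU_EVENTS accepts (bit 24 was previously accepted and is now -EINVAL), and neither the hunk nor the commit message explains how a userspace-set ISV bit reaches the `WARNING ... at arch/arm64/kvm/inject_fault.c:71 pend_serror_exception` that the report's call trace shows being hit via kvm_inject_serror_esr() from __kvm_arm_vcpu_set_events(). The commit message should quote the Documentation/virt/kvm/api.rst wording for serror_esr being enforced and state whether an existing VMM could have relied on setting bit 24, since a `Fixes:` tag on 0e5b9065dcf3 invites a stable backport. Separately, the hunk still does not apply ("Hunk #1 FAILED at 844"): its context has no blank line between the `return -EINVAL;` after the cpus_have_final_cap() check and the `if`, and all leading indentation has been stripped, so the 10 old lines cannot match the tree.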


On Sunday, 13 July 2025 at 05:51:05 UTC+5:30 syzbot wrote:

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
patch: **** malformed patch at line 13:




Tested on:

commit: 15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..

syzbot

Jul 12, 2025, 8:28:05 PM
to kapoor...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED



Tested on:

commit: 15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
kernel config: https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=10644e8c580000

syzbot

Jul 12, 2025, 8:36:01 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
arch/arm64/kvm/guest.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 2196979a24a3..cbe1e310f477 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -844,10 +844,10 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
return -EINVAL;

- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
- kvm_set_sei_esr(vcpu, events->exception.serror_esr);
- else
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;
+
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
} else if (serror_pending) {
kvm_inject_vabt(vcpu);
}
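Review bot: this hunk's `@@ -844,10 +844,10 @@` header now starts the region at `if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))`, whereas the previous attempt also claimed to start at line 844 but with `if (serror_pending && has_esr) {`; both cannot be right, and a hunk whose first context line is off by one fails exactly as "Hunk #1 FAILED at 844" reports. Every line has also lost its leading tabs, which `patch` treats as a context mismatch, so the patch was most likely pasted through a web mail client. Run `git apply --check` against commit 15724a98 locally and send the result with `git send-email` or as an attachment rather than inline in a web reply.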
--
2.43.0


On Sunday, 13 July 2025 at 05:58:05 UTC+5:30 syzbot wrote:

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED



Tested on:

commit: 15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..

syzbot

Jul 12, 2025, 8:37:03 PM
to kapoor...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED



Tested on:

commit: 15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
kernel config: https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=10ebfe8c580000

syzbot

Jul 12, 2025, 8:41:38 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
Author: kapoor...@gmail.com

#syz test
From: Arnav Kapoor <kapoora...@gmail.com>
Date: Sat, 13 Jul 2025 21:00:00 +0000
Subject: [PATCH] arm64: KVM: Fix SError ESR validation to only allow ISS
field

The current validation in __kvm_arm_vcpu_set_events incorrectly allows
userspace to set the ISV bit (bit 24) in the SError ESR when injecting
a SError through KVM_SET_VCPU_EVENTS. According to the ARM ARM and the
KVM API documentation, userspace should only be able to control the ISS
field (bits 23:0) of the ESR, not the ISV bit which is managed by hardware.

The problematic check:
if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
kvm_set_sei_esr(vcpu, events->exception.serror_esr);
else
return -EINVAL;

allows the ISV bit because ESR_ELx_ISS_MASK includes bit 24 (GENMASK(24,0)).
However, the ISV bit should be set only by KVM itself when calling
kvm_set_sei_esr(), and userspace should not be able to control it.

Fix this by changing the validation to only allow bits 23:0 (the actual
ISS field without the ISV bit):

if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;

This prevents userspace from setting reserved bits and the ISV bit while
still allowing control over the intended ISS field.

Reported-by: syzbot+1f6f09...@syzkaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Signed-off-by: Arnav Kapoor <kapoora...@gmail.com>
---
arch/arm64/kvm/guest.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 2196979a24a3..cbe1e310f477 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -844,10 +844,10 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
return -EINVAL;

- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
- kvm_set_sei_esr(vcpu, events->exception.serror_esr);
- else
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;
+
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
} else if (serror_pending) {
kvm_inject_vabt(vcpu);
}
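Review bot: this hunk is byte-for-byte the one from the previous `#syz test` attempt (same `index 2196979a24a3..cbe1e310f477` line, same `@@ -844,10 +844,10 @@` header and body), which syzbot already rejected with "Hunk #1 FAILED at 844"; resending it unchanged can only fail the same way, because the reject is about the context lines not matching the tree, not about the surrounding mail. Before another round, apply the patch locally on commit 15724a98 with `git apply --check` and compare the hunk's context against the real lines around 844 of arch/arm64/kvm/guest.c.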
--
2.43.0



On Sunday, 13 July 2025 at 06:07:03 UTC+5:30 syzbot wrote:

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED



Tested on:

commit: 15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..

syzbot

Jul 12, 2025, 8:43:04 PM
to kapoor...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED



Tested on:

commit: 15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
kernel config: https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=153d90f0580000

syzbot

Jul 13, 2025, 1:51:22 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
Author: kapoor...@gmail.com

#syz test

From: Arnav Kapoor <kapoora...@gmail.com>
Date: Sat, 13 Jul 2025 21:30:00 +0000
Subject: [PATCH] arm64: KVM: Fix SError ESR validation to only allow ISS
field

The current validation in __kvm_arm_vcpu_set_events incorrectly allows
userspace to set the ISV bit (bit 24) in the SError ESR when injecting
a SError through KVM_SET_VCPU_EVENTS. According to the ARM ARM and the
KVM API documentation, userspace should only be able to control the ISS
field (bits 23:0) of the ESR, not the ISV bit which is managed by hardware.

The problematic check uses ESR_ELx_ISS_MASK which includes bit 24, allowing
userspace to control the ISV bit when it should only control bits 23:0.

This creates a potential security issue where userspace can manipulate the
ISV bit to potentially confuse or exploit kernel handling of SError
exceptions.

Fix this by changing the validation to use GENMASK(23, 0) which explicitly
masks only the ISS field, preventing userspace from setting the ISV bit or
any other reserved bits beyond the ISS field.

The fix changes the logic from:
if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
to:
if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;

This ensures that any attempt to set bits beyond the ISS field (including
the ISV bit) will be rejected with -EINVAL.

Reported-by: syzbot+1f6f09...@syzkaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Cc: sta...@vger.kernel.org
Signed-off-by: Arnav Kapoor <kapoora...@gmail.com>
---
arch/arm64/kvm/guest.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 12345678..87654321 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -844,10 +844,9 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
if (serror_pending && has_esr) {
if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
return -EINVAL;
-
- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
- kvm_set_sei_esr(vcpu, events->exception.serror_esr);
- else
+
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
} else if (serror_pending) {
kvm_inject_vabt(vcpu);
}
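Review bot: the `@@ -844,10 +844,9 @@` header is off by one on both sides: the body has 11 old-side lines (three context, the removed blank line, three removed `if`/`kvm_set_sei_esr`/`else` lines, the `return -EINVAL;` context, three trailing context) and 10 new-side lines, so `patch` cannot apply it regardless of content. The `-` blank followed by `+` blank removes and re-adds the same empty line and should be dropped as pure churn, and `index 12345678..87654321` is again a placeholder. Adding `Cc: sta...@vger.kernel.org` to a patch that has never applied or booted, and whose justification for rejecting bit 24 rests on the commit message alone, is premature; get a clean apply and a syzbot test pass first.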
--
2.40.1


On Sunday, 13 July 2025 at 06:13:04 UTC+5:30 syzbot wrote:

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED



Tested on:

commit: 15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..

syzbot

Jul 13, 2025, 1:52:04 AM
to kapoor...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED



Tested on:

commit: 15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
kernel config: https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=125c07d4580000
