Dmitry Vyukov
Nov 12, 2016, 5:21:33 PM
to Paolo Bonzini, rkr...@redhat.com, KVM list, LKML, Steve Rutherford, syzkaller
Hello,
I've got the following crash while running the syzkaller fuzzer:
BUG: unable to handle kernel paging request at ffffc90005204408
IP: [< inline >] __read_once_size include/linux/compiler.h:243
IP: [< inline >] atomic_read arch/x86/include/asm/atomic.h:26
IP: [< inline >] search_memslots include/linux/kvm_host.h:900
IP: [< inline >] __gfn_to_memslot include/linux/kvm_host.h:928
IP: [< inline >] gfn_to_memslot
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1227
IP: [<ffffffff8105a299>] kvm_gfn_to_hva_cache_init+0x239/0x9f0
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1951
PGD 3e90a067 [ 112.607074] PUD 6dc08067
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 10437 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006b8b2dc0 task.stack: ffff88006d5f0000
RIP: 0010:[<ffffffff8105a299>] [< inline >] __read_once_size
include/linux/compiler.h:243
RIP: 0010:[<ffffffff8105a299>] [< inline >] atomic_read
arch/x86/include/asm/atomic.h:26
RIP: 0010:[<ffffffff8105a299>] [< inline >] search_memslots
include/linux/kvm_host.h:900
RIP: 0010:[<ffffffff8105a299>] [< inline >] __gfn_to_memslot
include/linux/kvm_host.h:928
RIP: 0010:[<ffffffff8105a299>] [< inline >] gfn_to_memslot
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1227
RIP: 0010:[<ffffffff8105a299>] [<ffffffff8105a299>]
kvm_gfn_to_hva_cache_init+0x239/0x9f0
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1951
RSP: 0018:ffff88006d5f7730 EFLAGS: 00010246
RAX: 0000000000000003 RBX: 0000000000000004 RCX: ffffc900013a5000
RDX: 0000000000000000 RSI: ffff88006de32d50 RDI: ffffc900051f9000
RBP: ffff88006d5f7808 R08: ffffed000dabef36 R09: ffffed000dabef36
R10: ffffed000dabef35 R11: ffff88006d5f79af R12: ffffffffffffff6e
R13: ffff88006b290420 R14: 0000000000000001 R15: 0000000000000002
FS: 00007f6db05f1700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90005204408 CR3: 000000003c36a000 CR4: 00000000000026e0
Stack:
1ffff1000dabeef0 ffff88006ba840c0 ffff88006d5f7750 ffffc90005204408
0000000000000001 ffff88006ba84000 0000000000000001 0000000000001000
ffff88006de32d50 ffffc900051f9000 0000000041b58ab3 ffffffff837c394f
Call Trace:
[<ffffffff8112696d>] kvm_lapic_set_vapic_addr+0xed/0x140
arch/x86/kvm/lapic.c:2217
[<ffffffff810a77e4>] kvm_arch_vcpu_ioctl+0x224/0x3100 arch/x86/kvm/x86.c:3425
[<ffffffff810608b2>] kvm_vcpu_ioctl+0x1e2/0xdd0
arch/x86/kvm/../../../virt/kvm/kvm_main.c:2708
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
[< inline >] SYSC_ioctl fs/ioctl.c:694
[<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Code: 03 48 b8 00 00 00 00 00 fc ff df 0f b6 14 02 48 89 f8 83 e0 07
83 c0 03 38 d0 7c 08 84 d2 0f 85 59 06 00 00 48 8b bd 70 ff ff ff <48>
63 87 08 b4 00 00 4c 8d 6f 08 48 8d 14 80 48 8d 04 50 49 8d
RIP [< inline >] __read_once_size include/linux/compiler.h:243
RIP [< inline >] atomic_read arch/x86/include/asm/atomic.h:26
RIP [< inline >] search_memslots include/linux/kvm_host.h:900
RIP [< inline >] __gfn_to_memslot include/linux/kvm_host.h:928
RIP [< inline >] gfn_to_memslot
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1227
RIP [<ffffffff8105a299>] kvm_gfn_to_hva_cache_init+0x239/0x9f0
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1951
RSP <ffff88006d5f7730>
CR2: ffffc90005204408
---[ end trace b42cbfdf0baf531e ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
reboot: cpu_has_vmx: ecx=80a02021 1
and another almost identical:
BUG: unable to handle kernel paging request at ffffc90005907408
IP: [< inline >] __read_once_size include/linux/compiler.h:243
IP: [< inline >] atomic_read arch/x86/include/asm/atomic.h:26
IP: [< inline >] search_memslots include/linux/kvm_host.h:900
IP: [< inline >] __gfn_to_memslot include/linux/kvm_host.h:928
IP: [< inline >] gfn_to_memslot
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1227
IP: [<ffffffff8105a299>] kvm_gfn_to_hva_cache_init+0x239/0x9f0
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1951
PGD 3e90a067 [ 2974.428060] PUD 6dc08067
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 3 PID: 20506 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880066c08040 task.stack: ffff8800665a8000
RIP: 0010:[<ffffffff8105a299>] [< inline >] __read_once_size
include/linux/compiler.h:243
RIP: 0010:[<ffffffff8105a299>] [< inline >] atomic_read
arch/x86/include/asm/atomic.h:26
RIP: 0010:[<ffffffff8105a299>] [< inline >] search_memslots
include/linux/kvm_host.h:900
RIP: 0010:[<ffffffff8105a299>] [< inline >] __gfn_to_memslot
include/linux/kvm_host.h:928
RIP: 0010:[<ffffffff8105a299>] [< inline >] gfn_to_memslot
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1227
RIP: 0010:[<ffffffff8105a299>] [<ffffffff8105a299>]
kvm_gfn_to_hva_cache_init+0x239/0x9f0
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1951
RSP: 0018:ffff8800665af730 EFLAGS: 00010246
RAX: 0000000000000003 RBX: 0000000000000004 RCX: ffffc90000b65000
RDX: 0000000000000000 RSI: ffff88006d85a3f0 RDI: ffffc900058fc000
RBP: ffff8800665af808 R08: ffffed000ccb5f36 R09: ffffed000ccb5f36
R10: ffffed000ccb5f35 R11: ffff8800665af9af R12: ffffffffffffff70
R13: ffff88006cf98420 R14: 0000000000000001 R15: 0000000000000003
FS: 00007f569fcf5700(0000) GS:ffff88006e300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90005907408 CR3: 0000000069c4f000 CR4: 00000000000026e0
Stack:
1ffff1000ccb5ef0 ffff88006b1cc0c0 ffff8800665af750 ffffc90005907408
0000000000000001 ffff88006b1cc000 0000000000000001 0000000000001000
ffff88006d85a3f0 ffffc900058fc000 0000000041b58ab3 ffffffff837c394f
Call Trace:
[<ffffffff8112696d>] kvm_lapic_set_vapic_addr+0xed/0x140
arch/x86/kvm/lapic.c:2217
[<ffffffff810a77e4>] kvm_arch_vcpu_ioctl+0x224/0x3100 arch/x86/kvm/x86.c:3425
uhci_hcd 0000:00:01.2: BAR 4: can't reserve [io 0xc680-0xc69f]
kvm_vm_ioctl_assign_device: Could not get access to device regions
[<ffffffff810608b2>] kvm_vcpu_ioctl+0x1e2/0xdd0
arch/x86/kvm/../../../virt/kvm/kvm_main.c:2708
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
uhci_hcd 0000:00:01.2: BAR 4: can't reserve [io 0xc680-0xc69f]
kvm_vm_ioctl_assign_device: Could not get access to device regions
[< inline >] SYSC_ioctl fs/ioctl.c:694
[<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Code: 03 48 b8 00 00 00 00 00 fc ff df 0f b6 14 02 48 89 f8 83 e0 07
83 c0 03 38 d0 7c 08 84 d2 0f 85 59 06 00 00 48 8b bd 70 ff ff ff <48>
63 87 08 b4 00 00 4c 8d 6f 08 48 8d 14 80 48 8d 04 50 49 8d
RIP [< inline >] __read_once_size include/linux/compiler.h:243
RIP [< inline >] atomic_read arch/x86/include/asm/atomic.h:26
RIP [< inline >] search_memslots include/linux/kvm_host.h:900
RIP [< inline >] __gfn_to_memslot include/linux/kvm_host.h:928
RIP [< inline >] gfn_to_memslot
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1227
RIP [<ffffffff8105a299>] kvm_gfn_to_hva_cache_init+0x239/0x9f0
arch/x86/kvm/../../../virt/kvm/kvm_main.c:1951
RSP <ffff8800665af730>
CR2: ffffc90005907408
---[ end trace 1382154a6662ad57 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
reboot: cpu_has_vmx: ecx=80a02021 1
Also, I've seen crashes in __gfn_to_hva_many on similar programs:
BUG: unable to handle kernel paging request in __gfn_to_hva_many
(but I don't have full reports for these)
Unfortunately this is not reproducible.
On commit 015ed9433be2b476ec7e2e6a9a411a56e3b5b035 (Nov 11).