kvm: GPF in gfn_to_rmap

35 views
Skip to first unread message

Dmitry Vyukov

unread,
Nov 12, 2016, 5:07:26 PM11/12/16
to Paolo Bonzini, rkr...@redhat.com, Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x...@kernel.org, KVM list, LKML, Steve Rutherford, syzkaller
Hello,

The following program triggers GPF in gfn_to_rmap:
https://gist.githubusercontent.com/dvyukov/6669049830e8786d2cfa0ffec5928186/raw/b7d1ec4dc555146ac0175b5b0aae98c1904299eb/gistfile1.txt

On commit 015ed9433be2b476ec7e2e6a9a411a56e3b5b035 (Nov 11).

general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 29153 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff8800387e9700 task.stack: ffff88003c200000
RIP: 0010:[<ffffffff810d1c8c>] [< inline >] search_memslots
include/linux/kvm_host.h:913
RIP: 0010:[<ffffffff810d1c8c>] [< inline >] __gfn_to_memslot
include/linux/kvm_host.h:928
RIP: 0010:[<ffffffff810d1c8c>] [<ffffffff810d1c8c>]
gfn_to_rmap+0x33c/0x400 arch/x86/kvm/mmu.c:1060
RSP: 0018:ffff88003c207538 EFLAGS: 00010283
RAX: dffffc0000000000 RBX: ffffc900074980b8 RCX: ffffc90000535000
RDX: 0000000000000867 RSI: ffffc90007498000 RDI: ffffc900074980c0
RBP: ffff88003c207588 R08: 0000000000000000 R09: 000000000003985d
R10: ffffffff84da2600 R11: 1ffff10007840eaa R12: 0000000000000002
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS: 00007f4da434d700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000003d850000 CR4: 00000000000026e0
Stack:
1ffff10000000001 ffffc900074a3408 ffff88003b399008 0000000000000002
ffffc90007498000 ffff88003d087000 ffff880039620040 0000000000000000
ffff88003b399008 ffff8800bd087000 ffff88003c207600 ffffffff810d3dbb
Call Trace:
[< inline >] rmap_add arch/x86/kvm/mmu.c:1079
[<ffffffff810d3dbb>] mmu_set_spte+0x36b/0x6f0 arch/x86/kvm/mmu.c:2654
[<ffffffff810e3e90>] __direct_map.part.115+0x2a0/0x400 arch/x86/kvm/mmu.c:2759
[< inline >] __direct_map arch/x86/kvm/mmu.c:3586
[<ffffffff810e4a0c>] tdp_page_fault+0x4fc/0x5e0 arch/x86/kvm/mmu.c:3586
[<ffffffff810cd727>] kvm_mmu_page_fault+0xe7/0x200 arch/x86/kvm/mmu.c:4530
[<ffffffff8115a8f6>] handle_ept_violation+0x116/0x480 arch/x86/kvm/vmx.c:6195
[<ffffffff8116bd65>] vmx_handle_exit+0x545/0x34c0 arch/x86/kvm/vmx.c:8494
[< inline >] vcpu_enter_guest arch/x86/kvm/x86.c:6767
[< inline >] vcpu_run arch/x86/kvm/x86.c:6826
[<ffffffff810bae42>] kvm_arch_vcpu_ioctl_run+0x29c2/0x5a90
arch/x86/kvm/x86.c:6984
[<ffffffff81060cee>] kvm_vcpu_ioctl+0x61e/0xdd0
arch/x86/kvm/../../../virt/kvm/kvm_main.c:2557
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
[< inline >] SYSC_ioctl fs/ioctl.c:694
[<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Code: 89 d8 8b 5d c8 89 45 c8 e8 72 be 38 00 8b 45 c8 89 5d c8 44 8d
60 01 e9 41 fe ff ff e8 5e be 38 00 48 b8 00 00 00 00 00 fc ff df <80>
38 00 75 0f 4c 8b 24 25 00 00 00 00 31 db e9 67 ff ff ff 31
RIP [< inline >] search_memslots include/linux/kvm_host.h:913
RIP [< inline >] __gfn_to_memslot include/linux/kvm_host.h:928
RIP [<ffffffff810d1c8c>] gfn_to_rmap+0x33c/0x400 arch/x86/kvm/mmu.c:1060
RSP <ffff88003c207538>
---[ end trace 531b7f0c43302f3c ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
reboot: cpu_has_vmx: ecx=80a02021 1

Dmitry Vyukov

unread,
Dec 12, 2016, 3:58:18 AM12/12/16
to Steve Rutherford, Paolo Bonzini, Radim Krčmář, syzkaller
On Sat, Dec 10, 2016 at 1:19 AM, Steve Rutherford
<sruth...@google.com> wrote:
> Meta-question: How hard would it be to automatically label ioctl numbers,
> and the structures/fields being passed in? I have to stare at the
> definitions to chase things like this, and it would be a lot easier if
> things were pretty-printed-ish.
>
> If this isn't easy on your end, I'm certainly going to make a sketchy
> script.

+syzkaller

It would be great to output more readable descriptions of executed
syscalls. But it is not trivial, we currently only have means to do
"forward" translation (from descriptions to syscalls). "Backwards"
translation will require more info in descriptions (e.g. figuring out
syscall and union discriminator fields, and will require some work.
There is currently a discussion of providing descriptions for all
linux syscalls in kernel codebase:
https://groups.google.com/d/msg/syzkaller/n8EXbb0BxWQ/Nn46EBgaBQAJ
Such description should all to do among other things strace-like
functionality. But it is quite ambitions effort.
Meanwhile you can run the program under strace. It should provide some
deciphering.
Reply all
Reply to author
Forward
0 new messages