syzbot


general protection fault in kvm_ioapic_scan_entry

Status: fixed on 2019/02/27 11:24
Reported-by: syzbot+20eae20afcbd851b8601@syzkaller.appspotmail.com
Fix commit: dcbd3e49c2f0 KVM: X86: Fix NULL deref in vcpu_scan_ioapic
First crash: 1464d, last: 1350d

Sample crash report:
audit: type=1800 audit(1538091113.313:30): pid=5239 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5396 Comm: syz-executor203 Not tainted 4.19.0-rc5+ #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0x237/0x4ec0 kernel/locking/lockdep.c:3290
Code: 28 00 00 00 0f 85 aa 33 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 6d 35 00 00 49 81 7d 00 20 c6 8e 8a 0f 84 54 ff
RSP: 0018:ffff8801d7856fb0 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff1003af0ae72 RCX: 0000000000000000
RDX: 0000000000000039 RSI: 0000000000000000 RDI: ffffffff89723ac0
RBP: ffff8801d7857338 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 00000000000001c8 R14: ffff8801baef4440 R15: 0000000000000000
FS:  0000000000f7b880(0000) GS:ffff8801dac00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9ab78b9000 CR3: 00000001d8952000 CR4: 00000000001426f0
Call Trace:
 lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3900
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2d/0x40 kernel/locking/spinlock.c:144
 spin_lock include/linux/spinlock.h:329 [inline]
 kvm_ioapic_scan_entry+0x7f/0x3c0 arch/x86/kvm/ioapic.c:246
 vcpu_scan_ioapic arch/x86/kvm/x86.c:7316 [inline]
 vcpu_enter_guest+0x492f/0x62b0 arch/x86/kvm/x86.c:7458
 vcpu_run arch/x86/kvm/x86.c:7730 [inline]
 kvm_arch_vcpu_ioctl_run+0x375/0x16e0 arch/x86/kvm/x86.c:7930
 kvm_vcpu_ioctl+0x72b/0x1150 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2590
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:685
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:702
 __do_sys_ioctl fs/ioctl.c:709 [inline]
 __se_sys_ioctl fs/ioctl.c:707 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:707
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440099
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff6531bf48 EFLAGS: 00000207 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440099
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000207 R12: 0000000000401920
R13: 00000000004019b0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace f895e7ace384fdf1 ]---
RIP: 0010:__lock_acquire+0x237/0x4ec0 kernel/locking/lockdep.c:3290
Code: 28 00 00 00 0f 85 aa 33 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 6d 35 00 00 49 81 7d 00 20 c6 8e 8a 0f 84 54 ff
RSP: 0018:ffff8801d7856fb0 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 1ffff1003af0ae72 RCX: 0000000000000000
RDX: 0000000000000039 RSI: 0000000000000000 RDI: ffffffff89723ac0
RBP: ffff8801d7857338 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 00000000000001c8 R14: ffff8801baef4440 R15: 0000000000000000
FS:  0000000000f7b880(0000) GS:ffff8801dac00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9ab78b9000 CR3: 00000001d8952000 CR4: 00000000001426f0

Crashes (148):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-smack-root 2018/09/27 23:34 upstream c127e59bee3e 0c2fa87b .config log report syz C
ci-upstream-kasan-gce-selinux-root 2018/09/27 23:24 upstream c127e59bee3e 0c2fa87b .config log report syz C
ci-upstream-kasan-gce 2018/09/27 23:24 upstream c127e59bee3e 0c2fa87b .config log report syz C
ci-upstream-kasan-gce-root 2018/09/27 23:22 upstream c127e59bee3e 0c2fa87b .config log report syz C
ci-upstream-kasan-gce-386 2018/09/28 00:15 upstream c127e59bee3e 0c2fa87b .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2018/12/01 12:36 linux-next 442b8cea2477 d8988561 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2018/09/27 23:01 linux-next 9e27e2c2d003 0c2fa87b .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2018/08/12 17:21 linux-next 4110b42356f3 7a88b141 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2018/08/10 07:04 linux-next 1c2f2531cf8b 1fb62d58 .config log report syz C
ci-upstream-kasan-gce-root 2018/11/28 11:24 upstream ef78e5ec9214 4b6d14f2 .config log report
ci-upstream-kasan-gce-selinux-root 2018/11/28 10:07 upstream ef78e5ec9214 4b6d14f2 .config log report
ci-upstream-kasan-gce-smack-root 2018/11/28 08:41 upstream ef78e5ec9214 4b6d14f2 .config log report
ci-upstream-kasan-gce 2018/11/26 14:05 upstream 2e6e902d1850 ac912200 .config log report
ci-upstream-kasan-gce-root 2018/11/26 06:37 upstream d6d460b89378 3d3ec907 .config log report
ci-upstream-kasan-gce 2018/11/24 19:44 upstream 7c98a4261827 ecc7c870 .config log report
ci-upstream-kasan-gce-smack-root 2018/11/23 23:15 upstream e6005d3c4233 eb9ed731 .config log report
ci-upstream-kasan-gce-root 2018/11/23 05:43 upstream edeca3a769ad 87815d9d .config log report
ci-upstream-kasan-gce 2018/11/22 14:09 upstream 92b419289cee 2ee77802 .config log report
ci-upstream-kasan-gce-smack-root 2018/11/19 12:22 upstream 9ff01193a20d adf636a8 .config log report
ci-upstream-kasan-gce-selinux-root 2018/11/19 00:53 upstream c67a98c00ea3 adf636a8 .config log report
ci-upstream-kasan-gce-root 2018/11/18 07:30 upstream 1ce80e0fe98e adf636a8 .config log report
ci-upstream-kasan-gce 2018/11/17 14:28 upstream 1ce80e0fe98e b08ee62a .config log report
ci-upstream-kasan-gce-root 2018/11/17 04:32 upstream 1ce80e0fe98e b08ee62a .config log report
ci-upstream-kasan-gce-root 2018/11/16 11:03 upstream da5322e65940 f5e275d1 .config log report
ci-upstream-kasan-gce 2018/11/14 22:49 upstream d41217aac0a5 5f5f6d14 .config log report
ci-upstream-kasan-gce-root 2018/11/14 13:40 upstream ccda4af0f4b9 5f5f6d14 .config log report
ci-upstream-kasan-gce 2018/11/13 22:34 upstream ccda4af0f4b9 5f5f6d14 .config log report
ci-upstream-kasan-gce 2018/11/13 13:02 upstream ccda4af0f4b9 5f5f6d14 .config log report
ci-upstream-kasan-gce-root 2018/11/13 06:20 upstream ccda4af0f4b9 74dbb806 .config log report
ci-upstream-kasan-gce-smack-root 2018/11/08 05:22 upstream e09d51adfbb1 e85d2a61 .config log report
ci-upstream-kasan-gce-selinux-root 2018/11/08 00:06 upstream e09d51adfbb1 e85d2a61 .config log report
ci-upstream-kasan-gce-smack-root 2018/11/07 21:18 upstream e09d51adfbb1 e85d2a61 .config log report
ci-upstream-kasan-gce-selinux-root 2018/11/07 03:29 upstream 8053e5b93eca 8bd6bd63 .config log report
ci-upstream-kasan-gce 2018/11/06 17:13 upstream 163c8d54a997 8bd6bd63 .config log report
ci-upstream-kasan-gce-root 2018/11/05 08:30 upstream 4710e78940d8 8bd6bd63 .config log report
ci-upstream-kasan-gce 2018/11/04 06:00 upstream d2ff0ff2c23f 8bd6bd63 .config log report
ci-upstream-kasan-gce-selinux-root 2018/11/03 23:52 upstream d2ff0ff2c23f 8bd6bd63 .config log report
ci-upstream-kasan-gce 2018/11/02 16:08 upstream e468f5c06b5e 1f38e9ae .config log report
ci-upstream-kasan-gce-selinux-root 2018/11/02 13:35 upstream e468f5c06b5e 1f38e9ae .config log report
ci-upstream-kasan-gce-root 2018/11/02 01:47 upstream 5b7449810ae6 1f38e9ae .config log report
ci-upstream-kasan-gce-386 2018/11/28 12:53 upstream ef78e5ec9214 4b6d14f2 .config log report
ci-upstream-kasan-gce-386 2018/11/17 17:50 upstream 1ce80e0fe98e b08ee62a .config log report
ci-upstream-kasan-gce-386 2018/11/17 07:56 upstream 1ce80e0fe98e b08ee62a .config log report
ci-upstream-kasan-gce-386 2018/11/15 02:14 upstream d41217aac0a5 5f5f6d14 .config log report
ci-upstream-kasan-gce-386 2018/11/10 00:42 upstream 3541833fd1f2 f9815aaf .config log report
ci-upstream-linux-next-kasan-gce-root 2018/12/02 03:56 linux-next 442b8cea2477 5a581673 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/30 08:22 linux-next 442b8cea2477 66071e27 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/29 03:47 linux-next 442b8cea2477 4b6d14f2 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/26 21:48 linux-next 442b8cea2477 ac912200 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/25 17:19 linux-next 442b8cea2477 3d3ec907 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/24 10:26 linux-next 442b8cea2477 ecc7c870 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/18 15:59 linux-next 442b8cea2477 adf636a8 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/14 19:56 linux-next 442b8cea2477 5f5f6d14 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/14 16:45 linux-next 442b8cea2477 5f5f6d14 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/11 02:40 linux-next 442b8cea2477 f3c4e618 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/09 14:55 linux-next 442b8cea2477 8fd01d3a .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/07 11:29 linux-next d881de30d29e 8bd6bd63 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/05 02:02 linux-next 25e9471b6a27 8bd6bd63 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/04 15:04 linux-next 25e9471b6a27 8bd6bd63 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/03 22:38 linux-next 25e9471b6a27 8bd6bd63 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/11/03 10:31 linux-next 25e9471b6a27 8bd6bd63 .config log report