syzbot


BUG: unable to handle kernel NULL pointer dereference in kvm_vcpu_gfn_to_memslot

Status: fixed on 2020/07/17 17:58
Subsystems: kvm
[Documentation on labels]
Fix commit: 3021e69219e2 kcov: check kcov_softirq in kcov_remote_stop()
First crash: 1465d, last: 1465d

Sample crash report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD a10d6067 P4D a10d6067 PUD 9aee6067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 13919 Comm: syz-executor.4 Not tainted 5.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:252 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x3f/0x60 kernel/kcov.c:202
Code: c2 00 01 ff 00 74 11 f7 c2 00 01 00 00 74 35 83 b9 04 14 00 00 00 74 2c 8b 91 e0 13 00 00 83 fa 02 75 21 48 8b 91 e8 13 00 00 <48> 8b 32 48 8d 7e 01 8b 89 e4 13 00 00 48 39 cf 73 08 48 89 44 f2
RSP: 0018:ffffc900015d7300 EFLAGS: 00010246
RAX: ffffffff8106b5f3 RBX: ffff88809b858af8 RCX: ffff888096a34480
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000004
RBP: ffff88809b858af0 R08: ffffffff8106b5e5 R09: ffffed101370b082
R10: ffffed101370b082 R11: 0000000000000000 R12: 0000000000000004
R13: ffff88809b858000 R14: 0000000000000014 R15: 0000000000000003
FS:  00007f200fb59700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000009f5da000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 atomic_set include/linux/kvm_host.h:1058 [inline]
 search_memslots include/linux/kvm_host.h:1060 [inline]
 __gfn_to_memslot include/linux/kvm_host.h:1070 [inline]
 kvm_vcpu_gfn_to_memslot+0x333/0x500 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1612
 kvm_vcpu_gfn_to_hva_prot+0x23/0x150 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1721
 paging64_walk_addr_generic+0x471/0x16c0 arch/x86/kvm/mmu/paging_tmpl.h:397
 paging64_walk_addr arch/x86/kvm/mmu/paging_tmpl.h:516 [inline]
 paging64_gva_to_gpa+0x6d/0x110 arch/x86/kvm/mmu/paging_tmpl.h:959
 kvm_fetch_guest_virt+0xc1/0x170 arch/x86/kvm/x86.c:5543
 __do_insn_fetch_bytes+0x240/0x640 arch/x86/kvm/emulate.c:918
 x86_decode_insn+0x291/0x50d0 arch/x86/kvm/emulate.c:5171
 x86_emulate_instruction+0x2a7/0x2df0 arch/x86/kvm/x86.c:6905
 kvm_mmu_page_fault+0x2e9/0xde0 arch/x86/kvm/mmu/mmu.c:5471
 vcpu_enter_guest+0x6666/0x89a0 arch/x86/kvm/x86.c:8604
 vcpu_run+0x352/0xcd0 arch/x86/kvm/x86.c:8669
 kvm_arch_vcpu_ioctl_run+0x451/0x8f0 arch/x86/kvm/x86.c:8890
 kvm_vcpu_ioctl+0x64f/0xa60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3163
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl fs/ioctl.c:771 [inline]
 __do_sys_ioctl fs/ioctl.c:780 [inline]
 __se_sys_ioctl+0xf9/0x160 fs/ioctl.c:778
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ca59
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f200fb58c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004e84e0 RCX: 000000000045ca59
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000003cc R14: 00000000004c6799 R15: 00007f200fb596d4
Modules linked in:
CR2: 0000000000000000
---[ end trace 38176a279a6846db ]---
RIP: 0010:__read_once_size include/linux/compiler.h:252 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x3f/0x60 kernel/kcov.c:202
Code: c2 00 01 ff 00 74 11 f7 c2 00 01 00 00 74 35 83 b9 04 14 00 00 00 74 2c 8b 91 e0 13 00 00 83 fa 02 75 21 48 8b 91 e8 13 00 00 <48> 8b 32 48 8d 7e 01 8b 89 e4 13 00 00 48 39 cf 73 08 48 89 44 f2
RSP: 0018:ffffc900015d7300 EFLAGS: 00010246
RAX: ffffffff8106b5f3 RBX: ffff88809b858af8 RCX: ffff888096a34480
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000004
RBP: ffff88809b858af0 R08: ffffffff8106b5e5 R09: ffffed101370b082
R10: ffffed101370b082 R11: 0000000000000000 R12: 0000000000000004
R13: ffff88809b858000 R14: 0000000000000014 R15: 0000000000000003
FS:  00007f200fb59700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000b90004 CR3: 000000009f5da000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/06/18 03:14 upstream 7ae77150d94d b9f3810b .config console log report ci-upstream-kasan-gce-smack-root
* Struck through repros no longer work on HEAD.