syzbot


kernel BUG at arch/x86/kvm/mmu.c:LINE! (2)
Status: closed as dup on 2019/11/08 19:42
Reported-by: syzbot+824609cfabee9c6e153c@syzkaller.appspotmail.com
First crash: 930d, last: 925d

Cause bisection: introduced by (bisect log) :
commit 1ffe8bdc09f8bfcaad76d71ae68b623c7e03f20f
Author: Spencer E. Olson <olsonse@umich.edu>
Date: Mon Oct 10 14:14:19 2016 +0000

  staging: comedi: ni_mio_common: split out ao arming from ni_ao_inttrig

Crash: no output from test machine (log)
Repro: C syz .config
Duplicate of (1):
Title Repro Cause bisect Fix bisect Count Last Reported
KASAN: slab-out-of-bounds Read in handle_vmptrld C done error 6 987d 987d
similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 kernel BUG at arch/x86/kvm/mmu.c:LINE! C done error 12 281d 930d 0/1 upstream: reported C repro on 2019/11/07 21:27
linux-4.14 kernel BUG at arch/x86/kvm/mmu.c:LINE! C done inconclusive 4 660d 930d 0/1 upstream: reported C repro on 2019/11/07 23:54
upstream kernel BUG at arch/x86/kvm/mmu.c:LINE! C 695 1549d 1666d 4/22 fixed on 2018/03/06 13:29

Sample crash report:
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
------------[ cut here ]------------
kernel BUG at arch/x86/kvm/mmu.c:3324!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 9398 Comm: syz-executor266 Not tainted 5.4.0-rc7+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:transparent_hugepage_adjust+0x490/0x530 arch/x86/kvm/mmu.c:3324
Code: 63 00 48 8b 45 b8 48 83 e8 01 e9 19 fd ff ff e8 e6 3e 63 00 48 8b 45 b8 48 83 e8 01 48 89 45 c8 e9 a1 fd ff ff e8 d0 3e 63 00 <0f> 0b 48 89 df e8 36 a1 9e 00 e9 9f fb ff ff 4c 89 ff e8 29 a1 9e
RSP: 0018:ffff8880942f7690 EFLAGS: 00010293
RAX: ffff888093148500 RBX: ffff8880942f7778 RCX: ffffffff810fe787
RDX: 0000000000000000 RSI: ffffffff810fe8c0 RDI: 0000000000000007
RBP: ffff8880942f76d8 R08: ffff888093148500 R09: ffffed1014809682
R10: ffffed1014809681 R11: ffff8880a404b40b R12: ffff8880942f7768
R13: 00000000000001a3 R14: 000000000008aba1 R15: 0000000000000000
FS:  000000000202d880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a9270000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tdp_page_fault+0x56e/0x650 arch/x86/kvm/mmu.c:4216
 kvm_mmu_page_fault+0x1dd/0x1800 arch/x86/kvm/mmu.c:5439
 handle_ept_violation+0x259/0x560 arch/x86/kvm/vmx/vmx.c:5185
 vmx_handle_exit+0x29f/0x1730 arch/x86/kvm/vmx/vmx.c:5929
 vcpu_enter_guest arch/x86/kvm/x86.c:8227 [inline]
 vcpu_run arch/x86/kvm/x86.c:8291 [inline]
 kvm_arch_vcpu_ioctl_run+0x1cb8/0x70d0 arch/x86/kvm/x86.c:8498
 kvm_vcpu_ioctl+0x4dc/0xfc0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2772
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443f49
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd76f8f418 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000443f49
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006
RBP: 00000000006ce018 R08: 00000000004002e0 R09: 00000000004002e0
R10: 00000000004002e0 R11: 0000000000000246 R12: 0000000000401c50
R13: 0000000000401ce0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace a620bbd2bf29c775 ]---
RIP: 0010:transparent_hugepage_adjust+0x490/0x530 arch/x86/kvm/mmu.c:3324
Code: 63 00 48 8b 45 b8 48 83 e8 01 e9 19 fd ff ff e8 e6 3e 63 00 48 8b 45 b8 48 83 e8 01 48 89 45 c8 e9 a1 fd ff ff e8 d0 3e 63 00 <0f> 0b 48 89 df e8 36 a1 9e 00 e9 9f fb ff ff 4c 89 ff e8 29 a1 9e
RSP: 0018:ffff8880942f7690 EFLAGS: 00010293
RAX: ffff888093148500 RBX: ffff8880942f7778 RCX: ffffffff810fe787
RDX: 0000000000000000 RSI: ffffffff810fe8c0 RDI: 0000000000000007
RBP: ffff8880942f76d8 R08: ffff888093148500 R09: ffffed1014809682
R10: ffffed1014809681 R11: ffff8880a404b40b R12: ffff8880942f7768
R13: 00000000000001a3 R14: 000000000008aba1 R15: 0000000000000000
FS:  000000000202d880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000a9270000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (5):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2019/11/13 07:46 upstream 100d46bd72ec 048f2d49 .config log report syz C
ci-upstream-kasan-gce-smack-root 2019/11/10 16:31 upstream 00aff6836241 dc438b91 .config log report syz C
ci-upstream-kasan-gce-root 2019/11/09 10:06 upstream 6737e7634951 dc438b91 .config log report syz C
ci-upstream-kasan-gce 2019/11/08 01:06 upstream 847120f859cc f39aff9e .config log report syz C
ci-upstream-kasan-gce-386 2019/11/09 20:13 upstream 0058b0a506e4 dc438b91 .config log report syz C