L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. ================================================================== BUG: KASAN: slab-out-of-bounds in search_memslots include/linux/kvm_host.h:1051 [inline] BUG: KASAN: slab-out-of-bounds in __gfn_to_memslot include/linux/kvm_host.h:1063 [inline] BUG: KASAN: slab-out-of-bounds in __kvm_gfn_to_hva_cache_init+0x30b/0x710 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2443 Read of size 8 at addr ffff888093e57468 by task syz-executor509/7133 CPU: 0 PID: 7133 Comm: syz-executor509 Not tainted 5.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1e9/0x30e lib/dump_stack.c:118 print_address_description+0x74/0x5c0 mm/kasan/report.c:382 __kasan_report+0x103/0x1a0 mm/kasan/report.c:511 kasan_report+0x4d/0x80 mm/kasan/common.c:625 Allocated by task 7133: save_stack mm/kasan/common.c:49 [inline] set_track mm/kasan/common.c:57 [inline] __kasan_kmalloc+0x114/0x160 mm/kasan/common.c:495 kmalloc_node include/linux/slab.h:578 [inline] kvmalloc_node+0x81/0x100 mm/util.c:574 kvmalloc include/linux/mm.h:739 [inline] kvzalloc include/linux/mm.h:747 [inline] kvm_dup_memslots arch/x86/kvm/../../../virt/kvm/kvm_main.c:1101 [inline] kvm_set_memslot+0x124/0x15b0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1118 __kvm_set_memory_region+0x1388/0x16c0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1300 __x86_set_memory_region+0x319/0x620 arch/x86/kvm/x86.c:9846 alloc_apic_access_page arch/x86/kvm/vmx/vmx.c:3540 [inline] vmx_create_vcpu+0x843/0x1380 arch/x86/kvm/vmx/vmx.c:6768 kvm_arch_vcpu_create+0x660/0x950 arch/x86/kvm/x86.c:9366 kvm_vm_ioctl_create_vcpu arch/x86/kvm/../../../virt/kvm/kvm_main.c:3030 [inline] kvm_vm_ioctl+0xe6d/0x2530 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3585 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl fs/ioctl.c:763 [inline] __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl+0xf9/0x160 fs/ioctl.c:770 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff888093e57000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1128 bytes inside of 2048-byte region [ffff888093e57000, ffff888093e57800) The buggy address belongs to the page: page:ffffea00024f95c0 refcount:1 mapcount:0 mapping:0000000085a453c7 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00029ca488 ffffea0002429ec8 ffff8880aa400e00 raw: 0000000000000000 ffff888093e57000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888093e57300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888093e57380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888093e57400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc ^ ffff888093e57480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888093e57500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================