L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. ================================================================== BUG: KASAN: slab-out-of-bounds in search_memslots include/linux/kvm_host.h:1051 [inline] BUG: KASAN: slab-out-of-bounds in __gfn_to_memslot include/linux/kvm_host.h:1063 [inline] BUG: KASAN: slab-out-of-bounds in __kvm_gfn_to_hva_cache_init+0x30b/0x710 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2443 Read of size 8 at addr ffff8880a6b60468 by task syz-executor122/7016 CPU: 0 PID: 7016 Comm: syz-executor122 Not tainted 5.7.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1e9/0x30e lib/dump_stack.c:118 print_address_description+0x74/0x5c0 mm/kasan/report.c:382 __kasan_report+0x103/0x1a0 mm/kasan/report.c:511 kasan_report+0x4d/0x80 mm/kasan/common.c:625 Allocated by task 7016: save_stack mm/kasan/common.c:49 [inline] set_track mm/kasan/common.c:57 [inline] __kasan_kmalloc+0x114/0x160 mm/kasan/common.c:495 kmalloc_node include/linux/slab.h:578 [inline] kvmalloc_node+0x81/0x100 mm/util.c:574 kvmalloc include/linux/mm.h:757 [inline] kvzalloc include/linux/mm.h:765 [inline] kvm_dup_memslots arch/x86/kvm/../../../virt/kvm/kvm_main.c:1101 [inline] kvm_set_memslot+0x124/0x15b0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1118 __kvm_set_memory_region+0x1388/0x16c0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1300 __x86_set_memory_region+0x319/0x620 arch/x86/kvm/x86.c:9856 alloc_apic_access_page arch/x86/kvm/vmx/vmx.c:3540 [inline] vmx_create_vcpu+0x843/0x1380 arch/x86/kvm/vmx/vmx.c:6799 kvm_arch_vcpu_create+0x660/0x950 arch/x86/kvm/x86.c:9376 kvm_vm_ioctl_create_vcpu arch/x86/kvm/../../../virt/kvm/kvm_main.c:3030 [inline] kvm_vm_ioctl+0xe6d/0x2530 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3585 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl fs/ioctl.c:763 [inline] __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl+0xf9/0x160 fs/ioctl.c:770 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Freed by task 2704: save_stack mm/kasan/common.c:49 [inline] set_track mm/kasan/common.c:57 [inline] kasan_set_free_info mm/kasan/common.c:317 [inline] __kasan_slab_free+0x125/0x190 mm/kasan/common.c:456 __cache_free mm/slab.c:3426 [inline] kfree+0x10a/0x220 mm/slab.c:3757 process_one_work+0x76e/0xfd0 kernel/workqueue.c:2268 worker_thread+0xa7f/0x1450 kernel/workqueue.c:2414 kthread+0x353/0x380 kernel/kthread.c:268 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff8880a6b60000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1128 bytes inside of 2048-byte region [ffff8880a6b60000, ffff8880a6b60800) The buggy address belongs to the page: page:ffffea00029ad800 refcount:1 mapcount:0 mapping:0000000080c84a18 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00029ad208 ffffea00029adc48 ffff8880aa400e00 raw: 0000000000000000 ffff8880a6b60000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a6b60300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880a6b60380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880a6b60400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc ^ ffff8880a6b60480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a6b60500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================