L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. ================================================================== BUG: KASAN: slab-out-of-bounds in search_memslots include/linux/kvm_host.h:1051 [inline] BUG: KASAN: slab-out-of-bounds in __gfn_to_memslot include/linux/kvm_host.h:1063 [inline] BUG: KASAN: slab-out-of-bounds in kvm_vcpu_gfn_to_memslot+0x2b5/0x4c0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1603 Read of size 8 at addr ffff8880a6aec468 by task syz-executor438/7156 CPU: 0 PID: 7156 Comm: syz-executor438 Not tainted 5.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1e9/0x30e lib/dump_stack.c:118 print_address_description+0x74/0x5c0 mm/kasan/report.c:374 __kasan_report+0x103/0x190 mm/kasan/report.c:503 kasan_report+0x4d/0x80 mm/kasan/common.c:648 Allocated by task 7156: save_stack mm/kasan/common.c:72 [inline] set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:518 kmalloc_node include/linux/slab.h:578 [inline] kvmalloc_node+0x81/0x100 mm/util.c:574 kvmalloc include/linux/mm.h:733 [inline] kvzalloc include/linux/mm.h:741 [inline] kvm_dup_memslots arch/x86/kvm/../../../virt/kvm/kvm_main.c:1101 [inline] kvm_set_memslot+0x124/0x15b0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1118 __kvm_set_memory_region+0x1388/0x16c0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1300 __x86_set_memory_region+0x319/0x620 arch/x86/kvm/x86.c:9845 alloc_apic_access_page arch/x86/kvm/vmx/vmx.c:3544 [inline] vmx_create_vcpu+0x843/0x1380 arch/x86/kvm/vmx/vmx.c:6772 kvm_arch_vcpu_create+0x660/0x950 arch/x86/kvm/x86.c:9365 kvm_vm_ioctl_create_vcpu arch/x86/kvm/../../../virt/kvm/kvm_main.c:3030 [inline] kvm_vm_ioctl+0xe6d/0x2530 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3585 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl fs/ioctl.c:763 [inline] __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl+0xf9/0x160 fs/ioctl.c:770 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Freed by task 7123: save_stack mm/kasan/common.c:72 [inline] set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:340 [inline] __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:479 __cache_free mm/slab.c:3426 [inline] kfree+0x10a/0x220 mm/slab.c:3757 skb_release_all net/core/skbuff.c:664 [inline] __kfree_skb+0x56/0x1c0 net/core/skbuff.c:678 unix_stream_read_generic+0x1b20/0x2080 net/unix/af_unix.c:2416 unix_stream_recvmsg+0x106/0x150 net/unix/af_unix.c:2474 sock_recvmsg_nosec net/socket.c:886 [inline] sock_recvmsg net/socket.c:904 [inline] sock_read_iter+0x2c2/0x3a0 net/socket.c:982 call_read_iter include/linux/fs.h:1901 [inline] new_sync_read fs/read_write.c:414 [inline] __vfs_read+0x549/0x700 fs/read_write.c:427 vfs_read+0x1c3/0x400 fs/read_write.c:461 ksys_read+0x11b/0x220 fs/read_write.c:587 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 The buggy address belongs to the object at ffff8880a6aec000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1128 bytes inside of 2048-byte region [ffff8880a6aec000, ffff8880a6aec800) The buggy address belongs to the page: page:ffffea00029abb00 refcount:1 mapcount:0 mapping:00000000fb1151f5 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00029aba08 ffffea00029abbc8 ffff8880aa400e00 raw: 0000000000000000 ffff8880a6aec000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a6aec300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880a6aec380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880a6aec400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc ^ ffff8880a6aec480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a6aec500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================