BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:71 in_atomic(): 1, irqs_disabled(): 0, pid: 16501, name: syz-executor3 2 locks held by syz-executor3/16501: #0: (&vcpu->mutex){+.+.}, at: [] vcpu_load+0x1c/0x70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:154 #1: (&kvm->srcu){....}, at: [] vcpu_enter_guest arch/x86/kvm/x86.c:7023 [inline] #1: (&kvm->srcu){....}, at: [] vcpu_run arch/x86/kvm/x86.c:7102 [inline] #1: (&kvm->srcu){....}, at: [] kvm_arch_vcpu_ioctl_run+0x1bdd/0x5a30 arch/x86/kvm/x86.c:7263 CPU: 3 PID: 16501 Comm: syz-executor3 Not tainted 4.13.0-rc6-next-20170825+ #9 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6022 __might_sleep+0x95/0x190 kernel/sched/core.c:5975 __might_fault+0xab/0x1d0 mm/memory.c:4483 __copy_from_user include/linux/uaccess.h:71 [inline] paging32_walk_addr_generic+0x427/0x1e10 arch/x86/kvm/paging_tmpl.h:369 paging32_walk_addr arch/x86/kvm/paging_tmpl.h:475 [inline] paging32_gva_to_gpa+0xa5/0x230 arch/x86/kvm/paging_tmpl.h:913 kvm_read_guest_virt_helper+0xd8/0x140 arch/x86/kvm/x86.c:4427 kvm_read_guest_virt_system+0x3c/0x50 arch/x86/kvm/x86.c:4494 segmented_read_std+0x10c/0x180 arch/x86/kvm/emulate.c:822 em_fxrstor+0x27b/0x410 arch/x86/kvm/emulate.c:4025 x86_emulate_insn+0x55d/0x3cf0 arch/x86/kvm/emulate.c:5483 x86_emulate_instruction+0x411/0x1ca0 arch/x86/kvm/x86.c:5726 kvm_mmu_page_fault+0x1b0/0x2f0 arch/x86/kvm/mmu.c:4932 handle_ept_violation+0x194/0x540 arch/x86/kvm/vmx.c:6509 vmx_handle_exit+0x24b/0x1a60 arch/x86/kvm/vmx.c:8830 vcpu_enter_guest arch/x86/kvm/x86.c:7040 [inline] vcpu_run arch/x86/kvm/x86.c:7102 [inline] kvm_arch_vcpu_ioctl_run+0x1d36/0x5a30 arch/x86/kvm/x86.c:7263 kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2592 vfs_ioctl fs/ioctl.c:45 [inline] do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685 SYSC_ioctl fs/ioctl.c:700 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x446749 RSP: 002b:00007f650fcfec08 EFLAGS: 00000282 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000446749 RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 000000000000001a RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000282 R12: 0000000000009120 R13: 000000002aaaaaab R14: 00000000006e7690 R15: 000000000000001a netlink: 11 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 11 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'. QAT: Invalid ioctl netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=17507 comm=syz-executor4 syz3: Invalid MTU 26 requested, hw min 68 syz3: Invalid MTU 26 requested, hw min 68 do_dccp_setsockopt: sockopt(CHANGE_L/R) is deprecated: fix your app do_dccp_setsockopt: sockopt(CHANGE_L/R) is deprecated: fix your app audit: type=1326 audit(1503830896.837:52): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=17677 comm="syz-executor2" exe="/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446749 code=0xffff0000 audit: type=1326 audit(1503830896.894:53): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=17677 comm="syz-executor2" exe="/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446749 code=0xffff0000 xprt_adjust_timeout: rq_timeout = 0! xprt_adjust_timeout: rq_timeout = 0! QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl QAT: Invalid ioctl audit: type=1326 audit(1503830897.512:54): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=17913 comm="syz-executor3" exe="/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446749 code=0xffff0000 audit: type=1326 audit(1503830897.569:55): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=17913 comm="syz-executor3" exe="/syz-executor3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446749 code=0xffff0000 nla_parse: 10 callbacks suppressed netlink: 6 bytes leftover after parsing attributes in process `syz-executor4'. SELinux: unknown mount option device syz3 entered promiscuous mode device syz3 left promiscuous mode device syz3 entered promiscuous mode IPv6: ADDRCONF(NETDEV_CHANGE): syz3.0: link becomes ready sctp: [Deprecated]: syz-executor3 (pid 18183) Use of int in max_burst socket option. Use struct sctp_assoc_value instead sctp: [Deprecated]: syz-executor3 (pid 18183) Use of int in max_burst socket option. Use struct sctp_assoc_value instead netlink: 12 bytes leftover after parsing attributes in process `syz-executor4'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor4'. program syz-executor4 is using a deprecated SCSI ioctl, please convert it to SG_IO program syz-executor4 is using a deprecated SCSI ioctl, please convert it to SG_IO audit: type=1326 audit(1503830898.417:56): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=18265 comm="syz-executor6" exe="/syz-executor6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446749 code=0xffff0000 program syz-executor4 is using a deprecated SCSI ioctl, please convert it to SG_IO program syz-executor4 is using a deprecated SCSI ioctl, please convert it to SG_IO netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'. SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=18359 comm=syz-executor4 audit: type=1326 audit(1503830898.590:57): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=18344 comm="syz-executor2" exe="/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446749 code=0x0 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14606 sclass=netlink_route_socket pig=18355 comm=syz-executor1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=55705 sclass=netlink_route_socket pig=18355 comm=syz-executor1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=14606 sclass=netlink_route_socket pig=18372 comm=syz-executor1 audit: type=1326 audit(1503830898.679:58): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=18344 comm="syz-executor2" exe="/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x446749 code=0x0 kvm [18384]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008f kvm [18384]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008e kvm [18384]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008d kvm [18384]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008c kvm [18384]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008b kvm [18384]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008a kvm [18384]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000089 kvm [18384]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000088 kvm [18384]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000087 kvm [18384]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000086 sctp: [Deprecated]: syz-executor4 (pid 18459) Use of int in max_burst socket option deprecated. Use struct sctp_assoc_value instead sctp: [Deprecated]: syz-executor4 (pid 18476) Use of int in max_burst socket option deprecated. Use struct sctp_assoc_value instead kvm_hv_set_msr: 129 callbacks suppressed kvm [18537]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000008f data 0x71 kvm [18537]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000008e data 0x71 kvm [18537]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000008d data 0x71 kvm [18537]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000008c data 0x71 kvm [18537]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000008b data 0xd1 kvm [18537]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x4000008a data 0x31 kvm [18537]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000089 data 0x31 kvm [18537]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000088 data 0x31 kvm [18537]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000087 data 0x31 kvm [18537]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000086 data 0x31 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=19 sclass=netlink_audit_socket pig=18640 comm=syz-executor0 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=19 sclass=netlink_audit_socket pig=18653 comm=syz-executor0 netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. QAT: Invalid ioctl QAT: Invalid ioctl RDS: rds_bind could not find a transport for 224.0.0.2, load rds_tcp or rds_rdma? netlink: 4 bytes leftover after parsing attributes in process `syz-executor2'. RDS: rds_bind could not find a transport for 224.0.0.2, load rds_tcp or rds_rdma? netlink: 4 bytes leftover after parsing attributes in process `syz-executor2'. devpts: called with bogus options devpts: called with bogus options QAT: Invalid ioctl IPv6: NLM_F_REPLACE set, but no existing node found! IPv6: NLM_F_REPLACE set, but no existing node found! kvm: MONITOR instruction emulated as NOP! pte_list_remove: ffff88006c8ae008 0->BUG ------------[ cut here ]------------ kernel BUG at arch/x86/kvm/mmu.c:1194! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 18928 Comm: syz-executor3 Tainted: G W 4.13.0-rc6-next-20170825+ #9 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff880049820540 task.stack: ffff88006c8e8000 RIP: 0010:pte_list_remove+0x3ae/0x3c0 arch/x86/kvm/mmu.c:1193 RSP: 0018:ffff88006c8ee8d8 EFLAGS: 00010282 RAX: 0000000000000028 RBX: ffff88003d080048 RCX: 0000000000000000 RDX: 0000000000000028 RSI: 1ffff1000d91dcdb RDI: ffffed000d91dd0f RBP: ffff88006c8ee918 R08: ffff88006c8edfc8 R09: 0000000000000000 R10: ffff88006c8ee6c8 R11: 0000000000000000 R12: ffff88006c8ae008 R13: 0000000000000000 R14: ffff880068ae5b20 R15: ffff880068ae5b48 FS: 0000000000000000(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020fb2000 CR3: 000000003c3ee000 CR4: 00000000000026e0 Call Trace: rmap_remove arch/x86/kvm/mmu.c:1270 [inline] drop_spte+0x15a/0x250 arch/x86/kvm/mmu.c:1352 mmu_page_zap_pte+0x224/0x340 arch/x86/kvm/mmu.c:2484 kvm_mmu_page_unlink_children arch/x86/kvm/mmu.c:2506 [inline] kvm_mmu_prepare_zap_page+0x1c5/0x1310 arch/x86/kvm/mmu.c:2550 kvm_zap_obsolete_pages arch/x86/kvm/mmu.c:5305 [inline] kvm_mmu_invalidate_zap_all_pages+0x4a0/0x680 arch/x86/kvm/mmu.c:5346 kvm_arch_flush_shadow_all+0x15/0x20 arch/x86/kvm/x86.c:8435 kvm_mmu_notifier_release+0x59/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:508 __mmu_notifier_release+0x1d5/0x690 mm/mmu_notifier.c:75 mmu_notifier_release include/linux/mmu_notifier.h:235 [inline] exit_mmap+0x415/0x510 mm/mmap.c:2981 __mmput kernel/fork.c:916 [inline] mmput+0x223/0x6d0 kernel/fork.c:937 exit_mm kernel/exit.c:544 [inline] do_exit+0x9a1/0x1b40 kernel/exit.c:852 do_group_exit+0x149/0x400 kernel/exit.c:968 get_signal+0x7e8/0x17e0 kernel/signal.c:2334 do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808 exit_to_usermode_loop+0x224/0x300 arch/x86/entry/common.c:158 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline] syscall_return_slowpath+0x42f/0x500 arch/x86/entry/common.c:266 entry_SYSCALL_64_fastpath+0xbc/0xbe RIP: 0033:0x446749 RSP: 002b:00007f650fc93cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 0000000000708218 RCX: 0000000000446749 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000708218 RBP: 00000000007081f8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f650fc949c0 R15: 00007f650fc94700 Code: 59 eb 5e 00 48 8b 75 d0 48 c7 c7 a0 59 e2 84 e8 9e b3 49 00 0f 0b e8 42 eb 5e 00 48 8b 75 d0 48 c7 c7 60 59 e2 84 e8 87 b3 49 00 <0f> 0b 4c 89 ef e8 88 8c 93 00 e9 01 fe ff ff 0f 1f 00 55 48 89 RIP: pte_list_remove+0x3ae/0x3c0 arch/x86/kvm/mmu.c:1193 RSP: ffff88006c8ee8d8 ---[ end trace fb5196dfe7dd6a98 ]---