https://bugzilla.kernel.org/show_bug.cgi?id=103141

            Bug ID: 103141
           Summary: Host-triggerable NULL pointer oops
           Product: Virtualization
           Version: unspecified
    Kernel Version: 4.1.5
          Hardware: x86-64
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: kvm
          Assignee: virtualization_...@kernel-bugs.osdl.org
          Reporter: felix.vo...@posteo.de
        Regression: No

Created attachment 185241
  --> https://bugzilla.kernel.org/attachment.cgi?id=185241&action=edit
Test program (C99)

Amusingly enough, I found this while trying to come up with a minimal test
program for #103131.

Running ioctl(KVM_CREATE_VCPU) _after_ ioctl(KVM_SET_USER_MEMORY_REGION) with
certain address/size combinations may generate a null pointer dereference.

dmesg after running the test program:

[11557.519426] BUG: unable to handle kernel NULL pointer dereference at 000000000000005f
[11557.520561] IP: [<ffffffffa045b2f5>] vmx_fpu_activate+0x5/0x20 [kvm_intel]
[11557.521716] PGD 13841a067 PUD 13857c067 PMD 0
[11557.522891] Oops: 0000 [#25] PREEMPT SMP
[11557.524073] Modules linked in: [REDACTED]
[11557.534572] CPU: 5 PID: 4295 Comm: tcc Tainted: P      D    O    4.1.5-1-ARCH #1
[11557.536451] Hardware name: [REDACTED]
[11557.538361] task: ffff880068425180 ti: ffff880138784000 task.ti: ffff880138784000
[11557.540331] RIP: 0010:[<ffffffffa045b2f5>]  [<ffffffffa045b2f5>] vmx_fpu_activate+0x5/0x20 [kvm_intel]
[11557.542367] RSP: 0018:ffff880138787da0  EFLAGS: 00010292
[11557.544411] RAX: ffffffffa0476160 RBX: ffffffffffffffef RCX: 0000000000000000
[11557.546476] RDX: 0000000000001f85 RSI: ffff88014b15e8b0 RDI: ffffffffffffffef
[11557.548553] RBP: ffff880138787db8 R08: 000000000001e8b0 R09: ffffffffa045cbf3
[11557.550605] R10: ffffea00027eee00 R11: ffff88014b157348 R12: 0000000000000000
[11557.552637] R13: 0000000000000000 R14: 000000000000ae41 R15: 0000000000000000
[11557.554691] FS:  00007fba3936d700(0000) GS:ffff88014b140000(0000) knlGS:0000000000000000
[11557.556796] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[11557.558914] CR2: 000000000000005f CR3: 000000013857d000 CR4: 00000000000426e0
[11557.561092] Stack:
[11557.563213]  ffffffffa03deaf1 0000000000000000 ffff8800a52fc000 ffff880138787e78
[11557.565412]  ffffffffa03ca6d8 ffff880138787de8 ffffffff81175b5b ffff88011edffb80
[11557.567650]  0000000000000000 00000000fffbc000 0000000000044000 00007fba39371000
[11557.569906] Call Trace:
[11557.572169]  [<ffffffffa03deaf1>] ? kvm_arch_vcpu_create+0x51/0x70 [kvm]
[11557.574476]  [<ffffffffa03ca6d8>] kvm_vm_ioctl+0x1c8/0x7a0 [kvm]
[11557.576773]  [<ffffffff81175b5b>] ? lru_cache_add_active_or_unevictable+0x2b/0xb0
[11557.579118]  [<ffffffff811f4646>] do_vfs_ioctl+0x2c6/0x4d0
[11557.581470]  [<ffffffff811f48d1>] SyS_ioctl+0x81/0xa0
[11557.583841]  [<ffffffff8158bf2e>] system_call_fastpath+0x12/0x71
[11557.586265] Code: 00 e8 20 bf ff ff 5b 41 5c 5d c3 0f 1f 00 48 8b 05 31 85 fc ff ff 90 b8 00 00 00 eb 87 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 <8b> 47 70 85 c0 75 0a 55 48 89 e5 e8 3b ff ff ff 5d f3 c3 0f 1f
[11557.592112] RIP  [<ffffffffa045b2f5>] vmx_fpu_activate+0x5/0x20 [kvm_intel]
[11557.594990]  RSP <ffff880138787da0>
[11557.597859] CR2: 000000000000005f
[11557.600786] ---[ end trace b28b93d27b3449c9 ]---

When I move ioctl(KVM_CREATE_VCPU) immediately below ioctl(KVM_CREATE_VM) there
is no oops, but a later KVM_RUN exits with KVM_EXIT_INTERNAL_ERROR, subcode
KVM_INTERNAL_ERROR_EMULATION. The crashes also stop when I decrease
umr.memory_size below what I specified in the attached test program.
