Re: Re: WARNING in x86_emulate_insn

2017-12-12 Thread Lan Tianyu
On 2017年12月12日 06:45, Paolo Bonzini wrote:
> On 08/12/2017 09:28, Tianyu Lan wrote:
>> I find this is pop instruction emulation issue. According "SDM VOL2,
>> chapter INSTRUCTION
>> SET REFERENCE. POP—Pop a Value from the Stack"
>>
>> Protected Mode Exceptions
>> #GP(0) If attempt is made to load SS register with NULL segment selector.
> 
> This is not what the testcase is testing; this is already covered by 
> __load_segment_descriptor:
> 
> if (null_selector) {
> if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
> goto exception;
> 
> if (seg == VCPU_SREG_SS) {
> if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
> goto exception;
>   ...
>   }

Yes, __load_segment_descriptor() does such a check. I find that em_pop doesn't
load the SS segment. SS isn't loaded before calling em_pop in the test case.
Should this be fixed?

> 
> Is there a path that can return X86EMUL_PROPAGATE_FAULT without setting
> ctxt->exception.vector and/or without going through emulate_exception?
> 
> I don't think it's possible to write a test in kvm-unit-tests, because the
> state has "impossible" segment descriptor cache contents.

Sent out a fix patch for the issue. Please have a look. Thanks.
https://marc.info/?l=kvm=151306208214733=2

> 
> Paolo
> 
>> This test case hits it but current code doesn't check such case.
>> The following patch can fix the issue.
>>
>> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
>> index abe74f7..e2ac5cc 100644
>> --- a/arch/x86/kvm/emulate.c
>> +++ b/arch/x86/kvm/emulate.c
>> @@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
>> int rc;
>> struct segmented_address addr;
>>
>> +   if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
>> +   return emulate_gp(ctxt, 0);
>> +
>> addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
>> addr.seg = VCPU_SREG_SS;
>> rc = segmented_read(ctxt, addr, dest, len);
> 


-- 
Best regards
Tianyu Lan


Re: WARNING in x86_emulate_insn

2017-12-11 Thread Paolo Bonzini
On 08/12/2017 09:28, Tianyu Lan wrote:
> I find this is pop instruction emulation issue. According "SDM VOL2,
> chapter INSTRUCTION
> SET REFERENCE. POP—Pop a Value from the Stack"
> 
> Protected Mode Exceptions
> #GP(0) If attempt is made to load SS register with NULL segment selector.

This is not what the testcase is testing; this is already covered by 
__load_segment_descriptor:

    if (null_selector) {
        if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
            goto exception;

        if (seg == VCPU_SREG_SS) {
            if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
                goto exception;
            ...
        }

Is there a path that can return X86EMUL_PROPAGATE_FAULT without setting
ctxt->exception.vector and/or without going through emulate_exception?

I don't think it's possible to write a test in kvm-unit-tests, because the
state has "impossible" segment descriptor cache contents.

Paolo

> This test case hits it but current code doesn't check such case.
> The following patch can fix the issue.
> 
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index abe74f7..e2ac5cc 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
> int rc;
> struct segmented_address addr;
> 
> +   if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
> +   return emulate_gp(ctxt, 0);
> +
> addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
> addr.seg = VCPU_SREG_SS;
> rc = segmented_read(ctxt, addr, dest, len);



Re: Re: WARNING in x86_emulate_insn

2017-12-08 Thread Lan, Tianyu


On 12/8/2017 5:27 PM, Wanpeng Li wrote:
> 2017-12-08 16:28 GMT+08:00 Tianyu Lan :
>> Hi Jim:
>>  Thanks for your help.
>>
>> 2017-12-08 5:25 GMT+08:00 Jim Mattson :
>>> Try disabling the module parameter, "unrestricted_guest." Make sure
>>> that the module parameter, "emulate_invalid_guest_state" is enabled.
>>> This combination allows userspace to feed invalid guest state into the
>>> in-kernel emulator.
>>
>> Yes, you are right. I need to disable unrestricted_guest to reproduce the issue.
>
> I can observe ctxt->exception.vector == 0xff which triggers Dmitry's
> report. Do you figure out the reason?

Yes, this is caused by an emulation callback returning an error code while
not emulating an exception and not setting the exception vector.
ctxt->exception.vector defaults to 0xff in the emulate instruction code
path.
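The failure mode Lan describes above (a callback that returns an error code without recording an exception, leaving ctxt->exception.vector at its 0xff default) is modelled in this added C example; it is not code from arch/x86/kvm/emulate.c or from the thread. The context struct, the two callbacks and the run_emulation() check are simplified stand-ins, and the numeric value of X86EMUL_PROPAGATE_FAULT is assumed.

```c
/* Added illustration of the emulator's fault-propagation contract; not
 * kernel code. Names mirror the thread (X86EMUL_PROPAGATE_FAULT,
 * ctxt->exception.vector, emulate_gp) but everything here is a stand-in. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define X86EMUL_CONTINUE        0
#define X86EMUL_PROPAGATE_FAULT 2    /* assumed value: "inject a fault" */
#define GP_VECTOR               13   /* #GP */
#define NO_VECTOR               0xff /* "nothing recorded", as the thread reports */

struct x86_exception {
    uint8_t  vector;
    bool     error_code_valid;
    uint16_t error_code;
};

struct emul_ctxt {
    struct x86_exception exception;
};

/* The sanctioned way to fail: describe the exception, then propagate. */
static int emulate_exception(struct emul_ctxt *ctxt, int vec,
                             uint16_t err, bool valid)
{
    ctxt->exception.vector = (uint8_t)vec;
    ctxt->exception.error_code = err;
    ctxt->exception.error_code_valid = valid;
    return X86EMUL_PROPAGATE_FAULT;
}

static int emulate_gp(struct emul_ctxt *ctxt, uint16_t err)
{
    return emulate_exception(ctxt, GP_VECTOR, err, true);
}

/* Buggy callback: reports a fault but never says which one. This is the
 * pattern Lan describes; the dispatcher below then has nothing to inject. */
static int callback_without_vector(struct emul_ctxt *ctxt)
{
    (void)ctxt;
    return X86EMUL_PROPAGATE_FAULT;
}

/* Correct callback: the same failure routed through emulate_gp(). */
static int callback_via_emulate_gp(struct emul_ctxt *ctxt)
{
    return emulate_gp(ctxt, 0);
}

/* Stand-in for the dispatch loop's sanity check: a propagated fault must
 * carry a real vector. Returns false when the invariant is violated
 * (vector still 0xff), which is what the kernel's WARN_ON() catches. */
static bool run_emulation(struct emul_ctxt *ctxt,
                          int (*cb)(struct emul_ctxt *))
{
    ctxt->exception.vector = NO_VECTOR;  /* reset before each instruction */
    int rc = cb(ctxt);
    if (rc == X86EMUL_PROPAGATE_FAULT &&
        ctxt->exception.vector == NO_VECTOR) {
        fprintf(stderr, "WARNING: fault propagated with vector 0x%02x\n",
                ctxt->exception.vector);
        return false;
    }
    return true;
}

/* Scenario helpers that return checkable results. */
static bool buggy_callback_trips_warning(void)
{
    struct emul_ctxt ctxt = {0};
    return !run_emulation(&ctxt, callback_without_vector);
}

static int vector_after_emulate_gp(void)
{
    struct emul_ctxt ctxt = {0};
    run_emulation(&ctxt, callback_via_emulate_gp);
    return ctxt.exception.vector;
}

int main(void)
{
    printf("buggy callback trips warning: %s\n",
           buggy_callback_trips_warning() ? "yes" : "no");
    printf("vector after emulate_gp: %d\n", vector_after_emulate_gp());
    return 0;
}
```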


Re: WARNING in x86_emulate_insn

2017-12-08 Thread Wanpeng Li
2017-12-08 16:28 GMT+08:00 Tianyu Lan :
> Hi Jim:
>  Thanks for your help.
>
> 2017-12-08 5:25 GMT+08:00 Jim Mattson :
>> Try disabling the module parameter, "unrestricted_guest." Make sure
>> that the module parameter, "emulate_invalid_guest_state" is enabled.
>> This combination allows userspace to feed invalid guest state into the
>> in-kernel emulator.
>
> Yes, you are right. I need to disable unrestricted_guest to reproduce the 
> issue.

I can observe ctxt->exception.vector == 0xff which triggers Dmitry's
report. Do you figure out the reason?

Regards,
Wanpeng Li

>
> I find this is pop instruction emulation issue. According "SDM VOL2,
> chapter INSTRUCTION
> SET REFERENCE. POP—Pop a Value from the Stack"
>
> Protected Mode Exceptions
> #GP(0) If attempt is made to load SS register with NULL segment selector.
>
> This test case hits it but current code doesn't check such case.
> The following patch can fix the issue.
>
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index abe74f7..e2ac5cc 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
> int rc;
> struct segmented_address addr;
>
> +   if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
> +   return emulate_gp(ctxt, 0);
> +
> addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
> addr.seg = VCPU_SREG_SS;
> rc = segmented_read(ctxt, addr, dest, len);


Re: WARNING in x86_emulate_insn

2017-12-08 Thread Tianyu Lan
2017-12-08 16:44 GMT+08:00 Ingo Molnar :
>
> * Tianyu Lan  wrote:
>
>> Hi Jim:
>>  Thanks for your help.
>>
>> 2017-12-08 5:25 GMT+08:00 Jim Mattson :
>> > Try disabling the module parameter, "unrestricted_guest." Make sure
>> > that the module parameter, "emulate_invalid_guest_state" is enabled.
>> > This combination allows userspace to feed invalid guest state into the
>> > in-kernel emulator.
>>
>> Yes, you are right. I need to disable unrestricted_guest to reproduce the 
>> issue.
>>
>> I find this is pop instruction emulation issue. According "SDM VOL2,
>> chapter INSTRUCTION
>> SET REFERENCE. POP—Pop a Value from the Stack"
>>
>> Protected Mode Exceptions
>> #GP(0) If attempt is made to load SS register with NULL segment selector.
>>
>> This test case hits it but current code doesn't check such case.
>> The following patch can fix the issue.
>>
>> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
>> index abe74f7..e2ac5cc 100644
>> --- a/arch/x86/kvm/emulate.c
>> +++ b/arch/x86/kvm/emulate.c
>> @@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
>> int rc;
>> struct segmented_address addr;
>>
>> +   if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
>> +   return emulate_gp(ctxt, 0);
>> +
>> addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
>> addr.seg = VCPU_SREG_SS;
>> rc = segmented_read(ctxt, addr, dest, len);
>
> s/if ( !get_segment_selector
>  /if (!get_segment_selector

Sorry. I mixed Xen and kernel code styles...

>
> I think it would also be nice to convert the syzkaller testcase to a new KVM 
> unit
> test:

Sure. I will add it.

>
>   git://git.kernel.org/pub/scm/virt/kvm/kvm-unit-tests.git
>
> There's a test_pop() function in kvm-unit-tests/x86/emulator.c.
>
> Thanks,
>
> Ingo



-- 
Best regards
Tianyu Lan


Re: WARNING in x86_emulate_insn

2017-12-08 Thread Ingo Molnar

* Tianyu Lan  wrote:

> Hi Jim:
>  Thanks for your help.
> 
> 2017-12-08 5:25 GMT+08:00 Jim Mattson :
> > Try disabling the module parameter, "unrestricted_guest." Make sure
> > that the module parameter, "emulate_invalid_guest_state" is enabled.
> > This combination allows userspace to feed invalid guest state into the
> > in-kernel emulator.
> 
> Yes, you are right. I need to disable unrestricted_guest to reproduce the 
> issue.
> 
> I find this is pop instruction emulation issue. According "SDM VOL2,
> chapter INSTRUCTION
> SET REFERENCE. POP—Pop a Value from the Stack"
> 
> Protected Mode Exceptions
> #GP(0) If attempt is made to load SS register with NULL segment selector.
> 
> This test case hits it but current code doesn't check such case.
> The following patch can fix the issue.
> 
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index abe74f7..e2ac5cc 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
> int rc;
> struct segmented_address addr;
> 
> +   if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
> +   return emulate_gp(ctxt, 0);
> +
> addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
> addr.seg = VCPU_SREG_SS;
> rc = segmented_read(ctxt, addr, dest, len);

s/if ( !get_segment_selector
 /if (!get_segment_selector

I think it would also be nice to convert the syzkaller testcase to a new KVM unit test:

  git://git.kernel.org/pub/scm/virt/kvm/kvm-unit-tests.git

There's a test_pop() function in kvm-unit-tests/x86/emulator.c.

Thanks,

Ingo


Re: WARNING in x86_emulate_insn

2017-12-08 Thread Tianyu Lan
Hi Jim:
 Thanks for your help.

2017-12-08 5:25 GMT+08:00 Jim Mattson :
> Try disabling the module parameter, "unrestricted_guest." Make sure
> that the module parameter, "emulate_invalid_guest_state" is enabled.
> This combination allows userspace to feed invalid guest state into the
> in-kernel emulator.

Yes, you are right. I need to disable unrestricted_guest to reproduce the issue.

I find this is a pop instruction emulation issue. According to "SDM VOL2,
chapter INSTRUCTION SET REFERENCE. POP—Pop a Value from the Stack":

Protected Mode Exceptions
#GP(0) If attempt is made to load SS register with NULL segment selector.

This test case hits it but the current code doesn't check such a case.
The following patch can fix the issue.

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index abe74f7..e2ac5cc 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
int rc;
struct segmented_address addr;

+   if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
+   return emulate_gp(ctxt, 0);
+
addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
addr.seg = VCPU_SREG_SS;
rc = segmented_read(ctxt, addr, dest, len);
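Review bot: the new check at the top of emulate_pop (`if ( !get_segment_selector(ctxt, VCPU_SREG_SS))` / `return emulate_gp(ctxt, 0);`) is not gated on ctxt->mode or privilege, so it raises #GP whenever the SS selector is zero, yet the SDM text it cites is a Protected Mode Exceptions entry for loading SS, not for using it in a pop, and the __load_segment_descriptor excerpt Paolo quotes rejects a null SS only when `ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl`, so a null SS is architecturally valid in 64-bit mode at matching privilege (and selector 0 is an ordinary segment in real mode), where this hunk would now fault a legitimate pop. Either gate the test on the same mode and privilege conditions, or follow Paolo's suggestion and find the path that returns X86EMUL_PROPAGATE_FAULT without setting ctxt->exception.vector, since that is what actually fires the WARNING. Style nit, as Ingo notes: `if (!get_segment_selector(ctxt, VCPU_SREG_SS))` without the space after the opening parenthesis.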


Re: WARNING in x86_emulate_insn

2017-12-07 Thread Wanpeng Li
2017-12-08 11:22 GMT+08:00 syzbot
:
> syzkaller has found reproducer for the following crash on
> 968edbd93c0cbb40ab48aca972392d377713a0c3
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>

I will have a look.

Regards,
Wanpeng Li

>
> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
> WARNING: CPU: 0 PID: 3153 at arch/x86/kvm/emulate.c:5654
> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 3153 Comm: syzkaller990902 Not tainted 4.15.0-rc2+ #212
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>  panic+0x1e4/0x41c kernel/panic.c:183
>  __warn+0x1dc/0x200 kernel/panic.c:547
>  report_bug+0x211/0x2d0 lib/bug.c:184
>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>  fixup_bug arch/x86/kernel/traps.c:246 [inline]
>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>  invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:930
> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
> RSP: 0018:8801c56f7300 EFLAGS: 00010293
> RAX: 8801c62d2080 RBX: 110038adee69 RCX: 81154231
> RDX:  RSI:  RDI: 8801c55da888
> RBP: 8801c56f7410 R08: 8801c55d8040 R09: 85224dc0
> R10: 0002 R11: ed0038abb551 R12: 00ff
> R13: 8801c55da860 R14: 0002 R15: 8801c55da983
>  x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5769
>  emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>  handle_invalid_guest_state arch/x86/kvm/vmx.c:6606 [inline]
>  vmx_handle_exit+0x6e3/0x1ce0 arch/x86/kvm/vmx.c:8826
>  vcpu_enter_guest arch/x86/kvm/x86.c:7082 [inline]
>  vcpu_run arch/x86/kvm/x86.c:7144 [inline]
>  kvm_arch_vcpu_ioctl_run+0x1cb4/0x5c60 arch/x86/kvm/x86.c:7312
>  kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>  vfs_ioctl fs/ioctl.c:46 [inline]
>  do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>  SYSC_ioctl fs/ioctl.c:701 [inline]
>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>  entry_SYSCALL_64_fastpath+0x1f/0x96
> RIP: 0033:0x4402e9
> RSP: 002b:7ffde2bdf2c8 EFLAGS: 0217 ORIG_RAX: 0010
> RAX: ffda RBX:  RCX: 004402e9
> RDX:  RSI: ae80 RDI: 0005
> RBP: 006ca018 R08:  R09: 
> R10:  R11: 0217 R12: 00401c50
> R13: 00401ce0 R14:  R15: 
>
> Dumping ftrace buffer:
>(ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>


Re: WARNING in x86_emulate_insn

2017-12-07 Thread Jim Mattson
Try disabling the module parameter, "unrestricted_guest." Make sure
that the module parameter, "emulate_invalid_guest_state" is enabled.
This combination allows userspace to feed invalid guest state into the
in-kernel emulator.

On Thu, Dec 7, 2017 at 2:40 AM, Wanpeng Li  wrote:
> 2017-12-07 15:52 GMT+08:00 Wanpeng Li :
>> 2017-12-07 15:49 GMT+08:00 蓝天宇 :
>>> Hi Dmitry:
>>>  I tried to reproduce the issue via syz-execprog with attached
>>> reproducer on latest linux-next but it causes VM-entry failure due to
>>> invalid guest state...
>>
>> Because rflags is 0 in his program. You can set ept=0 and retry.
>
> In addition, you can apply this commit
> https://lkml.org/lkml/2017/12/7/144 before testing.
>
>>
>> Regards,
>> Wanpeng Li
>>
>>>
>>> 2017-12-07 14:25 GMT+08:00 Dmitry Vyukov :
>>>> On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li  wrote:
>>>>> 2017-12-06 4:07 GMT+08:00 syzbot
>>>>> :
>>>>>> Hello,
>>>>>>
>>>>>> syzkaller hit the following crash on
>>>>>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>>>>>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>>>>>> compiler: gcc (GCC) 7.1.1 20170620
>>>>>> .config is attached
>>>>>> Raw console output is attached.
>>>>>>
>>>>>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>>>>>> for information about syzkaller reproducers
>>>>>>
>>>>>
>>>>> Is there a c program to reproduce?
>>>>
>>>> No, syzbot does not hide reproducers. See the referenced doc for
>>>> details:
>>>> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers
>>>>
>>>>
>>>>> Regards,
>>>>> Wanpeng Li
>>>>>
>>>>>>
>>>>>> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
>>>>>> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
>>>>>> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>>>> Kernel panic - not syncing: panic_on_warn set ...
>>>>>>
>>>>>> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 
>>>>>> 4.15.0-rc1-next-20171201+
>>>>>> #57
>>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>>>>> Google 01/01/2011
>>>>>> Call Trace:
>>>>>>  __dump_stack lib/dump_stack.c:17 [inline]
>>>>>>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>>>>>>  panic+0x1e4/0x41c kernel/panic.c:183
>>>>>>  __warn+0x1dc/0x200 kernel/panic.c:547
>>>>>>  report_bug+0x211/0x2d0 lib/bug.c:184
>>>>>>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>>>>>>  fixup_bug arch/x86/kernel/traps.c:246 [inline]
>>>>>>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>>>>>>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>>>>>>  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
>>>>>> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>>>> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
>>>>>> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
>>>>>> RDX:  RSI:  RDI: 8801d0b5b5c8
>>>>>> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
>>>>>> R10: 0001 R11: ed003a16b6d4 R12: 00ff
>>>>>> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>>>>>>  x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>>>>>>  emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>>>>>>  complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>>>>>>  complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>>>>>>  kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>>>>>>  kvm_vcpu_ioctl+0x64c/0x1010 
>>>>>> arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>>>>>>  vfs_ioctl fs/ioctl.c:46 [inline]
>>>>>>  do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>>>>>>  SYSC_ioctl fs/ioctl.c:701 [inline]
>>>>>>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>>>>>>  entry_SYSCALL_64_fastpath+0x1f/0x96
>>>>>> RIP: 0033:0x4529d9
>>>>>> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
>>>>>> RAX: ffda RBX: 00758020 RCX: 004529d9
>>>>>> RDX:  RSI: ae80 RDI: 0004
>>>>>> RBP: 039b R08:  R09: 
>>>>>> R10:  R11: 0212 R12: 006f2728
>>>>>> R13:  R14: 7f6b6b2d66d4 R15: 
>>>>>> Dumping ftrace buffer:
>>>>>>(ftrace buffer empty)
>>>>>> Kernel Offset: disabled
>>>>>> Rebooting in 86400 seconds..
>>>>>>
>>>>>>
>>>>>> ---
>>>>>> This bug is generated by a dumb bot. It may contain errors.
>>>>>> See https://goo.gl/tpsmEJ for details.
>>>>>> Direct all questions to syzkal...@googlegroups.com.
>>>>>> Please credit me with: Reported-by: syzbot 
>>>>>>
>>>>>> syzbot will keep track of this bug report.
>>>>>> Once a fix for this bug is committed, please reply to this email with:
>>>>>> #syz fix: 

Re: WARNING in x86_emulate_insn

2017-12-07 Thread Jim Mattson
Try disabling the module parameter, "unrestricted_guest." Make sure
that the module parameter, "emulate_invalid_guest_state" is enabled.
This combination allows userspace to feed invalid guest state into the
in-kernel emulator.

On Thu, Dec 7, 2017 at 2:40 AM, Wanpeng Li  wrote:
> 2017-12-07 15:52 GMT+08:00 Wanpeng Li :
>> 2017-12-07 15:49 GMT+08:00 蓝天宇 :
>>> Hi Dmitry:
>>>  I tried to reproduce the issue via syz-execprog with attached
>>> reproducer on latest linux-next but it causes VM-entry failure due to
>>> invalid guest state...
>>
>> Because rflags is 0 in his program. You can set ept=0 and retry.
>
> In addition, you can apply this commit
> https://lkml.org/lkml/2017/12/7/144 before testing.
>
>>
>> Regards,
>> Wanpeng Li
>>
>>>
>>> 2017-12-07 14:25 GMT+08:00 Dmitry Vyukov :
>>>> On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li  wrote:
>>>>> 2017-12-06 4:07 GMT+08:00 syzbot
>>>>> :
>>>>>> Hello,
>>>>>>
>>>>>> syzkaller hit the following crash on
>>>>>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>>>>>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>>>>>> compiler: gcc (GCC) 7.1.1 20170620
>>>>>> .config is attached
>>>>>> Raw console output is attached.
>>>>>>
>>>>>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>>>>>> for information about syzkaller reproducers
>>>>>>
>>>>>
>>>>> Is there a c program to reproduce?
>>>>
>>>> No, syzbot does not hide reproducers. See the referenced doc for
>>>> details:
>>>> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers
>>>>
>>>>
>>>>> Regards,
>>>>> Wanpeng Li
>>>>>
>>>>>>
>>>>>> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
>>>>>> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
>>>>>> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>>>> Kernel panic - not syncing: panic_on_warn set ...
>>>>>>
>>>>>> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted
>>>>>> 4.15.0-rc1-next-20171201+
>>>>>> #57
>>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>>>>> Google 01/01/2011
>>>>>> Call Trace:
>>>>>>  __dump_stack lib/dump_stack.c:17 [inline]
>>>>>>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>>>>>>  panic+0x1e4/0x41c kernel/panic.c:183
>>>>>>  __warn+0x1dc/0x200 kernel/panic.c:547
>>>>>>  report_bug+0x211/0x2d0 lib/bug.c:184
>>>>>>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>>>>>>  fixup_bug arch/x86/kernel/traps.c:246 [inline]
>>>>>>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>>>>>>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>>>>>>  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
>>>>>> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>>>> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
>>>>>> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
>>>>>> RDX:  RSI:  RDI: 8801d0b5b5c8
>>>>>> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
>>>>>> R10: 0001 R11: ed003a16b6d4 R12: 00ff
>>>>>> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>>>>>>  x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>>>>>>  emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>>>>>>  complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>>>>>>  complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>>>>>>  kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>>>>>>  kvm_vcpu_ioctl+0x64c/0x1010
>>>>>> arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>>>>>>  vfs_ioctl fs/ioctl.c:46 [inline]
>>>>>>  do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>>>>>>  SYSC_ioctl fs/ioctl.c:701 [inline]
>>>>>>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>>>>>>  entry_SYSCALL_64_fastpath+0x1f/0x96
>>>>>> RIP: 0033:0x4529d9
>>>>>> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
>>>>>> RAX: ffda RBX: 00758020 RCX: 004529d9
>>>>>> RDX:  RSI: ae80 RDI: 0004
>>>>>> RBP: 039b R08:  R09:
>>>>>> R10:  R11: 0212 R12: 006f2728
>>>>>> R13:  R14: 7f6b6b2d66d4 R15:
>>>>>> Dumping ftrace buffer:
>>>>>>(ftrace buffer empty)
>>>>>> Kernel Offset: disabled
>>>>>> Rebooting in 86400 seconds..
>>>>>>
>>>>>>
>>>>>> ---
>>>>>> This bug is generated by a dumb bot. It may contain errors.
>>>>>> See https://goo.gl/tpsmEJ for details.
>>>>>> Direct all questions to syzkal...@googlegroups.com.
>>>>>> Please credit me with: Reported-by: syzbot
>>>>>>
>>>>>> syzbot will keep track of this bug report.
>>>>>> Once a fix for this bug is committed, please reply to this email with:
>>>>>> #syz fix: exact-commit-title
>>>>>> If you want to test a patch for this bug, please reply with:
>>>>>> #syz test: git://repo/address.git branch
>>>>>> and provide the patch inline or as an attachment.
>>>>>> To mark this as a

Re: WARNING in x86_emulate_insn

2017-12-07 Thread Wanpeng Li
2017-12-07 15:52 GMT+08:00 Wanpeng Li :
> 2017-12-07 15:49 GMT+08:00 蓝天宇 :
>> Hi Dmitry:
>>  I tried to reproduce the issue via syz-execprog with attached
>> reproducer on latest linux-next but it causes VM-entry failure due to
>> invalid guest state...
>
> Because rflags is 0 in his program. You can set ept=0 and retry.

In addition, you can apply this commit
https://lkml.org/lkml/2017/12/7/144 before testing.

>
> Regards,
> Wanpeng Li
>
>>
>> 2017-12-07 14:25 GMT+08:00 Dmitry Vyukov :
>>> On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li  wrote:
>>>> 2017-12-06 4:07 GMT+08:00 syzbot
>>>> :
>>>>> Hello,
>>>>>
>>>>> syzkaller hit the following crash on
>>>>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>>>>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>>>>> compiler: gcc (GCC) 7.1.1 20170620
>>>>> .config is attached
>>>>> Raw console output is attached.
>>>>>
>>>>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>>>>> for information about syzkaller reproducers
>>>>>
>>>>
>>>> Is there a c program to reproduce?
>>>
>>> No, syzbot does not hide reproducers. See the referenced doc for
>>> details: 
>>> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers
>>>
>>>
>>>> Regards,
>>>> Wanpeng Li
>>>>
>>>>>
>>>>> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
>>>>> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
>>>>> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>>> Kernel panic - not syncing: panic_on_warn set ...
>>>>>
>>>>> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+
>>>>> #57
>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>>>> Google 01/01/2011
>>>>> Call Trace:
>>>>>  __dump_stack lib/dump_stack.c:17 [inline]
>>>>>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>>>>>  panic+0x1e4/0x41c kernel/panic.c:183
>>>>>  __warn+0x1dc/0x200 kernel/panic.c:547
>>>>>  report_bug+0x211/0x2d0 lib/bug.c:184
>>>>>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>>>>>  fixup_bug arch/x86/kernel/traps.c:246 [inline]
>>>>>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>>>>>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>>>>>  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
>>>>> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>>> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
>>>>> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
>>>>> RDX:  RSI:  RDI: 8801d0b5b5c8
>>>>> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
>>>>> R10: 0001 R11: ed003a16b6d4 R12: 00ff
>>>>> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>>>>>  x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>>>>>  emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>>>>>  complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>>>>>  complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>>>>>  kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>>>>>  kvm_vcpu_ioctl+0x64c/0x1010
>>>>> arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>>>>>  vfs_ioctl fs/ioctl.c:46 [inline]
>>>>>  do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>>>>>  SYSC_ioctl fs/ioctl.c:701 [inline]
>>>>>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>>>>>  entry_SYSCALL_64_fastpath+0x1f/0x96
>>>>> RIP: 0033:0x4529d9
>>>>> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
>>>>> RAX: ffda RBX: 00758020 RCX: 004529d9
>>>>> RDX:  RSI: ae80 RDI: 0004
>>>>> RBP: 039b R08:  R09:
>>>>> R10:  R11: 0212 R12: 006f2728
>>>>> R13:  R14: 7f6b6b2d66d4 R15:
>>>>> Dumping ftrace buffer:
>>>>>(ftrace buffer empty)
>>>>> Kernel Offset: disabled
>>>>> Rebooting in 86400 seconds..
>>>>>
>>>>>
>>>>> ---
>>>>> This bug is generated by a dumb bot. It may contain errors.
>>>>> See https://goo.gl/tpsmEJ for details.
>>>>> Direct all questions to syzkal...@googlegroups.com.
>>>>> Please credit me with: Reported-by: syzbot
>>>>>
>>>>> syzbot will keep track of this bug report.
>>>>> Once a fix for this bug is committed, please reply to this email with:
>>>>> #syz fix: exact-commit-title
>>>>> If you want to test a patch for this bug, please reply with:
>>>>> #syz test: git://repo/address.git branch
>>>>> and provide the patch inline or as an attachment.
>>>>> To mark this as a duplicate of another syzbot report, please reply with:
>>>>> #syz dup: exact-subject-of-another-report
>>>>> If it's a one-off invalid bug report, please reply with:
>>>>> #syz invalid
>>>>> Note: if the crash happens again, it will cause creation of a new bug
>>>>> report.
>>>>> Note: all commands must start from beginning of the line in the email
>>>>> body.
>>>>
>>>> --
>>>> You received this

Re: WARNING in x86_emulate_insn

2017-12-06 Thread Wanpeng Li
2017-12-07 15:49 GMT+08:00 蓝天宇 :
> Hi Dmitry:
>  I tried to reproduce the issue via syz-execprog with attached
> reproducer on latest linux-next but it causes VM-entry failure due to
> invalid guest state...

Because rflags is 0 in his program. You can set ept=0 and retry.

Regards,
Wanpeng Li

>
> 2017-12-07 14:25 GMT+08:00 Dmitry Vyukov :
>> On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li  wrote:
>>> 2017-12-06 4:07 GMT+08:00 syzbot
>>> :
>>>> Hello,
>>>>
>>>> syzkaller hit the following crash on
>>>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>>>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>>>> compiler: gcc (GCC) 7.1.1 20170620
>>>> .config is attached
>>>> Raw console output is attached.
>>>>
>>>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>>>> for information about syzkaller reproducers
>>>>
>>>
>>> Is there a c program to reproduce?
>>
>> No, syzbot does not hide reproducers. See the referenced doc for
>> details: 
>> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers
>>
>>
>>> Regards,
>>> Wanpeng Li
>>>
>>>>
>>>> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
>>>> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
>>>> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>> Kernel panic - not syncing: panic_on_warn set ...
>>>>
>>>> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+
>>>> #57
>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>>> Google 01/01/2011
>>>> Call Trace:
>>>>  __dump_stack lib/dump_stack.c:17 [inline]
>>>>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>>>>  panic+0x1e4/0x41c kernel/panic.c:183
>>>>  __warn+0x1dc/0x200 kernel/panic.c:547
>>>>  report_bug+0x211/0x2d0 lib/bug.c:184
>>>>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>>>>  fixup_bug arch/x86/kernel/traps.c:246 [inline]
>>>>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>>>>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>>>>  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
>>>> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
>>>> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
>>>> RDX:  RSI:  RDI: 8801d0b5b5c8
>>>> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
>>>> R10: 0001 R11: ed003a16b6d4 R12: 00ff
>>>> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>>>>  x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>>>>  emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>>>>  complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>>>>  complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>>>>  kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>>>>  kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>>>>  vfs_ioctl fs/ioctl.c:46 [inline]
>>>>  do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>>>>  SYSC_ioctl fs/ioctl.c:701 [inline]
>>>>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>>>>  entry_SYSCALL_64_fastpath+0x1f/0x96
>>>> RIP: 0033:0x4529d9
>>>> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
>>>> RAX: ffda RBX: 00758020 RCX: 004529d9
>>>> RDX:  RSI: ae80 RDI: 0004
>>>> RBP: 039b R08:  R09:
>>>> R10:  R11: 0212 R12: 006f2728
>>>> R13:  R14: 7f6b6b2d66d4 R15:
>>>> Dumping ftrace buffer:
>>>>(ftrace buffer empty)
>>>> Kernel Offset: disabled
>>>> Rebooting in 86400 seconds..
>>>>
>>>>
>>>> ---
>>>> This bug is generated by a dumb bot. It may contain errors.
>>>> See https://goo.gl/tpsmEJ for details.
>>>> Direct all questions to syzkal...@googlegroups.com.
>>>> Please credit me with: Reported-by: syzbot
>>>>
>>>> syzbot will keep track of this bug report.
>>>> Once a fix for this bug is committed, please reply to this email with:
>>>> #syz fix: exact-commit-title
>>>> If you want to test a patch for this bug, please reply with:
>>>> #syz test: git://repo/address.git branch
>>>> and provide the patch inline or as an attachment.
>>>> To mark this as a duplicate of another syzbot report, please reply with:
>>>> #syz dup: exact-subject-of-another-report
>>>> If it's a one-off invalid bug report, please reply with:
>>>> #syz invalid
>>>> Note: if the crash happens again, it will cause creation of a new bug
>>>> report.
>>>> Note: all commands must start from beginning of the line in the email body.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups 
>>> "syzkaller-bugs" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an 
>>> email to syzkaller-bugs+unsubscr...@googlegroups.com.
>>> To view this discussion on the web visit 
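
A small POSIX shell helper, added here as an example and not taken from the thread or from KVM, that reads the kvm_intel parameters named in this thread (Jim Mattson's unrestricted_guest and emulate_invalid_guest_state, Wanpeng Li's ept) from sysfs and reports whether the host is in the combination Jim Mattson describes, where invalid guest state supplied by userspace is handed to the in-kernel emulator instead of being refused. The function names and the optional directory argument (which lets the check run against a constructed sysfs-like tree) are this example's own; /sys/module/kvm_intel/parameters is the standard sysfs location for these parameters.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect the kvm_intel module
# parameters discussed above. The directory argument exists so the check can
# be pointed at a constructed tree; it defaults to the live sysfs path.

KVM_INTEL_PARAMS=/sys/module/kvm_intel/parameters

# Print the value of one kvm_intel parameter (Y or N for bool parameters).
# $1 = parameter name, $2 = parameters directory (optional).
# Prints "missing" and returns 1 when the parameter file is not readable,
# e.g. because kvm_intel is not loaded on this host.
kvm_intel_param() {
    dir="${2:-$KVM_INTEL_PARAMS}"
    if [ ! -r "$dir/$1" ]; then
        echo "missing"
        return 1
    fi
    tr -d '\n' < "$dir/$1"
}

# Succeed (return 0) when the host is in the configuration Jim Mattson
# describes: unrestricted_guest off and emulate_invalid_guest_state on.
# Any missing parameter makes the check fail rather than guess.
kvm_intel_emulates_invalid_state() {
    ug=$(kvm_intel_param unrestricted_guest "$1") || ug=missing
    eigs=$(kvm_intel_param emulate_invalid_guest_state "$1") || eigs=missing
    [ "$ug" = "N" ] && [ "$eigs" = "Y" ]
}

# One-line summary of the three parameters for a bug report or triage note.
kvm_intel_summary() {
    for p in unrestricted_guest emulate_invalid_guest_state ept; do
        printf '%s=%s ' "$p" "$(kvm_intel_param "$p" "$1" || true)"
    done
    if kvm_intel_emulates_invalid_state "$1"; then
        echo '(invalid guest state from userspace reaches the in-kernel emulator)'
    else
        echo '(not the combination that routes invalid guest state to the emulator)'
    fi
}
```

Run `kvm_intel_summary` with no argument on a host to see the live values. To put a test host into the combination Jim Mattson describes, reload the module with `modprobe -r kvm_intel && modprobe kvm_intel unrestricted_guest=0 emulate_invalid_guest_state=1` (all VMs must be stopped first); Wanpeng Li's `ept=0` is passed on the same modprobe line.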

Re: WARNING in x86_emulate_insn

2017-12-06 Thread 蓝天宇
Hi Dmitry:
 I tried to reproduce the issue via syz-execprog with attached
reproducer on latest linux-next but it causes VM-entry failure due to
invalid guest state...

2017-12-07 14:25 GMT+08:00 Dmitry Vyukov :
> On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li  wrote:
>> 2017-12-06 4:07 GMT+08:00 syzbot
>> :
>>> Hello,
>>>
>>> syzkaller hit the following crash on
>>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached
>>> Raw console output is attached.
>>>
>>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>>> for information about syzkaller reproducers
>>>
>>
>> Is there a c program to reproduce?
>
> No, syzbot does not hide reproducers. See the referenced doc for
> details: 
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers
>
>
>> Regards,
>> Wanpeng Li
>>
>>>
>>> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
>>> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
>>> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>> Kernel panic - not syncing: panic_on_warn set ...
>>>
>>> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+
>>> #57
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> Google 01/01/2011
>>> Call Trace:
>>>  __dump_stack lib/dump_stack.c:17 [inline]
>>>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>>>  panic+0x1e4/0x41c kernel/panic.c:183
>>>  __warn+0x1dc/0x200 kernel/panic.c:547
>>>  report_bug+0x211/0x2d0 lib/bug.c:184
>>>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>>>  fixup_bug arch/x86/kernel/traps.c:246 [inline]
>>>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>>>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>>>  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
>>> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
>>> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
>>> RDX:  RSI:  RDI: 8801d0b5b5c8
>>> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
>>> R10: 0001 R11: ed003a16b6d4 R12: 00ff
>>> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>>>  x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>>>  emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>>>  complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>>>  complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>>>  kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>>>  kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>>>  vfs_ioctl fs/ioctl.c:46 [inline]
>>>  do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>>>  SYSC_ioctl fs/ioctl.c:701 [inline]
>>>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>>>  entry_SYSCALL_64_fastpath+0x1f/0x96
>>> RIP: 0033:0x4529d9
>>> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
>>> RAX: ffda RBX: 00758020 RCX: 004529d9
>>> RDX:  RSI: ae80 RDI: 0004
>>> RBP: 039b R08:  R09: 
>>> R10:  R11: 0212 R12: 006f2728
>>> R13:  R14: 7f6b6b2d66d4 R15: 
>>> Dumping ftrace buffer:
>>>(ftrace buffer empty)
>>> Kernel Offset: disabled
>>> Rebooting in 86400 seconds..
>>>
>>>
>>> ---
>>> This bug is generated by a dumb bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for details.
>>> Direct all questions to syzkal...@googlegroups.com.
>>> Please credit me with: Reported-by: syzbot 
>>>
>>> syzbot will keep track of this bug report.
>>> Once a fix for this bug is committed, please reply to this email with:
>>> #syz fix: exact-commit-title
>>> If you want to test a patch for this bug, please reply with:
>>> #syz test: git://repo/address.git branch
>>> and provide the patch inline or as an attachment.
>>> To mark this as a duplicate of another syzbot report, please reply with:
>>> #syz dup: exact-subject-of-another-report
>>> If it's a one-off invalid bug report, please reply with:
>>> #syz invalid
>>> Note: if the crash happens again, it will cause creation of a new bug
>>> report.
>>> Note: all commands must start from beginning of the line in the email body.
>>
>> --
>> You received this message because you are subscribed to the Google Groups 
>> "syzkaller-bugs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to syzkaller-bugs+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/syzkaller-bugs/CANRm%2BCw6u-Tvq6M%2B8hFm9UmxyTWsqvrm5L9bzfoTAvEsaeC1-w%40mail.gmail.com.
>> For more options, visit https://groups.google.com/d/optout.



-- 
Best regards
Tianyu Lan


Re: WARNING in x86_emulate_insn

2017-12-06 Thread Dmitry Vyukov
On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li  wrote:
> 2017-12-06 4:07 GMT+08:00 syzbot
> :
>> Hello,
>>
>> syzkaller hit the following crash on
>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>>
>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>> for information about syzkaller reproducers
>>
>
> Is there a c program to reproduce?

No, syzbot does not hide reproducers. See the referenced doc for
details: 
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers


> Regards,
> Wanpeng Li
>
>>
>> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
>> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
>> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>> Kernel panic - not syncing: panic_on_warn set ...
>>
>> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+
>> #57
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:17 [inline]
>>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>>  panic+0x1e4/0x41c kernel/panic.c:183
>>  __warn+0x1dc/0x200 kernel/panic.c:547
>>  report_bug+0x211/0x2d0 lib/bug.c:184
>>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>>  fixup_bug arch/x86/kernel/traps.c:246 [inline]
>>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>>  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
>> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
>> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
>> RDX:  RSI:  RDI: 8801d0b5b5c8
>> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
>> R10: 0001 R11: ed003a16b6d4 R12: 00ff
>> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>>  x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>>  emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>>  complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>>  complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>>  kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>>  kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>>  vfs_ioctl fs/ioctl.c:46 [inline]
>>  do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>>  SYSC_ioctl fs/ioctl.c:701 [inline]
>>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>>  entry_SYSCALL_64_fastpath+0x1f/0x96
>> RIP: 0033:0x4529d9
>> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
>> RAX: ffda RBX: 00758020 RCX: 004529d9
>> RDX:  RSI: ae80 RDI: 0004
>> RBP: 039b R08:  R09: 
>> R10:  R11: 0212 R12: 006f2728
>> R13:  R14: 7f6b6b2d66d4 R15: 
>> Dumping ftrace buffer:
>>(ftrace buffer empty)
>> Kernel Offset: disabled
>> Rebooting in 86400 seconds..
>>
>>
>> ---
>> This bug is generated by a dumb bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for details.
>> Direct all questions to syzkal...@googlegroups.com.
>> Please credit me with: Reported-by: syzbot 
>>
>> syzbot will keep track of this bug report.
>> Once a fix for this bug is committed, please reply to this email with:
>> #syz fix: exact-commit-title
>> If you want to test a patch for this bug, please reply with:
>> #syz test: git://repo/address.git branch
>> and provide the patch inline or as an attachment.
>> To mark this as a duplicate of another syzbot report, please reply with:
>> #syz dup: exact-subject-of-another-report
>> If it's a one-off invalid bug report, please reply with:
>> #syz invalid
>> Note: if the crash happens again, it will cause creation of a new bug
>> report.
>> Note: all commands must start from beginning of the line in the email body.
>
> --
> You received this message because you are subscribed to the Google Groups 
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to syzkaller-bugs+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/syzkaller-bugs/CANRm%2BCw6u-Tvq6M%2B8hFm9UmxyTWsqvrm5L9bzfoTAvEsaeC1-w%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.


Re: WARNING in x86_emulate_insn

2017-12-06 Thread Wanpeng Li
2017-12-06 4:07 GMT+08:00 syzbot:
> Hello,
>
> syzkaller hit the following crash on
> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>

Is there a c program to reproduce?

Regards,
Wanpeng Li

>
> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+
> #57
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>  panic+0x1e4/0x41c kernel/panic.c:183
>  __warn+0x1dc/0x200 kernel/panic.c:547
>  report_bug+0x211/0x2d0 lib/bug.c:184
>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>  fixup_bug arch/x86/kernel/traps.c:246 [inline]
>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
> RDX:  RSI:  RDI: 8801d0b5b5c8
> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
> R10: 0001 R11: ed003a16b6d4 R12: 00ff
> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>  x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>  emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>  complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>  complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>  kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>  kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>  vfs_ioctl fs/ioctl.c:46 [inline]
>  do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>  SYSC_ioctl fs/ioctl.c:701 [inline]
>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>  entry_SYSCALL_64_fastpath+0x1f/0x96
> RIP: 0033:0x4529d9
> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
> RAX: ffda RBX: 00758020 RCX: 004529d9
> RDX:  RSI: ae80 RDI: 0004
> RBP: 039b R08:  R09: 
> R10:  R11: 0212 R12: 006f2728
> R13:  R14: 7f6b6b2d66d4 R15: 
> Dumping ftrace buffer:
>(ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkal...@googlegroups.com.
> Please credit me with: Reported-by: syzbot 
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> If you want to test a patch for this bug, please reply with:
> #syz test: git://repo/address.git branch
> and provide the patch inline or as an attachment.
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.
