Re: Re: WARNING in x86_emulate_insn
On 12/12/2017 06:45, Paolo Bonzini wrote:
> On 08/12/2017 09:28, Tianyu Lan wrote:
>> I find this is a pop instruction emulation issue. According to "SDM VOL2,
>> chapter INSTRUCTION
>> SET REFERENCE. POP—Pop a Value from the Stack"
>>
>> Protected Mode Exceptions
>> #GP(0) If attempt is made to load SS register with NULL segment selector.
>
> This is not what the testcase is testing; this is already covered by
> __load_segment_descriptor:
>
>     if (null_selector) {
>         if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
>             goto exception;
>
>         if (seg == VCPU_SREG_SS) {
>             if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
>                 goto exception;
>             ...
>         }

Yes, __load_segment_descriptor() does such a check. I find em_pop doesn't
load the SS segment. SS isn't loaded before calling em_pop in the test case.
Should this be fixed?

> Is there a path that can return X86EMUL_PROPAGATE_FAULT without setting
> ctxt->exception.vector and/or without going through emulate_exception?
>
> I don't think it's possible to write a test in kvm-unit-tests, because the
> state has "impossible" segment descriptor cache contents.

Sent out a fix patch for the issue. Please have a look. Thanks.
https://marc.info/?l=kvm=151306208214733=2

> Paolo
>
>> This test case hits it but the current code doesn't check this case.
>> The following patch can fix the issue.
>>
>> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
>> index abe74f7..e2ac5cc 100644
>> --- a/arch/x86/kvm/emulate.c
>> +++ b/arch/x86/kvm/emulate.c
>> @@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
>>  int rc;
>>  struct segmented_address addr;
>>
>> + if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
>> + return emulate_gp(ctxt, 0);
>> +
>>  addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
>>  addr.seg = VCPU_SREG_SS;
>>  rc = segmented_read(ctxt, addr, dest, len);

--
Best regards
Tianyu Lan
Re: WARNING in x86_emulate_insn
On 08/12/2017 09:28, Tianyu Lan wrote:
> I find this is a pop instruction emulation issue. According to "SDM VOL2,
> chapter INSTRUCTION
> SET REFERENCE. POP—Pop a Value from the Stack"
>
> Protected Mode Exceptions
> #GP(0) If attempt is made to load SS register with NULL segment selector.

This is not what the testcase is testing; this is already covered by
__load_segment_descriptor:

    if (null_selector) {
        if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
            goto exception;

        if (seg == VCPU_SREG_SS) {
            if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
                goto exception;
            ...
        }

Is there a path that can return X86EMUL_PROPAGATE_FAULT without setting
ctxt->exception.vector and/or without going through emulate_exception?

I don't think it's possible to write a test in kvm-unit-tests, because the
state has "impossible" segment descriptor cache contents.

Paolo

> This test case hits it but the current code doesn't check this case.
> The following patch can fix the issue.
>
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index abe74f7..e2ac5cc 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
>  int rc;
>  struct segmented_address addr;
>
> + if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
> + return emulate_gp(ctxt, 0);
> +
>  addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
>  addr.seg = VCPU_SREG_SS;
>  rc = segmented_read(ctxt, addr, dest, len);
Re: Re: WARNING in x86_emulate_insn
On 12/8/2017 5:27 PM, Wanpeng Li wrote:
> 2017-12-08 16:28 GMT+08:00 Tianyu Lan:
>> Hi Jim:
>> Thanks for your help.
>>
>> 2017-12-08 5:25 GMT+08:00 Jim Mattson:
>>> Try disabling the module parameter, "unrestricted_guest." Make sure
>>> that the module parameter, "emulate_invalid_guest_state" is enabled.
>>> This combination allows userspace to feed invalid guest state into the
>>> in-kernel emulator.
>>
>> Yes, you are right. I need to disable unrestricted_guest to reproduce the
>> issue.
>
> I can observe ctxt->exception.vector == 0xff which triggers Dmitry's report.
> Did you figure out the reason?

Yes, this is caused by an emulation callback returning an error code while
not emulating an exception and not setting the exception vector.
ctxt->exception.vector defaults to 0xff in the emulate instruction code path.
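The two rules this thread turns on, as a constructed C model that is not KVM code: the null-selector branch Paolo quotes from __load_segment_descriptor() (a null SS is accepted only in 64-bit mode with RPL == CPL), and the invariant behind the WARN at emulate.c:5654, namely that a callback returning X86EMUL_PROPAGATE_FAULT must have recorded a vector, which the 0xff default described above does not satisfy. The struct layouts, enum values and return-code numbers are assumptions of the model, only the names follow the kernel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Names follow arch/x86/kvm/emulate.c; the numeric values, struct layouts
 * and enums are assumptions of this model, not KVM's definitions. */
#define X86EMUL_CONTINUE        0
#define X86EMUL_PROPAGATE_FAULT 2
#define GP_VECTOR               13
#define NO_VECTOR               0xff   /* "no exception recorded" default */

enum emu_mode { MODE_PROT32, MODE_PROT64 };
enum emu_seg  { SREG_CS, SREG_SS, SREG_DS, SREG_TR, SREG_COUNT };

struct x86_exception { uint8_t vector; uint16_t error_code; };

struct emu_ctxt {
    enum emu_mode        mode;
    uint16_t             selector[SREG_COUNT];  /* cached segment selectors */
    struct x86_exception exception;
};

static void ctxt_init(struct emu_ctxt *ctxt, enum emu_mode mode)
{
    *ctxt = (struct emu_ctxt){ .mode = mode };
    ctxt->exception.vector = NO_VECTOR;   /* the 0xff the thread talks about */
}

/* Model of emulate_exception(): record which fault to inject, then report it. */
static int emulate_exception(struct emu_ctxt *ctxt, uint8_t vec, uint16_t err)
{
    ctxt->exception.vector = vec;
    ctxt->exception.error_code = err;
    return X86EMUL_PROPAGATE_FAULT;
}

static int emulate_gp(struct emu_ctxt *ctxt, uint16_t err)
{
    return emulate_exception(ctxt, GP_VECTOR, err);
}

/* The null-selector branch of __load_segment_descriptor() as quoted in the
 * thread: CS and TR may never be null; SS may be null only in 64-bit mode
 * and only when the selector's RPL equals the current CPL. */
static int load_null_selector(struct emu_ctxt *ctxt, enum emu_seg seg,
                              int rpl, int cpl)
{
    if (seg == SREG_CS || seg == SREG_TR)
        return emulate_gp(ctxt, 0);
    if (seg == SREG_SS && (ctxt->mode != MODE_PROT64 || rpl != cpl))
        return emulate_gp(ctxt, 0);
    ctxt->selector[seg] = 0;              /* null selector accepted */
    return X86EMUL_CONTINUE;
}

/* The invariant behind the WARN in x86_emulate_insn(): a fault result must
 * name the exception to inject, otherwise the caller has nothing to deliver. */
static bool emulation_result_ok(const struct emu_ctxt *ctxt, int rc)
{
    return !(rc == X86EMUL_PROPAGATE_FAULT &&
             ctxt->exception.vector == NO_VECTOR);
}

/* A callback that breaks the contract: fault reported, no vector recorded. */
static int fault_without_vector(struct emu_ctxt *ctxt)
{
    (void)ctxt;
    return X86EMUL_PROPAGATE_FAULT;
}

/* The same fault routed through emulate_gp(), which keeps the contract. */
static int fault_with_vector(struct emu_ctxt *ctxt)
{
    return emulate_gp(ctxt, 0);
}

static int try_null_load(enum emu_mode mode, enum emu_seg seg, int rpl, int cpl)
{
    struct emu_ctxt ctxt;
    ctxt_init(&ctxt, mode);
    return load_null_selector(&ctxt, seg, rpl, cpl);
}

static bool run_callback(int (*cb)(struct emu_ctxt *), enum emu_mode mode)
{
    struct emu_ctxt ctxt;
    ctxt_init(&ctxt, mode);
    return emulation_result_ok(&ctxt, cb(&ctxt));
}

int main(void)
{
    printf("null SS load: 64-bit RPL==CPL rc=%d, 32-bit rc=%d (0 ok, 2 #GP)\n",
           try_null_load(MODE_PROT64, SREG_SS, 0, 0),
           try_null_load(MODE_PROT32, SREG_SS, 0, 0));
    printf("well-formed fault: without vector=%d, via emulate_gp=%d\n",
           run_callback(fault_without_vector, MODE_PROT32),
           run_callback(fault_with_vector, MODE_PROT32));
    return 0;
}
```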
Re: WARNING in x86_emulate_insn
2017-12-08 16:28 GMT+08:00 Tianyu Lan:
> Hi Jim:
> Thanks for your help.
>
> 2017-12-08 5:25 GMT+08:00 Jim Mattson:
>> Try disabling the module parameter, "unrestricted_guest." Make sure
>> that the module parameter, "emulate_invalid_guest_state" is enabled.
>> This combination allows userspace to feed invalid guest state into the
>> in-kernel emulator.
>
> Yes, you are right. I need to disable unrestricted_guest to reproduce the
> issue.

I can observe ctxt->exception.vector == 0xff which triggers Dmitry's report.
Did you figure out the reason?

Regards,
Wanpeng Li

>
> I find this is a pop instruction emulation issue. According to "SDM VOL2,
> chapter INSTRUCTION
> SET REFERENCE. POP—Pop a Value from the Stack"
>
> Protected Mode Exceptions
> #GP(0) If attempt is made to load SS register with NULL segment selector.
>
> This test case hits it but the current code doesn't check this case.
> The following patch can fix the issue.
>
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index abe74f7..e2ac5cc 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
>  int rc;
>  struct segmented_address addr;
>
> + if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
> + return emulate_gp(ctxt, 0);
> +
>  addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
>  addr.seg = VCPU_SREG_SS;
>  rc = segmented_read(ctxt, addr, dest, len);
Re: WARNING in x86_emulate_insn
2017-12-08 16:44 GMT+08:00 Ingo Molnar:
>
> * Tianyu Lan wrote:
>
>> Hi Jim:
>> Thanks for your help.
>>
>> 2017-12-08 5:25 GMT+08:00 Jim Mattson:
>> > Try disabling the module parameter, "unrestricted_guest." Make sure
>> > that the module parameter, "emulate_invalid_guest_state" is enabled.
>> > This combination allows userspace to feed invalid guest state into the
>> > in-kernel emulator.
>>
>> Yes, you are right. I need to disable unrestricted_guest to reproduce the
>> issue.
>>
>> I find this is a pop instruction emulation issue. According to "SDM VOL2,
>> chapter INSTRUCTION
>> SET REFERENCE. POP—Pop a Value from the Stack"
>>
>> Protected Mode Exceptions
>> #GP(0) If attempt is made to load SS register with NULL segment selector.
>>
>> This test case hits it but the current code doesn't check this case.
>> The following patch can fix the issue.
>>
>> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
>> index abe74f7..e2ac5cc 100644
>> --- a/arch/x86/kvm/emulate.c
>> +++ b/arch/x86/kvm/emulate.c
>> @@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
>>  int rc;
>>  struct segmented_address addr;
>>
>> + if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
>> + return emulate_gp(ctxt, 0);
>> +
>>  addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
>>  addr.seg = VCPU_SREG_SS;
>>  rc = segmented_read(ctxt, addr, dest, len);
>
> s/if ( !get_segment_selector
>  /if (!get_segment_selector

Sorry. I mixed Xen and kernel code style...

>
> I think it would also be nice to convert the syzkaller testcase to a new KVM
> unit
> test:

Sure. I will add it.

>
>   git://git.kernel.org/pub/scm/virt/kvm/kvm-unit-tests.git
>
> There's a test_pop() function in kvm-unit-tests/x86/emulator.c.
>
> Thanks,
>
> 	Ingo

--
Best regards
Tianyu Lan
Re: WARNING in x86_emulate_insn
* Tianyu Lan wrote:

> Hi Jim:
> Thanks for your help.
>
> 2017-12-08 5:25 GMT+08:00 Jim Mattson:
> > Try disabling the module parameter, "unrestricted_guest." Make sure
> > that the module parameter, "emulate_invalid_guest_state" is enabled.
> > This combination allows userspace to feed invalid guest state into the
> > in-kernel emulator.
>
> Yes, you are right. I need to disable unrestricted_guest to reproduce the
> issue.
>
> I find this is a pop instruction emulation issue. According to "SDM VOL2,
> chapter INSTRUCTION
> SET REFERENCE. POP—Pop a Value from the Stack"
>
> Protected Mode Exceptions
> #GP(0) If attempt is made to load SS register with NULL segment selector.
>
> This test case hits it but the current code doesn't check this case.
> The following patch can fix the issue.
>
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index abe74f7..e2ac5cc 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
>  int rc;
>  struct segmented_address addr;
>
> + if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
> + return emulate_gp(ctxt, 0);
> +
>  addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
>  addr.seg = VCPU_SREG_SS;
>  rc = segmented_read(ctxt, addr, dest, len);

s/if ( !get_segment_selector
 /if (!get_segment_selector

I think it would also be nice to convert the syzkaller testcase to a new KVM
unit test:

  git://git.kernel.org/pub/scm/virt/kvm/kvm-unit-tests.git

There's a test_pop() function in kvm-unit-tests/x86/emulator.c.

Thanks,

	Ingo
Re: WARNING in x86_emulate_insn
Hi Jim:
Thanks for your help.

2017-12-08 5:25 GMT+08:00 Jim Mattson:
> Try disabling the module parameter, "unrestricted_guest." Make sure
> that the module parameter, "emulate_invalid_guest_state" is enabled.
> This combination allows userspace to feed invalid guest state into the
> in-kernel emulator.

Yes, you are right. I need to disable unrestricted_guest to reproduce the
issue.

I find this is a pop instruction emulation issue. According to "SDM VOL2,
chapter INSTRUCTION
SET REFERENCE. POP—Pop a Value from the Stack"

Protected Mode Exceptions
#GP(0) If attempt is made to load SS register with NULL segment selector.

This test case hits it but the current code doesn't check this case.
The following patch can fix the issue.

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index abe74f7..e2ac5cc 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
 int rc;
 struct segmented_address addr;

+ if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
+ return emulate_gp(ctxt, 0);
+
 addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
 addr.seg = VCPU_SREG_SS;
 rc = segmented_read(ctxt, addr, dest, len);
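Review bot: the added check at the top of emulate_pop() (`+ if ( !get_segment_selector(ctxt, VCPU_SREG_SS))`) raises #GP(0) for any null SS selector regardless of mode, but a null SS is architecturally legal in 64-bit mode when RPL == CPL, which is exactly the case the existing __load_segment_descriptor() check lets through (`if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl) goto exception;` is only reached for SS); as written the hunk would inject a spurious fault into valid 64-bit guests on every stack pop. Since the load-time check already rejects a null SS where the SDM forbids it, the thing to establish first is which path returns X86EMUL_PROPAGATE_FAULT while ctxt->exception.vector is still at its 0xff default, and fix that path; if a check in emulate_pop() is still wanted, it should at least be limited to `ctxt->mode != X86EMUL_MODE_PROT64`. Style nit on the same line: `if ( !get_segment_selector` should be `if (!get_segment_selector` per kernel coding style.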
Re: WARNING in x86_emulate_insn
2017-12-08 11:22 GMT+08:00 syzbot:
> syzkaller has found reproducer for the following crash on
> 968edbd93c0cbb40ab48aca972392d377713a0c3
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>

I will have a look.

Regards,
Wanpeng Li

>
> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
> WARNING: CPU: 0 PID: 3153 at arch/x86/kvm/emulate.c:5654
> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 3153 Comm: syzkaller990902 Not tainted 4.15.0-rc2+ #212
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>  panic+0x1e4/0x41c kernel/panic.c:183
>  __warn+0x1dc/0x200 kernel/panic.c:547
>  report_bug+0x211/0x2d0 lib/bug.c:184
>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>  fixup_bug arch/x86/kernel/traps.c:246 [inline]
>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>  invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:930
> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
> RSP: 0018:8801c56f7300 EFLAGS: 00010293
> RAX: 8801c62d2080 RBX: 110038adee69 RCX: 81154231
> RDX: RSI: RDI: 8801c55da888
> RBP: 8801c56f7410 R08: 8801c55d8040 R09: 85224dc0
> R10: 0002 R11: ed0038abb551 R12: 00ff
> R13: 8801c55da860 R14: 0002 R15: 8801c55da983
>  x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5769
>  emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>  handle_invalid_guest_state arch/x86/kvm/vmx.c:6606 [inline]
>  vmx_handle_exit+0x6e3/0x1ce0 arch/x86/kvm/vmx.c:8826
>  vcpu_enter_guest arch/x86/kvm/x86.c:7082 [inline]
>  vcpu_run arch/x86/kvm/x86.c:7144 [inline]
>  kvm_arch_vcpu_ioctl_run+0x1cb4/0x5c60 arch/x86/kvm/x86.c:7312
>  kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>  vfs_ioctl fs/ioctl.c:46 [inline]
>  do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>  SYSC_ioctl fs/ioctl.c:701 [inline]
>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>  entry_SYSCALL_64_fastpath+0x1f/0x96
> RIP: 0033:0x4402e9
> RSP: 002b:7ffde2bdf2c8 EFLAGS: 0217 ORIG_RAX: 0010
> RAX: ffda RBX: RCX: 004402e9
> RDX: RSI: ae80 RDI: 0005
> RBP: 006ca018 R08: R09:
> R10: R11: 0217 R12: 00401c50
> R13: 00401ce0 R14: R15:
>
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
Re: WARNING in x86_emulate_insn
Try disabling the module parameter, "unrestricted_guest." Make sure
that the module parameter, "emulate_invalid_guest_state" is enabled.
This combination allows userspace to feed invalid guest state into the
in-kernel emulator.

On Thu, Dec 7, 2017 at 2:40 AM, Wanpeng Li wrote:
> 2017-12-07 15:52 GMT+08:00 Wanpeng Li:
>> 2017-12-07 15:49 GMT+08:00 蓝天宇:
>>> Hi Dmitry:
>>> I tried to reproduce the issue via syz-execprog with attached
>>> reproducer on latest linux-next but it causes VM-entry failure due to
>>> invalid guest state...
>>
>> Because rflags is 0 in his program. You can set ept=0 and retry.
>
> In addition, you can apply this commit
> https://lkml.org/lkml/2017/12/7/144 before testing.
>
>>
>> Regards,
>> Wanpeng Li
>>
>>>
>>> 2017-12-07 14:25 GMT+08:00 Dmitry Vyukov:
>>>> On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li wrote:
>>>>> 2017-12-06 4:07 GMT+08:00 syzbot:
>>>>>> Hello,
>>>>>>
>>>>>> syzkaller hit the following crash on
>>>>>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>>>>>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>>>>>> compiler: gcc (GCC) 7.1.1 20170620
>>>>>> .config is attached
>>>>>> Raw console output is attached.
>>>>>>
>>>>>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>>>>>> for information about syzkaller reproducers
>>>>>>
>>>>>
>>>>> Is there a C program to reproduce?
>>>>
>>>> No, syzbot does not hide reproducers. See the referenced doc for
>>>> details:
>>>> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers
>>>>
>>>>> Regards,
>>>>> Wanpeng Li
>>>>>
>>>>>>
>>>>>> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
>>>>>> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
>>>>>> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>>>> Kernel panic - not syncing: panic_on_warn set ...
>>>>>>
>>>>>> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted
>>>>>> 4.15.0-rc1-next-20171201+
>>>>>> #57
>>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>>>>> Google 01/01/2011
>>>>>> Call Trace:
>>>>>>  __dump_stack lib/dump_stack.c:17 [inline]
>>>>>>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>>>>>>  panic+0x1e4/0x41c kernel/panic.c:183
>>>>>>  __warn+0x1dc/0x200 kernel/panic.c:547
>>>>>>  report_bug+0x211/0x2d0 lib/bug.c:184
>>>>>>  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>>>>>>  fixup_bug arch/x86/kernel/traps.c:246 [inline]
>>>>>>  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>>>>>>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>>>>>>  invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
>>>>>> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>>>> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
>>>>>> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
>>>>>> RDX: RSI: RDI: 8801d0b5b5c8
>>>>>> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
>>>>>> R10: 0001 R11: ed003a16b6d4 R12: 00ff
>>>>>> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>>>>>>  x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>>>>>>  emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>>>>>>  complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>>>>>>  complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>>>>>>  kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>>>>>>  kvm_vcpu_ioctl+0x64c/0x1010
>>>>>> arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>>>>>>  vfs_ioctl fs/ioctl.c:46 [inline]
>>>>>>  do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>>>>>>  SYSC_ioctl fs/ioctl.c:701 [inline]
>>>>>>  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>>>>>>  entry_SYSCALL_64_fastpath+0x1f/0x96
>>>>>> RIP: 0033:0x4529d9
>>>>>> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
>>>>>> RAX: ffda RBX: 00758020 RCX: 004529d9
>>>>>> RDX: RSI: ae80 RDI: 0004
>>>>>> RBP: 039b R08: R09:
>>>>>> R10: R11: 0212 R12: 006f2728
>>>>>> R13: R14: 7f6b6b2d66d4 R15:
>>>>>> Dumping ftrace buffer:
>>>>>>    (ftrace buffer empty)
>>>>>> Kernel Offset: disabled
>>>>>> Rebooting in 86400 seconds..
>>>>>>
>>>>>>
>>>>>> ---
>>>>>> This bug is generated by a dumb bot. It may contain errors.
>>>>>> See https://goo.gl/tpsmEJ for details.
>>>>>> Direct all questions to syzkal...@googlegroups.com.
>>>>>> Please credit me with: Reported-by: syzbot
>>>>>>
>>>>>> syzbot will keep track of this bug report.
>>>>>> Once a fix for this bug is committed, please reply to this email with:
>>>>>> #syz fix:
Re: WARNING in x86_emulate_insn
2017-12-07 15:52 GMT+08:00 Wanpeng Li:
> 2017-12-07 15:49 GMT+08:00 蓝天宇:
>> Hi Dmitry:
>> I tried to reproduce the issue via syz-execprog with attached
>> reproducer on latest linux-next but it causes VM-entry failure due to
>> invalid guest state...
>
> Because rflags is 0 in his program. You can set ept=0 and retry.

In addition, you can apply this commit
https://lkml.org/lkml/2017/12/7/144 before testing.

>
> Regards,
> Wanpeng Li
>
>>
>> 2017-12-07 14:25 GMT+08:00 Dmitry Vyukov:
>>> On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li wrote:
>>>> 2017-12-06 4:07 GMT+08:00 syzbot:
>>>>> Hello,
>>>>>
>>>>> syzkaller hit the following crash on
>>>>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>>>>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>>>>> compiler: gcc (GCC) 7.1.1 20170620
>>>>> .config is attached
>>>>> Raw console output is attached.
>>>>>
>>>>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>>>>> for information about syzkaller reproducers
>>>>>
>>>>
>>>> Is there a c program to reproduce?
>>>
>>> No, syzbot does not hide reproducers. See the referenced doc for
>>> details:
>>> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers
>>>
>>>> Regards,
>>>> Wanpeng Li
>>>>
>>>>>
>>>>> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
>>>>> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
>>>>> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>>> Kernel panic - not syncing: panic_on_warn set ...
>>>>>
>>>>> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+
>>>>> #57
>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>>>> Google 01/01/2011
>>>>> Call Trace:
>>>>> __dump_stack lib/dump_stack.c:17 [inline]
>>>>> dump_stack+0x194/0x257 lib/dump_stack.c:53
>>>>> panic+0x1e4/0x41c kernel/panic.c:183
>>>>> __warn+0x1dc/0x200 kernel/panic.c:547
>>>>> report_bug+0x211/0x2d0 lib/bug.c:184
>>>>> fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>>>>> fixup_bug arch/x86/kernel/traps.c:246 [inline]
>>>>> do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>>>>> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>>>>> invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
>>>>> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>>> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
>>>>> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
>>>>> RDX: RSI: RDI: 8801d0b5b5c8
>>>>> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
>>>>> R10: 0001 R11: ed003a16b6d4 R12: 00ff
>>>>> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>>>>> x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>>>>> emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>>>>> complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>>>>> complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>>>>> kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>>>>> kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>>>>> vfs_ioctl fs/ioctl.c:46 [inline]
>>>>> do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>>>>> SYSC_ioctl fs/ioctl.c:701 [inline]
>>>>> SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>>>>> entry_SYSCALL_64_fastpath+0x1f/0x96
>>>>> RIP: 0033:0x4529d9
>>>>> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
>>>>> RAX: ffda RBX: 00758020 RCX: 004529d9
>>>>> RDX: RSI: ae80 RDI: 0004
>>>>> RBP: 039b R08: R09:
>>>>> R10: R11: 0212 R12: 006f2728
>>>>> R13: R14: 7f6b6b2d66d4 R15:
>>>>> Dumping ftrace buffer:
>>>>>    (ftrace buffer empty)
>>>>> Kernel Offset: disabled
>>>>> Rebooting in 86400 seconds..
>>>>>
>>>>>
>>>>> ---
>>>>> This bug is generated by a dumb bot. It may contain errors.
>>>>> See https://goo.gl/tpsmEJ for details.
>>>>> Direct all questions to syzkal...@googlegroups.com.
>>>>> Please credit me with: Reported-by: syzbot
>>>>>
>>>>> syzbot will keep track of this bug report.
>>>>> Once a fix for this bug is committed, please reply to this email with:
>>>>> #syz fix: exact-commit-title
>>>>> If you want to test a patch for this bug, please reply with:
>>>>> #syz test: git://repo/address.git branch
>>>>> and provide the patch inline or as an attachment.
>>>>> To mark this as a duplicate of another syzbot report, please reply with:
>>>>> #syz dup: exact-subject-of-another-report
>>>>> If it's a one-off invalid bug report, please reply with:
>>>>> #syz invalid
>>>>> Note: if the crash happens again, it will cause creation of a new bug
>>>>> report.
>>>>> Note: all commands must start from beginning of the line in the email
>>>>> body.
>>>>
>>>> --
>>>> You received this
Re: WARNING in x86_emulate_insn
2017-12-07 15:49 GMT+08:00 蓝天宇:
> Hi Dmitry:
> I tried to reproduce the issue via syz-execprog with attached
> reproducer on latest linux-next but it causes VM-entry failure due to
> invalid guest state...

Because rflags is 0 in his program. You can set ept=0 and retry.

Regards,
Wanpeng Li

>
> 2017-12-07 14:25 GMT+08:00 Dmitry Vyukov:
>> On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li wrote:
>>> 2017-12-06 4:07 GMT+08:00 syzbot:
>>>> Hello,
>>>>
>>>> syzkaller hit the following crash on
>>>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>>>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>>>> compiler: gcc (GCC) 7.1.1 20170620
>>>> .config is attached
>>>> Raw console output is attached.
>>>>
>>>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>>>> for information about syzkaller reproducers
>>>>
>>>
>>> Is there a c program to reproduce?
>>
>> No, syzbot does not hide reproducers. See the referenced doc for
>> details:
>> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers
>>
>>
>>> Regards,
>>> Wanpeng Li
>>>
>>>>
>>>> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
>>>> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
>>>> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>> Kernel panic - not syncing: panic_on_warn set ...
>>>>
>>>> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+
>>>> #57
>>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>>> Google 01/01/2011
>>>> Call Trace:
>>>> __dump_stack lib/dump_stack.c:17 [inline]
>>>> dump_stack+0x194/0x257 lib/dump_stack.c:53
>>>> panic+0x1e4/0x41c kernel/panic.c:183
>>>> __warn+0x1dc/0x200 kernel/panic.c:547
>>>> report_bug+0x211/0x2d0 lib/bug.c:184
>>>> fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>>>> fixup_bug arch/x86/kernel/traps.c:246 [inline]
>>>> do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>>>> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>>>> invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
>>>> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>>> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
>>>> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
>>>> RDX: RSI: RDI: 8801d0b5b5c8
>>>> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
>>>> R10: 0001 R11: ed003a16b6d4 R12: 00ff
>>>> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>>>> x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>>>> emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>>>> complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>>>> complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>>>> kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>>>> kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>>>> vfs_ioctl fs/ioctl.c:46 [inline]
>>>> do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>>>> SYSC_ioctl fs/ioctl.c:701 [inline]
>>>> SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>>>> entry_SYSCALL_64_fastpath+0x1f/0x96
>>>> RIP: 0033:0x4529d9
>>>> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
>>>> RAX: ffda RBX: 00758020 RCX: 004529d9
>>>> RDX: RSI: ae80 RDI: 0004
>>>> RBP: 039b R08: R09:
>>>> R10: R11: 0212 R12: 006f2728
>>>> R13: R14: 7f6b6b2d66d4 R15:
>>>> Dumping ftrace buffer:
>>>>    (ftrace buffer empty)
>>>> Kernel Offset: disabled
>>>> Rebooting in 86400 seconds..
>>>>
>>>>
>>>> ---
>>>> This bug is generated by a dumb bot. It may contain errors.
>>>> See https://goo.gl/tpsmEJ for details.
>>>> Direct all questions to syzkal...@googlegroups.com.
>>>> Please credit me with: Reported-by: syzbot
>>>>
>>>> syzbot will keep track of this bug report.
>>>> Once a fix for this bug is committed, please reply to this email with:
>>>> #syz fix: exact-commit-title
>>>> If you want to test a patch for this bug, please reply with:
>>>> #syz test: git://repo/address.git branch
>>>> and provide the patch inline or as an attachment.
>>>> To mark this as a duplicate of another syzbot report, please reply with:
>>>> #syz dup: exact-subject-of-another-report
>>>> If it's a one-off invalid bug report, please reply with:
>>>> #syz invalid
>>>> Note: if the crash happens again, it will cause creation of a new bug
>>>> report.
>>>> Note: all commands must start from beginning of the line in the email body.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "syzkaller-bugs" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to syzkaller-bugs+unsubscr...@googlegroups.com.
>>> To view this discussion on the web visit
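Added example, not code from this thread: a small POSIX sh helper that checks whether the loaded kvm_intel module is running with the settings the thread asks for before the reproducer is tried, combining the module-parameter advice from the first reply above (unrestricted_guest disabled, emulate_invalid_guest_state enabled) with the ept=0 suggestion in this message. The sysfs path /sys/module/kvm_intel/parameters, the Y/N spelling of bool parameters and the modprobe reload line are assumptions from the standard kernel layout, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: verify that kvm_intel is loaded with
# the settings discussed for reproducing the syzbot report.
#
# Wanted values (as discussed in the thread):
#   unrestricted_guest=0           force guest state through the emulator
#   emulate_invalid_guest_state=1  emulate instead of failing VM entry
#   ept=0                          Wanpeng Li's suggestion for rflags=0
#
# Assumption: bool module parameters are exposed under
# /sys/module/kvm_intel/parameters as "Y"/"N" (standard sysfs layout).

WANTED="unrestricted_guest=0 emulate_invalid_guest_state=1 ept=0"

# Print the raw sysfs value of a parameter, or "absent" if the file is
# missing (module not loaded, or parameter unknown to this kernel).
# $1 = parameters directory, $2 = parameter name
read_param() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo absent
    fi
}

# Map the sysfs spellings of a bool parameter onto 0/1; anything else is
# passed through so a mismatch message still shows what was found.
norm_bool() {
    case "$1" in
        Y|y|1) echo 1 ;;
        N|n|0) echo 0 ;;
        *)     echo "$1" ;;
    esac
}

# Compare every wanted parameter with what sysfs reports.
# $1 = parameters directory (defaults to the live kvm_intel one).
# Prints one status line per parameter; the return value is the number of
# parameters that differ from the wanted setting (0 = ready to test).
check_kvm_intel_params() {
    dir="${1:-/sys/module/kvm_intel/parameters}"
    mismatches=0
    for spec in $WANTED; do
        name="${spec%%=*}"
        want="${spec#*=}"
        have="$(norm_bool "$(read_param "$dir" "$name")")"
        if [ "$have" = "$want" ]; then
            echo "ok       $name=$have"
        else
            echo "MISMATCH $name=$have (want $want)"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Print the commands that reload the module with the wanted values; all
# three are read-only at runtime, so a module reload is required.
reload_commands() {
    echo "modprobe -r kvm_intel"
    echo "modprobe kvm_intel $WANTED"
}

# Stand-alone use: "sh check_kvm_intel.sh --live" reports the live state
# and, on any mismatch, the reload commands.
if [ "${1:-}" = "--live" ]; then
    if check_kvm_intel_params; then
        echo "kvm_intel parameters match the reproduction setup"
    else
        echo "reload kvm_intel with:"
        reload_commands
    fi
fi
```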
Re: WARNING in x86_emulate_insn
Hi Dmitry:
I tried to reproduce the issue via syz-execprog with attached reproducer on latest linux-next but it causes VM-entry failure due to invalid guest state...

2017-12-07 14:25 GMT+08:00 Dmitry Vyukov:
> On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li wrote:
>> 2017-12-06 4:07 GMT+08:00 syzbot:
>>> Hello,
>>>
>>> syzkaller hit the following crash on
>>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached
>>> Raw console output is attached.
>>>
>>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>>> for information about syzkaller reproducers
>>>
>>
>> Is there a c program to reproduce?
>
> No, syzbot does not hide reproducers. See the referenced doc for
> details:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers
>
>
>> Regards,
>> Wanpeng Li
>>
>>>
>>> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
>>> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
>>> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>> Kernel panic - not syncing: panic_on_warn set ...
>>>
>>> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+
>>> #57
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> Google 01/01/2011
>>> Call Trace:
>>> __dump_stack lib/dump_stack.c:17 [inline]
>>> dump_stack+0x194/0x257 lib/dump_stack.c:53
>>> panic+0x1e4/0x41c kernel/panic.c:183
>>> __warn+0x1dc/0x200 kernel/panic.c:547
>>> report_bug+0x211/0x2d0 lib/bug.c:184
>>> fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>>> fixup_bug arch/x86/kernel/traps.c:246 [inline]
>>> do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>>> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>>> invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
>>> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>>> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
>>> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
>>> RDX: RSI: RDI: 8801d0b5b5c8
>>> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
>>> R10: 0001 R11: ed003a16b6d4 R12: 00ff
>>> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>>> x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>>> emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>>> complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>>> complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>>> kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>>> kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>>> vfs_ioctl fs/ioctl.c:46 [inline]
>>> do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>>> SYSC_ioctl fs/ioctl.c:701 [inline]
>>> SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>>> entry_SYSCALL_64_fastpath+0x1f/0x96
>>> RIP: 0033:0x4529d9
>>> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
>>> RAX: ffda RBX: 00758020 RCX: 004529d9
>>> RDX: RSI: ae80 RDI: 0004
>>> RBP: 039b R08: R09:
>>> R10: R11: 0212 R12: 006f2728
>>> R13: R14: 7f6b6b2d66d4 R15:
>>> Dumping ftrace buffer:
>>>    (ftrace buffer empty)
>>> Kernel Offset: disabled
>>> Rebooting in 86400 seconds..
>>>
>>>
>>> ---
>>> This bug is generated by a dumb bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for details.
>>> Direct all questions to syzkal...@googlegroups.com.
>>> Please credit me with: Reported-by: syzbot
>>>
>>> syzbot will keep track of this bug report.
>>> Once a fix for this bug is committed, please reply to this email with:
>>> #syz fix: exact-commit-title
>>> If you want to test a patch for this bug, please reply with:
>>> #syz test: git://repo/address.git branch
>>> and provide the patch inline or as an attachment.
>>> To mark this as a duplicate of another syzbot report, please reply with:
>>> #syz dup: exact-subject-of-another-report
>>> If it's a one-off invalid bug report, please reply with:
>>> #syz invalid
>>> Note: if the crash happens again, it will cause creation of a new bug
>>> report.
>>> Note: all commands must start from beginning of the line in the email body.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "syzkaller-bugs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to syzkaller-bugs+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/syzkaller-bugs/CANRm%2BCw6u-Tvq6M%2B8hFm9UmxyTWsqvrm5L9bzfoTAvEsaeC1-w%40mail.gmail.com.
>> For more options, visit https://groups.google.com/d/optout.

--
Best regards
Tianyu Lan
Re: WARNING in x86_emulate_insn
On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li wrote:
> 2017-12-06 4:07 GMT+08:00 syzbot:
>> Hello,
>>
>> syzkaller hit the following crash on
>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>>
>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>> for information about syzkaller reproducers
>>
>
> Is there a c program to reproduce?

No, syzbot does not hide reproducers. See the referenced doc for details:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers

> Regards,
> Wanpeng Li
>
>>
>> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
>> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
>> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>> Kernel panic - not syncing: panic_on_warn set ...
>>
>> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+
>> #57
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>> __dump_stack lib/dump_stack.c:17 [inline]
>> dump_stack+0x194/0x257 lib/dump_stack.c:53
>> panic+0x1e4/0x41c kernel/panic.c:183
>> __warn+0x1dc/0x200 kernel/panic.c:547
>> report_bug+0x211/0x2d0 lib/bug.c:184
>> fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
>> fixup_bug arch/x86/kernel/traps.c:246 [inline]
>> do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
>> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
>> invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
>> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
>> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
>> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
>> RDX: RSI: RDI: 8801d0b5b5c8
>> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
>> R10: 0001 R11: ed003a16b6d4 R12: 00ff
>> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
>> x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
>> emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
>> complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
>> complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
>> kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
>> kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
>> vfs_ioctl fs/ioctl.c:46 [inline]
>> do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
>> SYSC_ioctl fs/ioctl.c:701 [inline]
>> SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>> entry_SYSCALL_64_fastpath+0x1f/0x96
>> RIP: 0033:0x4529d9
>> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
>> RAX: ffda RBX: 00758020 RCX: 004529d9
>> RDX: RSI: ae80 RDI: 0004
>> RBP: 039b R08: R09:
>> R10: R11: 0212 R12: 006f2728
>> R13: R14: 7f6b6b2d66d4 R15:
>> Dumping ftrace buffer:
>> (ftrace buffer empty)
>> Kernel Offset: disabled
>> Rebooting in 86400 seconds..
>>
>>
>> ---
>> This bug is generated by a dumb bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for details.
>> Direct all questions to syzkal...@googlegroups.com.
>> Please credit me with: Reported-by: syzbot
>>
>> syzbot will keep track of this bug report.
>> Once a fix for this bug is committed, please reply to this email with:
>> #syz fix: exact-commit-title
>> If you want to test a patch for this bug, please reply with:
>> #syz test: git://repo/address.git branch
>> and provide the patch inline or as an attachment.
>> To mark this as a duplicate of another syzbot report, please reply with:
>> #syz dup: exact-subject-of-another-report
>> If it's a one-off invalid bug report, please reply with:
>> #syz invalid
>> Note: if the crash happens again, it will cause creation of a new bug
>> report.
>> Note: all commands must start from beginning of the line in the email body.
Re: WARNING in x86_emulate_insn
2017-12-06 4:07 GMT+08:00 syzbot:
> Hello,
>
> syzkaller hit the following crash on
> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>

Is there a c program to reproduce?

Regards,
Wanpeng Li

>
> kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
> WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654
> x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+
> #57
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> panic+0x1e4/0x41c kernel/panic.c:183
> __warn+0x1dc/0x200 kernel/panic.c:547
> report_bug+0x211/0x2d0 lib/bug.c:184
> fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
> fixup_bug arch/x86/kernel/traps.c:246 [inline]
> do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
> invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
> RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
> RSP: 0018:8801d0fff3e8 EFLAGS: 00010293
> RAX: 8801d17b60c0 RBX: 11003a1ffe86 RCX: 81154351
> RDX: RSI: RDI: 8801d0b5b5c8
> RBP: 8801d0fff4f8 R08: 8801d0b58d80 R09: 85224da0
> R10: 0001 R11: ed003a16b6d4 R12: 00ff
> R13: 8801d0b5b5a0 R14: 0002 R15: 8801d0b5b6c3
> x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
> emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
> complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
> complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
> kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
> kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
> vfs_ioctl fs/ioctl.c:46 [inline]
> do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
> SYSC_ioctl fs/ioctl.c:701 [inline]
> SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
> entry_SYSCALL_64_fastpath+0x1f/0x96
> RIP: 0033:0x4529d9
> RSP: 002b:7f6b6b2d5c58 EFLAGS: 0212 ORIG_RAX: 0010
> RAX: ffda RBX: 00758020 RCX: 004529d9
> RDX: RSI: ae80 RDI: 0004
> RBP: 039b R08: R09:
> R10: R11: 0212 R12: 006f2728
> R13: R14: 7f6b6b2d66d4 R15:
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkal...@googlegroups.com.
> Please credit me with: Reported-by: syzbot
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> If you want to test a patch for this bug, please reply with:
> #syz test: git://repo/address.git branch
> and provide the patch inline or as an attachment.
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.