Re: general protection fault in finish_task_switch (2)
On Wed, Aug 22, 2018 at 2:08 AM, Peter Zijlstra wrote:
> On Tue, Aug 21, 2018 at 02:28:02PM -0700, syzbot wrote:
>> syzbot has found a reproducer for the following crash on:
>>
>> HEAD commit:    778a33959a8a Merge tag 'please-pull-noboot' of git://git.k..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=14a5385a40
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=214e4990bd49329f
>> dashboard link: https://syzkaller.appspot.com/bug?extid=1f56df64bfb3c29dde6f
>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> userspace arch: i386
>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13ffa56140
>
> FWIW the lack of whitespace between "repro:" and the URL makes it hard
> to copy paste.

Fixed by:
https://github.com/google/syzkaller/commit/307deaee5e23e4585d4b408ebcf329b9dc8ebdb4

Thanks

>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1002396140
>
>
>> RIP: 0010:__fire_sched_in_preempt_notifiers kernel/sched/core.c:2481
>
> That repro thing does something dodgy with KVM, which then corrupts the
> preemption notifier thing. I'm sufficiently KVM clueless to not really
> know where to start looking though..
Re: general protection fault in finish_task_switch (2)
On 22/08/2018 11:08, Peter Zijlstra wrote:
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1002396140
>
>> RIP: 0010:__fire_sched_in_preempt_notifiers kernel/sched/core.c:2481
>
> That repro thing does something dodgy with KVM, which then corrupts the
> preemption notifier thing. I'm sufficiently KVM clueless to not really
> know where to start looking though..

It seems to be a reference counting issue, or something like that.  I'm
looking at it...

Paolo
Re: general protection fault in finish_task_switch (2)
On Tue, Aug 21, 2018 at 02:28:02PM -0700, syzbot wrote:
> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:    778a33959a8a Merge tag 'please-pull-noboot' of git://git.k..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14a5385a40
> kernel config:  https://syzkaller.appspot.com/x/.config?x=214e4990bd49329f
> dashboard link: https://syzkaller.appspot.com/bug?extid=1f56df64bfb3c29dde6f
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> userspace arch: i386
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13ffa56140

FWIW the lack of whitespace between "repro:" and the URL makes it hard
to copy paste.

> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1002396140

> RIP: 0010:__fire_sched_in_preempt_notifiers kernel/sched/core.c:2481

That repro thing does something dodgy with KVM, which then corrupts the
preemption notifier thing. I'm sufficiently KVM clueless to not really
know where to start looking though..
Re: general protection fault in finish_task_switch (2)
syzbot has found a reproducer for the following crash on:

HEAD commit:    778a33959a8a Merge tag 'please-pull-noboot' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14a5385a40
kernel config:  https://syzkaller.appspot.com/x/.config?x=214e4990bd49329f
dashboard link: https://syzkaller.appspot.com/bug?extid=1f56df64bfb3c29dde6f
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=13ffa56140
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1002396140

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1f56df64bfb3c29dd...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
CPU: 0 PID: 4489 Comm: syz-executor233 Not tainted 4.18.0+ #103
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__fire_sched_in_preempt_notifiers kernel/sched/core.c:2481 [inline]
RIP: 0010:fire_sched_in_preempt_notifiers kernel/sched/core.c:2487 [inline]
RIP: 0010:finish_task_switch+0x538/0x870 kernel/sched/core.c:2679
Code: 89 e1 48 c1 e9 03 42 80 3c 39 00 0f 85 ab 01 00 00 4d 8b 24 24 4d 85 e4 0f 84 e3 fc ff ff 49 8d 7c 24 10 48 89 f9 48 c1 e9 03 <42> 80 3c 39 00 74 a5 e8 8c a5 67 00 eb 9e 80 3d 8b c3 32 07 00 0f
RSP: 0018:8801ac0ff058 EFLAGS: 00010a06
RAX: RBX: 8801db02cc40 RCX: 1bd5a022
RDX: RSI: 810ed162 RDI: dead0110
RBP: 8801ac0ff140 R08: 8801acb8c300 R09: ed003b221b6c
R10: ed003b221b6c R11: 8801d910db67 R12: dead0100
R13: 8801ca5e0040 R14: R15: dc00
FS: () GS:8801db00(0063) knlGS:f7f07b40
CS: 0010 DS: 002b ES: 002b CR0: 80050033
CR2: 7f1304e0b000 CR3: 0001acab3000 CR4: 001426f0
Call Trace:
 context_switch kernel/sched/core.c:2826 [inline]
 __schedule+0x884/0x1df0 kernel/sched/core.c:3471
 schedule+0xfb/0x450 kernel/sched/core.c:3515
 freezable_schedule include/linux/freezer.h:172 [inline]
 futex_wait_queue_me+0x3f9/0x840 kernel/futex.c:2530
 futex_wait+0x45b/0xa20 kernel/futex.c:2645
 do_futex+0x336/0x27d0 kernel/futex.c:3527
 __do_compat_sys_futex kernel/futex_compat.c:201 [inline]
 __se_compat_sys_futex kernel/futex_compat.c:175 [inline]
 __ia32_compat_sys_futex+0x3d9/0x5f0 kernel/futex_compat.c:175
 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline]
 do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f0bca9
Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:f7f071ec EFLAGS: 0296 ORIG_RAX: 00f0
RAX: ffda RBX: 080fb008 RCX:
RDX: RSI: RDI: 0005
RBP: c080aebe R08: R09:
R10: R11: R12:
R13: R14: R15:
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace a4bb2f1beb6735f0 ]---
RIP: 0010:__fire_sched_in_preempt_notifiers kernel/sched/core.c:2481 [inline]
RIP: 0010:fire_sched_in_preempt_notifiers kernel/sched/core.c:2487 [inline]
RIP: 0010:finish_task_switch+0x538/0x870 kernel/sched/core.c:2679
Code: 89 e1 48 c1 e9 03 42 80 3c 39 00 0f 85 ab 01 00 00 4d 8b 24 24 4d 85 e4 0f 84 e3 fc ff ff 49 8d 7c 24 10 48 89 f9 48 c1 e9 03 <42> 80 3c 39 00 74 a5 e8 8c a5 67 00 eb 9e 80 3d 8b c3 32 07 00 0f
RSP: 0018:8801ac0ff058 EFLAGS: 00010a06
RAX: RBX: 8801db02cc40 RCX: 1bd5a022
RDX: RSI: 810ed162 RDI: dead0110
RBP: 8801ac0ff140 R08: 8801acb8c300 R09: ed003b221b6c
R10: ed003b221b6c R11: 8801d910db67 R12: dead0100
R13: 8801ca5e0040 R14: R15: dc00
FS: () GS:8801db00(0063) knlGS:f7f07b40
CS: 0010 DS: 002b ES: 002b CR0: 80050033
CR2: 7f1304e0b000 CR3: 0001acab3000 CR4: 001426f0
general protection fault in finish_task_switch (2)
Hello,

syzbot found the following crash on:

HEAD commit:    8c8399e0a3fb Add linux-next specific files for 20180806
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16c6b8e240
kernel config:  https://syzkaller.appspot.com/x/.config?x=1b6bc1781e49e93e
dashboard link: https://syzkaller.appspot.com/bug?extid=1f56df64bfb3c29dde6f
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1f56df64bfb3c29dd...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
 vmwrite_error+0x4c/0x60 arch/x86/kvm/vmx.c:2201
CPU: 0 PID: 9256 Comm: syz-executor2 Not tainted 4.18.0-rc8-next-20180806+ #32
 __vmcs_writel arch/x86/kvm/vmx.c:2211 [inline]
 vmcs_writel arch/x86/kvm/vmx.c:2251 [inline]
 vmx_vcpu_load+0xcdb/0xfe0 arch/x86/kvm/vmx.c:2917
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__fire_sched_in_preempt_notifiers kernel/sched/core.c:2481 [inline]
RIP: 0010:fire_sched_in_preempt_notifiers kernel/sched/core.c:2487 [inline]
RIP: 0010:finish_task_switch+0x538/0x870 kernel/sched/core.c:2679
Code: 89 e1 48 c1 e9 03 42 80 3c 39 00 0f 85 ab 01 00 00 4d 8b 24 24 4d 85 e4 0f 84 e3 fc ff ff 49 8d 7c 24 10 48 89 f9 48 c1 e9 03 <42> 80 3c 39 00 74 a5 e8 1c e8 67 00 eb 9e 80 3d 80 e4 31 07 00 0f
RSP: 0018:8801977a7980 EFLAGS: 00010a06
RAX: RBX: 8801db02ca40 RCX: 1bd5a022
RDX: 0004 RSI: 810edd32 RDI: dead0110
RBP: 8801977a7a68 R08: 88019386a080 R09: fbfff1107d28
R10: fbfff1107d28 R11: 0003 R12: dead0100
 kvm_arch_vcpu_load+0x22b/0x940 arch/x86/kvm/x86.c:3081
R13: 88019549c240 R14: R15: dc00
FS: 7fd2dc8cf700() GS:8801db00() knlGS:
 kvm_sched_in+0x82/0xa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3975
CS: 0010 DS: ES: CR0: 80050033
 __fire_sched_in_preempt_notifiers kernel/sched/core.c:2481 [inline]
 fire_sched_in_preempt_notifiers kernel/sched/core.c:2487 [inline]
 finish_task_switch+0x50d/0x870 kernel/sched/core.c:2679
CR2: 001b2fb21000 CR3: 000190863000 CR4: 001426f0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
 context_switch kernel/sched/core.c:2826 [inline]
 __schedule+0x884/0x1ec0 kernel/sched/core.c:3471
 context_switch kernel/sched/core.c:2826 [inline]
 __schedule+0x884/0x1ec0 kernel/sched/core.c:3471
 preempt_schedule_common+0x22/0x60 kernel/sched/core.c:3595
 schedule+0xfb/0x450 kernel/sched/core.c:3515
 _cond_resched+0x1d/0x30 kernel/sched/core.c:4961
 __mutex_lock_common kernel/locking/mutex.c:908 [inline]
 __mutex_lock+0x13d/0x1700 kernel/locking/mutex.c:1073
 exit_to_usermode_loop+0x22f/0x380 arch/x86/entry/common.c:152
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x456cb9
Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7fd2dc8cecf8 EFLAGS: 0246 ORIG_RAX: 00ca
RAX: 0001 RBX: 00930148 RCX: 00456cb9
RDX: 0016 RSI: 0001 RDI: 0093014c
RBP: 00930140 R08: R09:
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088
R10: R11: 0246 R12: 0093014c
R13: 7ffd09c12e5f R14: 7fd2dc8cf9c0 R15: 0001
 arch_jump_label_transform+0x1b/0x40 arch/x86/kernel/jump_label.c:112
Modules linked in:
 __jump_label_update+0x16e/0x1a0 kernel/jump_label.c:375
 jump_label_update+0x151/0x2e0 kernel/jump_label.c:760
Dumping ftrace buffer:
 static_key_slow_inc_cpuslocked+0x341/0x430 kernel/jump_label.c:110
   (ftrace buffer empty)
---[ end trace de1ac742ecfe90a2 ]---
RIP: 0010:__fire_sched_in_preempt_notifiers kernel/sched/core.c:2481 [inline]
RIP: 0010:fire_sched_in_preempt_notifiers kernel/sched/core.c:2487 [inline]
RIP: 0010:finish_task_switch+0x538/0x870 kernel/sched/core.c:2679
Code: 89 e1 48 c1 e9 03 42 80 3c 39 00 0f 85 ab 01 00 00 4d 8b 24 24 4d 85 e4 0f 84 e3 fc ff ff 49 8d 7c 24 10 48 89 f9 48 c1 e9 03 <42> 80 3c 39 00 74 a5 e8 1c e8 67 00 eb 9e 80