From: Dmitry Vyukov
Date: Mon, 27 Sep 2021 16:16:33 +0200
Subject: Re: [syzbot] upstream test error: KFENCE: use-after-free in kvm_fastop_exception
To: Sean Christopherson
Cc: Marco Elver, syzbot, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk, the arch/x86 maintainers, Linux ARM, kasan-dev
References: <000000000000d6b66705cb2fffd4@google.com>

On Wed, 22 Sept 2021 at 01:34, 'Sean Christopherson' via syzkaller-bugs wrote:
>
> On Fri, Sep 17, 2021, Dmitry Vyukov wrote:
> > On Fri, 17 Sept 2021 at 13:04, Marco Elver wrote:
> > > > So it looks like in both cases the top fault frame is just wrong. But
> > > > I would assume it's extracted by arch-dependent code, so it's
> > > > suspicious that it affects both x86 and arm64...
> > > >
> > > > Any ideas what's happening?
> > >
> > > My suspicion for the x86 case is that kvm_fastop_exception is related
> > > to instruction emulation and the fault occurs in an emulated
> > > instruction?
> >
> > Why would the kernel emulate a plain MOV?
> > 2a: 4c 8b 21 mov (%rcx),%r12
> >
> > And it would also mean a broken unwind because the emulated
> > instruction is in __d_lookup, so it should be in the stack trace.
>
> kvm_fastop_exception is a red herring. It's indeed related to emulation, and
> while MOV emulation is common in KVM, that emulation is for KVM guests, not for
> the host kernel where this splat occurs (ignoring the fact that the "host" is
> itself a guest).
>
> kvm_fastop_exception is out-of-line fixup, and certainly shouldn't be reachable
> via d_lookup. It's also two instructions, XOR+RET, neither of which are in the
> code stream.
>
> IIRC, the unwinder gets confused when given an IP that's in out-of-line code,
> e.g. exception fixup like this. If you really want to find out what code blew
> up, you might be able to objdump -D the kernel and search for unique, matching
> disassembly, e.g. find "jmpq 0xf86d288c" and go from there.

Hi Sean,

Thanks for the info. I don't want to find out what code blew (it's __d_lookup).
I am interested in getting the unwinder fixed to output truthful and useful frames.
Is there more info on this "the unwinder gets confused"? Bug filed somewhere or an
email thread? Is it on anybody's radar?
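The "search the disassembly for the matching bytes" approach Sean suggests, as an added example that is not part of the thread: a small Python script that takes the bytes a splat decoded (the x86 `Code:` line, where `<xx>` marks the faulting byte) and finds where that exact byte sequence sits in `objdump -d` output, reporting the instruction that really faulted regardless of what the unwinder printed as the top frame. The objdump text, the addresses and the `Code:` line are constructed for the example and are not taken from the syzbot report; the function and symbol names are used only as illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in the shape of `objdump -d vmlinux` output.
# Addresses and byte sequences are made up for the example.
SAMPLE_OBJDUMP = """
ffffffff813a1e20 <__d_lookup>:
ffffffff813a1e20:   e8 3b 1f 00 00          call   ffffffff813a3d60 <__fentry__>
ffffffff813a1e25:   41 55                   push   %r13
ffffffff813a1e27:   41 54                   push   %r12
ffffffff813a1e29:   55                      push   %rbp
ffffffff813a1e2a:   4c 8b 21                mov    (%rcx),%r12
ffffffff813a1e2d:   4d 85 e4                test   %r12,%r12
ffffffff813a1e30:   74 10                   je     ffffffff813a1e42 <__d_lookup+0x22>

ffffffff81060f10 <kvm_fastop_exception>:
ffffffff81060f10:   31 c0                   xor    %eax,%eax
ffffffff81060f12:   c3                      ret
"""

# Constructed oops "Code:" line. The x86 oops printer wraps the byte at the
# reported RIP in angle brackets; everything before it is preceding context.
SAMPLE_CODE_LINE = "Code: 41 55 41 54 55 <4c> 8b 21 4d 85 e4 74 10"


@dataclass
class Insn:
    addr: int
    raw: bytes
    text: str


def parse_objdump(dump: str) -> list[Insn]:
    """Turn objdump -d text into (address, opcode bytes, mnemonic) records."""
    insns: list[Insn] = []
    for line in dump.splitlines():
        m = re.match(r"^\s*([0-9a-f]+):\s+(.*)$", line)
        if not m:
            continue  # symbol headers and blank lines carry no bytes
        tokens = m.group(2).split()
        raw = bytearray()
        i = 0
        # Leading two-hex-digit tokens are opcode bytes; the rest is the mnemonic.
        while i < len(tokens) and re.fullmatch(r"[0-9a-f]{2}", tokens[i]):
            raw.append(int(tokens[i], 16))
            i += 1
        if raw:
            insns.append(Insn(int(m.group(1), 16), bytes(raw), " ".join(tokens[i:])))
    return insns


def parse_code_line(code_line: str) -> tuple[bytes, int]:
    """Return the Code: bytes and the index of the <xx>-marked faulting byte."""
    tokens = code_line.split(":", 1)[1].split()
    raw = bytearray()
    fault_idx = None
    for i, tok in enumerate(tokens):
        if tok.startswith("<") and tok.endswith(">"):
            fault_idx = i
            tok = tok[1:-1]
        raw.append(int(tok, 16))
    if fault_idx is None:
        raise ValueError("Code: line has no <xx> fault marker")
    return bytes(raw), fault_idx


def locate_fault(insns: list[Insn], code_line: str) -> list[int]:
    """Addresses at which the Code: byte sequence occurs; the fault byte's address is returned.

    More than one hit means the sequence is not unique and needs more context.
    """
    pattern, fault_idx = parse_code_line(code_line)
    stream = bytearray()
    addr_of: list[int] = []  # address of every byte in `stream`
    for insn in insns:
        for k, b in enumerate(insn.raw):
            stream.append(b)
            addr_of.append(insn.addr + k)
    hits: list[int] = []
    pos = stream.find(pattern)
    while pos >= 0:
        last = pos + len(pattern) - 1
        # Reject matches that straddle a gap between separately dumped symbols.
        if addr_of[last] - addr_of[pos] == len(pattern) - 1:
            hits.append(addr_of[pos + fault_idx])
        pos = stream.find(pattern, pos + 1)
    return hits


def insn_at(insns: list[Insn], addr: int) -> Insn | None:
    """The instruction whose bytes cover `addr`, if any."""
    for insn in insns:
        if insn.addr <= addr < insn.addr + len(insn.raw):
            return insn
    return None


if __name__ == "__main__":
    decoded = parse_objdump(SAMPLE_OBJDUMP)
    for addr in locate_fault(decoded, SAMPLE_CODE_LINE):
        print(f"faulting instruction at {addr:#x}: {insn_at(decoded, addr).text}")
```

On a real report you would feed it `objdump -d vmlinux` (or the module's .ko) and the `Code:` line from the oops; a single hit inside a function body is the faulting site, and the symbol the unwinder printed (here kvm_fastop_exception, which is not in the byte stream at all) can be disregarded.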