linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* general protection fault in rcu_segcblist_enqueue
@ 2021-09-18  1:36 Hao Sun
  2021-09-20 14:32 ` Sean Christopherson
  0 siblings, 1 reply; 2+ messages in thread
From: Hao Sun @ 2021-09-18  1:36 UTC (permalink / raw)
  To: Linux Kernel Mailing List
  Cc: bp, hpa, jmattson, joro, kvm, mingo, pbonzini, seanjc, tglx,
	vkuznets, wanpengli, x86

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: ff1ffd71d5f0 Merge tag 'hyperv-fixes-signed-20210915
git tree: upstream
console output:
https://drive.google.com/file/d/1I3q-rH7yJXxmr16cI418avyA_tHdoOVE/view?usp=sharing
kernel config: https://drive.google.com/file/d/1zXpDhs-IdE7tX17B7MhaYP0VGUfP6m9B/view?usp=sharing

Sorry, I don't have a reproducer for this crash, hope the symbolized
report can help.
If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th@gmail.com>

general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 3 PID: 18519 Comm: syz-executor Not tainted 5.15.0-rc1+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:rcu_segcblist_enqueue+0xf5/0x1d0 kernel/rcu/rcu_segcblist.c:348
Code: 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 75 7c
48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 4c 89 e2 48 c1 ea 03 <80> 3c
02 00 75 4f 48 89 ea 49 89 34 24 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc90001bafbd0 EFLAGS: 00010056
RAX: dffffc0000000000 RBX: ffff888135d00080 RCX: ffffffff815c1ca0
RDX: 0000000000000000 RSI: ffffc90001bafcd0 RDI: ffff888135d00080
RBP: ffff888135d000a0 R08: 0000000000000001 R09: fffff52000375f6e
R10: 0000000000000003 R11: fffff52000375f6d R12: 0000000000000000
R13: 0000000000000000 R14: ffff888135d00080 R15: ffff888135d00040
FS:  00007f2d96e17700(0000) GS:ffff888135d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2d96df5db8 CR3: 000000010aedf000 CR4: 0000000000350ee0
Call Trace:
 srcu_gp_start_if_needed+0x145/0xbf0 kernel/rcu/srcutree.c:823
 __synchronize_srcu+0x1f4/0x270 kernel/rcu/srcutree.c:929
 kvm_mmu_uninit_vm+0x18/0x30 arch/x86/kvm/mmu/mmu.c:5711
 kvm_arch_destroy_vm+0x42b/0x5b0 arch/x86/kvm/x86.c:11331
 kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1094 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:4583 [inline]
 kvm_dev_ioctl+0x1508/0x1aa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4638
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4739cd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2d96e16c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 00000000004739cd
RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000003
RBP: 00000000004ebd80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0a0
R13: 00007ffd87419e4f R14: 00007ffd87419ff0 R15: 00007f2d96e16dc0
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 786f845bf6575473 ]---
RIP: 0010:rcu_segcblist_enqueue+0xf5/0x1d0 kernel/rcu/rcu_segcblist.c:348
Code: 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 75 7c
48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 4c 89 e2 48 c1 ea 03 <80> 3c
02 00 75 4f 48 89 ea 49 89 34 24 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc90001bafbd0 EFLAGS: 00010056
RAX: dffffc0000000000 RBX: ffff888135d00080 RCX: ffffffff815c1ca0
RDX: 0000000000000000 RSI: ffffc90001bafcd0 RDI: ffff888135d00080
RBP: ffff888135d000a0 R08: 0000000000000001 R09: fffff52000375f6e
R10: 0000000000000003 R11: fffff52000375f6d R12: 0000000000000000
R13: 0000000000000000 R14: ffff888135d00080 R15: ffff888135d00040
FS:  00007f2d96e17700(0000) GS:ffff888135d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2d96df5db8 CR3: 000000010aedf000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0: 00 00                add    %al,(%rax)
   2: 00 00                add    %al,(%rax)
   4: 00 fc                add    %bh,%ah
   6: ff                    (bad)
   7: df 48 89              fisttps -0x77(%rax)
   a: ea                    (bad)
   b: 48 c1 ea 03          shr    $0x3,%rdx
   f: 80 3c 02 00          cmpb   $0x0,(%rdx,%rax,1)
  13: 75 7c                jne    0x91
  15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
  1c: fc ff df
  1f: 4c 8b 63 20          mov    0x20(%rbx),%r12
  23: 4c 89 e2              mov    %r12,%rdx
  26: 48 c1 ea 03          shr    $0x3,%rdx
* 2a: 80 3c 02 00          cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e: 75 4f                jne    0x7f
  30: 48 89 ea              mov    %rbp,%rdx
  33: 49 89 34 24          mov    %rsi,(%r12)
  37: 48                    rex.W
  38: b8 00 00 00 00        mov    $0x0,%eax
  3d: 00 fc                add    %bh,%ah
  3f: ff                    .byte 0xff

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: general protection fault in rcu_segcblist_enqueue
  2021-09-18  1:36 general protection fault in rcu_segcblist_enqueue Hao Sun
@ 2021-09-20 14:32 ` Sean Christopherson
  0 siblings, 0 replies; 2+ messages in thread
From: Sean Christopherson @ 2021-09-20 14:32 UTC (permalink / raw)
  To: Hao Sun
  Cc: Linux Kernel Mailing List, bp, hpa, jmattson, joro, kvm, mingo,
	pbonzini, tglx, vkuznets, wanpengli, x86

On Sat, Sep 18, 2021, Hao Sun wrote:
> Hello,
> 
> When using Healer to fuzz the latest Linux kernel, the following crash
> was triggered.
> 
> HEAD commit: ff1ffd71d5f0 Merge tag 'hyperv-fixes-signed-20210915
> git tree: upstream
> console output:
> https://drive.google.com/file/d/1I3q-rH7yJXxmr16cI418avyA_tHdoOVE/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1zXpDhs-IdE7tX17B7MhaYP0VGUfP6m9B/view?usp=sharing
> 
> Sorry, I don't have a reproducer for this crash, hope the symbolized
> report can help.
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Hao Sun <sunhao.th@gmail.com>
> 
> general protection fault, probably for non-canonical address

...

>  srcu_gp_start_if_needed+0x145/0xbf0 kernel/rcu/srcutree.c:823
>  __synchronize_srcu+0x1f4/0x270 kernel/rcu/srcutree.c:929

Duplicate of https://lkml.kernel.org/r/CACkBjsZ55MKvOBGYJyQxwHBCQOTP=Lz=yfYwJtdOzNiT59E38g@mail.gmail.com

>  kvm_mmu_uninit_vm+0x18/0x30 arch/x86/kvm/mmu/mmu.c:5711
>  kvm_arch_destroy_vm+0x42b/0x5b0 arch/x86/kvm/x86.c:11331
>  kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1094 [inline]
>  kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:4583 [inline]
>  kvm_dev_ioctl+0x1508/0x1aa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4638

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-09-20 14:33 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-18  1:36 general protection fault in rcu_segcblist_enqueue Hao Sun
2021-09-20 14:32 ` Sean Christopherson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).