https://bugzilla.kernel.org/show_bug.cgi?id=103141

            Bug ID: 103141
           Summary: Host-triggerable NULL pointer oops
           Product: Virtualization
           Version: unspecified
    Kernel Version: 4.1.5
          Hardware: x86-64
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: kvm
          Assignee: virtualization_kvm@xxxxxxxxxxxxxxxxxxxx
          Reporter: felix.von.s@xxxxxxxxx
        Regression: No

Created attachment 185241
  --> https://bugzilla.kernel.org/attachment.cgi?id=185241&action=edit
Test program (C99)

Amusingly enough, I found this while trying to come up with a minimal test
program for #103131.

Running ioctl(KVM_CREATE_VCPU) _after_ ioctl(KVM_SET_USER_MEMORY_REGION) with
certain address/size combinations may generate a null pointer dereference.

dmesg after running the test program:

[11557.519426] BUG: unable to handle kernel NULL pointer dereference at 000000000000005f
[11557.520561] IP: [<ffffffffa045b2f5>] vmx_fpu_activate+0x5/0x20 [kvm_intel]
[11557.521716] PGD 13841a067 PUD 13857c067 PMD 0
[11557.522891] Oops: 0000 [#25] PREEMPT SMP
[11557.524073] Modules linked in: [REDACTED]
[11557.534572] CPU: 5 PID: 4295 Comm: tcc Tainted: P D O 4.1.5-1-ARCH #1
[11557.536451] Hardware name: [REDACTED]
[11557.538361] task: ffff880068425180 ti: ffff880138784000 task.ti: ffff880138784000
[11557.540331] RIP: 0010:[<ffffffffa045b2f5>] [<ffffffffa045b2f5>] vmx_fpu_activate+0x5/0x20 [kvm_intel]
[11557.542367] RSP: 0018:ffff880138787da0 EFLAGS: 00010292
[11557.544411] RAX: ffffffffa0476160 RBX: ffffffffffffffef RCX: 0000000000000000
[11557.546476] RDX: 0000000000001f85 RSI: ffff88014b15e8b0 RDI: ffffffffffffffef
[11557.548553] RBP: ffff880138787db8 R08: 000000000001e8b0 R09: ffffffffa045cbf3
[11557.550605] R10: ffffea00027eee00 R11: ffff88014b157348 R12: 0000000000000000
[11557.552637] R13: 0000000000000000 R14: 000000000000ae41 R15: 0000000000000000
[11557.554691] FS: 00007fba3936d700(0000) GS:ffff88014b140000(0000) knlGS:0000000000000000
[11557.556796] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[11557.558914] CR2: 000000000000005f CR3: 000000013857d000 CR4: 00000000000426e0
[11557.561092] Stack:
[11557.563213] ffffffffa03deaf1 0000000000000000 ffff8800a52fc000 ffff880138787e78
[11557.565412] ffffffffa03ca6d8 ffff880138787de8 ffffffff81175b5b ffff88011edffb80
[11557.567650] 0000000000000000 00000000fffbc000 0000000000044000 00007fba39371000
[11557.569906] Call Trace:
[11557.572169] [<ffffffffa03deaf1>] ? kvm_arch_vcpu_create+0x51/0x70 [kvm]
[11557.574476] [<ffffffffa03ca6d8>] kvm_vm_ioctl+0x1c8/0x7a0 [kvm]
[11557.576773] [<ffffffff81175b5b>] ? lru_cache_add_active_or_unevictable+0x2b/0xb0
[11557.579118] [<ffffffff811f4646>] do_vfs_ioctl+0x2c6/0x4d0
[11557.581470] [<ffffffff811f48d1>] SyS_ioctl+0x81/0xa0
[11557.583841] [<ffffffff8158bf2e>] system_call_fastpath+0x12/0x71
[11557.586265] Code: 00 e8 20 bf ff ff 5b 41 5c 5d c3 0f 1f 00 48 8b 05 31 85 fc ff ff 90 b8 00 00 00 eb 87 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 <8b> 47 70 85 c0 75 0a 55 48 89 e5 e8 3b ff ff ff 5d f3 c3 0f 1f
[11557.592112] RIP [<ffffffffa045b2f5>] vmx_fpu_activate+0x5/0x20 [kvm_intel]
[11557.594990] RSP <ffff880138787da0>
[11557.597859] CR2: 000000000000005f
[11557.600786] ---[ end trace b28b93d27b3449c9 ]---

When I move ioctl(KVM_CREATE_VCPU) immediately below ioctl(KVM_CREATE_VM)
there is no oops, but a later KVM_RUN exits with KVM_EXIT_INTERNAL_ERROR,
subcode KVM_INTERNAL_ERROR_EMULATION.

The crashes also stop when I decrease umr.memory_size below what I specified
in the attached test program.
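The following is an added example and is not the reporter's attached test program (which is not reproduced in this report). It shows what a VMM can do on its own side of the API: sanity-check the KVM_SET_USER_MEMORY_REGION arguments in userspace before handing them to the kernel, and then issue the ioctls in the order the reporter found does not oops (KVM_CREATE_VCPU immediately after KVM_CREATE_VM, before any memory region is installed). The names region_args, validate_region, setup_vm and PAGE_SIZE_ASSUMED are this example's own; the 4 KiB page size and the 16-page region at guest physical address 0 are assumptions. The exact address/size combination that triggers the oops is only in the attachment, so the example makes no claim to detect it.

```c
/* Added example, not the attached test program: userspace checks on a
 * KVM_SET_USER_MEMORY_REGION request, then the ioctl order the reporter
 * found does not oops (vCPU created right after the VM). The names
 * region_args, validate_region, setup_vm, PAGE_SIZE_ASSUMED are ours. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>
#if defined(__has_include)
#  if __has_include(<linux/kvm.h>)
#    include <linux/kvm.h>
#    define HAVE_LINUX_KVM_H 1
#  endif
#endif

#define PAGE_SIZE_ASSUMED 4096UL /* assumption: 4 KiB host pages */

/* Local mirror of the fields of struct kvm_userspace_memory_region, so the
 * checks compile and can be exercised even without <linux/kvm.h>. */
struct region_args {
    uint32_t slot;
    uint32_t flags;
    uint64_t guest_phys_addr;
    uint64_t memory_size;
    uint64_t userspace_addr;
};

/* Returns 0 if the region is plausible, else a negative errno value:
 * non-zero page-aligned size, page-aligned addresses, and no wraparound of
 * guest_phys_addr + memory_size or userspace_addr + memory_size. */
int validate_region(const struct region_args *r)
{
    if (r->memory_size == 0 || r->memory_size % PAGE_SIZE_ASSUMED)
        return -EINVAL;
    if (r->guest_phys_addr % PAGE_SIZE_ASSUMED ||
        r->userspace_addr % PAGE_SIZE_ASSUMED)
        return -EINVAL;
    if (r->guest_phys_addr > UINT64_MAX - r->memory_size ||
        r->userspace_addr > UINT64_MAX - r->memory_size)
        return -EOVERFLOW;
    return 0;
}

#ifdef HAVE_LINUX_KVM_H
/* Creates a VM, creates vCPU 0 immediately afterwards, then validates and
 * installs one anonymous-memory region. Returns 0 on success, -1 on
 * failure; the failing step is reported on stderr. */
int setup_vm(uint64_t guest_phys_addr, uint64_t memory_size)
{
    int ret = -1, kvm = -1, vm = -1, vcpu = -1;
    void *mem = MAP_FAILED;
    struct region_args a;
    struct kvm_userspace_memory_region umr;

    kvm = open("/dev/kvm", O_RDWR | O_CLOEXEC);
    if (kvm < 0) { perror("open /dev/kvm"); goto out; }
    vm = ioctl(kvm, KVM_CREATE_VM, 0);
    if (vm < 0) { perror("KVM_CREATE_VM"); goto out; }
    vcpu = ioctl(vm, KVM_CREATE_VCPU, 0); /* before any memory region */
    if (vcpu < 0) { perror("KVM_CREATE_VCPU"); goto out; }

    mem = mmap(NULL, memory_size, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) { perror("mmap"); goto out; }

    a.slot = 0; a.flags = 0;
    a.guest_phys_addr = guest_phys_addr; a.memory_size = memory_size;
    a.userspace_addr = (uint64_t)(uintptr_t)mem;
    ret = validate_region(&a);
    if (ret) {
        fprintf(stderr, "region rejected: %s\n", strerror(-ret));
        ret = -1; goto out;
    }
    umr.slot = a.slot; umr.flags = a.flags;
    umr.guest_phys_addr = a.guest_phys_addr; umr.memory_size = a.memory_size;
    umr.userspace_addr = a.userspace_addr;
    if (ioctl(vm, KVM_SET_USER_MEMORY_REGION, &umr) < 0) {
        perror("KVM_SET_USER_MEMORY_REGION"); ret = -1; goto out;
    }
    ret = 0;
out:
    if (mem != MAP_FAILED) munmap(mem, memory_size);
    if (vcpu >= 0) close(vcpu);
    if (vm >= 0) close(vm);
    if (kvm >= 0) close(kvm);
    return ret;
}
#endif

int main(void)
{
#ifdef HAVE_LINUX_KVM_H
    /* assumption: 16-page region at guest physical address 0 */
    return setup_vm(0, 16 * PAGE_SIZE_ASSUMED) == 0 ? 0 : 1;
#else
    fputs("<linux/kvm.h> unavailable; only validate_region() is usable\n", stderr);
    return 1;
#endif
}
```

validate_region() is deliberately separate from the ioctl sequence so a VMM can unit-test its region bookkeeping without /dev/kvm; setup_vm() needs a host with KVM and the kernel UAPI header, and reports which ioctl failed rather than continuing.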