Hello, The following program triggers vmalloc allocation failure in kvm_vcpu_ioctl_set_cpuid (tries to allocate 0 bytes, but looks scary in dmesg):

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>

/* Raw syscall results; memset(-1) below sets every byte to 0xff, i.e. each slot to -1. */
long r[8];

/*
 * Reproducer: open /dev/kvm, create a VM and a vCPU, then issue KVM_SET_CPUID
 * with nent == 0. The kernel sizes its CPUID-entry buffer from the
 * user-supplied nent, so this reaches vmalloc() with a 0-byte request and
 * produces the warn_alloc_failed splat shown below. Return values are stored
 * in r[] but never checked.
 */
int main() {
    memset(r, -1, sizeof(r));
    /* One anonymous, zero-filled page at the fixed address 0x20000000
     * (prot 0x3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS).
     * The zero fill is what terminates the 8-byte path copied next. */
    r[0] = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
    memcpy((void*)0x20000000, "\x2f\x64\x65\x76\x2f\x6b\x76\x6d", 8);   /* "/dev/kvm", no NUL copied */
    r[2] = syscall(SYS_open, 0x20000000ul, 0x2ul, 0x0ul, 0, 0, 0);      /* flags 0x2 = O_RDWR */
    r[3] = syscall(SYS_ioctl, r[2], 0xae01ul, 0x0ul, 0, 0, 0);          /* KVM_CREATE_VM -> VM fd */
    r[4] = syscall(SYS_ioctl, r[3], 0xae41ul, 0x8ul, 0, 0, 0);          /* KVM_CREATE_VCPU, vcpu id 8 -> vCPU fd */
    /* The same page is now reused as struct kvm_cpuid { __u32 nent; __u32 padding; entries[] }. */
    *(uint32_t*)0x20000000 = (uint32_t)0x0;   /* nent = 0: the value that yields the 0-byte vmalloc */
    *(uint32_t*)0x20000004 = (uint32_t)0x6;   /* padding field; value presumably irrelevant */
    r[7] = syscall(SYS_ioctl, r[4], 0x4008ae8aul, 0x20000000ul, 0, 0, 0); /* KVM_SET_CPUID (_IOW(KVMIO, 0x8a, 8 bytes)) */
    return 0;
}

vmalloc: allocation failure: 0 bytes
syz-executor: page allocation failure: order:0, mode:0x24000c2
CPU: 3 PID: 7070 Comm: syz-executor Not tainted 4.4.0-rc8+ #213
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff88006255f648 ffffffff82906ccd 1ffff1000c4abecd
 ffffffff85fbce20 dffffc0000000000 ffff88006255f760 ffffffff8164e364
 ffff880063704680 0000000000000001 0000000041b58ab3 ffffffff86e43544
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82906ccd>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff8164e364>] warn_alloc_failed+0x1f4/0x250 mm/page_alloc.c:2677
 [<ffffffff816f530b>] __vmalloc_node_range+0x42b/0x6d0 mm/vmalloc.c:1692
 [< inline >] __vmalloc_node mm/vmalloc.c:1715
 [< inline >] __vmalloc_node_flags mm/vmalloc.c:1729
 [<ffffffff816f567b>] vmalloc+0x5b/0x70 mm/vmalloc.c:1744
 [<ffffffff810df80e>] kvm_vcpu_ioctl_set_cpuid+0xae/0x9b0 arch/x86/kvm/cpuid.c:177
 [<ffffffff810588b6>] kvm_arch_vcpu_ioctl+0x2176/0x2ef0 arch/x86/kvm/x86.c:3262
 [<ffffffff8101cb52>] kvm_vcpu_ioctl+0x1e2/0xd00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2526
[ 331.709691] Mem-Info: [ 
331.709910] active_anon:2753 inactive_anon:58 isolated_anon:0 [ 331.709910] active_file:4796 inactive_file:3639 isolated_file:0 [ 331.709910] unevictable:0 dirty:26 writeback:0 unstable:0 [ 331.709910] slab_reclaimable:9522 slab_unreclaimable:51558 [ 331.709910] mapped:3216 shmem:65 pagetables:336 bounce:0 [ 331.709910] free:320048 free_pcp:468 free_cma:0 [ 331.712795] Node 0 DMA free:9544kB min:48kB low:60kB high:72kB active_anon:104kB inactive_anon:0kB active_file:364kB inactive_file:340kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:15992kB managed:15908kB mlocked:51539607552kB dirty:0kB writeback:0kB mapped:336kB shmem:0kB slab_reclaimable:384kB slab_unreclaimable:4088kB kernel_stack:32kB pagetables:20kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no [ 331.716610] lowmem_reserve[]: 0 862 862 862 [ 331.717084] Node 0 DMA32 free:691300kB min:2664kB low:3328kB high:3996kB active_anon:2660kB inactive_anon:124kB active_file:9004kB inactive_file:8048kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:1032192kB managed:883568kB mlocked:2473901162496kB dirty:80kB writeback:0kB mapped:7380kB shmem:136kB slab_reclaimable:22568kB slab_unreclaimable:113320kB kernel_stack:3168kB pagetables:500kB unstable:0kB bounce:0kB free_pcp:916kB local_pcp:460kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no [ 331.721165] lowmem_reserve[]: 0 0 0 0 [ 331.721577] Node 1 DMA32 free:579348kB min:2252kB low:2812kB high:3376kB active_anon:8248kB inactive_anon:108kB active_file:9816kB inactive_file:6168kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:1048560kB managed:746804kB mlocked:1425929142272kB dirty:24kB writeback:0kB mapped:5148kB shmem:124kB slab_reclaimable:15136kB slab_unreclaimable:88824kB kernel_stack:3232kB pagetables:824kB unstable:0kB bounce:0kB free_pcp:952kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? 
no [ 331.725806] lowmem_reserve[]: 0 0 0 0 [ 331.726243] Node 0 DMA: 26*4kB (UM) 16*8kB (UM) 10*16kB (UM) 8*32kB (UM) 9*64kB (UME) 1*128kB (U) 2*256kB (UM) 3*512kB (UME) 2*1024kB (UE) 2*2048kB (UM) 0*4096kB = 9544kB [ 331.727981] Node 0 DMA32: 357*4kB (UM) 304*8kB (UME) 371*16kB (UME) 187*32kB (UM) 95*64kB (UME) 44*128kB (UME) 21*256kB (UME) 14*512kB (ME) 10*1024kB (UM) 3*2048kB (UM) 155*4096kB (M) = 691300kB [ 331.729932] Node 1 DMA32: 3*4kB (UME) 145*8kB (UM) 310*16kB (UM) 191*32kB (UME) 101*64kB (UME) 32*128kB (UME) 20*256kB (UME) 19*512kB (UME) 5*1024kB (UM) 6*2048kB (UM) 128*4096kB (ME) = 579348kB [ 331.731880] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB [ 331.733086] Node 1 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB [ 331.733841] 8504 total pagecache pages [ 331.734202] 0 pages in swap cache [ 331.734508] Swap cache stats: add 0, delete 0, find 0/0 [ 331.734972] Free swap = 0kB [ 331.735241] Total swap = 0kB [ 331.735510] 524186 pages RAM [ 331.735769] 0 pages HighMem/MovableOnly [ 331.736159] 112616 pages reserved

On commit b06f3a168cdcd80026276898fd1fee443ef25743 (Jan 6).