On Tue, Oct 31, 2017 at 2:34 PM, syzbot <bot+adbefe6736a5b37af36f19ebfa8764fcdd9ddaed@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hello,
>
> syzkaller hit the following crash on
> 0787643a5f6aad1f0cdeb305f7fe492b71943ea4
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 3045 at arch/x86/kernel/traps.c:776 cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
> WARNING: CPU: 0 PID: 3045 at arch/x86/kernel/traps.c:776 do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 3045 Comm: syz-executor6 Not tainted 4.14.0-rc5+ #142
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  <#DB>
>  __dump_stack lib/dump_stack.c:16 [inline]
>  dump_stack+0x194/0x257 lib/dump_stack.c:52
>  panic+0x1e4/0x417 kernel/panic.c:181
>  __warn+0x1c4/0x1d9 kernel/panic.c:542
>  report_bug+0x211/0x2d0 lib/bug.c:183
>  fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:178
>  do_trap_no_signal arch/x86/kernel/traps.c:212 [inline]
>  do_trap+0x260/0x390 arch/x86/kernel/traps.c:261
>  do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:298
>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:311
>  invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
> RIP: 0010:cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
> RIP: 0010:do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
> RSP: 0018:ffff8801db20fe98 EFLAGS: 00010246
> RAX: dffffc0000000000 RBX: ffff8801db20ff58 RCX: 0000000000000000
> RDX: 1ffff1003b641ffc RSI: 0000000000000001 RDI: ffffffff85ac6398
> RBP: ffff8801db20ff48 R08: ffff8801db20ffe8 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000004001
> R13: ffff8801cd8541c0 R14: 1ffff1003b641fd8 R15: 0000000000004000
>  debug+0x34/0x70 arch/x86/entry/entry_64.S:1056
> RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:180
> RSP: 0018:ffff8801cd2cfe68 EFLAGS: 00010246
> RAX: ffffed0039a59fe1 RBX: 0000000020000000 RCX: 000000000000003f
> RDX: 0000000000000040 RSI: 0000000020000001 RDI: ffff8801cd2cfec9
> RBP: ffff8801cd2cfe98 R08: ffffed0039a59fe1 R09: ffffed0039a59fe1
> R10: 0000000000000008 R11: ffffed0039a59fe0 R12: 0000000000000040
> R13: ffff8801cd2cfec8 R14: 00007ffffffff000 R15: 0000000020000040
>  </#DB>
>  copy_from_user include/linux/uaccess.h:146 [inline]
>  SYSC_timer_create kernel/time/posix-timers.c:579 [inline]
>  SyS_timer_create+0x89/0x120 kernel/time/posix-timers.c:572
>  entry_SYSCALL_64_fastpath+0x1f/0xbe
> RIP: 0033:0x452719
> RSP: 002b:00007f906f324be8 EFLAGS: 00000212 ORIG_RAX: 00000000000000de
> RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452719
> RDX: 0000000020000000 RSI: 0000000020000000 RDI: ffffffffffffffff
> RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f3cf8
> R13: 00000000ffffffff R14: 00007f906f3256d4 R15: 0000000000000000
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

I think this is a kvm bug, so +kvm maintainers.

Unfortunately, this does not reproduce with a C program. But I was able to easily reproduce it with the provided syzkaller program by running:

./syz-execprog repro.txt

On upstream 15f859ae5c43c7f0a064ed92d33f7a5bc5de6de0 (Oct 26).

Seems that the guest somehow sets debug register contents for the host:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 3079 at arch/x86/kernel/traps.c:776 cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
WARNING: CPU: 0 PID: 3079 at arch/x86/kernel/traps.c:776 do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 3079 Comm: syz-executor Not tainted 4.14.0-rc6+ #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 <#DB>
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 panic+0x1e4/0x417 kernel/panic.c:181
 __warn+0x1c4/0x1d9 kernel/panic.c:542
 report_bug+0x211/0x2d0 lib/bug.c:183
 fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:178
 do_trap_no_signal arch/x86/kernel/traps.c:212 [inline]
 do_trap+0x260/0x390 arch/x86/kernel/traps.c:261
 do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:298
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:311
 invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
RIP: 0010:cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
RIP: 0010:do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
RSP: 0018:ffff88006ca0fe98 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88006ca0ff58 RCX: 0000000000000000
RDX: 1ffff1000d941ffc RSI: 0000000000000001 RDI: ffffffff85ac63d8
RBP: ffff88006ca0ff48 R08: ffff88006ca0ffe8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000e001
R13: ffff88006a8d2500 R14: 1ffff1000d941fd8 R15: 0000000000004000
 debug+0x34/0x70 arch/x86/entry/entry_64.S:1056
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:44 [inline]
RIP: 0010:strncpy_from_user+0x188/0x430 lib/strncpy_from_user.c:117
RSP: 0018:ffff88006b717d28 EFLAGS: 00000246
RAX: 6d766b2f7665642f RBX: ffff88006b717dc0 RCX: ffffc90000e41000
RDX: 0000000000000000 RSI: ffffffff82466043 RDI: ffff88006b717d88
RBP: ffff88006b717de8 R08: ffff88006c5f9780 R09: ffff88006b2e8c00
R10: 0000000000000000 R11: ffffed000d65d37f R12: 0000000000000fe4
R13: 0000000000000fe4 R14: 0000000020000000 R15: 8080808080808080
 </#DB>
 getname_flags+0x10e/0x580 fs/namei.c:148
 getname+0x19/0x20 fs/namei.c:208
 do_sys_open+0x2e7/0x6d0 fs/open.c:1053
 SYSC_openat fs/open.c:1086 [inline]
 SyS_openat+0x30/0x40 fs/open.c:1080
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x447c89
RSP: 002b:00007f23a6c51bd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f23a6c526cc RCX: 0000000000447c89
RDX: 0000000000080000 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f23a6c529c0 R15: 00007f23a6c52700
Kernel Offset: disabled
Rebooting in 86400 seconds..

> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@xxxxxxxxxxxxxxxx.
> Please credit me with: Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug report.
> Note: all commands must start from beginning of the line.
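A small triage helper, added here and not part of the thread, that reduces each console dump above to the fields a reviewer compares: the WARN site, the kernel code that was executing when the #DB fired (the RIP line following the `debug+0x...` entry frame), and the originating syscall. The embedded sample is a reduced copy of the two dumps from this thread; the rule that the interrupted RIP is the first offset-bearing RIP after the `debug+` frame is an assumption made for this example.

```python
import re

# Reduced copy of the two console dumps in the thread (register dumps and most
# frames dropped); the line formats themselves are the page's.
SAMPLE = """\
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3045 at arch/x86/kernel/traps.c:776 do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
CPU: 0 PID: 3045 Comm: syz-executor6 Not tainted 4.14.0-rc5+ #142
 <#DB>
 debug+0x34/0x70 arch/x86/entry/entry_64.S:1056
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:180
 </#DB>
 SyS_timer_create+0x89/0x120 kernel/time/posix-timers.c:572
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3079 at arch/x86/kernel/traps.c:776 do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
CPU: 0 PID: 3079 Comm: syz-executor Not tainted 4.14.0-rc6+ #12
 <#DB>
 debug+0x34/0x70 arch/x86/entry/entry_64.S:1056
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:44 [inline]
RIP: 0010:strncpy_from_user+0x188/0x430 lib/strncpy_from_user.c:117
 </#DB>
 SyS_openat+0x30/0x40 fs/open.c:1080
"""
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+:\d+)")
RIP_RE = re.compile(r"RIP: 0010:(\S+?)\+0x")  # skips '[inline]' RIP lines that carry no offset
SYS_RE = re.compile(r"(SyS_\w+)\+")

def parse_reports(text):
    # Split console text on the 'cut here' marker and summarise each WARNING.
    reports = []
    for chunk in text.split("------------[ cut here ]------------")[1:]:
        r = dict(pid=None, site=None, interrupted=None, syscall=None)
        after_db_entry = False
        for raw in chunk.splitlines():
            line = raw.lstrip("> ")  # tolerate mail-quoted ('> ') copies of the dump
            if m := WARN_RE.match(line):
                r["pid"], r["site"] = m.group(1), m.group(2)
            elif line.startswith("debug+0x"):
                after_db_entry = True  # assumption: the next RIP is the code the #DB interrupted
            elif after_db_entry and (m := RIP_RE.match(line)):
                r["interrupted"], after_db_entry = m.group(1), False
            elif r["syscall"] is None and (m := SYS_RE.match(line)):
                r["syscall"] = m.group(1)
        reports.append(r)
    return reports

def shared_warn_site(reports):
    # The WARN location common to all reports, or None if they differ.
    sites = {r["site"] for r in reports}
    return sites.pop() if len(sites) == 1 else None
```

Running it over the two dumps shows the same WARN site with different interrupted user-copy routines, which is the pattern the reply points at.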