Re: Another kvm null pointer dereference on 4.20-rc3

On Tue, 20 Nov 2018 at 14:06, Wei Wu <ww9210@xxxxxxxxx> wrote:
>
> This program will cause a null pointer dereference over
> apic->irr_pending. Maybe it is due to use-before-initialization of the
> apic object.
>
> A reproducer and panic report are provided, tested on master as
> available at the time of writing and on 4.20-rc3 as well as 4.20-rc2;
> 4.18 and 4.15 are not affected.

Just fix it, thanks for the report. https://lkml.org/lkml/2018/11/20/580

Regards,
Wanpeng Li

>
> Thank you!
>
> ww9210
>
> -----
> // autogenerated by syzkaller (https://github.com/google/syzkaller)
>
> #define _GNU_SOURCE
>
> #include <endian.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
>
> int main(void)
> {
>   syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
>   long res = 0;
>   memcpy((void*)0x20000040, "/dev/kvm", 9);
>   res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
>   if (res != -1)
>     r[0] = res;
>   res = syscall(__NR_ioctl, r[0], 0xae01, 0);
>   if (res != -1)
>     r[1] = res;
>   res = syscall(__NR_ioctl, r[1], 0xae41, 0);
>   if (res != -1)
>     r[2] = res;
>   memcpy(
>       (void*)0x20000080,
>       "\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
>       "\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
>       "\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
>       "\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
>       "\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
>       "\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
>       106);
>   syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
>   syscall(__NR_ioctl, r[2], 0xae80, 0);
>   return 0;
> }
>
> -----
>
> [   19.350071] BUG: unable to handle kernel NULL pointer dereference at 0000000000000091
> [   19.351450] PGD 800000007cfad067 P4D 800000007cfad067 PUD 7ced4067 PMD 0
> [   19.352594] Oops: 0000 [#1] SMP PTI
> [   19.353311] CPU: 1 PID: 1966 Comm: poc Not tainted 4.20.0-rc3 #1
> [   19.354338] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
> [   19.355895] RIP: 0010:kvm_lapic_find_highest_irr+0x7/0x50
> [   19.356962] Code: 00 00 00 48 8b 8f 20 03 00 00 48 89 f0 48 89 c7 48 8b b1 a0 00 00 00 e9 67 ff ff ff 0f 1f 80 00 00 00 00 48 8b 87 20 03 00 00 <80> b8 91 00 00 00 00 74 35 48 8b 88 a0 00 00 00 b8 e0 00 00 00 89
> [   19.360290] RSP: 0018:ffffc90000477d18 EFLAGS: 00010246
> [   19.361324] RAX: 0000000000000000 RBX: ffff888079998000 RCX: 0000000100000000
> [   19.362755] RDX: 0000607f822046c0 RSI: ffffffffffffffff RDI: ffff888079998000
> [   19.364009] RBP: ffffc90000477dd0 R08: 0000000000000000 R09: 0000000000000000
> [   19.365204] R10: ffffc90000477d28 R11: 0000000000000000 R12: 0000000000000000
> [   19.366399] R13: ffff888079998000 R14: 0000000000000000 R15: ffff888079998330
> [   19.367665] FS:  00000000018ad880(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000
> [   19.369021] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   19.369993] CR2: 0000000000000091 CR3: 000000007bbbe001 CR4: 00000000001626e0
> [   19.371199] Call Trace:
> [   19.371649]  vmx_sync_pir_to_irr+0x81/0xf0
> [   19.372357]  ? vcpu_load+0x1f/0x30
> [   19.372946]  kvm_arch_vcpu_ioctl_run+0x14e2/0x1a80
> [   19.373763]  ? kvm_arch_vcpu_postcreate+0xab/0xc0
> [   19.374564]  ? kvm_vcpu_ioctl+0x23e/0x5c0
> [   19.375257]  kvm_vcpu_ioctl+0x23e/0x5c0
> [   19.375926]  ? __switch_to_asm+0x34/0x70
> [   19.376599]  ? __switch_to_asm+0x40/0x70
> [   19.377269]  ? __switch_to_asm+0x34/0x70
> [   19.377940]  ? __switch_to_asm+0x40/0x70
> [   19.378614]  ? __switch_to_asm+0x34/0x70
> [   19.379295]  ? __switch_to_asm+0x40/0x70
> [   19.379991]  ? __switch_to_asm+0x34/0x70
> [   19.380668]  ? __switch_to_asm+0x40/0x70
> [   19.381354]  ? emulate_vsyscall+0x5a/0x3b0
> [   19.382065]  do_vfs_ioctl+0x9f/0x620
> [   19.382680]  ksys_ioctl+0x6b/0x80
> [   19.383259]  __x64_sys_ioctl+0x11/0x20
> [   19.383915]  do_syscall_64+0x43/0xf0
> [   19.384547]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [   19.385416] RIP: 0033:0x44a0b9
> [   19.385943] Code: 00 b8 00 01 00 00 eb e1 e8 e4 19 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> [   19.389067] RSP: 002b:00007fff79342da8 EFLAGS: 00000207 ORIG_RAX: 0000000000000010
> [   19.390345] RAX: ffffffffffffffda RBX: 0000000000400400 RCX: 000000000044a0b9
> [   19.391566] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
> [   19.392878] RBP: 00007fff79342dc0 R08: 0000000000000000 R09: 0000000000000000
> [   19.394088] R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000401a30
> [   19.395565] R13: 0000000000000000 R14: 00000000006b9018 R15: 0000000000000000
> [   19.396805] Modules linked in:
> [   19.397340] Dumping ftrace buffer:
> [   19.397928]    (ftrace buffer empty)
> [   19.398549] CR2: 0000000000000091
> [   19.399152] ---[ end trace 5826da4a0b8d97bb ]---
> [   19.399967] RIP: 0010:kvm_lapic_find_highest_irr+0x7/0x50
> [   19.400918] Code: 00 00 00 48 8b 8f 20 03 00 00 48 89 f0 48 89 c7 48 8b b1 a0 00 00 00 e9 67 ff ff ff 0f 1f 80 00 00 00 00 48 8b 87 20 03 00 00 <80> b8 91 00 00 00 00 74 35 48 8b 88 a0 00 00 00 b8 e0 00 00 00 89
> [   19.404113] RSP: 0018:ffffc90000477d18 EFLAGS: 00010246
> [   19.405007] RAX: 0000000000000000 RBX: ffff888079998000 RCX: 0000000100000000
> [   19.406301] RDX: 0000607f822046c0 RSI: ffffffffffffffff RDI: ffff888079998000
> [   19.407533] RBP: ffffc90000477dd0 R08: 0000000000000000 R09: 0000000000000000
> [   19.408862] R10: ffffc90000477d28 R11: 0000000000000000 R12: 0000000000000000
> [   19.410089] R13: ffff888079998000 R14: 0000000000000000 R15: ffff888079998330
> [   19.411575] FS:  00000000018ad880(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000
> [   19.412972] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   19.413960] CR2: 0000000000000091 CR3: 000000007bbbe001 CR4: 00000000001626e0
> [   19.415479] Kernel panic - not syncing: Fatal exception
> [   19.416994] Dumping ftrace buffer:
> [   19.417583]    (ftrace buffer empty)
> [   19.418196] Kernel Offset: disabled
> [   19.418804] ---[ end Kernel panic - not syncing: Fatal exception ]---
> [   19.419940] ------------[ cut here ]------------
> [   19.420732] sched: Unexpected reschedule of offline CPU#0!
> [   19.421671] WARNING: CPU: 1 PID: 1966 at arch/x86/kernel/smp.c:128 native_smp_send_reschedule+0x2f/0x40
> [   19.423256] Kernel panic - not syncing: panic_on_warn set ...
> [   19.424254] Dumping ftrace buffer:
> [   19.424843]    (ftrace buffer empty)
> [   19.425460] Kernel Offset: disabled
> [   19.426061] ---[ end Kernel panic - not syncing: panic_on_warn set ... ]---
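As an added example (not part of the original report or of the kernel tree), the raw ioctl request words and the KVM_SET_MSRS payload of the syzkaller reproducer quoted above can be decoded into named KVM commands, so the sequence that reaches KVM_RUN can be read without consulting syzkaller. The request-word layout and the command names are taken from asm-generic/ioctl.h and linux/kvm.h (KVMIO is 0xAE); the payload bytes are copied from the reproducer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Fields of a Linux ioctl request word (asm-generic/ioctl.h layout). */
struct ioc { unsigned dir, type, nr, size; };
static struct ioc ioc_decode(uint32_t cmd)
{
    struct ioc d = { (cmd >> 30) & 0x3, (cmd >> 8) & 0xff,
                     cmd & 0xff, (cmd >> 16) & 0x3fff };
    return d;
}
/* Name the KVM commands (type KVMIO == 0xAE) that the reproducer issues. */
static const char *kvm_ioctl_name(uint32_t cmd)
{
    struct ioc d = ioc_decode(cmd);
    if (d.type != 0xAE) return "not a KVM ioctl";
    switch (d.nr) {
    case 0x01: return "KVM_CREATE_VM";
    case 0x41: return "KVM_CREATE_VCPU";
    case 0x80: return "KVM_RUN";
    case 0x89: return "KVM_SET_MSRS";
    default:   return "other KVM ioctl";
    }
}
/* struct kvm_msrs { u32 nmsrs; u32 pad; } is followed by kvm_msr_entry
 * { u32 index; u32 reserved; u64 data; }; little-endian host, as in the report. */
struct msr_entry { uint32_t nmsrs, index; uint64_t data; };
static struct msr_entry parse_first_msr(const uint8_t *buf, size_t len)
{
    struct msr_entry e = { 0, 0, 0 };
    if (len < 24) return e;       /* 8-byte header + one 16-byte entry */
    memcpy(&e.nmsrs, buf, 4);
    memcpy(&e.index, buf + 8, 4);
    memcpy(&e.data, buf + 16, 8);
    return e;
}
/* Header plus entry 0 of the reproducer's KVM_SET_MSRS buffer (copied above). */
static const uint8_t repro_msrs[24] = {
    0x01,0x00,0x00,0x00, 0x00,0x5b,0x61,0xbb, 0x96,0x00,0x00,0x40,
    0x00,0x00,0x00,0x00, 0x01,0x00,0x08,0x00, 0x00,0x00,0x00,0x00 };
int main(void)
{
    const uint32_t seq[] = { 0xae01, 0xae41, 0x4008ae89, 0xae80 };
    for (size_t i = 0; i < 4; i++)
        printf("0x%08x -> %s\n", seq[i], kvm_ioctl_name(seq[i]));
    struct msr_entry e = parse_first_msr(repro_msrs, sizeof repro_msrs);
    printf("nmsrs=%u index=0x%08x data=0x%llx\n", e.nmsrs, e.index,
           (unsigned long long)e.data);
    return 0;
}
```

The decoded sequence is KVM_CREATE_VM, KVM_CREATE_VCPU, a single-entry KVM_SET_MSRS, then KVM_RUN on a vCPU for which no in-kernel irqchip was ever created; the one MSR written is index 0x40000096 with value 0x80001, which lies in the Hyper-V synthetic MSR range (0x40000000 to 0x400000ff).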
