From: Xiao Guangrong <guangrong.xiao@linux.intel.com>
To: Dmitry Vyukov <dvyukov@google.com>,
Gleb Natapov <gleb@kernel.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
"x86@kernel.org" <x86@kernel.org>,
kvm@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
mtosatti@redhat.com, yoshikawa_takuya_b1@lab.ntt.co.jp
Cc: syzkaller <syzkaller@googlegroups.com>,
Kostya Serebryany <kcc@google.com>,
Alexander Potapenko <glider@google.com>,
Eric Dumazet <edumazet@google.com>,
Sasha Levin <sasha.levin@oracle.com>
Subject: Re: kvm: GPF in kvm_lapic_latched_init
Date: Mon, 18 Jan 2016 17:57:32 +0800
Message-ID: <569CB70C.90503@linux.intel.com>
In-Reply-To: <CACT4Y+ZyMieThC1te0OC7ReH_HX+nvwDbwiuEe4WgfzT9hgOGg@mail.gmail.com>
Hi Dmitry,

Thanks for your report. What are the qemu parameters you are using, so that
I can reproduce it locally?

Thanks!

On 01/16/2016 01:12 AM, Dmitry Vyukov wrote:
> On Fri, Jan 8, 2016 at 7:42 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
>> Hello,
>>
>> The following program triggers GPF in kvm_lapic_latched_init if run in
>> a parallel loop:
>> https://gist.githubusercontent.com/dvyukov/524b398f379440b21115/raw/9627095f57a72501fb51bf7565471d31732beeee/gistfile1.txt
>>
>> kasan: GPF could be caused by NULL-ptr deref or user memory access
>> general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
>> Modules linked in:
>> CPU: 3 PID: 14426 Comm: a.out Not tainted 4.4.0-rc8+ #217
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> task: ffff880061099780 ti: ffff880062e30000 task.ti: ffff880062e30000
>> RIP: 0010:[<ffffffff81057171>] [<ffffffff81057171>]
>> kvm_arch_vcpu_ioctl+0xa31/0x2ef0
>> RSP: 0018:ffff880062e37900 EFLAGS: 00010206
>> RAX: dffffc0000000000 RBX: 1ffff1000c5c6f25 RCX: 1ffff1000c41b7cb
>> RDX: 000000000000001e RSI: 000000008040ae9f RDI: 00000000000000f0
>> RBP: ffff880062e37c10 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
>> R13: 0000000000000000 R14: ffff880062e37be8 R15: 0000000000000000
>> FS: 00007f4aa815f700(0000) GS:ffff88006d700000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
>> CR2: 00007f4aa795de78 CR3: 00000000613c2000 CR4: 00000000000026e0
>> Stack:
>> 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> 0000000020006fe4 0000000041b58ab3 ffffffff86e2e588 ffffffff81056740
>> 0000000000000001 ffff880061099f60 0000000000000498 ffff880061099f68
>> Call Trace:
>> [<ffffffff8101cb52>] kvm_vcpu_ioctl+0x1e2/0xd00
>> arch/x86/kvm/../../../virt/kvm/kvm_main.c:2526
>> [< inline >] vfs_ioctl fs/ioctl.c:43
>> [<ffffffff817b36b1>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
>> [< inline >] SYSC_ioctl fs/ioctl.c:622
>> [<ffffffff817b3eff>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
>> [<ffffffff85e745b6>] entry_SYSCALL_64_fastpath+0x16/0x7a
>> arch/x86/entry/entry_64.S:185
>> Code: 85 2d 20 00 00 4d 8b a4 24 60 03 00 00 e8 c8 8b 50 00 49 8d bc
>> 24 f0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80>
>> 3c 02 00 0f 85 f3 1f 00 00 4d 8b a4 24 f0 00 00 00 41 83 e4
>> RIP [< inline >] constant_test_bit ./arch/x86/include/asm/bitops.h:311
>> RIP [< inline >] kvm_lapic_latched_init arch/x86/kvm/lapic.h:164
>> RIP [< inline >] kvm_vcpu_ioctl_x86_get_vcpu_events
>> arch/x86/kvm/x86.c:2936
>> RIP [<ffffffff81057171>] kvm_arch_vcpu_ioctl+0xa31/0x2ef0
>> arch/x86/kvm/x86.c:3347
>> RSP <ffff880062e37900>
>> ---[ end trace 16449377928e034b ]---
>>
>>
>> or:
>>
>> kasan: GPF could be caused by NULL-ptr deref or user memory access
>> general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
>> Modules linked in:
>> CPU: 0 PID: 9555 Comm: syz-executor Not tainted 4.4.0-rc8+ #217
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> task: ffff88006301de00 ti: ffff880062568000 task.ti: ffff880062568000
>> RIP: 0010:[<ffffffff810cf5ab>] [<ffffffff810cf5ab>]
>> wait_lapic_expire+0x6b/0x560
>> RSP: 0018:ffff88006256fa48 EFLAGS: 00010006
>> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff88006301e5c8
>> RDX: 0000000000000011 RSI: 0000000000000000 RDI: ffff880033590360
>> RBP: ffff88006256fa88 R08: 0000000000000001 R09: 0000000000000002
>> R10: 0000000000000001 R11: 0000000000000001 R12: ffff880033590000
>> R13: ffff880033590030 R14: 0000000000000088 R15: ffff88003359002c
>> FS: 00007f4809354700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007f4808b53000 CR3: 0000000033f3f000 CR4: 00000000000026f0
>> Stack:
>> ffff88006256fa70 0000000000000082 0000000000000003 ffff88006301de00
>> ffff880033590030 ffff880033590030 ffff880033590000 ffff88003359002c
>> ffff88006256fc10 ffffffff8106a1dc ffffffff8106a75b 0000000000013210
>> Call Trace:
>> [< inline >] vcpu_enter_guest arch/x86/kvm/x86.c:6523
>> [< inline >] vcpu_run arch/x86/kvm/x86.c:6660
>> [<ffffffff8106a1dc>] kvm_arch_vcpu_ioctl_run+0x25ec/0x5820
>> arch/x86/kvm/x86.c:6818
>> [<ffffffff8101cf61>] kvm_vcpu_ioctl+0x5f1/0xd00
>> arch/x86/kvm/../../../virt/kvm/kvm_main.c:2375
>> [< inline >] vfs_ioctl fs/ioctl.c:43
>> [<ffffffff817b36b1>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
>> [< inline >] SYSC_ioctl fs/ioctl.c:622
>> [<ffffffff817b3eff>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
>> [<ffffffff85e745b6>] entry_SYSCALL_64_fastpath+0x16/0x7a
>> arch/x86/entry/entry_64.S:185
>> Code: 60 03 00 00 0f 1f 44 00 00 e8 92 07 49 00 4c 8d b3 88 00 00 00
>> e8 86 07 49 00 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>
>> 3c 02 00 0f 85 d8 04 00 00 4c 8b ab 88 00 00 00 4d 85 ed 75
>> RIP [<ffffffff810cf5ab>] wait_lapic_expire+0x6b/0x560 arch/x86/kvm/lapic.c:1245
>> RSP <ffff88006256fa48>
>> ---[ end trace 560c2b85e36670bc ]---
>>
>> or:
>>
>> kasan: GPF could be caused by NULL-ptr deref or user memory access
>> general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
>> Modules linked in:
>> CPU: 3 PID: 11264 Comm: syz-executor Not tainted 4.4.0-rc8+ #217
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> task: ffff880064d55e00 ti: ffff880064dc0000 task.ti: ffff880064dc0000
>> RIP: 0010:[<ffffffff810d138d>] [<ffffffff810d138d>]
>> apic_has_pending_timer+0x7d/0x210
>> RSP: 0018:ffff880064dc7a60 EFLAGS: 00010206
>> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000004
>> RDX: 0000000000000017 RSI: 0000000000000000 RDI: 00000000000000b8
>> RBP: ffff880064dc7a70 R08: 0000000000000002 R09: 0000000000000001
>> R10: ffff880064d55e00 R11: ffff880063528220 R12: ffff880063250030
>> R13: ffff880063250030 R14: ffff880063250000 R15: 0000000000000000
>> FS: 00007fb05f305700(0000) GS:ffff88006d700000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00000000006d7760 CR3: 0000000065ae9000 CR4: 00000000000026e0
>> Stack:
>> ffff880063250000 ffff880063250030 ffff880064dc7a88 ffffffff810c7af5
>> ffffffff86fee5c0 ffff880064dc7c10 ffffffff810685d4 ffffffff8106a75b
>> 0000000000013210 ffff880065a35000 1ffff1000c9b8f59 ffff880064dc0008
>> Call Trace:
>> [<ffffffff810c7af5>] kvm_cpu_has_pending_timer+0x15/0x20 arch/x86/kvm/irq.c:36
>> [< inline >] vcpu_run arch/x86/kvm/x86.c:6669
>> [<ffffffff810685d4>] kvm_arch_vcpu_ioctl_run+0x9e4/0x5820
>> arch/x86/kvm/x86.c:6818
>> [<ffffffff8101cf61>] kvm_vcpu_ioctl+0x5f1/0xd00
>> arch/x86/kvm/../../../virt/kvm/kvm_main.c:2375
>> [< inline >] vfs_ioctl fs/ioctl.c:43
>> [<ffffffff817b36b1>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
>> [< inline >] SYSC_ioctl fs/ioctl.c:622
>> [<ffffffff817b3eff>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
>> [<ffffffff85e745b6>] entry_SYSCALL_64_fastpath+0x16/0x7a
>> arch/x86/entry/entry_64.S:185
>> Code: ba e9 48 00 0f 1f 44 00 00 e8 b0 e9 48 00 e8 ab e9 48 00 48 8d
>> bb b8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80>
>> 3c 02 00 0f 85 46 01 00 00 4c 8b a3 b8 00 00 00 48 b8 00 00
>> RIP [< inline >] arch_static_branch
>> ./arch/x86/include/asm/jump_label.h:21
>> RIP [< inline >] static_key_false include/linux/jump_label.h:133
>> RIP [< inline >] kvm_apic_hw_enabled arch/x86/kvm/lapic.h:117
>> RIP [< inline >] apic_enabled arch/x86/kvm/lapic.c:121
>> RIP [<ffffffff810d138d>] apic_has_pending_timer+0x7d/0x210
>> arch/x86/kvm/lapic.c:1731
>> RSP <ffff880064dc7a60>
>> ---[ end trace fe9c10b88e48c946 ]---
>>
>>
>> All crashes suggest that apic is NULL.
>>
>> On commit b06f3a168cdcd80026276898fd1fee443ef25743 (Jan 6).
>
> + more kvm people
>
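The conclusion "apic is NULL" can be read directly off the three register dumps above. Under CONFIG_KASAN every load is preceded by a shadow check, and the "Code:" bytes in all three oopses contain exactly that sequence: `48 b8 00 00 00 00 00 fc ff df` (movabs $0xdffffc0000000000,%rax, the x86-64 KASAN shadow offset), a mov of the target address into %rdx, `48 c1 ea 03` (shr $3,%rdx) and the faulting `80 3c 02 00` (cmpb $0,(%rdx,%rax,1)). Just before that, the address is formed as lea 0xf0(%r12), lea 0x88(%rbx) and lea 0xb8(%rbx) respectively, and R12 or RBX is 0000000000000000 in each dump. The shadow address for a near-NULL pointer is non-canonical, which is why the CPU raises #GP rather than a page fault and why KASAN prints the "NULL-ptr deref or user memory access" hint. The following C program is an added example, not code from this thread or from KVM: it takes the register values copied from the three reports (constructed input), recovers the original load address as RDX << 3, cross-checks the shadow address for canonicality, and classifies the access. The 64 KiB "NULL page" threshold is an assumption for the example (the usual vm.mmap_min_addr), not something the kernel prints.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 KASAN constants; the offset is also the literal loaded into RAX in
 * every "Code:" line of the three quoted reports. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define NOT_A_SHADOW_CHECK       UINT64_MAX

/* Assumption for this example: an address below 64 KiB (the usual
 * vm.mmap_min_addr) is treated as "NULL plus a struct field offset". */
#define NULL_DEREF_LIMIT         0x10000ULL

struct oops_regs {
    const char *func;   /* innermost function at RIP */
    uint64_t rax;       /* base of the shadow lookup */
    uint64_t rdx;       /* addr >> 3, index into the shadow */
    uint64_t base;      /* register the field offset was added to (R12 / RBX) */
};

/* Register values copied from the three quoted oopses (constructed input).
 * In each one the "Code:" bytes form the field address with
 * lea off(%r12) or lea off(%rbx), so that register is the struct pointer. */
static const struct oops_regs reports[] = {
    { "kvm_lapic_latched_init", 0xdffffc0000000000ULL, 0x1e, 0 }, /* R12 = 0 */
    { "wait_lapic_expire",      0xdffffc0000000000ULL, 0x11, 0 }, /* RBX = 0 */
    { "apic_has_pending_timer", 0xdffffc0000000000ULL, 0x17, 0 }, /* RBX = 0 */
};
#define NREPORTS (sizeof reports / sizeof reports[0])

/* A 48-bit virtual address is canonical when bits 63..47 are all equal.
 * A non-canonical address raises #GP instead of #PF, which is why these
 * reports say "general protection fault" rather than showing a page fault. */
static bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Shadow byte address the instrumented cmpb reads for a given load address. */
static uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Recover the address of the original load from the registers at RIP.
 * Returns NOT_A_SHADOW_CHECK when RAX is not the shadow offset, i.e. the
 * faulting instruction is not KASAN's cmpb and this decoding does not apply. */
static uint64_t kasan_fault_addr(const struct oops_regs *r)
{
    if (r->rax != KASAN_SHADOW_OFFSET)
        return NOT_A_SHADOW_CHECK;
    return r->rdx << KASAN_SHADOW_SCALE_SHIFT;
}

static bool is_null_deref(uint64_t addr)
{
    return addr < NULL_DEREF_LIMIT;
}

/* Number of reports that decode to a NULL-page load through a zero base
 * register, i.e. are consistent with the struct pointer itself being NULL. */
static size_t null_base_reports(void)
{
    size_t n = 0;
    for (size_t i = 0; i < NREPORTS; i++) {
        uint64_t addr = kasan_fault_addr(&reports[i]);
        if (addr != NOT_A_SHADOW_CHECK && is_null_deref(addr) && reports[i].base == 0)
            n++;
    }
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NREPORTS; i++) {
        const struct oops_regs *r = &reports[i];
        uint64_t addr = kasan_fault_addr(r);
        if (addr == NOT_A_SHADOW_CHECK) {
            printf("%-24s not a KASAN shadow check\n", r->func);
            continue;
        }
        uint64_t shadow = kasan_shadow_addr(addr);
        printf("%-24s load at 0x%llx = base 0x%llx + 0x%llx, shadow 0x%llx (%s) -> %s\n",
               r->func, (unsigned long long)addr,
               (unsigned long long)r->base, (unsigned long long)(addr - r->base),
               (unsigned long long)shadow,
               is_canonical(shadow) ? "canonical" : "non-canonical, #GP",
               is_null_deref(addr) ? "NULL pointer + field offset" : "wild pointer");
    }
    return 0;
}
```

The decoding only holds when RAX still contains the shadow offset at the faulting instruction, which is the case for the compiler-generated inline check but not for calls into __asan_load*; for those, the address has to be taken from the function's argument register instead.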
Thread overview: 14+ messages
2016-01-08 18:42 kvm: GPF in kvm_lapic_latched_init Dmitry Vyukov
2016-01-15 17:12 ` Dmitry Vyukov
2016-01-18 9:57 ` Xiao Guangrong [this message]
2016-01-18 10:11 ` Dmitry Vyukov
2016-06-22 8:20 ` Dmitry Vyukov
2016-06-22 8:36 ` Paolo Bonzini
2016-06-22 8:38 ` Dmitry Vyukov
2016-06-22 8:46 ` Paolo Bonzini
2016-06-22 9:56 ` Dmitry Vyukov
2016-01-15 19:59 ` Jeff Merkey
2016-01-15 20:09 ` Dmitry Vyukov
2016-01-15 20:54 ` Jeff Merkey
2016-05-31 10:35 ` Paolo Bonzini
2016-06-01 7:59 ` Dmitry Vyukov