From: syzbot <syzbot+f6a46b038fc243ac0175@syzkaller.appspotmail.com>
To: catalin.marinas@arm.com, joey.gouly@arm.com, kvm@vger.kernel.org,
	 kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
	 linux-kernel@vger.kernel.org, maz@kernel.org, oupton@kernel.org,
	 suzuki.poulose@arm.com, syzkaller-bugs@googlegroups.com,
	will@kernel.org,  yuzenghui@huawei.com
Subject: [syzbot] [kvmarm?] [kvm?] BUG: unable to handle kernel paging request in kvm_vgic_destroy
Date: Sat, 28 Feb 2026 03:46:20 -0800	[thread overview]
Message-ID: <69a2d58c.050a0220.3a55be.003b.GAE@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    6316366129d2 Merge branch kvm-arm64/misc-6.20 into kvmarm-..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
console output: https://syzkaller.appspot.com/x/log.txt?x=15e59c4a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=148fc9aa8e041d0a
dashboard link: https://syzkaller.appspot.com/bug?extid=f6a46b038fc243ac0175
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13182006580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=173900ba580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-63163661.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1018400deda3/vmlinux-63163661.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fb8a8bb5d8a4/Image-63163661.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f6a46b038fc243ac0175@syzkaller.appspotmail.com

 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x90/0x230 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x120/0x2f4 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x58/0x74 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x238 arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Unable to handle kernel paging request at virtual address ffef800000000000
KASAN: maybe wild-memory-access in range [0xff00000000000000-0xff0000000000000f]
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ffef800000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1]  SMP
Modules linked in:
CPU: 0 UID: 0 PID: 3651 Comm: syz.2.17 Not tainted syzkaller #0 PREEMPT 
Hardware name: linux,dummy-virt (DT)
pstate: 01402009 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : kvm_vgic_dist_destroy arch/arm64/kvm/vgic/vgic-init.c:445 [inline]
pc : kvm_vgic_destroy+0x2d4/0x624 arch/arm64/kvm/vgic/vgic-init.c:518
lr : kvm_vgic_dist_destroy arch/arm64/kvm/vgic/vgic-init.c:444 [inline]
lr : kvm_vgic_destroy+0x290/0x624 arch/arm64/kvm/vgic/vgic-init.c:518
sp : ffff80008e647b90
x29: ffff80008e647ba0 x28: 0000000000000005 x27: cdf00000200a52d8
x26: cdf00000200a4db0 x25: 00000000000000cd x24: cdf00000200a4d8c
x23: 00000000000000cd x22: 00000000000000cd x21: cdf00000200a4ad0
x20: efff800000000000 x19: cdf00000200a4000 x18: 00000000030f4b63
x17: 0000000000000031 x16: 0000000000000000 x15: ffff800088209a68
x14: ffffffffffffffff x13: 0000000000000028 x12: 5df000001795c1f0
x11: ffff800088209a68 x10: 0000000000ff0100 x9 : 0ff0000000000000
x8 : 0000000000000000 x7 : ffff80008672f958 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000002
x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000007
Call trace:
 kvm_vgic_dist_destroy arch/arm64/kvm/vgic/vgic-init.c:445 [inline] (P)
 kvm_vgic_destroy+0x2d4/0x624 arch/arm64/kvm/vgic/vgic-init.c:518 (P)
 kvm_arch_destroy_vm+0x88/0x138 arch/arm64/kvm/arm.c:299
 kvm_destroy_vm virt/kvm/kvm_main.c:1317 [inline]
 kvm_put_kvm+0x778/0xbe0 virt/kvm/kvm_main.c:1354
 kvm_vm_release+0x58/0x78 virt/kvm/kvm_main.c:1377
 __fput+0x4ac/0x978 fs/file_table.c:468
 ____fput+0x20/0x58 fs/file_table.c:496
 task_work_run+0x1b8/0x250 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
 exit_to_user_mode_loop+0x110/0x188 kernel/entry/common.c:75
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 exit_to_user_mode_prepare_legacy include/linux/irq-entry-common.h:242 [inline]
 arm64_exit_to_user_mode arch/arm64/kernel/entry-common.c:81 [inline]
 el0_svc+0x17c/0x238 arch/arm64/kernel/entry-common.c:725
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: 54000420 b2481c28 d344fd09 d378fc28 (38696a89) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	54000420 	b.eq	0x84  // b.none
   4:	b2481c28 	orr	x8, x1, #0xff00000000000000
   8:	d344fd09 	lsr	x9, x8, #4
   c:	d378fc28 	lsr	x8, x1, #56
* 10:	38696a89 	ldrb	w9, [x20, x9] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Thread overview: 5+ messages
2026-02-28 11:46 syzbot [this message]
2026-02-28 14:55 ` [syzbot] [kvmarm?] [kvm?] BUG: unable to handle kernel paging request in kvm_vgic_destroy Marc Zyngier
2026-02-28 15:57   ` syzbot
2026-03-02 12:59   ` Dmitry Vyukov
2026-03-02 13:26     ` Marc Zyngier
