Date: Tue, 21 Sep 2021 23:34:09 +0000
From: Sean Christopherson
To: Dmitry Vyukov
Cc: Marco Elver, syzbot, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk, the arch/x86 maintainers, Linux ARM, kasan-dev
Subject: Re: [syzbot] upstream test error: KFENCE: use-after-free in kvm_fastop_exception
References: <000000000000d6b66705cb2fffd4@google.com>

On Fri, Sep 17, 2021, Dmitry Vyukov wrote:
> On Fri, 17 Sept 2021 at 13:04, Marco Elver wrote:
> > > So it looks like in both cases the top fault frame is just wrong. But
> > > I would assume it's extracted by arch-dependent code, so it's
> > > suspicious that it affects both x86 and arm64...
> > >
> > > Any ideas what's happening?
> >
> > My suspicion for the x86 case is that kvm_fastop_exception is related
> > to instruction emulation and the fault occurs in an emulated
> > instruction?
>
> Why would the kernel emulate a plain MOV?
> 2a: 4c 8b 21 mov (%rcx),%r12
>
> And it would also mean a broken unwind because the emulated
> instruction is in __d_lookup, so it should be in the stack trace.

kvm_fastop_exception is a red herring. It's indeed related to emulation,
and while MOV emulation is common in KVM, that emulation is for KVM guests
not for the host kernel where this splat occurs (ignoring the fact that the
"host" is itself a guest).

kvm_fastop_exception is out-of-line fixup, and certainly shouldn't be
reachable via d_lookup. It's also two instructions, XOR+RET, neither of
which are in the code stream. IIRC, the unwinder gets confused when given
an IP that's in out-of-line code, e.g. exception fixup like this.

If you really want to find out what code blew up, you might be able to
objdump -D the kernel and search for unique, matching disassembly, e.g.
find "jmpq 0xf86d288c" and go from there.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
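The objdump-and-search step suggested in the reply above, written out as a script; this is an added example, not code from the thread or from the kernel tree. It reads `objdump -d` output on stdin and reports the enclosing symbol and offset for every instruction whose opcode bytes or mnemonic text contain a given substring, so an IP the unwinder mis-attributed to out-of-line fixup can be traced back to the function whose code actually faulted. The `vmlinux` path and the embedded listing are assumptions constructed for an offline run.

```shell
#!/bin/sh
# Added example, not code from the thread: objdump the kernel, search the
# listing for the disassembly seen in the oops, and report which function
# the hit lands in.  Real usage (vmlinux path is an assumption):
#   objdump -d vmlinux | find_func_for_insn 'jmpq   0xf86d288c'

# find_func_for_insn <literal-substring>: reads objdump -d output on stdin,
# prints "symbol+0xoffset" for each instruction line containing the substring
# (opcode bytes or mnemonic text), attributed to the last "<symbol>:" header.
find_func_for_insn() {
    awk -v pat="$1" '
        # Low 32 bits of a hex address (a 64-bit kernel address would not
        # survive awk double arithmetic; base and hit share the upper bits).
        function hex32(s,   i, v) {
            if (length(s) > 8) s = substr(s, length(s) - 7)
            v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        # Symbol header, e.g. "ffffffff81300000 <__d_lookup>:"
        /^[0-9a-f]+ <[^>]+>:$/ {
            sym = $2; sub(/^</, "", sym); sub(/>:$/, "", sym)
            base = hex32($1); next
        }
        # Instruction line, e.g. "ffffffff81300005: 4c 8b 21  mov (%rcx),%r12"
        /^[0-9a-f]+:/ && index($0, pat) > 0 {
            addr = $1; sub(/:$/, "", addr)
            off = hex32(addr) - base
            if (off < 0) off += 4294967296   # straddled a 2^32 boundary
            printf "%s+0x%x\n", sym, off
        }'
}

# Constructed objdump -d excerpt standing in for a real vmlinux listing.
SAMPLE_OBJDUMP='
ffffffff81300000 <__d_lookup>:
ffffffff81300000: 41 54             push   %r12
ffffffff81300002: 48 89 f9          mov    %rdi,%rcx
ffffffff81300005: 4c 8b 21          mov    (%rcx),%r12
ffffffff81300008: 41 5c             pop    %r12
ffffffff8130000a: c3                retq

ffffffff81f00000 <.fixup>:
ffffffff81f00000: e9 1b 00 40 ff    jmpq   ffffffff81300020 <kvm_fastop_exception>
'

# search_sample <substring>: run the search over the constructed listing.
search_sample() { printf '%s\n' "$SAMPLE_OBJDUMP" | find_func_for_insn "$1"; }
search_sample '4c 8b 21'   # -> __d_lookup+0x5
```

Searching the constructed listing for `kvm_fastop_exception` only hits the `.fixup` jump, which is the point of the reply: the symbol shows up as a fixup target, not as code in the faulting function.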