From: Sean Christopherson <seanjc@google.com>
To: syzbot <syzbot+5234e75fb68b86fe89e3@syzkaller.appspotmail.com>
Cc: bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
mingo@redhat.com, pbonzini@redhat.com,
syzkaller-bugs@googlegroups.com, tglx@linutronix.de,
x86@kernel.org
Subject: Re: [syzbot] [kvm?] WARNING in __load_segment_descriptor
Date: Thu, 13 Jul 2023 08:57:52 -0700 [thread overview]
Message-ID: <ZLAfAF+kQ1HE44QI@google.com> (raw)
In-Reply-To: <000000000000a531410600582572@google.com>
On Wed, Jul 12, 2023, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 1c7873e33645 mm: lock newly mapped VMA with corrected orde..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=106f1664a80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=7ad417033279f15a
> dashboard link: https://syzkaller.appspot.com/bug?extid=5234e75fb68b86fe89e3
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=146864a8a80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=134a32bca80000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/7eb52a4d9cf3/disk-1c7873e3.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/b9aa9a9e09e8/vmlinux-1c7873e3.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/782d5e4196e2/bzImage-1c7873e3.xz
>
> The issue was bisected to:
>
> commit 65966aaca18a5cbf42ac22234cb9cbbf60a4d33c
> Author: Sean Christopherson <seanjc@google.com>
> Date: Thu Feb 16 20:22:54 2023 +0000
>
> KVM: x86: Assert that the emulator doesn't load CS with garbage in !RM
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16c70f4ca80000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=15c70f4ca80000
> console output: https://syzkaller.appspot.com/x/log.txt?x=11c70f4ca80000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+5234e75fb68b86fe89e3@syzkaller.appspotmail.com
> Fixes: 65966aaca18a ("KVM: x86: Assert that the emulator doesn't load CS with garbage in !RM")
>
> kvm_intel: set kvm_intel.dump_invalid_vmcs=1 to dump internal KVM state.
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 5022 at arch/x86/kvm/emulate.c:1648 __load_segment_descriptor+0xf89/0x1200 arch/x86/kvm/emulate.c:1648
This is caused by the bug where KVM doesn't check the incoming CR0 provided
by userspace via KVM_SET_SREGS, and ultimately ends up with KVM being confused
about whether the vCPU is in Real Mode. The new WARN is just the messenger, i.e.
detects that KVM is confused.
#syz dup: WARNING in kvm_arch_vcpu_ioctl_run (5)
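The root cause named above is a missing sanity check on a register value handed to the hypervisor by userspace, which then leaves KVM's idea of the vCPU mode internally inconsistent. The following is an added illustration of what such a check looks like; it is not KVM's code and not the fix referenced in the thread. The `struct sregs_in`, `validate_cr0()` and `set_sregs()` names are hypothetical stand-ins, and the report does not say which CR0 value the reproducer supplied: the invariants checked are general x86 rules for CR0 (bits 63:32 reserved, PG requires PE, NW=1 with CD=0 invalid), which real hardware enforces with #GP on a MOV to CR0 but which a userspace-facing ioctl has to enforce itself before the value reaches vCPU state.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* CR0 bit positions from the x86 architecture (not taken from the report). */
#define X86_CR0_PE (1ULL << 0)   /* Protection Enable */
#define X86_CR0_NW (1ULL << 29)  /* Not Write-through */
#define X86_CR0_CD (1ULL << 30)  /* Cache Disable */
#define X86_CR0_PG (1ULL << 31)  /* Paging */

/* Hypothetical, minimal stand-in for a userspace-supplied register block. */
struct sregs_in {
	uint64_t cr0;
};

/*
 * Return 0 if cr0 satisfies the architectural invariants a MOV to CR0 would
 * enforce, -EINVAL otherwise. Untrusted input is rejected here, before any
 * vCPU state is derived from it.
 */
int validate_cr0(uint64_t cr0)
{
	if (cr0 >> 32)		/* bits 63:32 are reserved and must be zero */
		return -EINVAL;
	if ((cr0 & X86_CR0_PG) && !(cr0 & X86_CR0_PE))	/* paging requires protected mode */
		return -EINVAL;
	if ((cr0 & X86_CR0_NW) && !(cr0 & X86_CR0_CD))	/* NW=1 with CD=0 is invalid */
		return -EINVAL;
	return 0;
}

/*
 * Hypothetical set_sregs: validate the whole request first so that a bad
 * value never becomes a half-applied, inconsistent vCPU mode.
 */
int set_sregs(const struct sregs_in *in, uint64_t *vcpu_cr0)
{
	int ret = validate_cr0(in->cr0);

	if (ret)
		return ret;
	*vcpu_cr0 = in->cr0;
	return 0;
}

int main(void)
{
	uint64_t cr0 = 0;
	/* Constructed inputs: PG set without PE is rejected, PG|PE is accepted. */
	struct sregs_in bad = { .cr0 = X86_CR0_PG };
	struct sregs_in good = { .cr0 = X86_CR0_PG | X86_CR0_PE };

	printf("bad:  ret=%d cr0=%#llx\n", set_sregs(&bad, &cr0),
	       (unsigned long long)cr0);
	printf("good: ret=%d cr0=%#llx\n", set_sregs(&good, &cr0),
	       (unsigned long long)cr0);
	return 0;
}
```

The point of validating up front rather than on use is the one the message makes: once an impossible CR0 is accepted, every later consumer (here the segment loader) has to second-guess the mode, and a WARN there can only report the confusion, not prevent it.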
Thread overview: 2+ messages
2023-07-13 6:07 [syzbot] [kvm?] WARNING in __load_segment_descriptor syzbot
2023-07-13 15:57 ` Sean Christopherson [this message]