From: bugzilla-daemon@bugzilla.kernel.org
To: kvm@vger.kernel.org
Subject: [Bug 103141] New: Host-triggerable NULL pointer oops
Date: Wed, 19 Aug 2015 16:42:28 +0000
Message-ID: <bug-103141-28872@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=103141
Bug ID: 103141
Summary: Host-triggerable NULL pointer oops
Product: Virtualization
Version: unspecified
Kernel Version: 4.1.5
Hardware: x86-64
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: kvm
Assignee: virtualization_kvm@kernel-bugs.osdl.org
Reporter: felix.von.s@posteo.de
Regression: No
Created attachment 185241
--> https://bugzilla.kernel.org/attachment.cgi?id=185241&action=edit
Test program (C99)
Amusingly enough, I found this while trying to come up with a minimal test
program for #103131.
Running ioctl(KVM_CREATE_VCPU) _after_ ioctl(KVM_SET_USER_MEMORY_REGION) with
certain address/size combinations may generate a null pointer dereference.
dmesg after running the test program:
[11557.519426] BUG: unable to handle kernel NULL pointer dereference at 000000000000005f
[11557.520561] IP: [<ffffffffa045b2f5>] vmx_fpu_activate+0x5/0x20 [kvm_intel]
[11557.521716] PGD 13841a067 PUD 13857c067 PMD 0
[11557.522891] Oops: 0000 [#25] PREEMPT SMP
[11557.524073] Modules linked in: [REDACTED]
[11557.534572] CPU: 5 PID: 4295 Comm: tcc Tainted: P D O 4.1.5-1-ARCH #1
[11557.536451] Hardware name: [REDACTED]
[11557.538361] task: ffff880068425180 ti: ffff880138784000 task.ti: ffff880138784000
[11557.540331] RIP: 0010:[<ffffffffa045b2f5>] [<ffffffffa045b2f5>] vmx_fpu_activate+0x5/0x20 [kvm_intel]
[11557.542367] RSP: 0018:ffff880138787da0 EFLAGS: 00010292
[11557.544411] RAX: ffffffffa0476160 RBX: ffffffffffffffef RCX: 0000000000000000
[11557.546476] RDX: 0000000000001f85 RSI: ffff88014b15e8b0 RDI: ffffffffffffffef
[11557.548553] RBP: ffff880138787db8 R08: 000000000001e8b0 R09: ffffffffa045cbf3
[11557.550605] R10: ffffea00027eee00 R11: ffff88014b157348 R12: 0000000000000000
[11557.552637] R13: 0000000000000000 R14: 000000000000ae41 R15: 0000000000000000
[11557.554691] FS: 00007fba3936d700(0000) GS:ffff88014b140000(0000) knlGS:0000000000000000
[11557.556796] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[11557.558914] CR2: 000000000000005f CR3: 000000013857d000 CR4: 00000000000426e0
[11557.561092] Stack:
[11557.563213] ffffffffa03deaf1 0000000000000000 ffff8800a52fc000 ffff880138787e78
[11557.565412] ffffffffa03ca6d8 ffff880138787de8 ffffffff81175b5b ffff88011edffb80
[11557.567650] 0000000000000000 00000000fffbc000 0000000000044000 00007fba39371000
[11557.569906] Call Trace:
[11557.572169] [<ffffffffa03deaf1>] ? kvm_arch_vcpu_create+0x51/0x70 [kvm]
[11557.574476] [<ffffffffa03ca6d8>] kvm_vm_ioctl+0x1c8/0x7a0 [kvm]
[11557.576773] [<ffffffff81175b5b>] ? lru_cache_add_active_or_unevictable+0x2b/0xb0
[11557.579118] [<ffffffff811f4646>] do_vfs_ioctl+0x2c6/0x4d0
[11557.581470] [<ffffffff811f48d1>] SyS_ioctl+0x81/0xa0
[11557.583841] [<ffffffff8158bf2e>] system_call_fastpath+0x12/0x71
[11557.586265] Code: 00 e8 20 bf ff ff 5b 41 5c 5d c3 0f 1f 00 48 8b 05 31 85 fc ff ff 90 b8 00 00 00 eb 87 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 <8b> 47 70 85 c0 75 0a 55 48 89 e5 e8 3b ff ff ff 5d f3 c3 0f 1f
[11557.592112] RIP [<ffffffffa045b2f5>] vmx_fpu_activate+0x5/0x20 [kvm_intel]
[11557.594990] RSP <ffff880138787da0>
[11557.597859] CR2: 000000000000005f
[11557.600786] ---[ end trace b28b93d27b3449c9 ]---
When I move ioctl(KVM_CREATE_VCPU) immediately below ioctl(KVM_CREATE_VM) there
is no oops, but a later KVM_RUN exits with KVM_EXIT_INTERNAL_ERROR, subcode
KVM_INTERNAL_ERROR_EMULATION. The crashes also stop when I decrease
umr.memory_size below what I specified in the attached test program.