From: bugzilla-daemon@bugzilla.kernel.org
To: kvm@vger.kernel.org
Subject: [Bug 203923] Running a nested freedos on AMD Athlon i686-pae results in NULL pointer dereference in L0 (kvm_mmu_load)
Date: Wed, 01 Apr 2020 04:39:50 +0000
Message-ID: <bug-203923-28872-AS0dA0De57@https.bugzilla.kernel.org/>
In-Reply-To: <bug-203923-28872@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=203923
Anders Kaseorg (andersk@mit.edu) changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andersk@mit.edu
--- Comment #8 from Anders Kaseorg (andersk@mit.edu) ---
The second patch was committed as v5.4-rc1~138^2~6.
I found this while staring at a similar-looking kvm_mmu_load NULL dereference
on the hardware kernel while starting a nested VM on an AMD Ryzen 7 1800X,
kernel 5.4.28. Should I try to expand this into a full report, or does your
original recipe still reproduce?
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] SMP NOPTI
CPU: 5 PID: 1994 Comm: CPU 7/KVM Tainted: P OE 5.4.28 #1-NixOS
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./AB350M Pro4, BIOS
P5.90 07/03/2019
RIP: 0010:kvm_mmu_load+0x2e6/0x5b0 [kvm]
Code: 2b 0d 46 c7 0c fa 83 40 50 01 49 8b 3f c6 07 00 0f 1f 40 00 49 8b 87 68
03 00 00 48 01 ca 48 0b 54 24 08 48 8b 80 b8 00 00 00 <4a> 89 14 30 e9 57 ff ff
ff 48 c1 e8 0c 4c 89 ff 48 89 c6 49 89 c5
RSP: 0018:ffffbc2883aefcc8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00006355c0000000
RDX: 00000007b954a027 RSI: ffffbc2883aefc68 RDI: ffffbc2883ab1000
RBP: 0000000000000000 R08: ffffbc2883ab1000 R09: ffffbc2883aefbf0
R10: ffffbc2883aefc68 R11: ffff9cb05e950008 R12: 0000000000000000
R13: 00000000000290a3 R14: 0000000000000000 R15: ffff9cb15c0c38f0
FS: 0000000000000000(0000) GS:ffff9cb1be940000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000079fda4000 CR4: 00000000003406e0
Call Trace:
kvm_arch_vcpu_ioctl_run+0xfe4/0x1d60 [kvm]
? _copy_to_user+0x28/0x30
? kvm_vm_ioctl+0x7ab/0x8e0 [kvm]
kvm_vcpu_ioctl+0x215/0x5c0 [kvm]
? __seccomp_filter+0x7b/0x670
do_vfs_ioctl+0x3fe/0x660
ksys_ioctl+0x5e/0x90
__x64_sys_ioctl+0x16/0x20
do_syscall_64+0x4e/0x120
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f4a959ba147
Code: 00 00 90 48 8b 05 39 9d 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff
c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01
c3 48 8b 0d 09 9d 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007f4a79ffa508 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000000ae80 RCX: 00007f4a959ba147
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000022
RBP: 00005563acc09d00 R08: 00005563aab57b90 R09: 00000000000000ff
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00005563ab1ba980 R14: 0000000000000001 R15: 0000000000000000
Modules linked in: fuse vhost_net vhost ip6table_mangle ebtable_filter ebtables
iptable_mangle xt_CHECKSUM xt_comment xt_MASQUERADE nf_conntrack_netlink
nfnetlink xfrm_user xfrm_algo xt_addrtype br_netfilter msr ip6table_nat
iptable_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv4 ip6t_rpfilter
ipt_rpfilter ip6table_raw iptable_raw xt_pkttype nf_log_ipv6 nf_log_ipv4
nf_log_common xt_LOG ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4
xt_tcpudp ip6table_filter ip6_tables iptable_filter sch_fq_codel nls_iso8859_1
nls_cp437 vfat snd_hda_codec_hdmi fat snd_hda_codec_realtek wmi_bmof
nvidia_drm(POE) snd_hda_codec_generic ledtrig_audio drm_kms_helper edac_mce_amd
nvidia_modeset(POE) snd_hda_intel edac_core snd_intel_nhlt nvidia_uvm(OE) drm
joydev snd_hda_codec evdev mousedev mac_hid deflate efi_pstore crct10dif_pclmul
pstore agpgart sp5100_tco snd_hda_core crc32_pclmul fb_sys_fops watchdog
syscopyarea efivars sysfillrect snd_hwdep ghash_clmulni_intel i2c_piix4
sysimgblt
k10temp gpio_amdpt pinctrl_amd gpio_generic wmi button acpi_cpufreq
nvidia(POE) ipmi_devintf ipmi_msghandler i2c_core snd_pcm_oss snd_mixer_oss
snd_pcm snd_timer snd soundcore atkbd libps2 serio loop cpufreq_ondemand tap
macvlan bridge stp llc tun efivarfs ip_tables x_tables ipv6 nf_defrag_ipv6
crc_ccitt autofs4 dm_crypt algif_skcipher af_alg input_leds led_class sd_mod
hid_generic usbhid hid xhci_pci ahci xhci_hcd libahci libata usbcore
aesni_intel scsi_mod crypto_simd cryptd glue_helper usb_common rtc_cmos
af_packet dm_mod btrfs libcrc32c crc32c_generic crc32c_intel xor
zstd_decompress zstd_compress raid6_pq kvm_amd kvm irqbypass r8169 realtek
libphy
CR2: 0000000000000000
---[ end trace d6db99b9073bce58 ]---
RIP: 0010:kvm_mmu_load+0x2e6/0x5b0 [kvm]
Code: 2b 0d 46 c7 0c fa 83 40 50 01 49 8b 3f c6 07 00 0f 1f 40 00 49 8b 87 68
03 00 00 48 01 ca 48 0b 54 24 08 48 8b 80 b8 00 00 00 <4a> 89 14 30 e9 57 ff ff
ff 48 c1 e8 0c 4c 89 ff 48 89 c6 49 89 c5
RSP: 0018:ffffbc2883aefcc8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00006355c0000000
RDX: 00000007b954a027 RSI: ffffbc2883aefc68 RDI: ffffbc2883ab1000
RBP: 0000000000000000 R08: ffffbc2883ab1000 R09: ffffbc2883aefbf0
R10: ffffbc2883aefc68 R11: ffff9cb05e950008 R12: 0000000000000000
R13: 00000000000290a3 R14: 0000000000000000 R15: ffff9cb15c0c38f0
FS: 0000000000000000(0000) GS:ffff9cb1be940000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000079fda4000 CR4: 00000000003406e0
--
You are receiving this mail because:
You are watching the assignee of the bug.