From: bugzilla-daemon@bugzilla.kernel.org
To: kvm@vger.kernel.org
Subject: [Bug 203923] New: Running a nested freedos results in NULL pointer dereference in L0 (kvm_mmu_load)
Date: Tue, 18 Jun 2019 15:01:25 +0000 [thread overview]
Message-ID: <bug-203923-28872@https.bugzilla.kernel.org/> (raw)
https://bugzilla.kernel.org/show_bug.cgi?id=203923
Bug ID: 203923
Summary: Running a nested freedos results in NULL pointer
dereference in L0 (kvm_mmu_load)
Product: Virtualization
Version: unspecified
Kernel Version: 5.1
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: kvm
Assignee: virtualization_kvm@kernel-bugs.osdl.org
Reporter: jpalecek@web.de
Regression: No
Hello,
while I was playing around with kvm and trying nested virtual machines, I got
an OOPS on the hardware machine. I ran
$ qemu-system-i386 -enable-kvm -virtfs
local,path=.,security_model=none,mount_tag=hostfs -cpu host
/mnt/extras/src/qemu-image-autopkgtest2
and inside the machine, I ran a freedos install image residing in the current
directory (i.e. through the virtfs mount). The image is running a 5.2-rc4
kernel; note that when I run a 4.19 kernel as the L1 guest it seems to work. It
crashed very early, before the nested system prints anything to the screen. The
error on L0 was:
[ 505.814203] BUG: unable to handle kernel NULL pointer dereference at
00000000
[ 505.814208] #PF error: [WRITE]
[ 505.814209] *pdpt = 0000000015f1f001 *pde = 0000000000000000
[ 505.814212] Oops: 0002 [#1] SMP NOPTI
[ 505.814216] CPU: 1 PID: 2292 Comm: qemu-system-i38 Tainted: P O
5.1.0-bughunt+ #2
[ 505.814217] Hardware name: System manufacturer System Product Name/M4N68T-M,
BIOS 1301 07/05/2011
[ 505.814234] EIP: kvm_mmu_load+0x292/0x4c0 [kvm]
[ 505.814236] Code: 55 e8 e8 d1 f0 ff ff 8b 48 20 ff 40 28 8b 07 81 c1 00 00
00 40 c6 00 00 0f 1f 00 8b 87 68 02 00 00 0b 4d dc 8b 80 88 00 00 00 <89> 0c 30
c7 44 30 04 00 00 00 00 e9 6b ff ff ff 8d b6 00 00 00 00
[ 505.814238] EAX: 00000000 EBX: 00000000 ECX: 1267a001 EDX: d30c7d6c
[ 505.814239] ESI: 00000000 EDI: d2538000 EBP: d30c7dd0 ESP: d30c7d9c
[ 505.814241] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00210202
[ 505.814242] CR0: 80050033 CR2: 00000000 CR3: 223e2e40 CR4: 000006f0
[ 505.814243] Call Trace:
[ 505.814256] kvm_arch_vcpu_ioctl_run+0xc87/0x1910 [kvm]
[ 505.814260] ? _copy_to_user+0x21/0x30
[ 505.814264] ? tomoyo_path_number_perm+0x5f/0x200
[ 505.814274] kvm_vcpu_ioctl+0x214/0x580 [kvm]
[ 505.814284] ? __bpf_trace_kvm_async_pf_nopresent_ready+0x30/0x30 [kvm]
[ 505.814287] do_vfs_ioctl+0x91/0x6b0
[ 505.814290] ? __audit_syscall_entry+0xb8/0x100
[ 505.814292] ? syscall_trace_enter+0x1e1/0x240
[ 505.814294] ? tomoyo_file_ioctl+0x19/0x20
[ 505.814296] ? security_file_ioctl+0x2a/0x40
[ 505.814298] ksys_ioctl+0x60/0x90
[ 505.814300] sys_ioctl+0x16/0x20
[ 505.814302] do_fast_syscall_32+0x91/0x17c
[ 505.814304] entry_SYSENTER_32+0x6b/0xbe
[ 505.814306] EIP: 0xb7f8b83d
[ 505.814307] Code: 54 cd ff ff 8b 98 58 cd ff ff 85 d2 89 c8 74 02 89 0a 5b
5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59
c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
[ 505.814308] EAX: ffffffda EBX: 0000000e ECX: 0000ae80 EDX: 00000000
[ 505.814309] ESI: 0224ead0 EDI: 00000000 EBP: b50f6000 ESP: b31bbc98
[ 505.814311] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00200292
[ 505.814313] ? nmi+0x8b/0x190
[ 505.814314] Modules linked in: snd_hrtimer snd_seq_midi snd_seq_midi_event
snd_rawmidi snd_seq snd_seq_device cpufreq_powersave cpufreq_userspace
cpufreq_conservative nvidia_drm(PO) drm_kms_helper drm fb_sys_fops syscopyarea
sysfillrect sysimgblt nvidia_modeset(PO) nvidia(PO) binfmt_misc fuse
snd_hda_codec_via snd_hda_codec_hdmi snd_hda_codec_generic nls_iso8859_2
nls_cp437 vfat kvm_amd snd_hda_intel fat kvm snd_hda_codec snd_hda_core
snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd ohci_pci irqbypass
ohci_hcd soundcore k10temp ehci_pci ehci_hcd forcedeth i2c_nforce2 sr_mod
sata_nv cdrom sg asus_atk0110 pcc_cpufreq pcspkr acpi_cpufreq button
ipmi_devintf ipmi_msghandler usblp usbcore parport_pc ppdev lp parport
ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod
psmouse evdev serio_raw ata_generic pata_amd libata scsi_mod
[ 505.814341] CR2: 0000000000000000
[ 505.814343] ---[ end trace f9a592688c8617bc ]---
[ 505.814354] EIP: kvm_mmu_load+0x292/0x4c0 [kvm]
[ 505.814355] Code: 55 e8 e8 d1 f0 ff ff 8b 48 20 ff 40 28 8b 07 81 c1 00 00
00 40 c6 00 00 0f 1f 00 8b 87 68 02 00 00 0b 4d dc 8b 80 88 00 00 00 <89> 0c 30
c7 44 30 04 00 00 00 00 e9 6b ff ff ff 8d b6 00 00 00 00
[ 505.814357] EAX: 00000000 EBX: 00000000 ECX: 1267a001 EDX: d30c7d6c
[ 505.814358] ESI: 00000000 EDI: d2538000 EBP: d30c7dd0 ESP: d6a0d3bc
[ 505.814359] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00210202
[ 505.814360] CR0: 80050033 CR2: 00000000 CR3: 223e2e40 CR4: 000006f0
The processor on L0 is Athlon II X2 240.
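The L0 oops above can be reduced to the facts a triager needs: the faulting PC and module, the #PF error-code bits from the Oops: line, the instruction bytes marked by <..> in the Code: line, and which Call Trace frames are reliable (no "?"). The parser below is an added example, not part of the bug report or of KVM; it assumes the 32-bit 5.1-era oops layout shown here and uses a trimmed excerpt of that oops as input.

```python
import re
# Excerpt of the L0 oops from the report above (email wrapping undone, Code: line shortened).
SAMPLE_OOPS = """\
[  505.814203] BUG: unable to handle kernel NULL pointer dereference at 00000000
[  505.814212] Oops: 0002 [#1] SMP NOPTI
[  505.814234] EIP: kvm_mmu_load+0x292/0x4c0 [kvm]
[  505.814236] Code: 55 e8 e8 d1 f0 ff ff 8b 48 20 <89> 0c 30 c7 44 30 04
[  505.814243] Call Trace:
[  505.814256]  kvm_arch_vcpu_ioctl_run+0xc87/0x1910 [kvm]
[  505.814260]  ? _copy_to_user+0x21/0x30
[  505.814274]  kvm_vcpu_ioctl+0x214/0x580 [kvm]
[  505.814287]  do_vfs_ioctl+0x91/0x6b0
"""

TS = re.compile(r"^\[\s*[\d.]+\]\s*")   # printk timestamp prefix
FRAME = re.compile(r"^(\?\s+)?([\w.]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?:\s+\[(\w+)\])?$")

def parse_frame(text):
    # 'sym+0xoff/0xsize [mod]'; a leading '?' means the unwinder found a stale slot
    m = FRAME.match(text.strip())
    if not m: return None
    unreliable, sym, off, size, mod = m.groups()
    return {"symbol": sym, "offset": int(off, 16), "size": int(size, 16),
            "module": mod, "reliable": unreliable is None}

def parse_oops(log):
    info, in_trace = {"frames": [], "code": [], "fault_index": None}, False
    for raw in log.splitlines():
        line = TS.sub("", raw).strip()
        if line.startswith("BUG:"):                       # faulting address (CR2)
            info["fault_addr"] = int(line.rsplit(" at ", 1)[1], 16)
        elif line.startswith("Oops:"):                    # x86 #PF error code: bit0 present, bit1 write, bit2 user
            code = int(line.split()[1], 16)
            info.update(present=bool(code & 1), write=bool(code & 2), user=bool(code & 4))
        elif line.startswith(("EIP:", "RIP:")):           # first kernel PC only; user EIP and the repeat are skipped
            frame = parse_frame(line.split(":", 1)[1])
            if frame and "pc" not in info: info["pc"] = frame
        elif line.startswith("Code:") and not info["code"]:
            for i, tok in enumerate(line.split()[1:]):
                if tok.startswith("<"): info["fault_index"] = i   # <xx> marks the faulting instruction
                info["code"].append(int(tok.strip("<>"), 16))
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (frame := parse_frame(line)):
            info["frames"].append(frame)
    return info

def faulting_bytes(info):
    # 89 0c 30 decodes to mov %ecx,(%eax,%esi,1); with EAX=ESI=0 that is the NULL write CR2 reports
    return info["code"][info["fault_index"]:] if info["fault_index"] is not None else []
```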