From: Sean Christopherson <seanjc@google.com>
To: syzbot <syzbot+5234e75fb68b86fe89e3@syzkaller.appspotmail.com>
Cc: bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
mingo@redhat.com, pbonzini@redhat.com,
syzkaller-bugs@googlegroups.com, tglx@linutronix.de,
x86@kernel.org
Subject: Re: [syzbot] [kvm?] WARNING in __load_segment_descriptor
Date: Thu, 13 Jul 2023 08:57:52 -0700
Message-ID: <ZLAfAF+kQ1HE44QI@google.com>
In-Reply-To: <000000000000a531410600582572@google.com>
On Wed, Jul 12, 2023, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 1c7873e33645 mm: lock newly mapped VMA with corrected orde..
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=106f1664a80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=7ad417033279f15a
> dashboard link: https://syzkaller.appspot.com/bug?extid=5234e75fb68b86fe89e3
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=146864a8a80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=134a32bca80000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/7eb52a4d9cf3/disk-1c7873e3.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/b9aa9a9e09e8/vmlinux-1c7873e3.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/782d5e4196e2/bzImage-1c7873e3.xz
>
> The issue was bisected to:
>
> commit 65966aaca18a5cbf42ac22234cb9cbbf60a4d33c
> Author: Sean Christopherson <seanjc@google.com>
> Date: Thu Feb 16 20:22:54 2023 +0000
>
> KVM: x86: Assert that the emulator doesn't load CS with garbage in !RM
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16c70f4ca80000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=15c70f4ca80000
> console output: https://syzkaller.appspot.com/x/log.txt?x=11c70f4ca80000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+5234e75fb68b86fe89e3@syzkaller.appspotmail.com
> Fixes: 65966aaca18a ("KVM: x86: Assert that the emulator doesn't load CS with garbage in !RM")
>
> kvm_intel: set kvm_intel.dump_invalid_vmcs=1 to dump internal KVM state.
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 5022 at arch/x86/kvm/emulate.c:1648 __load_segment_descriptor+0xf89/0x1200 arch/x86/kvm/emulate.c:1648
This is caused by the bug where KVM doesn't check the incoming CR0 provided
by userspace via KVM_SET_SREGS, and ultimately ends up with KVM being confused
about whether the vCPU is in Real Mode. The new WARN is just the messenger, i.e.
it detects that KVM is confused.
#syz dup: WARNING in kvm_arch_vcpu_ioctl_run (5)
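Added example (not part of the thread, and not KVM's code): a minimal model of the check the reply says KVM_SET_SREGS was missing. The CR0 constraints are the architectural ones (reserved bits, PG requires PE, NW=1 with CD=0 is invalid); the struct and function names are this example's own assumptions, chosen to show how a rejected CR0 leaves the vCPU's mode unchanged instead of leaving it ambiguous.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CR0 bit positions (architectural; Intel SDM Vol. 3, "Control Registers"). */
#define CR0_PE (1ULL << 0)   /* Protection Enable: PE=0 means Real Mode */
#define CR0_MP (1ULL << 1)
#define CR0_EM (1ULL << 2)
#define CR0_TS (1ULL << 3)
#define CR0_ET (1ULL << 4)
#define CR0_NE (1ULL << 5)
#define CR0_WP (1ULL << 16)
#define CR0_AM (1ULL << 18)
#define CR0_NW (1ULL << 29)
#define CR0_CD (1ULL << 30)
#define CR0_PG (1ULL << 31)

#define CR0_DEFINED_BITS (CR0_PE | CR0_MP | CR0_EM | CR0_TS | CR0_ET | CR0_NE | \
			  CR0_WP | CR0_AM | CR0_NW | CR0_CD | CR0_PG)

/*
 * Does this CR0 describe a state a real CPU could be in?  A MOV to CR0
 * that violates any of these rules faults with #GP on hardware, so a
 * hypervisor accepting CR0 from userspace has to apply the same rules.
 */
bool cr0_is_valid(uint64_t cr0)
{
	/* Reserved bits, including everything above bit 31, must be clear. */
	if (cr0 & ~CR0_DEFINED_BITS)
		return false;
	/* Paging is only possible in protected mode. */
	if ((cr0 & CR0_PG) && !(cr0 & CR0_PE))
		return false;
	/* NW=1 with CD=0 is an invalid cache-control combination. */
	if ((cr0 & CR0_NW) && !(cr0 & CR0_CD))
		return false;
	return true;
}

/* Hypothetical vCPU state: only what is needed to show the mode decision. */
struct vcpu_model {
	uint64_t cr0;
	bool real_mode;		/* derived from CR0.PE, never set independently */
};

/*
 * Hypothetical SET_SREGS-style handler (this example's own, not KVM's API):
 * reject an impossible CR0 up front so the mode derived from it is always
 * consistent with the register value actually held.  Returns 0 on success,
 * -1 (an EINVAL analogue) when the value is rejected and state is untouched.
 */
int model_set_sregs(struct vcpu_model *v, uint64_t cr0)
{
	if (!cr0_is_valid(cr0))
		return -1;
	v->cr0 = cr0;
	v->real_mode = !(cr0 & CR0_PE);
	return 0;
}

int main(void)
{
	/* 0x60000010 is the architectural CR0 reset value (CD|NW|ET), Real Mode. */
	struct vcpu_model v = { .cr0 = 0x60000010ULL, .real_mode = true };
	/* Constructed bad input: paging enabled while protection is off. */
	uint64_t bad = CR0_PG | CR0_ET;
	uint64_t good = CR0_PE | CR0_ET;

	if (model_set_sregs(&v, bad) < 0)
		printf("rejected CR0=%#llx; vCPU still in %s mode\n",
		       (unsigned long long)bad, v.real_mode ? "real" : "protected");
	if (model_set_sregs(&v, good) == 0)
		printf("accepted CR0=%#llx; vCPU now in %s mode\n",
		       (unsigned long long)good, v.real_mode ? "real" : "protected");
	return 0;
}
```

The point of the model is the ordering: validate, then derive the mode from the accepted value. If the handler stored CR0 first and let other code infer the mode later, a value such as PG=1/PE=0 would leave callers disagreeing about whether the vCPU is in Real Mode, which is exactly the confusion the reply describes.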
Thread overview:
2023-07-13 6:07 [syzbot] [kvm?] WARNING in __load_segment_descriptor syzbot
2023-07-13 15:57 ` Sean Christopherson [this message]