Date: Tue, 21 Sep 2021 23:34:09 +0000
From: Sean Christopherson
To: Dmitry Vyukov
Cc: Marco Elver, syzbot, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk, the arch/x86 maintainers, Linux ARM, kasan-dev
Subject: Re: [syzbot] upstream test error: KFENCE: use-after-free in kvm_fastop_exception
References: <000000000000d6b66705cb2fffd4@google.com>

On Fri, Sep 17, 2021, Dmitry Vyukov wrote:
> On Fri, 17 Sept 2021 at 13:04, Marco Elver wrote:
> > > So it looks like in both cases the top fault frame is just wrong. But
> > > I would assume it's extracted by arch-dependent code, so it's
> > > suspicious that it affects both x86 and arm64...
> > >
> > > Any ideas what's happening?
> >
> > My suspicion for the x86 case is that kvm_fastop_exception is related
> > to instruction emulation and the fault occurs in an emulated
> > instruction?
>
> Why would the kernel emulate a plain MOV?
> 2a: 4c 8b 21 mov (%rcx),%r12
>
> And it would also mean a broken unwind because the emulated
> instruction is in __d_lookup, so it should be in the stack trace.

kvm_fastop_exception is a red herring. It's indeed related to emulation, and while MOV emulation is common in KVM, that emulation is for KVM guests, not for the host kernel where this splat occurs (ignoring the fact that the "host" is itself a guest). kvm_fastop_exception is out-of-line fixup, and certainly shouldn't be reachable via d_lookup. It's also two instructions, XOR+RET, neither of which are in the code stream.

IIRC, the unwinder gets confused when given an IP that's in out-of-line code, e.g. exception fixup like this. If you really want to find out what code blew up, you might be able to objdump -D the kernel and search for unique, matching disassembly, e.g. find "jmpq 0xf86d288c" and go from there.
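The manual search suggested in the reply (objdump -D the kernel, then look for the bytes the oops reported) as an added Python example; this is not code from the thread. It assumes GNU objdump's "addr:<tab>bytes<tab>mnemonic" line layout and the x86 oops convention of marking the faulting byte on the "Code:" line as <xx>; the disassembly excerpt and addresses are constructed.

```python
import re

FUNC_RE = re.compile(r"^([0-9a-f]+) <([^>]+)>:$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t((?:[0-9a-f]{2} ?)+)\s*\t?(.*)$")

def parse_objdump(text):
    """(function, address, opcode bytes, mnemonic) per objdump line, tracking the symbol."""
    func, insns = "?", []
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            func = m.group(2)
            continue
        m = INSN_RE.match(line)
        if not m:
            continue
        opcodes = bytes.fromhex(m.group(2).replace(" ", ""))
        if not m.group(3).strip() and insns:  # continuation line: bytes only
            f, a, b, mn = insns[-1]
            insns[-1] = (f, a, b + opcodes, mn)
        else:
            insns.append((func, int(m.group(1), 16), opcodes, m.group(3).strip()))
    return insns

def faulting_bytes(code_line):
    """Bytes from the faulting IP onward; x86 oopses mark that byte as <xx>."""
    toks = code_line.split(":", 1)[1].split()
    start = next(i for i, t in enumerate(toks) if t.startswith("<"))
    return bytes(int(t.strip("<>"), 16) for t in toks[start:])

def find_code(insns, pattern):
    """Every (function, address) where pattern begins on an instruction boundary."""
    hits = []
    for i, (func, addr, _, _) in enumerate(insns):
        buf, j = b"", i
        while len(buf) < len(pattern) and j < len(insns) and insns[j][0] == func:
            buf += insns[j][2]
            j += 1
        if len(buf) >= len(pattern) and buf[:len(pattern)] == pattern:
            hits.append((func, addr))
    return hits

# Constructed objdump -D excerpt (made-up addresses), not real vmlinux output.
SAMPLE = """\
ffffffff812b1c40 <__d_lookup>:
ffffffff812b1c41:\t48 8b 0f             \tmov    (%rdi),%rcx
ffffffff812b1c44:\t4c 8b 21             \tmov    (%rcx),%r12
ffffffff812b1c47:\te9 3d 6c 86 0f       \tjmpq   0xffffffff90b18889
"""
```

Run `find_code(parse_objdump(open("vmlinux.dis").read()), faulting_bytes(code_line))` against a real `objdump -D vmlinux` dump to get the candidate function and address when the unwinder's top frame cannot be trusted.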