* [syzbot] [kvmarm?] WARNING in pend_serror_exception
From: syzbot @ 2025-07-13  0:06 UTC (permalink / raw)
  To: catalin.marinas, joey.gouly, kvmarm, linux-arm-kernel,
	linux-kernel, maz, oliver.upton, suzuki.poulose, syzkaller-bugs,
	will, yuzenghui

Hello,

syzbot found the following issue on:

HEAD commit:    15724a984643 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
console output: https://syzkaller.appspot.com/x/log.txt?x=123090f0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1324fe8c580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1206ed82580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-15724a98.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ec0f03d375a1/vmlinux-15724a98.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a36232f8c6dd/Image-15724a98.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1f6f096afda6f4f8f565@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 3603 at arch/arm64/kvm/inject_fault.c:71 pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71
Modules linked in:
CPU: 0 UID: 0 PID: 3603 Comm: syz.2.16 Not tainted 6.16.0-rc3-syzkaller-g15724a984643 #0 PREEMPT 
Hardware name: linux,dummy-virt (DT)
pstate: 81402009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71
lr : pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71
sp : ffff80008e807930
x29: ffff80008e807930 x28: d7f0000016ae8028 x27: 0000000000000001
x26: 0000000000000000 x25: 0000000000000001 x24: 00000000000000d7
x23: d7f0000016ae82a8 x22: 00000000000000d7 x21: d7f0000016ae8e81
x20: 0000000000000007 x19: efff800000000000 x18: 0000000000000000
x17: 000000000000005a x16: ffff800080011d9c x15: 0000000020000200
x14: ffffffffffffffff x13: 0000000000000028 x12: 0000000000000081
x11: 81f000001f049564 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 81f000001f048000 x7 : ffff800080b08704 x6 : ffff80008e807a88
x5 : ffff80008e807a88 x4 : 0000000000000001 x3 : ffff8000801a2e80
x2 : 0000000000000000 x1 : 0000000000000002 x0 : 0000000000000000
Call trace:
 pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71 (P)
 kvm_inject_serror_esr+0x274/0xe40 arch/arm64/kvm/inject_fault.c:330
 __kvm_arm_vcpu_set_events+0x1d4/0x238 arch/arm64/kvm/guest.c:-1
 kvm_arm_vcpu_set_events arch/arm64/kvm/arm.c:1698 [inline]
 kvm_arch_vcpu_ioctl+0xed8/0x16b0 arch/arm64/kvm/arm.c:1810
 kvm_vcpu_ioctl+0x5c4/0xc2c virt/kvm/kvm_main.c:4632
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __arm64_sys_ioctl+0x18c/0x244 fs/ioctl.c:893
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x90/0x2b4 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x180/0x2f4 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x58/0x74 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x160 arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
irq event stamp: 2728
hardirqs last  enabled at (2727): [<ffff80008653cb88>] __raw_read_unlock_irqrestore include/linux/rwlock_api_smp.h:241 [inline]
hardirqs last  enabled at (2727): [<ffff80008653cb88>] _raw_read_unlock_irqrestore+0x44/0xbc kernel/locking/spinlock.c:268
hardirqs last disabled at (2728): [<ffff800086517e08>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
softirqs last  enabled at (2702): [<ffff8000800c988c>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (2700): [<ffff8000800c9858>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Forwarded: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
From: syzbot @ 2025-07-13  0:18 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
Author: kapoorarnav43@gmail.com

#syz test

From: Arnav Kapoor <kapoorarnnav43@gmail.com>
Date: Fri, 27 Dec 2024 02:35:00 +0000
Subject: [PATCH] arm64: KVM: Fix SError ESR validation to only allow ISS field

The current validation in __kvm_arm_vcpu_set_events incorrectly allows
userspace to set the ISV bit (bit 24) in the SError ESR when injecting
a SError through KVM_SET_VCPU_EVENTS. According to the ARM ARM and the
KVM API documentation, userspace should only be able to control the ISS
field (bits 23:0) of the ESR, not the ISV bit which is managed by hardware.

The problematic check:
  if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
      kvm_set_sei_esr(vcpu, events->exception.serror_esr);
  else
      return -EINVAL;

allows the ISV bit because ESR_ELx_ISS_MASK includes bit 24 (GENMASK(24,0)).
However, the ISV bit should be set only by KVM itself when calling 
kvm_set_sei_esr(), and userspace should not be able to control it.

Fix this by changing the validation to only allow bits 23:0 (the actual
ISS field without the ISV bit):

  if (events->exception.serror_esr & ~GENMASK(23, 0))
      return -EINVAL;

This prevents userspace from setting reserved bits and the ISV bit while
still allowing control over the intended ISS field. The condition is
simplified since we now have a straightforward check for invalid bits.

Reported-by: syzbot+92be0215d467e7deb043@syzkaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Signed-off-by: Arnav Kapoor <kapoorarnnav43@gmail.com>
---
 arch/arm64/kvm/guest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 123456..789012 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -843,7 +843,7 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
  if (serror_pending && has_esr) {
  if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
  return -EINVAL;
- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
+ return -EINVAL;
+
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
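Review bot: the hunk is incomplete, so even once it applies the result will not compile: it removes only the `if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))` line and leaves the original `kvm_set_sei_esr(...)`, `else` and `return -EINVAL;` lines quoted in the changelog in place, which yields a duplicated `kvm_set_sei_esr()` call followed by an `else` with no matching `if`. The `@@ -843,7 +843,7 @@` header also promises seven old and seven new lines, but the body has four old-side lines, seven new-side lines and no trailing context, which is why syzbot reports `malformed patch at line 13`. Three changelog problems as well: `index 123456..789012` is a placeholder rather than real blob ids, the Reported-by tag names `syzbot+92be0215d467e7deb043` while this report is `syzbot+1f6f096afda6f4f8f565`, and the `Date:` header (27 Dec 2024) predates the report by seven months. Regenerate the patch with `git format-patch` against the kvmarm next tree so the hunk carries the three removed lines and matching counts.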


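The before-and-after mask check described in the commit message above, as an added example that is not part of the thread or of the kernel: GENMASK32() and the ESR_ELx_* field constants are re-declared locally (the kernel's ESR_ELx_ISS_MASK is GENMASK(24, 0), as the message says), the sample ESR values are constructed, and classify_serror_esr() goes one step beyond the message by naming which field a rejected value touches.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code. Re-creates the validation of a
 * userspace-supplied SError ESR before and after the proposed patch so the
 * bits each version accepts can be exercised on constructed values.
 * GENMASK32() mirrors the kernel's GENMASK() for the 32-bit ESR; the field
 * offsets follow the ESR_ELx layout: EC 31:26, IL 25, ISS 24:0.
 */
#define GENMASK32(h, l) \
	((uint32_t)((0xffffffffu >> (31 - (h))) & (0xffffffffu << (l))))

#define ESR_ELx_EC_MASK   GENMASK32(31, 26)
#define ESR_ELx_IL        (1u << 25)
#define ESR_ELx_ISS_MASK  GENMASK32(24, 0)  /* kernel value: GENMASK(24, 0) */
#define ESR_ELx_ISV       (1u << 24)        /* ISS bit 24, as the changelog names it */
#define SERROR_USER_MASK  GENMASK32(23, 0)  /* what the patch lets userspace set */

enum esr_verdict {
	ESR_ACCEPTED,
	ESR_REJECTED_EC,   /* exception class field set by userspace */
	ESR_REJECTED_IL,   /* instruction-length bit set */
	ESR_REJECTED_ISV,  /* ISS bit 24 set */
};

/* Check as it stood before the patch: accept unless a bit outside ISS_MASK is set. */
bool serror_esr_ok_before(uint32_t esr)
{
	return !(esr & ~ESR_ELx_ISS_MASK);
}

/* Check as proposed: reject as soon as any bit outside bits 23:0 is set. */
bool serror_esr_ok_after(uint32_t esr)
{
	if (esr & ~SERROR_USER_MASK)
		return false;   /* the kernel returns -EINVAL here */
	return true;
}

/* Name the highest field a value touches outside bits 23:0, for diagnostics. */
enum esr_verdict classify_serror_esr(uint32_t esr)
{
	if (esr & ESR_ELx_EC_MASK)
		return ESR_REJECTED_EC;
	if (esr & ESR_ELx_IL)
		return ESR_REJECTED_IL;
	if (esr & ESR_ELx_ISV)
		return ESR_REJECTED_ISV;
	return ESR_ACCEPTED;
}

/* Constructed sample ESR values, not taken from the report. */
static const uint32_t samples[] = {
	0x00000000u,            /* empty ISS */
	SERROR_USER_MASK,       /* every bit of ISS[23:0] set */
	ESR_ELx_ISV,            /* only ISS bit 24 */
	ESR_ELx_ISV | 0x1u,     /* ISS bit 24 plus a low ISS bit */
	ESR_ELx_IL,             /* IL bit */
	0x2fu << 26,            /* EC field set (0x2f is the SError class) */
};

/* Count the samples on which the two checks disagree: exactly the ISS bit 24 cases. */
int count_disagreements(void)
{
	int n = 0;

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		if (serror_esr_ok_before(samples[i]) != serror_esr_ok_after(samples[i]))
			n++;
	return n;
}

int main(void)
{
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("esr=0x%08x before=%d after=%d field=%d\n", samples[i],
		       serror_esr_ok_before(samples[i]), serror_esr_ok_after(samples[i]),
		       classify_serror_esr(samples[i]));
	printf("checks disagree on %d of %zu samples\n", count_disagreements(),
	       sizeof(samples) / sizeof(samples[0]));
	return 0;
}
```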
* Re: [syzbot] [kvmarm?] WARNING in pend_serror_exception
From: syzbot @ 2025-07-13  0:21 UTC (permalink / raw)
  To: kapoorarnav43, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
patch: **** malformed patch at line 13:  




Tested on:

commit:         15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
kernel config:  https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:       
userspace arch: arm64
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10844e8c580000



* Forwarded: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
From: syzbot @ 2025-07-13  0:26 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
Author: kapoorarnav43@gmail.com

#syz test

From: Arnav Kapoor <kapoorarnnav43@gmail.com>
Date: Sat, 13 Jul 2025 20:30:00 +0000
Subject: [PATCH] arm64: KVM: Fix SError ESR validation to only allow ISS field

The current validation in __kvm_arm_vcpu_set_events incorrectly allows
userspace to set the ISV bit (bit 24) in the SError ESR when injecting
a SError through KVM_SET_VCPU_EVENTS. According to the ARM ARM and the
KVM API documentation, userspace should only be able to control the ISS
field (bits 23:0) of the ESR, not the ISV bit which is managed by hardware.

The problematic check:
  if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
      kvm_set_sei_esr(vcpu, events->exception.serror_esr);
  else
      return -EINVAL;

allows the ISV bit because ESR_ELx_ISS_MASK includes bit 24 (GENMASK(24,0)).
However, the ISV bit should be set only by KVM itself when calling 
kvm_set_sei_esr(), and userspace should not be able to control it.

Fix this by changing the validation to only allow bits 23:0 (the actual
ISS field without the ISV bit):

  if (events->exception.serror_esr & ~GENMASK(23, 0))
      return -EINVAL;

This prevents userspace from setting reserved bits and the ISV bit while
still allowing control over the intended ISS field. The condition is
simplified since we now have a straightforward check for invalid bits.

Reported-by: syzbot+1f6f096afda6f4f8f565@syzkaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Signed-off-by: Arnav Kapoor <kapoorarnnav43@gmail.com>
---
 arch/arm64/kvm/guest.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 2196979a24a3..abc123def456 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -844,10 +844,9 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
  if (serror_pending && has_esr) {
  if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
  return -EINVAL;
- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
- kvm_set_sei_esr(vcpu, events->exception.serror_esr);
- else
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
  return -EINVAL;
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
  } else if (serror_pending) {
  kvm_inject_vabt(vcpu);
  }
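Review bot: the context lines do not match the file, which is what `Hunk #1 FAILED at 844` reports: every context and `-` line here carries a single leading space where the kernel source is tab-indented, so the mail client appears to have collapsed the indentation; send the output of `git format-patch` unmodified, via `git send-email` or as an attachment. The post-image blob id `abc123def456` in the index line is also a placeholder. On content, the replacement `if (events->exception.serror_esr & ~GENMASK(23, 0))` hard-codes the mask; a named ESR_ELx_* constant with a comment tying it to the SError ISS layout would make the intent reviewable, and the changelog should explain how a stray bit 24 reaches the WARN at inject_fault.c:71 shown in the report, which it does not currently mention.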


* Re: [syzbot] [kvmarm?] WARNING in pend_serror_exception
From: syzbot @ 2025-07-13  0:28 UTC (permalink / raw)
  To: kapoorarnav43, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED



Tested on:

commit:         15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
kernel config:  https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:       
userspace arch: arm64
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10644e8c580000



* Forwarded: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
From: syzbot @ 2025-07-13  0:35 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
Author: kapoorarnav43@gmail.com

#syz test

From: Arnav Kapoor <kapoorarnnav43@gmail.com>
Date: Sat, 13 Jul 2025 20:30:00 +0000
Subject: [PATCH] arm64: KVM: Fix SError ESR validation to only allow ISS field

The current validation in __kvm_arm_vcpu_set_events incorrectly allows
userspace to set the ISV bit (bit 24) in the SError ESR when injecting
a SError through KVM_SET_VCPU_EVENTS. According to the ARM ARM and the
KVM API documentation, userspace should only be able to control the ISS
field (bits 23:0) of the ESR, not the ISV bit which is managed by hardware.

The problematic check:
  if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
      kvm_set_sei_esr(vcpu, events->exception.serror_esr);
  else
      return -EINVAL;

allows the ISV bit because ESR_ELx_ISS_MASK includes bit 24 (GENMASK(24,0)).
However, the ISV bit should be set only by KVM itself when calling 
kvm_set_sei_esr(), and userspace should not be able to control it.

Fix this by changing the validation to only allow bits 23:0 (the actual
ISS field without the ISV bit):

  if (events->exception.serror_esr & ~GENMASK(23, 0))
      return -EINVAL;

This prevents userspace from setting reserved bits and the ISV bit while
still allowing control over the intended ISS field. The condition is
simplified since we now have a straightforward check for invalid bits.

Reported-by: syzbot+1f6f096afda6f4f8f565@syzkaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Signed-off-by: Arnav Kapoor <kapoorarnnav43@gmail.com>
---
 arch/arm64/kvm/guest.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 2196979a24a3..cbe1e310f477 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -844,10 +844,10 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
  if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
  return -EINVAL;
 
- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
- kvm_set_sei_esr(vcpu, events->exception.serror_esr);
- else
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
  return -EINVAL;
+
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
  } else if (serror_pending) {
  kvm_inject_vabt(vcpu);
  }
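Review bot: the hunk still cannot be located in the file (`Hunk #1 FAILED at 844`) for the same reason as the previous attempt: the context and `-` lines carry one leading space where the kernel source is tab-indented, so the whitespace was collapsed in transit; regenerate the diff with `git format-patch` and send it unmodified. Two changelog points for the next version: the argument rests on calling ISS bit 24 "ISV", but that name belongs to the data-abort ISS encoding, whereas in the SError ISS encoding bit 24 is IDS (implementation defined syndrome), so cite the SError syndrome layout and say why KVM must own that bit; and the message never connects the rejected bit to the WARN at inject_fault.c:71 in the report, so a reader cannot tell whether this change addresses that warning at all.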
-- 
2.43.0


* Re: [syzbot] [kvmarm?] WARNING in pend_serror_exception
From: syzbot @ 2025-07-13  0:37 UTC (permalink / raw)
  To: kapoorarnav43, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED



Tested on:

commit:         15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
kernel config:  https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:       
userspace arch: arm64
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10ebfe8c580000



* Forwarded: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
From: syzbot @ 2025-07-13  0:41 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
Author: kapoorarnav43@gmail.com

#syz test

From: Arnav Kapoor <kapoorarnnav43@gmail.com>
Date: Sat, 13 Jul 2025 21:00:00 +0000
Subject: [PATCH] arm64: KVM: Fix SError ESR validation to only allow ISS field

The current validation in __kvm_arm_vcpu_set_events incorrectly allows
userspace to set the ISV bit (bit 24) in the SError ESR when injecting
a SError through KVM_SET_VCPU_EVENTS. According to the ARM ARM and the
KVM API documentation, userspace should only be able to control the ISS
field (bits 23:0) of the ESR, not the ISV bit which is managed by hardware.

The problematic check:
  if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
      kvm_set_sei_esr(vcpu, events->exception.serror_esr);
  else
      return -EINVAL;

allows the ISV bit because ESR_ELx_ISS_MASK includes bit 24 (GENMASK(24,0)).
However, the ISV bit should be set only by KVM itself when calling 
kvm_set_sei_esr(), and userspace should not be able to control it.

Fix this by changing the validation to only allow bits 23:0 (the actual
ISS field without the ISV bit):

  if (events->exception.serror_esr & ~GENMASK(23, 0))
      return -EINVAL;

This prevents userspace from setting reserved bits and the ISV bit while
still allowing control over the intended ISS field.

Reported-by: syzbot+1f6f096afda6f4f8f565@syzkaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Signed-off-by: Arnav Kapoor <kapoorarnnav43@gmail.com>
---
 arch/arm64/kvm/guest.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 2196979a24a3..cbe1e310f477 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -844,10 +844,10 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
  if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
  return -EINVAL;
 
- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
- kvm_set_sei_esr(vcpu, events->exception.serror_esr);
- else
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
  return -EINVAL;
+
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
  } else if (serror_pending) {
  kvm_inject_vabt(vcpu);
  }
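Review bot: this hunk is byte-for-byte the previous attempt, including the collapsed indentation (one leading space instead of the file's tabs), so resending it without regenerating the diff produces the same `Hunk #1 FAILED at 844`; the patch has to be recreated from a tree where the change is applied, not edited by hand in the mail body.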
-- 
2.43.0


* Re: [syzbot] [kvmarm?] WARNING in pend_serror_exception
From: syzbot @ 2025-07-13  0:43 UTC (permalink / raw)
  To: kapoorarnav43, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED



Tested on:

commit:         15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
kernel config:  https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:       
userspace arch: arm64
patch:          https://syzkaller.appspot.com/x/patch.diff?x=153d90f0580000



* Forwarded: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
From: syzbot @ 2025-07-13  5:51 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
Author: kapoorarnav43@gmail.com

#syz test

From: Arnav Kapoor <kapoorarnnav43@gmail.com>
Date: Sat, 13 Jul 2025 21:30:00 +0000
Subject: [PATCH] arm64: KVM: Fix SError ESR validation to only allow ISS field

The current validation in __kvm_arm_vcpu_set_events incorrectly allows
userspace to set the ISV bit (bit 24) in the SError ESR when injecting
a SError through KVM_SET_VCPU_EVENTS. According to the ARM ARM and the
KVM API documentation, userspace should only be able to control the ISS
field (bits 23:0) of the ESR, not the ISV bit which is managed by hardware.

The problematic check uses ESR_ELx_ISS_MASK which includes bit 24, allowing
userspace to control the ISV bit when it should only control bits 23:0.

This creates a potential security issue where userspace can manipulate the
ISV bit to potentially confuse or exploit kernel handling of SError 
exceptions.

Fix this by changing the validation to use GENMASK(23, 0) which explicitly
masks only the ISS field, preventing userspace from setting the ISV bit or
any other reserved bits beyond the ISS field.

The fix changes the logic from:
  if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
to:
  if (events->exception.serror_esr & ~GENMASK(23, 0))
      return -EINVAL;

This ensures that any attempt to set bits beyond the ISS field (including
the ISV bit) will be rejected with -EINVAL.

Reported-by: syzbot+1f6f096afda6f4f8f565@syzkaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Cc: stable@vger.kernel.org
Signed-off-by: Arnav Kapoor <kapoorarnnav43@gmail.com>
---
 arch/arm64/kvm/guest.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 12345678..87654321 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -844,10 +844,9 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
  if (serror_pending && has_esr) {
  if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
  return -EINVAL;
-
- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
- kvm_set_sei_esr(vcpu, events->exception.serror_esr);
- else
+ 
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
  return -EINVAL;
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
  } else if (serror_pending) {
  kvm_inject_vabt(vcpu);
  }
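Review bot: the line counts in `@@ -844,10 +844,9 @@` do not match the body, which has eleven old-side lines (three context, a removed blank, three removed, one context, three context) and ten new-side lines, so the hunk is malformed independently of the collapsed indentation (one leading space instead of tabs) that also persists from the earlier attempts. The `+ ` line adds a whitespace-only line with a trailing space, which checkpatch will flag; `index 12345678..87654321` is a placeholder rather than real blob ids; and `Cc: stable@vger.kernel.org` is added without the changelog stating a user-visible impact that justifies a backport, or tying the change to the WARN at inject_fault.c:71 in the report.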
-- 
2.40.1


* Re: [syzbot] [kvmarm?] WARNING in pend_serror_exception
From: syzbot @ 2025-07-13  5:52 UTC (permalink / raw)
  To: kapoorarnav43, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED



Tested on:

commit:         15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
kernel config:  https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:       
userspace arch: arm64
patch:          https://syzkaller.appspot.com/x/patch.diff?x=125c07d4580000


