* reproducible GPF error in native_tss_update_io_bitmap
@ 2025-01-07 2:32 reveliofuzzing
2025-01-07 21:28 ` Dave Hansen
0 siblings, 1 reply; 4+ messages in thread
From: reveliofuzzing @ 2025-01-07 2:32 UTC (permalink / raw)
To: tglx, mingo, bp, dave.hansen, kirill.shutemov; +Cc: x86, linux-kernel
Hello,
We found the following general protection fault bug in Linux kernel 6.12, and
it can be reproduced stably in a QEMU VM. To our knowledge, this problem has not
been observed by SyzBot so we would like to report it for your reference.
- dmesg
syzkaller login: [ 90.849309] Oops: general protection fault,
probably for non-canonical address 0xdffffc0000000000: 0000 [#1]
PREEMPTI
[ 90.853735] KASAN: null-ptr-deref in range
[0x0000000000000000-0x0000000000000007]
[ 90.856772] CPU: 0 PID: 3265 Comm: iou-sqp-3264 Not tainted 6.10.0 #2
[ 90.859386] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 90.862774] RIP: 0010:native_tss_update_io_bitmap+0x143/0x510
[ 90.865203] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f
85 ae 03 00 00 48 89 da 4d 8b 75 68 48 b8 00 00 00 00 00 fc ff df 4c
[ 90.872684] RSP: 0018:ffff8880079776c0 EFLAGS: 00010246
[ 90.875623] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff810a7045
[ 90.878708] RDX: 0000000000000000 RSI: ffffffff810a70a6 RDI: ffff88806d20a068
[ 90.881705] RBP: ffff888007977740 R08: ffffffff8171dc14 R09: ffffed10014763c1
[ 90.884683] R10: ffffed10014763c0 R11: ffff88800a3b1e07 R12: 1ffff11000f2eed8
[ 90.887673] R13: ffff88806d20a000 R14: 00000000000005d4 R15: ffff888007977950
[ 90.890639] FS: 000055557b069940(0000) GS:ffff88806d200000(0000)
knlGS:0000000000000000
[ 90.894196] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 90.896589] CR2: 0000000000004028 CR3: 000000000bf84000 CR4: 00000000000006f0
[ 90.899520] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 90.902247] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 90.904931] Call Trace:
[ 90.905938] <TASK>
[ 90.906804] ? show_regs+0x73/0x80
[ 90.908166] ? __die_body+0x1f/0x70
[ 90.909495] ? die_addr+0x4c/0x90
[ 90.910773] ? exc_general_protection+0x15c/0x2a0
[ 90.912665] ? asm_exc_general_protection+0x26/0x30
[ 90.914566] ? kasan_save_stack+0x24/0x50
[ 90.916239] ? native_tss_update_io_bitmap+0x85/0x510
[ 90.918173] ? native_tss_update_io_bitmap+0xe6/0x510
[ 90.920145] ? native_tss_update_io_bitmap+0x143/0x510
[ 90.922509] ? __pfx_native_tss_update_io_bitmap+0x10/0x10
[ 90.925039] ? __pfx_refcount_dec_not_one+0x10/0x10
[ 90.927396] ? __virt_addr_valid+0xcb/0x320
[ 90.929218] ? __pfx_delayed_put_pid+0x10/0x10
[ 90.930957] task_update_io_bitmap+0xa2/0xd0
[ 90.932599] io_bitmap_exit+0x4d/0xd0
[ 90.933995] exit_thread+0x6b/0x80
[ 90.935319] copy_process+0x480f/0x6540
[ 90.936878] ? __pfx_copy_process+0x10/0x10
[ 90.938857] ? _raw_spin_lock_irqsave+0x86/0xe0
[ 90.940957] ? try_to_wake_up+0x117/0x18a0
[ 90.942490] ? __pfx_io_wq_worker+0x10/0x10
[ 90.944116] create_io_thread+0xac/0xf0
[ 90.945578] ? __pfx_create_io_thread+0x10/0x10
[ 90.947344] ? __pfx_io_wq_worker+0x10/0x10
[ 90.948935] ? kasan_save_track+0x14/0x30
[ 90.950458] create_io_worker+0x17e/0x4c0
[ 90.952015] io_wq_enqueue+0x5a1/0x990
[ 90.953427] ? __pfx_io_wq_enqueue+0x10/0x10
[ 90.955081] ? __pfx__raw_spin_lock+0x10/0x10
[ 90.957061] ? __pfx_io_wq_work_match_item+0x10/0x10
[ 90.958969] io_queue_iowq+0x1c4/0x380
[ 90.960413] io_queue_sqe_fallback+0xa4/0x790
[ 90.962097] io_submit_sqes+0x1232/0x1e80
[ 90.963627] io_sq_thread+0xaf9/0x1620
[ 90.965272] ? __pfx_io_sq_thread+0x10/0x10
[ 90.966960] ? __pfx_autoremove_wake_function+0x10/0x10
[ 90.969010] ? _raw_spin_lock_irq+0x81/0xe0
[ 90.970775] ? finish_task_switch+0x1bd/0x650
[ 90.972809] ? __pfx_io_sq_thread+0x10/0x10
[ 90.974572] ? __pfx_io_sq_thread+0x10/0x10
[ 90.976372] ret_from_fork+0x48/0x80
[ 90.977916] ? __pfx_io_sq_thread+0x10/0x10
[ 90.979704] ret_from_fork_asm+0x1a/0x30
[ 90.981443] </TASK>
[ 90.982411] Modules linked in:
[ 90.984086] ---[ end trace 0000000000000000 ]---
[ 90.986042] RIP: 0010:native_tss_update_io_bitmap+0x143/0x510
[ 90.989080] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f
85 ae 03 00 00 48 89 da 4d 8b 75 68 48 b8 00 00 00 00 00 fc ff df 4c
[ 90.997385] RSP: 0018:ffff8880079776c0 EFLAGS: 00010246
[ 91.000093] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff810a7045
[ 91.003230] RDX: 0000000000000000 RSI: ffffffff810a70a6 RDI: ffff88806d20a068
[ 91.006468] RBP: ffff888007977740 R08: ffffffff8171dc14 R09: ffffed10014763c1
[ 91.010241] R10: ffffed10014763c0 R11: ffff88800a3b1e07 R12: 1ffff11000f2eed8
[ 91.014085] R13: ffff88806d20a000 R14: 00000000000005d4 R15: ffff888007977950
[ 91.017484] FS: 000055557b069940(0000) GS:ffff88806d200000(0000)
knlGS:0000000000000000
[ 91.020992] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 91.023575] CR2: 0000000000004028 CR3: 000000000bf84000 CR4: 00000000000006f0
[ 91.026987] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 91.030017] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 91.033300] note: iou-sqp-3264[3265] exited with preempt_count 1
- kernel config
https://drive.google.com/file/d/1ZfeXgVadChVJtIGx5zMhBqHnmlomP3Hf/view?usp=sharing
- bzImage
https://drive.google.com/file/d/1MJf0WQ9_eztvuBcaBwCGC-rb7VBQtuac/view?usp=sharing
- reproducer (compiled binary)
https://drive.google.com/file/d/1KTq0f4yY8kKsUKY8b_6q5u8TeEGvW95B/view?usp=sharing
- steps to reproduce
1. Create the VM image
We use the script
https://github.com/google/syzkaller/blob/master/tools/create-image.sh
to create the image.
2. Run the VM
We run command: qemu-system-x86_64 -m 2G -smp 4 -kernel bzImage \
-append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0" \
-drive file=./bullseye.img,format=raw \
-net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
-net nic,model=e1000 \
-enable-kvm \
-nographic \
-pidfile vm.pid \
2>&1 | tee vm.log`
3. Run the reproducer
We ssh into the VM and run the compiled binary `syz-executor` under root.
This error might take a few minutes to happen.
- reproducer (c)
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <setjmp.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <linux/capability.h>
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
static unsigned long long procid;
static __thread int clone_ongoing;
static __thread int skip_segv;
static __thread jmp_buf segv_env;
static void segv_handler(int sig, siginfo_t* info, void* ctx)
{
if (__atomic_load_n(&clone_ongoing, __ATOMIC_RELAXED) != 0) {
exit(sig);
}
uintptr_t addr = (uintptr_t)info->si_addr;
const uintptr_t prog_start = 1 << 20;
const uintptr_t prog_end = 100 << 20;
int skip = __atomic_load_n(&skip_segv, __ATOMIC_RELAXED) != 0;
int valid = addr < prog_start || addr > prog_end;
if (skip && valid) {
_longjmp(segv_env, 1);
}
exit(sig);
}
static void install_segv_handler(void)
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = SIG_IGN;
syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = segv_handler;
sa.sa_flags = SA_NODEFER | SA_SIGINFO;
sigaction(SIGSEGV, &sa, NULL);
sigaction(SIGBUS, &sa, NULL);
}
#define NONFAILING(...) ({ int ok = 1; __atomic_fetch_add(&skip_segv,
1, __ATOMIC_SEQ_CST); if (_setjmp(segv_env) == 0) { __VA_ARGS__; }
else ok = 0; __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST); ok;
})
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
#define SIZEOF_IO_URING_SQE 64
#define SIZEOF_IO_URING_CQE 16
#define SQ_HEAD_OFFSET 0
#define SQ_TAIL_OFFSET 64
#define SQ_RING_MASK_OFFSET 256
#define SQ_RING_ENTRIES_OFFSET 264
#define SQ_FLAGS_OFFSET 276
#define SQ_DROPPED_OFFSET 272
#define CQ_HEAD_OFFSET 128
#define CQ_TAIL_OFFSET 192
#define CQ_RING_MASK_OFFSET 260
#define CQ_RING_ENTRIES_OFFSET 268
#define CQ_RING_OVERFLOW_OFFSET 284
#define CQ_FLAGS_OFFSET 280
#define CQ_CQES_OFFSET 320
struct io_sqring_offsets {
uint32_t head;
uint32_t tail;
uint32_t ring_mask;
uint32_t ring_entries;
uint32_t flags;
uint32_t dropped;
uint32_t array;
uint32_t resv1;
uint64_t resv2;
};
struct io_cqring_offsets {
uint32_t head;
uint32_t tail;
uint32_t ring_mask;
uint32_t ring_entries;
uint32_t overflow;
uint32_t cqes;
uint64_t resv[2];
};
struct io_uring_params {
uint32_t sq_entries;
uint32_t cq_entries;
uint32_t flags;
uint32_t sq_thread_cpu;
uint32_t sq_thread_idle;
uint32_t features;
uint32_t resv[4];
struct io_sqring_offsets sq_off;
struct io_cqring_offsets cq_off;
};
#define IORING_OFF_SQ_RING 0
#define IORING_OFF_SQES 0x10000000ULL
#define IORING_SETUP_SQE128 (1U << 10)
#define IORING_SETUP_CQE32 (1U << 11)
static long syz_io_uring_setup(volatile long a0, volatile long a1,
volatile long a2, volatile long a3)
{
uint32_t entries = (uint32_t)a0;
struct io_uring_params* setup_params = (struct io_uring_params*)a1;
void** ring_ptr_out = (void**)a2;
void** sqes_ptr_out = (void**)a3;
setup_params->flags &= ~(IORING_SETUP_CQE32 | IORING_SETUP_SQE128);
uint32_t fd_io_uring = syscall(__NR_io_uring_setup, entries,
setup_params);
uint32_t sq_ring_sz = setup_params->sq_off.array +
setup_params->sq_entries * sizeof(uint32_t);
uint32_t cq_ring_sz = setup_params->cq_off.cqes +
setup_params->cq_entries * SIZEOF_IO_URING_CQE;
uint32_t ring_sz = sq_ring_sz > cq_ring_sz ? sq_ring_sz : cq_ring_sz;
*ring_ptr_out = mmap(0, ring_sz, PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQ_RING);
uint32_t sqes_sz = setup_params->sq_entries * SIZEOF_IO_URING_SQE;
*sqes_ptr_out = mmap(0, sqes_sz, PROT_READ | PROT_WRITE,
MAP_SHARED | MAP_POPULATE, fd_io_uring, IORING_OFF_SQES);
uint32_t* array = (uint32_t*)((uintptr_t)*ring_ptr_out +
setup_params->sq_off.array);
for (uint32_t index = 0; index < entries; index++)
array[index] = index;
return fd_io_uring;
}
static void setup_gadgetfs();
static void setup_binderfs();
static void setup_fusectl();
static void sandbox_common_mount_tmpfs(void)
{
write_file("/proc/sys/fs/mount-max", "100000");
if (mkdir("./syz-tmp", 0777))
exit(1);
if (mount("", "./syz-tmp", "tmpfs", 0, NULL))
exit(1);
if (mkdir("./syz-tmp/newroot", 0777))
exit(1);
if (mkdir("./syz-tmp/newroot/dev", 0700))
exit(1);
unsigned bind_mount_flags = MS_BIND | MS_REC | MS_PRIVATE;
if (mount("/dev", "./syz-tmp/newroot/dev", NULL,
bind_mount_flags, NULL))
exit(1);
if (mkdir("./syz-tmp/newroot/proc", 0700))
exit(1);
if (mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL))
exit(1);
if (mkdir("./syz-tmp/newroot/selinux", 0700))
exit(1);
const char* selinux_path = "./syz-tmp/newroot/selinux";
if (mount("/selinux", selinux_path, NULL, bind_mount_flags, NULL)) {
if (errno != ENOENT)
exit(1);
if (mount("/sys/fs/selinux", selinux_path, NULL,
bind_mount_flags, NULL) && errno != ENOENT)
exit(1);
}
if (mkdir("./syz-tmp/newroot/sys", 0700))
exit(1);
if (mount("/sys", "./syz-tmp/newroot/sys", 0, bind_mount_flags, NULL))
exit(1);
if (mount("/sys/kernel/debug",
"./syz-tmp/newroot/sys/kernel/debug", NULL, bind_mount_flags, NULL) &&
errno != ENOENT)
exit(1);
if (mount("/sys/fs/smackfs",
"./syz-tmp/newroot/sys/fs/smackfs", NULL, bind_mount_flags, NULL) &&
errno != ENOENT)
exit(1);
if (mount("/proc/sys/fs/binfmt_misc",
"./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, bind_mount_flags,
NULL) && errno != ENOENT)
exit(1);
if (mkdir("./syz-tmp/pivot", 0777))
exit(1);
if (syscall(SYS_pivot_root, "./syz-tmp", "./syz-tmp/pivot")) {
if (chdir("./syz-tmp"))
exit(1);
} else {
if (chdir("/"))
exit(1);
if (umount2("./pivot", MNT_DETACH))
exit(1);
}
if (chroot("./newroot"))
exit(1);
if (chdir("/"))
exit(1);
setup_gadgetfs();
setup_binderfs();
setup_fusectl();
}
static void setup_gadgetfs()
{
if (mkdir("/dev/gadgetfs", 0777)) {
}
if (mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL)) {
}
}
static void setup_fusectl()
{
if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
}
}
static void setup_binderfs()
{
if (mkdir("/dev/binderfs", 0777)) {
}
if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
}
if (symlink("/dev/binderfs", "./binderfs")) {
}
}
static void loop();
static void sandbox_common()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
if (getppid() == 1)
exit(1);
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = (200 << 20);
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 32 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 136 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
if (unshare(CLONE_NEWNS)) {
}
if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
}
if (unshare(CLONE_NEWIPC)) {
}
if (unshare(0x02000000)) {
}
if (unshare(CLONE_NEWUTS)) {
}
if (unshare(CLONE_SYSVSEM)) {
}
typedef struct {
const char* name;
const char* value;
} sysctl_t;
static const sysctl_t sysctls[] = {
{"/proc/sys/kernel/shmmax", "16777216"},
{"/proc/sys/kernel/shmall", "536870912"},
{"/proc/sys/kernel/shmmni", "1024"},
{"/proc/sys/kernel/msgmax", "8192"},
{"/proc/sys/kernel/msgmni", "1024"},
{"/proc/sys/kernel/msgmnb", "1024"},
{"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
};
unsigned i;
for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
write_file(sysctls[i].name, sysctls[i].value);
}
static int wait_for_loop(int pid)
{
if (pid < 0)
exit(1);
int status = 0;
while (waitpid(-1, &status, __WALL) != pid) {
}
return WEXITSTATUS(status);
}
static void drop_caps(void)
{
struct __user_cap_header_struct cap_hdr = {};
struct __user_cap_data_struct cap_data[2] = {};
cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
cap_hdr.pid = getpid();
if (syscall(SYS_capget, &cap_hdr, &cap_data))
exit(1);
const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
cap_data[0].effective &= ~drop;
cap_data[0].permitted &= ~drop;
cap_data[0].inheritable &= ~drop;
if (syscall(SYS_capset, &cap_hdr, &cap_data))
exit(1);
}
static int do_sandbox_none(void)
{
if (unshare(CLONE_NEWPID)) {
}
int pid = fork();
if (pid != 0)
return wait_for_loop(pid);
sandbox_common();
drop_caps();
if (unshare(CLONE_NEWNET)) {
}
write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
sandbox_common_mount_tmpfs();
loop();
exit(1);
}
static void kill_and_wait(int pid, int* status)
{
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 ||
strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort),
"/sys/fs/fuse/connections/%s/abort", ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void)
{
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
sleep_ms(10);
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
if (current_time_ms() - start < 5000)
continue;
kill_and_wait(pid, &status);
break;
}
}
}
void execute_one(void)
{
if (write(1, "executing program\n", sizeof("executing
program\n") - 1)) {}
syscall(__NR_ioperm, /*from=*/0ul, /*num=*/0xd8ul, /*on=*/0x80000000ul);
NONFAILING(*(uint64_t*)0x20000040 = 0);
NONFAILING(*(uint64_t*)0x20000048 = 0);
NONFAILING(memset((void*)0x20000050, 0, 24));
NONFAILING(*(uint64_t*)0x20000068 = 0);
NONFAILING(*(uint64_t*)0x20000070 = 0x20000000);
syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0xc0389424,
/*arg=*/0x20000040ul);
NONFAILING(*(uint16_t*)0x20000040 = 0);
NONFAILING(*(uint64_t*)0x20000048 = 0x20000000);
syscall(__NR_setsockopt, /*fd=*/-1, /*level=*/1,
/*optname=*/0x1a, /*optval=*/0x20000040ul, /*optlen=*/0xfffffed3ul);
NONFAILING(*(uint32_t*)0x20000004 = 0);
NONFAILING(*(uint32_t*)0x20000008 = 0x4016);
NONFAILING(*(uint32_t*)0x2000000c = 0);
NONFAILING(*(uint32_t*)0x20000010 = 0);
NONFAILING(*(uint32_t*)0x20000018 = -1);
NONFAILING(memset((void*)0x2000001c, 0, 12));
NONFAILING(syz_io_uring_setup(/*entries=*/0x29bc,
/*params=*/0x20000000, /*ring_ptr=*/0, /*sqes_ptr=*/0));
NONFAILING(memcpy((void*)0x20000000, "9p\000", 3));
syscall(__NR_mq_open, /*name=*/0x20000000ul,
/*flags=O_CREAT*/0x40ul, /*mode=*/0ul, /*attr=*/0ul);
syscall(__NR_sendmsg, /*fd=*/-1, /*msg=*/0ul, /*f=*/0ul);
}
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul,
/*len=*/0x1000ul, /*prot=*/0ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul,
/*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1,
/*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul,
/*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul,
/*fd=*/-1, /*offset=*/0ul);
const char* reason;
(void)reason;
install_segv_handler();
for (procid = 0; procid < 2; procid++) {
if (fork() == 0) {
do_sandbox_none();
}
}
sleep(1000000);
return 0;
}
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: reproducible GPF error in native_tss_update_io_bitmap
2025-01-07 2:32 reproducible GPF error in native_tss_update_io_bitmap reveliofuzzing
@ 2025-01-07 21:28 ` Dave Hansen
2025-01-08 0:24 ` reveliofuzzing
0 siblings, 1 reply; 4+ messages in thread
From: Dave Hansen @ 2025-01-07 21:28 UTC (permalink / raw)
To: reveliofuzzing, tglx, mingo, bp, dave.hansen, kirill.shutemov
Cc: x86, linux-kernel
On 1/6/25 18:32, reveliofuzzing wrote:
> Hello,
>
> We found the following general protection fault bug in Linux kernel 6.12, and
> it can be reproduced stably in a QEMU VM. To our knowledge, this problem has not
> been observed by SyzBot so we would like to report it for your reference.
>
> - dmesg
> syzkaller login: [ 90.849309] Oops: general protection fault,
> probably for non-canonical address 0xdffffc0000000000: 0000 [#1]
> PREEMPTI
> [ 90.853735] KASAN: null-ptr-deref in range
> [0x0000000000000000-0x0000000000000007]
> [ 90.856772] CPU: 0 PID: 3265 Comm: iou-sqp-3264 Not tainted 6.10.0 #2
> [ 90.859386] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.13.0-1ubuntu1.1 04/01/2014
> [ 90.862774] RIP: 0010:native_tss_update_io_bitmap+0x143/0x510
The whole thing looks like an issue in the failure path when trying to
create an io_uring io worker thread. It's probably some confusion in
treating the worker thread like a userspace thread with an io bitmap
when the worker thread doesn't have one.
It's _probably_ only reproducible with io_uring. It's arguable whether
it's likely an x86 issue or an io_uring issue.
In any case, running:
scripts/decode_stacktrace.sh
and providing a full vmlinux might be helpful if folks want to dig into
this more.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: reproducible GPF error in native_tss_update_io_bitmap
2025-01-07 21:28 ` Dave Hansen
@ 2025-01-08 0:24 ` reveliofuzzing
2025-01-15 14:22 ` Thomas Gleixner
0 siblings, 1 reply; 4+ messages in thread
From: reveliofuzzing @ 2025-01-08 0:24 UTC (permalink / raw)
To: Dave Hansen
Cc: tglx, mingo, bp, dave.hansen, kirill.shutemov, x86, linux-kernel
On Tue, Jan 7, 2025 at 4:28 PM Dave Hansen <dave.hansen@intel.com> wrote:
>
> On 1/6/25 18:32, reveliofuzzing wrote:
> > Hello,
> >
> > We found the following general protection fault bug in Linux kernel 6.12, and
> > it can be reproduced stably in a QEMU VM. To our knowledge, this problem has not
> > been observed by SyzBot so we would like to report it for your reference.
> >
> > - dmesg
> > syzkaller login: [ 90.849309] Oops: general protection fault,
> > probably for non-canonical address 0xdffffc0000000000: 0000 [#1]
> > PREEMPTI
> > [ 90.853735] KASAN: null-ptr-deref in range
> > [0x0000000000000000-0x0000000000000007]
> > [ 90.856772] CPU: 0 PID: 3265 Comm: iou-sqp-3264 Not tainted 6.10.0 #2
> > [ 90.859386] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> > BIOS 1.13.0-1ubuntu1.1 04/01/2014
> > [ 90.862774] RIP: 0010:native_tss_update_io_bitmap+0x143/0x510
>
> The whole thing looks like an issue in the failure path when trying to
> create an io_uring io worker thread. It's probably some confusion in
> treating the worker thread like a userspace thread with an io bitmap
> when the worker thread doesn't have one.
>
> It's _probably_ only reproducible with io_uring. It's arguable whether
> it's likely an x86 issue or an io_uring issue.
>
> In any case, running:
>
> scripts/decode_stacktrace.sh
>
Here is the output of running this script:
[ 90.853735] KASAN: null-ptr-deref in range
[0x0000000000000000-0x0000000000000007]
[ 90.856772] CPU: 0 PID: 3265 Comm: iou-sqp-3264 Not tainted 6.10.0 #2
[ 90.859386] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 90.862774] RIP: 0010:native_tss_update_io_bitmap
(linux-6.12/arch/x86/kernel/process.c:470)
[ 90.865203] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85
ae 03 00 00 48 89 da 4d 8b 75 68 48 b8 00 00 00 00 00 fc ff df 4c
Code starting with the faulting instruction
===========================================
0: 00 fc add %bh,%ah
2: ff (bad)
3: df 48 89 fisttps -0x77(%rax)
6: fa cli
7: 48 c1 ea 03 shr $0x3,%rdx
b: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
f: 0f 85 ae 03 00 00 jne 0x3c3
15: 48 89 da mov %rbx,%rdx
18: 4d 8b 75 68 mov 0x68(%r13),%r14
1c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
23: fc ff df
26: 4c rex.WR
[ 90.872684] RSP: 0018:ffff8880079776c0 EFLAGS: 00010246
[ 90.875623] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff810a7045
[ 90.878708] RDX: 0000000000000000 RSI: ffffffff810a70a6 RDI: ffff88806d20a068
[ 90.881705] RBP: ffff888007977740 R08: ffffffff8171dc14 R09: ffffed10014763c1
[ 90.884683] R10: ffffed10014763c0 R11: ffff88800a3b1e07 R12: 1ffff11000f2eed8
[ 90.887673] R13: ffff88806d20a000 R14: 00000000000005d4 R15: ffff888007977950
[ 90.890639] FS: 000055557b069940(0000) GS:ffff88806d200000(0000)
knlGS:0000000000000000
[ 90.894196] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 90.896589] CR2: 0000000000004028 CR3: 000000000bf84000 CR4: 00000000000006f0
[ 90.899520] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 90.902247] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 90.904931] Call Trace:
[ 90.905938] <TASK>
[ 90.906804] ? show_regs (linux-6.12/arch/x86/kernel/dumpstack.c:419)
[ 90.908166] ? __die_body (linux-6.12/arch/x86/kernel/dumpstack.c:423)
[ 90.909495] ? die_addr (linux-6.12/arch/x86/kernel/dumpstack.c:463)
[ 90.910773] ? exc_general_protection
(linux-6.12/arch/x86/kernel/traps.c:751
linux-6.12/arch/x86/kernel/traps.c:693)
[ 90.912665] ? asm_exc_general_protection
(linux-6.12/./arch/x86/include/asm/idtentry.h:617)
[ 90.914566] ? kasan_save_stack (linux-6.12/mm/kasan/common.c:48)
[ 90.916239] ? native_tss_update_io_bitmap
(linux-6.12/./arch/x86/include/asm/bitops.h:206
linux-6.12/./arch/x86/include/asm/bitops.h:238
linux-6.12/./include/asm-generic/bitops/instrumented-non-atomic.h:142
linux-6.12/./include/linux/thread_info.h:118
linux-6.12/arch/x86/kernel/process.c:456)
[ 90.918173] ? native_tss_update_io_bitmap
(linux-6.12/arch/x86/kernel/process.c:464)
[ 90.920145] ? native_tss_update_io_bitmap
(linux-6.12/arch/x86/kernel/process.c:470)
[ 90.922509] ? __pfx_native_tss_update_io_bitmap
(linux-6.12/arch/x86/kernel/process.c:451)
[ 90.925039] ? __pfx_refcount_dec_not_one (linux-6.12/lib/refcount.c:75)
[ 90.927396] ? __virt_addr_valid (linux-6.12/arch/x86/mm/physaddr.c:66)
[ 90.929218] ? __pfx_delayed_put_pid (linux-6.12/kernel/pid.c:128)
[ 90.930957] task_update_io_bitmap
(linux-6.12/./arch/x86/include/asm/preempt.h:94
linux-6.12/arch/x86/kernel/ioport.c:48
linux-6.12/arch/x86/kernel/ioport.c:36)
[ 90.932599] io_bitmap_exit (linux-6.12/arch/x86/kernel/ioport.c:58)
[ 90.933995] exit_thread (linux-6.12/arch/x86/kernel/process.c:122)
[ 90.935319] copy_process (linux-6.12/kernel/fork.c:1764
linux-6.12/kernel/fork.c:2362)
[ 90.936878] ? __pfx_copy_process (linux-6.12/kernel/fork.c:2123)
[ 90.938857] ? _raw_spin_lock_irqsave
(linux-6.12/./arch/x86/include/asm/atomic.h:107
linux-6.12/./include/linux/atomic/atomic-arch-fallback.h:2170
linux-6.12/./include/linux/atomic/atomic-instrumented.h:1302
linux-6.12/./include/asm-generic/qspinlock.h:111
linux-6.12/./include/linux/spinlock.h:187
linux-6.12/./include/linux/spinlock_api_smp.h:111
linux-6.12/kernel/locking/spinlock.c:162)
[ 90.940957] ? try_to_wake_up
(linux-6.12/./include/linux/spinlock.h:551
linux-6.12/kernel/sched/core.c:4165)
[ 90.942490] ? __pfx_io_wq_worker (linux-6.12/io_uring/io-wq.c:632)
[ 90.944116] create_io_thread (linux-6.12/kernel/fork.c:2721)
[ 90.945578] ? __pfx_create_io_thread (linux-6.12/kernel/fork.c:2721)
[ 90.947344] ? __pfx_io_wq_worker (linux-6.12/io_uring/io-wq.c:632)
[ 90.948935] ? kasan_save_track
(linux-6.12/./arch/x86/include/asm/current.h:49
linux-6.12/mm/kasan/common.c:60 linux-6.12/mm/kasan/common.c:69)
[ 90.950458] create_io_worker (linux-6.12/io_uring/io-wq.c:851)
[ 90.952015] io_wq_enqueue (linux-6.12/io_uring/io-wq.c:326
linux-6.12/io_uring/io-wq.c:966)
[ 90.953427] ? __pfx_io_wq_enqueue (linux-6.12/io_uring/io-wq.c:933)
[ 90.955081] ? __pfx__raw_spin_lock (linux-6.12/kernel/locking/spinlock.c:153)
[ 90.957061] ? __pfx_io_wq_work_match_item (linux-6.12/io_uring/io-wq.c:928)
[ 90.958969] io_queue_iowq (linux-6.12/io_uring/io_uring.c:534)
[ 90.960413] io_queue_sqe_fallback (linux-6.12/io_uring/io_uring.c:1980)
[ 90.962097] io_submit_sqes (linux-6.12/io_uring/io_uring.c:2194
linux-6.12/io_uring/io_uring.c:2324)
[ 90.963627] io_sq_thread (linux-6.12/io_uring/napi.h:25
linux-6.12/io_uring/sqpoll.c:324)
[ 90.965272] ? __pfx_io_sq_thread (linux-6.12/io_uring/sqpoll.c:268)
[ 90.966960] ? __pfx_autoremove_wake_function
(linux-6.12/kernel/sched/wait.c:383)
[ 90.969010] ? _raw_spin_lock_irq
(linux-6.12/./arch/x86/include/asm/atomic.h:107
linux-6.12/./include/linux/atomic/atomic-arch-fallback.h:2170
linux-6.12/./include/linux/atomic/atomic-instrumented.h:1302
linux-6.12/./include/asm-generic/qspinlock.h:111
linux-6.12/./include/linux/spinlock.h:187
linux-6.12/./include/linux/spinlock_api_smp.h:120
linux-6.12/kernel/locking/spinlock.c:170)
[ 90.970775] ? finish_task_switch
(linux-6.12/./arch/x86/include/asm/atomic.h:67
linux-6.12/./include/linux/atomic/atomic-arch-fallback.h:2278
linux-6.12/./include/linux/atomic/atomic-instrumented.h:1384
linux-6.12/./include/linux/sched/mm.h:54
linux-6.12/./include/linux/sched/mm.h:83
linux-6.12/./include/linux/sched/mm.h:110
linux-6.12/kernel/sched/core.c:5227)
[ 90.972809] ? __pfx_io_sq_thread (linux-6.12/io_uring/sqpoll.c:268)
[ 90.974572] ? __pfx_io_sq_thread (linux-6.12/io_uring/sqpoll.c:268)
[ 90.976372] ret_from_fork (linux-6.12/arch/x86/kernel/process.c:153)
[ 90.977916] ? __pfx_io_sq_thread (linux-6.12/io_uring/sqpoll.c:268)
[ 90.979704] ret_from_fork_asm (linux-6.12/arch/x86/entry/entry_64.S:257)
[ 90.981443] </TASK>
[ 90.982411] Modules linked in:
[ 90.984086] ---[ end trace 0000000000000000 ]---
[ 90.986042] RIP: 0010:native_tss_update_io_bitmap
(linux-6.12/arch/x86/kernel/process.c:470)
[ 90.989080] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85
ae 03 00 00 48 89 da 4d 8b 75 68 48 b8 00 00 00 00 00 fc ff df 4c
Code starting with the faulting instruction
===========================================
0: 00 fc add %bh,%ah
2: ff (bad)
3: df 48 89 fisttps -0x77(%rax)
6: fa cli
7: 48 c1 ea 03 shr $0x3,%rdx
b: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
f: 0f 85 ae 03 00 00 jne 0x3c3
15: 48 89 da mov %rbx,%rdx
18: 4d 8b 75 68 mov 0x68(%r13),%r14
1c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
23: fc ff df
26: 4c rex.WR
[ 90.997385] RSP: 0018:ffff8880079776c0 EFLAGS: 00010246
[ 91.000093] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff810a7045
[ 91.003230] RDX: 0000000000000000 RSI: ffffffff810a70a6 RDI: ffff88806d20a068
[ 91.006468] RBP: ffff888007977740 R08: ffffffff8171dc14 R09: ffffed10014763c1
[ 91.010241] R10: ffffed10014763c0 R11: ffff88800a3b1e07 R12: 1ffff11000f2eed8
[ 91.014085] R13: ffff88806d20a000 R14: 00000000000005d4 R15: ffff888007977950
[ 91.017484] FS: 000055557b069940(0000) GS:ffff88806d200000(0000)
knlGS:0000000000000000
[ 91.020992] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 91.023575] CR2: 0000000000004028 CR3: 000000000bf84000 CR4: 00000000000006f0
[ 91.026987] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 91.030017] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 91.033300] note: iou-sqp-3264[3265] exited with preempt_count 1
> and providing a full vmlinux might be helpful if folks want to dig into
> this more.
Here is the vmlinux we use:
https://drive.google.com/file/d/1ESzENhJM9xQsFWAgbIsaxKa-AqcexmFO/view?usp=sharing
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: reproducible GPF error in native_tss_update_io_bitmap
2025-01-08 0:24 ` reveliofuzzing
@ 2025-01-15 14:22 ` Thomas Gleixner
0 siblings, 0 replies; 4+ messages in thread
From: Thomas Gleixner @ 2025-01-15 14:22 UTC (permalink / raw)
To: reveliofuzzing, Dave Hansen
Cc: mingo, bp, dave.hansen, kirill.shutemov, x86, linux-kernel
On Tue, Jan 07 2025 at 19:24, reveliofuzzing@gmail.com wrote:
> On Tue, Jan 7, 2025 at 4:28 PM Dave Hansen <dave.hansen@intel.com> wrote:
>>
>> On 1/6/25 18:32, reveliofuzzing wrote:
>> > Hello,
>> >
>> > We found the following general protection fault bug in Linux kernel 6.12, and
>> > it can be reproduced stably in a QEMU VM. To our knowledge, this problem has not
>> > been observed by SyzBot so we would like to report it for your reference.
>> >
>> > - dmesg
>> > syzkaller login: [ 90.849309] Oops: general protection fault,
>> > probably for non-canonical address 0xdffffc0000000000: 0000 [#1]
>> > PREEMPTI
>> > [ 90.853735] KASAN: null-ptr-deref in range
>> > [0x0000000000000000-0x0000000000000007]
>> > [ 90.856772] CPU: 0 PID: 3265 Comm: iou-sqp-3264 Not tainted 6.10.0 #2
>> > [ 90.859386] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
>> > BIOS 1.13.0-1ubuntu1.1 04/01/2014
>> > [ 90.862774] RIP: 0010:native_tss_update_io_bitmap+0x143/0x510
>>
>> The whole thing looks like an issue in the failure path when trying to
>> create an io_uring io worker thread. It's probably some confusion in
>> treating the worker thread like a userspace thread with an io bitmap
>> when the worker thread doesn't have one.
>>
>> It's _probably_ only reproducible with io_uring. It's arguable whether
>> it's likely an x86 issue or an io_uring issue.
>>
>> In any case, running:
>>
>> scripts/decode_stacktrace.sh
>>
> Here is the output of running this script:
So looking at it from the call chain:
> [ 90.935319] copy_process (linux-6.12/kernel/fork.c:1764
This means copy_process() failed at some point and then invokes:
> [ 90.933995] exit_thread (linux-6.12/arch/x86/kernel/process.c:122)
which in turn invokes:
> [ 90.932599] io_bitmap_exit (linux-6.12/arch/x86/kernel/ioport.c:58)
> linux-6.12/arch/x86/kernel/ioport.c:36 - task_update_io_bitmap()
> linux-6.12/arch/x86/kernel/ioport.c:48 - tss_update_io_bitmap()
which ends up in native_tss_update_io_bitmap()
> [ 90.853735] KASAN: null-ptr-deref in range
> [0x0000000000000000-0x0000000000000007]
> [ 90.856772] CPU: 0 PID: 3265 Comm: iou-sqp-3264 Not tainted 6.10.0 #2
> [ 90.859386] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.13.0-1ubuntu1.1 04/01/2014
> [ 90.862774] RIP: 0010:native_tss_update_io_bitmap
> (linux-6.12/arch/x86/kernel/process.c:470)
Which is this code:
if (tss->io_bitmap.prev_sequence != iobm->sequence)
where @iobm is NULL.
But to reach that code it's required that the current task has
TIF_IO_BITMAP set, which is wrong to begin with.
The context of this is:
[ 90.963627] io_sq_thread+0xaf9/0x1620
which is a IO worker thread created via io_uring_setup(). So that thread
inherits the user space thread TIF flags and indeed the syzkaller
reproducer does:
syscall(__NR_ioperm, /*from=*/0ul, /*num=*/0xd8ul, /*on=*/0x80000000ul);
before invoking the io_uring setup.
That inheritance is wrong and easy to fix, but that does not explain the
actual failure. That's a bit more subtle.
copy_thread() sets p->thread.io_bitmap to NULL, leaves TIF_IO_BITMAP set
and then returns before sharing the bitmap of the parent thread.
Now copy_process() fails after copy_thread() and invokes exit_thread()
and due to TIF_IO_BITMAP being set it calls io_bitmap_exit(). The latter
invokes task_update_io_bitmap(), which clears the newly created thread's
IO_BITMAP flag because the new thread has neither iopl_emul == 3 nor a
io_valid bitmap.
task_update_io_bitmap() then invokes tss_update_io_bitmap(), which
checks the current thread's TIF_IO_BITMAP bit, which is set, but the
io_sq_thread (current) does neither have iopl_emul == 3 nor a bitmap
pointer. Game over.
Invoking task_update_io_bitmap() in the failure path of copy_process()
is completely wrong as the newly created task never got active and
therefore has never changed the TSS side. So invalidating or updating
anything here is just bogus. The only important part is to drop the
reference count on the bitmap if it got shared in copy_thread().
Tentative uncompiled fix below.
Thanks,
tglx
---
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
index e2fab3ceb09f..fa7113babc8e 100644
--- a/arch/x86/kernel/ioport.c
+++ b/arch/x86/kernel/ioport.c
@@ -21,6 +21,9 @@ static atomic64_t io_bitmap_sequence;
void io_bitmap_share(struct task_struct *tsk)
{
+ /* Inherit the IOPL level of the parent */
+ tsk->thread.iopl_emul = current->thread.iopl_emul;
+
/* Can be NULL when current->thread.iopl_emul == 3 */
if (current->thread.io_bitmap) {
/*
@@ -54,7 +57,12 @@ void io_bitmap_exit(struct task_struct *tsk)
struct io_bitmap *iobm = tsk->thread.io_bitmap;
tsk->thread.io_bitmap = NULL;
- task_update_io_bitmap(tsk);
+ /*
+ * Only update when a task is exiting, not when a newly created
+ * task is mopped up in the failure path of copy_process().
+ */
+ if (tsk == current)
+ task_update_io_bitmap(tsk);
if (iobm && refcount_dec_and_test(&iobm->refcnt))
kfree(iobm);
}
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index f63f8fd00a91..89c16dc135cf 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -176,6 +176,8 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
p->thread.sp = (unsigned long) fork_frame;
p->thread.io_bitmap = NULL;
p->thread.iopl_warn = 0;
+ p->thread.iopl_emul = 0;
+ clear_tsk_thread_flag(p, TIF_IO_BITMAP);
memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
#ifdef CONFIG_X86_64
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-01-15 14:22 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-07 2:32 reproducible GPF error in native_tss_update_io_bitmap reveliofuzzing
2025-01-07 21:28 ` Dave Hansen
2025-01-08 0:24 ` reveliofuzzing
2025-01-15 14:22 ` Thomas Gleixner
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox