From: Dmitry Vyukov
Date: Tue, 31 Oct 2017 14:47:25 +0300
Subject: Re: WARNING in do_debug
To: syzbot
Cc: LKML, syzkaller-bugs@googlegroups.com, KVM list, Paolo Bonzini, Radim Krčmář, Haozhong Zhang, David Hildenbrand
In-Reply-To: <001a113f83b2b3b8b8055cd621f3@google.com>

On Tue, Oct 31, 2017 at 2:34 PM, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 0787643a5f6aad1f0cdeb305f7fe492b71943ea4
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 3045 at arch/x86/kernel/traps.c:776 cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
> WARNING: CPU: 0 PID: 3045 at arch/x86/kernel/traps.c:776 do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 3045 Comm: syz-executor6 Not tainted 4.14.0-rc5+ #142
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  <#DB>
>  __dump_stack lib/dump_stack.c:16 [inline]
>  dump_stack+0x194/0x257 lib/dump_stack.c:52
>  panic+0x1e4/0x417 kernel/panic.c:181
>  __warn+0x1c4/0x1d9 kernel/panic.c:542
>  report_bug+0x211/0x2d0 lib/bug.c:183
>  fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:178
>  do_trap_no_signal arch/x86/kernel/traps.c:212 [inline]
>  do_trap+0x260/0x390 arch/x86/kernel/traps.c:261
>  do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:298
>  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:311
>  invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
> RIP: 0010:cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
> RIP: 0010:do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
> RSP: 0018:ffff8801db20fe98 EFLAGS: 00010246
> RAX: dffffc0000000000 RBX: ffff8801db20ff58 RCX: 0000000000000000
> RDX: 1ffff1003b641ffc RSI: 0000000000000001 RDI: ffffffff85ac6398
> RBP: ffff8801db20ff48 R08: ffff8801db20ffe8 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000004001
> R13: ffff8801cd8541c0 R14: 1ffff1003b641fd8 R15: 0000000000004000
>  debug+0x34/0x70 arch/x86/entry/entry_64.S:1056
> RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 arch/x86/lib/copy_user_64.S:180
> RSP: 0018:ffff8801cd2cfe68 EFLAGS: 00010246
> RAX: ffffed0039a59fe1 RBX: 0000000020000000 RCX: 000000000000003f
> RDX: 0000000000000040 RSI: 0000000020000001 RDI: ffff8801cd2cfec9
> RBP: ffff8801cd2cfe98 R08: ffffed0039a59fe1 R09: ffffed0039a59fe1
> R10: 0000000000000008 R11: ffffed0039a59fe0 R12: 0000000000000040
> R13: ffff8801cd2cfec8 R14: 00007ffffffff000 R15: 0000000020000040
>
>  copy_from_user include/linux/uaccess.h:146 [inline]
>  SYSC_timer_create kernel/time/posix-timers.c:579 [inline]
>  SyS_timer_create+0x89/0x120 kernel/time/posix-timers.c:572
>  entry_SYSCALL_64_fastpath+0x1f/0xbe
> RIP: 0033:0x452719
> RSP: 002b:00007f906f324be8 EFLAGS: 00000212 ORIG_RAX: 00000000000000de
> RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452719
> RDX: 0000000020000000 RSI: 0000000020000000 RDI: ffffffffffffffff
> RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f3cf8
> R13: 00000000ffffffff R14: 00007f906f3256d4 R15: 0000000000000000
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..

I think this is a kvm bug, so +kvm maintainers.

Unfortunately, this does not reproduce with a C program. But I was able to easily reproduce it with the provided syzkaller program by running:

./syz-execprog repro.txt

On upstream 15f859ae5c43c7f0a064ed92d33f7a5bc5de6de0 (Oct 26).

Seems that the guest somehow sets debug register contents for the host:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 3079 at arch/x86/kernel/traps.c:776 cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
WARNING: CPU: 0 PID: 3079 at arch/x86/kernel/traps.c:776 do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 3079 Comm: syz-executor Not tainted 4.14.0-rc6+ #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 <#DB>
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 panic+0x1e4/0x417 kernel/panic.c:181
 __warn+0x1c4/0x1d9 kernel/panic.c:542
 report_bug+0x211/0x2d0 lib/bug.c:183
 fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:178
 do_trap_no_signal arch/x86/kernel/traps.c:212 [inline]
 do_trap+0x260/0x390 arch/x86/kernel/traps.c:261
 do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:298
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:311
 invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
RIP: 0010:cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
RIP: 0010:do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
RSP: 0018:ffff88006ca0fe98 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88006ca0ff58 RCX: 0000000000000000
RDX: 1ffff1000d941ffc RSI: 0000000000000001 RDI: ffffffff85ac63d8
RBP: ffff88006ca0ff48 R08: ffff88006ca0ffe8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000e001
R13: ffff88006a8d2500 R14: 1ffff1000d941fd8 R15: 0000000000004000
 debug+0x34/0x70 arch/x86/entry/entry_64.S:1056
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:44 [inline]
RIP: 0010:strncpy_from_user+0x188/0x430 lib/strncpy_from_user.c:117
RSP: 0018:ffff88006b717d28 EFLAGS: 00000246
RAX: 6d766b2f7665642f RBX: ffff88006b717dc0 RCX: ffffc90000e41000
RDX: 0000000000000000 RSI: ffffffff82466043 RDI: ffff88006b717d88
RBP: ffff88006b717de8 R08: ffff88006c5f9780 R09: ffff88006b2e8c00
R10: 0000000000000000 R11: ffffed000d65d37f R12: 0000000000000fe4
R13: 0000000000000fe4 R14: 0000000020000000 R15: 8080808080808080
 getname_flags+0x10e/0x580 fs/namei.c:148
 getname+0x19/0x20 fs/namei.c:208
 do_sys_open+0x2e7/0x6d0 fs/open.c:1053
 SYSC_openat fs/open.c:1086 [inline]
 SyS_openat+0x30/0x40 fs/open.c:1080
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x447c89
RSP: 002b:00007f23a6c51bd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f23a6c526cc RCX: 0000000000447c89
RDX: 0000000000080000 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f23a6c529c0 R15: 00007f23a6c52700
Kernel Offset: disabled
Rebooting in 86400 seconds..

> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@googlegroups.com.
> Please credit me with: Reported-by: syzbot
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug report.
> Note: all commands must start from beginning of the line.
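As an added triage aid that is not part of the thread or of the kernel sources: decode the DR6 status bits and the interrupted-frame CS selector from the register dumps quoted above, since that pair is what the do_debug warning turns on (in 4.14 its only WARN_ON_ONCE fires when DR_STEP is set in DR6 and the trap did not come from user mode). The DR6 bit layout is architectural; reading the dr6 value out of R12 in the do_debug frame is an assumption about this particular dump, and the sample lines are trimmed copies of the two traces in the thread.

```python
"""Decode the #DB state in the register dumps quoted above (added triage aid)."""
import re

# DR6 status-bit layout: architectural (matches DR_TRAP0..3, DR_STEP and
# DR_SWITCH in arch/x86/include/uapi/asm/debugreg.h).
DR6_BITS = {0: "B0", 1: "B1", 2: "B2", 3: "B3",  # hardware breakpoint 0-3 hit
            13: "BD",   # debug-register access detected
            14: "BS",   # single-step trap; Linux calls this DR_STEP (0x4000)
            15: "BT"}   # task-switch trap
DR_STEP = 0x4000
KERNEL_CS = 0x0010  # __KERNEL_CS; the "0010:" prefix on the kernel RIP lines

# Constructed sample trimmed from the two dumps in the thread: the do_debug
# frame (R12 is ASSUMED to hold the dr6 value there; the thread does not say
# so) followed by the frame the #DB interrupted, after the debug+0x34 entry.
SAMPLE_TRACES = [
    "RIP: 0010:do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790\n"
    "R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000004001\n"
    " debug+0x34/0x70 arch/x86/entry/entry_64.S:1056\n"
    "RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20\n",
    "RIP: 0010:do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790\n"
    "R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000e001\n"
    " debug+0x34/0x70 arch/x86/entry/entry_64.S:1056\n"
    "RIP: 0010:strncpy_from_user+0x188/0x430 lib/strncpy_from_user.c:117\n",
]

def decode_dr6(value):
    """Names of the DR6 status bits set in value, lowest bit first."""
    return [name for bit, name in sorted(DR6_BITS.items()) if value & (1 << bit)]

def parse_frames(trace):
    """Return (CS of the interrupted frame, dr6 taken from R12 of the do_debug frame)."""
    cs_values = re.findall(r"^RIP: ([0-9a-f]{4}):", trace, re.M)
    dr6 = re.search(r"R12: ([0-9a-f]{16})", trace).group(1)
    # The last RIP line in the slice belongs to the context the #DB interrupted.
    return int(cs_values[-1], 16), int(dr6, 16)

def classify(trace):
    """Flag a single-step #DB delivered while the CPU was executing kernel code."""
    cs, dr6 = parse_frames(trace)
    # Kernel-mode code is not expected to take an unhandled single-step trap, so
    # BS set together with a ring-0 CS is the inconsistent state the do_debug
    # warning reports; the thread's hypothesis is that guest debug state leaked.
    kernel_single_step = bool(dr6 & DR_STEP) and cs == KERNEL_CS
    return {"cs": cs, "dr6": dr6, "bits": decode_dr6(dr6),
            "kernel_single_step": kernel_single_step}

if __name__ == "__main__":
    for sample in SAMPLE_TRACES:
        print(classify(sample))
```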