general protection fault in rcu_segcblist_enqueue

[Hao Sun]

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: ff1ffd71d5f0 Merge tag 'hyperv-fixes-signed-20210915
git tree: upstream
console output:
https://drive.google.com/file/d/1I3q-rH7yJXxmr16cI418avyA_tHdoOVE/view?usp=sharing
kernel config: https://drive.google.com/file/d/1zXpDhs-IdE7tX17B7MhaYP0VGUfP6m9B/view?usp=sharing

Sorry, I don't have a reproducer for this crash, hope the symbolized
report can help.
If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th@xxxxxxxxx>

general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 3 PID: 18519 Comm: syz-executor Not tainted 5.15.0-rc1+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:rcu_segcblist_enqueue+0xf5/0x1d0 kernel/rcu/rcu_segcblist.c:348
Code: 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 75 7c
48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 4c 89 e2 48 c1 ea 03 <80> 3c
02 00 75 4f 48 89 ea 49 89 34 24 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc90001bafbd0 EFLAGS: 00010056
RAX: dffffc0000000000 RBX: ffff888135d00080 RCX: ffffffff815c1ca0
RDX: 0000000000000000 RSI: ffffc90001bafcd0 RDI: ffff888135d00080
RBP: ffff888135d000a0 R08: 0000000000000001 R09: fffff52000375f6e
R10: 0000000000000003 R11: fffff52000375f6d R12: 0000000000000000
R13: 0000000000000000 R14: ffff888135d00080 R15: ffff888135d00040
FS:  00007f2d96e17700(0000) GS:ffff888135d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2d96df5db8 CR3: 000000010aedf000 CR4: 0000000000350ee0
Call Trace:
 srcu_gp_start_if_needed+0x145/0xbf0 kernel/rcu/srcutree.c:823
 __synchronize_srcu+0x1f4/0x270 kernel/rcu/srcutree.c:929
 kvm_mmu_uninit_vm+0x18/0x30 arch/x86/kvm/mmu/mmu.c:5711
 kvm_arch_destroy_vm+0x42b/0x5b0 arch/x86/kvm/x86.c:11331
 kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1094 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:4583 [inline]
 kvm_dev_ioctl+0x1508/0x1aa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4638
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4739cd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2d96e16c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 00000000004739cd
RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000003
RBP: 00000000004ebd80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000059c0a0
R13: 00007ffd87419e4f R14: 00007ffd87419ff0 R15: 00007f2d96e16dc0
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 786f845bf6575473 ]---
RIP: 0010:rcu_segcblist_enqueue+0xf5/0x1d0 kernel/rcu/rcu_segcblist.c:348
Code: 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 75 7c
48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 4c 89 e2 48 c1 ea 03 <80> 3c
02 00 75 4f 48 89 ea 49 89 34 24 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc90001bafbd0 EFLAGS: 00010056
RAX: dffffc0000000000 RBX: ffff888135d00080 RCX: ffffffff815c1ca0
RDX: 0000000000000000 RSI: ffffc90001bafcd0 RDI: ffff888135d00080
RBP: ffff888135d000a0 R08: 0000000000000001 R09: fffff52000375f6e
R10: 0000000000000003 R11: fffff52000375f6d R12: 0000000000000000
R13: 0000000000000000 R14: ffff888135d00080 R15: ffff888135d00040
FS:  00007f2d96e17700(0000) GS:ffff888135d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2d96df5db8 CR3: 000000010aedf000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0: 00 00                add    %al,(%rax)
   2: 00 00                add    %al,(%rax)
   4: 00 fc                add    %bh,%ah
   6: ff                    (bad)
   7: df 48 89              fisttps -0x77(%rax)
   a: ea                    (bad)
   b: 48 c1 ea 03          shr    $0x3,%rdx
   f: 80 3c 02 00          cmpb   $0x0,(%rdx,%rax,1)
  13: 75 7c                jne    0x91
  15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
  1c: fc ff df
  1f: 4c 8b 63 20          mov    0x20(%rbx),%r12
  23: 4c 89 e2              mov    %r12,%rdx
  26: 48 c1 ea 03          shr    $0x3,%rdx
* 2a: 80 3c 02 00          cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e: 75 4f                jne    0x7f
  30: 48 89 ea              mov    %rbp,%rdx
  33: 49 89 34 24          mov    %rsi,(%r12)
  37: 48                    rex.W
  38: b8 00 00 00 00        mov    $0x0,%eax
  3d: 00 fc                add    %bh,%ah
  3f: ff                    .byte 0xff