Re: WARNING in do_debug

From: Dmitry Vyukov
Date: Tue Oct 31 2017 - 07:47:53 EST


On Tue, Oct 31, 2017 at 2:34 PM, syzbot
<bot+adbefe6736a5b37af36f19ebfa8764fcdd9ddaed@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
> Hello,
>
> syzkaller hit the following crash on
> 0787643a5f6aad1f0cdeb305f7fe492b71943ea4
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 3045 at arch/x86/kernel/traps.c:776
> cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
> WARNING: CPU: 0 PID: 3045 at arch/x86/kernel/traps.c:776
> do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
> Kernel panic - not syncing: panic_on_warn set ...
>
> CPU: 0 PID: 3045 Comm: syz-executor6 Not tainted 4.14.0-rc5+ #142
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> <#DB>
> __dump_stack lib/dump_stack.c:16 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:52
> panic+0x1e4/0x417 kernel/panic.c:181
> __warn+0x1c4/0x1d9 kernel/panic.c:542
> report_bug+0x211/0x2d0 lib/bug.c:183
> fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:178
> do_trap_no_signal arch/x86/kernel/traps.c:212 [inline]
> do_trap+0x260/0x390 arch/x86/kernel/traps.c:261
> do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:298
> do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:311
> invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
> RIP: 0010:cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
> RIP: 0010:do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
> RSP: 0018:ffff8801db20fe98 EFLAGS: 00010246
> RAX: dffffc0000000000 RBX: ffff8801db20ff58 RCX: 0000000000000000
> RDX: 1ffff1003b641ffc RSI: 0000000000000001 RDI: ffffffff85ac6398
> RBP: ffff8801db20ff48 R08: ffff8801db20ffe8 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000004001
> R13: ffff8801cd8541c0 R14: 1ffff1003b641fd8 R15: 0000000000004000
> debug+0x34/0x70 arch/x86/entry/entry_64.S:1056
> RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20
> arch/x86/lib/copy_user_64.S:180
> RSP: 0018:ffff8801cd2cfe68 EFLAGS: 00010246
> RAX: ffffed0039a59fe1 RBX: 0000000020000000 RCX: 000000000000003f
> RDX: 0000000000000040 RSI: 0000000020000001 RDI: ffff8801cd2cfec9
> RBP: ffff8801cd2cfe98 R08: ffffed0039a59fe1 R09: ffffed0039a59fe1
> R10: 0000000000000008 R11: ffffed0039a59fe0 R12: 0000000000000040
> R13: ffff8801cd2cfec8 R14: 00007ffffffff000 R15: 0000000020000040
> </#DB>
> copy_from_user include/linux/uaccess.h:146 [inline]
> SYSC_timer_create kernel/time/posix-timers.c:579 [inline]
> SyS_timer_create+0x89/0x120 kernel/time/posix-timers.c:572
> entry_SYSCALL_64_fastpath+0x1f/0xbe
> RIP: 0033:0x452719
> RSP: 002b:00007f906f324be8 EFLAGS: 00000212 ORIG_RAX: 00000000000000de
> RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452719
> RDX: 0000000020000000 RSI: 0000000020000000 RDI: ffffffffffffffff
> RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f3cf8
> R13: 00000000ffffffff R14: 00007f906f3256d4 R15: 0000000000000000
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..


I think this is a kvm bug, so +kvm maintainers.

Unfortunately, this does not reproduce with a C program. But I was
able to easily reproduce it with the provided syzkaller program by
running:
./syz-execprog repro.txt

On upstream 15f859ae5c43c7f0a064ed92d33f7a5bc5de6de0 (Oct 26).
It seems that the guest somehow sets debug register contents for the host:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 3079 at arch/x86/kernel/traps.c:776
cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
WARNING: CPU: 0 PID: 3079 at arch/x86/kernel/traps.c:776
do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 3079 Comm: syz-executor Not tainted 4.14.0-rc6+ #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
<#DB>
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
panic+0x1e4/0x417 kernel/panic.c:181
__warn+0x1c4/0x1d9 kernel/panic.c:542
report_bug+0x211/0x2d0 lib/bug.c:183
fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:178
do_trap_no_signal arch/x86/kernel/traps.c:212 [inline]
do_trap+0x260/0x390 arch/x86/kernel/traps.c:261
do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:298
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:311
invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
RIP: 0010:cond_local_irq_disable arch/x86/kernel/traps.c:85 [inline]
RIP: 0010:do_debug+0x4d8/0x6e0 arch/x86/kernel/traps.c:790
RSP: 0018:ffff88006ca0fe98 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88006ca0ff58 RCX: 0000000000000000
RDX: 1ffff1000d941ffc RSI: 0000000000000001 RDI: ffffffff85ac63d8
RBP: ffff88006ca0ff48 R08: ffff88006ca0ffe8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000e001
R13: ffff88006a8d2500 R14: 1ffff1000d941fd8 R15: 0000000000004000
debug+0x34/0x70 arch/x86/entry/entry_64.S:1056
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:44 [inline]
RIP: 0010:strncpy_from_user+0x188/0x430 lib/strncpy_from_user.c:117
RSP: 0018:ffff88006b717d28 EFLAGS: 00000246
RAX: 6d766b2f7665642f RBX: ffff88006b717dc0 RCX: ffffc90000e41000
RDX: 0000000000000000 RSI: ffffffff82466043 RDI: ffff88006b717d88
RBP: ffff88006b717de8 R08: ffff88006c5f9780 R09: ffff88006b2e8c00
R10: 0000000000000000 R11: ffffed000d65d37f R12: 0000000000000fe4
R13: 0000000000000fe4 R14: 0000000020000000 R15: 8080808080808080
</#DB>
getname_flags+0x10e/0x580 fs/namei.c:148
getname+0x19/0x20 fs/namei.c:208
do_sys_open+0x2e7/0x6d0 fs/open.c:1053
SYSC_openat fs/open.c:1086 [inline]
SyS_openat+0x30/0x40 fs/open.c:1080
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x447c89
RSP: 002b:00007f23a6c51bd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f23a6c526cc RCX: 0000000000447c89
RDX: 0000000000080000 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f23a6c529c0 R15: 00007f23a6c52700
Kernel Offset: disabled
Rebooting in 86400 seconds..




> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@xxxxxxxxxxxxxxxxx
> Please credit me with: Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is committed, please reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line.
>
> --
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/001a113f83b2b3b8b8055cd621f3%40google.com.
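Added example, not code from this thread, from syzkaller or from the kernel tree. It decodes the DR6 status word that the x86 #DB handler inspects, evaluates the kernel-mode single-step condition the warning is about, and, for contrast, arms a legitimate user-space watchpoint through ptrace and reads the child's DR6 back. Two assumptions, both inferred from the dumps rather than stated in the report: that R12 (0x4001 in the first dump, 0xe001 in the second) holds the masked DR6 value, and that the WARN_ON_ONCE at traps.c:776 is the check `(dr6 & DR_STEP) && !user_mode(regs)`, i.e. a single-step trap taken while CS already said ring 0. The DR6/DR7 bit layouts are the Intel SDM ones; `dr6_names`, `db_step_in_kernel` and `dr7_watch4_dr0` are names chosen here.

```c
/* Added example (not from the thread, syzkaller or the kernel): decode the DR6
 * word do_debug() examines, evaluate the predicate behind
 * WARN_ON_ONCE((dr6 & DR_STEP) && !user_mode(regs)), and arm a ptrace
 * watchpoint in a child for contrast. Assumptions: x86-64 Linux; R12 in the two
 * dumps (0x4001, 0xe001) is the masked DR6 value (inferred, not stated there). */
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>

/* DR6 status bits, named as in arch/x86/include/uapi/asm/debugreg.h where the
 * kernel names them (DR_BD is a local name for bit 13, "BD" in the SDM). */
#define DR_TRAP0     0x0001UL      /* B0: breakpoint condition 0 (DR0) met */
#define DR_BD        0x2000UL      /* debug-register access detected */
#define DR_STEP      0x4000UL      /* BS: single-step trap */
#define DR_SWITCH    0x8000UL      /* BT: task switch */
#define DR6_RESERVED 0xFFFF0FF0UL  /* read as ones by hardware; kernel masks them */

/* DR7 for a watchpoint in DR0 (SDM layout): L0 enable, R/W0 = 11b (data read
 * or write), LEN0 = 11b (4-byte range). */
#define DR7_L0     (1UL << 0)
#define DR7_RW0_RW (3UL << 16)
#define DR7_LEN0_4 (3UL << 18)
uint64_t dr7_watch4_dr0(void) { return DR7_L0 | DR7_RW0_RW | DR7_LEN0_4; }

/* Names of the set DR6 status bits, e.g. "B0|BS"; reserved bits are ignored. */
const char *dr6_names(uint64_t dr6)
{
    static const struct { uint64_t bit; const char *name; } bits[] = {
        { DR_TRAP0 << 0, "B0" }, { DR_TRAP0 << 1, "B1" },
        { DR_TRAP0 << 2, "B2" }, { DR_TRAP0 << 3, "B3" },
        { DR_BD, "BD" }, { DR_STEP, "BS" }, { DR_SWITCH, "BT" },
    };
    static char buf[64];
    size_t n = 0;
    buf[0] = '\0';
    dr6 &= ~DR6_RESERVED;
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++)
        if (dr6 & bits[i].bit)
            n += snprintf(buf + n, sizeof buf - n, "%s%s", n ? "|" : "", bits[i].name);
    return n ? buf : "none";
}

/* The condition do_debug() warns on: a single-step trap (BS) taken while the
 * CPU was in kernel mode (CPL = low two bits of CS, as user_mode() checks).
 * A watchpoint bit alone (B0 inside copy_from_user()) does not trigger it. */
int db_step_in_kernel(uint64_t dr6, uint16_t cs)
{
    return ((dr6 & ~DR6_RESERVED) & DR_STEP) && (cs & 3) == 0;
}

static volatile uint32_t target;   /* 4-byte aligned, as LEN0 = 4 requires */

int main(void)
{
    /* R12 and CS from the two dumps in the thread (constructed table). */
    static const struct { uint64_t dr6; uint16_t cs; } dumps[] = {
        { 0x4001, 0x0010 }, { 0xe001, 0x0010 },
    };
    for (size_t i = 0; i < 2; i++)
        printf("dr6=%#llx (%s) cs=%#06x -> WARN_ON_ONCE fires: %s\n",
               (unsigned long long)dumps[i].dr6, dr6_names(dumps[i].dr6), dumps[i].cs,
               db_step_in_kernel(dumps[i].dr6, dumps[i].cs) ? "yes" : "no");

    /* Contrast: arm DR0 on `target` in a traced child; it trips from user mode. */
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);   /* the parent arms DR0/DR7 while we are stopped */
        target = 42;      /* user-mode write: B0 set, SIGTRAP delivered */
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    if (ptrace(PTRACE_POKEUSER, pid, (void *)offsetof(struct user, u_debugreg[0]),
               (void *)(uintptr_t)&target) ||
        ptrace(PTRACE_POKEUSER, pid, (void *)offsetof(struct user, u_debugreg[7]),
               (void *)(uintptr_t)dr7_watch4_dr0())) {
        perror("ptrace(PTRACE_POKEUSER)");   /* e.g. EPERM under Yama/seccomp */
        kill(pid, SIGKILL); waitpid(pid, NULL, 0); return 1;
    }
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    waitpid(pid, &status, 0);
    if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) {
        long dr6 = ptrace(PTRACE_PEEKUSER, pid, (void *)offsetof(struct user, u_debugreg[6]), NULL);
        printf("child tripped the watchpoint from user mode: dr6=%#lx (%s)\n",
               (unsigned long)dr6, dr6_names((uint64_t)dr6));
    } else {
        printf("child did not stop with SIGTRAP (wait status %#x)\n", status);
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return 0;
}
```

Both dump values decode to BS set with CS=0x0010, which is exactly the combination the handler refuses to accept: the kernel does not single-step itself, so a pending single-step trap landing inside copy_user_enhanced_fast_string or strncpy_from_user means the debug state came from somewhere else. The ptrace half needs permission to trace a child (Yama or a seccomp policy can deny it); depending on kernel version the DR6 read-back may show the reserved bits as ones, which is why `dr6_names` masks DR6_RESERVED before decoding.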