Message-ID: <6982f952.050a0220.3b3015.0012.GAE@google.com>
Date: Tue, 03 Feb 2026 23:46:26 -0800
From: syzbot ci <syzbot+ci66a37fb2e2f8de71@...kaller.appspotmail.com>
To: isaku.yamahata@...il.com, isaku.yamahata@...el.com, kvm@...r.kernel.org, 
	linux-kernel@...r.kernel.org, oliver.sang@...el.com, pbonzini@...hat.com, 
	seanjc@...gle.com, yang.zhong@...ux.intel.com
Cc: syzbot@...ts.linux.dev, syzkaller-bugs@...glegroups.com
Subject: [syzbot ci] Re: KVM: VMX APIC timer virtualization support

syzbot ci has tested the following series

[v1] KVM: VMX APIC timer virtualization support
https://lore.kernel.org/all/cover.1770116050.git.isaku.yamahata@intel.com
* [PATCH 01/32] KVM: VMX: Detect APIC timer virtualization bit
* [PATCH 02/32] KVM: x86: Implement APIC virt timer helpers with callbacks
* [PATCH 03/32] KVM: x86/lapic: Start/stop sw/hv timer on vCPU un/block
* [PATCH 04/32] KVM: x86/lapic: Wire DEADLINE MSR update to guest virtual TSC deadline
* [PATCH 05/32] KVM: x86/lapic: Add a trace point for guest virtual timer
* [PATCH 06/32] KVM: VMX: Implement the hooks for VMX guest virtual deadline timer
* [PATCH 07/32] KVM: VMX: Update APIC timer virtualization on apicv changed
* [PATCH 08/32] KVM: nVMX: Disallow/allow guest APIC timer virtualization switch to/from L2
* [PATCH 09/32] KVM: nVMX: Pass struct msr_data to VMX MSRs emulation
* [PATCH 10/32] KVM: nVMX: Supports VMX tertiary controls and GUEST_APIC_TIMER bit
* [PATCH 11/32] KVM: nVMX: Add tertiary VM-execution control VMCS support
* [PATCH 12/32] KVM: nVMX: Update intercept on TSC deadline MSR
* [PATCH 13/32] KVM: nVMX: Handle virtual timer vector VMCS field
* [PATCH 14/32] KVM: VMX: Make vmx_calc_deadline_l1_to_host() non-static
* [PATCH 15/32] KVM: nVMX: Enable guest deadline and its shadow VMCS field
* [PATCH 16/32] KVM: nVMX: Add VM entry checks related to APIC timer virtualization
* [PATCH 17/32] KVM: nVMX: Add check vmread/vmwrite on tertiary control
* [PATCH 18/32] KVM: nVMX: Add check VMCS index for guest timer virtualization
* [PATCH 19/32] KVM: VMX: Advertise tertiary controls to the user space
* [PATCH 20/32] KVM: VMX: dump_vmcs() support the guest virt timer
* [PATCH 21/32] KVM: VMX: Enable APIC timer virtualization
* [PATCH 22/32] KVM: VMX: Introduce module parameter for APIC virt timer support
* [PATCH 23/32] KVM: nVMX: Introduce module parameter for nested APIC timer virtualization
* [PATCH 24/32] KVM: selftests: Add a test to measure local timer latency
* [PATCH 25/32] KVM: selftests: Add nVMX support to timer_latency test case
* [PATCH 26/32] KVM: selftests: Add test for nVMX MSR_IA32_VMX_PROCBASED_CTLS3
* [PATCH 27/32] KVM: selftests: Add test vmx_set_nested_state_test with EVMCS disabled
* [PATCH 28/32] KVM: selftests: Add tests nested state of APIC timer virtualization
* [PATCH 29/32] KVM: selftests: Add VMCS access test to APIC timer virtualization
* [PATCH 30/32] KVM: selftests: Test cases for L1 APIC timer virtualization
* [PATCH 31/32] KVM: selftests: Add tests for nVMX to vmx_apic_timer_virt
* [PATCH 32/32] Documentation: KVM: x86: Update documentation of struct vmcs12

and found the following issue:
general protection fault in kvm_sync_apic_virt_timer

Full report is available here:
https://ci.syzbot.org/series/febd2a47-f17d-45ba-954d-44cd44564c81

***

general protection fault in kvm_sync_apic_virt_timer

tree:      kvm-next
URL:       https://kernel.googlesource.com/pub/scm/virt/kvm/kvm/
base:      e89f0e9a0a007e8c3afb8ecd739c0b3255422b00
arch:      amd64
compiler:  Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:    https://ci.syzbot.org/builds/2a120ac0-8f97-4828-b0ef-4e034e7362b8/config
C repro:   https://ci.syzbot.org/findings/e56d47d6-212d-4ddf-a0e9-1bab4ec317ca/c_repro
syz repro: https://ci.syzbot.org/findings/e56d47d6-212d-4ddf-a0e9-1bab4ec317ca/syz_repro

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
CPU: 0 UID: 0 PID: 5989 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:kvm_sync_apic_virt_timer+0x82/0x120 arch/x86/kvm/lapic.c:1871
Code: 00 00 41 8b 2f 89 ee 83 e6 01 31 ff e8 37 68 74 00 40 f6 c5 01 75 64 e8 ec 63 74 00 4c 8d bb 81 00 00 00 4c 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 75 71 41 80 3f 00 74 2f e8 ca 63 74 00 4c 89
RSP: 0018:ffffc90003f96f90 EFLAGS: 00010202
RAX: 0000000000000010 RBX: 0000000000000000 RCX: ffff88817447c980
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff88810435003f R09: 1ffff1102086a007
R10: dffffc0000000000 R11: ffffed102086a008 R12: dffffc0000000000
R13: dffffc0000000000 R14: ffff888104350000 R15: 0000000000000081
FS:  0000555587f08500(0000) GS:ffff88818e328000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000175a26000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 nested_vmx_enter_non_root_mode+0x897/0xaa10 arch/x86/kvm/vmx/nested.c:3751
 nested_vmx_run+0x5fb/0xc30 arch/x86/kvm/vmx/nested.c:3951
 __vmx_handle_exit arch/x86/kvm/vmx/vmx.c:6792 [inline]
 vmx_handle_exit+0xf22/0x1670 arch/x86/kvm/vmx/vmx.c:6802
 vcpu_enter_guest arch/x86/kvm/x86.c:11491 [inline]
 vcpu_run+0x5581/0x76e0 arch/x86/kvm/x86.c:11652
 kvm_arch_vcpu_ioctl_run+0x1010/0x1dc0 arch/x86/kvm/x86.c:11997
 kvm_vcpu_ioctl+0xa62/0xfd0 virt/kvm/kvm_main.c:4492
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f94ddb9acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe0d9bd148 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f94dde15fa0 RCX: 00007f94ddb9acb9
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 00007f94ddc08bf7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f94dde15fac R14: 00007f94dde15fa0 R15: 00007f94dde15fa0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kvm_sync_apic_virt_timer+0x82/0x120 arch/x86/kvm/lapic.c:1871
Code: 00 00 41 8b 2f 89 ee 83 e6 01 31 ff e8 37 68 74 00 40 f6 c5 01 75 64 e8 ec 63 74 00 4c 8d bb 81 00 00 00 4c 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 75 71 41 80 3f 00 74 2f e8 ca 63 74 00 4c 89
RSP: 0018:ffffc90003f96f90 EFLAGS: 00010202
RAX: 0000000000000010 RBX: 0000000000000000 RCX: ffff88817447c980
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff88810435003f R09: 1ffff1102086a007
R10: dffffc0000000000 R11: ffffed102086a008 R12: dffffc0000000000
R13: dffffc0000000000 R14: ffff888104350000 R15: 0000000000000081
FS:  0000555587f08500(0000) GS:ffff88818e328000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000175a26000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	41 8b 2f             	mov    (%r15),%ebp
   5:	89 ee                	mov    %ebp,%esi
   7:	83 e6 01             	and    $0x1,%esi
   a:	31 ff                	xor    %edi,%edi
   c:	e8 37 68 74 00       	call   0x746848
  11:	40 f6 c5 01          	test   $0x1,%bpl
  15:	75 64                	jne    0x7b
  17:	e8 ec 63 74 00       	call   0x746408
  1c:	4c 8d bb 81 00 00 00 	lea    0x81(%rbx),%r15
  23:	4c 89 f8             	mov    %r15,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 20       	movzbl (%rax,%r12,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	75 71                	jne    0xa4
  33:	41 80 3f 00          	cmpb   $0x0,(%r15)
  37:	74 2f                	je     0x68
  39:	e8 ca 63 74 00       	call   0x746408
  3e:	4c                   	rex.WR
  3f:	89                   	.byte 0x89


***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
  Tested-by: syzbot@...kaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@...glegroups.com.
