Oops: general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
CPU: 0 UID: 0 PID: 5989 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:kvm_sync_apic_virt_timer+0x82/0x120 arch/x86/kvm/lapic.c:1871
Code: 00 00 41 8b 2f 89 ee 83 e6 01 31 ff e8 37 68 74 00 40 f6 c5 01 75 64 e8 ec 63 74 00 4c 8d bb 81 00 00 00 4c 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 75 71 41 80 3f 00 74 2f e8 ca 63 74 00 4c 89
RSP: 0018:ffffc90003f96f90 EFLAGS: 00010202
RAX: 0000000000000010 RBX: 0000000000000000 RCX: ffff88817447c980
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff88810435003f R09: 1ffff1102086a007
R10: dffffc0000000000 R11: ffffed102086a008 R12: dffffc0000000000
R13: dffffc0000000000 R14: ffff888104350000 R15: 0000000000000081
FS: 0000555587f08500(0000) GS:ffff88818e328000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000175a26000 CR4: 0000000000352ef0
Call Trace:
 nested_vmx_enter_non_root_mode+0x897/0xaa10 arch/x86/kvm/vmx/nested.c:3751
 nested_vmx_run+0x5fb/0xc30 arch/x86/kvm/vmx/nested.c:3951
 __vmx_handle_exit arch/x86/kvm/vmx/vmx.c:6792 [inline]
 vmx_handle_exit+0xf22/0x1670 arch/x86/kvm/vmx/vmx.c:6802
 vcpu_enter_guest arch/x86/kvm/x86.c:11491 [inline]
 vcpu_run+0x5581/0x76e0 arch/x86/kvm/x86.c:11652
 kvm_arch_vcpu_ioctl_run+0x1010/0x1dc0 arch/x86/kvm/x86.c:11997
 kvm_vcpu_ioctl+0xa62/0xfd0 virt/kvm/kvm_main.c:4492
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f94ddb9acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe0d9bd148 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f94dde15fa0 RCX: 00007f94ddb9acb9
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 00007f94ddc08bf7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f94dde15fac R14: 00007f94dde15fa0 R15: 00007f94dde15fa0
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kvm_sync_apic_virt_timer+0x82/0x120 arch/x86/kvm/lapic.c:1871
Code: 00 00 41 8b 2f 89 ee 83 e6 01 31 ff e8 37 68 74 00 40 f6 c5 01 75 64 e8 ec 63 74 00 4c 8d bb 81 00 00 00 4c 89 f8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 75 71 41 80 3f 00 74 2f e8 ca 63 74 00 4c 89
RSP: 0018:ffffc90003f96f90 EFLAGS: 00010202
RAX: 0000000000000010 RBX: 0000000000000000 RCX: ffff88817447c980
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff88810435003f R09: 1ffff1102086a007
R10: dffffc0000000000 R11: ffffed102086a008 R12: dffffc0000000000
R13: dffffc0000000000 R14: ffff888104350000 R15: 0000000000000081
FS: 0000555587f08500(0000) GS:ffff88818e328000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000175a26000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	41 8b 2f             	mov    (%r15),%ebp
   5:	89 ee                	mov    %ebp,%esi
   7:	83 e6 01             	and    $0x1,%esi
   a:	31 ff                	xor    %edi,%edi
   c:	e8 37 68 74 00       	call   0x746848
  11:	40 f6 c5 01          	test   $0x1,%bpl
  15:	75 64                	jne    0x7b
  17:	e8 ec 63 74 00       	call   0x746408
  1c:	4c 8d bb 81 00 00 00 	lea    0x81(%rbx),%r15
  23:	4c 89 f8             	mov    %r15,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 20       	movzbl (%rax,%r12,1),%eax		<-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	75 71                	jne    0xa4
  33:	41 80 3f 00          	cmpb   $0x0,(%r15)
  37:	74 2f                	je     0x68
  39:	e8 ca 63 74 00       	call   0x746408
  3e:	4c                   	rex.WR
  3f:	89                   	.byte 0x89