Re: BUG: spinlock bad magic in synchronize_srcu

On Tue, Sep 07, 2021, Hao Sun wrote:
> Hello,
> 
> When using Healer to fuzz the latest Linux kernel, the following crash
> was triggered.
> 
> HEAD commit: 27151f177827 Merge tag 'perf-tools-for-v5.15-2021-09-04'
> git tree: upstream
> console output:
> https://drive.google.com/file/d/1AauK3Op9WjrF8tZOM0r76XOGMrvgK65e/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1ZMVJ2vNe0EiIEeWNVyrGb7hBdOG5Uj3e/view?usp=sharing
> Similar bug report:
> https://groups.google.com/g/syzkaller-bugs/c/JMQALBa9wVE/m/_Wp1KGYzBwAJ
> 
> Sorry, I don't have a reproducer for this crash, hope the symbolized
> report can help.
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Hao Sun <sunhao.th@xxxxxxxxx>
> 
> BUG: spinlock bad magic on CPU#3, syz-executor/11945
>  lock: 0xffff88813dd00040, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
> CPU: 3 PID: 11945 Comm: syz-executor Not tainted 5.14.0+ #13
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> Call Trace:
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:105
>  spin_bug kernel/locking/spinlock_debug.c:77 [inline]
>  debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
>  do_raw_spin_lock+0x6c/0xc0 kernel/locking/spinlock_debug.c:114
>  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
>  _raw_spin_lock_irqsave+0x40/0x50 kernel/locking/spinlock.c:162
>  srcu_might_be_idle kernel/rcu/srcutree.c:767 [inline]
>  synchronize_srcu+0x33/0xf0 kernel/rcu/srcutree.c:1008
>  kvm_mmu_uninit_vm+0x18/0x30 arch/x86/kvm/mmu/mmu.c:5585


Likely a known bug[*]: KVM doesn't check the return of init_srcu_struct() in
kvm_page_track_init() and explodes when referencing the bad struct.

https://lkml.kernel.org/r/1630376040-20567-1-git-send-email-tcs_kernel@xxxxxxxxxxx

>  kvm_arch_destroy_vm+0x225/0x2d0 arch/x86/kvm/x86.c:11277
>  kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1060 [inline]
>  kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:4486 [inline]
>  kvm_dev_ioctl+0x7c7/0xc00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4541
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:874 [inline]
>  __se_sys_ioctl fs/ioctl.c:860 [inline]
>  __x64_sys_ioctl+0xb6/0x100 fs/ioctl.c:860
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
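The failure mode described in the reply, reduced to a user-space model as an added example (this is not kernel code and not from the thread): init_lock(), destroy_vm() and simulate() are constructed stand-ins for init_srcu_struct(), the kvm_mmu_uninit_vm() teardown path and the KVM create/destroy sequence, and the magic value is constructed.

```c
/* Added example, not kernel code: a user-space model of the pattern in the
 * report. init_lock() stands in for init_srcu_struct(), which can fail and
 * then leaves the lock's debug magic unset; destroy_vm() stands in for the
 * kvm_mmu_uninit_vm() path that later touches that lock. */
#include <stdbool.h>
#include <stdlib.h>

#define LOCK_MAGIC 0xdead4eadU  /* constructed magic, like the spinlock one */

struct lock_model { unsigned int magic; void *backing; };
struct vm_model   { struct lock_model track_srcu; };

/* Returns 0 on success, -1 on allocation failure (magic stays 0). */
static int init_lock(struct lock_model *l, bool alloc_fails)
{
    l->magic = 0;
    l->backing = alloc_fails ? NULL : malloc(64);
    if (!l->backing)
        return -1;
    l->magic = LOCK_MAGIC;
    return 0;
}

/* Teardown: 0 if the lock passed its magic check and was released,
 * -1 where the kernel's debug_spin_lock_before() would report bad magic. */
static int destroy_vm(struct vm_model *vm)
{
    if (vm->track_srcu.magic != LOCK_MAGIC)
        return -1;
    free(vm->track_srcu.backing);
    vm->track_srcu.magic = 0;
    return 0;
}

/* Outcomes: OK = created and destroyed cleanly, INIT_FAILED = the init error
 * was propagated so teardown never ran, BAD_MAGIC = teardown hit a bad lock. */
enum { OK = 0, INIT_FAILED = 1, BAD_MAGIC = 2 };

/* check_init == false reproduces the unchecked-return bug from the report;
 * check_init == true is the fix: fail VM creation instead of continuing. */
static int simulate(bool alloc_fails, bool check_init)
{
    struct vm_model vm = { { 0, NULL } };
    int r = init_lock(&vm.track_srcu, alloc_fails);
    if (check_init && r)
        return INIT_FAILED;
    return destroy_vm(&vm) ? BAD_MAGIC : OK;
}
```

The only scenario that reaches the bad-magic path is the one where allocation fails and the caller drops the init result, which is exactly the combination the splat shows.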


