On Tue, Sep 07, 2021, Hao Sun wrote:
> Hello,
>
> When using Healer to fuzz the latest Linux kernel, the following crash
> was triggered.
>
> HEAD commit: 27151f177827 Merge tag 'perf-tools-for-v5.15-2021-09-04'
> git tree: upstream
> console output:
> https://drive.google.com/file/d/1AauK3Op9WjrF8tZOM0r76XOGMrvgK65e/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1ZMVJ2vNe0EiIEeWNVyrGb7hBdOG5Uj3e/view?usp=sharing
> Similar bug report:
> https://groups.google.com/g/syzkaller-bugs/c/JMQALBa9wVE/m/_Wp1KGYzBwAJ
>
> Sorry, I don't have a reproducer for this crash, hope the symbolized
> report can help.
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Hao Sun <sunhao.th@xxxxxxxxx>
>
> BUG: spinlock bad magic on CPU#3, syz-executor/11945
> lock: 0xffff88813dd00040, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
> CPU: 3 PID: 11945 Comm: syz-executor Not tainted 5.14.0+ #13
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> Call Trace:
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:105
> spin_bug kernel/locking/spinlock_debug.c:77 [inline]
> debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
> do_raw_spin_lock+0x6c/0xc0 kernel/locking/spinlock_debug.c:114
> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
> _raw_spin_lock_irqsave+0x40/0x50 kernel/locking/spinlock.c:162
> srcu_might_be_idle kernel/rcu/srcutree.c:767 [inline]
> synchronize_srcu+0x33/0xf0 kernel/rcu/srcutree.c:1008
> kvm_mmu_uninit_vm+0x18/0x30 arch/x86/kvm/mmu/mmu.c:5585

Likely a known bug[*], KVM doesn't check the return of init_srcu_struct() in
kvm_page_track_init() and explodes when referencing the bad struct.

[*] https://lkml.kernel.org/r/1630376040-20567-1-git-send-email-tcs_kernel@xxxxxxxxxxx

> kvm_arch_destroy_vm+0x225/0x2d0 arch/x86/kvm/x86.c:11277
> kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1060 [inline]
> kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:4486 [inline]
> kvm_dev_ioctl+0x7c7/0xc00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4541
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:874 [inline]
> __se_sys_ioctl fs/ioctl.c:860 [inline]
> __x64_sys_ioctl+0xb6/0x100 fs/ioctl.c:860
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
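As an added illustration, not code from this thread or from KVM: a small userspace C model of the mechanism the reply describes, an srcu_struct whose init_srcu_struct() failure is ignored and which is then handed to synchronize_srcu() during VM teardown, where the spinlock debug check sees the zeroed magic. The model_* names, the magic constant, the zero-filled allocation and the assumption that the fix propagates the init error are all constructs of this example.

```c
/* Userspace model (added example, not kernel code) of the report's failure mode:
 * an srcu_struct whose init_srcu_struct() failed is later handed to
 * synchronize_srcu(), whose first spinlock acquisition trips "spinlock bad magic". */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

#define SPINLOCK_MAGIC 0xdead4eadU /* stands in for the kernel's debug magic */
struct model_spinlock { unsigned int magic; };
struct model_srcu { struct model_spinlock lock; };

/* Stands in for init_srcu_struct(): fails with -ENOMEM when alloc_ok is false. */
static int model_init_srcu_struct(struct model_srcu *s, bool alloc_ok)
{
    if (!alloc_ok)
        return -ENOMEM;            /* struct left as allocated: magic stays 0 */
    s->lock.magic = SPINLOCK_MAGIC;
    return 0;
}

/* Stands in for debug_spin_lock_before(): false means "spinlock bad magic". */
static bool model_spin_lock_checked(const struct model_spinlock *l)
{
    return l->magic == SPINLOCK_MAGIC;
}

/* Stands in for synchronize_srcu(), which locks the struct before anything else. */
static bool model_synchronize_srcu(struct model_srcu *s)
{
    return model_spin_lock_checked(&s->lock);
}

/* Models the init path named in the thread: with check_init_result == false the
 * init return value is ignored (the bug); with true it is propagated (the fix). */
static int model_page_track_init(struct model_srcu *s, bool alloc_ok, bool check_init_result)
{
    int ret = model_init_srcu_struct(s, alloc_ok);
    return check_init_result ? ret : 0;
}

/* Returns true when VM teardown hits the bad-magic check, i.e. the report's crash.
 * Zero-filling the struct mirrors the ".magic: 00000000" in the report. */
bool teardown_trips_bad_magic(bool check_init_result, bool alloc_ok)
{
    struct model_srcu s;
    memset(&s, 0, sizeof(s));
    if (model_page_track_init(&s, alloc_ok, check_init_result))
        return false;              /* error propagated: creation aborts before teardown */
    return !model_synchronize_srcu(&s);
}
```

Only the combination "init failed, return value ignored" reaches the bad-magic check; propagating the error keeps the half-initialised struct away from the teardown path.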