On 2018/03/28 16:29, Wanpeng Li wrote:
>> syzbot dashboard link:
>> https://syzkaller.appspot.com/bug?extid=760a73552f47a8cd0fd9
>>
> Maybe the same as this one. https://lkml.org/lkml/2018/3/21/174 Paolo,
> any idea against my analysis?

No progress for 4 years. Did somebody check Wanpeng's analysis?

Since I'm not familiar with KVM, my questions come from a different direction...

syzbot is hitting WARN_ON(vcpu->arch.pio.count || vcpu->mmio_needed) added by
commit 716d51abff06f484 ("KVM: Provide userspace IO exit completion callback")
due to vcpu->mmio_needed == true.

Question 1: what is the intent of checking for vcpu->mmio_needed == false?

If we run a reproducer provided by syzbot, we can observe that
mutex_unlock(&vcpu->mutex) in kvm_vcpu_ioctl() is called with
vcpu->mmio_needed == true.

Question 2: Is kvm_vcpu_ioctl() supposed to leave with vcpu->mmio_needed == false?
In other words, is doing

--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4104,6 +4104,7 @@ static long kvm_vcpu_ioctl(struct file *filp,
 		r = kvm_arch_vcpu_ioctl(filp, ioctl, arg);
 	}
 out:
+	WARN_ON_ONCE(vcpu->mmio_needed);
 	mutex_unlock(&vcpu->mutex);
 	kfree(fpu);
 	kfree(kvm_sregs);

appropriate?
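Review bot: the WARN_ON_ONCE(vcpu->mmio_needed) placed at the out: label is too broad, because out: is the common exit of kvm_vcpu_ioctl() for every ioctl, including a KVM_RUN that returns to userspace precisely so that userspace can service a pending MMIO access; in that path vcpu->mmio_needed is expected to still be set when mutex_unlock(&vcpu->mutex) runs, and the title of the commit quoted above ("userspace IO exit completion callback") describes exactly that hand-off. The check would therefore fire on the first ordinary MMIO exit rather than isolate the syzbot case. The invariant the existing WARN_ON(vcpu->arch.pio.count || vcpu->mmio_needed) guards is narrower (I/O left pending without the completion callback that the quoted commit introduced), so a diagnostic for Question 2 should test that combination at the point where the next KVM_RUN re-enters, not mmio_needed alone at this label. Using WARN_ON_ONCE is fine for a one-shot reproducer run, but note it will not catch a second, different offending path once it has fired.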