Re: WARNING in kvm_arch_vcpu_ioctl_run

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Just patched it, after dropping the sanity check, I rerun the
reproduce program, and the crash was not triggered.
seems like the problem is fixed for now, Thanks

Sean Christopherson <seanjc@xxxxxxxxxx> 于2023年8月4日周五 04:46写道:
>
> On Thu, Jul 27, 2023, Yikebaer Aizezi wrote:
> > Hello, I'm sorry for the mistake in my previous email. I forgot to add
> > a subject. This is my second attempt to send the message.
> >
> > When using Healer to fuzz the latest Linux kernel, the following crash
> > was triggered.
> >
> > HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)
> >
> > git tree: upstream
> >
> > console output:
> > https://drive.google.com/file/d/1FiemC_AWRT-6EGscpQJZNzYhXZty6BVr/view?usp=drive_link
> > kernel config: https://drive.google.com/file/d/1fgPLKOw7QbKzhK6ya5KUyKyFhumQgunw/view?usp=drive_link
> > C reproducer: https://drive.google.com/file/d/1SiLpYTZ7Du39ubgf1k1BIPlu9ZvMjiWZ/view?usp=drive_link
> > Syzlang reproducer:
> > https://drive.google.com/file/d/1eWSmwvNGOlZNU-0-xsKhUgZ4WG2VLZL5/view?usp=drive_link
> > Similar report:
> > https://groups.google.com/g/syzkaller-bugs/c/C2ud-S1Thh0/m/z4iI7l_dAgAJ
> >
> > If you fix this issue, please add the following tag to the commit:
> > Reported-by: Yikebaer Aizezi <yikebaer61@xxxxxxxxx>
> >
> > kvm: vcpu 129: requested lapic timer restore with starting count
> > register 0x390=4241646265 (4241646265 ns) > initial count (296265111
> > ns). Using initial count to start timer.
> > ------------[ cut here ]------------
> > WARNING: CPU: 0 PID: 1977 at arch/x86/kvm/x86.c:11098
> > kvm_arch_vcpu_ioctl_run+0x152f/0x1830 arch/x86/kvm/x86.c:11098
>
> Well that's annoying.  The WARN is a sanity check that KVM doesn't somehow put
> the guest into an uninitialized state while emulating the guest's APIC timer, but
> I completely overlooked the fact that userspace can simply stuff the should-be-
> impossible guest state. *sigh*
>
> Sadly, I think the most reasonable thing to do is to simply drop the sanity check :-(
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 0145d844283b..e9e262b244b8 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -11091,12 +11091,17 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu)
>                         r = -EINTR;
>                         goto out;
>                 }
> +
>                 /*
> -                * It should be impossible for the hypervisor timer to be in
> -                * use before KVM has ever run the vCPU.
> +                * Don't bother switching APIC timer emulation from the
> +                * hypervisor timer to the software timer, the only way for the
> +                * APIC timer to be active is if userspace stuffed vCPU state,
> +                * i.e. put the vCPU and into a nonsensical state.  The only
> +                * transition out of UNINITIALIZED (without more state stuffing
> +                * from userspace) is an INIT, which will reset the local APIC
> +                * and thus smother the timer anyways, i.e. APIC timer IRQs
> +                * will be dropped no matter what.
>                  */
> -               WARN_ON_ONCE(kvm_lapic_hv_timer_in_use(vcpu));
> -
>                 kvm_vcpu_srcu_read_unlock(vcpu);
>                 kvm_vcpu_block(vcpu);
>                 kvm_vcpu_srcu_read_lock(vcpu);
>




[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux