Just patched it. After dropping the sanity check, I reran the reproducer
program, and the crash was not triggered. Seems like the problem is fixed for
now. Thanks.

Sean Christopherson <seanjc@xxxxxxxxxx> wrote on Fri, 4 Aug 2023 at 04:46:
>
> On Thu, Jul 27, 2023, Yikebaer Aizezi wrote:
> > Hello, I'm sorry for the mistake in my previous email. I forgot to add
> > a subject. This is my second attempt to send the message.
> >
> > When using Healer to fuzz the latest Linux kernel, the following crash
> > was triggered.
> >
> > HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)
> >
> > git tree: upstream
> >
> > console output:
> > https://drive.google.com/file/d/1FiemC_AWRT-6EGscpQJZNzYhXZty6BVr/view?usp=drive_link
> > kernel config: https://drive.google.com/file/d/1fgPLKOw7QbKzhK6ya5KUyKyFhumQgunw/view?usp=drive_link
> > C reproducer: https://drive.google.com/file/d/1SiLpYTZ7Du39ubgf1k1BIPlu9ZvMjiWZ/view?usp=drive_link
> > Syzlang reproducer:
> > https://drive.google.com/file/d/1eWSmwvNGOlZNU-0-xsKhUgZ4WG2VLZL5/view?usp=drive_link
> > Similar report:
> > https://groups.google.com/g/syzkaller-bugs/c/C2ud-S1Thh0/m/z4iI7l_dAgAJ
> >
> > If you fix this issue, please add the following tag to the commit:
> > Reported-by: Yikebaer Aizezi <yikebaer61@xxxxxxxxx>
> >
> > kvm: vcpu 129: requested lapic timer restore with starting count
> > register 0x390=4241646265 (4241646265 ns) > initial count (296265111
> > ns). Using initial count to start timer.
> > ------------[ cut here ]------------
> > WARNING: CPU: 0 PID: 1977 at arch/x86/kvm/x86.c:11098
> > kvm_arch_vcpu_ioctl_run+0x152f/0x1830 arch/x86/kvm/x86.c:11098
>
> Well that's annoying. The WARN is a sanity check that KVM doesn't somehow put
> the guest into an uninitialized state while emulating the guest's APIC timer, but
> I completely overlooked the fact that userspace can simply stuff the
> should-be-impossible guest state.
*sigh* > > Sadly, I think the most reasonable thing to do is to simply drop the sanity check :-( > > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > index 0145d844283b..e9e262b244b8 100644 > --- a/arch/x86/kvm/x86.c > +++ b/arch/x86/kvm/x86.c > @@ -11091,12 +11091,17 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu) > r = -EINTR; > goto out; > } > + > /* > - * It should be impossible for the hypervisor timer to be in > - * use before KVM has ever run the vCPU. > + * Don't bother switching APIC timer emulation from the > + * hypervisor timer to the software timer, the only way for the > + * APIC timer to be active is if userspace stuffed vCPU state, > + * i.e. put the vCPU and into a nonsensical state. The only > + * transition out of UNINITIALIZED (without more state stuffing > + * from userspace) is an INIT, which will reset the local APIC > + * and thus smother the timer anyways, i.e. APIC timer IRQs > + * will be dropped no matter what. > */ > - WARN_ON_ONCE(kvm_lapic_hv_timer_in_use(vcpu)); > - > kvm_vcpu_srcu_read_unlock(vcpu); > kvm_vcpu_block(vcpu); > kvm_vcpu_srcu_read_lock(vcpu); >
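Review bot: stray word in the new comment, "i.e. put the vCPU and into a nonsensical state" should read "i.e. put the vCPU into a nonsensical state". Also, with WARN_ON_ONCE(kvm_lapic_hv_timer_in_use(vcpu)) gone, the comment now sits directly above kvm_vcpu_srcu_read_unlock()/kvm_vcpu_block() and opens by talking about not switching timer emulation; consider leading with the point that a live APIC timer at this spot is reachable from userspace by stuffing vCPU state and is therefore deliberately not warned about, so that a later reader does not reintroduce the check.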
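As an added example (not from this thread and not KVM's own code) of the userspace side of the "state stuffing" Sean describes: the program below creates a VM with an in-kernel APIC, creates vCPU 1 (an AP, which starts UNINITIALIZED and is never run here), and pushes local APIC timer state into it through the public KVM_SET_LAPIC ioctl before any KVM_RUN. Assumptions: the APIC register offsets are the ones from the Intel SDM register map, the LVT vector and divide value are arbitrary choices, the two counts are the numbers printed in the report's log line reused as constructed input (the log prints the second one in ns; here both are treated as raw register counts), and the KVM portion only runs where /dev/kvm and x86 kernel headers are available, otherwise it is skipped. It deliberately stops short of KVM_RUN, so it is not a reproducer; effective_start_count() mirrors the fallback the kernel message describes, nothing more.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/kvm.h>

/* Local APIC register offsets within the APIC page (Intel SDM register map). */
#define APIC_LVTT  0x320u  /* LVT timer entry: vector, mask bit, timer mode */
#define APIC_TMICT 0x380u  /* timer initial count */
#define APIC_TMCCT 0x390u  /* timer current count, the register named in the report */
#define APIC_TDCR  0x3e0u  /* timer divide configuration */

static uint32_t lapic_read(const struct kvm_lapic_state *s, unsigned off)
{
    uint32_t v;
    memcpy(&v, s->regs + off, sizeof v);
    return v;
}

static void lapic_write(struct kvm_lapic_state *s, unsigned off, uint32_t v)
{
    memcpy(s->regs + off, &v, sizeof v);
}

/* Arm a one-shot timer (arbitrary vector 0xec, unmasked, divide-by-1). */
static void stuff_timer(struct kvm_lapic_state *s, uint32_t tmict, uint32_t tmcct)
{
    lapic_write(s, APIC_LVTT, 0xecu);
    lapic_write(s, APIC_TDCR, 0x0bu);
    lapic_write(s, APIC_TMICT, tmict);
    lapic_write(s, APIC_TMCCT, tmcct);
}

/* The fallback the kernel message in the report describes: a restored current
 * count larger than the initial count is nonsensical, so the timer is started
 * from the initial count instead. (Assumed from the log text, not KVM code.) */
static uint32_t effective_start_count(uint32_t tmict, uint32_t tmcct)
{
    return tmcct > tmict ? tmict : tmcct;
}

/* Round-trip check on the register page alone; needs no KVM. */
static int timer_page_roundtrips(uint32_t tmict, uint32_t tmcct)
{
    struct kvm_lapic_state s;
    memset(&s, 0, sizeof s);
    stuff_timer(&s, tmict, tmcct);
    return lapic_read(&s, APIC_TMICT) == tmict &&
           lapic_read(&s, APIC_TMCCT) == tmcct &&
           lapic_read(&s, APIC_TDCR) == 0x0bu &&
           (lapic_read(&s, APIC_LVTT) & 0x10000u) == 0; /* LVT mask bit clear */
}

/* Push timer state into a never-run AP vCPU with KVM_SET_LAPIC and read it
 * back. Returns 0 on success, -1 if /dev/kvm is unavailable or an ioctl fails. */
static int stuff_ap_lapic(uint32_t tmict, uint32_t tmcct, struct kvm_lapic_state *readback)
{
    int ret = -1, kvm, vm = -1, vcpu = -1;
    struct kvm_lapic_state s;

    kvm = open("/dev/kvm", O_RDWR | O_CLOEXEC);
    if (kvm < 0)
        return -1;
    vm = ioctl(kvm, KVM_CREATE_VM, 0);
    if (vm < 0 || ioctl(vm, KVM_CREATE_IRQCHIP, 0) < 0) /* in-kernel LAPIC */
        goto out;
    vcpu = ioctl(vm, KVM_CREATE_VCPU, 1);               /* id 1: not the BSP */
    if (vcpu < 0 || ioctl(vcpu, KVM_GET_LAPIC, &s) < 0)
        goto out;
    stuff_timer(&s, tmict, tmcct);
    if (ioctl(vcpu, KVM_SET_LAPIC, &s) < 0 || ioctl(vcpu, KVM_GET_LAPIC, readback) < 0)
        goto out;
    ret = 0;
out:
    if (vcpu >= 0) close(vcpu);
    if (vm >= 0) close(vm);
    close(kvm);
    return ret;
}

int main(void)
{
    /* Constructed input: the two values from the report's log line. */
    uint32_t tmict = 296265111u, tmcct = 4241646265u;
    struct kvm_lapic_state rb;

    printf("start count KVM would fall back to: %u\n", effective_start_count(tmict, tmcct));
    if (stuff_ap_lapic(tmict, tmcct, &rb) == 0)
        printf("vCPU 1 reports TMICT=%u TMCCT=%u without ever having run\n",
               lapic_read(&rb, APIC_TMICT), lapic_read(&rb, APIC_TMCCT));
    else
        perror("KVM path skipped");
    return 0;
}
```

The point to take from running it on a KVM host is that nothing in the ioctl sequence requires the vCPU to have executed a single instruction: KVM_SET_LAPIC accepts and arms the timer on an UNINITIALIZED AP, which is exactly why the WARN in the thread was reachable from userspace and had to go.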