lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 7 Sep 2021 15:17:32 +0000
From:   Sean Christopherson <seanjc@...gle.com>
To:     Hao Sun <sunhao.th@...il.com>
Cc:     linux-kernel@...r.kernel.org, bp@...en8.de, hpa@...or.com,
        jmattson@...gle.com, joro@...tes.org, kvm@...r.kernel.org,
        mingo@...hat.com, pbonzini@...hat.com, tglx@...utronix.de,
        vkuznets@...hat.com, wanpengli@...cent.com, x86@...nel.org
Subject: Re: BUG: spinlock bad magic in synchronize_srcu

On Tue, Sep 07, 2021, Hao Sun wrote:
> Hello,
> 
> When using Healer to fuzz the latest Linux kernel, the following crash
> was triggered.
> 
> HEAD commit: 27151f177827 Merge tag 'perf-tools-for-v5.15-2021-09-04'
> git tree: upstream
> console output:
> https://drive.google.com/file/d/1AauK3Op9WjrF8tZOM0r76XOGMrvgK65e/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1ZMVJ2vNe0EiIEeWNVyrGb7hBdOG5Uj3e/view?usp=sharing
> Similar bug report:
> https://groups.google.com/g/syzkaller-bugs/c/JMQALBa9wVE/m/_Wp1KGYzBwAJ
> 
> Sorry, I don't have a reproducer for this crash, hope the symbolized
> report can help.
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Hao Sun <sunhao.th@...il.com>
> 
> BUG: spinlock bad magic on CPU#3, syz-executor/11945
>  lock: 0xffff88813dd00040, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
> CPU: 3 PID: 11945 Comm: syz-executor Not tainted 5.14.0+ #13
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> Call Trace:
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:105
>  spin_bug kernel/locking/spinlock_debug.c:77 [inline]
>  debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
>  do_raw_spin_lock+0x6c/0xc0 kernel/locking/spinlock_debug.c:114
>  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
>  _raw_spin_lock_irqsave+0x40/0x50 kernel/locking/spinlock.c:162
>  srcu_might_be_idle kernel/rcu/srcutree.c:767 [inline]
>  synchronize_srcu+0x33/0xf0 kernel/rcu/srcutree.c:1008
>  kvm_mmu_uninit_vm+0x18/0x30 arch/x86/kvm/mmu/mmu.c:5585


Likely a known bug[*], KVM doesn't check the return of init_srcu_struct() in
kvm_page_track_init() and explodes when referencing the bad struct.

https://lkml.kernel.org/r/1630376040-20567-1-git-send-email-tcs_kernel@tencent.com

>  kvm_arch_destroy_vm+0x225/0x2d0 arch/x86/kvm/x86.c:11277
>  kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1060 [inline]
>  kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:4486 [inline]
>  kvm_dev_ioctl+0x7c7/0xc00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4541
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:874 [inline]
>  __se_sys_ioctl fs/ioctl.c:860 [inline]
>  __x64_sys_ioctl+0xb6/0x100 fs/ioctl.c:860
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ