lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Zr-Ydj8FBpiqmY_c@google.com>
Date: Fri, 16 Aug 2024 11:20:38 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: syzbot <syzbot+d8775ae2dbebe5ab16fd@...kaller.appspotmail.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org, pbonzini@...hat.com, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [kvm?] WARNING in kvm_put_kvm

On Mon, Jun 17, 2024, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    2ccbdf43d5e7 Merge tag 'for-linus' of git://git.kernel.org..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1695b7ee980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b8786f381e62940f
> dashboard link: https://syzkaller.appspot.com/bug?extid=d8775ae2dbebe5ab16fd
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/a4edf8b28d7f/disk-2ccbdf43.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/5f9b0fd6168d/vmlinux-2ccbdf43.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/a2c5f918ca4f/bzImage-2ccbdf43.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+d8775ae2dbebe5ab16fd@...kaller.appspotmail.com
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 17017 at kernel/rcu/srcutree.c:653 cleanup_srcu_struct+0x37c/0x520 kernel/rcu/srcutree.c:653
> Modules linked in:
> CPU: 0 PID: 17017 Comm: syz-executor.4 Not tainted 6.10.0-rc3-syzkaller-00044-g2ccbdf43d5e7 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
> RIP: 0010:cleanup_srcu_struct+0x37c/0x520 kernel/rcu/srcutree.c:653
> Code: 83 c4 20 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 0f 0b 90 48 83 c4 20 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 <0f> 0b 90 e9 35 ff ff ff 90 0f 0b 90 48 b8 00 00 00 00 00 fc ff df
> RSP: 0018:ffffc90003567d20 EFLAGS: 00010202
> RAX: 0000000000000001 RBX: ffffc90002d6e000 RCX: 0000000000000002
> RDX: fffff91ffffab294 RSI: 0000000000000008 RDI: ffffe8ffffd59498
> RBP: ffff88805b6c0000 R08: 0000000000000000 R09: fffff91ffffab293
> R10: ffffe8ffffd5949f R11: 0000000000000000 R12: ffffc90002d778a8
> R13: ffffc90002d77880 R14: ffffc90002d77868 R15: 0000000000000004
> FS:  00007fa719dec6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020078000 CR3: 000000006176a000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1351 [inline]
>  kvm_put_kvm+0x8df/0xb80 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1380
>  kvm_vm_release+0x42/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1403
>  __fput+0x408/0xbb0 fs/file_table.c:422
>  task_work_run+0x14e/0x250 kernel/task_work.c:180
>  resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
>  exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
>  exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
>  __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
>  syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218
>  do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f

syzbot reported a rash of KVM cleanup_srcu_struct() splats, and while they suggest
that KVM has a rogue SRCU reader, I strongly suspect that something is/was going
sideways with bcachefs, and KVM is an innocent bystander.  All of the splats have
bcachefs activity shortly before the failure, and syzbot has never managed to find
a reproducer.

If if KVM were at fault, e.g. was accessing SRCU after its freed, I would expect
at least one report to not include bcachefs activity, and I would think we'd have
at least one reproducer.

Furthermore, except for the __timer_delete_sync() splat, all of the issues
mysteriously stopped occuring at roughly the same time, and I definitely don't
recall fixing anything remotely relevant in KVM.

So, I'm going to close all of the stale reports as invalid, and assign the
__timer_delete_sync() to bcachefs, because again there's nothing in there that
suggests KVM is at fault.

        general protection fault in detach_if_pending (3) bcachefs kvm		5	52d	52d	
        general protection fault in get_work_pool (2) kvm			5	59d	59d	
        WARNING in kvm_put_kvm kvm				                14	51d	60d	
        KASAN: wild-memory-access Read in __timer_delete_sync kvm		5	14d	81d	<= ???
        WARNING in srcu_check_nmi_safety kvm				        255	51d	104d	
        WARNING in cleanup_srcu_struct (4) kvm bcachefs				3567	51d	105d	

#syz invalid

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ