Message-ID: <CANypQFay9zbp9k0AHpfpm1OJ_shKiLZSmhMjCKFQhnhnuJQr0w@mail.gmail.com>
Date: Wed, 27 Aug 2025 16:56:58 +0800
From: Jiaming Zhang <r772577952@...il.com>
To: kvm@...r.kernel.org
Cc: pbonzini@...hat.com, Sean Christopherson <seanjc@...gle.com>, linux-kernel@...r.kernel.org, 
	syzkaller@...glegroups.com
Subject: [BUG?] KVM: Unexpected KVM_CREATE_VCPU failure with EBADF

Hello KVM maintainers and developers,

We are writing to report a potential bug discovered in the KVM
subsystem with our modified syzkaller. The issue is that a
KVM_CREATE_VCPU ioctl call can fail with EBADF on a valid VM file
descriptor.

The attached C program (repro.c) sets up a high-concurrency
environment by forking multiple processes, each running the test logic
in a loop. In the core test function (syz_func), it sequentially
creates two VMs and then attempts to create one VCPU for each.
Intermittently, one of the two KVM_CREATE_VCPU calls fails, returning
-1 and setting errno to 9 (EBADF).

The VM file descriptor (vm_fd1/vm_fd2) passed to KVM_CREATE_VCPU was
just successfully returned by a KVM_CREATE_VM ioctl within the same
thread. An EBADF error in this context is unexpected. In addition, the
threading model of the test code ensures that the creation and use of
these file descriptors happen sequentially within a single thread,
ruling out a user-space race condition where another thread could have
closed the file descriptor prematurely.

This issue was first found on v6.1.147 (commit
3594f306da129190de25938b823f353ef7f9e322), and is still reproducible
on the latest version (v6.17-rc3, commit
1b237f190eb3d36f52dffe07a40b5eb210280e00).

Other environmental information:
- Architecture: x86_64
- Distribution: Ubuntu 22.04

The complete C code that triggers this issue and the .config file used
for Linux Kernel v6.1.147 and v6.17-rc3 compilation are attached.

Thank you for your time and for your incredible work on KVM. We hope
this report is helpful. Please let me know if any further information
is required.

Best regards,
Jiaming Zhang

Attachments:
- repro.c (text/plain, 91092 bytes)
- v6.17-rc3.config (application/xml, 262732 bytes)
- v6.1.147.config (application/xml, 242484 bytes)
