Message-ID: <20250910000310.6672-1-hdanton@sina.com>
Date: Wed, 10 Sep 2025 08:03:09 +0800
From: Hillf Danton <hdanton@...a.com>
To: syzbot <syzbot+cef594105ac7e60c6d93@...kaller.appspotmail.com>
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [kvmarm?] [kvm?] WARNING: locking bug in vgic_put_irq

> Date: Mon, 25 Aug 2025 14:08:41 -0700
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    7b8346bd9fce KVM: arm64: Don't attempt vLPI mappings when ..
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
> console output: https://syzkaller.appspot.com/x/log.txt?x=17b4e862580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=7c53d3478750eda0
> dashboard link: https://syzkaller.appspot.com/bug?extid=cef594105ac7e60c6d93
> compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> userspace arch: arm64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15860634580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1074e862580000

#syz test

--- x/arch/arm64/kvm/vgic/vgic.c
+++ y/arch/arm64/kvm/vgic/vgic.c
@@ -146,20 +146,25 @@ void vgic_flush_pending_lpis(struct kvm_
 	struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu;
 	struct vgic_irq *irq, *tmp;
 	unsigned long flags;
+	LIST_HEAD(head);
 
 	raw_spin_lock_irqsave(&vgic_cpu->ap_list_lock, flags);
 
 	list_for_each_entry_safe(irq, tmp, &vgic_cpu->ap_list_head, ap_list) {
 		if (irq->intid >= VGIC_MIN_LPI) {
 			raw_spin_lock(&irq->irq_lock);
-			list_del(&irq->ap_list);
+			list_move(&irq->ap_list, &head);
 			irq->vcpu = NULL;
 			raw_spin_unlock(&irq->irq_lock);
-			vgic_put_irq(vcpu->kvm, irq);
 		}
 	}
 
 	raw_spin_unlock_irqrestore(&vgic_cpu->ap_list_lock, flags);
+
+	list_for_each_entry_safe(irq, tmp, &head, ap_list) {
+		list_del(&irq->ap_list);
+		vgic_put_irq(vcpu->kvm, irq);
+	}
 }
 
 void vgic_irq_set_phys_pending(struct vgic_irq *irq, bool pending)
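
Review bot: the new second loop calls list_del(&irq->ap_list) with neither vgic_cpu->ap_list_lock nor irq->irq_lock held, while the first loop only touches the same node under both locks. Between the unlock and the second loop each moved irq sits on the on-stack list with irq->vcpu already NULL, so any path that treats vcpu == NULL as "not on an ap_list" could modify irq->ap_list concurrently. Either take irq->irq_lock around the list_del (dropping it before vgic_put_irq), or add a comment stating why no other context can reach these entries at this point. The mail also carries no explanation of why vgic_put_irq has to run after raw_spin_unlock_irqrestore; a one-line comment above the second loop naming the lock ordering problem would make the deferral self-documenting.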
--
