Re: BUG: spinlock bad magic in synchronize_srcu

From: Sean Christopherson
Date: Tue Sep 07 2021 - 11:17:42 EST

Next message: Jan Engelhardt: "Re: [PATCH net v2] net: netfilter: Fix port selection of FTP for NF_NAT_RANGE_PROTO_SPECIFIED"
Previous message: Tvrtko Ursulin: "Re: [Intel-gfx] [PATCH v7 3/8] i915/gvt: use DEFINE_DYNAMIC_DEBUG_CATEGORIES to create "gvt:core:" etc categories"
In reply to: Hao Sun: "BUG: spinlock bad magic in synchronize_srcu"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Sep 07, 2021, Hao Sun wrote:
> Hello,
>
> When using Healer to fuzz the latest Linux kernel, the following crash
> was triggered.
>
> HEAD commit: 27151f177827 Merge tag 'perf-tools-for-v5.15-2021-09-04'
> git tree: upstream
> console output:
> https://drive.google.com/file/d/1AauK3Op9WjrF8tZOM0r76XOGMrvgK65e/view?usp=sharing
> kernel config: https://drive.google.com/file/d/1ZMVJ2vNe0EiIEeWNVyrGb7hBdOG5Uj3e/view?usp=sharing
> Similar bug report:
> https://groups.google.com/g/syzkaller-bugs/c/JMQALBa9wVE/m/_Wp1KGYzBwAJ
>
> Sorry, I don't have a reproducer for this crash, hope the symbolized
> report can help.
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Hao Sun <sunhao.th@xxxxxxxxx>
>
> BUG: spinlock bad magic on CPU#3, syz-executor/11945
> lock: 0xffff88813dd00040, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
> CPU: 3 PID: 11945 Comm: syz-executor Not tainted 5.14.0+ #13
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> Call Trace:
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:105
> spin_bug kernel/locking/spinlock_debug.c:77 [inline]
> debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline]
> do_raw_spin_lock+0x6c/0xc0 kernel/locking/spinlock_debug.c:114
> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
> _raw_spin_lock_irqsave+0x40/0x50 kernel/locking/spinlock.c:162
> srcu_might_be_idle kernel/rcu/srcutree.c:767 [inline]
> synchronize_srcu+0x33/0xf0 kernel/rcu/srcutree.c:1008
> kvm_mmu_uninit_vm+0x18/0x30 arch/x86/kvm/mmu/mmu.c:5585

Likely a known bug[*], KVM doesn't check the return of init_srcu_struct() in
kvm_page_track_init() and explodes when referencing the bad struct.

https://lkml.kernel.org/r/1630376040-20567-1-git-send-email-tcs_kernel@xxxxxxxxxxx

> kvm_arch_destroy_vm+0x225/0x2d0 arch/x86/kvm/x86.c:11277
> kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1060 [inline]
> kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:4486 [inline]
> kvm_dev_ioctl+0x7c7/0xc00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4541
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:874 [inline]
> __se_sys_ioctl fs/ioctl.c:860 [inline]
> __x64_sys_ioctl+0xb6/0x100 fs/ioctl.c:860
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae

Next message: Jan Engelhardt: "Re: [PATCH net v2] net: netfilter: Fix port selection of FTP for NF_NAT_RANGE_PROTO_SPECIFIED"
Previous message: Tvrtko Ursulin: "Re: [Intel-gfx] [PATCH v7 3/8] i915/gvt: use DEFINE_DYNAMIC_DEBUG_CATEGORIES to create "gvt:core:" etc categories"
In reply to: Hao Sun: "BUG: spinlock bad magic in synchronize_srcu"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]