subject:"general protection fault in start

Re: general protection fault in start_creating

2020-06-05 Thread Paolo Bonzini

On 05/06/20 15:38, Vitaly Kuznetsov wrote:
> 
> I think what happens here is one thread does kvm_vm_ioctl_create_vcpu()
> and another tries to delete the VM. The problem was probably present
> even before the commit as both kvm_create_vcpu_debugfs() and
> kvm_destroy_vm_debugfs() happen outside of kvm_lock but maybe it was
> harder to trigger.

I think it wasn't, because:

- you cannot reach kvm_vcpu_release before you have created the file
descriptor, and the patch moved debugfs creation after creation of
the file descriptor

- on the other hand you cannot reach kvm_vm_release during KVM_CREATE_VCPU,
so you cannot reach kvm_destroy_vm either (because the VM file descriptor
holds a reference).  So the bug can only occur for things that are touched
by kvm_vcpu_release, and that is only the debugfs dentry.

I have a patch for this already, which is simply removing the 
debugfs_remove_recursive call in kvm_vcpu_release, but I have forgotten to
send it.  What you have below could work but i don't see a good reason to
put things under kvm->lock.

Paolo

> I think what happens here is one thread does kvm_vm_ioctl_create_vcpu()
> and another tries to delete the VM. The problem was probably present
> even before the commit as both kvm_create_vcpu_debugfs() and
> kvm_destroy_vm_debugfs() happen outside of kvm_lock but maybe it was
> harder to trigger. Is there a reason to not put all this under kvm_lock?
> I.e. the following:
> 
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 7fa1e38e1659..d53784cb920f 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -793,9 +793,9 @@ static void kvm_destroy_vm(struct kvm *kvm)
> struct mm_struct *mm = kvm->mm;
>  
> kvm_uevent_notify_change(KVM_EVENT_DESTROY_VM, kvm);
> -   kvm_destroy_vm_debugfs(kvm);
> kvm_arch_sync_events(kvm);
> mutex_lock(&kvm_lock);
> +   kvm_destroy_vm_debugfs(kvm);
> list_del(&kvm->vm_list);
> mutex_unlock(&kvm_lock);
> kvm_arch_pre_destroy_vm(kvm);
> @@ -3084,9 +3084,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, 
> u32 id)
> smp_wmb();
> atomic_inc(&kvm->online_vcpus);
>  
> +   kvm_create_vcpu_debugfs(vcpu);
> mutex_unlock(&kvm->lock);
> kvm_arch_vcpu_postcreate(vcpu);
> -   kvm_create_vcpu_debugfs(vcpu);
> return r;
>  
>  unlock_vcpu_destroy:
> 
> should probably do. The reproducer doesn't work for me (or just takes
> too long so I gave up), unfortunately. Or I may have misunderstood
> everything

Re: general protection fault in start_creating

2020-06-05 Thread Vitaly Kuznetsov

syzbot  writes:

> syzbot has found a reproducer for the following crash on:
>
> HEAD commit:cb8e59cc Merge git://git.kernel.org/pub/scm/linux/kernel/g..
> git tree:   upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=170f49de10
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a16ddbc78955e3a9
> dashboard link: https://syzkaller.appspot.com/bug?extid=705f4401d5a93a59b87d
> compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1367410e10
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e07e0e10
>
> The bug was bisected to:
>
> commit 63d04348371b7ea4a134bcf47c79763d969e9168
> Author: Paolo Bonzini 
> Date:   Tue Mar 31 22:42:22 2020 +
>
> KVM: x86: move kvm_create_vcpu_debugfs after last failure point
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1366069a10
> final crash:https://syzkaller.appspot.com/x/report.txt?x=10e6069a10
> console output: https://syzkaller.appspot.com/x/log.txt?x=1766069a10
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+705f4401d5a93a59b...@syzkaller.appspotmail.com
> Fixes: 63d04348371b ("KVM: x86: move kvm_create_vcpu_debugfs after last 
> failure point")
>
> general protection fault, probably for non-canonical address 
> 0xdc2a:  [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0150-0x0157]
> CPU: 0 PID: 19367 Comm: syz-executor088 Not tainted 5.7.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS 
> Google 01/01/2011
> RIP: 0010:__lock_acquire+0xe1b/0x4a70 kernel/locking/lockdep.c:4250
> Code: 91 0a 41 be 01 00 00 00 0f 86 ce 0b 00 00 89 05 4b 9a 91 0a e9 c3 0b 00 
> 00 48 b8 00 00 00 00 00 fc ff df 4c 89 d2 48 c1 ea 03 <80> 3c 02 00 0f 85 57 
> 2e 00 00 49 81 3a c0 74 c0 8b 0f 84 b0 f2 ff
> RSP: 0018:c90004b477b8 EFLAGS: 00010002
> RAX: dc00 RBX: 0001 RCX: 
> RDX: 002a RSI:  RDI: 0150
> RBP: 0001 R08: 0001 R09: 
> R10: 0150 R11: 0001 R12: 
> R13: 8880a77c2200 R14:  R15: 
> FS:  7f9f3c6e5700() GS:8880ae60() knlGS:
> CS:  0010 DS:  ES:  CR0: 80050033
> CR2: 004d5bb0 CR3: 821f9000 CR4: 001426f0
> DR0:  DR1:  DR2: 
> DR3:  DR6: fffe0ff0 DR7: 0400
> Call Trace:
>  lock_acquire+0x1f2/0x8f0 kernel/locking/lockdep.c:4959
>  down_write+0x8d/0x150 kernel/locking/rwsem.c:1531
>  inode_lock include/linux/fs.h:799 [inline]
>  start_creating+0xa8/0x250 fs/debugfs/inode.c:334
>  __debugfs_create_file+0x62/0x400 fs/debugfs/inode.c:383
>  kvm_arch_create_vcpu_debugfs+0x9f/0x200 arch/x86/kvm/debugfs.c:52
>  kvm_create_vcpu_debugfs arch/x86/kvm/../../../virt/kvm/kvm_main.c:3012 
> [inline]

...

I think what happens here is one thread does kvm_vm_ioctl_create_vcpu()
and another tries to delete the VM. The problem was probably present
even before the commit as both kvm_create_vcpu_debugfs() and
kvm_destroy_vm_debugfs() happen outside of kvm_lock but maybe it was
harder to trigger. Is there a reason to not put all this under kvm_lock?
I.e. the following:

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 7fa1e38e1659..d53784cb920f 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -793,9 +793,9 @@ static void kvm_destroy_vm(struct kvm *kvm)
struct mm_struct *mm = kvm->mm;
 
kvm_uevent_notify_change(KVM_EVENT_DESTROY_VM, kvm);
-   kvm_destroy_vm_debugfs(kvm);
kvm_arch_sync_events(kvm);
mutex_lock(&kvm_lock);
+   kvm_destroy_vm_debugfs(kvm);
list_del(&kvm->vm_list);
mutex_unlock(&kvm_lock);
kvm_arch_pre_destroy_vm(kvm);
@@ -3084,9 +3084,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 
id)
smp_wmb();
atomic_inc(&kvm->online_vcpus);
 
+   kvm_create_vcpu_debugfs(vcpu);
mutex_unlock(&kvm->lock);
kvm_arch_vcpu_postcreate(vcpu);
-   kvm_create_vcpu_debugfs(vcpu);
return r;
 
 unlock_vcpu_destroy:

should probably do. The reproducer doesn't work for me (or just takes
too long so I gave up), unfortunately. Or I may have misunderstood
everything :-)

-- 
Vitaly

Re: general protection fault in start_creating

2020-06-04 Thread syzbot

syzbot has found a reproducer for the following crash on:

HEAD commit:cb8e59cc Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=170f49de10
kernel config:  https://syzkaller.appspot.com/x/.config?x=a16ddbc78955e3a9
dashboard link: https://syzkaller.appspot.com/bug?extid=705f4401d5a93a59b87d
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1367410e10
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e07e0e10

The bug was bisected to:

commit 63d04348371b7ea4a134bcf47c79763d969e9168
Author: Paolo Bonzini 
Date:   Tue Mar 31 22:42:22 2020 +

KVM: x86: move kvm_create_vcpu_debugfs after last failure point

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1366069a10
final crash:https://syzkaller.appspot.com/x/report.txt?x=10e6069a10
console output: https://syzkaller.appspot.com/x/log.txt?x=1766069a10

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+705f4401d5a93a59b...@syzkaller.appspotmail.com
Fixes: 63d04348371b ("KVM: x86: move kvm_create_vcpu_debugfs after last failure 
point")

general protection fault, probably for non-canonical address 
0xdc2a:  [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0150-0x0157]
CPU: 0 PID: 19367 Comm: syz-executor088 Not tainted 5.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:__lock_acquire+0xe1b/0x4a70 kernel/locking/lockdep.c:4250
Code: 91 0a 41 be 01 00 00 00 0f 86 ce 0b 00 00 89 05 4b 9a 91 0a e9 c3 0b 00 
00 48 b8 00 00 00 00 00 fc ff df 4c 89 d2 48 c1 ea 03 <80> 3c 02 00 0f 85 57 2e 
00 00 49 81 3a c0 74 c0 8b 0f 84 b0 f2 ff
RSP: 0018:c90004b477b8 EFLAGS: 00010002
RAX: dc00 RBX: 0001 RCX: 
RDX: 002a RSI:  RDI: 0150
RBP: 0001 R08: 0001 R09: 
R10: 0150 R11: 0001 R12: 
R13: 8880a77c2200 R14:  R15: 
FS:  7f9f3c6e5700() GS:8880ae60() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 004d5bb0 CR3: 821f9000 CR4: 001426f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 lock_acquire+0x1f2/0x8f0 kernel/locking/lockdep.c:4959
 down_write+0x8d/0x150 kernel/locking/rwsem.c:1531
 inode_lock include/linux/fs.h:799 [inline]
 start_creating+0xa8/0x250 fs/debugfs/inode.c:334
 __debugfs_create_file+0x62/0x400 fs/debugfs/inode.c:383
 kvm_arch_create_vcpu_debugfs+0x9f/0x200 arch/x86/kvm/debugfs.c:52
 kvm_create_vcpu_debugfs arch/x86/kvm/../../../virt/kvm/kvm_main.c:3012 [inline]
 kvm_vm_ioctl_create_vcpu arch/x86/kvm/../../../virt/kvm/kvm_main.c:3089 
[inline]
 kvm_vm_ioctl+0x1c0b/0x2440 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3617
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:771
 __do_sys_ioctl fs/ioctl.c:780 [inline]
 __se_sys_ioctl fs/ioctl.c:778 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:778
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x44e5d9
Code: e8 7c e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
1b 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f9f3c6e4ce8 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 006eaa08 RCX: 0044e5d9
RDX:  RSI: ae41 RDI: 0004
RBP: 006eaa00 R08:  R09: 
R10:  R11: 0246 R12: 006eaa0c
R13: 7ffe67678f9f R14: 7f9f3c6e59c0 R15: 20c49ba5e353f7cf
Modules linked in:
---[ end trace b7d92d5fd0bd5c5f ]---
RIP: 0010:__lock_acquire+0xe1b/0x4a70 kernel/locking/lockdep.c:4250
Code: 91 0a 41 be 01 00 00 00 0f 86 ce 0b 00 00 89 05 4b 9a 91 0a e9 c3 0b 00 
00 48 b8 00 00 00 00 00 fc ff df 4c 89 d2 48 c1 ea 03 <80> 3c 02 00 0f 85 57 2e 
00 00 49 81 3a c0 74 c0 8b 0f 84 b0 f2 ff
RSP: 0018:c90004b477b8 EFLAGS: 00010002
RAX: dc00 RBX: 0001 RCX: 
RDX: 002a RSI:  RDI: 0150
RBP: 0001 R08: 0001 R09: 
R10: 0150 R11: 0001 R12: 
R13: 8880a77c2200 R14:  R15: 
FS:  7f9f3c6e5700() GS:8880ae60() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 004d5bb0 CR3: 821f9000 CR4: 001426f0
DR0:  DR1:  DR2: 0

general protection fault in start_creating

2020-05-26 Thread syzbot

Hello,

syzbot found the following crash on:

HEAD commit:c11d28ab Add linux-next specific files for 20200522
git tree:   linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1135d53c10
kernel config:  https://syzkaller.appspot.com/x/.config?x=3f6dbdea4159fb66
dashboard link: https://syzkaller.appspot.com/bug?extid=705f4401d5a93a59b87d
compiler:   gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=110448d210

The bug was bisected to:

commit 63d04348371b7ea4a134bcf47c79763d969e9168
Author: Paolo Bonzini 
Date:   Tue Mar 31 22:42:22 2020 +

KVM: x86: move kvm_create_vcpu_debugfs after last failure point

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1366069a10
final crash:https://syzkaller.appspot.com/x/report.txt?x=10e6069a10
console output: https://syzkaller.appspot.com/x/log.txt?x=1766069a10

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+705f4401d5a93a59b...@syzkaller.appspotmail.com
Fixes: 63d04348371b ("KVM: x86: move kvm_create_vcpu_debugfs after last failure 
point")

general protection fault, probably for non-canonical address 
0xdc2a:  [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0150-0x0157]
CPU: 0 PID: 8143 Comm: syz-executor.0 Not tainted 
5.7.0-rc6-next-20200522-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
01/01/2011
RIP: 0010:__lock_acquire+0xe1b/0x48a0 kernel/locking/lockdep.c:4250
Code: b6 0a 41 be 01 00 00 00 0f 86 ce 0b 00 00 89 05 ab 87 b6 0a e9 c3 0b 00 
00 48 b8 00 00 00 00 00 fc ff df 4c 89 d2 48 c1 ea 03 <80> 3c 02 00 0f 85 e5 2c 
00 00 49 81 3a 40 75 e5 8b 0f 84 b0 f2 ff
RSP: 0018:c900043cf7b8 EFLAGS: 00010002
RAX: dc00 RBX: 0001 RCX: 
RDX: 002a RSI:  RDI: 0150
RBP: 0001 R08: 0001 R09: 
R10: 0150 R11: 0001 R12: 
R13: 8880966f8240 R14:  R15: 
FS:  7f6300c10700() GS:8880ae60() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f6300bcbdb8 CR3: 92f4d000 CR4: 001426f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 0400
Call Trace:
 lock_acquire+0x1f2/0x8f0 kernel/locking/lockdep.c:4959
 down_write+0x8d/0x150 kernel/locking/rwsem.c:1531
 inode_lock include/linux/fs.h:801 [inline]
 start_creating+0xa8/0x250 fs/debugfs/inode.c:334
 __debugfs_create_file+0x62/0x400 fs/debugfs/inode.c:383
 kvm_arch_create_vcpu_debugfs+0x9f/0x200 arch/x86/kvm/debugfs.c:52
 kvm_create_vcpu_debugfs arch/x86/kvm/../../../virt/kvm/kvm_main.c:2998 [inline]
 kvm_vm_ioctl_create_vcpu arch/x86/kvm/../../../virt/kvm/kvm_main.c:3075 
[inline]
 kvm_vm_ioctl+0x1c28/0x2460 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3603
 vfs_ioctl fs/ioctl.c:48 [inline]
 ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
 __do_sys_ioctl fs/ioctl.c:762 [inline]
 __se_sys_ioctl fs/ioctl.c:760 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ca29
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 
db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:7f6300c0fc78 EFLAGS: 0246 ORIG_RAX: 0010
RAX: ffda RBX: 004e73c0 RCX: 0045ca29
RDX:  RSI: ae41 RDI: 0005
RBP: 0078bf00 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 0396 R14: 004c62c6 R15: 7f6300c106d4
Modules linked in:
---[ end trace b2ea4e12631736e7 ]---
RIP: 0010:__lock_acquire+0xe1b/0x48a0 kernel/locking/lockdep.c:4250
Code: b6 0a 41 be 01 00 00 00 0f 86 ce 0b 00 00 89 05 ab 87 b6 0a e9 c3 0b 00 
00 48 b8 00 00 00 00 00 fc ff df 4c 89 d2 48 c1 ea 03 <80> 3c 02 00 0f 85 e5 2c 
00 00 49 81 3a 40 75 e5 8b 0f 84 b0 f2 ff
RSP: 0018:c900043cf7b8 EFLAGS: 00010002
RAX: dc00 RBX: 0001 RCX: 
RDX: 002a RSI:  RDI: 0150
RBP: 0001 R08: 0001 R09: 
R10: 0150 R11: 0001 R12: 
R13: 8880966f8240 R14:  R15: 
FS:  7f6300c10700() GS:8880ae60() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 7f6300bcbdb8 CR3: 92f4d000 CR4: 001426f0
DR0:  DR1:  DR2: 
DR3:  DR6: fffe0ff0 DR7: 000

Re: general protection fault in start_creating

Re: general protection fault in start_creating

Re: general protection fault in start_creating

general protection fault in start_creating

4 matches

Site Navigation

Mail list logo

Footer information