Re: WARNING in kvm_arch_vcpu_ioctl_run

[Sean Christopherson <seanjc@google.com>]

On Thu, Jul 27, 2023, Yikebaer Aizezi wrote:
> Hello, I'm sorry for the mistake in my previous email. I forgot to add
> a subject. This is my second attempt to send the message.
> 
> When using Healer to fuzz the latest Linux kernel, the following crash
> was triggered.
> 
> HEAD commit: fdf0eaf11452d72945af31804e2a1048ee1b574c (tag: v6.5-rc2)
> 
> git tree: upstream
> 
> console output:
> https://drive.google.com/file/d/1FiemC_AWRT-6EGscpQJZNzYhXZty6BVr/view?usp=drive_link
> kernel config: https://drive.google.com/file/d/1fgPLKOw7QbKzhK6ya5KUyKyFhumQgunw/view?usp=drive_link
> C reproducer: https://drive.google.com/file/d/1SiLpYTZ7Du39ubgf1k1BIPlu9ZvMjiWZ/view?usp=drive_link
> Syzlang reproducer:
> https://drive.google.com/file/d/1eWSmwvNGOlZNU-0-xsKhUgZ4WG2VLZL5/view?usp=drive_link
> Similar report:
> https://groups.google.com/g/syzkaller-bugs/c/C2ud-S1Thh0/m/z4iI7l_dAgAJ
> 
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>
> 
> kvm: vcpu 129: requested lapic timer restore with starting count
> register 0x390=4241646265 (4241646265 ns) > initial count (296265111
> ns). Using initial count to start timer.
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 1977 at arch/x86/kvm/x86.c:11098
> kvm_arch_vcpu_ioctl_run+0x152f/0x1830 arch/x86/kvm/x86.c:11098

Well that's annoying.  The WARN is a sanity check that KVM doesn't somehow put
the guest into an uninitialized state while emulating the guest's APIC timer, but
I completely overlooked the fact that userspace can simply stuff the should-be-
impossible guest state. *sigh*

Sadly, I think the most reasonable thing to do is to simply drop the sanity check :-(

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 0145d844283b..e9e262b244b8 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -11091,12 +11091,17 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu)
                        r = -EINTR;
                        goto out;
                }
+
                /*
-                * It should be impossible for the hypervisor timer to be in
-                * use before KVM has ever run the vCPU.
+                * Don't bother switching APIC timer emulation from the
+                * hypervisor timer to the software timer, the only way for the
+                * APIC timer to be active is if userspace stuffed vCPU state,
+                * i.e. put the vCPU and into a nonsensical state.  The only
+                * transition out of UNINITIALIZED (without more state stuffing
+                * from userspace) is an INIT, which will reset the local APIC
+                * and thus smother the timer anyways, i.e. APIC timer IRQs
+                * will be dropped no matter what.
                 */
-               WARN_ON_ONCE(kvm_lapic_hv_timer_in_use(vcpu));
-
                kvm_vcpu_srcu_read_unlock(vcpu);
                kvm_vcpu_block(vcpu);
                kvm_vcpu_srcu_read_lock(vcpu);