From: Sean Christopherson <seanjc@google.com>
To: syzbot ci <syzbot+ciaa819f991480b300@syzkaller.appspotmail.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
pbonzini@redhat.com, syzbot@syzkaller.appspotmail.com,
vkuznets@redhat.com, syzbot@lists.linux.dev,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot ci] Re: KVM: x86/hyperv: Fix racy usage of vcpu->arch.hyperv
Date: Mon, 15 Jun 2026 07:28:19 -0700
Message-ID: <ajAMA_cWeZon3SYs@google.com>
In-Reply-To: <6a2dbfcc.8812e0fc.3c3fa4.000a.GAE@google.com>
On Sat, Jun 13, 2026, syzbot ci wrote:
> Full report is available here:
> https://ci.syzbot.org/series/674ef35a-9335-4710-8a6d-b18d01510cbb
>
> ***
>
> WARNING in kvm_hv_vcpu_uninit
>
> tree: linux-next
> URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next
> base: c1f7303302927f9cbf4efedf70f0512cde168c65
> arch: amd64
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> config: https://ci.syzbot.org/builds/20dd789e-0a89-4465-844c-9d91b5ce4a45/config
> syz repro: https://ci.syzbot.org/findings/eeefcfe6-b8e9-4c5b-900e-855d814f5d97/syz_repro
>
> ------------[ cut here ]------------
> debug_locks && !(lock_is_held(&(&vcpu->mutex)->dep_map) || vcpu->vcpu_idx < 0 || !refcount_read(&vcpu->kvm->users_count))
> WARNING: ./include/linux/kvm_host.h:996 at kvm_lockdep_assert_vcpu_is_locked_or_unreachable include/linux/kvm_host.h:994 [inline], CPU#1: syz.1.25/5883
> WARNING: ./include/linux/kvm_host.h:996 at to_hv_vcpu arch/x86/kvm/hyperv.h:78 [inline], CPU#1: syz.1.25/5883
> WARNING: ./include/linux/kvm_host.h:996 at kvm_hv_vcpu_uninit+0x198/0x210 arch/x86/kvm/hyperv.c:906, CPU#1: syz.1.25/5883
> Modules linked in:
> CPU: 1 UID: 0 PID: 5883 Comm: syz.1.25 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> RIP: 0010:kvm_lockdep_assert_vcpu_is_locked_or_unreachable include/linux/kvm_host.h:994 [inline]
> RIP: 0010:to_hv_vcpu arch/x86/kvm/hyperv.h:78 [inline]
> RIP: 0010:kvm_hv_vcpu_uninit+0x198/0x210 arch/x86/kvm/hyperv.c:906
> Call Trace:
> <TASK>
> kvm_arch_vcpu_destroy+0x1a9/0x380 arch/x86/kvm/x86.c:12905
> kvm_vm_ioctl_create_vcpu+0x68b/0x940 virt/kvm/kvm_main.c:4262
Darn error injection. xa_insert() can fail with -ENOMEM. It's kinda ugly, but
unwinding vcpu_idx on failure is a logically sound fix. And a good excuse to
document that the index needs to be set before adding it to the array, e.g.
diff --git virt/kvm/kvm_main.c virt/kvm/kvm_main.c
index b3d2a678210c..98da4c889ffc 100644
--- virt/kvm/kvm_main.c
+++ virt/kvm/kvm_main.c
@@ -4218,11 +4218,18 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
goto unlock_vcpu_destroy;
}
+ /*
+ * Set the vCPU's index *before* the vCPU is reachable by other tasks.
+ * Unwind the index back to -1 on failure so that KVM can use the index
+ * to detect that the vCPU is unreachable, e.g. for lockdep asserts.
+ */
vcpu->vcpu_idx = atomic_read(&kvm->online_vcpus);
r = xa_insert(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, GFP_KERNEL_ACCOUNT);
WARN_ON_ONCE(r == -EBUSY);
- if (r)
+ if (r) {
+ vcpu->vcpu_idx = -1;
goto unlock_vcpu_destroy;
+ }
/*
* Now it's all set up, let userspace reach it. Grab the vCPU's mutex
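Review bot: The unwind at `vcpu->vcpu_idx = -1;` only restores the "unreachable" state if -1 is the value the vCPU carried before the assignment; the new comment should say so explicitly (that -1 is the sentinel the destroy path's assert keys on, per the quoted condition `vcpu->vcpu_idx < 0 || !refcount_read(&vcpu->kvm->users_count)`), otherwise a reader of this hunk in isolation cannot tell why -1 rather than any other negative value is correct. Note also that the `WARN_ON_ONCE(r == -EBUSY)` case now flows through the same unwind and `goto unlock_vcpu_destroy`; a duplicate index means the index/online_vcpus bookkeeping was already inconsistent, so it would be worth a short comment that the unwind is still the right thing to do there, or a mention in the changelog.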
> kvm_vm_ioctl+0x893/0xd50 virt/kvm/kvm_main.c:5161
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:597 [inline]
> __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fbc0659ce59
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fbc073dc028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fbc06815fa0 RCX: 00007fbc0659ce59
> RDX: 0000000000000001 RSI: 000000000000ae41 RDI: 00000000000000f7
> RBP: 00007fbc06632d6f R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007fbc06816038 R14: 00007fbc06815fa0 R15: 00007fffc5de9fc8
> </TASK>