Date: Tue, 11 Jul 2023 09:15:00 -0700
From: Sean Christopherson
To: Andrew Morton
Cc: Zheng Zhang, keescook@chromium.org, linux-hardening@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [BUG]: bad usercopy in kvm_stats_read in mm/usercopy.c
In-Reply-To: <20230710133427.fb599ef486c7b764d9ca2cc3@linux-foundation.org>
References: <20230710133427.fb599ef486c7b764d9ca2cc3@linux-foundation.org>

On Mon, Jul 10, 2023, Andrew Morton wrote:
> On Sun, 9 Jul 2023 14:32:09 -0700 Zheng Zhang wrote:
>
> > Kees, Andrew, and to whom it may concern:
> >
> > Hello! We have found a bug in the Linux kernel version 6.2.0 by syzkaller
> > with our own templates. It also produces a POC.
> > Attached is the report, log, and reproducers generated by syzkaller.
> > Please let me know if there is any additional information that I can
> > provide to help debug this issue.
> > Thanks!
>
> Let's cc the kvm mailing list.
>
> Original email is at
> https://lkml.kernel.org/r/CAC_GQSr3xzZaeZt85k_RCBd5kfiOve8qXo7a81Cq53LuVQ5r=Q@mail.gmail.com

Yeaaaah.  We failed kernel programming 101.

KVM installs file descriptors to let userspace read VM and vCPU stats, but
doesn't grab a reference to the VM to ensure the VM and its vCPUs are kept
alive until the stats fds are closed.

I'll send a patch.
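The lifetime bug described in the reply above, reduced to a small user-space model. This is an added example, not KVM code and not the patch Sean mentions: a stats file keeps a raw pointer to a VM object, and if open() does not take a reference, closing the VM fd destroys the VM while the stats file still points at it. All names (vm_create, stats_fd_open, scenario, ...) are hypothetical; a fixed pool of VM objects stands in for the kernel allocator so the dangling pointer can be detected instead of crashing.

```c
/* Added example (not the KVM patch): model of a file descriptor that holds
 * a raw pointer to an object without owning a reference to it.
 * All names here are hypothetical. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

enum vm_state { VM_FREE = 0, VM_LIVE, VM_DESTROYED };

struct vm {
    enum vm_state state;
    int refcount;          /* stands in for the kernel's refcount_t / kref */
    unsigned long stats;   /* a per-VM counter userspace wants to read */
};

struct stats_file {
    struct vm *vm;         /* raw pointer, like file->private_data */
    int holds_ref;         /* did open() take a reference on the VM? */
};

/* Fixed pool so "freed" memory stays addressable and a use-after-free shows
 * up as VM_DESTROYED. In the kernel the memory would go back to the
 * allocator and be reused by something else. */
#define MAX_VMS 4
static struct vm vm_pool[MAX_VMS];

static void vm_get(struct vm *vm) { vm->refcount++; }

/* Drop a reference; destroy the VM when the last one goes away. */
static void vm_put(struct vm *vm)
{
    assert(vm->refcount > 0);
    if (--vm->refcount == 0) {
        vm->state = VM_DESTROYED;
        vm->stats = 0;
    }
}

/* Create a VM; the VM fd owned by userspace holds the initial reference. */
struct vm *vm_create(void)
{
    for (int i = 0; i < MAX_VMS; i++) {
        if (vm_pool[i].state != VM_LIVE) {
            vm_pool[i].state = VM_LIVE;
            vm_pool[i].refcount = 1;
            vm_pool[i].stats = 42;   /* constructed sample value */
            return &vm_pool[i];
        }
    }
    return NULL;
}

/* Userspace closes the VM fd: release its reference. */
void vm_fd_close(struct vm *vm) { vm_put(vm); }

/* Open a stats fd on the VM. take_ref = 0 reproduces the bug (pointer
 * stored, no reference taken); take_ref = 1 is the correct pattern. */
void stats_fd_open(struct stats_file *f, struct vm *vm, int take_ref)
{
    f->vm = vm;
    f->holds_ref = take_ref;
    if (take_ref)
        vm_get(vm);
}

/* read() on the stats fd. Returns -1 if the VM was destroyed underneath
 * the open file, i.e. the access would be a use-after-free. */
long stats_fd_read(struct stats_file *f)
{
    if (f->vm->state != VM_LIVE)
        return -1;
    return (long)f->vm->stats;
}

/* release() on the stats fd: drop the reference if we hold one. */
void stats_fd_close(struct stats_file *f)
{
    if (f->holds_ref)
        vm_put(f->vm);
    f->vm = NULL;
}

/* Scenario: open a stats fd, close the VM fd, then read the stats. */
long scenario(int take_ref)
{
    struct stats_file f;
    struct vm *vm = vm_create();
    long ret;

    stats_fd_open(&f, vm, take_ref);
    vm_fd_close(vm);        /* VM fd closed while the stats fd is still open */
    ret = stats_fd_read(&f);
    stats_fd_close(&f);     /* in the fixed case the last reference drops here */
    return ret;
}

int main(void)
{
    printf("without reference: %ld\n", scenario(0));  /* -1: VM already destroyed */
    printf("with reference:    %ld\n", scenario(1));  /* 42: VM kept alive */
    return 0;
}
```

The point of the model is the ordering in scenario(): the object's owner (the VM fd) can go away at any time while a second fd still exists, so anything that installs a file on top of the object has to own a reference from open() until release(); a pointer alone only works if the object is guaranteed to outlive every file that refers to it.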