public inbox for linux-kernel@vger.kernel.org
From: syzbot <syzbot+919877893c9d28162dc2@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: (No Subject)
Date: Sun, 15 Mar 2026 08:07:52 -0700
Message-ID: <69b6cb48.050a0220.12d28.0155.GAE@google.com>
In-Reply-To: <673f4bbc.050a0220.3c9d61.0174.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: (No Subject)
Author: zxcyui967@proton.me

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From kettlebellok Mon Sep 17 00:00:00 2001
From: kettlebellok <zxcyui967@proton.me>
Date: Wed, 12 Mar 2026 00:00:00 +0800
Subject: [PATCH] KVM: xen: fix sleeping lock in hardirq context in
xen_timer_callback()

xen_timer_callback() calls kvm_xen_set_evtchn_fast(), which acquires
gpc->lock via read_lock_irqsave(). This is a regular rwlock, which
becomes a sleeping lock on PREEMPT_RT kernels. Since xen_timer_callback()
runs in hardirq context (hrtimer), this is invalid and triggers:

BUG: Invalid wait context
kvm_xen_set_evtchn_fast
xen_timer_callback
__hrtimer_run_queues
hrtimer_interrupt

Fix this by removing the kvm_xen_set_evtchn_fast() call from
xen_timer_callback() and always deferring event delivery via the
existing timer_pending mechanism. The vCPU will then deliver the
event through kvm_xen_inject_timer_irqs() in a safe process context.
This was already the fallback path when kvm_xen_set_evtchn_fast()
returned -EWOULDBLOCK.

Reported-by: syzbot+919877893c9d28162dc2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=919877893c9d28162dc2
Signed-off-by: kettlebellok <zxcyui967@proton.me>
---
arch/x86/kvm/xen.c | 13 -------------
1 file changed, 13 deletions(-)

diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
index 91fd3673c09a..e588a188f50a 100644
--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -126,23 +126,10 @@ static enum hrtimer_restart xen_timer_callback(struct hrtimer *timer)
{
struct kvm_vcpu *vcpu = container_of(timer, struct kvm_vcpu,
arch.xen.timer);
- struct kvm_xen_evtchn e;
- int rc;

if (atomic_read(&vcpu->arch.xen.timer_pending))
return HRTIMER_NORESTART;

- e.vcpu_id = vcpu->vcpu_id;
- e.vcpu_idx = vcpu->vcpu_idx;
- e.port = vcpu->arch.xen.timer_virq;
- e.priority = KVM_IRQ_ROUTING_XEN_EVTCHN_PRIO_2LEVEL;
-
- rc = kvm_xen_set_evtchn_fast(&e, vcpu->kvm);
- if (rc != -EWOULDBLOCK) {
- vcpu->arch.xen.timer_expires = 0;
- return HRTIMER_NORESTART;
- }
-
atomic_inc(&vcpu->arch.xen.timer_pending);
kvm_make_request(KVM_REQ_UNBLOCK, vcpu);
kvm_vcpu_kick(vcpu);
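Review bot: This hunk drops the only place in this function that clears vcpu->arch.xen.timer_expires (the removed `vcpu->arch.xen.timer_expires = 0;` on the fast-delivery success path), so please confirm that the deferred path kvm_xen_inject_timer_irqs() resets timer_expires itself, otherwise a stale expiry value survives every delivery. The hunk also removes the fast path unconditionally rather than only where read_lock_irqsave() on gpc->lock can sleep, so every timer expiry now costs an atomic_inc(), a KVM_REQ_UNBLOCK request and a vCPU kick on non-RT kernels too; the commit message should state that this latency cost is accepted for all configurations, or the change should be narrowed to the configurations where the lock is sleeping. Since the earlier thread (David Woodhouse and Sebastian Andrzej Siewior, 2024-11-26) already discussed this report, a reference to that discussion in the message would help reviewers.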
-- 
2.43.0

Thread overview: 10+ messages
2024-11-21 15:03 [syzbot] [kvm?] WARNING: locking bug in kvm_xen_set_evtchn_fast syzbot
2024-11-23 13:17 ` syzbot
2024-11-23 23:32   ` Hillf Danton
2024-11-26 14:24 ` syzbot
2024-11-26 14:49   ` David Woodhouse
2024-11-26 15:03     ` Sebastian Andrzej Siewior
2024-11-26 16:26       ` David Woodhouse
2026-03-15 13:58 ` Forwarded: syzbot
2026-03-15 15:00 ` Forwarded: (No Subject) syzbot
2026-03-15 15:07 ` syzbot [this message]