WARNING: locking bug in kvm_xen_set_evtchn

Title	Replies (including bot)	Last reply
[syzbot] [kvm?] WARNING: locking bug in kvm_xen_set_evtchn_fast	0 (1)	2024/11/21 15:03

============================= [ BUG: Invalid wait context ] 6.12.0-syzkaller-01892-g8f7c8b88bda4 #0 Not tainted ----------------------------- kworker/u32:4/73 is trying to lock: ffffc90003a90460 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x248/0xe00 arch/x86/kvm/xen.c:1755 other info that might help us debug this: context-{2:2} 7 locks held by kworker/u32:4/73: #0: ffff88810628e948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204 #1: ffffc90000fbfd80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205 #2: ffffffff8feec868 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_dad_work+0xcf/0x14d0 net/ipv6/addrconf.c:4196 #3: ffffffff8e1bb1c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline] #3: ffffffff8e1bb1c0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline] #3: ffffffff8e1bb1c0 (rcu_read_lock){....}-{1:3}, at: ndisc_send_skb+0x864/0x1c30 net/ipv6/ndisc.c:507 #4: ffffffff8e1bb1c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline] #4: ffffffff8e1bb1c0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline] #4: ffffffff8e1bb1c0 (rcu_read_lock){....}-{1:3}, at: ip6_finish_output2+0x3da/0x1a50 net/ipv6/ip6_output.c:126 #5: ffffffff8e1bb1c0 (rcu_read_lock){....}-{1:3}, at: local_lock_release include/linux/local_lock_internal.h:38 [inline] #5: ffffffff8e1bb1c0 (rcu_read_lock){....}-{1:3}, at: process_backlog+0x3f1/0x15f0 net/core/dev.c:6113 #6: ffffc90003a908c8 (&kvm->srcu){.?.?}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:158 [inline] #6: ffffc90003a908c8 (&kvm->srcu){.?.?}-{0:0}, at: srcu_read_lock include/linux/srcu.h:249 [inline] #6: ffffc90003a908c8 (&kvm->srcu){.?.?}-{0:0}, at: kvm_xen_set_evtchn_fast+0x22e/0xe00 arch/x86/kvm/xen.c:1753 stack backtrace: CPU: 1 UID: 0 PID: 73 Comm: kworker/u32:4 Not tainted 6.12.0-syzkaller-01892-g8f7c8b88bda4 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_lock_invalid_wait_context kernel/locking/lockdep.c:4826 [inline] check_wait_context kernel/locking/lockdep.c:4898 [inline] __lock_acquire+0x878/0x3c40 kernel/locking/lockdep.c:5176 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline] _raw_read_lock_irqsave+0x46/0x90 kernel/locking/spinlock.c:236 kvm_xen_set_evtchn_fast+0x248/0xe00 arch/x86/kvm/xen.c:1755 xen_timer_callback+0x1dd/0x2a0 arch/x86/kvm/xen.c:140 __run_hrtimer kernel/time/hrtimer.c:1739 [inline] __hrtimer_run_queues+0x5fb/0xae0 kernel/time/hrtimer.c:1803 hrtimer_interrupt+0x392/0x8e0 kernel/time/hrtimer.c:1865 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1038 [inline] __sysvec_apic_timer_interrupt+0x10f/0x400 arch/x86/kernel/apic/apic.c:1055 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0x52/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194 Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 26 dc 41 f6 48 89 df e8 9e 5b 42 f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 <bf> 01 00 00 00 e8 35 52 33 f6 65 8b 05 36 f8 da 74 85 c0 74 16 5b RSP: 0018:ffffc900008b0758 EFLAGS: 00000246 RAX: 0000000000000012 RBX: ffffffff9a9e1520 RCX: 1ffffffff2dc9676 RDX: 0000000000000000 RSI: ffffffff8b6cd740 RDI: ffffffff8bd1db00 RBP: 0000000000000286 R08: 0000000000000001 R09: fffffbfff2dc8999 R10: ffffffff96e44ccf R11: 0000000000000006 R12: ffffffff9a9e1518 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88801eec3040 __debug_check_no_obj_freed lib/debugobjects.c:1108 [inline] debug_check_no_obj_freed+0x327/0x600 lib/debugobjects.c:1129 slab_free_hook mm/slub.c:2273 [inline] slab_free mm/slub.c:4579 [inline] kmem_cache_free+0x29c/0x4b0 mm/slub.c:4681 kfree_skbmem+0x1a4/0x1f0 net/core/skbuff.c:1148 __kfree_skb net/core/skbuff.c:1205 [inline] sk_skb_reason_drop+0x136/0x1a0 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1262 [inline] __netif_receive_skb_core.constprop.0+0x592/0x4330 net/core/dev.c:5644 __netif_receive_skb_one_core+0xb1/0x1e0 net/core/dev.c:5668 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5783 process_backlog+0x443/0x15f0 net/core/dev.c:6115 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6779 napi_poll net/core/dev.c:6848 [inline] net_rx_action+0xa92/0x1010 net/core/dev.c:6970 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554 do_softirq kernel/softirq.c:455 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:442 </IRQ> <TASK> __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline] __dev_queue_xmit+0x887/0x4350 net/core/dev.c:4459 dev_queue_xmit include/linux/netdevice.h:3094 [inline] neigh_connected_output+0x45c/0x630 net/core/neighbour.c:1594 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x6a7/0x1a50 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0x3f9/0x1300 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ndisc_send_skb+0xa2d/0x1c30 net/ipv6/ndisc.c:511 ndisc_send_ns+0xc7/0x150 net/ipv6/ndisc.c:669 addrconf_dad_work+0xc80/0x14d0 net/ipv6/addrconf.c:4284 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> ---------------- Code disassembly (best guess): 0: f5 cmc 1: 53 push %rbx 2: 48 8b 74 24 10 mov 0x10(%rsp),%rsi 7: 48 89 fb mov %rdi,%rbx a: 48 83 c7 18 add $0x18,%rdi e: e8 26 dc 41 f6 call 0xf641dc39 13: 48 89 df mov %rbx,%rdi 16: e8 9e 5b 42 f6 call 0xf6425bb9 1b: f7 c5 00 02 00 00 test $0x200,%ebp 21: 75 23 jne 0x46 23: 9c pushf 24: 58 pop %rax 25: f6 c4 02 test $0x2,%ah 28: 75 37 jne 0x61 * 2a: bf 01 00 00 00 mov $0x1,%edi <-- trapping instruction 2f: e8 35 52 33 f6 call 0xf6335269 34: 65 8b 05 36 f8 da 74 mov %gs:0x74daf836(%rip),%eax # 0x74daf871 3b: 85 c0 test %eax,%eax 3d: 74 16 je 0x55 3f: 5b pop %rbx

Crashes (3):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info	Assets (help?)	Manager	Title
2024/11/21 10:38	upstream	8f7c8b88bda4	4b25d554	.config	console log	report	info	[disk image (non-bootable)] [vmlinux] [kernel image]	ci-qemu-upstream	WARNING: locking bug in kvm_xen_set_evtchn_fast
2024/11/21 07:57	upstream	8f7c8b88bda4	4b25d554	.config	console log	report	info	[disk image (non-bootable)] [vmlinux] [kernel image]	ci-qemu-upstream	WARNING: locking bug in kvm_xen_set_evtchn_fast
2024/11/21 04:53	upstream	8f7c8b88bda4	4b25d554	.config	console log	report	info	[disk image (non-bootable)] [vmlinux] [kernel image]	ci-qemu-upstream	WARNING: locking bug in kvm_xen_set_evtchn_fast

Crashes (3):

Assets (help?)