References: <1572848879-21011-1-git-send-email-wanpengli@tencent.com> <1572848879-21011-2-git-send-email-wanpengli@tencent.com>
From: Wanpeng Li
Date: Mon, 4 Nov 2019 20:16:58 +0800
Subject: Re: [PATCH 2/2] KVM: Fix rcu splat if vm creation fails
To: Paolo Bonzini
Cc: LKML, kvm, Radim Krčmář, Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, 4 Nov 2019 at 19:18, Paolo Bonzini wrote:
>
> On 04/11/19 07:27, Wanpeng Li wrote:
> > From: Wanpeng Li
> >
> > Reported by syzkaller:
> >
> >    =============================
> >    WARNING: suspicious RCU usage
> >    -----------------------------
> >    ./include/linux/kvm_host.h:536 suspicious rcu_dereference_check() usage!
> >
> >    other info that might help us debug this:
> >
> >    rcu_scheduler_active = 2, debug_locks = 1
> >    no locks held by repro_11/12688.
> >
> >    stack backtrace:
> >    Call Trace:
> >     dump_stack+0x7d/0xc5
> >     lockdep_rcu_suspicious+0x123/0x170
> >     kvm_dev_ioctl+0x9a9/0x1260 [kvm]
> >     do_vfs_ioctl+0x1a1/0xfb0
> >     ksys_ioctl+0x6d/0x80
> >     __x64_sys_ioctl+0x73/0xb0
> >     do_syscall_64+0x108/0xaa0
> >     entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >
> > Commit a97b0e773e4 (kvm: call kvm_arch_destroy_vm if vm creation fails)
> > sets users_count to 1 before kvm_arch_init_vm(), however, if kvm_arch_init_vm()
> > fails, we need to dec this count. Or, we can move the sets refcount after
> > kvm_arch_init_vm().
>
> I don't understand this one, hasn't
>
>         WARN_ON_ONCE(!refcount_dec_and_test(&kvm->users_count));
>
> decreased the count already?  With your patch the refcount would then
> underflow.

        r = kvm_arch_init_vm(kvm, type);
        if (r)
                goto out_err_no_arch_destroy_vm;

out_err_no_disable:
        kvm_arch_destroy_vm(kvm);
        WARN_ON_ONCE(!refcount_dec_and_test(&kvm->users_count));
out_err_no_arch_destroy_vm:

So, if kvm_arch_init_vm() fails, we will not execute
WARN_ON_ONCE(!refcount_dec_and_test(&kvm->users_count));

    Wanpeng
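
The label layout quoted in the reply above, reduced to a user-space model that reports the reference count left behind on each failure path. This is an added example, not code from the patch or the kernel; the model_* names, the failure flags and the set_count_late switch (modelling the "set the refcount after kvm_arch_init_vm()" option from the commit message) are assumptions.

```c
/* Constructed user-space model; model_* names are hypothetical. */
#include <stdio.h>

struct model_vm {
    int users_count;     /* stands in for kvm->users_count */
    int arch_destroyed;  /* set when the arch teardown step runs */
};

/*
 * set_count_late: 0 = count set to 1 before arch init (layout in the mail),
 *                 1 = count set to 1 only after arch init succeeded.
 * fail_arch_init: the arch init step fails.
 * fail_later:     a step after arch init fails.
 * Returns the reference count left on the object at exit.
 */
int model_create_vm(int set_count_late, int fail_arch_init, int fail_later,
                    struct model_vm *vm)
{
    vm->users_count = set_count_late ? 0 : 1;
    vm->arch_destroyed = 0;

    if (fail_arch_init)
        goto out_err_no_arch_destroy_vm;
    if (set_count_late)
        vm->users_count = 1;
    if (fail_later)
        goto out_err_no_disable;
    return vm->users_count;       /* success: caller owns one reference */

out_err_no_disable:
    vm->arch_destroyed = 1;       /* kvm_arch_destroy_vm() in the mail */
    vm->users_count--;            /* the refcount_dec_and_test() line */
out_err_no_arch_destroy_vm:
    /* Reached directly on arch-init failure: the two lines above are skipped. */
    return vm->users_count;
}

int main(void)
{
    struct model_vm vm;
    printf("early set, arch init fails: %d\n", model_create_vm(0, 1, 0, &vm));
    printf("early set, later failure:   %d\n", model_create_vm(0, 0, 1, &vm));
    printf("late set,  arch init fails: %d\n", model_create_vm(1, 1, 0, &vm));
    printf("late set,  later failure:   %d\n", model_create_vm(1, 0, 1, &vm));
    return 0;
}
```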