bisecting cause commit starting from c11d28ab4a691736e30b49813fb801847bd44e83
building syzkaller on 9682898d6f14dd27f95c419d059fd867bb91b22b
testing commit c11d28ab4a691736e30b49813fb801847bd44e83 with gcc (GCC) 8.1.0
kernel signature: 76b60fef3366ed9fd40f49c65b16f13c1998307bf0813412d3a8f962f6cdfa3d
all runs: crashed: kernel BUG at arch/x86/kvm/mmu/mmu.c:LINE!
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 3f4168d1290e97dd081a28bdf52899feef8ef846fb940577d6ca551294d0acf4
all runs: OK
# git bisect start c11d28ab4a691736e30b49813fb801847bd44e83 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 13326 revisions left to test after this (roughly 14 steps)
[74cd3984f13381049627cfa260fd87e6fcd31add] media: imx: utils: Split find|enum_format into fourcc and mbus functions
testing commit 74cd3984f13381049627cfa260fd87e6fcd31add with gcc (GCC) 8.1.0
kernel signature: 1a77dad5d70b5b0d08eaee6860bf385a2817ebe6c58a16c95452f56eb8dcad6e
all runs: OK
# git bisect good 74cd3984f13381049627cfa260fd87e6fcd31add
Bisecting: 6630 revisions left to test after this (roughly 13 steps)
[8bf9e28a25c6bbff58513b8175620e096368ede4] Merge remote-tracking branch 'net-next/master'
testing commit 8bf9e28a25c6bbff58513b8175620e096368ede4 with gcc (GCC) 8.1.0
kernel signature: b2a8196b797eabdd95f08fec83f7b36321127f9feb34ddaba5cfe53dea06b78c
all runs: OK
# git bisect good 8bf9e28a25c6bbff58513b8175620e096368ede4
Bisecting: 3403 revisions left to test after this (roughly 12 steps)
[27e0b188b775a88574d0c86793b8a4ae2a2be5fe] Merge remote-tracking branch 'spi/for-next'
testing commit 27e0b188b775a88574d0c86793b8a4ae2a2be5fe with gcc (GCC) 8.1.0
kernel signature: 55680a76768b33f33211a946077afae6cc589d1a725c46e80f9d21ee294cb173
all runs: OK
# git bisect good 27e0b188b775a88574d0c86793b8a4ae2a2be5fe
Bisecting: 1934 revisions left to test after this (roughly 11 steps)
[10f5f72ec20bee1fce20f701826cd5f816cfbfbc] Merge remote-tracking branch 'thunderbolt/next'
testing commit 10f5f72ec20bee1fce20f701826cd5f816cfbfbc with gcc (GCC) 8.1.0
kernel signature: b84fccd71af6b9ac798d63a8f52199973c537d2cc9984d78f1e230950696f8b6
all runs: crashed: kernel BUG at arch/x86/kvm/mmu/mmu.c:LINE!
# git bisect bad 10f5f72ec20bee1fce20f701826cd5f816cfbfbc
Bisecting: 781 revisions left to test after this (roughly 10 steps)
[f2d8ef2c95ea717894cd059f725524bf6176ce11] next-20200519/rcu
testing commit f2d8ef2c95ea717894cd059f725524bf6176ce11 with gcc (GCC) 8.1.0
kernel signature: 33b50fd2f1697ec4988c6e7596d592a3703098e695a0ec52d079c4808a382f57
all runs: OK
# git bisect good f2d8ef2c95ea717894cd059f725524bf6176ce11
Bisecting: 409 revisions left to test after this (roughly 9 steps)
[8579b345bb924fecc6b8c75e55aee8569d2b5eae] Merge remote-tracking branch 'usb/usb-next'
testing commit 8579b345bb924fecc6b8c75e55aee8569d2b5eae with gcc (GCC) 8.1.0
kernel signature: e357b881286e2b669b2ff6c053338972b796856db06b6e0500e2b7c3cab9ac00
all runs: crashed: kernel BUG at arch/x86/kvm/mmu/mmu.c:LINE!
# git bisect bad 8579b345bb924fecc6b8c75e55aee8569d2b5eae
Bisecting: 186 revisions left to test after this (roughly 8 steps)
[77158bd537ac5a9fea6831d22e8b5a22be4856a6] Merge remote-tracking branch 'kvms390/next'
testing commit 77158bd537ac5a9fea6831d22e8b5a22be4856a6 with gcc (GCC) 8.1.0
kernel signature: eca2a39db601d5a481af05c638f30e600191629baef159a6e24ec1dde8985831
all runs: crashed: kernel BUG at arch/x86/kvm/mmu/mmu.c:LINE!
# git bisect bad 77158bd537ac5a9fea6831d22e8b5a22be4856a6
Bisecting: 92 revisions left to test after this (roughly 7 steps)
[6e085cbfb0f0c7de4ca0f370adb572b0e07a818c] KVM: SVM: immediately inject INTR vmexit
testing commit 6e085cbfb0f0c7de4ca0f370adb572b0e07a818c with gcc (GCC) 8.1.0
kernel signature: ff26964387dfd446b52153abe6e24634b5e9e86feb5bf5a236c8dfd8482485a0
run #0: crashed: general protection fault in start_creating
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 6e085cbfb0f0c7de4ca0f370adb572b0e07a818c
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[4a632ac6ca66fb29b94a16495624c58f4d313f2f] KVM: x86/mmu: Add separate override for MMU sync during fast CR3 switch
testing commit 4a632ac6ca66fb29b94a16495624c58f4d313f2f with gcc (GCC) 8.1.0
kernel signature: b1f7fb37e10a50f987f4b62d7d2dd3c2c8afc4786f7165d06f72b109a35f905d
all runs: OK
# git bisect good 4a632ac6ca66fb29b94a16495624c58f4d313f2f
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[8791585837f659943936b8e1cce9d039436ad1ca] KVM: VMX: Cache vmcs.EXIT_INTR_INFO using arch avail_reg flags
testing commit 8791585837f659943936b8e1cce9d039436ad1ca with gcc (GCC) 8.1.0
kernel signature: 71eb3f49365bee4fb10ec6bc1f0724754e1fbb34e1bae2c4e505658fedf02032
run #0: crashed: general protection fault in start_creating
run #1: crashed: general protection fault in start_creating
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 8791585837f659943936b8e1cce9d039436ad1ca
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[7b7bd87dbd6aa8c09d5e8a8028bda69c3ab13969] KVM: nVMX: Uninline nested_vmx_reflect_vmexit(), i.e. move it to nested.c
testing commit 7b7bd87dbd6aa8c09d5e8a8028bda69c3ab13969 with gcc (GCC) 8.1.0
kernel signature: a89ae36f2cf4a1f37a7122f291b67407f7f385807283a5a033895860ca24f539
run #0: crashed: general protection fault in start_creating
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 7b7bd87dbd6aa8c09d5e8a8028bda69c3ab13969
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[be01e8e2c632c41c69bb30e7196661ec6e8fdc10] KVM: x86: Replace "cr3" with "pgd" in "new cr3/pgd" related code
testing commit be01e8e2c632c41c69bb30e7196661ec6e8fdc10 with gcc (GCC) 8.1.0
kernel signature: 30fae8270acf423e92e4a90ce2843e891c59d302741b130c7d103304739389f9
all runs: OK
# git bisect good be01e8e2c632c41c69bb30e7196661ec6e8fdc10
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[63d04348371b7ea4a134bcf47c79763d969e9168] KVM: x86: move kvm_create_vcpu_debugfs after last failure point
testing commit 63d04348371b7ea4a134bcf47c79763d969e9168 with gcc (GCC) 8.1.0
kernel signature: 47b96008d4a4593460642220b3d94b0a18ee152817efa97dbbd199260ddbf387
run #0: crashed: general protection fault in start_creating
run #1: crashed: general protection fault in start_creating
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 63d04348371b7ea4a134bcf47c79763d969e9168
Bisecting: 0 revisions left to test after this (roughly 1 step)
[1c164cb3ffd084e5359a56abde715acf121e69a4] KVM: SVM: Use do_machine_check to pass MCE to the host
testing commit 1c164cb3ffd084e5359a56abde715acf121e69a4 with gcc (GCC) 8.1.0
kernel signature: 5b4d03deecdb6f8f2f65b1e6705db6770297499d92b6bcf1921e4588797f3f99
all runs: OK
# git bisect good 1c164cb3ffd084e5359a56abde715acf121e69a4
63d04348371b7ea4a134bcf47c79763d969e9168 is the first bad commit
commit 63d04348371b7ea4a134bcf47c79763d969e9168
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Wed Apr 1 00:42:22 2020 +0200

    KVM: x86: move kvm_create_vcpu_debugfs after last failure point
    
    The placement of kvm_create_vcpu_debugfs is more or less irrelevant, since
    it cannot fail and userspace should not care about the debugfs entries until
    it knows the vcpu has been created.  Moving it after the last failure
    point removes the need to remove the directory when unwinding the creation.
    
    Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
    Message-Id: <20200331224222.393439-1-pbonzini@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 virt/kvm/kvm_main.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
culprit signature: 47b96008d4a4593460642220b3d94b0a18ee152817efa97dbbd199260ddbf387
parent  signature: 5b4d03deecdb6f8f2f65b1e6705db6770297499d92b6bcf1921e4588797f3f99
revisions tested: 16, total time: 3h50m14.362477126s (build: 1h34m56.430418385s, test: 2h14m7.913416088s)
first bad commit: 63d04348371b7ea4a134bcf47c79763d969e9168 KVM: x86: move kvm_create_vcpu_debugfs after last failure point
cc: ["eesposit@redhat.com" "kvm@vger.kernel.org" "linux-kernel@vger.kernel.org" "pbonzini@redhat.com"]
crash: general protection fault in start_creating
general protection fault, probably for non-canonical address 0xdffffc000000002a: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000150-0x0000000000000157]
CPU: 1 PID: 27281 Comm: syz-executor.3 Not tainted 5.6.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0xde0/0x3740 kernel/locking/lockdep.c:4214
Code: c7 44 24 04 01 00 00 00 0f 86 de 00 00 00 89 05 26 53 bc 09 e9 d3 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 83 21 00 00 48 81 7d 00 80 b8 e2 8a 0f 84 e4 f2
RSP: 0018:ffffc900054d77b8 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: ffff8880a92f6280 RCX: 0000000000000000
RDX: 000000000000002a RSI: 0000000000000000 RDI: 0000000000000150
RBP: 0000000000000150 R08: 0000000000000001 R09: 0000000000000000
R10: ffffffff89bcec87 R11: fffffbfff1379d90 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f5e3b139700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000b90004 CR3: 0000000073ffc000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 lock_acquire+0x1e3/0x970 kernel/locking/lockdep.c:4923
 down_write+0x8e/0x150 kernel/locking/rwsem.c:1531
 inode_lock include/linux/fs.h:797 [inline]
 start_creating+0x7f/0x1f0 fs/debugfs/inode.c:334
 __debugfs_create_file+0x33/0x380 fs/debugfs/inode.c:383
 kvm_arch_create_vcpu_debugfs+0x49/0x1c0 arch/x86/kvm/debugfs.c:48
 kvm_create_vcpu_debugfs arch/x86/kvm/../../../virt/kvm/kvm_main.c:2985 [inline]
 kvm_vm_ioctl_create_vcpu arch/x86/kvm/../../../virt/kvm/kvm_main.c:3062 [inline]
 kvm_vm_ioctl+0x15bf/0x1eb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3582
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0xb8/0x110 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:770
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ca29
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5e3b138c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004e73c0 RCX: 000000000045ca29
RDX: 0000000000000000 RSI: 000000000000ae41 RDI: 0000000000000004
RBP: 000000000078bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000396 R14: 00000000004c62c6 R15: 00007f5e3b1396d4
Modules linked in:
---[ end trace b193319797617e06 ]---
RIP: 0010:__lock_acquire+0xde0/0x3740 kernel/locking/lockdep.c:4214
Code: c7 44 24 04 01 00 00 00 0f 86 de 00 00 00 89 05 26 53 bc 09 e9 d3 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 83 21 00 00 48 81 7d 00 80 b8 e2 8a 0f 84 e4 f2
RSP: 0018:ffffc900054d77b8 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: ffff8880a92f6280 RCX: 0000000000000000
RDX: 000000000000002a RSI: 0000000000000000 RDI: 0000000000000150
RBP: 0000000000000150 R08: 0000000000000001 R09: 0000000000000000
R10: ffffffff89bcec87 R11: fffffbfff1379d90 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f5e3b139700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000b90004 CR3: 0000000073ffc000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400