bisecting cause commit starting from 234b69e3e089d850a98e7b3145bd00e9b52b1111
building syzkaller on 370797126e9ba28a49317bf099076a5ca06e4501
testing commit 234b69e3e089d850a98e7b3145bd00e9b52b1111 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in finish_task_switch
run #1: crashed: KASAN: use-after-free Read in finish_task_switch
run #2: crashed: KASAN: use-after-free Read in finish_task_switch
run #3: crashed: KASAN: use-after-free Read in finish_task_switch
run #4: crashed: KASAN: use-after-free Read in vmx_vcpu_load
run #5: crashed: KASAN: use-after-free Read in finish_task_switch
run #6: crashed: KASAN: use-after-free Read in finish_task_switch
run #7: crashed: KASAN: use-after-free Read in vmx_vcpu_load
run #8: crashed: KASAN: use-after-free Read in finish_task_switch
run #9: crashed: KASAN: use-after-free Read in finish_task_switch
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 234b69e3e089d850a98e7b3145bd00e9b52b1111 v4.18
Bisecting: 7162 revisions left to test after this (roughly 13 steps)
[54dbe75bbf1e189982516de179147208e90b5e45] Merge tag 'drm-next-2018-08-15' of git://anongit.freedesktop.org/drm/drm
testing commit 54dbe75bbf1e189982516de179147208e90b5e45 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 54dbe75bbf1e189982516de179147208e90b5e45
Bisecting: 3587 revisions left to test after this (roughly 12 steps)
[1d0926e99de7b486321e3db924b445531eea5e18] Merge tag 'char-misc-4.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit 1d0926e99de7b486321e3db924b445531eea5e18 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 1d0926e99de7b486321e3db924b445531eea5e18
Bisecting: 1677 revisions left to test after this (roughly 11 steps)
[2f34a64aeac4d87e8ed8275d9f1230e18a50079c] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
testing commit 2f34a64aeac4d87e8ed8275d9f1230e18a50079c with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in finish_task_switch
# git bisect bad 2f34a64aeac4d87e8ed8275d9f1230e18a50079c
Bisecting: 953 revisions left to test after this (roughly 10 steps)
[fe6f0ed0dac7df01014ef17fdad45e3eaf21b949] Merge tag 'f2fs-for-4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs
testing commit fe6f0ed0dac7df01014ef17fdad45e3eaf21b949 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in finish_task_switch
run #1: crashed: KASAN: use-after-free Read in finish_task_switch
run #2: crashed: KASAN: use-after-free Read in finish_task_switch
run #3: crashed: KASAN: use-after-free Read in finish_task_switch
run #4: crashed: KASAN: use-after-free Read in finish_task_switch
run #5: crashed: KASAN: use-after-free Read in finish_task_switch
run #6: crashed: KASAN: use-after-free Read in finish_task_switch
run #7: crashed: KASAN: use-after-free Read in finish_task_switch
run #8: crashed: KASAN: use-after-free Read in finish_task_switch
run #9: crashed: general protection fault in finish_task_switch
# git bisect bad fe6f0ed0dac7df01014ef17fdad45e3eaf21b949
Bisecting: 477 revisions left to test after this (roughly 9 steps)
[e58dd0de5eadf145895b13451a1fef8ef03946eb] bdi: use refcount_t for reference counting instead atomic_t
testing commit e58dd0de5eadf145895b13451a1fef8ef03946eb with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in finish_task_switch
run #1: crashed: KASAN: use-after-free Read in finish_task_switch
run #2: crashed: KASAN: use-after-free Read in finish_task_switch
run #3: crashed: KASAN: use-after-free Read in finish_task_switch
run #4: crashed: KASAN: use-after-free Read in finish_task_switch
run #5: crashed: KASAN: use-after-free Read in finish_task_switch
run #6: crashed: KASAN: use-after-free Read in finish_task_switch
run #7: crashed: general protection fault in finish_task_switch
run #8: crashed: KASAN: use-after-free Read in finish_task_switch
run #9: crashed: KASAN: use-after-free Read in finish_task_switch
# git bisect bad e58dd0de5eadf145895b13451a1fef8ef03946eb
Bisecting: 249 revisions left to test after this (roughly 8 steps)
[61c4fc1eaf736344904767d201b0d4f7a2ebaf79] Merge tag 'backlight-next-4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight
testing commit 61c4fc1eaf736344904767d201b0d4f7a2ebaf79 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in finish_task_switch
# git bisect bad 61c4fc1eaf736344904767d201b0d4f7a2ebaf79
Bisecting: 121 revisions left to test after this (roughly 7 steps)
[e61cf2e3a5b452cfefcb145021f5a8ea88735cc1] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit e61cf2e3a5b452cfefcb145021f5a8ea88735cc1 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in finish_task_switch
# git bisect bad e61cf2e3a5b452cfefcb145021f5a8ea88735cc1
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[afe828d1de4047d26eb0cd0c0154f5ac3722bf63] kvm: x86: Add ability to skip TLB flush when switching CR3
testing commit afe828d1de4047d26eb0cd0c0154f5ac3722bf63 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in finish_task_switch
# git bisect bad afe828d1de4047d26eb0cd0c0154f5ac3722bf63
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[7f7f1ba33cf2c21d001821313088c231db42ff40] KVM: x86: do not load vmcs12 pages while still in SMM
testing commit 7f7f1ba33cf2c21d001821313088c231db42ff40 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 7f7f1ba33cf2c21d001821313088c231db42ff40
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[6d894f498f5d121b57a231315b0b459e185abed1] KVM: nVMX: vmread/vmwrite: Use shadow vmcs12 if running L2
testing commit 6d894f498f5d121b57a231315b0b459e185abed1 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in finish_task_switch
# git bisect bad 6d894f498f5d121b57a231315b0b459e185abed1
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[a6192d40d52f6b86997a71449e2ebc3d7f5ca103] KVM: nVMX: Fail VMLAUNCH and VMRESUME on shadow VMCS
testing commit a6192d40d52f6b86997a71449e2ebc3d7f5ca103 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in finish_task_switch
# git bisect bad a6192d40d52f6b86997a71449e2ebc3d7f5ca103
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[392b2f25aa415c0222b348f95875409be49a1201] KVM: VMX: Create struct for VMCS header
testing commit 392b2f25aa415c0222b348f95875409be49a1201 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in finish_task_switch
# git bisect bad 392b2f25aa415c0222b348f95875409be49a1201
Bisecting: 0 revisions left to test after this (roughly 1 step)
[cb5476379f0718046f3c6b3195d18838c5b25ea2] kvm: selftests: add test for nested state save/restore
testing commit cb5476379f0718046f3c6b3195d18838c5b25ea2 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in finish_task_switch
# git bisect bad cb5476379f0718046f3c6b3195d18838c5b25ea2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[8fcc4b5923af5de58b80b53a069453b135693304] kvm: nVMX: Introduce KVM_CAP_NESTED_STATE
testing commit 8fcc4b5923af5de58b80b53a069453b135693304 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in finish_task_switch
# git bisect bad 8fcc4b5923af5de58b80b53a069453b135693304
8fcc4b5923af5de58b80b53a069453b135693304 is the first bad commit
commit 8fcc4b5923af5de58b80b53a069453b135693304
Author: Jim Mattson <jmattson@google.com>
Date:   Tue Jul 10 11:27:20 2018 +0200

    kvm: nVMX: Introduce KVM_CAP_NESTED_STATE
    
    For nested virtualization L0 KVM is managing a bit of state for L2 guests,
    this state can not be captured through the currently available IOCTLs. In
    fact the state captured through all of these IOCTLs is usually a mix of L1
    and L2 state. It is also dependent on whether the L2 guest was running at
    the moment when the process was interrupted to save its state.
    
    With this capability, there are two new vcpu ioctls: KVM_GET_NESTED_STATE
    and KVM_SET_NESTED_STATE. These can be used for saving and restoring a VM
    that is in VMX operation.
    
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Radim Krčmář <rkrcmar@redhat.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: x86@kernel.org
    Cc: kvm@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Jim Mattson <jmattson@google.com>
    [karahmed@ - rename structs and functions and make them ready for AMD and
                 address previous comments.
               - handle nested.smm state.
               - rebase & a bit of refactoring.
               - Merge 7/8 and 8/8 into one patch. ]
    Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

:040000 040000 bebd2794f126798c6d96ae75a46e31951122400e 08957b9d318f822a2411e400e858725e3913a05a M	Documentation
:040000 040000 2b79a65cf06e4945a989b9526b8944230152c0c7 05543a51892598ffb73a3ab0cadee1dd023f2178 M	arch
:040000 040000 2d941a89cbd12a6b2a52456da84962d94e466dbe d817491cb9566552dae55cb943aeeccdb5ea985b M	include
revisions tested: 16, total time: 3h50m3.108437231s (build: 2h6m16.482101262s, test: 1h35m59.347402767s)
first bad commit: 8fcc4b5923af5de58b80b53a069453b135693304 kvm: nVMX: Introduce KVM_CAP_NESTED_STATE
cc: ["hpa@zytor.com" "jmattson@google.com" "karahmed@amazon.de" "kvm@vger.kernel.org" "linux-kernel@vger.kernel.org" "mingo@redhat.com" "pbonzini@redhat.com" "rkrcmar@redhat.com" "tglx@linutronix.de" "x86@kernel.org"]
crash: KASAN: use-after-free Read in finish_task_switch
8021q: adding VLAN 0 to HW filter on device team0
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KASAN: use-after-free in __fire_sched_in_preempt_notifiers kernel/sched/core.c:2511 [inline]
BUG: KASAN: use-after-free in fire_sched_in_preempt_notifiers kernel/sched/core.c:2517 [inline]
BUG: KASAN: use-after-free in finish_task_switch+0x56e/0x8c0 kernel/sched/core.c:2709
Read of size 8 at addr ffff8801d2ba0058 by task syz-executor5/6778

CPU: 0 PID: 6778 Comm: syz-executor5 Not tainted 4.18.0-rc6+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x16e/0x22a lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __fire_sched_in_preempt_notifiers kernel/sched/core.c:2511 [inline]
 fire_sched_in_preempt_notifiers kernel/sched/core.c:2517 [inline]
 finish_task_switch+0x56e/0x8c0 kernel/sched/core.c:2709
 context_switch kernel/sched/core.c:2856 [inline]
 __schedule+0x83e/0x1f40 kernel/sched/core.c:3501
 preempt_schedule_common+0x1f/0xd0 kernel/sched/core.c:3625
 preempt_schedule+0x4d/0x60 kernel/sched/core.c:3651
 ___preempt_schedule+0x16/0x18
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:161 [inline]
 _raw_spin_unlock_irqrestore+0xbb/0xd0 kernel/locking/spinlock.c:184
 try_to_wake_up+0x10a/0x1350 kernel/sched/core.c:2079
 wake_up_process kernel/sched/core.c:2148 [inline]
 wake_up_q+0xa4/0x100 kernel/sched/core.c:447
 futex_wake+0x504/0x8b0 kernel/futex.c:1556
 do_futex+0x877/0x24f0 kernel/futex.c:3531
 __do_sys_futex kernel/futex.c:3587 [inline]
 __se_sys_futex kernel/futex.c:3555 [inline]
 __x64_sys_futex+0x1cb/0x4f0 kernel/futex.c:3555
 do_syscall_64+0x183/0x700 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4577c9
Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007fe563988cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 000000000072c048 RCX: 00000000004577c9
RDX: 0000000000000016 RSI: 0000000000000081 RDI: 000000000072c04c
RBP: 000000000072c040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000072c04c
R13: 00007ffc0e6df97f R14: 00007fe5639899c0 R15: 0000000000000002

Allocated by task 6767:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3554
 kmem_cache_zalloc include/linux/slab.h:697 [inline]
 vmx_create_vcpu+0xc6/0x1f50 arch/x86/kvm/vmx.c:10313
 kvm_arch_vcpu_create+0xb0/0x1c0 arch/x86/kvm/x86.c:8387
 kvm_vm_ioctl_create_vcpu arch/x86/kvm/../../../virt/kvm/kvm_main.c:2466 [inline]
 kvm_vm_ioctl+0x5e0/0x1c60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2967
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x195/0x1650 fs/ioctl.c:684
 ksys_ioctl+0x62/0x90 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:706
 do_syscall_64+0x183/0x700 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 6766:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x83/0x2d0 mm/slab.c:3756
 vmx_free_vcpu+0x200/0x290 arch/x86/kvm/vmx.c:10307
 kvm_arch_vcpu_free arch/x86/kvm/x86.c:8373 [inline]
 kvm_free_vcpus arch/x86/kvm/x86.c:8822 [inline]
 kvm_arch_destroy_vm+0x322/0x7a0 arch/x86/kvm/x86.c:8919
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:746 [inline]
 kvm_put_kvm+0x59c/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:767
 kvm_vcpu_release+0x77/0xa0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2397
 __fput+0x2e6/0x990 fs/file_table.c:209
 ____fput+0x9/0x10 fs/file_table.c:243
 task_work_run+0x19f/0x240 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:192 [inline]
 exit_to_usermode_loop+0x269/0x300 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x587/0x700 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801d2ba0040
 which belongs to the cache kvm_vcpu of size 23616
The buggy address is located 24 bytes inside of
 23616-byte region [ffff8801d2ba0040, ffff8801d2ba5c80)
The buggy address belongs to the page:
page:ffffea00074ae800 count:1 mapcount:0 mapping:ffff8801d52c3c00 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801d52a7b48 ffffea0006e6f408 ffff8801d52c3c00
raw: 0000000000000000 ffff8801d2ba0040 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d2b9ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d2b9ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801d2ba0000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801d2ba0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d2ba0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================