bisecting cause commit starting from 614124bea77e452aa6df7a8714e8bc820b489922
building syzkaller on e59537be40a9ad863e953e187c14dbde57caf1b1
testing commit 614124bea77e452aa6df7a8714e8bc820b489922 with gcc (GCC) 10.2.1 20210217
kernel signature: c83abe1efc5170f17dc13d85c2aa6e9d5abc4c495911029397a1ed0541e8294a
all runs: crashed: general protection fault in __gfn_to_rmap
testing release v5.12
testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 with gcc (GCC) 10.2.1 20210217
kernel signature: d440b4cda7d2ab4e7a9fb717e84bf516b6131e0226170a2accac2a704eba3a26
all runs: crashed: general protection fault in __gfn_to_rmap
testing release v5.11
testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217
kernel signature: 765cd1540c326c0950c950fbd0fec8db62a5661f5639cb7fd27d9b0db4d90c60
all runs: crashed: general protection fault in __gfn_to_rmap
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217
kernel signature: df7feb4d91f8944dbc6f04c6ce0d62cee0e23c247a3d664c8d09e4380a1d4db4
all runs: crashed: general protection fault in __gfn_to_rmap
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217
kernel signature: 729377365c17b92d66ed1bdf532053d69e13d473b5ea80ef6b5eacb7eb88528b
all runs: crashed: general protection fault in __gfn_to_rmap
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.4.1 20210217
kernel signature: fe4cf10963fe22623041f7dd2621a870da3a6c1c0337ee4720a2074a1ed96570
all runs: crashed: general protection fault in gfn_to_rmap
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.4.1 20210217
kernel signature: 2c6056a2dfdd16b432db0590dcf44d9466ab6d94a2975fdc54052aff1a1c3cf4
all runs: crashed: general protection fault in gfn_to_rmap
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.4.1 20210217
kernel signature: 3e55c7c138041a575a7239b7dc3aeb1b6aecc1db234951c50f555812908a4b2a
all runs: crashed: general protection fault in gfn_to_rmap
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.4.1 20210217
kernel signature: 89020a51f26df558b213c9a7dfe9c7402f92181b93c6cc34e4d3b9095dbeeada
all runs: crashed: general protection fault in gfn_to_rmap
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.4.1 20210217
kernel signature: 34b0d7a7eede4147416f7de3ea9702c5c9ff39168af217389162232a1e920b4c
all runs: crashed: general protection fault in gfn_to_rmap
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.4.1 20210217
kernel signature: 90c927f3427843a3c6552973063dfc92d95e46afa59f99de25a5f09fa1b925e8
all runs: crashed: general protection fault in __gfn_to_rmap
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.4.1 20210217
kernel signature: 19a65526e5f516df5d36bb66ed11fe6a0c0578a98cb3b41ae10d8dc625494d24
all runs: crashed: general protection fault in gfn_to_rmap
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.4.1 20210217
kernel signature: 7666f09f755bb9631f57b4d5ec80e4256ca0b0f7dac5f5e59a8a1a69154d504c
all runs: crashed: general protection fault in gfn_to_rmap
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.4.1 20210217
kernel signature: c6e9e9952ce07dc03d64b2123ccce455504d5141a9a8b39d7fbb3090a792f193
all runs: OK
# git bisect start e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd 1c163f4c7b3f621efff9b28a47abb36f7378d783
Bisecting: 7074 revisions left to test after this (roughly 13 steps)
[b5dd0c658c31b469ccff1b637e5124851e7a4a1c] Merge branch 'akpm' (patches from Andrew)

testing commit b5dd0c658c31b469ccff1b637e5124851e7a4a1c with gcc (GCC) 8.4.1 20210217
kernel signature: 983acfa2a9fd1996c68edb96a7c83ef5027f4bed1111ee5cfddfa1e7d0b526bd
all runs: OK
# git bisect good b5dd0c658c31b469ccff1b637e5124851e7a4a1c
Bisecting: 3573 revisions left to test after this (roughly 12 steps)
[4f0237062ca70c8e34e16e518aee4b84c30d1832] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input

testing commit 4f0237062ca70c8e34e16e518aee4b84c30d1832 with gcc (GCC) 8.4.1 20210217
kernel signature: 51e7ba38e9486a2f3ef39cd500a996b6cc44ec6c59089ed4f7bb707d964c8e62
all runs: OK
# git bisect good 4f0237062ca70c8e34e16e518aee4b84c30d1832
Bisecting: 1796 revisions left to test after this (roughly 11 steps)
[345077c8e172c255ea0707214303ccd099e5656b] KVM: PPC: Book3S: Protect memslots while validating user address

testing commit 345077c8e172c255ea0707214303ccd099e5656b with gcc (GCC) 8.4.1 20210217
kernel signature: 5b508ff02b702dc954b6b21908d4e5c4d37e07374db9c665c3203319426987d8
all runs: OK
# git bisect good 345077c8e172c255ea0707214303ccd099e5656b
Bisecting: 898 revisions left to test after this (roughly 10 steps)
[8065a779f17e94536a1c4dcee4f9d88011672f97] failover: allow name change on IFF_UP slave interfaces

testing commit 8065a779f17e94536a1c4dcee4f9d88011672f97 with gcc (GCC) 8.4.1 20210217
kernel signature: 6c99a0b79d952cf33b1e0c5aab4be59f59a28e4e380da26f341f399187647c49
all runs: OK
# git bisect good 8065a779f17e94536a1c4dcee4f9d88011672f97
Bisecting: 443 revisions left to test after this (roughly 9 steps)
[3ecafda911f4e56cb80149fd7ab87f8610c7765f] Merge branch 'akpm' (patches from Andrew)

testing commit 3ecafda911f4e56cb80149fd7ab87f8610c7765f with gcc (GCC) 8.4.1 20210217
kernel signature: 2dcea8e14790086ee4ccf2fbb6808eff217e2cf84496c49b22db696c267ea6d5
all runs: crashed: general protection fault in gfn_to_rmap
# git bisect bad 3ecafda911f4e56cb80149fd7ab87f8610c7765f
Bisecting: 227 revisions left to test after this (roughly 8 steps)
[dc4060a5dc2557e6b5aa813bf5b73677299d62d2] Linux 5.1-rc5

testing commit dc4060a5dc2557e6b5aa813bf5b73677299d62d2 with gcc (GCC) 8.4.1 20210217
kernel signature: 8ebe7abe3edfea8ce2f79ecdc104a35e91363684c7d22369d94cf60c3e50b67d
all runs: OK
# git bisect good dc4060a5dc2557e6b5aa813bf5b73677299d62d2
Bisecting: 100 revisions left to test after this (roughly 7 steps)
[2a3a028fc61d03e80ac57091330eb514280bd5be] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

testing commit 2a3a028fc61d03e80ac57091330eb514280bd5be with gcc (GCC) 8.4.1 20210217
kernel signature: 268b620d701087baa7a91ce79bdd6284a070ec3c2daf9ff1bb0eac20efdff8ce
all runs: crashed: general protection fault in gfn_to_rmap
# git bisect bad 2a3a028fc61d03e80ac57091330eb514280bd5be
Bisecting: 71 revisions left to test after this (roughly 6 steps)
[732488018281632c9408e64349a808b22f0cd6a4] Merge tag 'mlx5-fixes-2019-04-09' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux

testing commit 732488018281632c9408e64349a808b22f0cd6a4 with gcc (GCC) 8.4.1 20210217
kernel signature: 9e2a6c45859853facd00613644b7ca07eaeab45afad84091236ccbc96a582efb
all runs: OK
# git bisect good 732488018281632c9408e64349a808b22f0cd6a4
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[444fe991353987c1c9bc5ab1f903d01f1b4ad415] Merge tag 'riscv-for-linus-5.1-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux

testing commit 444fe991353987c1c9bc5ab1f903d01f1b4ad415 with gcc (GCC) 8.4.1 20210217
kernel signature: a1ec5d6e77a204734456f694a62d9d21ee5527bd0513807209c441b2610df5d9
all runs: crashed: general protection fault in gfn_to_rmap
# git bisect bad 444fe991353987c1c9bc5ab1f903d01f1b4ad415
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[79904c9de0d1a6cd66853b3af802343b0ba3720c] selftests: kvm: add a selftest for SMM

testing commit 79904c9de0d1a6cd66853b3af802343b0ba3720c with gcc (GCC) 8.4.1 20210217
kernel signature: dbf60e3a40990b7c19d0615e91f380f9f3a80f940a04bba0dd6d12ed35328230
all runs: crashed: general protection fault in gfn_to_rmap
# git bisect bad 79904c9de0d1a6cd66853b3af802343b0ba3720c
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[672ff6cff80ca43bf3258410d2b887036969df5f] KVM: x86: Raise #GP when guest vCPU do not support PMU

testing commit 672ff6cff80ca43bf3258410d2b887036969df5f with gcc (GCC) 8.4.1 20210217
kernel signature: a8f4099784ca951889312090e41a09e7d3e492fb5195eb601cd8dc0d27c0e5e8
all runs: OK
# git bisect good 672ff6cff80ca43bf3258410d2b887036969df5f
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[9ec19493fb86d6d5fbf9286b94ff21e56ef66376] KVM: x86: clear SMM flags before loading state while leaving SMM

testing commit 9ec19493fb86d6d5fbf9286b94ff21e56ef66376 with gcc (GCC) 8.4.1 20210217
kernel signature: 1350a5ced1c082c1bd798cb521bd3644d7210ac5a8db8fdddd872019ba55c2c1
all runs: crashed: general protection fault in gfn_to_rmap
# git bisect bad 9ec19493fb86d6d5fbf9286b94ff21e56ef66376
Bisecting: 1 revision left to test after this (roughly 1 step)
[ed19321fb6571214f410b30322e4ad6e6b7c3915] KVM: x86: Load SMRAM in a single shot when leaving SMM

testing commit ed19321fb6571214f410b30322e4ad6e6b7c3915 with gcc (GCC) 8.4.1 20210217
kernel signature: 9c4f0e46be7d72209118604d64c4dd5fa1cf2799f4a1814f281fdd7b9dc9c11f
all runs: OK
# git bisect good ed19321fb6571214f410b30322e4ad6e6b7c3915
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[c5833c7a43a66bfe2f36439cb2f1281a588668af] KVM: x86: Open code kvm_set_hflags

testing commit c5833c7a43a66bfe2f36439cb2f1281a588668af with gcc (GCC) 8.4.1 20210217
kernel signature: 99863023eba9ed4e724224f6c65759e52370dd2a26aef384c37cf38f6ab56d36
all runs: OK
# git bisect good c5833c7a43a66bfe2f36439cb2f1281a588668af
9ec19493fb86d6d5fbf9286b94ff21e56ef66376 is the first bad commit
commit 9ec19493fb86d6d5fbf9286b94ff21e56ef66376
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date:   Tue Apr 2 08:03:11 2019 -0700

    KVM: x86: clear SMM flags before loading state while leaving SMM
    
    RSM emulation is currently broken on VMX when the interrupted guest has
    CR4.VMXE=1.  Stop dancing around the issue of HF_SMM_MASK being set when
    loading SMSTATE into architectural state, e.g. by toggling it for
    problematic flows, and simply clear HF_SMM_MASK prior to loading
    architectural state (from SMRAM save state area).
    
    Reported-by: Jon Doron <arilou@gmail.com>
    Cc: Jim Mattson <jmattson@google.com>
    Cc: Liran Alon <liran.alon@oracle.com>
    Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
    Fixes: 5bea5123cbf0 ("KVM: VMX: check nested state and CR4.VMXE against SMM")
    Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
    Tested-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 arch/x86/kvm/emulate.c | 12 ++++++------
 arch/x86/kvm/svm.c     | 12 ++++--------
 arch/x86/kvm/vmx/vmx.c |  2 --
 3 files changed, 10 insertions(+), 16 deletions(-)

culprit signature: 1350a5ced1c082c1bd798cb521bd3644d7210ac5a8db8fdddd872019ba55c2c1
parent  signature: 99863023eba9ed4e724224f6c65759e52370dd2a26aef384c37cf38f6ab56d36
revisions tested: 28, total time: 5h48m23.622009038s (build: 3h21m40.024657838s, test: 2h21m52.618453608s)
first bad commit: 9ec19493fb86d6d5fbf9286b94ff21e56ef66376 KVM: x86: clear SMM flags before loading state while leaving SMM
recipients (to): ["pbonzini@redhat.com" "sean.j.christopherson@intel.com" "vkuznets@redhat.com"]
recipients (cc): []
crash: general protection fault in gfn_to_rmap
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 10352 Comm: syz-executor.3 Not tainted 5.1.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:search_memslots include/linux/kvm_host.h:993 [inline]
RIP: 0010:__gfn_to_memslot include/linux/kvm_host.h:1005 [inline]
RIP: 0010:gfn_to_rmap+0x25f/0x580 arch/x86/kvm/mmu.c:1366
Code: ff df 48 89 fe 48 c1 ee 03 80 3c 16 00 0f 85 d7 02 00 00 4c 03 63 08 4d 39 e6 0f 82 b3 00 00 00 48 b8 00 00 00 00 00 fc ff df <80> 38 00 0f 85 dc 02 00 00 4c 8b 3c 25 00 00 00 00 31 db 48 b8 00
RSP: 0018:ffff8880962ff380 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88809d480060 RCX: ffffffff810c8862
RDX: dffffc0000000000 RSI: 1ffff11013a9000d RDI: ffff88809d480068
RBP: ffff8880962ff3d0 R08: ffffed1013a91682 R09: ffff88809d48b408
R10: ffffed1013a91681 R11: ffff88809d48b40b R12: 0000000000000000
R13: ffff88809d480000 R14: 0000000000000003 R15: 0000000000000001
FS:  00007f078c5e8700(0000) GS:ffff8880ba200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000089461000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rmap_add arch/x86/kvm/mmu.c:1385 [inline]
 mmu_set_spte+0x43d/0x800 arch/x86/kvm/mmu.c:3059
 __direct_map+0x293/0x3f0 arch/x86/kvm/mmu.c:3164
 tdp_page_fault+0x390/0x500 arch/x86/kvm/mmu.c:4149
 kvm_mmu_page_fault+0x17b/0x1510 arch/x86/kvm/mmu.c:5368
 handle_ept_violation+0x149/0x360 arch/x86/kvm/vmx/vmx.c:5094
 vmx_handle_exit+0x1bd/0x10b0 arch/x86/kvm/vmx/vmx.c:5839
 vcpu_enter_guest arch/x86/kvm/x86.c:7948 [inline]
 vcpu_run arch/x86/kvm/x86.c:8012 [inline]
 kvm_arch_vcpu_ioctl_run+0x20a6/0x5a60 arch/x86/kvm/x86.c:8212
 kvm_vcpu_ioctl+0x535/0xb60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2683
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x10c0 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xa3/0x440 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665d9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f078c5e8188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd63b2803f R14: 00007f078c5e8300 R15: 0000000000022000
Modules linked in:
---[ end trace c461a8a43dc7b8b7 ]---
RIP: 0010:search_memslots include/linux/kvm_host.h:993 [inline]
RIP: 0010:__gfn_to_memslot include/linux/kvm_host.h:1005 [inline]
RIP: 0010:gfn_to_rmap+0x25f/0x580 arch/x86/kvm/mmu.c:1366
Code: ff df 48 89 fe 48 c1 ee 03 80 3c 16 00 0f 85 d7 02 00 00 4c 03 63 08 4d 39 e6 0f 82 b3 00 00 00 48 b8 00 00 00 00 00 fc ff df <80> 38 00 0f 85 dc 02 00 00 4c 8b 3c 25 00 00 00 00 31 db 48 b8 00
RSP: 0018:ffff8880962ff380 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88809d480060 RCX: ffffffff810c8862
RDX: dffffc0000000000 RSI: 1ffff11013a9000d RDI: ffff88809d480068
RBP: ffff8880962ff3d0 R08: ffffed1013a91682 R09: ffff88809d48b408
R10: ffffed1013a91681 R11: ffff88809d48b40b R12: 0000000000000000
R13: ffff88809d480000 R14: 0000000000000003 R15: 0000000000000001
FS:  00007f078c5e8700(0000) GS:ffff8880ba200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000089461000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400