bisecting cause commit starting from 9d2345057538bb97b1e556508ad69983f446462f
building syzkaller on a41ca8fa8285754d8561dcc3ed54cca2da60eed7
testing commit 9d2345057538bb97b1e556508ad69983f446462f with gcc (GCC) 8.1.0
run #0: crashed: general protection fault in kvm_coalesced_mmio_init
run #1: crashed: INFO: task hung in synchronize_rcu
run #2: crashed: INFO: task hung in synchronize_rcu
run #3: crashed: INFO: task hung in synchronize_rcu
run #4: crashed: INFO: task hung in synchronize_rcu
run #5: crashed: INFO: task hung in synchronize_rcu
run #6: crashed: INFO: task hung in synchronize_rcu
run #7: crashed: INFO: task hung in synchronize_rcu
run #8: crashed: INFO: task hung in synchronize_rcu
run #9: crashed: INFO: task hung in synchronize_rcu
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
all runs: OK
# git bisect start 9d2345057538bb97b1e556508ad69983f446462f v5.3
Bisecting: 7562 revisions left to test after this (roughly 13 steps)
[0bb73e42f027db64054fff4c3b3203c1626b9dc1] Merge tag 'afs-next-20190915' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
testing commit 0bb73e42f027db64054fff4c3b3203c1626b9dc1 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 0bb73e42f027db64054fff4c3b3203c1626b9dc1
Bisecting: 3741 revisions left to test after this (roughly 12 steps)
[10fd71780f7d155f4e35fecfad0ebd4a725a244b] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 10fd71780f7d155f4e35fecfad0ebd4a725a244b with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 10fd71780f7d155f4e35fecfad0ebd4a725a244b
Bisecting: 1823 revisions left to test after this (roughly 11 steps)
[02dc96ef6c25f990452c114c59d75c368a1f4c8f] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 02dc96ef6c25f990452c114c59d75c368a1f4c8f with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 02dc96ef6c25f990452c114c59d75c368a1f4c8f
Bisecting: 915 revisions left to test after this (roughly 10 steps)
[8eb4b3b0dd9ae3e5399ff902da87d13740a2b70f] Merge tag 'copy-struct-from-user-v5.4-rc4' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux
testing commit 8eb4b3b0dd9ae3e5399ff902da87d13740a2b70f with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 8eb4b3b0dd9ae3e5399ff902da87d13740a2b70f
Bisecting: 455 revisions left to test after this (roughly 9 steps)
[9e2dd2ca85d211a6ef2a1e95ba9239ec69959b1e] Merge tag 'modules-for-v5.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux
testing commit 9e2dd2ca85d211a6ef2a1e95ba9239ec69959b1e with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9e2dd2ca85d211a6ef2a1e95ba9239ec69959b1e
Bisecting: 228 revisions left to test after this (roughly 8 steps)
[d540c398db780271a81690eeb2bbc61876c37904] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
testing commit d540c398db780271a81690eeb2bbc61876c37904 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in synchronize_rcu
# git bisect bad d540c398db780271a81690eeb2bbc61876c37904
Bisecting: 115 revisions left to test after this (roughly 7 steps)
[9e5eefba3d098d66defa1ce59a34a41a96f49771] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
testing commit 9e5eefba3d098d66defa1ce59a34a41a96f49771 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 9e5eefba3d098d66defa1ce59a34a41a96f49771
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[2858598006961cd1ec06ebcc0549e7b3bd83f58c] Merge tag 'sound-5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
testing commit 2858598006961cd1ec06ebcc0549e7b3bd83f58c with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2858598006961cd1ec06ebcc0549e7b3bd83f58c
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[e54de91a24753da713b9bcf9fcd93eec246e45e7] Merge tag 'drm-fixes-5.4-2019-10-30' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
testing commit e54de91a24753da713b9bcf9fcd93eec246e45e7 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good e54de91a24753da713b9bcf9fcd93eec246e45e7
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[4252a1a9b01f3757481f08b4775d27f90d422b23] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 4252a1a9b01f3757481f08b4775d27f90d422b23 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 4252a1a9b01f3757481f08b4775d27f90d422b23
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[b88866b60d98f2fe1f66f2a4e1a181d9f2b36b5d] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit b88866b60d98f2fe1f66f2a4e1a181d9f2b36b5d with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in synchronize_rcu
# git bisect bad b88866b60d98f2fe1f66f2a4e1a181d9f2b36b5d
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[146162449186f95bf123f59fa57a2c28a8a075e5] Merge tag 'drm-fixes-2019-11-01' of git://anongit.freedesktop.org/drm/drm
testing commit 146162449186f95bf123f59fa57a2c28a8a075e5 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 146162449186f95bf123f59fa57a2c28a8a075e5
Bisecting: 1 revision left to test after this (roughly 1 step)
[a97b0e773e492ae319a7e981e98962a1060215f9] kvm: call kvm_arch_destroy_vm if vm creation fails
testing commit a97b0e773e492ae319a7e981e98962a1060215f9 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in synchronize_rcu
# git bisect bad a97b0e773e492ae319a7e981e98962a1060215f9
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[9121923c457d1d8667a6e3a67302c29e5c5add6b] kvm: Allocate memslots and buses before calling kvm_arch_init_vm
testing commit 9121923c457d1d8667a6e3a67302c29e5c5add6b with gcc (GCC) 8.1.0
all runs: crashed: general protection fault in kvm_coalesced_mmio_init
# git bisect bad 9121923c457d1d8667a6e3a67302c29e5c5add6b
9121923c457d1d8667a6e3a67302c29e5c5add6b is the first bad commit
commit 9121923c457d1d8667a6e3a67302c29e5c5add6b
Author: Jim Mattson <jmattson@google.com>
Date:   Thu Oct 24 16:03:26 2019 -0700

    kvm: Allocate memslots and buses before calling kvm_arch_init_vm
    
    This reorganization will allow us to call kvm_arch_destroy_vm in the
    event that kvm_create_vm fails after calling kvm_arch_init_vm.
    
    Suggested-by: Junaid Shahid <junaids@google.com>
    Signed-off-by: Jim Mattson <jmattson@google.com>
    Reviewed-by: Junaid Shahid <junaids@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

:040000 040000 7f6dc6857c76fcd68095f116c77b51df7455fc7f 398831880e519dc087b95cbba734b838a7a01f37 M	virt
revisions tested: 16, total time: 4h4m23.573104531s (build: 1h33m41.802248751s, test: 2h26m27.372470663s)
first bad commit: 9121923c457d1d8667a6e3a67302c29e5c5add6b kvm: Allocate memslots and buses before calling kvm_arch_init_vm
cc: ["jmattson@google.com" "junaids@google.com" "kvm@vger.kernel.org" "linux-kernel@vger.kernel.org" "pbonzini@redhat.com" "rkrcmar@redhat.com"]
crash: general protection fault in kvm_coalesced_mmio_init
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 14727 Comm: syz-executor.3 Not tainted 5.4.0-rc4+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvm_coalesced_mmio_init+0x5d/0x110 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:121
Code: 00 48 01 d0 48 ba 00 00 00 00 80 88 ff ff 48 c1 f8 06 48 89 f9 48 c1 e0 0c 48 c1 e9 03 48 01 d0 48 ba 00 00 00 00 00 fc ff df <80> 3c 11 00 0f 85 8e 00 00 00 48 89 83 d8 96 00 00 48 c7 c2 60 0a
RSP: 0018:ffff88807d5a7c08 EFLAGS: 00010286
RAX: ffff888080673000 RBX: 0000000000000000 RCX: 00000000000012db
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000096d8
RBP: ffff88807d5a7c20 R08: ffffed1015d66b75 R09: ffffed1015d66b75
R10: ffffed1015d66b74 R11: ffff8880aeb35ba3 R12: ffffffff8828a220
R13: dffffc0000000000 R14: 1ffff1100fab4f8f R15: 0000000000000000
FS:  00007faca0113700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0da2989db8 CR3: 00000000a0e58000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3446 [inline]
 kvm_dev_ioctl+0x781/0x1490 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3494
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696
 ksys_ioctl+0x62/0x90 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718
 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459f49
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007faca0112c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459f49
RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007faca01136d4
R13: 00000000004c30a8 R14: 00000000004d7018 R15: 00000000ffffffff
Modules linked in:
---[ end trace 84dede49670d22f4 ]---
RIP: 0010:kvm_coalesced_mmio_init+0x5d/0x110 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:121
Code: 00 48 01 d0 48 ba 00 00 00 00 80 88 ff ff 48 c1 f8 06 48 89 f9 48 c1 e0 0c 48 c1 e9 03 48 01 d0 48 ba 00 00 00 00 00 fc ff df <80> 3c 11 00 0f 85 8e 00 00 00 48 89 83 d8 96 00 00 48 c7 c2 60 0a
RSP: 0018:ffff88807d5a7c08 EFLAGS: 00010286
RAX: ffff888080673000 RBX: 0000000000000000 RCX: 00000000000012db
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000096d8
RBP: ffff88807d5a7c20 R08: ffffed1015d66b75 R09: ffffed1015d66b75
R10: ffffed1015d66b74 R11: ffff8880aeb35ba3 R12: ffffffff8828a220
R13: dffffc0000000000 R14: 1ffff1100fab4f8f R15: 0000000000000000
FS:  00007faca0113700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000075c000 CR3: 00000000a0e58000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400