bisecting fixing commit since a5758c5311775625be7f6dd54757ed356dbf2977
building syzkaller on 34bf9440bd06034f86b5d9ac8afbf078129cbdae
testing commit a5758c5311775625be7f6dd54757ed356dbf2977 with gcc (GCC) 8.1.0
kernel signature: bc0d7e408bf5e6b410a8c8303a1bcd3f19eeff38
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
testing current HEAD fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f
testing commit fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f with gcc (GCC) 8.1.0
kernel signature: 2c1fc6b39621c4a8eb9e2a34986ddd0e4fca1963
all runs: OK
# git bisect start fbc5fe7a54d02e11972e3b2a5ddb6ffc88162c8f a5758c5311775625be7f6dd54757ed356dbf2977
Bisecting: 1230 revisions left to test after this (roughly 10 steps)
[e6e2dc7790141d3c37ce9939c511199d7df67a90] KVM: x86: always stop emulation on page fault
testing commit e6e2dc7790141d3c37ce9939c511199d7df67a90 with gcc (GCC) 8.1.0
kernel signature: 94b4879671bd4d6ead95d7599d8d54dac9eb9d2b
all runs: OK
# git bisect bad e6e2dc7790141d3c37ce9939c511199d7df67a90
Bisecting: 614 revisions left to test after this (roughly 9 steps)
[b19ffe6e7205c0b0d26b750673873f3f9f61da35] Linux 4.14.137
testing commit b19ffe6e7205c0b0d26b750673873f3f9f61da35 with gcc (GCC) 8.1.0
kernel signature: 1db7a47bf24e6137afe1a19e499202f2de53f6e2
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good b19ffe6e7205c0b0d26b750673873f3f9f61da35
Bisecting: 307 revisions left to test after this (roughly 8 steps)
[91910cc0016578a0d9c181d2bb6f7806a07dbf73] drm/mediatek: set DMA max segment size
testing commit 91910cc0016578a0d9c181d2bb6f7806a07dbf73 with gcc (GCC) 8.1.0
kernel signature: 957c1989af4182e4b2c2eab590b7663416ecf839
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good 91910cc0016578a0d9c181d2bb6f7806a07dbf73
Bisecting: 153 revisions left to test after this (roughly 7 steps)
[d14a5710f801487e149d847247e93cd8f1b8816c] floppy: fix usercopy direction
testing commit d14a5710f801487e149d847247e93cd8f1b8816c with gcc (GCC) 8.1.0
kernel signature: 878e23c43e3bec95032cda5137ff19bca792b1fe
all runs: OK
# git bisect bad d14a5710f801487e149d847247e93cd8f1b8816c
Bisecting: 76 revisions left to test after this (roughly 6 steps)
[370ade836975679b65a7633d33c631a24267a26e] KVM: nVMX: handle page fault in vmread
testing commit 370ade836975679b65a7633d33c631a24267a26e with gcc (GCC) 8.1.0
kernel signature: e626028fe9b8e5950cf9df177be4827b16e542d2
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good 370ade836975679b65a7633d33c631a24267a26e
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[c65ced6288deb8658c315d345e4200bdf338531d] s390/bpf: fix lcgr instruction encoding
testing commit c65ced6288deb8658c315d345e4200bdf338531d with gcc (GCC) 8.1.0
kernel signature: 0abf27f88904cf8817cf19435f79fb6d66f0e976
all runs: OK
# git bisect bad c65ced6288deb8658c315d345e4200bdf338531d
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[a75883f402214561a4e584d37d89a96a1f6931e8] platform/x86: pmc_atom: Add CB4063 Beckhoff Automation board to critclk_systems DMI table
testing commit a75883f402214561a4e584d37d89a96a1f6931e8 with gcc (GCC) 8.1.0
kernel signature: aab15be78dfaf8089d9d766a474c3ee2c4fb414f
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good a75883f402214561a4e584d37d89a96a1f6931e8
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[6915935a32ed38269e0b46f711c1a4fae9c14b43] media: tm6000: double free if usb disconnect while streaming
testing commit 6915935a32ed38269e0b46f711c1a4fae9c14b43 with gcc (GCC) 8.1.0
kernel signature: eb61ad33fd0449d19b26a9105648510b5cb98f4d
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good 6915935a32ed38269e0b46f711c1a4fae9c14b43
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[4632fbfda83af1c122efd1a6586f49c30fc07454] serial: sprd: correct the wrong sequence of arguments
testing commit 4632fbfda83af1c122efd1a6586f49c30fc07454 with gcc (GCC) 8.1.0
kernel signature: 74ee006366a80c94d2ef9327a41ad523b84a5ba3
all runs: OK
# git bisect bad 4632fbfda83af1c122efd1a6586f49c30fc07454
Bisecting: 2 revisions left to test after this (roughly 1 step)
[e0f600b69df33b5ef69c2821ac69fafa96baab98] net_sched: let qdisc_put() accept NULL pointer
testing commit e0f600b69df33b5ef69c2821ac69fafa96baab98 with gcc (GCC) 8.1.0
kernel signature: 3d4234b46aeb13189b48043d3a46a63d1ad13601
run #0: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
run #1: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
run #2: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
run #3: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
run #4: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
run #5: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
run #6: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
run #7: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
run #8: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
run #9: crashed: BUG: unable to handle kernel
# git bisect good e0f600b69df33b5ef69c2821ac69fafa96baab98
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e28c683440a64c0a1451d54aeb41301f588a004a] firmware: google: check if size is valid when decoding VPD data
testing commit e28c683440a64c0a1451d54aeb41301f588a004a with gcc (GCC) 8.1.0
kernel signature: 1bd6ec6b8ed993bd53f841f7503b63597c8b3c40
all runs: OK
# git bisect bad e28c683440a64c0a1451d54aeb41301f588a004a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[bf81752d808cd31e18d9a8db6d92b73497aa48d2] KVM: coalesced_mmio: add bounds checking
testing commit bf81752d808cd31e18d9a8db6d92b73497aa48d2 with gcc (GCC) 8.1.0
kernel signature: ce0685d192dd11784db3065f455d93be4c1053be
all runs: OK
# git bisect bad bf81752d808cd31e18d9a8db6d92b73497aa48d2
bf81752d808cd31e18d9a8db6d92b73497aa48d2 is the first bad commit
commit bf81752d808cd31e18d9a8db6d92b73497aa48d2
Author: Matt Delco
Date:   Mon Sep 16 14:16:54 2019 -0700

    KVM: coalesced_mmio: add bounds checking

    commit b60fe990c6b07ef6d4df67bc0530c7c90a62623a upstream.

    The first/last indexes are typically shared with a user app.
    The app can change the 'last' index that the kernel uses to store
    the next result. This change sanity checks the index before using
    it for writing to a potentially arbitrary address.

    This fixes CVE-2019-14821.

    Cc: stable@vger.kernel.org
    Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
    Signed-off-by: Matt Delco
    Signed-off-by: Jim Mattson
    Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
    [Use READ_ONCE. - Paolo]
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Greg Kroah-Hartman

 virt/kvm/coalesced_mmio.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

kernel signature: ce0685d192dd11784db3065f455d93be4c1053be
previous signature: 3d4234b46aeb13189b48043d3a46a63d1ad13601
revisions tested: 14, total time: 3h35m47.288184546s (build: 1h50m15.830324613s, test: 1h41m10.796957707s)
first good commit: bf81752d808cd31e18d9a8db6d92b73497aa48d2 KVM: coalesced_mmio: add bounds checking
cc: ["delco@chromium.org" "gregkh@linuxfoundation.org" "jmattson@google.com" "pbonzini@redhat.com"]
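The commit message above describes the bug in two sentences: the ring's producer index lives in a page shared with userspace, and the kernel indexed the ring with it. The C model below is an added example, not part of the syzbot log and not the code from virt/kvm/coalesced_mmio.c; it shows why a full/not-full check on such a ring is not a bounds check, and what the fix's two ingredients (one snapshot of the index, one explicit range test) buy. RING_MAX, the struct layout, the payload bytes and the hostile index value 0x10000000 are constructed for the model; the free-slot arithmetic follows the usual ring-buffer pattern and is part of the model rather than a quotation of the kernel. The volatile qualifier stands in for the kernel's READ_ONCE.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed ring size for the model. The kernel derives its limit from the
 * page size; the exact value does not matter for the argument. */
#define RING_MAX 16u

struct mmio_entry {
    uint64_t phys_addr;
    uint32_t len;
    uint32_t pad;
    uint8_t  data[8];
};

/* Model of the ring page that the hypervisor shares with userspace. Both
 * indexes live in the shared page, so the app can store any value in them.
 * volatile forces every access to memory, like READ_ONCE in the kernel. */
struct mmio_ring {
    volatile uint32_t first;   /* consumer index, advanced by userspace */
    volatile uint32_t last;    /* producer index, advanced by the kernel */
    struct mmio_entry slots[RING_MAX];
};

/* Free-slot arithmetic with unsigned wraparound, in the usual ring-buffer
 * style. It only answers "is the ring full?"; it says nothing about whether
 * 'last' is a valid index into slots[]. */
int has_room(uint32_t first, uint32_t last)
{
    uint32_t avail = (first - last - 1u) % RING_MAX;
    return avail != 0;
}

/* Pre-fix shape: trusts ring->last as an array index and re-reads it for the
 * advance. Returns the slot it would have written, or -1 when the ring is full.
 * The model skips the stores when the slot is out of range so it does not
 * corrupt its own memory; without that guard the stores land RING_MAX entries
 * or more past the array, which is the out-of-bounds write being fixed. */
int64_t write_unchecked(struct mmio_ring *ring, uint64_t addr,
                        const uint8_t *val, uint32_t len)
{
    if (len > sizeof(ring->slots[0].data) || !has_room(ring->first, ring->last))
        return -1;
    uint32_t slot = ring->last;                 /* userspace-controlled */
    if (slot < RING_MAX) {                      /* model-only guard */
        ring->slots[slot].phys_addr = addr;
        ring->slots[slot].len = len;
        memcpy(ring->slots[slot].data, val, len);
    }
    ring->last = (ring->last + 1u) % RING_MAX;  /* second read of a shared field */
    return slot;
}

/* Post-fix shape: snapshot 'last' once, reject anything outside the array, and
 * use the same snapshot for the room check, the stores and the advance. */
int64_t write_checked(struct mmio_ring *ring, uint64_t addr,
                      const uint8_t *val, uint32_t len)
{
    uint32_t insert = ring->last;               /* single read of the shared index */
    if (len > sizeof(ring->slots[0].data) || !has_room(ring->first, insert) ||
        insert >= RING_MAX)
        return -1;
    ring->slots[insert].phys_addr = addr;
    ring->slots[insert].len = len;
    memcpy(ring->slots[insert].data, val, len);
    ring->last = (insert + 1u) % RING_MAX;
    return insert;
}

int main(void)
{
    struct mmio_ring ring;
    const uint8_t payload[4] = {0xde, 0xad, 0xbe, 0xef};   /* constructed */
    memset(&ring, 0, sizeof ring);

    ring.first = 0; ring.last = 3;
    printf("normal write lands in slot %lld\n",
           (long long)write_checked(&ring, 0xfee00000u, payload, 4));

    /* Userspace plants a huge producer index. The room check still passes:
     * (0 - 0x10000000 - 1) wraps to 0xefffffff, which is 15 modulo RING_MAX. */
    ring.first = 0; ring.last = 0x10000000u;
    printf("has_room with hostile last: %d\n", has_room(ring.first, ring.last));
    printf("unchecked write would use slot 0x%llx\n",
           (long long)write_unchecked(&ring, 0xfee00000u, payload, 4));

    ring.last = 0x10000000u;
    printf("checked write returns %lld\n",
           (long long)write_checked(&ring, 0xfee00000u, payload, 4));
    return 0;
}
```

The point to take from the model is the order of the two reads. Reading ring->last once into a local and using that local everywhere means the range test and the array access cannot disagree about which index they are talking about; reading the shared field twice, as the unchecked version does, leaves a window in which userspace can change it between the check and the use even after a range test is added.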