ci starts bisection 2022-12-06 15:48:16.412853826 +0000 UTC m=+4927.026983676 bisecting cause commit starting from a6afa4199d3d038fbfdff5511f7523b0e30cb774 building syzkaller on aea5da898f473385f3b66c94f8aa49ca9a1c9744 ensuring issue is reproducible on original commit a6afa4199d3d038fbfdff5511f7523b0e30cb774 testing commit a6afa4199d3d038fbfdff5511f7523b0e30cb774 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c8417d6d6a137a9e8c94d35caac7e7a77a9e6ec1507ee3546fcdf378f4eb0af0 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #1: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #2: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #3: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #4: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #5: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #6: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #7: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #8: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #9: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #10: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #11: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #12: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #13: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #14: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #15: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #16: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #17: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #18: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #19: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put testing release v6.0 testing commit 4fe89d07dcc2804c8b562f6c7896a45643d34b2f gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e9592c6291b7a68dd17aaa345ee124e80b714192ad92d330eadf09d2fb3edb02 all runs: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put testing release v5.19 testing commit 3d7cb6b04c3f3115719235cc6866b10326de34cd gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5493c0dbd1caff16a8b2d87ff1b3b0b5b1b94c94c34ed9febc5548f31c1ae590 all runs: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 597d5ff19e067f26c3bdc5a1edef02cc38bbce237d55701add21bf6b893cf3b7 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect start 3d7cb6b04c3f3115719235cc6866b10326de34cd 4b0986a3613c92f4ec1bdc7f60ec66fea135991f Bisecting: 8493 revisions left to test after this (roughly 13 steps) [c011dd537ffe47462051930413fed07dbdc80313] Merge tag 'arm-soc-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit c011dd537ffe47462051930413fed07dbdc80313 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0a11b03594b7393c665e09d509eb2518bd80529b9e145e285f4e3cd658c72f40 all runs: OK # git bisect good c011dd537ffe47462051930413fed07dbdc80313 Bisecting: 4244 revisions left to test after this (roughly 12 steps) [5d4af9c1f04ab0411ba5818baad9a68e87f33099] Merge branch 'mv88e6xxx-fixes-for-reading-serdes-state' testing commit 5d4af9c1f04ab0411ba5818baad9a68e87f33099 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 98bb1b8913dc3e9b5b116d10d05efe8f62d5c9265aeab0bc08abe3ab9f5c8cb4 all runs: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put # git bisect bad 5d4af9c1f04ab0411ba5818baad9a68e87f33099 Bisecting: 2116 revisions left to test after this (roughly 11 steps) [7e284070abe53d448517b80493863595af4ab5f0] Merge tag 'for-5.19/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm testing commit 7e284070abe53d448517b80493863595af4ab5f0 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c054fad709069c3a8507d65d85596a903c10a5bfcfbd2c40d4dae354f54169ae all runs: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put # git bisect bad 7e284070abe53d448517b80493863595af4ab5f0 Bisecting: 1057 revisions left to test after this (roughly 10 steps) [a0439cf4eca05fe562f19ece4b6761852d911adb] Merge tag 'arm-defconfig-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit a0439cf4eca05fe562f19ece4b6761852d911adb gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ec9d0f888904d277e68e64bc1bfc6a120c77aa4fb2d633807671fda2209864b9 all runs: OK # git bisect good a0439cf4eca05fe562f19ece4b6761852d911adb Bisecting: 536 revisions left to test after this (roughly 9 steps) [98931dd95fd489fcbfa97da563505a6f071d7c77] Merge tag 'mm-stable-2022-05-25' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm testing commit 98931dd95fd489fcbfa97da563505a6f071d7c77 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ec60034e5f2dfe55925f1db06967ad6ecb82f6114a2fc4c041398c8670ec1f13 all runs: OK # git bisect good 98931dd95fd489fcbfa97da563505a6f071d7c77 Bisecting: 240 revisions left to test after this (roughly 8 steps) [7182e897695d5b70fb772736f1f08639ca0fff78] Merge tag 'gpio-updates-for-v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux testing commit 7182e897695d5b70fb772736f1f08639ca0fff78 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e9616dbc8ac9bb0aead40d4c1c463b7344a721de68aebc413ab8571aa2133c15 all runs: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put # git bisect bad 7182e897695d5b70fb772736f1f08639ca0fff78 Bisecting: 186 revisions left to test after this (roughly 7 steps) [825be3b5abae1e67db45ff7d4b9a7764a2419bd9] KVM: selftests: x86: Fix test failure on arch lbr capable platforms testing commit 825be3b5abae1e67db45ff7d4b9a7764a2419bd9 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4198cba88eefc31a417f1429fd869ccaff3a514bec4e4f17f87a44ec2f117580 all runs: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put # git bisect bad 825be3b5abae1e67db45ff7d4b9a7764a2419bd9 Bisecting: 54 revisions left to test after this (roughly 6 steps) [c24a950ec7d60c4da91dc3f273295c7f438b531e] KVM, SEV: Add KVM_EXIT_SHUTDOWN metadata for SEV-ES testing commit c24a950ec7d60c4da91dc3f273295c7f438b531e gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3132de5c1fa94c55b0eed6f947ab0ae2021a9679c36d79c61264afecbfce9900 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #1: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #2: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #3: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #4: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #5: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #6: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #7: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #8: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put run #9: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put # git bisect bad c24a950ec7d60c4da91dc3f273295c7f438b531e Bisecting: 26 revisions left to test after this (roughly 5 steps) [d063de55f4799261858676d5cfa49a1612cd57ea] KVM: x86: Support the vCPU preemption check with nopvspin and realtime hint testing commit d063de55f4799261858676d5cfa49a1612cd57ea gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: acde2bad5622ceb73460ada1c8cc406e201fcb99dfc585ecb2d3d930b605c359 all runs: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put # git bisect bad d063de55f4799261858676d5cfa49a1612cd57ea Bisecting: 13 revisions left to test after this (roughly 4 steps) [0ec6c5c5bb6585320a2e51a316c2fd381fdec836] KVM: x86/xen: handle PV IPI vcpu yield testing commit 0ec6c5c5bb6585320a2e51a316c2fd381fdec836 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e2b83e04b2e190c50e30a45efb63cdb2db24231ebdd917a2ffc1bbccec122eaf all runs: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put # git bisect bad 0ec6c5c5bb6585320a2e51a316c2fd381fdec836 Bisecting: 6 revisions left to test after this (roughly 3 steps) [a795cd43c5b5819b8ee94690f22caa5e2e4d8620] KVM: x86/xen: Use gfn_to_pfn_cache for runstate area testing commit a795cd43c5b5819b8ee94690f22caa5e2e4d8620 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1331afdf39facdca8acace7953f195a4e2e8fba83c4775d25e8445bb2c29d6c8 all runs: OK # git bisect good a795cd43c5b5819b8ee94690f22caa5e2e4d8620 Bisecting: 3 revisions left to test after this (roughly 2 steps) [69d413cfcf77920bb4d7c4bbfbf305781fa53a0e] KVM: x86/xen: Use gfn_to_pfn_cache for vcpu_time_info testing commit 69d413cfcf77920bb4d7c4bbfbf305781fa53a0e gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9c292a0389f877a04abe1f899d271bc7bc41ed43c3e4b50a496fe894a048efc5 all runs: OK # git bisect good 69d413cfcf77920bb4d7c4bbfbf305781fa53a0e Bisecting: 1 revision left to test after this (roughly 1 step) [35025735a79eaa894c43837b94fd33c9d6b122df] KVM: x86/xen: Support direct injection of event channel events testing commit 35025735a79eaa894c43837b94fd33c9d6b122df gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 61e82f7fae11d87a5cf34f0227218747ad203413f31eda7207f74251be6e4582 all runs: OK # git bisect good 35025735a79eaa894c43837b94fd33c9d6b122df Bisecting: 0 revisions left to test after this (roughly 0 steps) [2fd6df2f2b47d4301b1ee0fe9d627d1c061a5988] KVM: x86/xen: intercept EVTCHNOP_send from guests testing commit 2fd6df2f2b47d4301b1ee0fe9d627d1c061a5988 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 072562545768fba833e974d36c7bb64d4db4d2e8efc03e98d51bfc3e95b102d4 all runs: crashed: BUG: unable to handle kernel paging request in eventfd_ctx_put # git bisect bad 2fd6df2f2b47d4301b1ee0fe9d627d1c061a5988 2fd6df2f2b47d4301b1ee0fe9d627d1c061a5988 is the first bad commit commit 2fd6df2f2b47d4301b1ee0fe9d627d1c061a5988 Author: Joao Martins Date: Thu Mar 3 15:41:19 2022 +0000 KVM: x86/xen: intercept EVTCHNOP_send from guests Userspace registers a sending @port to either deliver to an @eventfd or directly back to a local event channel port. After binding events the guest or host may wish to bind those events to a particular vcpu. This is usually done for unbound and and interdomain events. Update requests are handled via the KVM_XEN_EVTCHN_UPDATE flag. Unregistered ports are handled by the emulator. Co-developed-by: Ankur Arora Co-developed-By: David Woodhouse Signed-off-by: Joao Martins Signed-off-by: Ankur Arora Signed-off-by: David Woodhouse Signed-off-by: Paolo Bonzini Message-Id: <20220303154127.202856-10-dwmw2@infradead.org> Signed-off-by: Paolo Bonzini arch/x86/include/asm/kvm_host.h | 1 + arch/x86/kvm/xen.c | 295 ++++++++++++++++++++++++++++++++++++++-- include/uapi/linux/kvm.h | 28 ++++ 3 files changed, 309 insertions(+), 15 deletions(-) culprit signature: 072562545768fba833e974d36c7bb64d4db4d2e8efc03e98d51bfc3e95b102d4 parent signature: 61e82f7fae11d87a5cf34f0227218747ad203413f31eda7207f74251be6e4582 revisions tested: 18, total time: 3h31m33.258934137s (build: 1h51m42.134751376s, test: 1h37m52.816560299s) first bad commit: 2fd6df2f2b47d4301b1ee0fe9d627d1c061a5988 KVM: x86/xen: intercept EVTCHNOP_send from guests recipients (to): ["ankur.a.arora@oracle.com" "dwmw@amazon.co.uk" "joao.m.martins@oracle.com" "pbonzini@redhat.com"] recipients (cc): [] crash: BUG: unable to handle kernel paging request in eventfd_ctx_put L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. BUG: unable to handle page fault for address: ffffffffffffffea #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD aa8f067 P4D aa8f067 PUD aa91067 PMD 0 Oops: 0002 [#1] PREEMPT SMP KASAN CPU: 0 PID: 4154 Comm: syz-executor.0 Not tainted 5.17.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 RIP: 0010:arch_atomic_fetch_sub arch/x86/include/asm/atomic.h:190 [inline] RIP: 0010:atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:177 [inline] RIP: 0010:__refcount_sub_and_test include/linux/refcount.h:272 [inline] RIP: 0010:__refcount_dec_and_test include/linux/refcount.h:315 [inline] RIP: 0010:refcount_dec_and_test include/linux/refcount.h:333 [inline] RIP: 0010:kref_put include/linux/kref.h:64 [inline] RIP: 0010:eventfd_ctx_put+0x13/0x90 fs/eventfd.c:112 Code: e3 ff 48 8b 54 24 10 48 8b 44 24 08 e9 7d fd ff ff 66 0f 1f 44 00 00 55 be 04 00 00 00 48 89 fd e8 52 61 e3 ff b8 ff ff ff ff 0f c1 45 00 83 f8 01 74 06 85 c0 7e 51 5d c3 48 8d 7d 64 48 b8 RSP: 0018:ffffc900024cf778 EFLAGS: 00010246 RAX: 00000000ffffffff RBX: ffffc900024cfa30 RCX: ffffffff81c69dfe RDX: fffffbfffffffffe RSI: 0000000000000004 RDI: ffffffffffffffea RBP: ffffffffffffffea R08: 0000000000000001 R09: ffffffffffffffed R10: fffffbfffffffffd R11: 0000000000000000 R12: 0000000000000020 R13: 00000000ffffffea R14: ffffffffffffffea R15: ffffc90002768000 FS: 00007f4cd6bb3700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffea CR3: 000000001d11a000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: kvm_xen_eventfd_assign arch/x86/kvm/xen.c:1268 [inline] kvm_xen_setattr_evtchn arch/x86/kvm/xen.c:1327 [inline] kvm_xen_hvm_set_attr+0x5d4/0x1330 arch/x86/kvm/xen.c:403 kvm_arch_vm_ioctl+0x5bf/0x12c0 arch/x86/kvm/x86.c:6505 kvm_vm_ioctl+0xaf3/0x1f20 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4656 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x11f/0x190 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f4cd743f5a9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f4cd6bb3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f4cd7560f80 RCX: 00007f4cd743f5a9 RDX: 00000000200005c0 RSI: 000000004048aec9 RDI: 0000000000000004 RBP: 00007f4cd749a580 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc489f65cf R14: 00007f4cd6bb3300 R15: 0000000000022000 Modules linked in: CR2: ffffffffffffffea ---[ end trace 0000000000000000 ]--- RIP: 0010:arch_atomic_fetch_sub arch/x86/include/asm/atomic.h:190 [inline] RIP: 0010:atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:177 [inline] RIP: 0010:__refcount_sub_and_test include/linux/refcount.h:272 [inline] RIP: 0010:__refcount_dec_and_test include/linux/refcount.h:315 [inline] RIP: 0010:refcount_dec_and_test include/linux/refcount.h:333 [inline] RIP: 0010:kref_put include/linux/kref.h:64 [inline] RIP: 0010:eventfd_ctx_put+0x13/0x90 fs/eventfd.c:112 Code: e3 ff 48 8b 54 24 10 48 8b 44 24 08 e9 7d fd ff ff 66 0f 1f 44 00 00 55 be 04 00 00 00 48 89 fd e8 52 61 e3 ff b8 ff ff ff ff 0f c1 45 00 83 f8 01 74 06 85 c0 7e 51 5d c3 48 8d 7d 64 48 b8 RSP: 0018:ffffc900024cf778 EFLAGS: 00010246 RAX: 00000000ffffffff RBX: ffffc900024cfa30 RCX: ffffffff81c69dfe RDX: fffffbfffffffffe RSI: 0000000000000004 RDI: ffffffffffffffea RBP: ffffffffffffffea R08: 0000000000000001 R09: ffffffffffffffed R10: fffffbfffffffffd R11: 0000000000000000 R12: 0000000000000020 R13: 00000000ffffffea R14: ffffffffffffffea R15: ffffc90002768000 FS: 00007f4cd6bb3700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffea CR3: 000000001d11a000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: e3 ff jrcxz 0x1 2: 48 8b 54 24 10 mov 0x10(%rsp),%rdx 7: 48 8b 44 24 08 mov 0x8(%rsp),%rax c: e9 7d fd ff ff jmpq 0xfffffd8e 11: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 17: 55 push %rbp 18: be 04 00 00 00 mov $0x4,%esi 1d: 48 89 fd mov %rdi,%rbp 20: e8 52 61 e3 ff callq 0xffe36177 25: b8 ff ff ff ff mov $0xffffffff,%eax * 2a: f0 0f c1 45 00 lock xadd %eax,0x0(%rbp) <-- trapping instruction 2f: 83 f8 01 cmp $0x1,%eax 32: 74 06 je 0x3a 34: 85 c0 test %eax,%eax 36: 7e 51 jle 0x89 38: 5d pop %rbp 39: c3 retq 3a: 48 8d 7d 64 lea 0x64(%rbp),%rdi 3e: 48 rex.W 3f: b8 .byte 0xb8