bisecting fixing commit since dbc29aff8d04f134553326a0c533a442a1774041
building syzkaller on d96e88f3207d7ac7ad65e13b896f702ad04c46f7
testing commit dbc29aff8d04f134553326a0c533a442a1774041 with gcc (GCC) 8.1.0
kernel signature: 92173c0a48cf47542c7fa9c6b2e732e1456421a3
run #0: crashed: WARNING in handle_desc
run #1: crashed: WARNING in handle_desc
run #2: crashed: WARNING in corrupted
run #3: crashed: WARNING in corrupted
run #4: crashed: WARNING in handle_desc
run #5: crashed: WARNING in handle_desc
run #6: crashed: WARNING in handle_desc
run #7: crashed: WARNING in handle_desc
run #8: crashed: WARNING in handle_desc
run #9: crashed: WARNING in handle_desc
testing current HEAD fb683b5e3f53a73e761952735736180939a313df
testing commit fb683b5e3f53a73e761952735736180939a313df with gcc (GCC) 8.1.0
kernel signature: 16227d4942574994f695744238a4d5051e42da9c
all runs: OK
# git bisect start fb683b5e3f53a73e761952735736180939a313df dbc29aff8d04f134553326a0c533a442a1774041
Bisecting: 1207 revisions left to test after this (roughly 10 steps)
[1b0581bf379f78a6e2376514a6a7405cc0ba9e0e] ath9k: fix tx99 with monitor mode interface
testing commit 1b0581bf379f78a6e2376514a6a7405cc0ba9e0e with gcc (GCC) 8.1.0
kernel signature: ec7afcd975a12a2bb9a32ce22df74d1ff7a5a60a
all runs: OK
# git bisect bad 1b0581bf379f78a6e2376514a6a7405cc0ba9e0e
Bisecting: 603 revisions left to test after this (roughly 9 steps)
[f7ab1c54c1a4413dc42bd9e522b7b9db4076f161] USB: serial: option: add Telit FN980 compositions
testing commit f7ab1c54c1a4413dc42bd9e522b7b9db4076f161 with gcc (GCC) 8.1.0
kernel signature: 39cc37bd0d5b1d8aa40ebd6f699b5e5e3fbb4601
all runs: OK
# git bisect bad f7ab1c54c1a4413dc42bd9e522b7b9db4076f161
Bisecting: 301 revisions left to test after this (roughly 8 steps)
[e9bcaf82dd373545a8c2acce6f2f78ad2c522808] ceph: use ceph_evict_inode to cleanup inode's resource
testing commit e9bcaf82dd373545a8c2acce6f2f78ad2c522808 with gcc (GCC) 8.1.0
kernel signature: 7b749f1d02d33b2db98b4902b8d5749c7c600f23
run #0: crashed: WARNING in handle_desc
run #1: crashed: WARNING in handle_desc
run #2: crashed: WARNING in corrupted
run #3: crashed: WARNING in handle_desc
run #4: crashed: WARNING in handle_desc
run #5: crashed: WARNING in handle_desc
run #6: crashed: WARNING in handle_desc
run #7: crashed: WARNING in handle_desc
run #8: crashed: WARNING in handle_desc
run #9: crashed: WARNING in handle_desc
# git bisect good e9bcaf82dd373545a8c2acce6f2f78ad2c522808
Bisecting: 150 revisions left to test after this (roughly 7 steps)
[a1afd826e549e13f36d118a5b2200a5527b53651] xen-netfront: do not use ~0U as error return value for xennet_fill_frags()
testing commit a1afd826e549e13f36d118a5b2200a5527b53651 with gcc (GCC) 8.1.0
kernel signature: 07b6dad17d0d35be5ea34b70560602bf2c05830d
run #0: crashed: WARNING in handle_desc
run #1: crashed: WARNING in handle_desc
run #2: crashed: WARNING in handle_desc
run #3: crashed: WARNING in handle_desc
run #4: crashed: WARNING in handle_desc
run #5: crashed: WARNING in handle_desc
run #6: crashed: WARNING in handle_desc
run #7: crashed: WARNING in handle_desc
run #8: crashed: WARNING in handle_desc
run #9: crashed: WARNING in corrupted
# git bisect good a1afd826e549e13f36d118a5b2200a5527b53651
Bisecting: 75 revisions left to test after this (roughly 6 steps)
[c01a9dbec18af8dbbe6dc75c033003427de68ed8] thermal: Fix use-after-free when unregistering thermal zone device
testing commit c01a9dbec18af8dbbe6dc75c033003427de68ed8 with gcc (GCC) 8.1.0
kernel signature: 880e7be1e4605627b5d38b958e58c35df054ebac
all runs: OK
# git bisect bad c01a9dbec18af8dbbe6dc75c033003427de68ed8
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[fb93ccde081e39631fd16c03d1c9eb0b4bef7edd] MIPS: Treat Loongson Extensions as ASEs
testing commit fb93ccde081e39631fd16c03d1c9eb0b4bef7edd with gcc (GCC) 8.1.0
kernel signature: 2276490e28eb5d27f6e6ba495836c29b4e24a2ac
all runs: OK
# git bisect bad fb93ccde081e39631fd16c03d1c9eb0b4bef7edd
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[21874027e1deba5a5b8edaa6de8e49a4a2dd99b3] KVM: X86: Fix userspace set invalid CR4
testing commit 21874027e1deba5a5b8edaa6de8e49a4a2dd99b3 with gcc (GCC) 8.1.0
kernel signature: d6fc185df64df1599aa988e7dd1d54eea4d74348
all runs: OK
# git bisect bad 21874027e1deba5a5b8edaa6de8e49a4a2dd99b3
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[5b0446c8e0a85b97148c070f73e273bc3903af5c] 9p/cache.c: Fix memory leak in v9fs_cache_session_get_cookie
testing commit 5b0446c8e0a85b97148c070f73e273bc3903af5c with gcc (GCC) 8.1.0
kernel signature: fff10d9221da57f0bcae2e3ea84f476d1eaaabc1
all runs: crashed: WARNING in handle_desc
# git bisect good 5b0446c8e0a85b97148c070f73e273bc3903af5c
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[9aa823b3c0a6997092c5e0f7efc63d27479afb42] s390/topology: avoid firing events before kobjs are created
testing commit 9aa823b3c0a6997092c5e0f7efc63d27479afb42 with gcc (GCC) 8.1.0
kernel signature: acc8aa2a6e92b27899efacb448a26feca221aca7
run #0: crashed: WARNING in handle_desc
run #1: crashed: WARNING in handle_desc
run #2: crashed: WARNING in handle_desc
run #3: crashed: WARNING in handle_desc
run #4: crashed: WARNING in handle_desc
run #5: crashed: WARNING in corrupted
run #6: crashed: WARNING in handle_desc
run #7: crashed: WARNING in handle_desc
run #8: crashed: WARNING in handle_desc
run #9: crashed: WARNING in handle_desc
# git bisect good 9aa823b3c0a6997092c5e0f7efc63d27479afb42
Bisecting: 2 revisions left to test after this (roughly 1 step)
[577a5119d7af31f77f5c427be9867431df070d0d] KVM: PPC: Book3S HV: Fix race in re-enabling XIVE escalation interrupts
testing commit 577a5119d7af31f77f5c427be9867431df070d0d with gcc (GCC) 8.1.0
kernel signature: 17ce89dbfdecc34e4b1d407a4fb5cda2798738a4
run #0: crashed: WARNING in handle_desc
run #1: crashed: WARNING in handle_desc
run #2: crashed: WARNING in handle_desc
run #3: crashed: WARNING in handle_desc
run #4: crashed: WARNING in handle_desc
run #5: crashed: WARNING in handle_desc
run #6: crashed: WARNING in handle_desc
run #7: crashed: WARNING in handle_desc
run #8: crashed: WARNING in corrupted
run #9: crashed: WARNING in handle_desc
# git bisect good 577a5119d7af31f77f5c427be9867431df070d0d
Bisecting: 0 revisions left to test after this (roughly 1 step)
[30fbe0d380aa038b0a629bc9c7f1961d340cd83b] KVM: PPC: Book3S HV: Don't lose pending doorbell request on migration on P9
testing commit 30fbe0d380aa038b0a629bc9c7f1961d340cd83b with gcc (GCC) 8.1.0
kernel signature: 457c4eba5233b93a573222d3ec4fc36e9dfb743d
run #0: crashed: WARNING in handle_desc
run #1: crashed: WARNING in handle_desc
run #2: crashed: WARNING in handle_desc
run #3: crashed: WARNING in handle_desc
run #4: crashed: WARNING in handle_desc
run #5: crashed: WARNING in corrupted
run #6: crashed: WARNING in handle_desc
run #7: crashed: WARNING in handle_desc
run #8: crashed: WARNING in handle_desc
run #9: crashed: WARNING in handle_desc
# git bisect good 30fbe0d380aa038b0a629bc9c7f1961d340cd83b
21874027e1deba5a5b8edaa6de8e49a4a2dd99b3 is the first bad commit
commit 21874027e1deba5a5b8edaa6de8e49a4a2dd99b3
Author: Wanpeng Li
Date:   Wed Sep 18 17:50:10 2019 +0800

    KVM: X86: Fix userspace set invalid CR4

    commit 3ca94192278ca8de169d78c085396c424be123b3 upstream.

    Reported by syzkaller:

    WARNING: CPU: 0 PID: 6544 at /home/kernel/data/kvm/arch/x86/kvm//vmx/vmx.c:4689 handle_desc+0x37/0x40 [kvm_intel]
    CPU: 0 PID: 6544 Comm: a.out Tainted: G OE 5.3.0-rc4+ #4
    RIP: 0010:handle_desc+0x37/0x40 [kvm_intel]
    Call Trace:
     vmx_handle_exit+0xbe/0x6b0 [kvm_intel]
     vcpu_enter_guest+0x4dc/0x18d0 [kvm]
     kvm_arch_vcpu_ioctl_run+0x407/0x660 [kvm]
     kvm_vcpu_ioctl+0x3ad/0x690 [kvm]
     do_vfs_ioctl+0xa2/0x690
     ksys_ioctl+0x6d/0x80
     __x64_sys_ioctl+0x1a/0x20
     do_syscall_64+0x74/0x720
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

    When CR4.UMIP is set, guest should have UMIP cpuid flag. Current
    kvm set_sregs function doesn't have such check when userspace inputs
    sregs values. SECONDARY_EXEC_DESC is enabled on writes to CR4.UMIP
    in vmx_set_cr4 though guest doesn't have UMIP cpuid flag. The testcase
    triggers handle_desc warning when executing ltr instruction since
    guest architectural CR4 doesn't set UMIP. This patch fixes it by
    adding valid CR4 and CPUID combination checking in __set_sregs.

    syzkaller source: https://syzkaller.appspot.com/x/repro.c?x=138efb99600000

    Reported-by: syzbot+0f1819555fbdce992df9@syzkaller.appspotmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Wanpeng Li
    Reviewed-by: Sean Christopherson
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Greg Kroah-Hartman

 arch/x86/kvm/x86.c | 38 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

kernel signature: d6fc185df64df1599aa988e7dd1d54eea4d74348
previous signature: 457c4eba5233b93a573222d3ec4fc36e9dfb743d
revisions tested: 13, total time: 3h13m54.869591033s (build: 1h49m3.350001492s, test: 1h23m20.425525493s)
first good commit: 21874027e1deba5a5b8edaa6de8e49a4a2dd99b3 KVM: X86: Fix userspace set invalid CR4
cc: ["gregkh@linuxfoundation.org" "pbonzini@redhat.com" "sean.j.christopherson@intel.com" "wanpengli@tencent.com"]