bisecting fixing commit since 78778071092e60ab947a0ac99c6bb59aad304526
building syzkaller on 34bf9440bd06034f86b5d9ac8afbf078129cbdae
testing commit 78778071092e60ab947a0ac99c6bb59aad304526 with gcc (GCC) 8.1.0
kernel signature: d0ab9424f35fa7e937f283002f35333ff4619450
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
testing current HEAD 14260788bbb9c94b0e36abc17294266b69dd46e4
testing commit 14260788bbb9c94b0e36abc17294266b69dd46e4 with gcc (GCC) 8.1.0
kernel signature: 62cd2c2ddd135c932fe286b0c2cc906983ea0984
all runs: OK
# git bisect start 14260788bbb9c94b0e36abc17294266b69dd46e4 78778071092e60ab947a0ac99c6bb59aad304526
Bisecting: 1731 revisions left to test after this (roughly 11 steps)
[254b9b2971a71ddaa3623cd665bbebc862a05937] tools/power x86_energy_perf_policy: Fix "uninitialized variable" warnings at -O2
testing commit 254b9b2971a71ddaa3623cd665bbebc862a05937 with gcc (GCC) 8.1.0
kernel signature: 7cf1d23870930607f326a79cd0ac675909ad1326
all runs: OK
# git bisect bad 254b9b2971a71ddaa3623cd665bbebc862a05937
Bisecting: 865 revisions left to test after this (roughly 10 steps)
[475f7781a8047d5fc5a16b1f6148cd0bc62d8a69] scsi: core: Avoid that a kernel warning appears during system resume
testing commit 475f7781a8047d5fc5a16b1f6148cd0bc62d8a69 with gcc (GCC) 8.1.0
kernel signature: 41ae91087773b316acc15306c2106bfc6a4b482e
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good 475f7781a8047d5fc5a16b1f6148cd0bc62d8a69
Bisecting: 432 revisions left to test after this (roughly 9 steps)
[0c39d818aae44bc7033a7b6b49e2f041cbfd68ab] tools: hv: fixed Python pep8/flake8 warnings for lsvmbus
testing commit 0c39d818aae44bc7033a7b6b49e2f041cbfd68ab with gcc (GCC) 8.1.0
kernel signature: b6b8896e2218a7992c660a87d7383934311adcaf
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good 0c39d818aae44bc7033a7b6b49e2f041cbfd68ab
Bisecting: 216 revisions left to test after this (roughly 8 steps)
[687e470e9123a72a25ba56e9dec5929619edf4b1] bcache: treat stale && dirty keys as bad keys
testing commit 687e470e9123a72a25ba56e9dec5929619edf4b1 with gcc (GCC) 8.1.0
kernel signature: 0f92add0ad20559d5b58a1e4ae2d157837f82be2
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good 687e470e9123a72a25ba56e9dec5929619edf4b1
Bisecting: 108 revisions left to test after this (roughly 7 steps)
[2354e925e3616e028079353c87c0dd55f5225fc1] isdn/capi: check message length in capi_write()
testing commit 2354e925e3616e028079353c87c0dd55f5225fc1 with gcc (GCC) 8.1.0
kernel signature: 76d60cab7876c4e110e58de24cb8b5a5d1fc13cf
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good 2354e925e3616e028079353c87c0dd55f5225fc1
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[abf389e0795aa6d0efb307cab8b95e6a33c12a94] media: tm6000: double free if usb disconnect while streaming
testing commit abf389e0795aa6d0efb307cab8b95e6a33c12a94 with gcc (GCC) 8.1.0
kernel signature: 4a2b1207ba58b0e5fc209609010cbead6049ab34
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good abf389e0795aa6d0efb307cab8b95e6a33c12a94
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[a02c676c0f03ee56f3fca6c30fa54c365e2278d7] netfilter: nft_flow_offload: missing netlink attribute policy
testing commit a02c676c0f03ee56f3fca6c30fa54c365e2278d7 with gcc (GCC) 8.1.0
kernel signature: dc6de000dae5682206f9c1eeed62706eedbc7cd1
all runs: OK
# git bisect bad a02c676c0f03ee56f3fca6c30fa54c365e2278d7
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[ac8f26f6a03537f5c1fe5d5a0a960ce92f5260c3] ieee802154: hwsim: unregister hw while hwsim_subscribe_all_others fails
testing commit ac8f26f6a03537f5c1fe5d5a0a960ce92f5260c3 with gcc (GCC) 8.1.0
kernel signature: ac6fc08d0fd23085317c7e45f9a4bd27133d6469
all runs: OK
# git bisect bad ac8f26f6a03537f5c1fe5d5a0a960ce92f5260c3
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[232a6462f43fceeac82bd99ef092b38e3a7ee296] KVM: coalesced_mmio: add bounds checking
testing commit 232a6462f43fceeac82bd99ef092b38e3a7ee296 with gcc (GCC) 8.1.0
kernel signature: 5c3de9b9f87d81967c0113839604541f701cdc69
all runs: OK
# git bisect bad 232a6462f43fceeac82bd99ef092b38e3a7ee296
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[fdd60d80c4294b7203d6f9d075a57da0a8d85fba] udp: correct reuseport selection with connected sockets
testing commit fdd60d80c4294b7203d6f9d075a57da0a8d85fba with gcc (GCC) 8.1.0
kernel signature: f3573b8b38713ad40c17d5e78a7404507d579118
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good fdd60d80c4294b7203d6f9d075a57da0a8d85fba
Bisecting: 0 revisions left to test after this (roughly 1 step)
[7a1bad565cebfbf6956f9bb36dba734a48fa31d4] net_sched: let qdisc_put() accept NULL pointer
testing commit 7a1bad565cebfbf6956f9bb36dba734a48fa31d4 with gcc (GCC) 8.1.0
kernel signature: 3942dae8e64693855901a98fba35d2f7a326bc32
all runs: crashed: BUG: unable to handle kernel paging request in coalesced_mmio_write
# git bisect good 7a1bad565cebfbf6956f9bb36dba734a48fa31d4
232a6462f43fceeac82bd99ef092b38e3a7ee296 is the first bad commit
commit 232a6462f43fceeac82bd99ef092b38e3a7ee296
Author: Matt Delco
Date:   Mon Sep 16 14:16:54 2019 -0700

    KVM: coalesced_mmio: add bounds checking

    commit b60fe990c6b07ef6d4df67bc0530c7c90a62623a upstream.

    The first/last indexes are typically shared with a user app.
    The app can change the 'last' index that the kernel uses
    to store the next result. This change sanity checks the index
    before using it for writing to a potentially arbitrary address.

    This fixes CVE-2019-14821.

    Cc: stable@vger.kernel.org
    Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
    Signed-off-by: Matt Delco
    Signed-off-by: Jim Mattson
    Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
    [Use READ_ONCE. - Paolo]
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Greg Kroah-Hartman

 virt/kvm/coalesced_mmio.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

kernel signature: 5c3de9b9f87d81967c0113839604541f701cdc69
previous signature: 3942dae8e64693855901a98fba35d2f7a326bc32
revisions tested: 13, total time: 3h7m23.78088145s (build: 1h47m27.796686118s, test: 1h15m54.98890566s)
first good commit: 232a6462f43fceeac82bd99ef092b38e3a7ee296 KVM: coalesced_mmio: add bounds checking
cc: ["delco@chromium.org" "gregkh@linuxfoundation.org" "jmattson@google.com" "pbonzini@redhat.com"]