bisecting cause commit starting from 4f8a3cc1183c442daee6cc65360e3385021131e4
building syzkaller on 36b0b05078430cbedb73c32bed7f78056ce77536
testing commit 4f8a3cc1183c442daee6cc65360e3385021131e4 with gcc (GCC) 8.1.0
kernel signature: 19909d7a442bad810d0b06903585d26d1888986869bab44f781bcf59963191be
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: f4426c3645c1732064872ea0f2351a93288d1f720318c08e04e89bbf3dc3dd73
all runs: OK
# git bisect start 4f8a3cc1183c442daee6cc65360e3385021131e4 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 6924 revisions left to test after this (roughly 13 steps)
[4646de87d32526ee87b46c2e0130413367fb5362] Merge tag 'mailbox-v5.7' of git://git.linaro.org/landing-teams/working/fujitsu/integration
testing commit 4646de87d32526ee87b46c2e0130413367fb5362 with gcc (GCC) 8.1.0
kernel signature: 8c6220337451a644b2625d96b42a9b3774c3cab2aca4bda9b866ee3e1cb8c34e
all runs: OK
# git bisect good 4646de87d32526ee87b46c2e0130413367fb5362
Bisecting: 3422 revisions left to test after this (roughly 12 steps)
[79f51b7b9c4719303f758ae8406c4e5997ed6aa3] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 79f51b7b9c4719303f758ae8406c4e5997ed6aa3 with gcc (GCC) 8.1.0
kernel signature: 336966fc30ae8bab3293f1a250ca35329f3fdbb6fc6f61390aed86103402d11d
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 79f51b7b9c4719303f758ae8406c4e5997ed6aa3
Bisecting: 1689 revisions left to test after this (roughly 11 steps)
[919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc with gcc (GCC) 8.1.0
kernel signature: f46a7343cde8ebd43744e2dccd48b18007a72c73f5e7a7c6dd36496c262f647a
all runs: OK
# git bisect good 919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc
Bisecting: 913 revisions left to test after this (roughly 10 steps)
[bc3b3f4bfbded031a11c4284106adddbfacd05bb] Merge tag 'pinctrl-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit bc3b3f4bfbded031a11c4284106adddbfacd05bb with gcc (GCC) 8.1.0
kernel signature: 12ca7fd165e8f5d51c93a644edece8d98f8747bf29338343f5830de63410c64f
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad bc3b3f4bfbded031a11c4284106adddbfacd05bb
Bisecting: 398 revisions left to test after this (roughly 9 steps)
[f14a9532ee30c68a56ff502c382860f674cc180c] Merge tag 'x86-urgent-2020-04-02' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit f14a9532ee30c68a56ff502c382860f674cc180c with gcc (GCC) 8.1.0
kernel signature: 0bd3424077d66e835f45684df09824ec18d8fd7eb6fa85ada43b558f5939c24b
all runs: OK
# git bisect good f14a9532ee30c68a56ff502c382860f674cc180c
Bisecting: 180 revisions left to test after this (roughly 8 steps)
[1c482452d5db0f52e4e8eed95bd7314eec537d78] Merge tag 'kvm-s390-next-5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD
testing commit 1c482452d5db0f52e4e8eed95bd7314eec537d78 with gcc (GCC) 8.1.0
kernel signature: 7dde6e7e4026c97a9f4ffde6b4388ae06a6ad596e8233fdd7d3de54fb384c94a
run #0: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #1: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #2: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #3: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #4: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #5: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #6: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #7: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #8: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #9: boot failed: can't ssh into the instance
# git bisect bad 1c482452d5db0f52e4e8eed95bd7314eec537d78
Bisecting: 108 revisions left to test after this (roughly 7 steps)
[733deafc00df1dda5130fc14f87a1d3993913243] KVM: x86: Handle RDTSCP CPUID adjustment in VMX code
testing commit 733deafc00df1dda5130fc14f87a1d3993913243 with gcc (GCC) 8.1.0
kernel signature: e7ed51e53bbc7f8c3ab83db2a158955ab12d71874cb823b6c9738dc5cc287137
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 733deafc00df1dda5130fc14f87a1d3993913243
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[0be44352071dc87a4f9bf879642b1d44876971d9] KVM: x86/mmu: Reuse the current root if possible for fast switch
testing commit 0be44352071dc87a4f9bf879642b1d44876971d9 with gcc (GCC) 8.1.0
kernel signature: 63d9f1fc147a60e816f38c040264b59f578c5ea4f2f7f8b511bb037e1d3bc463
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 0be44352071dc87a4f9bf879642b1d44876971d9
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[82307e676f9d885871f121e4921b12905a53397d] KVM: PPC: Move memslot memory allocation into prepare_memory_region()
testing commit 82307e676f9d885871f121e4921b12905a53397d with gcc (GCC) 8.1.0
kernel signature: d1fed50efb85ba8b6aa341918ae8840cab4dd54f9d85204006ff3b86989ffb08
all runs: OK
# git bisect good 82307e676f9d885871f121e4921b12905a53397d
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[0577d1abe704c315bb5cdfc71f4ca7b9b5358f59] KVM: Terminate memslot walks via used_slots
testing commit 0577d1abe704c315bb5cdfc71f4ca7b9b5358f59 with gcc (GCC) 8.1.0
kernel signature: 45219feeaf8874e57a7ba6322d5ad54ff2751570a94f4893fec8786695cefc1c
all runs: OK
# git bisect good 0577d1abe704c315bb5cdfc71f4ca7b9b5358f59
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[d18b2f43b9147c8005ae0844fb445d8cc6a87e31] KVM: x86: Gracefully handle __vmalloc() failure during VM allocation
testing commit d18b2f43b9147c8005ae0844fb445d8cc6a87e31 with gcc (GCC) 8.1.0
kernel signature: ce97eea68dc0c92071b7e0c449c225eb459db4aa284f23edcdecd94e2a7e01d0
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad d18b2f43b9147c8005ae0844fb445d8cc6a87e31
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[b3594ffbf932c8e8b23201cdc2c173708a4472dc] KVM: x86/mmu: Move kvm_arch_flush_remote_tlbs_memslot() to mmu.c
testing commit b3594ffbf932c8e8b23201cdc2c173708a4472dc with gcc (GCC) 8.1.0
kernel signature: c50462b61697566b611911443fe09f5ad2f0d9efcf48356dc635411bb4702ef5
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad b3594ffbf932c8e8b23201cdc2c173708a4472dc
Bisecting: 0 revisions left to test after this (roughly 1 step)
[13e48aa9429d1be05ecf8b9eefb212ac58f3f704] KVM: selftests: Add test for KVM_SET_USER_MEMORY_REGION
testing commit 13e48aa9429d1be05ecf8b9eefb212ac58f3f704 with gcc (GCC) 8.1.0
kernel signature: 0ac9655dbb7fa4645cb51fd85a806e1bfdbc11913c6c4c66515171fcf8ff45b2
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 13e48aa9429d1be05ecf8b9eefb212ac58f3f704
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[36947254e5f981aeeedab1c7dfa35fc34d330e80] KVM: Dynamically size memslot array based on number of used slots
testing commit 36947254e5f981aeeedab1c7dfa35fc34d330e80 with gcc (GCC) 8.1.0
kernel signature: c2ef0ef475382e4dc478db1aa02a5bea7eb4094fdadaa598026205f347cf13f5
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 36947254e5f981aeeedab1c7dfa35fc34d330e80
36947254e5f981aeeedab1c7dfa35fc34d330e80 is the first bad commit
commit 36947254e5f981aeeedab1c7dfa35fc34d330e80
Author: Sean Christopherson
Date:   Tue Feb 18 13:07:32 2020 -0800

    KVM: Dynamically size memslot array based on number of used slots

    Now that the memslot logic doesn't assume memslots are always non-NULL,
    dynamically size the array of memslots instead of unconditionally
    allocating memory for the maximum number of memslots.

    Note, because a to-be-deleted memslot must first be invalidated, the array
    size cannot be immediately reduced when deleting a memslot. However,
    consecutive deletions will realize the memory savings, i.e. a second
    deletion will trim the entry.

    Tested-by: Christoffer Dall
    Tested-by: Marc Zyngier
    Reviewed-by: Peter Xu
    Signed-off-by: Sean Christopherson
    Signed-off-by: Paolo Bonzini

 include/linux/kvm_host.h |  2 +-
 virt/kvm/kvm_main.c      | 31 ++++++++++++++++++++++++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

culprit signature: c2ef0ef475382e4dc478db1aa02a5bea7eb4094fdadaa598026205f347cf13f5
parent signature: 45219feeaf8874e57a7ba6322d5ad54ff2751570a94f4893fec8786695cefc1c
revisions tested: 16, total time: 3h30m1.198136933s (build: 1h41m57.151614767s, test: 1h47m1.872622914s)
first bad commit: 36947254e5f981aeeedab1c7dfa35fc34d330e80 KVM: Dynamically size memslot array based on number of used slots
cc: ["christoffer.dall@arm.com" "maz@kernel.org" "pbonzini@redhat.com" "peterx@redhat.com" "sean.j.christopherson@intel.com"]
crash: KASAN: slab-out-of-bounds Read in gfn_to_hva
==================================================================
BUG: KASAN: slab-out-of-bounds in search_memslots include/linux/kvm_host.h:1029 [inline]
BUG: KASAN: slab-out-of-bounds in __gfn_to_memslot include/linux/kvm_host.h:1054 [inline]
BUG: KASAN: slab-out-of-bounds in gfn_to_memslot arch/x86/kvm/../../../virt/kvm/kvm_main.c:1604 [inline]
BUG: KASAN: slab-out-of-bounds in gfn_to_hva+0x3f7/0x430 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1684
Read of size 8 at addr ffff888090d23410 by task syz-executor.3/8585

CPU: 0 PID: 8585 Comm: syz-executor.3 Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374
 __kasan_report.cold.11+0x1c/0x34 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 search_memslots include/linux/kvm_host.h:1029 [inline]
 __gfn_to_memslot include/linux/kvm_host.h:1054 [inline]
 gfn_to_memslot arch/x86/kvm/../../../virt/kvm/kvm_main.c:1604 [inline]
 gfn_to_hva+0x3f7/0x430 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1684
 kvm_arch_mmu_notifier_invalidate_range+0x17/0x40 arch/x86/kvm/x86.c:8065
 kvm_mmu_notifier_invalidate_range_start+0x180/0x240 arch/x86/kvm/../../../virt/kvm/kvm_main.c:423
 mn_hlist_invalidate_range_start mm/mmu_notifier.c:487 [inline]
 __mmu_notifier_invalidate_range_start+0x394/0x5b0 mm/mmu_notifier.c:519
 mmu_notifier_invalidate_range_start include/linux/mmu_notifier.h:446 [inline]
 change_pmd_range mm/mprotect.c:190 [inline]
 change_pud_range mm/mprotect.c:240 [inline]
 change_p4d_range mm/mprotect.c:260 [inline]
 change_protection_range mm/mprotect.c:285 [inline]
 change_protection+0x804/0x1e00 mm/mprotect.c:306
 mprotect_fixup+0x3b9/0x790 mm/mprotect.c:427
 do_mprotect_pkey+0x3c2/0x700 mm/mprotect.c:553
 __do_sys_mprotect mm/mprotect.c:578 [inline]
 __se_sys_mprotect mm/mprotect.c:575 [inline]
 __x64_sys_mprotect+0x6f/0xb0 mm/mprotect.c:575
 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c987
Code: 00 00 00 b8 0b 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 9d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 0a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 7d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffeaba210c8 EFLAGS: 00000246 ORIG_RAX: 000000000000000a
RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 000000000045c987
RDX: 0000000000000000 RSI: 0000000000001000 RDI: 00007fc763c1e000
RBP: 00007ffeaba211b0 R08: 00000000007217e0 R09: 00000000007217e0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffeaba212a0
R13: 00007fc763c3e700 R14: 00007fc763c3e9c0 R15: 000000000076c04c

Allocated by task 8586:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515
 kvmalloc include/linux/mm.h:645 [inline]
 kvzalloc include/linux/mm.h:653 [inline]
 kvm_alloc_memslots arch/x86/kvm/../../../virt/kvm/kvm_main.c:564 [inline]
 kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:699 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3823 [inline]
 kvm_dev_ioctl+0x778/0x1120 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3875
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0xb8/0x110 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:770
 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888090d23000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1040 bytes inside of
 2048-byte region [ffff888090d23000, ffff888090d23800)
The buggy address belongs to the page:
page:ffffea00024348c0 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000277d988 ffffea0002391c08 ffff8880aa400e00
raw: 0000000000000000 ffff888090d23000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888090d23300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888090d23380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888090d23400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff888090d23480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888090d23500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================