bisecting cause commit starting from 4f8a3cc1183c442daee6cc65360e3385021131e4
building syzkaller on 36b0b05078430cbedb73c32bed7f78056ce77536
testing commit 4f8a3cc1183c442daee6cc65360e3385021131e4 with gcc (GCC) 8.1.0
kernel signature: 19909d7a442bad810d0b06903585d26d1888986869bab44f781bcf59963191be
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: f4426c3645c1732064872ea0f2351a93288d1f720318c08e04e89bbf3dc3dd73
all runs: OK
# git bisect start 4f8a3cc1183c442daee6cc65360e3385021131e4 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 6924 revisions left to test after this (roughly 13 steps)
[4646de87d32526ee87b46c2e0130413367fb5362] Merge tag 'mailbox-v5.7' of git://git.linaro.org/landing-teams/working/fujitsu/integration
testing commit 4646de87d32526ee87b46c2e0130413367fb5362 with gcc (GCC) 8.1.0
kernel signature: 8c6220337451a644b2625d96b42a9b3774c3cab2aca4bda9b866ee3e1cb8c34e
all runs: OK
# git bisect good 4646de87d32526ee87b46c2e0130413367fb5362
Bisecting: 3422 revisions left to test after this (roughly 12 steps)
[79f51b7b9c4719303f758ae8406c4e5997ed6aa3] Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
testing commit 79f51b7b9c4719303f758ae8406c4e5997ed6aa3 with gcc (GCC) 8.1.0
kernel signature: 336966fc30ae8bab3293f1a250ca35329f3fdbb6fc6f61390aed86103402d11d
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 79f51b7b9c4719303f758ae8406c4e5997ed6aa3
Bisecting: 1689 revisions left to test after this (roughly 11 steps)
[919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc with gcc (GCC) 8.1.0
kernel signature: f46a7343cde8ebd43744e2dccd48b18007a72c73f5e7a7c6dd36496c262f647a
all runs: OK
# git bisect good 919dce24701f7b34681a6a1d3ef95c9f6c4fb1cc
Bisecting: 913 revisions left to test after this (roughly 10 steps)
[bc3b3f4bfbded031a11c4284106adddbfacd05bb] Merge tag 'pinctrl-v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit bc3b3f4bfbded031a11c4284106adddbfacd05bb with gcc (GCC) 8.1.0
kernel signature: 12ca7fd165e8f5d51c93a644edece8d98f8747bf29338343f5830de63410c64f
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad bc3b3f4bfbded031a11c4284106adddbfacd05bb
Bisecting: 398 revisions left to test after this (roughly 9 steps)
[f14a9532ee30c68a56ff502c382860f674cc180c] Merge tag 'x86-urgent-2020-04-02' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit f14a9532ee30c68a56ff502c382860f674cc180c with gcc (GCC) 8.1.0
kernel signature: 0bd3424077d66e835f45684df09824ec18d8fd7eb6fa85ada43b558f5939c24b
all runs: OK
# git bisect good f14a9532ee30c68a56ff502c382860f674cc180c
Bisecting: 180 revisions left to test after this (roughly 8 steps)
[1c482452d5db0f52e4e8eed95bd7314eec537d78] Merge tag 'kvm-s390-next-5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD
testing commit 1c482452d5db0f52e4e8eed95bd7314eec537d78 with gcc (GCC) 8.1.0
kernel signature: 7dde6e7e4026c97a9f4ffde6b4388ae06a6ad596e8233fdd7d3de54fb384c94a
run #0: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #1: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #2: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #3: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #4: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #5: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #6: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #7: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #8: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
run #9: boot failed: can't ssh into the instance
# git bisect bad 1c482452d5db0f52e4e8eed95bd7314eec537d78
Bisecting: 108 revisions left to test after this (roughly 7 steps)
[733deafc00df1dda5130fc14f87a1d3993913243] KVM: x86: Handle RDTSCP CPUID adjustment in VMX code
testing commit 733deafc00df1dda5130fc14f87a1d3993913243 with gcc (GCC) 8.1.0
kernel signature: e7ed51e53bbc7f8c3ab83db2a158955ab12d71874cb823b6c9738dc5cc287137
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 733deafc00df1dda5130fc14f87a1d3993913243
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[0be44352071dc87a4f9bf879642b1d44876971d9] KVM: x86/mmu: Reuse the current root if possible for fast switch
testing commit 0be44352071dc87a4f9bf879642b1d44876971d9 with gcc (GCC) 8.1.0
kernel signature: 63d9f1fc147a60e816f38c040264b59f578c5ea4f2f7f8b511bb037e1d3bc463
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 0be44352071dc87a4f9bf879642b1d44876971d9
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[82307e676f9d885871f121e4921b12905a53397d] KVM: PPC: Move memslot memory allocation into prepare_memory_region()
testing commit 82307e676f9d885871f121e4921b12905a53397d with gcc (GCC) 8.1.0
kernel signature: d1fed50efb85ba8b6aa341918ae8840cab4dd54f9d85204006ff3b86989ffb08
all runs: OK
# git bisect good 82307e676f9d885871f121e4921b12905a53397d
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[0577d1abe704c315bb5cdfc71f4ca7b9b5358f59] KVM: Terminate memslot walks via used_slots
testing commit 0577d1abe704c315bb5cdfc71f4ca7b9b5358f59 with gcc (GCC) 8.1.0
kernel signature: 45219feeaf8874e57a7ba6322d5ad54ff2751570a94f4893fec8786695cefc1c
all runs: OK
# git bisect good 0577d1abe704c315bb5cdfc71f4ca7b9b5358f59
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[d18b2f43b9147c8005ae0844fb445d8cc6a87e31] KVM: x86: Gracefully handle __vmalloc() failure during VM allocation
testing commit d18b2f43b9147c8005ae0844fb445d8cc6a87e31 with gcc (GCC) 8.1.0
kernel signature: ce97eea68dc0c92071b7e0c449c225eb459db4aa284f23edcdecd94e2a7e01d0
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad d18b2f43b9147c8005ae0844fb445d8cc6a87e31
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[b3594ffbf932c8e8b23201cdc2c173708a4472dc] KVM: x86/mmu: Move kvm_arch_flush_remote_tlbs_memslot() to mmu.c
testing commit b3594ffbf932c8e8b23201cdc2c173708a4472dc with gcc (GCC) 8.1.0
kernel signature: c50462b61697566b611911443fe09f5ad2f0d9efcf48356dc635411bb4702ef5
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad b3594ffbf932c8e8b23201cdc2c173708a4472dc
Bisecting: 0 revisions left to test after this (roughly 1 step)
[13e48aa9429d1be05ecf8b9eefb212ac58f3f704] KVM: selftests: Add test for KVM_SET_USER_MEMORY_REGION
testing commit 13e48aa9429d1be05ecf8b9eefb212ac58f3f704 with gcc (GCC) 8.1.0
kernel signature: 0ac9655dbb7fa4645cb51fd85a806e1bfdbc11913c6c4c66515171fcf8ff45b2
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 13e48aa9429d1be05ecf8b9eefb212ac58f3f704
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[36947254e5f981aeeedab1c7dfa35fc34d330e80] KVM: Dynamically size memslot array based on number of used slots
testing commit 36947254e5f981aeeedab1c7dfa35fc34d330e80 with gcc (GCC) 8.1.0
kernel signature: c2ef0ef475382e4dc478db1aa02a5bea7eb4094fdadaa598026205f347cf13f5
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 36947254e5f981aeeedab1c7dfa35fc34d330e80
36947254e5f981aeeedab1c7dfa35fc34d330e80 is the first bad commit
commit 36947254e5f981aeeedab1c7dfa35fc34d330e80
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date:   Tue Feb 18 13:07:32 2020 -0800

    KVM: Dynamically size memslot array based on number of used slots
    
    Now that the memslot logic doesn't assume memslots are always non-NULL,
    dynamically size the array of memslots instead of unconditionally
    allocating memory for the maximum number of memslots.
    
    Note, because a to-be-deleted memslot must first be invalidated, the
    array size cannot be immediately reduced when deleting a memslot.
    However, consecutive deletions will realize the memory savings, i.e.
    a second deletion will trim the entry.
    
    Tested-by: Christoffer Dall <christoffer.dall@arm.com>
    Tested-by: Marc Zyngier <maz@kernel.org>
    Reviewed-by: Peter Xu <peterx@redhat.com>
    Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

 include/linux/kvm_host.h |  2 +-
 virt/kvm/kvm_main.c      | 31 ++++++++++++++++++++++++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)
culprit signature: c2ef0ef475382e4dc478db1aa02a5bea7eb4094fdadaa598026205f347cf13f5
parent  signature: 45219feeaf8874e57a7ba6322d5ad54ff2751570a94f4893fec8786695cefc1c
revisions tested: 16, total time: 3h30m1.198136933s (build: 1h41m57.151614767s, test: 1h47m1.872622914s)
first bad commit: 36947254e5f981aeeedab1c7dfa35fc34d330e80 KVM: Dynamically size memslot array based on number of used slots
cc: ["christoffer.dall@arm.com" "maz@kernel.org" "pbonzini@redhat.com" "peterx@redhat.com" "sean.j.christopherson@intel.com"]
crash: KASAN: slab-out-of-bounds Read in gfn_to_hva
==================================================================
BUG: KASAN: slab-out-of-bounds in search_memslots include/linux/kvm_host.h:1029 [inline]
BUG: KASAN: slab-out-of-bounds in __gfn_to_memslot include/linux/kvm_host.h:1054 [inline]
BUG: KASAN: slab-out-of-bounds in gfn_to_memslot arch/x86/kvm/../../../virt/kvm/kvm_main.c:1604 [inline]
BUG: KASAN: slab-out-of-bounds in gfn_to_hva+0x3f7/0x430 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1684
Read of size 8 at addr ffff888090d23410 by task syz-executor.3/8585

CPU: 0 PID: 8585 Comm: syz-executor.3 Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374
 __kasan_report.cold.11+0x1c/0x34 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 search_memslots include/linux/kvm_host.h:1029 [inline]
 __gfn_to_memslot include/linux/kvm_host.h:1054 [inline]
 gfn_to_memslot arch/x86/kvm/../../../virt/kvm/kvm_main.c:1604 [inline]
 gfn_to_hva+0x3f7/0x430 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1684
 kvm_arch_mmu_notifier_invalidate_range+0x17/0x40 arch/x86/kvm/x86.c:8065
 kvm_mmu_notifier_invalidate_range_start+0x180/0x240 arch/x86/kvm/../../../virt/kvm/kvm_main.c:423
 mn_hlist_invalidate_range_start mm/mmu_notifier.c:487 [inline]
 __mmu_notifier_invalidate_range_start+0x394/0x5b0 mm/mmu_notifier.c:519
 mmu_notifier_invalidate_range_start include/linux/mmu_notifier.h:446 [inline]
 change_pmd_range mm/mprotect.c:190 [inline]
 change_pud_range mm/mprotect.c:240 [inline]
 change_p4d_range mm/mprotect.c:260 [inline]
 change_protection_range mm/mprotect.c:285 [inline]
 change_protection+0x804/0x1e00 mm/mprotect.c:306
 mprotect_fixup+0x3b9/0x790 mm/mprotect.c:427
 do_mprotect_pkey+0x3c2/0x700 mm/mprotect.c:553
 __do_sys_mprotect mm/mprotect.c:578 [inline]
 __se_sys_mprotect mm/mprotect.c:575 [inline]
 __x64_sys_mprotect+0x6f/0xb0 mm/mprotect.c:575
 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c987
Code: 00 00 00 b8 0b 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 9d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 0a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 7d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffeaba210c8 EFLAGS: 00000246 ORIG_RAX: 000000000000000a
RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 000000000045c987
RDX: 0000000000000000 RSI: 0000000000001000 RDI: 00007fc763c1e000
RBP: 00007ffeaba211b0 R08: 00000000007217e0 R09: 00000000007217e0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffeaba212a0
R13: 00007fc763c3e700 R14: 00007fc763c3e9c0 R15: 000000000076c04c

Allocated by task 8586:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515
 kvmalloc include/linux/mm.h:645 [inline]
 kvzalloc include/linux/mm.h:653 [inline]
 kvm_alloc_memslots arch/x86/kvm/../../../virt/kvm/kvm_main.c:564 [inline]
 kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:699 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3823 [inline]
 kvm_dev_ioctl+0x778/0x1120 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3875
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0xb8/0x110 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:770
 do_syscall_64+0xc6/0x5e0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888090d23000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1040 bytes inside of
 2048-byte region [ffff888090d23000, ffff888090d23800)
The buggy address belongs to the page:
page:ffffea00024348c0 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000277d988 ffffea0002391c08 ffff8880aa400e00
raw: 0000000000000000 ffff888090d23000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888090d23300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888090d23380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888090d23400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff888090d23480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888090d23500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================