bisecting fixing commit since 0347b16583990db22fff7b3faa6a9aacf4c7cbac
building syzkaller on 214351e168def9426c79e1f65a93ddb112cee906
testing commit 0347b16583990db22fff7b3faa6a9aacf4c7cbac
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 94e70c0bac8bdf556a0983937c93948da16f11cdf8047c32bdcdb61ebdf6172c
all runs: crashed: KASAN: use-after-free Read in hardware_disable
testing current HEAD cbfab5c59cf6abbc3d36bcbf7730b3bbcc5492b7
testing commit cbfab5c59cf6abbc3d36bcbf7730b3bbcc5492b7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: da34059b859d396c0880c0d013f6054b462112cee46fa55edc8384294fe6a79f
all runs: OK
# git bisect start cbfab5c59cf6abbc3d36bcbf7730b3bbcc5492b7 0347b16583990db22fff7b3faa6a9aacf4c7cbac
Bisecting: 563 revisions left to test after this (roughly 9 steps)
[fdcfabd0952d0b66aee4128739e07ec4d212484a] bnx2x: Utilize firmware 7.13.21.0
testing commit fdcfabd0952d0b66aee4128739e07ec4d212484a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0ea67feba30786389bfb4ac007458a2122757f8082c2b75209b643c477818ed3
all runs: crashed: KASAN: use-after-free Read in hardware_disable
# git bisect good fdcfabd0952d0b66aee4128739e07ec4d212484a
Bisecting: 281 revisions left to test after this (roughly 8 steps)
[4a384c1e4058fd8dd3d7d32eb16505191f5dfb92] bonding: pair enable_port with slave_arr_updates
testing commit 4a384c1e4058fd8dd3d7d32eb16505191f5dfb92
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ff52caa13177111e8dc602769d2cb002800752c83203f6cd6fc0d6f5157fa4b7
all runs: OK
# git bisect bad 4a384c1e4058fd8dd3d7d32eb16505191f5dfb92
Bisecting: 140 revisions left to test after this (roughly 7 steps)
[a7de1002135cf94367748ffc695a29812d7633b5] ALSA: hda: Fix UAF of leds class devs at unbinding
testing commit a7de1002135cf94367748ffc695a29812d7633b5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 01d1ec61d1828861d58516c6cf78fc9bc79fedf9336a803954c0e7f40c5ed93c
all runs: OK
# git bisect bad a7de1002135cf94367748ffc695a29812d7633b5
Bisecting: 70 revisions left to test after this (roughly 6 steps)
[4cd0ef621509950b30503a4d2fd7047cb7eaf0de] ipv6: annotate accesses to fn->fn_sernum
testing commit 4cd0ef621509950b30503a4d2fd7047cb7eaf0de
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d8baa9018a1f336d873fa3a3758af2162fe66923485b94ebc84e164c54b72357
all runs: crashed: KASAN: use-after-free Read in hardware_disable
# git bisect good 4cd0ef621509950b30503a4d2fd7047cb7eaf0de
Bisecting: 35 revisions left to test after this (roughly 5 steps)
[b63e120189fd92aff00096d11e2fc5253f60248b] block: Fix wrong offset in bio_truncate()
testing commit b63e120189fd92aff00096d11e2fc5253f60248b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2b4f198d2adab64647221518d6749d44cd6fa49b43046de1c6d8e16b4ffb9127
all runs: crashed: KASAN: use-after-free Read in hardware_disable
# git bisect good b63e120189fd92aff00096d11e2fc5253f60248b
Bisecting: 17 revisions left to test after this (roughly 4 steps)
[cadfa7dce526334d7ae1425cdc66c626f8adfbf5] net: amd-xgbe: ensure to reset the tx_timer_active flag
testing commit cadfa7dce526334d7ae1425cdc66c626f8adfbf5
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 9229be6029376fdc2d5a581dc8eb962a12f1648727f8a123ff1044bd070bbea6
all runs: OK
# git bisect bad cadfa7dce526334d7ae1425cdc66c626f8adfbf5
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[d4e4e61d4a5b87bfc9953c306a11d35d869417fd] psi: Fix uaf issue when psi trigger is destroyed while being polled
testing commit d4e4e61d4a5b87bfc9953c306a11d35d869417fd
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c222bfd476703d1028137b7dc6ee4be13403abfd67a5e2eb640a42a666854d22
all runs: OK
# git bisect bad d4e4e61d4a5b87bfc9953c306a11d35d869417fd
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[2ed912e3e057b2e883cade4dcf9be74fcc5a7e82] net: ipa: fix atomic update in ipa_endpoint_replenish()
testing commit 2ed912e3e057b2e883cade4dcf9be74fcc5a7e82
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 997fec1e3fe72fb74de7f93d92a9e14dbbfa53c34bd9eb67f26d5b77b4b2c526
all runs: crashed: KASAN: use-after-free Read in hardware_disable
# git bisect good 2ed912e3e057b2e883cade4dcf9be74fcc5a7e82
Bisecting: 2 revisions left to test after this (roughly 1 step)
[42fdbf8b7dab0328554899455a5b0a58526f8a63] net: ipa: prevent concurrent replenish
testing commit 42fdbf8b7dab0328554899455a5b0a58526f8a63
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ef5395dbf78705ddf30b153982bb6970fd69e368acca3a4f7e7d956a2b9467e4
all runs: crashed: KASAN: use-after-free Read in hardware_disable
# git bisect good 42fdbf8b7dab0328554899455a5b0a58526f8a63
Bisecting: 0 revisions left to test after this (roughly 1 step)
[080dbe7e9b86a0392d8dffc00d9971792afc121f] KVM: x86: Forcibly leave nested virt when SMM state is toggled
testing commit 080dbe7e9b86a0392d8dffc00d9971792afc121f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7165f03b075a86eab30f629cc83a212a4f24781dbec410b7a949fb0f681c70b6
all runs: OK
# git bisect bad 080dbe7e9b86a0392d8dffc00d9971792afc121f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[063029a8820e63198ffdaec25f32bd7ed79fd2f0] Revert "drivers: bus: simple-pm-bus: Add support for probing simple bus only devices"
testing commit 063029a8820e63198ffdaec25f32bd7ed79fd2f0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: df1e643033951003142cf95de1836419055e81e44a281e21dbf3111b56efb320
all runs: crashed: KASAN: use-after-free Read in hardware_disable
# git bisect good 063029a8820e63198ffdaec25f32bd7ed79fd2f0
080dbe7e9b86a0392d8dffc00d9971792afc121f is the first bad commit
commit 080dbe7e9b86a0392d8dffc00d9971792afc121f
Author: Sean Christopherson
Date:   Tue Jan 25 22:03:58 2022 +0000

    KVM: x86: Forcibly leave nested virt when SMM state is toggled

    commit f7e570780efc5cec9b2ed1e0472a7da14e864fdb upstream.

    Forcibly leave nested virtualization operation if userspace toggles SMM
    state via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS.  If userspace
    forces the vCPU out of SMM while it's post-VMXON and then injects an SMI,
    vmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both
    vmxon=false and smm.vmxon=false, but all other nVMX state allocated.

    Don't attempt to gracefully handle the transition as (a) most transitions
    are nonsensical, e.g. forcing SMM while L2 is running, (b) there isn't
    sufficient information to handle all transitions, e.g. SVM wants access
    to the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede
    KVM_SET_NESTED_STATE during state restore as the latter disallows putting
    the vCPU into L2 if SMM is active, and disallows tagging the vCPU as
    being post-VMXON in SMM if SMM is not active.

    Abuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX
    due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond
    just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU
    in an architecturally impossible state.

      WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]
      WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656
      Modules linked in:
      CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]
      RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656
      Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00
      Call Trace:
       kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123
       kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]
       kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460
       kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline]
       kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676
       kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline]
       kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250
       kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273
       __fput+0x286/0x9f0 fs/file_table.c:311
       task_work_run+0xdd/0x1a0 kernel/task_work.c:164
       exit_task_work include/linux/task_work.h:32 [inline]
       do_exit+0xb29/0x2a30 kernel/exit.c:806
       do_group_exit+0xd2/0x2f0 kernel/exit.c:935
       get_signal+0x4b0/0x28c0 kernel/signal.c:2862
       arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
       handle_signal_work kernel/entry/common.c:148 [inline]
       exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
       exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
       __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
       syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
       do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
       entry_SYSCALL_64_after_hwframe+0x44/0xae

    Cc: stable@vger.kernel.org
    Reported-by: syzbot+8112db3ab20e70d50c31@syzkaller.appspotmail.com
    Signed-off-by: Sean Christopherson
    Message-Id: <20220125220358.2091737-1-seanjc@google.com>
    Signed-off-by: Paolo Bonzini
    Backported-by: Tadeusz Struk
    Signed-off-by: Sean Christopherson
    Signed-off-by: Paolo Bonzini
    Signed-off-by: Greg Kroah-Hartman

 arch/x86/include/asm/kvm_host.h |  1 +
 arch/x86/kvm/svm/nested.c       | 10 ++++++++--
 arch/x86/kvm/svm/svm.c          |  2 +-
 arch/x86/kvm/svm/svm.h          |  2 +-
 arch/x86/kvm/vmx/nested.c       |  1 +
 arch/x86/kvm/x86.c              |  2 ++
 6 files changed, 14 insertions(+), 4 deletions(-)

culprit signature: 7165f03b075a86eab30f629cc83a212a4f24781dbec410b7a949fb0f681c70b6
parent signature: df1e643033951003142cf95de1836419055e81e44a281e21dbf3111b56efb320
revisions tested: 13, total time: 2h5m20.31387916s (build: 1h12m20.547460853s, test: 51m28.580749039s)
first good commit: 080dbe7e9b86a0392d8dffc00d9971792afc121f KVM: x86: Forcibly leave nested virt when SMM state is toggled
recipients (to): ["gregkh@linuxfoundation.org" "pbonzini@redhat.com" "seanjc@google.com"]
recipients (cc): []