bisecting cause commit starting from cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2 building syzkaller on b0d1c0d5784ef15b3080395d9bc04cbf9ac2a45b testing commit cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2 with gcc (GCC) 8.1.0 kernel signature: f861d6e28c188cdb20d7a98fd89459ee6ff3cd423a435a8eabefc7d105a28462 all runs: crashed: WARNING in kvm_inject_emulated_page_fault testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: e47e0d9f21d91cb54b350b3582f84e44afec528b7ccd0ab2e3c6e7bb308cecd1 all runs: OK # git bisect start cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 Bisecting: 3620 revisions left to test after this (roughly 12 steps) [d9afbb3509900a953f5cf90bc57e793ee80c1108] Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security testing commit d9afbb3509900a953f5cf90bc57e793ee80c1108 with gcc (GCC) 8.1.0 kernel signature: aefd6d890d4b98b5ba96a286fe1349a3a4a256322df17a9e39fc2c070e2b3e2e all runs: OK # git bisect good d9afbb3509900a953f5cf90bc57e793ee80c1108 Bisecting: 1818 revisions left to test after this (roughly 11 steps) [46c54f9500afad6128e19138c7d97fa4900331f6] Merge tag 'mlx5-updates-2020-05-22' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit 46c54f9500afad6128e19138c7d97fa4900331f6 with gcc (GCC) 8.1.0 kernel signature: ce6a8bb337c7828116b9d918fd2d028518b171a091486a63e5f15496eae50330 all runs: OK # git bisect good 46c54f9500afad6128e19138c7d97fa4900331f6 Bisecting: 909 revisions left to test after this (roughly 10 steps) [be6e19818ba626eb1b354490aee40a2cfc1a219f] bpftool: Extract helpers for showing link attach type testing commit be6e19818ba626eb1b354490aee40a2cfc1a219f with gcc (GCC) 8.1.0 kernel signature: 7ab76a97a40a53b3c25cad1e084a8abde8b240fd4ea816b67375e153a03f0275 all runs: OK # git bisect good be6e19818ba626eb1b354490aee40a2cfc1a219f Bisecting: 526 revisions left to test after this (roughly 9 steps) [e8f4abf8fd1a2beb94983cb95ed713df75b3d135] Merge branch 'uaccess.csum' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit e8f4abf8fd1a2beb94983cb95ed713df75b3d135 with gcc (GCC) 8.1.0 kernel signature: b571932c4d46995678816abc145b1dc59a305183e0705f669c80cae3ebd0caa7 all runs: OK # git bisect good e8f4abf8fd1a2beb94983cb95ed713df75b3d135 Bisecting: 264 revisions left to test after this (roughly 8 steps) [13ffbd8db1dd43d63d086517872a4e702a6bf309] KVM: selftests: fix rdtsc() for vmx_tsc_adjust_test testing commit 13ffbd8db1dd43d63d086517872a4e702a6bf309 with gcc (GCC) 8.1.0 kernel signature: d70639a7a9db3df51cb1cd56ab11e25e1a248e269c8154e7f2a120ec0881927c all runs: crashed: WARNING in kvm_inject_emulated_page_fault # git bisect bad 13ffbd8db1dd43d63d086517872a4e702a6bf309 Bisecting: 130 revisions left to test after this (roughly 7 steps) [e662ec3e0705cfee5b36aecd62adbc36df85eab3] KVM: x86/mmu: Move max hugepage level to a separate #define testing commit e662ec3e0705cfee5b36aecd62adbc36df85eab3 with gcc (GCC) 8.1.0 kernel signature: dfbdfabf545fc82edf87ad1921665cb8f58127fabafbaeff158d571684f3cebd all runs: crashed: WARNING in kvm_inject_emulated_page_fault # git bisect bad e662ec3e0705cfee5b36aecd62adbc36df85eab3 Bisecting: 65 revisions left to test after this (roughly 6 steps) [9932b49e5abef0218254d15b8278e3dbee5ceea3] KVM: nVMX: Invoke ept_save_pdptrs() if and only if PAE paging is enabled testing commit 9932b49e5abef0218254d15b8278e3dbee5ceea3 with gcc (GCC) 8.1.0 kernel signature: 7fbae0740d4b3bd3b283150897f5048c08c5f2383a04f4ac9a51dcb84ea9a52c all runs: crashed: WARNING in kvm_inject_emulated_page_fault # git bisect bad 9932b49e5abef0218254d15b8278e3dbee5ceea3 Bisecting: 32 revisions left to test after this (roughly 5 steps) [72b38320872666f7fb6ff9564bf91139c685c234] KVM: SVM: Wire up ->tlb_flush_guest() directly to svm_flush_tlb() testing commit 72b38320872666f7fb6ff9564bf91139c685c234 with gcc (GCC) 8.1.0 kernel signature: 9fb5f9b094d5391bcb240edab8c60e4029759c6c2fcb8c700a8c7faa7e007eb2 all runs: crashed: WARNING in kvm_inject_emulated_page_fault # git bisect bad 72b38320872666f7fb6ff9564bf91139c685c234 Bisecting: 15 revisions left to test after this (roughly 4 steps) [f8aa7e3958bc433087ae7b9d7f24a92036c41141] KVM: nVMX: Invalidate all EPTP contexts when emulating INVEPT for L1 testing commit f8aa7e3958bc433087ae7b9d7f24a92036c41141 with gcc (GCC) 8.1.0 kernel signature: 62592dd0dfc085f5a55b9fad14cc0c36d353420349c8a9bb1c2e67eb89d53fa5 all runs: OK # git bisect good f8aa7e3958bc433087ae7b9d7f24a92036c41141 Bisecting: 7 revisions left to test after this (roughly 3 steps) [8a8b097c6cd0041da6ba3a0701f911bfee05c652] KVM: VMX: Move vpid_sync_vcpu_addr() down a few lines testing commit 8a8b097c6cd0041da6ba3a0701f911bfee05c652 with gcc (GCC) 8.1.0 kernel signature: 5af4e1d1ab66455658739ce1b7f1e8fbd45d0c858437a8f8ce85cef18661659f all runs: crashed: WARNING in kvm_inject_emulated_page_fault # git bisect bad 8a8b097c6cd0041da6ba3a0701f911bfee05c652 Bisecting: 3 revisions left to test after this (roughly 2 steps) [0cd665bd20f9088d363158b4ac75592af18ecf4f] KVM: x86: cleanup kvm_inject_emulated_page_fault testing commit 0cd665bd20f9088d363158b4ac75592af18ecf4f with gcc (GCC) 8.1.0 kernel signature: 79bbb76024137e787f37177321fa00fefe65ef01594a9851c5eb91f342076423 all runs: OK # git bisect good 0cd665bd20f9088d363158b4ac75592af18ecf4f Bisecting: 1 revision left to test after this (roughly 1 step) [c746b3a4b84cc6eb2f8a45e89210f57d252d98fd] KVM: VMX: Skip global INVVPID fallback if vpid==0 in vpid_sync_context() testing commit c746b3a4b84cc6eb2f8a45e89210f57d252d98fd with gcc (GCC) 8.1.0 kernel signature: c83cea380907b4e82b7a9a1e0ad2f74805609dd057b591e397cccc0bacc561e7 all runs: crashed: WARNING in kvm_inject_emulated_page_fault # git bisect bad c746b3a4b84cc6eb2f8a45e89210f57d252d98fd Bisecting: 0 revisions left to test after this (roughly 0 steps) [ee1fa209f5e5ca5c1e76c7aa1c2aab292f371f4a] KVM: x86: Sync SPTEs when injecting page/EPT fault into L1 testing commit ee1fa209f5e5ca5c1e76c7aa1c2aab292f371f4a with gcc (GCC) 8.1.0 kernel signature: 40a50a3da10d79d23ff381cf4261fe9e620285d58664a2fb94dd58df5a1446cf all runs: crashed: WARNING in kvm_inject_emulated_page_fault # git bisect bad ee1fa209f5e5ca5c1e76c7aa1c2aab292f371f4a ee1fa209f5e5ca5c1e76c7aa1c2aab292f371f4a is the first bad commit commit ee1fa209f5e5ca5c1e76c7aa1c2aab292f371f4a Author: Junaid Shahid Date: Fri Mar 20 14:28:03 2020 -0700 KVM: x86: Sync SPTEs when injecting page/EPT fault into L1 When injecting a page fault or EPT violation/misconfiguration, KVM is not syncing any shadow PTEs associated with the faulting address, including those in previous MMUs that are associated with L1's current EPTP (in a nested EPT scenario), nor is it flushing any hardware TLB entries. All this is done by kvm_mmu_invalidate_gva. Page faults that are either !PRESENT or RSVD are exempt from the flushing, as the CPU is not allowed to cache such translations. Signed-off-by: Junaid Shahid Co-developed-by: Sean Christopherson Signed-off-by: Sean Christopherson Message-Id: <20200320212833.3507-8-sean.j.christopherson@intel.com> Signed-off-by: Paolo Bonzini arch/x86/kvm/vmx/nested.c | 12 ++++++------ arch/x86/kvm/vmx/vmx.c | 2 +- arch/x86/kvm/x86.c | 11 ++++++++++- 3 files changed, 17 insertions(+), 8 deletions(-) culprit signature: 40a50a3da10d79d23ff381cf4261fe9e620285d58664a2fb94dd58df5a1446cf parent signature: 79bbb76024137e787f37177321fa00fefe65ef01594a9851c5eb91f342076423 revisions tested: 15, total time: 3h7m30.705397565s (build: 1h28m33.180141768s, test: 1h37m55.129521769s) first bad commit: ee1fa209f5e5ca5c1e76c7aa1c2aab292f371f4a KVM: x86: Sync SPTEs when injecting page/EPT fault into L1 cc: ["junaids@google.com" "pbonzini@redhat.com" "sean.j.christopherson@intel.com"] crash: WARNING in kvm_inject_emulated_page_fault L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 8408 at arch/x86/kvm/x86.c:618 kvm_inject_emulated_page_fault+0x1b8/0x230 arch/x86/kvm/x86.c:629 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 8408 Comm: syz-executor.1 Not tainted 5.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 panic+0x22a/0x4e3 kernel/panic.c:221 __warn.cold.10+0x25/0x26 kernel/panic.c:582 report_bug+0x1ad/0x270 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:175 [inline] do_error_trap+0x123/0x210 arch/x86/kernel/traps.c:267 do_invalid_op+0x31/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 RIP: 0010:kvm_inject_emulated_page_fault+0x1b8/0x230 arch/x86/kvm/x86.c:618 Code: b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 74 48 8b 53 08 4c 89 ee 4c 89 e7 e8 bd ef 09 00 e9 1f ff ff ff <0f> 0b e9 79 fe ff ff 48 89 ef e8 b9 d7 92 00 e9 97 fe ff ff 48 89 RSP: 0018:ffffc90004497940 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffc900044979d0 RCX: 0000000000000008 RDX: 1ffff92000892f3a RSI: ffffc900044979d0 RDI: ffff88809f574040 RBP: ffff88809f574040 R08: fffff52000892f55 R09: fffff52000892f55 R10: ffffc90004497aa7 R11: fffff52000892f54 R12: ffff88809f574040 R13: ffffc900044979d0 R14: ffff88809f574078 R15: ffff88809f574040 nested_vmx_get_vmptr+0x136/0x150 arch/x86/kvm/vmx/nested.c:4563 handle_vmon+0x119/0x2d0 arch/x86/kvm/vmx/nested.c:4692 vcpu_enter_guest arch/x86/kvm/x86.c:8484 [inline] vcpu_run arch/x86/kvm/x86.c:8547 [inline] kvm_arch_vcpu_ioctl_run+0x2ab7/0x55c0 arch/x86/kvm/x86.c:8769 kvm_vcpu_ioctl+0x41b/0xaf0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3138 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl+0xb8/0x110 fs/ioctl.c:763 __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl fs/ioctl.c:770 [inline] __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:770 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45ca69 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f7b64502c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000004e8000 RCX: 000000000045ca69 RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000006 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000003c6 R14: 00000000004c6743 R15: 00007f7b645036d4 Kernel Offset: disabled Rebooting in 86400 seconds..