bisecting cause commit starting from 5d30bcacd91af6874481129797af364a53cd9b46
building syzkaller on a8c6a3f8da30ccf825c6001c81a8adff21829c30
testing commit 5d30bcacd91af6874481129797af364a53cd9b46 with gcc (GCC) 8.1.0
kernel signature: 93f4e3f9e14bd996d429e3ceae9eb4cd99f08a233d60c2e6b5362bba1e73268d
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: aba8cf6027ba757ba905dceeefb5b89f3ec54dbb38d963a9beeb917e380921a8
all runs: OK
# git bisect start 5d30bcacd91af6874481129797af364a53cd9b46 7111951b8d4973bda27ff663f2cf18b663d15b48
Bisecting: 6460 revisions left to test after this (roughly 13 steps)
[4646de87d32526ee87b46c2e0130413367fb5362] Merge tag 'mailbox-v5.7' of git://git.linaro.org/landing-teams/working/fujitsu/integration
testing commit 4646de87d32526ee87b46c2e0130413367fb5362 with gcc (GCC) 8.1.0
kernel signature: 30e67f0d7f15483f79e52d6ccf2d7917cefaab672c3a596f1dbbaa356f824b82
all runs: OK
# git bisect good 4646de87d32526ee87b46c2e0130413367fb5362
Bisecting: 3182 revisions left to test after this (roughly 12 steps)
[e109f506074152b7241bcbd3949a099e776cb802] Merge tag 'mtd/for-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux
testing commit e109f506074152b7241bcbd3949a099e776cb802 with gcc (GCC) 8.1.0
kernel signature: 0400a9a8051fbbb19cb4f509c8d514a679dbbdcee48d03a9de9064299e7697e3
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad e109f506074152b7241bcbd3949a099e776cb802
Bisecting: 1641 revisions left to test after this (roughly 11 steps)
[193bc55b6d4e0a7b4ad0216ed9794252bee6436e] Merge tag 'xarray-5.7' of git://git.infradead.org/users/willy/linux-dax
testing commit 193bc55b6d4e0a7b4ad0216ed9794252bee6436e with gcc (GCC) 8.1.0
kernel signature: 0281428d714b97aae53c61ff312cb1702edfe5b06370182465379b4babeb6c49
all runs: OK
# git bisect good 193bc55b6d4e0a7b4ad0216ed9794252bee6436e
Bisecting: 801 revisions left to test after this (roughly 10 steps)
[8c1b724ddb218f221612d4c649bc9c7819d8d7a6] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 8c1b724ddb218f221612d4c649bc9c7819d8d7a6 with gcc (GCC) 8.1.0
kernel signature: a7a20af3a92e9253edb3c574088548ce7e02ee2334624a834edcf3a1fead8b50
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 8c1b724ddb218f221612d4c649bc9c7819d8d7a6
Bisecting: 450 revisions left to test after this (roughly 9 steps)
[7be97138e7276c71cc9ad1752dcb502d28f4400d] Merge tag 'xfs-5.7-merge-8' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
testing commit 7be97138e7276c71cc9ad1752dcb502d28f4400d with gcc (GCC) 8.1.0
kernel signature: 95973438ad4afd859544308f4a757b4eb0ac76964ed3c959cf6180957da00039
all runs: OK
# git bisect good 7be97138e7276c71cc9ad1752dcb502d28f4400d
Bisecting: 225 revisions left to test after this (roughly 8 steps)
[cf6c26ec7bf5386706cd6522708766eb6522995e] KVM: x86: Code style cleanup in kvm_arch_dev_ioctl()
testing commit cf6c26ec7bf5386706cd6522708766eb6522995e with gcc (GCC) 8.1.0
kernel signature: bad8b19d683f10fbb69282c6849865fcf9fe4cc99d0a8dca566eea4f7a945b1e
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad cf6c26ec7bf5386706cd6522708766eb6522995e
Bisecting: 112 revisions left to test after this (roughly 7 steps)
[9e6d01c2d9088efb8326997cafa8580295a49435] KVM: x86: Refactor handling of XSAVES CPUID adjustment
testing commit 9e6d01c2d9088efb8326997cafa8580295a49435 with gcc (GCC) 8.1.0
kernel signature: d44ec7aa7b1e9a442c50a4f3de8c6322c6ddee4356600a8fdeae166db512754a
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 9e6d01c2d9088efb8326997cafa8580295a49435
Bisecting: 55 revisions left to test after this (roughly 6 steps)
[49f933d445b611a237a4687ec7135b57b6b2cfba] KVM: Fix some obsolete comments
testing commit 49f933d445b611a237a4687ec7135b57b6b2cfba with gcc (GCC) 8.1.0
kernel signature: 99d7b45003fe2a6315f2a4c81b4c7b5970506637139e46ccee70e92bb04287f1
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 49f933d445b611a237a4687ec7135b57b6b2cfba
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[0dab98b7ade66598cab3b59931995ce91bd61258] KVM: x86: Allocate memslot resources during prepare_memory_region()
testing commit 0dab98b7ade66598cab3b59931995ce91bd61258 with gcc (GCC) 8.1.0
kernel signature: 985e55be72be956e04ba2b897213c176e76bd3bb6baebc6aeaba231d8c3ddf53
all runs: OK
# git bisect good 0dab98b7ade66598cab3b59931995ce91bd61258
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[13e48aa9429d1be05ecf8b9eefb212ac58f3f704] KVM: selftests: Add test for KVM_SET_USER_MEMORY_REGION
testing commit 13e48aa9429d1be05ecf8b9eefb212ac58f3f704 with gcc (GCC) 8.1.0
kernel signature: edd3d8ad33ab1c080be6e0a5a39032d27cbb06c45a7865854638c1282bf1c113
all runs: crashed: KASAN: slab-out-of-bounds Read in gfn_to_hva
# git bisect bad 13e48aa9429d1be05ecf8b9eefb212ac58f3f704
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[5c0b4f3d5ccc2ced94b01c3256db1cf79dc95b81] KVM: Move memslot deletion to helper function
testing commit 5c0b4f3d5ccc2ced94b01c3256db1cf79dc95b81 with gcc (GCC) 8.1.0
kernel signature: d7c24d4bcc2e03eac7f4f1a62c3f82fe8b3f62c8039bd54071d17c6aac05d37c
run #0: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 5c0b4f3d5ccc2ced94b01c3256db1cf79dc95b81
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[71a4c30bf0d39306882c726cac68229eb38e1e85] KVM: Refactor error handling for setting memory region
testing commit 71a4c30bf0d39306882c726cac68229eb38e1e85 with gcc (GCC) 8.1.0
kernel signature: 60a7bf613d6146b47f81e312000af25ef2e785866ee93951d1d908f7b1de8292
all runs: OK
# git bisect good 71a4c30bf0d39306882c726cac68229eb38e1e85
Bisecting: 1 revision left to test after this (roughly 1 step)
[9d4c197c0e94c372ceffd2ffc53a23518f301ed9] KVM: Drop "const" attribute from old memslot in commit_memory_region()
testing commit 9d4c197c0e94c372ceffd2ffc53a23518f301ed9 with gcc (GCC) 8.1.0
kernel signature: 6c8f3974cdc85a10faffd4dd2377f6a53bcd5b6331727a5db35e4d149c3cbc5a
all runs: OK
# git bisect good 9d4c197c0e94c372ceffd2ffc53a23518f301ed9
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[21198846de1c348304280436caf3a5dc936d5c65] KVM: x86: Free arrays for old memslot when moving memslot's base gfn
testing commit 21198846de1c348304280436caf3a5dc936d5c65 with gcc (GCC) 8.1.0
kernel signature: e35586b8036f6518ba42c6d16903dae6dfcd1b4d0d48efd163b174651e2a7f24
all runs: OK
# git bisect good 21198846de1c348304280436caf3a5dc936d5c65
5c0b4f3d5ccc2ced94b01c3256db1cf79dc95b81 is the first bad commit
commit 5c0b4f3d5ccc2ced94b01c3256db1cf79dc95b81
Author: Sean Christopherson
Date:   Tue Feb 18 13:07:26 2020 -0800

    KVM: Move memslot deletion to helper function

    Move memslot deletion into its own routine so that the success path for
    other memslot updates does not need to use kvm_free_memslot(), i.e. can
    explicitly destroy the dirty bitmap when necessary. This paves the way
    for dropping @dont from kvm_free_memslot(), i.e. all callers now pass
    NULL for @dont.

    Add a comment above the code to make a copy of the existing memslot
    prior to deletion, it is not at all obvious that the pointer will become
    stale during sorting and/or installation of new memslots.

    Note, kvm_arch_commit_memory_region() allows an architecture to free
    resources when moving a memslot or changing its flags, e.g. x86 frees
    its arch specific memslot metadata during commit_memory_region().

    Acked-by: Christoffer Dall
    Tested-by: Christoffer Dall
    Reviewed-by: Peter Xu
    Signed-off-by: Sean Christopherson
    Signed-off-by: Paolo Bonzini

 virt/kvm/kvm_main.c | 75 ++++++++++++++++++++++++++++++++---------------------
 1 file changed, 46 insertions(+), 29 deletions(-)

culprit signature: d7c24d4bcc2e03eac7f4f1a62c3f82fe8b3f62c8039bd54071d17c6aac05d37c
parent signature: e35586b8036f6518ba42c6d16903dae6dfcd1b4d0d48efd163b174651e2a7f24
revisions tested: 16, total time: 3h34m41.382938444s (build: 1h41m58.061476557s, test: 1h51m36.253578244s)
first bad commit: 5c0b4f3d5ccc2ced94b01c3256db1cf79dc95b81 KVM: Move memslot deletion to helper function
cc: ["christoffer.dall@arm.com" "pbonzini@redhat.com" "peterx@redhat.com" "sean.j.christopherson@intel.com"]
crash: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in __read_once_size include/linux/compiler.h:199 [inline]
BUG: KASAN: vmalloc-out-of-bounds in rcu_seq_current kernel/rcu/rcu.h:99 [inline]
BUG: KASAN: vmalloc-out-of-bounds in srcu_invoke_callbacks+0x2fb/0x320 kernel/rcu/srcutree.c:1170
Read of size 8 at addr ffffc9000276ec80 by task kworker/1:6/4061

CPU: 1 PID: 4061 Comm: kworker/1:6 Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: rcu_gp srcu_invoke_callbacks
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x56/0x317 mm/kasan/report.c:374
 __kasan_report.cold.11+0x1c/0x34 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 __read_once_size include/linux/compiler.h:199 [inline]
 rcu_seq_current kernel/rcu/rcu.h:99 [inline]
 srcu_invoke_callbacks+0x2fb/0x320 kernel/rcu/srcutree.c:1170
 process_one_work+0x903/0x15c0 kernel/workqueue.c:2264
 worker_thread+0x82/0xb50 kernel/workqueue.c:2410
 kthread+0x31d/0x3e0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Memory state around the buggy address:
 ffffc9000276eb80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffc9000276ec00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
>ffffc9000276ec80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
                   ^
 ffffc9000276ed00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffffc9000276ed80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
==================================================================