bisecting cause commit starting from 6398b9fc818eea79dcd6e70f981ce782da22cdee building syzkaller on bc5869180f69e2ad6c6b823e129e08a8e523d800 testing commit 6398b9fc818eea79dcd6e70f981ce782da22cdee with gcc (GCC) 8.1.0 kernel signature: 97416373af704f8500b0920cbc7e754eda1d83df run #0: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks run #1: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks run #2: crashed: KASAN: vmalloc-out-of-bounds Read in srcu_invoke_callbacks run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: 5eee91ecc8b8875b58479bf7dd39254ea3868fd1 run #0: crashed: BUG: unable to handle kernel paging request in srcu_invoke_callbacks run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: c300baf6416933bbea5747f38048bd65fc455ef9 all runs: OK # git bisect start 219d54332a09e8d8741c1e1982f5eae56099de85 4d856f72c10ecb060868ed10ff1b1453943fc6c8 Bisecting: 7882 revisions left to test after this (roughly 13 steps) [a9f8b38a071b468276a243ea3ea5a0636e848cf2] Merge tag 'for-linus-5.4-1' of git://github.com/cminyard/linux-ipmi testing commit a9f8b38a071b468276a243ea3ea5a0636e848cf2 with gcc (GCC) 8.1.0 kernel signature: f7b588adf1f0d778ef9d7efc59e3bf5cfc7390f3 all runs: OK # git bisect good a9f8b38a071b468276a243ea3ea5a0636e848cf2 Bisecting: 3941 revisions left to test after this (roughly 12 steps) [0a3775e4f883912944481cf2ef36eb6383a9cc74] ocfs2: wait for recovering done after direct unlock request testing commit 0a3775e4f883912944481cf2ef36eb6383a9cc74 with gcc (GCC) 8.1.0 kernel signature: 404041931f58ca814fb4f217a0b861a52f00ac45 all runs: OK # git bisect good 0a3775e4f883912944481cf2ef36eb6383a9cc74 Bisecting: 1972 revisions left to test after this (roughly 11 steps) [63f9bff56beb718ac0a2eb8398a98220b1e119dc] Merge tag 'mips_fixes_5.4_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux testing commit 63f9bff56beb718ac0a2eb8398a98220b1e119dc with gcc (GCC) 8.1.0 kernel signature: 8639d9ea0e3404c2801dc548ecec9cacbfdcd3de all runs: OK # git bisect good 63f9bff56beb718ac0a2eb8398a98220b1e119dc Bisecting: 988 revisions left to test after this (roughly 10 steps) [65a5bf1c790039dc194507563478137b4314a59d] Merge tag 'pm-5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 65a5bf1c790039dc194507563478137b4314a59d with gcc (GCC) 8.1.0 kernel signature: 2adbfed941f59a3b4ec789aa61c81858335d1df6 all runs: OK # git bisect good 65a5bf1c790039dc194507563478137b4314a59d Bisecting: 441 revisions left to test after this (roughly 9 steps) [0058b0a506e40d9a2c62015fe92eb64a44d78cd9] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 0058b0a506e40d9a2c62015fe92eb64a44d78cd9 with gcc (GCC) 8.1.0 kernel signature: 84978ef79e69c891ee9336b422b90211fe620dbb run #0: crashed: general protection fault in kvm_coalesced_mmio_init run #1: crashed: INFO: task hung in synchronize_rcu run #2: crashed: INFO: task hung in synchronize_rcu run #3: crashed: INFO: task hung in synchronize_rcu run #4: crashed: INFO: task hung in synchronize_rcu run #5: crashed: INFO: task hung in synchronize_rcu run #6: crashed: INFO: task hung in synchronize_rcu run #7: crashed: INFO: task hung in synchronize_rcu run #8: crashed: INFO: task hung in synchronize_rcu run #9: crashed: INFO: task hung in synchronize_rcu # git bisect bad 0058b0a506e40d9a2c62015fe92eb64a44d78cd9 Bisecting: 272 revisions left to test after this (roughly 8 steps) [9d2345057538bb97b1e556508ad69983f446462f] Merge tag 'hwmon-for-v5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging testing commit 9d2345057538bb97b1e556508ad69983f446462f with gcc (GCC) 8.1.0 kernel signature: ac2be5ae22084a5744c4fa8aab5653c86a22f849 all runs: crashed: INFO: task hung in synchronize_rcu # git bisect bad 9d2345057538bb97b1e556508ad69983f446462f Bisecting: 136 revisions left to test after this (roughly 7 steps) [451fe015b2857de3d8027ef606284a205e177724] ixgbe: Remove duplicate clear_bit() call testing commit 451fe015b2857de3d8027ef606284a205e177724 with gcc (GCC) 8.1.0 kernel signature: 3b938a3a4af9fc08199888a5030cc9de1983118b all runs: OK # git bisect good 451fe015b2857de3d8027ef606284a205e177724 Bisecting: 64 revisions left to test after this (roughly 6 steps) [e5897c7d2e6507ac2423455bada21c8a6b005db6] Merge tag 'riscv/for-v5.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux testing commit e5897c7d2e6507ac2423455bada21c8a6b005db6 with gcc (GCC) 8.1.0 kernel signature: a68f1e124bf399780905b05fb709829e856a05cc run #0: crashed: general protection fault in kvm_coalesced_mmio_init run #1: crashed: INFO: task hung in synchronize_rcu run #2: crashed: INFO: task hung in synchronize_rcu run #3: crashed: INFO: task hung in synchronize_rcu run #4: crashed: INFO: task hung in synchronize_rcu run #5: crashed: INFO: task hung in synchronize_rcu run #6: crashed: INFO: task hung in synchronize_rcu run #7: crashed: INFO: task hung in synchronize_rcu run #8: crashed: INFO: task hung in synchronize_rcu run #9: crashed: INFO: task hung in synchronize_rcu # git bisect bad e5897c7d2e6507ac2423455bada21c8a6b005db6 Bisecting: 37 revisions left to test after this (roughly 5 steps) [146162449186f95bf123f59fa57a2c28a8a075e5] Merge tag 'drm-fixes-2019-11-01' of git://anongit.freedesktop.org/drm/drm testing commit 146162449186f95bf123f59fa57a2c28a8a075e5 with gcc (GCC) 8.1.0 kernel signature: 4692a06cb72c398d13041bfadd68608f38502e85 all runs: OK # git bisect good 146162449186f95bf123f59fa57a2c28a8a075e5 Bisecting: 19 revisions left to test after this (roughly 4 steps) [b2a18c25c73f30316eb356e915f4c9cc58ec42fc] Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit b2a18c25c73f30316eb356e915f4c9cc58ec42fc with gcc (GCC) 8.1.0 kernel signature: f1ac1b27ce9a99d1166cd735cac7337e6309831b run #0: crashed: general protection fault in kvm_coalesced_mmio_init run #1: crashed: INFO: task hung in synchronize_rcu run #2: crashed: INFO: task hung in synchronize_rcu run #3: crashed: INFO: task hung in synchronize_rcu run #4: crashed: INFO: task hung in synchronize_rcu run #5: crashed: INFO: task hung in synchronize_rcu run #6: crashed: INFO: task hung in synchronize_rcu run #7: crashed: INFO: task hung in synchronize_rcu run #8: crashed: INFO: task hung in synchronize_rcu run #9: crashed: INFO: task hung in synchronize_rcu # git bisect bad b2a18c25c73f30316eb356e915f4c9cc58ec42fc Bisecting: 6 revisions left to test after this (roughly 3 steps) [d540c398db780271a81690eeb2bbc61876c37904] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux testing commit d540c398db780271a81690eeb2bbc61876c37904 with gcc (GCC) 8.1.0 kernel signature: ae00d219f50016edf0c8c846ddad6b2892c45e14 all runs: crashed: INFO: task hung in synchronize_rcu # git bisect bad d540c398db780271a81690eeb2bbc61876c37904 Bisecting: 5 revisions left to test after this (roughly 3 steps) [e059770cb1cdfbcbe3f1748f76005861cc79dd1a] arm64: Brahma-B53 is SSB and spectre v2 safe testing commit e059770cb1cdfbcbe3f1748f76005861cc79dd1a with gcc (GCC) 8.1.0 kernel signature: 906f1c0fca629506eb53923ac4711cef14d2cce5 all runs: OK # git bisect good e059770cb1cdfbcbe3f1748f76005861cc79dd1a Bisecting: 2 revisions left to test after this (roughly 2 steps) [9167ab79936206118cc60e47dcb926c3489f3bd5] KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active testing commit 9167ab79936206118cc60e47dcb926c3489f3bd5 with gcc (GCC) 8.1.0 kernel signature: 84b24ac94cbf0d0d31e313fc3bf90598427b3240 run #0: crashed: general protection fault in kvm_coalesced_mmio_init run #1: crashed: INFO: task hung in synchronize_rcu run #2: crashed: INFO: task hung in synchronize_rcu run #3: crashed: INFO: task hung in synchronize_rcu run #4: crashed: INFO: task hung in synchronize_rcu run #5: crashed: INFO: task hung in synchronize_rcu run #6: crashed: INFO: task hung in synchronize_rcu run #7: crashed: INFO: task hung in synchronize_rcu run #8: crashed: INFO: task hung in synchronize_rcu run #9: crashed: INFO: task hung in synchronize_rcu # git bisect bad 9167ab79936206118cc60e47dcb926c3489f3bd5 Bisecting: 0 revisions left to test after this (roughly 1 step) [a97b0e773e492ae319a7e981e98962a1060215f9] kvm: call kvm_arch_destroy_vm if vm creation fails testing commit a97b0e773e492ae319a7e981e98962a1060215f9 with gcc (GCC) 8.1.0 kernel signature: 75416644bc71fca9a14743bda3aa469fb2a47e31 all runs: crashed: INFO: task hung in synchronize_rcu # git bisect bad a97b0e773e492ae319a7e981e98962a1060215f9 Bisecting: 0 revisions left to test after this (roughly 0 steps) [9121923c457d1d8667a6e3a67302c29e5c5add6b] kvm: Allocate memslots and buses before calling kvm_arch_init_vm testing commit 9121923c457d1d8667a6e3a67302c29e5c5add6b with gcc (GCC) 8.1.0 kernel signature: 760e464c01c8a0d062e55027b9ba5659382047a3 all runs: crashed: general protection fault in kvm_coalesced_mmio_init # git bisect bad 9121923c457d1d8667a6e3a67302c29e5c5add6b 9121923c457d1d8667a6e3a67302c29e5c5add6b is the first bad commit commit 9121923c457d1d8667a6e3a67302c29e5c5add6b Author: Jim Mattson Date: Thu Oct 24 16:03:26 2019 -0700 kvm: Allocate memslots and buses before calling kvm_arch_init_vm This reorganization will allow us to call kvm_arch_destroy_vm in the event that kvm_create_vm fails after calling kvm_arch_init_vm. Suggested-by: Junaid Shahid Signed-off-by: Jim Mattson Reviewed-by: Junaid Shahid Signed-off-by: Paolo Bonzini virt/kvm/kvm_main.c | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) parent commit 671ddc700fd08b94967b1e2a937020e30c838609 wasn't tested testing commit 671ddc700fd08b94967b1e2a937020e30c838609 with gcc (GCC) 8.1.0 kernel signature: f08f149610c7290156eab17e4e00e34ab897a6a4 culprit signature: 760e464c01c8a0d062e55027b9ba5659382047a3 parent signature: f08f149610c7290156eab17e4e00e34ab897a6a4 revisions tested: 18, total time: 4h24m1.28124175s (build: 1h51m25.187443053s, test: 2h31m20.616964005s) first bad commit: 9121923c457d1d8667a6e3a67302c29e5c5add6b kvm: Allocate memslots and buses before calling kvm_arch_init_vm cc: ["jmattson@google.com" "junaids@google.com" "pbonzini@redhat.com"] crash: general protection fault in kvm_coalesced_mmio_init kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 13007 Comm: syz-executor.4 Not tainted 5.4.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:kvm_coalesced_mmio_init+0x5d/0x110 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:121 Code: 00 48 01 d0 48 ba 00 00 00 00 80 88 ff ff 48 c1 f8 06 48 89 f9 48 c1 e0 0c 48 c1 e9 03 48 01 d0 48 ba 00 00 00 00 00 fc ff df <80> 3c 11 00 0f 85 8e 00 00 00 48 89 83 d8 96 00 00 48 c7 c2 60 9a RSP: 0018:ffff88808c59fc08 EFLAGS: 00010286 RAX: ffff888091a09000 RBX: 0000000000000000 RCX: 00000000000012db RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000096d8 RBP: ffff88808c59fc20 R08: ffffed1015d26b7d R09: ffffed1015d26b7d R10: ffffed1015d26b7c R11: ffff8880ae935be3 R12: ffffffff88989220 R13: dffffc0000000000 R14: 1ffff110118b3f8f R15: 0000000000000000 FS: 00007f3005df2700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd1ace9238 CR3: 00000000a4ef0000 CR4: 00000000001426f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3446 [inline] kvm_dev_ioctl+0x781/0x1490 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3494 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0x196/0x1150 fs/ioctl.c:696 ksys_ioctl+0x62/0x90 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x6e/0xb0 fs/ioctl.c:718 do_syscall_64+0xca/0x5d0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a919 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f3005df1c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919 RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3005df26d4 R13: 00000000004c3ce8 R14: 00000000004d9390 R15: 00000000ffffffff Modules linked in: ---[ end trace b1bd833e75fffe32 ]--- RIP: 0010:kvm_coalesced_mmio_init+0x5d/0x110 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:121 Code: 00 48 01 d0 48 ba 00 00 00 00 80 88 ff ff 48 c1 f8 06 48 89 f9 48 c1 e0 0c 48 c1 e9 03 48 01 d0 48 ba 00 00 00 00 00 fc ff df <80> 3c 11 00 0f 85 8e 00 00 00 48 89 83 d8 96 00 00 48 c7 c2 60 9a RSP: 0018:ffff88808c59fc08 EFLAGS: 00010286 RAX: ffff888091a09000 RBX: 0000000000000000 RCX: 00000000000012db RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000096d8 RBP: ffff88808c59fc20 R08: ffffed1015d26b7d R09: ffffed1015d26b7d R10: ffffed1015d26b7c R11: ffff8880ae935be3 R12: ffffffff88989220 R13: dffffc0000000000 R14: 1ffff110118b3f8f R15: 0000000000000000 FS: 00007f3005df2700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd584363000 CR3: 00000000a4ef0000 CR4: 00000000001426e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400