KASAN: use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio


syzbot

Oct 24, 2020, 12:43:18 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 5b7a52cd Linux 4.14.202
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=119485b4500000
kernel config: https://syzkaller.appspot.com/x/.config?x=fa386e02ca459165
dashboard link: https://syzkaller.appspot.com/bug?extid=41e0a5eed02e2971ae90
compiler: gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+41e0a5...@syzkaller.appspotmail.com

kvm: failed to shrink bus, removing it completely
==================================================================
BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x217/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:178
Read of size 8 at addr ffff8880a98ecb00 by task syz-executor.3/25808

CPU: 0 PID: 25808 Comm: syz-executor.3 Not tainted 4.14.202-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
kvm_vm_ioctl_unregister_coalesced_mmio+0x217/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:178
kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45de59
RSP: 002b:00007f0f84a88c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000000126c0 RCX: 000000000045de59
RDX: 0000000020000180 RSI: 000000004010ae68 RDI: 0000000000000004
RBP: 00007f0f84a88ca0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdfe4fb38f R14: 00007f0f84a899c0 R15: 000000000118bf2c

Allocated by task 25808:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
kvm_vm_ioctl_register_coalesced_mmio+0x51/0x330 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:146
kvm_vm_ioctl+0xa81/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3087
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 25808:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
kvm_iodevice_destructor include/kvm/iodev.h:73 [inline]
kvm_io_bus_unregister_dev.cold+0xd8/0x101 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3719
kvm_vm_ioctl_unregister_coalesced_mmio+0x17d/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:180
kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880a98ecb00
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
64-byte region [ffff8880a98ecb00, ffff8880a98ecb40)
The buggy address belongs to the page:
page:ffffea0002a63b00 count:1 mapcount:0 mapping:ffff8880a98ec000 index:0xffff8880a98ecb80
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880a98ec000 ffff8880a98ecb80 000000010000001f
raw: ffffea0002c03e60 ffffea00025ebb20 ffff88813fe80340 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880a98eca00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff8880a98eca80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff8880a98ecb00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff8880a98ecb80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880a98ecc00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Oct 24, 2020, 12:58:17 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 5b7a52cd Linux 4.14.202
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16bdc1f8500000
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10915840500000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1060e040500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+41e0a5...@syzkaller.appspotmail.com

fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10a/0x154 lib/fault-inject.c:149
should_failslab+0xd6/0x130 mm/failslab.c:32
==================================================================
slab_pre_alloc_hook mm/slab.h:421 [inline]
slab_alloc mm/slab.c:3376 [inline]
__do_kmalloc mm/slab.c:3718 [inline]
__kmalloc+0x2c1/0x400 mm/slab.c:3729
BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x217/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:178
kmalloc include/linux/slab.h:493 [inline]
kvm_io_bus_unregister_dev+0x116/0x320 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3707
Read of size 8 at addr ffff8880b401ad00 by task syz-executor156/8011

kvm_vm_ioctl_unregister_coalesced_mmio+0x17d/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:180
kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x446b99
RSP: 002b:00007f8e56581d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 0000000000446b99
RDX: 0000000020000180 RSI: 000000004010ae68 RDI: 0000000000000004
RBP: 00000000006dbc50 R08: 0000000000000001 R09: 0000000000000031
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc5c
R13: 00007f8e56581d90 R14: 0000000000000006 R15: 0000000000000004
CPU: 1 PID: 8011 Comm: syz-executor156 Not tainted 4.14.202-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
kvm: failed to shrink bus, removing it completely
kvm_vm_ioctl_unregister_coalesced_mmio+0x217/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:178
kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096
list_del corruption, ffff888099414780->prev is LIST_POISON2 (dead000000000200)
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:48!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 8010 Comm: syz-executor156 Not tainted 4.14.202-syzkaller #0
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b3188040 task.stack: ffff888096650000
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
RIP: 0010:__list_del_entry_valid.cold+0x37/0x55 lib/list_debug.c:48
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RSP: 0018:ffff888096657b20 EFLAGS: 00010286
RIP: 0033:0x446b99
RSP: 002b:00007f8e565a2d88 EFLAGS: 00000246
RAX: 000000000000004e RBX: ffff888099414790 RCX: 0000000000000000
ORIG_RAX: 0000000000000010
RDX: 0000000000000000 RSI: ffffffff878bb8c0 RDI: ffffed1012ccaf5a
RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000446b99
RBP: ffff888099414780 R08: 000000000000004e R09: 0000000000000000
RDX: 0000000020000180 RSI: 000000004010ae68 RDI: 0000000000000004
RBP: 00000000006dbc40 R08: 0000000000000001 R09: 0000000000000031
R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000200
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
R13: ffff888099414800 R14: ffff888096657c70 R15: 0000000000000000
R13: 00007f8e565a2d90 R14: 0000000000000007 R15: 0000000000000000
FS: 00007f8e565a3700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Allocated by task 8011:
CR2: 00007f8719647000 CR3: 00000000a4d85000 CR4: 00000000001426f0
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
kvm_vm_ioctl_register_coalesced_mmio+0x51/0x330 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:146
Call Trace:
__list_del_entry include/linux/list.h:117 [inline]
list_del include/linux/list.h:125 [inline]
coalesced_mmio_destructor+0x20/0x160 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:99
kvm_vm_ioctl+0xa81/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3087
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
kvm_iodevice_destructor include/kvm/iodev.h:73 [inline]
kvm_vm_ioctl_unregister_coalesced_mmio+0x1bc/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:181
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 8011:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
kvm_iodevice_destructor include/kvm/iodev.h:73 [inline]
kvm_io_bus_unregister_dev.cold+0xd8/0x101 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3719
kvm_vm_ioctl_unregister_coalesced_mmio+0x17d/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:180
kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880b401ad00
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
64-byte region [ffff8880b401ad00, ffff8880b401ad40)
The buggy address belongs to the page:
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
page:ffffea0002d00680 count:1 mapcount:0 mapping:ffff8880b401a000 index:0x0
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
flags: 0xfff00000000100(slab)
entry_SYSCALL_64_after_hwframe+0x46/0xbb
raw: 00fff00000000100 ffff8880b401a000 0000000000000000 0000000100000020
RIP: 0033:0x446b99
raw: ffffea0002cd6fe0 ffffea0002c0bd20 ffff88813fe80340 0000000000000000
RSP: 002b:00007f8e565a2d88 EFLAGS: 00000246
page dumped because: kasan: bad access detected
ORIG_RAX: 0000000000000010

RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000446b99
Memory state around the buggy address:
RDX: 0000000020000180 RSI: 000000004010ae68 RDI: 0000000000000004
ffff8880b401ac00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
RBP: 00000000006dbc40 R08: 0000000000000001 R09: 0000000000000031
ffff8880b401ac80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
>ffff8880b401ad00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
R13: 00007f8e565a2d90 R14: 0000000000000007 R15: 0000000000000000
^
Code:
ffff8880b401ad80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
19
ffff8880b401ae00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
24
==================================================================
fe
kvm: failed to shrink bus, removing it completely
0f 0b 4c 89 ea 48 89 ee 48 c7 c7
list_del corruption, ffff888098dddf00->prev is LIST_POISON2 (dead000000000200)
40 cd cc 87 e8 83 19 24 fe 0f 0b 4c 89 e2 48 89 ee 48 c7 c7 a0 cd cc 87 e8 6f 19 24 fe <0f> 0b 48 89 ee 48 c7 c7 60 ce cc 87 e8 5e 19 24 fe 0f 0b 90 90
RIP: __list_del_entry_valid.cold+0x37/0x55 lib/list_debug.c:48 RSP: ffff888096657b20
CPU: 0 PID: 8026 Comm: syz-executor156 Tainted: G B D 4.14.202-syzkaller #0
------------[ cut here ]------------
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
kernel BUG at lib/list_debug.c:48!
Call Trace:
invalid opcode: 0000 [#2] PREEMPT SMP KASAN
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x283 lib/dump_stack.c:58
Modules linked in:
fail_dump lib/fault-inject.c:51 [inline]
should_fail.cold+0x10a/0x154 lib/fault-inject.c:149
should_fail_futex kernel/futex.c:309 [inline]
get_futex_key+0x82a/0x1160 kernel/futex.c:573
CPU: 1 PID: 8006 Comm: syz-executor156 Tainted: G B D 4.14.202-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b2fa8640 task.stack: ffff8880961f0000
futex_wake+0xc6/0x3c0 kernel/futex.c:1684
RIP: 0010:__list_del_entry_valid.cold+0x37/0x55 lib/list_debug.c:48
RSP: 0018:ffff8880961f7b20 EFLAGS: 00010286
do_futex+0x287/0x1930 kernel/futex.c:3924
RAX: 000000000000004e RBX: ffff888098dddf10 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff878bb8c0 RDI: ffffed1012c3ef5a
RBP: ffff888098dddf00 R08: 000000000000004e R09: 0000000000000000
R10: 0000000000000000 R11: ffff8880b2fa8640 R12: dead000000000200
R13: ffff888098dddf80 R14: ffff8880961f7c70 R15: 0000000000000000
FS: 00007f8e565a3700(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c533c26160 CR3: 00000000b1b08000 CR4: 00000000001426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_del_entry include/linux/list.h:117 [inline]
list_del include/linux/list.h:125 [inline]
coalesced_mmio_destructor+0x20/0x160 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:99
SYSC_futex kernel/futex.c:3980 [inline]
SyS_futex+0x1da/0x290 kernel/futex.c:3948
kvm_iodevice_destructor include/kvm/iodev.h:73 [inline]
kvm_vm_ioctl_unregister_coalesced_mmio+0x1bc/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:181
kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x446b99
RSP: 002b:00007f8e56560d88 EFLAGS: 00000246
ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00000000006dbc68 RCX: 0000000000446b99
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000006dbc6c
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
RBP: 00000000006dbc60 R08: 0000000000000031 R09: 0000000000000031
R10: 0000000000000001 R11: 0000000000000246 R12: 00000000006dbc6c
R13: 00007f8e56560d90 R14: 0000000000000004 R15: 0000000000000003
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
kvm: failed to shrink bus, removing it completely
RIP: 0033:0x446b99
RSP: 002b:00007f8e565a2d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000446b99
RDX: 0000000020000180 RSI: 000000004010ae68 RDI: 0000000000000004
list_del corruption, ffff888099414600->prev is LIST_POISON2 (dead000000000200)
RBP: 00000000006dbc40 R08: 0000000000000001 R09: 0000000000000031
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c
R13: 00007f8e565a2d90 R14: 0000000000000007 R15: 0000000000000000
Code:
------------[ cut here ]------------
19
kernel BUG at lib/list_debug.c:48!
24 fe 0f 0b 4c 89 ea 48 89 ee 48 c7 c7 40 cd cc 87 e8 83 19 24 fe 0f 0b 4c 89 e2 48 89 ee 48 c7 c7 a0 cd cc 87 e8 6f 19 24 fe <0f> 0b 48 89 ee 48 c7 c7 60 ce cc 87 e8 5e 19 24 fe 0f 0b 90 90
RIP: __list_del_entry_valid.cold+0x37/0x55 lib/list_debug.c:48 RSP: ffff8880961f7b20
invalid opcode: 0000 [#3] PREEMPT SMP KASAN
---[ end trace a9ae020bfe53dbc5 ]---
Modules linked in:
CPU: 0 PID: 8007 Comm: syz-executor156 Tainted: G B D 4.14.202-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b3d1c680 task.stack: ffff8880a1d28000
RIP: 0010:__list_del_entry_valid.cold+0x37/0x55 lib/list_debug.c:48
RSP: 0018:ffff8880a1d2fb20 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff888099414610 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff878bb8c0 RDI: ffffed10143a5f5a
RBP: ffff888099414600 R08: 000000000000004e R09: 0000000000000000
R10: 0000000000000000 R11: ffff8880b3d1c680 R12: dead000000000200
R13: ffff888099414680 R14: ffff8880a1d2fc70 R15: 0000000000000000
FS: 00007f8e565a3700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f87196f7028 CR3: 000000009326b000 CR4: 00000000001426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__list_del_entry include/linux/list.h:117 [inline]
list_del include/linux/list.h:125 [inline]
coalesced_mmio_destructor+0x20/0x160 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:99
