Dmitry Vyukov
Mar 23, 2017, 8:33:46 AM
to Paolo Bonzini, Radim Krčmář, KVM list, LKML, Steve Rutherford, James Mattson, Xiao Guangrong, Haozhong Zhang, Wanpeng Li, P J P, syzkaller
Hello,
I've got the following report while running the syzkaller fuzzer on
093b995e3b55a0ae0670226ddfcb05bfbf0099ae. Note the preceding injected
kmalloc failure; most likely it's the root cause.
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 0 PID: 14650 Comm: syz-executor2 Not tainted 4.11.0-rc3+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x1b8/0x28d lib/dump_stack.c:52
fail_dump lib/fault-inject.c:45 [inline]
should_fail+0x78a/0x870 lib/fault-inject.c:154
should_failslab+0xec/0x120 mm/failslab.c:31
slab_pre_alloc_hook mm/slab.h:434 [inline]
slab_alloc mm/slab.c:3394 [inline]
__do_kmalloc mm/slab.c:3734 [inline]
__kmalloc+0x220/0x730 mm/slab.c:3745
kmalloc include/linux/slab.h:495 [inline]
kvm_io_bus_unregister_dev+0x1a2/0x300
arch/x86/kvm/../../../virt/kvm/kvm_main.c:3594
kvm_free_pit+0x58/0x110 arch/x86/kvm/i8254.c:727
kvm_arch_sync_events+0x35/0x40 arch/x86/kvm/x86.c:8078
kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:727 [inline]
kvm_put_kvm+0x27f/0xa70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:761
kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:772
__fput+0x327/0x7f0 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:245
task_work_run+0x1a4/0x270 kernel/task_work.c:116
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x24d/0x2d0 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
syscall_return_slowpath+0x3bd/0x460 arch/x86/entry/common.c:260
entry_SYSCALL_64_fastpath+0xc0/0xc2
RIP: 0033:0x445b79
RSP: 002b:00007f6e094bc858 EFLAGS: 00000292 ORIG_RAX: 0000000000000021
RAX: 000000000000001c RBX: 0000000000708000 RCX: 0000000000445b79
RDX: 0000000000000000 RSI: 000000000000001c RDI: 000000000000001b
RBP: 0000000000000430 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 00000000006de4f0
R13: 000000000000001c R14: 0000000000000000 R15: 000000000000001b
==================================================================
BUG: KASAN: use-after-free in kvm_io_bus_destroy
include/kvm/iodev.h:72 [inline] at addr ffff88003bfb7d40
BUG: KASAN: use-after-free in kvm_destroy_vm
arch/x86/kvm/../../../virt/kvm/kvm_main.c:733 [inline] at addr
ffff88003bfb7d40
BUG: KASAN: use-after-free in kvm_put_kvm+0x932/0xa70
arch/x86/kvm/../../../virt/kvm/kvm_main.c:761 at addr ffff88003bfb7d40
Read of size 8 by task syz-executor2/14650
CPU: 0 PID: 14650 Comm: syz-executor2 Not tainted 4.11.0-rc3+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x1b8/0x28d lib/dump_stack.c:52
kasan_object_err+0x1c/0x70 mm/kasan/report.c:166
print_address_description mm/kasan/report.c:210 [inline]
kasan_report_error mm/kasan/report.c:294 [inline]
kasan_report.part.2+0x1be/0x480 mm/kasan/report.c:316
kasan_report mm/kasan/report.c:337 [inline]
__asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:337
kvm_io_bus_destroy include/kvm/iodev.h:72 [inline]
kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:733 [inline]
kvm_put_kvm+0x932/0xa70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:761
kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:772
__fput+0x327/0x7f0 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:245
task_work_run+0x1a4/0x270 kernel/task_work.c:116
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x24d/0x2d0 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
syscall_return_slowpath+0x3bd/0x460 arch/x86/entry/common.c:260
entry_SYSCALL_64_fastpath+0xc0/0xc2
RIP: 0033:0x445b79
RSP: 002b:00007f6e094bc858 EFLAGS: 00000292 ORIG_RAX: 0000000000000021
RAX: 000000000000001c RBX: 0000000000708000 RCX: 0000000000445b79
RDX: 0000000000000000 RSI: 000000000000001c RDI: 000000000000001b
RBP: 0000000000000430 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 00000000006de4f0
R13: 000000000000001c R14: 0000000000000000 R15: 000000000000001b
Object at ffff88003bfb7d40, in cache kmalloc-512 size: 512
Allocated:
PID = 14650
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:517
set_track mm/kasan/kasan.c:529 [inline]
kasan_kmalloc+0xbc/0xf0 mm/kasan/kasan.c:620
kmem_cache_alloc_trace+0x11a/0x720 mm/slab.c:3638
kmalloc include/linux/slab.h:490 [inline]
kzalloc include/linux/slab.h:663 [inline]
kvm_create_pit+0xc2/0x8b0 arch/x86/kvm/i8254.c:656
kvm_arch_vm_ioctl+0x1339/0x2190 arch/x86/kvm/x86.c:4058
kvm_vm_ioctl+0x20f/0x1c60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3113
vfs_ioctl fs/ioctl.c:45 [inline]
do_vfs_ioctl+0x1af/0x16d0 fs/ioctl.c:685
SYSC_ioctl fs/ioctl.c:700 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 14650
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:517
set_track mm/kasan/kasan.c:529 [inline]
kasan_slab_free+0x81/0xc0 mm/kasan/kasan.c:593
__cache_free mm/slab.c:3514 [inline]
kfree+0xd7/0x250 mm/slab.c:3831
kvm_free_pit+0xe0/0x110 arch/x86/kvm/i8254.c:733
kvm_arch_sync_events+0x35/0x40 arch/x86/kvm/x86.c:8078
kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:727 [inline]
kvm_put_kvm+0x27f/0xa70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:761
kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:772
__fput+0x327/0x7f0 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:245
task_work_run+0x1a4/0x270 kernel/task_work.c:116
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x24d/0x2d0 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
syscall_return_slowpath+0x3bd/0x460 arch/x86/entry/common.c:260
entry_SYSCALL_64_fastpath+0xc0/0xc2
Memory state around the buggy address:
ffff88003bfb7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88003bfb7c80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff88003bfb7d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff88003bfb7d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88003bfb7e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
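Added illustration of the pattern the two traces above point to (a constructed model, not code from this report or from KVM): the unregister path of a copy-on-write device bus needs an allocation, the injected failure makes it bail out without unlinking, and the caller frees the device regardless, leaving the bus pointing at freed memory for the final destroy pass. The buggy variant is shown beside a hardened one that unlinks in place when the allocation fails; all names and the bus layout are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model, not KVM code: a bus whose device table is replaced
 * copy-on-write, so even removing a device needs a fresh allocation. */
#define MAX_DEVS 4
struct dev { int id; };
struct bus { int count; struct dev *devs[MAX_DEVS]; };
static bool fail_alloc;                 /* stands in for the injected failslab */
static struct bus *bus_dup(const struct bus *old)
{
    struct bus *nb = fail_alloc ? NULL : malloc(sizeof(*nb));
    if (nb) *nb = *old;
    return nb;
}
static void bus_remove(struct bus *b, const struct dev *d)
{
    for (int i = 0; i < b->count; i++)
        if (b->devs[i] == d) { b->devs[i] = b->devs[--b->count]; return; }
}
/* Buggy: -ENOMEM bails out with the device still on the bus. */
static int unregister_buggy(struct bus **busp, struct dev *d)
{
    struct bus *nb = bus_dup(*busp);
    if (!nb) return -ENOMEM;
    bus_remove(nb, d);
    free(*busp); *busp = nb;
    return 0;
}
/* Hardened: on allocation failure, unlink from the old table in place instead of failing. */
static int unregister_fixed(struct bus **busp, struct dev *d)
{
    struct bus *nb = bus_dup(*busp);
    bus_remove(nb ? nb : *busp, d);
    if (nb) { free(*busp); *busp = nb; }
    return 0;
}
/* Mimics the kvm_free_pit step under fault injection: unregister, ignore the
 * result, free the device. True means the bus still points at freed memory. */
static bool teardown_leaves_dangling(bool use_fix)
{
    struct bus *b = calloc(1, sizeof(*b));
    struct dev *pit = malloc(sizeof(*pit));
    b->devs[b->count++] = pit;
    fail_alloc = true;   /* the kmalloc inside unregister fails, as in the trace */
    (void)(use_fix ? unregister_fixed(&b, pit) : unregister_buggy(&b, pit));
    fail_alloc = false;
    bool dangling = b->count && b->devs[0] == pit;  /* inspect before free */
    free(pit); free(b);
    return dangling;
}
```

The check is done before the device is freed on purpose: once it is freed, the only way to observe the stale pointer is the kind of read KASAN flagged in kvm_io_bus_destroy.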