Dmitry Vyukov
Nov 12, 2016, 12:12:33 AM
to Alex Williamson, Paolo Bonzini, KVM list, LKML, Steve Rutherford, syzkaller
Hello,
While running the syzkaller fuzzer I got the following use-after-free report.
On commit 015ed9433be2b476ec7e2e6a9a411a56e3b5b035 (Nov 11)
BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x3d1/0x420
at addr ffff88003b5d8820
Write of size 8 by task syz-executor/25573
CPU: 0 PID: 25573 Comm: syz-executor Not tainted 4.9.0-rc4+ #46
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88006caaf9e0 ffffffff81c2d79b ffff88003e80ccc0 ffff88003b5d86b8
ffff88003b5d89f0 0000000000000001 ffff88006caafa08 ffffffff8165ab9c
ffffed00076bb104 ffffed00076bb104 ffff88003e80ccc0 ffff88006caafa88
Call Trace:
[<ffffffff8165b2b7>] __asan_report_store8_noabort+0x17/0x20
mm/kasan/report.c:334
[< inline >] list_add include/linux/list.h:43
[<ffffffff831d16d1>] irq_bypass_register_consumer+0x3d1/0x420
virt/lib/irqbypass.c:217
[< inline >] kvm_irqfd_assign
arch/x86/kvm/../../../virt/kvm/eventfd.c:417
[<ffffffff8106e3ea>] kvm_irqfd+0x109a/0x18a0
arch/x86/kvm/../../../virt/kvm/eventfd.c:572
[<ffffffff81065797>] kvm_vm_ioctl+0x2e7/0x1670
arch/x86/kvm/../../../virt/kvm/kvm_main.c:2996
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff816af6fc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
[< inline >] SYSC_ioctl fs/ioctl.c:694
[<ffffffff816b063f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff831e9dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Object at ffff88003b5d86b8, in cache kmalloc-512 size: 512
Allocated:
PID = 25573
[ 359.255946] [< inline >] kzalloc include/linux/slab.h:636
[ 359.255946] [< inline >] kvm_irqfd_assign
arch/x86/kvm/../../../virt/kvm/eventfd.c:296
[ 359.255946] [<ffffffff8106d3f7>] kvm_irqfd+0xa7/0x18a0
arch/x86/kvm/../../../virt/kvm/eventfd.c:572
[ 359.255946] [<ffffffff81065797>] kvm_vm_ioctl+0x2e7/0x1670
arch/x86/kvm/../../../virt/kvm/kvm_main.c:2996
[ 359.255946] [< inline >] vfs_ioctl fs/ioctl.c:43
[ 359.255946] [<ffffffff816af6fc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
[ 359.255946] [< inline >] SYSC_ioctl fs/ioctl.c:694
[ 359.255946] [<ffffffff816b063f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[ 359.255946] [<ffffffff831e9dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 1057
[ 359.255946] [<ffffffff8165696a>] kfree+0xea/0x2c0 mm/slub.c:3871
[ 359.255946] [<ffffffff8106d16d>] irqfd_shutdown+0x13d/0x1a0
arch/x86/kvm/../../../virt/kvm/eventfd.c:148
[ 359.255946] [<ffffffff8129175c>] process_one_work+0x9fc/0x1900
kernel/workqueue.c:2096
[ 359.255946] [<ffffffff8129274f>] worker_thread+0xef/0x1480
kernel/workqueue.c:2230
[ 359.386293] [<ffffffff812a5a94>] kthread+0x244/0x2d0 kernel/kthread.c:209
[ 359.387074] [<ffffffff831ea02a>] ret_from_fork+0x2a/0x40
arch/x86/entry/entry_64.S:433
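Added triage example (not part of Dmitry's report or of syzkaller): a small Python parser over the KASAN report above, copied here abridged with timestamps dropped and wrapped frame lines rejoined. It pulls out what a triager reads first: bug class, access kind and size, the allocation and free sites behind the allocator/instrumentation frames, and whether the object was freed by a different task from a workqueue worker than the one that later wrote to it, which in this report points at irqfd teardown racing irqfd_assign. The frame and header regexes assume the 4.9-era KASAN report layout shown on this page.

```python
import re
# Abridged KASAN report from the post above (timestamps removed, wrapped frame lines rejoined).
REPORT = """\
BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x3d1/0x420
Write of size 8 by task syz-executor/25573
Call Trace:
[<ffffffff8165b2b7>] __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:334
[<ffffffff831d16d1>] irq_bypass_register_consumer+0x3d1/0x420 virt/lib/irqbypass.c:217
Allocated:
PID = 25573
[< inline >] kzalloc include/linux/slab.h:636
[< inline >] kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:296
Freed:
PID = 1057
[<ffffffff8165696a>] kfree+0xea/0x2c0 mm/slub.c:3871
[<ffffffff8106d16d>] irqfd_shutdown+0x13d/0x1a0 arch/x86/kvm/../../../virt/kvm/eventfd.c:148
[<ffffffff8129175c>] process_one_work+0x9fc/0x1900 kernel/workqueue.c:2096
"""

HEAD = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\w+)")
ACCESS = re.compile(r"(?P<kind>Read|Write) of size (?P<size>\d+) by task \S+/(?P<pid>\d+)")
# Matches both "[<addr>] func+0xoff/0xlen file:line" and "[< inline >] func file:line".
FRAME = re.compile(r"\] (?P<func>\w+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+:\d+)")
NOISE = ("__asan_", "kasan_", "kfree", "kzalloc", "kmalloc")  # instrumentation/allocator frames
SITE = {"allocated": "alloc", "freed": "free"}  # report section -> result key

def triage(report):
    """Extract the facts a triager reads first from a KASAN use-after-free report."""
    info = {"bug": None, "func": None, "kind": None, "size": None, "access_pid": None,
            "alloc": None, "alloc_pid": None, "free": None, "free_pid": None, "free_stack": []}
    section = None
    for line in report.splitlines():
        if m := HEAD.match(line):
            info["bug"], info["func"] = m["bug"], m["func"]
        elif m := ACCESS.match(line):
            info["kind"], info["size"], info["access_pid"] = m["kind"], int(m["size"]), int(m["pid"])
        elif line in ("Call Trace:", "Allocated:", "Freed:"):
            section = line[:-1].lower()
        elif line.startswith("PID = ") and section in SITE:
            info[SITE[section] + "_pid"] = int(line[6:])
        elif m := FRAME.search(line):
            if section == "freed":
                info["free_stack"].append(m["func"])
            # The first frame that is neither instrumentation nor the allocator is the real site.
            if section in SITE and info[SITE[section]] is None and not m["func"].startswith(NOISE):
                info[SITE[section]] = f"{m['func']} {m['loc']}"
    # Freed by another task, from a workqueue worker: the signature of teardown racing a user.
    info["cross_task_free"] = info["free_pid"] is not None and info["free_pid"] != info["access_pid"]
    info["freed_from_workqueue"] = "process_one_work" in info["free_stack"]
    return info
```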