Hello,

The following program triggers a use-after-free in kvm_irq_delivery_to_apic_fast:

https://gist.githubusercontent.com/dvyukov/68a25fb4f8f48807fb7cdf3ebbb84e58/raw/b7b85810a1070c93387ece6d2388da8dbe937452/gistfile1.txt

On commit 015ed9433be2b476ec7e2e6a9a411a56e3b5b035 (Nov 11).

==================================================================
BUG: KASAN: use-after-free in kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 at addr ffff88003da49610
Read of size 8 by task a.out/2749
CPU: 1 PID: 2749 Comm: a.out Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003be37740 ffffffff81c2e46b ffff88003e816d40 ffff88003da495f8
 ffff88003da49788 0000000000000000 ffff88003be37768 ffffffff8165ab9c
 ffffed0007b492c2 ffffed0007b492c2 ffff88003e816d40 ffff88003be377e8
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81c2e46b>] dump_stack+0xb3/0x118 lib/dump_stack.c:51
 [<ffffffff8165ab9c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<     inline     >] print_address_description mm/kasan/report.c:194
 [<     inline     >] kasan_report_error mm/kasan/report.c:283
 [<ffffffff8165aed1>] kasan_report+0x231/0x500 mm/kasan/report.c:303
 [<ffffffff8165b214>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:329
 [<ffffffff8112092a>] kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 arch/x86/kvm/lapic.c:824
 [<ffffffff8112e3f2>] kvm_irq_delivery_to_apic+0x132/0x9a0 arch/x86/kvm/irq_comm.c:72
 [<ffffffff8112ed71>] kvm_set_msi+0x111/0x160 arch/x86/kvm/irq_comm.c:157
 [<ffffffff81070961>] kvm_send_userspace_msi+0x201/0x280 arch/x86/kvm/../../../virt/kvm/irqchip.c:74
 [<ffffffff810668a5>] kvm_vm_ioctl+0xba5/0x1670 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3015
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
 [<     inline     >] SYSC_ioctl fs/ioctl.c:694
 [<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:209
Object at ffff88003da495f8, in cache anon_vma_chain size: 80
Allocated:
PID = 2683
[  140.731021] [<ffffffff811abb36>] save_stack_trace+0x16/0x20
[  140.731021] [<ffffffff81659ee6>] save_stack+0x46/0xd0
[  140.731021] [<ffffffff8165a15d>] kasan_kmalloc+0xad/0xe0
[  140.731021] [<ffffffff8165a6c2>] kasan_slab_alloc+0x12/0x20
[  140.731021] [<ffffffff816552ec>] kmem_cache_alloc+0xbc/0x260
[  140.731021] [<ffffffff8160f746>] anon_vma_prepare+0xb6/0x530
[  140.731021] [<ffffffff815ea4f4>] handle_mm_fault+0x17d4/0x1e70
[  140.731021] [<ffffffff8120fbf8>] __do_page_fault+0x4f8/0xae0
[  140.731021] [<ffffffff812102a3>] trace_do_page_fault+0x93/0x450
[  140.731021] [<ffffffff81202ba4>] do_async_page_fault+0x14/0x70
[  140.731021] [<ffffffff831f1f78>] async_page_fault+0x28/0x30
Freed:
PID = 2683
[  140.731021] [<ffffffff811abb36>] save_stack_trace+0x16/0x20
[  140.731021] [<ffffffff81659ee6>] save_stack+0x46/0xd0
[  140.731021] [<ffffffff8165a741>] kasan_slab_free+0x71/0xb0
[  140.731021] [<ffffffff816562a5>] kmem_cache_free+0xb5/0x2d0
[  140.731021] [<ffffffff8160e4ac>] unlink_anon_vmas+0x12c/0x700
[  140.731021] [<ffffffff815e1c1d>] free_pgtables+0x1bd/0x3b0
[  140.731021] [<ffffffff815fe0c2>] exit_mmap+0x212/0x3d0
[  140.731021] [<ffffffff812345c5>] mmput+0x95/0x300
[  140.731021] [<ffffffff8124885d>] do_exit+0x71d/0x2bc0
[  140.731021] [<ffffffff8124efa8>] do_group_exit+0x108/0x330
[  140.731021] [<ffffffff8124f1ed>] SyS_exit_group+0x1d/0x20
[  140.731021] [<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Memory state around the buggy address:
 ffff88003da49500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003da49580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb
>ffff88003da49600: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
                         ^
 ffff88003da49680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003da49700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Sometimes it also crashes with a slab-out-of-bounds report:

BUG: KASAN: slab-out-of-bounds in kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 at addr ffff88003d9ca750
Read of size 8 by task syz-executor/22923
CPU: 0 PID: 22923 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff880067d8f740 ffffffff81c2e46b ffff88003e9fafc0 ffff88003d9ca5d8
 ffff88003d9ca7a8 0000000000000000 ffff880067d8f768 ffffffff8165ab9c
 ffffed0007b394ea ffffed0007b394ea ffff88003e9fafc0 ffff880067d8f7e8
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81c2e46b>] dump_stack+0xb3/0x118 lib/dump_stack.c:51
 [<ffffffff8165ab9c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<     inline     >] print_address_description mm/kasan/report.c:194
 [<     inline     >] kasan_report_error mm/kasan/report.c:283
 [<ffffffff8165aed1>] kasan_report+0x231/0x500 mm/kasan/report.c:303
 [<ffffffff8165b214>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:329
 [<ffffffff8112092a>] kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 arch/x86/kvm/lapic.c:824
 [<ffffffff8112e3f2>] kvm_irq_delivery_to_apic+0x132/0x9a0 arch/x86/kvm/irq_comm.c:72
 [<ffffffff8112ed71>] kvm_set_msi+0x111/0x160 arch/x86/kvm/irq_comm.c:157
 [<ffffffff81070961>] kvm_send_userspace_msi+0x201/0x280 arch/x86/kvm/../../../virt/kvm/irqchip.c:74
 [<ffffffff810668a5>] kvm_vm_ioctl+0xba5/0x1670 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3015
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
 [<     inline     >] SYSC_ioctl fs/ioctl.c:694
 [<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Object at ffff88003d9ca5d8, in cache kernfs_node_cache size: 152
Allocated:
PID = 1
[ 1582.592315] [<ffffffff811abb36>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[ 1582.592315] [<ffffffff81659ee6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[ 1582.592315] [<     inline     >] set_track mm/kasan/kasan.c:507
[ 1582.592315] [<ffffffff8165a15d>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
[ 1582.592315] [<ffffffff8165a6c2>] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
[ 1582.592315] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
[ 1582.592315] [<     inline     >] slab_alloc_node mm/slub.c:2708
[ 1582.592315] [<     inline     >] slab_alloc mm/slub.c:2716
[ 1582.592315] [<ffffffff816552ec>] kmem_cache_alloc+0xbc/0x260 mm/slub.c:2721
[ 1582.592315] [<     inline     >] kmem_cache_zalloc include/linux/slab.h:626
[ 1582.592315] [<ffffffff817f298c>] __kernfs_new_node+0x6c/0x2b0 fs/kernfs/dir.c:619
[ 1582.592315] [<ffffffff817f5ed0>] kernfs_new_node+0x80/0xe0 fs/kernfs/dir.c:651
[ 1582.592315] [<ffffffff817f680d>] kernfs_create_dir_ns+0x3d/0x130 fs/kernfs/dir.c:923
[ 1582.592315] [<     inline     >] kernfs_create_dir include/linux/kernfs.h:467
[ 1582.592315] [<ffffffff817ff113>] internal_create_group+0x113/0x9b0 fs/sysfs/group.c:124
[ 1582.592315] [<ffffffff817ff9cf>] sysfs_create_group+0x1f/0x30 fs/sysfs/group.c:156
[ 1582.592315] [<     inline     >] kernel_add_sysfs_param kernel/params.c:851
[ 1582.592315] [<     inline     >] param_sysfs_builtin kernel/params.c:888
[ 1582.592315] [<ffffffff83f727d3>] param_sysfs_init+0x31d/0x38c kernel/params.c:1009
[ 1582.592315] [<ffffffff81000560>] do_one_initcall+0xa0/0x230 init/main.c:778
[ 1582.592315] [<     inline     >] do_initcall_level init/main.c:844
[ 1582.592315] [<     inline     >] do_initcalls init/main.c:852
[ 1582.592315] [<     inline     >] do_basic_setup init/main.c:870
[ 1582.592315] [<ffffffff83f2fcac>] kernel_init_freeable+0x48d/0x546 init/main.c:1017
[ 1582.592315] [<ffffffff831dc9c3>] kernel_init+0x13/0x180 init/main.c:943
[ 1582.592315] [<ffffffff831f102a>] ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433

I am also getting GPFs in this function:

general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 25060 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003ca02dc0 task.stack: ffff88003bd20000
RIP: 0010:[<ffffffff8111fb8b>]  [<     inline     >] kvm_apic_set_irq arch/x86/kvm/lapic.c:493
RIP: 0010:[<ffffffff8111fb8b>]  [<ffffffff8111fb8b>] kvm_irq_delivery_to_apic_fast+0x45b/0x1210 arch/x86/kvm/lapic.c:828
RSP: 0018:ffff88003bd27808  EFLAGS: 00010a07
RAX: 896f75003880d045 RBX: dffffc0000000000 RCX: ffffc90000b65000
RDX: 112deea007101a84 RSI: 0000000000000004 RDI: 896f75003880d425
RBP: ffff88003bd278e8 R08: 0000000000000023 R09: 0000000000000000
R10: ffffffff84da2600 R11: 1ffff100077a4ed2 R12: 0000000000000002
R13: ffff88003bd27978 R14: ffff88003bd27a70 R15: ffffffff81e5f63b
FS:  00007f4746517700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000003bc6d000 CR4: 00000000000026f0
DR0: 0000000000011000 DR1: 000000000000f000 DR2: 0000000000010000
DR3: 000000000000f000 DR6: 00000000ffff0ff3 DR7: 0000000000000400
Stack:
 ffffffff8111f813 ffffffff813382ce ffff88003ec21580 1ffff100077a4f0c
 ffffed00077a4f4f ffff88003bd27a7a ffff88003d780490 ffff88003bd27880
 0000000000000000 ffff88003d7804a0 0000000000000000 0000000041b58ab3
Call Trace:
 [<ffffffff8112e3f2>] kvm_irq_delivery_to_apic+0x132/0x9a0 arch/x86/kvm/irq_comm.c:72
 [<ffffffff8112ed71>] kvm_set_msi+0x111/0x160 arch/x86/kvm/irq_comm.c:157
 [<ffffffff81070961>] kvm_send_userspace_msi+0x201/0x280 arch/x86/kvm/../../../virt/kvm/irqchip.c:74
 [<ffffffff810668a5>] kvm_vm_ioctl+0xba5/0x1670 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3015
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
 [<     inline     >] SYSC_ioctl fs/ioctl.c:694
 [<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Code: bf 98 00 00 00 48 89 fa 48 c1 ea 03 80 3c 1a 00 0f 85 09 0d 00 00 49 8b 87 98 00 00 00 48 8d b8 e0 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 1a 00 0f 85 f4 0c 00 00 4c 8b 90 e0 03 00 00 48 8b 85 40
RIP  [<     inline     >] kvm_apic_set_irq arch/x86/kvm/lapic.c:493
RIP  [<ffffffff8111fb8b>] kvm_irq_delivery_to_apic_fast+0x45b/0x1210 arch/x86/kvm/lapic.c:828
 RSP <ffff88003bd27808>
---[ end trace a99d569255e525d1 ]---
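As an added example (not part of the report above and not KVM code), the following Python triage script reads the three dumps on this page and checks what they actually say about the faulting access. For the two KASAN reports it computes the offset of the accessed address inside the slab object KASAN attributed it to and looks up the shadow byte from the "Memory state" dump; for the GPF it checks whether the fault is KASAN's inline shadow probe tripping on a non-canonical pointer. The shadow byte meanings are those of a 4.9-era mm/kasan/kasan.h, the x86-64 KASAN_SHADOW_OFFSET value 0xdffffc0000000000 is the constant that RBX holds in the oops, and the register roles in the GPF decoder (RDI pointer, RDX = RDI >> 3, RBX shadow offset) are my reading of the Code: bytes (mov %rdi,%rdx; shr $3,%rdx; cmpb $0,(%rdx,%rbx,1)). The sample strings are excerpts copied from the dumps above, shortened to the lines the parser needs.

```python
# KASAN slab-report triage for the kvm_irq_delivery_to_apic_fast dumps above.
# Added example, not code from the report or from KVM. Samples are excerpts of this page.
import re

SHADOW_SCALE = 8                          # one shadow byte covers 8 bytes of memory
KASAN_SHADOW_OFFSET = 0xdffffc0000000000  # x86-64 constant; RBX in the GPF dump holds it

# Shadow byte values of a 4.9-era kernel (mm/kasan/kasan.h); 0x01..0x07 = partially addressable
SHADOW_MEANING = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed slab object",
                  0xfc: "slab redzone", 0xfe: "kmalloc_large page redzone", 0xff: "freed page"}

# Constructed samples: header/object/shadow lines and the GPF registers copied from this page.
UAF_REPORT = """\
BUG: KASAN: use-after-free in kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 at addr ffff88003da49610
Read of size 8 by task a.out/2749
Object at ffff88003da495f8, in cache anon_vma_chain size: 80
Memory state around the buggy address:
 ffff88003da49500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003da49580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb
>ffff88003da49600: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
                         ^
 ffff88003da49680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""
OOB_REPORT = """\
BUG: KASAN: slab-out-of-bounds in kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 at addr ffff88003d9ca750
Read of size 8 by task syz-executor/22923
Object at ffff88003d9ca5d8, in cache kernfs_node_cache size: 152
"""
GPF_OOPS = """\
RAX: 896f75003880d045 RBX: dffffc0000000000 RCX: ffffc90000b65000
RDX: 112deea007101a84 RSI: 0000000000000004 RDI: 896f75003880d425
"""


def parse_kasan_report(text):
    """Extract the fields a triage needs from a KASAN slab report."""
    hdr = re.search(r"BUG: KASAN: ([\w-]+) in (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ at addr ([0-9a-f]{16})", text)
    acc = re.search(r"(Read|Write) of size (\d+) by task (\S+)/(\d+)", text)
    obj = re.search(r"Object at ([0-9a-f]{16}), in cache (\S+) size: (\d+)", text)
    if not (hdr and acc and obj):
        raise ValueError("not a KASAN slab report")
    # "Memory state" rows: 16 shadow bytes per row, so each row covers 128 bytes of memory
    rows = [(int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", "")))
            for m in re.finditer(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ){15}[0-9a-f]{2})", text)]
    return {"bug": hdr.group(1), "func": hdr.group(2), "addr": int(hdr.group(3), 16),
            "access": acc.group(1).lower(), "size": int(acc.group(2)),
            "task": acc.group(3), "pid": int(acc.group(4)),
            "object": int(obj.group(1), 16), "cache": obj.group(2),
            "objsize": int(obj.group(3)), "shadow_rows": rows}


def shadow_addr(addr):
    """Address of the shadow byte for addr on x86-64 (the value handed to kasan_report)."""
    return (addr >> 3) + KASAN_SHADOW_OFFSET


def shadow_byte(report, addr):
    """Shadow byte covering addr from the report's own dump, or None if the dump is missing."""
    for base, row in report["shadow_rows"]:
        if base <= addr < base + len(row) * SHADOW_SCALE:
            return row[(addr - base) // SHADOW_SCALE]
    return None


def is_canonical(addr):
    """x86-64 canonical form: bits 63..47 all equal. Anything else raises #GP on access."""
    return (addr >> 47) in (0, 0x1ffff)


def triage(report):
    """Place the faulting access relative to the slab object KASAN attributed it to."""
    off = report["addr"] - report["object"]
    if 0 <= off and off + report["size"] <= report["objsize"]:
        where = "inside the object at +0x%x" % off
    elif off >= report["objsize"]:
        where = "%d bytes past the end of the object" % (off - report["objsize"])
    else:
        where = "%d bytes before the object" % -off
    sb = shadow_byte(report, report["addr"])
    return {"offset": off, "where": where, "shadow": sb,
            "shadow_meaning": None if sb is None else SHADOW_MEANING.get(sb, "partial/stack/unknown"),
            "shadow_addr": shadow_addr(report["addr"])}


def decode_kasan_gpf(oops):
    """Check whether a #GP came from KASAN's inline shadow probe on a garbage pointer.

    Register roles are my decoding of this oops's Code: bytes
    (mov %rdi,%rdx; shr $3,%rdx; cmpb $0,(%rdx,%rbx,1)); other oopses use other registers.
    """
    regs = {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})", oops)}
    ptr, idx, off = regs["RDI"], regs["RDX"], regs["RBX"]
    return {"ptr": ptr, "ptr_canonical": is_canonical(ptr),
            "shadow_offset_matches": off == KASAN_SHADOW_OFFSET,
            "rdx_is_ptr_shadow_index": idx == ptr >> 3,
            "shadow_addr": idx + off, "shadow_canonical": is_canonical(idx + off)}


if __name__ == "__main__":
    for name, text in (("UAF", UAF_REPORT), ("OOB", OOB_REPORT)):
        print(name, triage(parse_kasan_report(text)))
    print("GPF", decode_kasan_gpf(GPF_OOPS))
```

Run against the dumps above, the use-after-free read lands 0x18 bytes into the 80-byte anon_vma_chain object on shadow byte 0xfb (freed slab object), and the computed shadow address 0xffffed0007b492c2 is the value that appears twice in the raw stack words of that report. The out-of-bounds read is 224 bytes past the end of the 152-byte kernfs_node object. In the GPF, RDX is exactly RDI >> 3 and RBX is the shadow offset, so the fault is the compiler-inserted shadow check itself: both RDI (0x896f75003880d425) and the shadow address it yields are non-canonical. Two caveats for reading such reports: the cache and the allocation/free stacks KASAN prints belong to whatever last occupied that slab slot (here anon_vma_chain freed by an exiting PID 2683, and a kernfs node allocated by PID 1 at boot), not necessarily to the object the faulting code meant to dereference, and the shadow dump is absent from the second report as pasted, which the script reports as a None shadow byte rather than guessing.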