From: Dmitry Vyukov
Date: Sun, 11 Dec 2016 07:46:12 +0100
Subject: kvm: use-after-free in process_srcu
To: Steve Rutherford, Paolo Bonzini, Radim Krčmář, KVM list, LKML
Cc: syzkaller

Hello,

I am getting the following use-after-free reports while running the syzkaller fuzzer on commit 318c8932ddec5c1c26a4af0f3c053784841c598e (Dec 7). Unfortunately it is not reproducible, but all reports look sane and very similar, so I would assume that it is some hard-to-trigger race. In all cases the use-after-free offset within struct kvm is 344 bytes. This points to the srcu field, which starts at 208 with size 360 (I have some debug configs enabled).
BUG: KASAN: use-after-free in process_srcu+0x27a/0x280 at addr ffff88005e29a418
Read of size 8 by task kworker/3:1/1496
CPU: 3 PID: 1496 Comm: kworker/3:1 Not tainted 4.9.0-rc8+ #78
Hardware name: Google Google/Google, BIOS Google 01/01/2011
Workqueue: events_power_efficient process_srcu
 ffff88006b1df3a0 ffffffff8348fb59 ffffffff00000003 1ffff1000d63be07
 ffffed000d63bdff 0000000041b58ab3 ffffffff8957cf20 ffffffff8348f86b
 ffff8800668dc440 ffffffff8816c000 1ffff1000d63be18 dffffc0000000000
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [] dump_stack+0x2ee/0x3f5 lib/dump_stack.c:51
 [] kasan_object_err+0x21/0x70 mm/kasan/report.c:163
 [< inline >] print_address_description mm/kasan/report.c:201
 [< inline >] kasan_report_error mm/kasan/report.c:285
 [] kasan_report+0x1a1/0x440 mm/kasan/report.c:305
 [] __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:331
 [< inline >] rcu_batch_empty kernel/rcu/srcu.c:64
 [< inline >] rcu_batch_dequeue kernel/rcu/srcu.c:75
 [< inline >] srcu_invoke_callbacks kernel/rcu/srcu.c:624
 [] process_srcu+0x27a/0x280 kernel/rcu/srcu.c:672
 [] process_one_work+0xb40/0x1ba0 kernel/workqueue.c:2096
 [] worker_thread+0x214/0x18a0 kernel/workqueue.c:2230
 [] kthread+0x328/0x3e0 kernel/kthread.c:209
 [] ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433
Object at ffff88005e29a2c0, in cache kmalloc-16384 size: 16384
Allocated:
PID = 13066
[ 376.024345] [] save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:57
[ 376.024345] [] save_stack+0x43/0xd0 mm/kasan/kasan.c:495
[ 376.024345] [< inline >] set_track mm/kasan/kasan.c:507
[ 376.024345] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
[ 376.024345] [] kmem_cache_alloc_trace+0x12c/0x710 mm/slab.c:3635
[ 376.024345] [< inline >] kvm_arch_alloc_vm include/linux/slab.h:490
[ 376.024345] [< inline >] kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:610
[ 376.024345] [< inline >] kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3164
[ 376.024345] [] kvm_dev_ioctl+0x1b5/0x1100 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3208
[ 376.024345] [< inline >] vfs_ioctl fs/ioctl.c:43
[ 376.024345] [] do_vfs_ioctl+0x1c4/0x1630 fs/ioctl.c:679
[ 376.024345] [< inline >] SYSC_ioctl fs/ioctl.c:694
[ 376.024345] [] SyS_ioctl+0x94/0xc0 fs/ioctl.c:685
[ 376.024345] [] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 13064
[ 376.024345] [] save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:57
[ 376.024345] [] save_stack+0x43/0xd0 mm/kasan/kasan.c:495
[ 376.024345] [< inline >] set_track mm/kasan/kasan.c:507
[ 376.024345] [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:571
[ 376.024345] [< inline >] __cache_free mm/slab.c:3511
[ 376.024345] [] kfree+0xc8/0x2a0 mm/slab.c:3828
[ 376.024345] [< inline >] kvm_arch_free_vm include/linux/kvm_host.h:774
[ 376.024345] [< inline >] kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:739
[ 376.024345] [] kvm_put_kvm+0x489/0x5f0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:754
[ 376.024345] [] kvm_vm_release+0x47/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:765
[ 376.024345] [] __fput+0x34e/0x910 fs/file_table.c:208
[ 376.024345] [] ____fput+0x1a/0x20 fs/file_table.c:244
[ 376.024345] [] task_work_run+0x1a0/0x280 kernel/task_work.c:116
[ 376.024345] [< inline >] exit_task_work include/linux/task_work.h:21
[ 376.024345] [] do_exit+0x1842/0x2650 kernel/exit.c:828
[ 376.024345] [] do_group_exit+0x14e/0x420 kernel/exit.c:932
[ 376.024345] [] get_signal+0x663/0x1880 kernel/signal.c:2307
[ 376.024345] [] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
[ 376.024345] [] exit_to_usermode_loop+0x1ea/0x2d0 arch/x86/entry/common.c:156
[ 376.024345] [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
[ 376.024345] [] syscall_return_slowpath+0x4d3/0x570 arch/x86/entry/common.c:259
[ 376.024345] [] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff88005e29a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88005e29a380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88005e29a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff88005e29a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88005e29a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
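A small triage helper, added here and not part of the report or of the kernel tree, that extracts from the KASAN text above the quantities the mail works out by hand: the offset of the bad read inside the freed object, which member of struct kvm that offset falls in, and the allocating and freeing PIDs. The struct kvm layout table is an assumption containing only the srcu numbers the mail states (start 208, size 360); the sample report is a constructed excerpt with the same addresses.

```python
import re

# Constructed excerpt of the KASAN report quoted above (same addresses and PIDs).
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in process_srcu+0x27a/0x280 at addr ffff88005e29a418
Read of size 8 by task kworker/3:1/1496
Object at ffff88005e29a2c0, in cache kmalloc-16384 size: 16384
Allocated:
PID = 13066
Freed:
PID = 13064
"""
# Assumed partial layout of struct kvm as (field, start, size), using only the
# numbers the mail gives for the srcu member under the reporter's debug config.
KVM_LAYOUT = [("srcu", 208, 360)]

BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+) at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(r"Object at (?P<base>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<size>\d+)")
PID_RE = re.compile(r"PID = (?P<pid>\d+)")

def parse_kasan(report):
    """Pull the fields needed for triage out of a 4.9-era KASAN report."""
    info, section = {}, None
    for line in map(str.strip, report.splitlines()):
        if m := BUG_RE.match(line):
            info.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
        elif m := ACCESS_RE.match(line):
            info.update(op=m["op"], access_size=int(m["size"]), task=m["task"])
        elif m := OBJECT_RE.match(line):
            info.update(base=int(m["base"], 16), cache=m["cache"], obj_size=int(m["size"]))
        elif line in ("Allocated:", "Freed:"):
            section = line[:-1].lower()  # the "PID = n" line that follows belongs to it
        elif section and (m := PID_RE.match(line)):
            info[section + "_pid"], section = int(m["pid"]), None
    return info

def locate_field(offset, layout):
    # Map an offset inside the object to (field, offset within that field), else None.
    for name, start, size in layout:
        if start <= offset < start + size:
            return name, offset - start
    return None

def triage(report, layout=KVM_LAYOUT):
    # Where in the freed object did the access land? (what the mail computes by hand)
    info = parse_kasan(report)
    info["offset"] = info["addr"] - info["base"]  # 0x...a418 - 0x...a2c0 = 0x158 = 344
    info["in_object"] = 0 <= info["offset"] < info["obj_size"]
    info["field"] = locate_field(info["offset"], layout)
    return info
```

With the reporter's numbers this yields offset 344, which lies 136 bytes into the srcu member: the worker dereferences kvm->srcu after kvm_destroy_vm has already released the object.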