syzbot


KASAN: use-after-free Read in __schedule

Status: fixed on 2018/02/14 17:41
Subsystems: kvm
[Documentation on labels]
Reported-by: syzbot+1ab0ab6049e3e38c56d313bd2982bbf6b007ad6c@syzkaller.appspotmail.com
Fix commit: 8dbfb2bf1bb3 KVM: x86: don't forget vcpu_put() in kvm_arch_vcpu_ioctl_set_sregs()
First crash: 2351d, last: 2349d
Duplicate bugs (3)
duplicates (3):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
general protection fault in finish_task_switch mm C 266 2349d 2351d 0/26 closed as dup on 2017/12/22 08:26
KASAN: use-after-free Write in preempt_notifier_register kvm 7 2349d 2351d 0/26 closed as dup on 2017/12/21 01:28
general protection fault in __schedule mm C 722 2349d 2351d 0/26 closed as dup on 2017/12/21 00:34
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: use-after-free Read in __schedule 3 1520d 1547d 0/2 auto-closed as invalid on 2020/07/28 03:17
linux-4.19 KASAN: use-after-free Read in __schedule 1 1184d 1184d 0/1 auto-closed as invalid on 2021/06/29 13:25
linux-4.19 KASAN: use-after-free Read in __schedule (2) 1 860d 860d 0/1 auto-closed as invalid on 2022/05/18 22:28
upstream KASAN: use-after-free Read in __schedule (2) kvm C done 961 1907d 2126d 13/26 fixed on 2019/11/20 22:01

Sample crash report:
kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
==================================================================
BUG: KASAN: use-after-free in __fire_sched_out_preempt_notifiers kernel/sched/core.c:2550 [inline]
BUG: KASAN: use-after-free in fire_sched_out_preempt_notifiers kernel/sched/core.c:2558 [inline]
BUG: KASAN: use-after-free in prepare_task_switch kernel/sched/core.c:2594 [inline]
BUG: KASAN: use-after-free in context_switch kernel/sched/core.c:2765 [inline]
BUG: KASAN: use-after-free in __schedule+0xda3/0x2060 kernel/sched/core.c:3376
Read of size 8 at addr ffff8801c8100058 by task syzkaller468202/3160

CPU: 0 PID: 3160 Comm: syzkaller468202 Not tainted 4.15.0-rc4-mm1+ #47
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:355 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:413
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:434
 __fire_sched_out_preempt_notifiers kernel/sched/core.c:2550 [inline]
 fire_sched_out_preempt_notifiers kernel/sched/core.c:2558 [inline]
 prepare_task_switch kernel/sched/core.c:2594 [inline]
 context_switch kernel/sched/core.c:2765 [inline]
 __schedule+0xda3/0x2060 kernel/sched/core.c:3376
 preempt_schedule_common+0x22/0x60 kernel/sched/core.c:3515
 _cond_resched+0x1d/0x30 kernel/sched/core.c:4852
 __wait_for_common kernel/sched/completion.c:107 [inline]
 wait_for_common kernel/sched/completion.c:123 [inline]
 wait_for_completion+0xa5/0x770 kernel/sched/completion.c:144
 __synchronize_srcu+0x1ad/0x260 kernel/rcu/srcutree.c:925
 synchronize_srcu_expedited kernel/rcu/srcutree.c:950 [inline]
 synchronize_srcu+0x1a3/0x570 kernel/rcu/srcutree.c:1001
 kvm_page_track_unregister_notifier+0x186/0x270 arch/x86/kvm/page_track.c:213
 kvm_mmu_uninit_vm+0x1c/0x20 arch/x86/kvm/mmu.c:5053
 kvm_arch_destroy_vm+0x73b/0x980 arch/x86/kvm/x86.c:8418
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:729 [inline]
 kvm_put_kvm+0x695/0xde0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:750
 kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:761
 __fput+0x327/0x7e0 fs/file_table.c:209
 ____fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x199/0x270 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9bb/0x1ad0 kernel/exit.c:869
 do_group_exit+0x149/0x400 kernel/exit.c:972
 SYSC_exit_group kernel/exit.c:983 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:981
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x43ed88
RSP: 002b:00007fff23181a48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 000000000043ed88
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000006ca018 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ab0
R13: 0000000000401b40 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3160:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
 kmem_cache_zalloc include/linux/slab.h:695 [inline]
 vmx_create_vcpu+0xc4/0x2f20 arch/x86/kvm/vmx.c:9819
 kvm_arch_vcpu_create+0x12c/0x1a0 arch/x86/kvm/x86.c:7884
 kvm_vm_ioctl_create_vcpu arch/x86/kvm/../../../virt/kvm/kvm_main.c:2446 [inline]
 kvm_vm_ioctl+0x48b/0x1c60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2944
 vfs_ioctl fs/ioctl.c:46 [inline]
 do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
 entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 3160:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3485 [inline]
 kmem_cache_free+0x83/0x2a0 mm/slab.c:3743
 vmx_free_vcpu+0x1ee/0x260 arch/x86/kvm/vmx.c:9813
 kvm_arch_vcpu_free arch/x86/kvm/x86.c:7870 [inline]
 kvm_free_vcpus arch/x86/kvm/x86.c:8317 [inline]
 kvm_arch_destroy_vm+0x4a2/0x980 arch/x86/kvm/x86.c:8416
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:729 [inline]
 kvm_put_kvm+0x695/0xde0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:750
 kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:761
 __fput+0x327/0x7e0 fs/file_table.c:209
 ____fput+0x15/0x20 fs/file_table.c:243
 task_work_run+0x199/0x270 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9bb/0x1ad0 kernel/exit.c:869
 do_group_exit+0x149/0x400 kernel/exit.c:972
 SYSC_exit_group kernel/exit.c:983 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:981
 entry_SYSCALL_64_fastpath+0x1f/0x96

The buggy address belongs to the object at ffff8801c8100040
 which belongs to the cache kvm_vcpu of size 23872
The buggy address is located 24 bytes inside of
 23872-byte region [ffff8801c8100040, ffff8801c8105d80)
The buggy address belongs to the page:
page:ffffea0007204000 count:1 mapcount:0 mapping:ffff8801c8100040 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801c8100040 0000000000000000 0000000100000001
raw: ffff8801d6431e48 ffff8801d6431e48 ffff8801d64270c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c80fff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801c80fff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801c8100000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801c8100080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c8100100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (145):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/12/21 19:09 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 17:40 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 16:06 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 14:03 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 12:55 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 12:42 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 12:09 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 11:46 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 11:24 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 10:54 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 10:23 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 10:02 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/21 09:17 mmots 75aa5540627f 90a46995 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/20 22:36 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/20 19:45 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/20 18:09 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/20 17:14 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/20 15:56 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/20 15:40 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/20 15:25 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/20 15:01 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/20 14:49 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/20 14:36 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/20 14:19 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/20 14:07 linux-next 7dc9f647127d 90a46995 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/21 20:03 mmots 75aa5540627f eaadba98 .config console log report syz ci-upstream-mmots-kasan-gce
2017/12/22 01:05 mmots 75aa5540627f 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/22 00:35 mmots 75aa5540627f 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/22 00:29 mmots 75aa5540627f 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/22 00:09 mmots 75aa5540627f 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/22 00:07 mmots 75aa5540627f 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 23:57 mmots 75aa5540627f 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 23:51 mmots 75aa5540627f 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 22:54 mmots 75aa5540627f 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 22:48 mmots 75aa5540627f 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 22:28 mmots 75aa5540627f 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 22:08 mmots 75aa5540627f 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 21:28 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 21:20 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 21:09 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 21:04 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 20:15 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 19:48 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 19:45 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 19:44 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 19:27 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 19:24 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 18:50 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 18:34 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 18:07 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 18:04 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 17:47 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 17:41 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 17:31 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 17:29 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 16:33 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 16:29 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 16:25 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 15:59 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 13:34 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 13:33 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 13:19 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 13:06 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 13:04 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 12:57 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
2017/12/21 12:48 mmots 75aa5540627f eaadba98 .config console log report ci-upstream-mmots-kasan-gce
* Struck through repros no longer work on HEAD.