syzbot

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
kvm: failed to shrink bus, removing it completely
==================================================================
BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x25a/0x2c0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:178
Read of size 8 at addr ffff8880a3fa4a00 by task syz-executor303/8118

CPU: 0 PID: 8118 Comm: syz-executor303 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 kvm_vm_ioctl_unregister_coalesced_mmio+0x25a/0x2c0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:178
 kvm_vm_ioctl+0x532/0x1700 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3276
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f0647b6d759
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd5619c6e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f0647b6d759
RDX: 00000000200000c0 RSI: 000000004010ae68 RDI: 0000000000000004
RBP: 00007ffd5619c6f0 R08: 0000000000000001 R09: 00007f0647b30031
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 8118:
 kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 kvm_vm_ioctl_register_coalesced_mmio+0x51/0x350 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:146
 kvm_vm_ioctl+0xc63/0x1700 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3267
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8118:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 kvm_iodevice_destructor include/kvm/iodev.h:73 [inline]
 kvm_io_bus_unregister_dev.cold+0xf0/0x110 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3899
 kvm_vm_ioctl_unregister_coalesced_mmio+0x1be/0x2c0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:180
 kvm_vm_ioctl+0x532/0x1700 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3276
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a3fa4a00
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff8880a3fa4a00, ffff8880a3fa4a40)
The buggy address belongs to the page:
page:ffffea00028fe900 count:1 mapcount:0 mapping:ffff88813bff0340 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002919108 ffffea00028cf188 ffff88813bff0340
raw: 0000000000000000 ffff8880a3fa4000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a3fa4900: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a3fa4980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff8880a3fa4a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff8880a3fa4a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff8880a3fa4b00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
==================================================================