fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0x10a/0x154 lib/fault-inject.c:149 should_failslab+0xd6/0x130 mm/failslab.c:32 ================================================================== slab_pre_alloc_hook mm/slab.h:421 [inline] slab_alloc mm/slab.c:3376 [inline] __do_kmalloc mm/slab.c:3718 [inline] __kmalloc+0x2c1/0x400 mm/slab.c:3729 BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x217/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:178 kmalloc include/linux/slab.h:493 [inline] kvm_io_bus_unregister_dev+0x116/0x320 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3707 Read of size 8 at addr ffff8880b401ad00 by task syz-executor156/8011 kvm_vm_ioctl_unregister_coalesced_mmio+0x17d/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:180 kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x446b99 RSP: 002b:00007f8e56581d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 0000000000446b99 RDX: 0000000020000180 RSI: 000000004010ae68 RDI: 0000000000000004 RBP: 00000000006dbc50 R08: 0000000000000001 R09: 0000000000000031 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc5c R13: 00007f8e56581d90 R14: 0000000000000006 R15: 0000000000000004 CPU: 1 PID: 8011 Comm: syz-executor156 Not tainted 4.14.202-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351 kasan_report mm/kasan/report.c:409 [inline] __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430 kvm: failed to shrink bus, removing it completely kvm_vm_ioctl_unregister_coalesced_mmio+0x217/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:178 kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096 list_del corruption, ffff888099414780->prev is LIST_POISON2 (dead000000000200) vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:48! invalid opcode: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 0 PID: 8010 Comm: syz-executor156 Not tainted 4.14.202-syzkaller #0 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8880b3188040 task.stack: ffff888096650000 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 RIP: 0010:__list_del_entry_valid.cold+0x37/0x55 lib/list_debug.c:48 entry_SYSCALL_64_after_hwframe+0x46/0xbb RSP: 0018:ffff888096657b20 EFLAGS: 00010286 RIP: 0033:0x446b99 RSP: 002b:00007f8e565a2d88 EFLAGS: 00000246 RAX: 000000000000004e RBX: ffff888099414790 RCX: 0000000000000000 ORIG_RAX: 0000000000000010 RDX: 0000000000000000 RSI: ffffffff878bb8c0 RDI: ffffed1012ccaf5a RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000446b99 RBP: ffff888099414780 R08: 000000000000004e R09: 0000000000000000 RDX: 0000000020000180 RSI: 000000004010ae68 RDI: 0000000000000004 RBP: 00000000006dbc40 R08: 0000000000000001 R09: 0000000000000031 R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000200 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c R13: ffff888099414800 R14: ffff888096657c70 R15: 0000000000000000 R13: 00007f8e565a2d90 R14: 0000000000000007 R15: 0000000000000000 FS: 00007f8e565a3700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Allocated by task 8011: CR2: 00007f8719647000 CR3: 00000000a4d85000 CR4: 00000000001426f0 save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 kmalloc include/linux/slab.h:488 [inline] kzalloc include/linux/slab.h:661 [inline] kvm_vm_ioctl_register_coalesced_mmio+0x51/0x330 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:146 Call Trace: __list_del_entry include/linux/list.h:117 [inline] list_del include/linux/list.h:125 [inline] coalesced_mmio_destructor+0x20/0x160 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:99 kvm_vm_ioctl+0xa81/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3087 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 kvm_iodevice_destructor include/kvm/iodev.h:73 [inline] kvm_vm_ioctl_unregister_coalesced_mmio+0x1bc/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:181 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb Freed by task 8011: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kfree+0xc9/0x250 mm/slab.c:3815 kvm_iodevice_destructor include/kvm/iodev.h:73 [inline] kvm_io_bus_unregister_dev.cold+0xd8/0x101 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3719 kvm_vm_ioctl_unregister_coalesced_mmio+0x17d/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:180 kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb The buggy address belongs to the object at ffff8880b401ad00 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff8880b401ad00, ffff8880b401ad40) The buggy address belongs to the page: SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 page:ffffea0002d00680 count:1 mapcount:0 mapping:ffff8880b401a000 index:0x0 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 flags: 0xfff00000000100(slab) entry_SYSCALL_64_after_hwframe+0x46/0xbb raw: 00fff00000000100 ffff8880b401a000 0000000000000000 0000000100000020 RIP: 0033:0x446b99 raw: ffffea0002cd6fe0 ffffea0002c0bd20 ffff88813fe80340 0000000000000000 RSP: 002b:00007f8e565a2d88 EFLAGS: 00000246 page dumped because: kasan: bad access detected ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000446b99 Memory state around the buggy address: RDX: 0000000020000180 RSI: 000000004010ae68 RDI: 0000000000000004 ffff8880b401ac00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc RBP: 00000000006dbc40 R08: 0000000000000001 R09: 0000000000000031 ffff8880b401ac80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c >ffff8880b401ad00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc R13: 00007f8e565a2d90 R14: 0000000000000007 R15: 0000000000000000 ^ Code: ffff8880b401ad80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc 19 ffff8880b401ae00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc 24 ================================================================== fe kvm: failed to shrink bus, removing it completely 0f 0b 4c 89 ea 48 89 ee 48 c7 c7 list_del corruption, ffff888098dddf00->prev is LIST_POISON2 (dead000000000200) 40 cd cc 87 e8 83 19 24 fe 0f 0b 4c 89 e2 48 89 ee 48 c7 c7 a0 cd cc 87 e8 6f 19 24 fe <0f> 0b 48 89 ee 48 c7 c7 60 ce cc 87 e8 5e 19 24 fe 0f 0b 90 90 RIP: __list_del_entry_valid.cold+0x37/0x55 lib/list_debug.c:48 RSP: ffff888096657b20 CPU: 0 PID: 8026 Comm: syz-executor156 Tainted: G B D 4.14.202-syzkaller #0 ------------[ cut here ]------------ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 kernel BUG at lib/list_debug.c:48! Call Trace: invalid opcode: 0000 [#2] PREEMPT SMP KASAN __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 Modules linked in: fail_dump lib/fault-inject.c:51 [inline] should_fail.cold+0x10a/0x154 lib/fault-inject.c:149 should_fail_futex kernel/futex.c:309 [inline] get_futex_key+0x82a/0x1160 kernel/futex.c:573 CPU: 1 PID: 8006 Comm: syz-executor156 Tainted: G B D 4.14.202-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8880b2fa8640 task.stack: ffff8880961f0000 futex_wake+0xc6/0x3c0 kernel/futex.c:1684 RIP: 0010:__list_del_entry_valid.cold+0x37/0x55 lib/list_debug.c:48 RSP: 0018:ffff8880961f7b20 EFLAGS: 00010286 do_futex+0x287/0x1930 kernel/futex.c:3924 RAX: 000000000000004e RBX: ffff888098dddf10 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff878bb8c0 RDI: ffffed1012c3ef5a RBP: ffff888098dddf00 R08: 000000000000004e R09: 0000000000000000 R10: 0000000000000000 R11: ffff8880b2fa8640 R12: dead000000000200 R13: ffff888098dddf80 R14: ffff8880961f7c70 R15: 0000000000000000 FS: 00007f8e565a3700(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055c533c26160 CR3: 00000000b1b08000 CR4: 00000000001426e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __list_del_entry include/linux/list.h:117 [inline] list_del include/linux/list.h:125 [inline] coalesced_mmio_destructor+0x20/0x160 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:99 SYSC_futex kernel/futex.c:3980 [inline] SyS_futex+0x1da/0x290 kernel/futex.c:3948 kvm_iodevice_destructor include/kvm/iodev.h:73 [inline] kvm_vm_ioctl_unregister_coalesced_mmio+0x1bc/0x280 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:181 kvm_vm_ioctl+0x601/0x13e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3096 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x446b99 RSP: 002b:00007f8e56560d88 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: ffffffffffffffda RBX: 00000000006dbc68 RCX: 0000000000446b99 RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000006dbc6c vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 RBP: 00000000006dbc60 R08: 0000000000000031 R09: 0000000000000031 R10: 0000000000000001 R11: 0000000000000246 R12: 00000000006dbc6c R13: 00007f8e56560d90 R14: 0000000000000004 R15: 0000000000000003 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb kvm: failed to shrink bus, removing it completely RIP: 0033:0x446b99 RSP: 002b:00007f8e565a2d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000006dbc48 RCX: 0000000000446b99 RDX: 0000000020000180 RSI: 000000004010ae68 RDI: 0000000000000004 list_del corruption, ffff888099414600->prev is LIST_POISON2 (dead000000000200) RBP: 00000000006dbc40 R08: 0000000000000001 R09: 0000000000000031 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc4c R13: 00007f8e565a2d90 R14: 0000000000000007 R15: 0000000000000000 Code: ------------[ cut here ]------------ 19 kernel BUG at lib/list_debug.c:48! 24 fe 0f 0b 4c 89 ea 48 89 ee 48 c7 c7 40 cd cc 87 e8 83 19 24 fe 0f 0b 4c 89 e2 48 89 ee 48 c7 c7 a0 cd cc 87 e8 6f 19 24 fe <0f> 0b 48 89 ee 48 c7 c7 60 ce cc 87 e8 5e 19 24 fe 0f 0b 90 90 RIP: __list_del_entry_valid.cold+0x37/0x55 lib/list_debug.c:48 RSP: ffff8880961f7b20 invalid opcode: 0000 [#3] PREEMPT SMP KASAN ---[ end trace a9ae020bfe53dbc5 ]--- Modules linked in: CPU: 0 PID: 8007 Comm: syz-executor156 Tainted: G B D 4.14.202-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8880b3d1c680 task.stack: ffff8880a1d28000 RIP: 0010:__list_del_entry_valid.cold+0x37/0x55 lib/list_debug.c:48 RSP: 0018:ffff8880a1d2fb20 EFLAGS: 00010286 RAX: 000000000000004e RBX: ffff888099414610 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff878bb8c0 RDI: ffffed10143a5f5a RBP: ffff888099414600 R08: 000000000000004e R09: 0000000000000000 R10: 0000000000000000 R11: ffff8880b3d1c680 R12: dead000000000200 R13: ffff888099414680 R14: ffff8880a1d2fc70 R15: 0000000000000000 FS: 00007f8e565a3700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f87196f7028 CR3: 000000009326b000 CR4: 00000000001426f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __list_del_entry include/linux/list.h:117 [inline] list_del include/linux/list.h:125 [inline] coalesced_mmio_destructor+0x20/0x160 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:99