Got the following report while fuzzing 4.9.47. It seems that this bug has been reported by Dmitry Vyukov [https://lkml.org/lkml/2017/1/27/828], but I can still reproduce the bug on the latest Ubuntu 16.04 (4.4.0-94-generic).
PoC: https://gist.githubusercontent.com/dvyukov/34114444518fa22baff19ae204cc46a6/raw/7826cbcd1cbc472dfa4972fe56371df3c94b70c7/gistfile1.txt

=======================================================================================
BUG: KASAN: use-after-free in __list_add include/linux/list.h:43 [inline] at addr ffff88007ab9dc80
BUG: KASAN: use-after-free in list_add include/linux/list.h:63 [inline] at addr ffff88007ab9dc80
BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x3a3/0x420 virt/lib/irqbypass.c:217 at addr ffff88007ab9dc80
Write of size 8 by task syz-executor4/2970
CPU: 0 PID: 2970 Comm: syz-executor4 Tainted: G    B   4.9.47 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
 ffff8800760df9c0 ffffffff81ad97d9 ffff88007f803080 ffff88007ab9db80
 ffff88007ab9dd80 ffff88007ab9da00 ffff8800760df9e8 ffffffff8153892c
 ffff8800760dfa78 ffff88007f803080 ffff8800776f7d20 ffff8800760dfa68
Call Trace:
 [<ffffffff81ad97d9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81ad97d9>] dump_stack+0x83/0xba lib/dump_stack.c:51
 [<ffffffff8153892c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff81538bc0>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff81538bc0>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:287
 [<ffffffff815390ee>] kasan_report mm/kasan/report.c:309 [inline]
 [<ffffffff815390ee>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:335
 [<ffffffff82e70a43>] __list_add include/linux/list.h:43 [inline]
 [<ffffffff82e70a43>] list_add include/linux/list.h:63 [inline]
 [<ffffffff82e70a43>] irq_bypass_register_consumer+0x3a3/0x420 virt/lib/irqbypass.c:217
 [<ffffffff81063d25>] kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:417 [inline]
 [<ffffffff81063d25>] kvm_irqfd+0x1095/0x1840 arch/x86/kvm/../../../virt/kvm/eventfd.c:572
 [<ffffffff8105b19c>] kvm_vm_ioctl+0x2bc/0x1580 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2999
 [<ffffffff815a1f2c>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815a1f2c>] do_vfs_ioctl+0x18c/0xf80 fs/ioctl.c:679
 [<ffffffff815a2daf>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815a2daf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff82e85577>] entry_SYSCALL_64_fastpath+0x1a/0xa9
Object at ffff88007ab9db80, in cache kmalloc-512 size: 512
Allocated:
PID = 2970
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x46/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace include/linux/slab.h:391 [inline]
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:296 [inline]
 kvm_irqfd+0xbd/0x1840 arch/x86/kvm/../../../virt/kvm/eventfd.c:572
 kvm_vm_ioctl+0x2bc/0x1580 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2999
 vfs_ioctl fs/ioctl.c:43 [inline]
 do_vfs_ioctl+0x18c/0xf80 fs/ioctl.c:679
 SYSC_ioctl fs/ioctl.c:694 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 entry_SYSCALL_64_fastpath+0x1a/0xa9
Freed:
PID = 1098
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x46/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xa0/0x150 mm/slub.c:3878
 irqfd_shutdown+0x137/0x1a0 arch/x86/kvm/../../../virt/kvm/eventfd.c:148
 process_one_work+0x87c/0x1170 kernel/workqueue.c:2096
 worker_thread+0xed/0x14e0 kernel/workqueue.c:2230
 kthread+0x220/0x2a0 kernel/kthread.c:211
 ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:433
Memory state around the buggy address:
 ffff88007ab9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88007ab9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88007ab9dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88007ab9dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88007ab9dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

--
Regards,
idaifish