Re: KASAN: use-after-free Write in irq_bypass_register_consumer

On Sat, May 26, 2018 at 11:24:01AM +0200, Dmitry Vyukov wrote: > On Sun, May 13, 2018 at 8:21 AM, Eric Biggers wrote: > > On Thu, Apr 05, 2018 at 08:15:24PM -0700, Eric Biggers wrote: > >> On Mon, Jan 29, 2018 at 01:29:48PM +0800, Tianyu Lan wrote: > >> > > >> > > >> > On 1/27/2018 7:27 AM, Eric B

Re: KASAN: use-after-free Write in irq_bypass_register_consumer

On Sun, May 13, 2018 at 8:21 AM, Eric Biggers wrote: > On Thu, Apr 05, 2018 at 08:15:24PM -0700, Eric Biggers wrote: >> On Mon, Jan 29, 2018 at 01:29:48PM +0800, Tianyu Lan wrote: >> > >> > >> > On 1/27/2018 7:27 AM, Eric Biggers wrote: >> > > On Sat, Dec 16, 2017 at 04:37:02PM +0800, Lan, Tianyu

Re: KASAN: use-after-free Write in irq_bypass_register_consumer

On Thu, Apr 05, 2018 at 08:15:24PM -0700, Eric Biggers wrote: > On Mon, Jan 29, 2018 at 01:29:48PM +0800, Tianyu Lan wrote: > > > > > > On 1/27/2018 7:27 AM, Eric Biggers wrote: > > > On Sat, Dec 16, 2017 at 04:37:02PM +0800, Lan, Tianyu wrote: > > > > The root cause is that kvm_irqfd_assign() an

Re: KASAN: use-after-free Write in irq_bypass_register_consumer

On Mon, Jan 29, 2018 at 01:29:48PM +0800, Tianyu Lan wrote: > > > On 1/27/2018 7:27 AM, Eric Biggers wrote: > > On Sat, Dec 16, 2017 at 04:37:02PM +0800, Lan, Tianyu wrote: > > > The root cause is that kvm_irqfd_assign() and kvm_irqfd_deassign() can't > > > be run in parallel. Some data structure

Re: KASAN: use-after-free Write in irq_bypass_register_consumer

On 1/27/2018 7:27 AM, Eric Biggers wrote: On Sat, Dec 16, 2017 at 04:37:02PM +0800, Lan, Tianyu wrote: The root cause is that kvm_irqfd_assign() and kvm_irqfd_deassign() can't be run in parallel. Some data structure(e.g, irqfd->consumer) will be crashed because irqfd may be freed in deassign p

Re: Re: KASAN: use-after-free Write in irq_bypass_register_consumer

On Sat, Dec 16, 2017 at 04:37:02PM +0800, Lan, Tianyu wrote: > The root cause is that kvm_irqfd_assign() and kvm_irqfd_deassign() can't > be run in parallel. Some data structure(e.g, irqfd->consumer) will be > crashed because irqfd may be freed in deassign path before they are used > in assign path

Re: Re: KASAN: use-after-free Write in irq_bypass_register_consumer

The root cause is that kvm_irqfd_assign() and kvm_irqfd_deassign() can't be run in parallel. Some data structure(e.g, irqfd->consumer) will be crashed because irqfd may be freed in deassign path before they are used in assign path. The other data maybe used in deassign path before initialization.

Re: KASAN: use-after-free Write in irq_bypass_register_consumer

I reproduced the issue. Will have a look. -- Best regards Tianyu Lan 2017-12-15 18:14 GMT+08:00 syzbot : > syzkaller has found reproducer for the following crash on > 82bcf1def3b5f1251177ad47c44f7e17af039b4b > git://git.cmpxchg.org/linux-mmots.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .c

Re: KASAN: use-after-free Write in irq_bypass_register_consumer

On Mon, Oct 30, 2017 at 10:12 PM, syzbot wrote: > Hello, > > syzkaller hit the following crash on > cd4175b11685b11c40e31a03e05084cc212b0649 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console output is