CVE-2021-47341

In the Linux kernel, the following vulnerability has been resolved:

KVM: mmio: Fix use-after-free Read in kvmvmioctlunregistercoalesced_mmio

BUG: KASAN: use-after-free in kvmvmioctlunregistercoalescedmmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalescedmmio.c:183 Read of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269

CPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7 Hardware name: linux,dummy-virt (DT) Call trace: dumpbacktrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132 showstack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196 _dumpstack lib/dumpstack.c:77 [inline] dumpstack+0x110/0x164 lib/dumpstack.c:118 printaddressdescription+0x78/0x5c8 mm/kasan/report.c:385 _kasanreport mm/kasan/report.c:545 [inline] kasanreport+0x148/0x1e4 mm/kasan/report.c:562 checkmemoryregioninline mm/kasan/generic.c:183 [inline] _asanload8+0xb4/0xbc mm/kasan/generic.c:252 kvmvmioctlunregistercoalescedmmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalescedmmio.c:183 kvmvmioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvmmain.c:3755 vfsioctl fs/ioctl.c:48 [inline] _dosysioctl fs/ioctl.c:753 [inline] _sesysioctl fs/ioctl.c:739 [inline] _arm64sysioctl+0xf88/0x131c fs/ioctl.c:739 _invokesyscall arch/arm64/kernel/syscall.c:36 [inline] invokesyscall arch/arm64/kernel/syscall.c:48 [inline] el0svccommon arch/arm64/kernel/syscall.c:158 [inline] doel0svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0synchandler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670

Allocated by task 4269: stacktracesave+0x80/0xb8 kernel/stacktrace.c:121 kasansavestack mm/kasan/common.c:48 [inline] kasansettrack mm/kasan/common.c:56 [inline] _kasankmalloc+0xdc/0x120 mm/kasan/common.c:461 kasankmalloc+0xc/0x14 mm/kasan/common.c:475 kmemcachealloctrace include/linux/slab.h:450 [inline] kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:664 [inline] kvmvmioctlregistercoalescedmmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalescedmmio.c:146 kvmvmioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvmmain.c:3746 vfsioctl fs/ioctl.c:48 [inline] _dosysioctl fs/ioctl.c:753 [inline] _sesysioctl fs/ioctl.c:739 [inline] _arm64sysioctl+0xf88/0x131c fs/ioctl.c:739 _invokesyscall arch/arm64/kernel/syscall.c:36 [inline] invokesyscall arch/arm64/kernel/syscall.c:48 [inline] el0svccommon arch/arm64/kernel/syscall.c:158 [inline] doel0svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0synchandler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0sync+0x140/0x180 arch/arm64/kernel/entry.S:670

Freed by task 4269: stacktracesave+0x80/0xb8 kernel/stacktrace.c:121 kasansavestack mm/kasan/common.c:48 [inline] kasansettrack+0x38/0x6c mm/kasan/common.c:56 kasansetfreeinfo+0x20/0x40 mm/kasan/generic.c:355 _kasanslabfree+0x124/0x150 mm/kasan/common.c:422 kasanslabfree+0x10/0x1c mm/kasan/common.c:431 slabfreehook mm/slub.c:1544 [inline] slabfreefreelisthook mm/slub.c:1577 [inline] slabfree mm/slub.c:3142 [inline] kfree+0x104/0x38c mm/slub.c:4124 coalescedmmiodestructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalescedmmio.c:102 kvmiodevicedestructor include/kvm/iodev.h:61 [inline] kvmiobusunregisterdev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvmmain.c:4374 kvmvmioctlunregistercoalescedmmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalescedmmio.c:186 kvmvmioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvmmain.c:3755 vfsioctl fs/ioctl.c:48 [inline] _dosysioctl fs/ioctl.c:753 [inline] _sesysioctl fs/ioctl.c:739 [inline] _arm64sysioctl+0xf88/0x131c fs/ioctl.c:739 _invokesyscall arch/arm64/kernel/syscall.c:36 [inline] invokesyscall arch/arm64/kernel/sys ---truncated---