In the Linux kernel, the following vulnerability has been resolved:
KVM: mmio: Fix use-after-free Read in kvm_vm_ioctl_unregister_coalesced_mmio
BUG: KASAN: use-after-free in kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183 Read of size 8 at addr ffff0000c03a2500 by task syz-executor083/4269
CPU: 5 PID: 4269 Comm: syz-executor083 Not tainted 5.10.0 #7 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132 show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x110/0x164 lib/dump_stack.c:118 print_address_description+0x78/0x5c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report+0x148/0x1e4 mm/kasan/report.c:562 check_memory_region_inline mm/kasan/generic.c:183 [inline] __asan_load8+0xb4/0xbc mm/kasan/generic.c:252 kvm_vm_ioctl_unregister_coalesced_mmio+0x7c/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:183 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
Allocated by task 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461 kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475 kmem_cache_alloc_trace include/linux/slab.h:450 [inline] kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:664 [inline] kvm_vm_ioctl_register_coalesced_mmio+0x78/0x1cc arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:146 kvm_vm_ioctl+0x7e8/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3746 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/syscall.c:48 [inline] el0_svc_common arch/arm64/kernel/syscall.c:158 [inline] do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:220 el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367 el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383 el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
Freed by task 4269: stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121 kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track+0x38/0x6c mm/kasan/common.c:56 kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355 __kasan_slab_free+0x124/0x150 mm/kasan/common.c:422 kasan_slab_free+0x10/0x1c mm/kasan/common.c:431 slab_free_hook mm/slub.c:1544 [inline] slab_free_freelist_hook mm/slub.c:1577 [inline] slab_free mm/slub.c:3142 [inline] kfree+0x104/0x38c mm/slub.c:4124 coalesced_mmio_destructor+0x94/0xa4 arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:102 kvm_iodevice_destructor include/kvm/iodev.h:61 [inline] kvm_io_bus_unregister_dev+0x248/0x280 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4374 kvm_vm_ioctl_unregister_coalesced_mmio+0x158/0x1ec arch/arm64/kvm/../../../virt/kvm/coalesced_mmio.c:186 kvm_vm_ioctl+0xe30/0x14c4 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:3755 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __arm64_sys_ioctl+0xf88/0x131c fs/ioctl.c:739 __invoke_syscall arch/arm64/kernel/syscall.c:36 [inline] invoke_syscall arch/arm64/kernel/sys —truncated—
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Linux | Ubuntu | focal | * |
| Linux | Ubuntu | upstream | * |
| Linux-allwinner-5.19 | Ubuntu | jammy | * |
| Linux-allwinner-5.19 | Ubuntu | upstream | * |
| Linux-aws | Ubuntu | focal | * |
| Linux-aws | Ubuntu | upstream | * |
| Linux-aws-5.0 | Ubuntu | bionic | * |
| Linux-aws-5.0 | Ubuntu | esm-infra/bionic | * |
| Linux-aws-5.0 | Ubuntu | upstream | * |
| Linux-aws-5.11 | Ubuntu | focal | * |
| Linux-aws-5.11 | Ubuntu | upstream | * |
| Linux-aws-5.13 | Ubuntu | focal | * |
| Linux-aws-5.13 | Ubuntu | upstream | * |
| Linux-aws-5.15 | Ubuntu | upstream | * |
| Linux-aws-5.19 | Ubuntu | jammy | * |
| Linux-aws-5.19 | Ubuntu | upstream | * |
| Linux-aws-5.3 | Ubuntu | bionic | * |
| Linux-aws-5.3 | Ubuntu | esm-infra/bionic | * |
| Linux-aws-5.3 | Ubuntu | upstream | * |
| Linux-aws-5.4 | Ubuntu | bionic | * |
| Linux-aws-5.4 | Ubuntu | upstream | * |
| Linux-aws-5.8 | Ubuntu | focal | * |
| Linux-aws-5.8 | Ubuntu | upstream | * |
| Linux-aws-6.2 | Ubuntu | jammy | * |
| Linux-aws-6.2 | Ubuntu | upstream | * |
| Linux-aws-6.5 | Ubuntu | upstream | * |
| Linux-aws-6.8 | Ubuntu | upstream | * |
| Linux-aws-fips | Ubuntu | trusty | * |
| Linux-aws-fips | Ubuntu | upstream | * |
| Linux-aws-fips | Ubuntu | xenial | * |
| Linux-aws-hwe | Ubuntu | upstream | * |
| Linux-azure | Ubuntu | bionic | * |
| Linux-azure | Ubuntu | esm-infra/bionic | * |
| Linux-azure | Ubuntu | focal | * |
| Linux-azure | Ubuntu | upstream | * |
| Linux-azure-4.15 | Ubuntu | upstream | * |
| Linux-azure-5.11 | Ubuntu | focal | * |
| Linux-azure-5.11 | Ubuntu | upstream | * |
| Linux-azure-5.13 | Ubuntu | focal | * |
| Linux-azure-5.13 | Ubuntu | upstream | * |
| Linux-azure-5.15 | Ubuntu | upstream | * |
| Linux-azure-5.19 | Ubuntu | jammy | * |
| Linux-azure-5.19 | Ubuntu | upstream | * |
| Linux-azure-5.3 | Ubuntu | bionic | * |
| Linux-azure-5.3 | Ubuntu | esm-infra/bionic | * |
| Linux-azure-5.3 | Ubuntu | upstream | * |
| Linux-azure-5.4 | Ubuntu | bionic | * |
| Linux-azure-5.4 | Ubuntu | upstream | * |
| Linux-azure-5.8 | Ubuntu | focal | * |
| Linux-azure-5.8 | Ubuntu | upstream | * |
| Linux-azure-6.2 | Ubuntu | jammy | * |
| Linux-azure-6.2 | Ubuntu | upstream | * |
| Linux-azure-6.5 | Ubuntu | upstream | * |
| Linux-azure-6.8 | Ubuntu | upstream | * |
| Linux-azure-edge | Ubuntu | bionic | * |
| Linux-azure-edge | Ubuntu | esm-infra/bionic | * |
| Linux-azure-edge | Ubuntu | upstream | * |
| Linux-azure-fde | Ubuntu | focal | * |
| Linux-azure-fde | Ubuntu | upstream | * |
| Linux-azure-fde-5.15 | Ubuntu | upstream | * |
| Linux-azure-fde-5.19 | Ubuntu | jammy | * |
| Linux-azure-fde-5.19 | Ubuntu | upstream | * |
| Linux-azure-fde-6.2 | Ubuntu | jammy | * |
| Linux-azure-fde-6.2 | Ubuntu | upstream | * |
| Linux-azure-fips | Ubuntu | trusty | * |
| Linux-azure-fips | Ubuntu | upstream | * |
| Linux-azure-fips | Ubuntu | xenial | * |
| Linux-bluefield | Ubuntu | focal | * |
| Linux-bluefield | Ubuntu | upstream | * |
| Linux-fips | Ubuntu | fips-updates/focal | * |
| Linux-fips | Ubuntu | upstream | * |
| Linux-gcp | Ubuntu | bionic | * |
| Linux-gcp | Ubuntu | esm-infra/bionic | * |
| Linux-gcp | Ubuntu | focal | * |
| Linux-gcp | Ubuntu | upstream | * |
| Linux-gcp-4.15 | Ubuntu | upstream | * |
| Linux-gcp-5.11 | Ubuntu | focal | * |
| Linux-gcp-5.11 | Ubuntu | upstream | * |
| Linux-gcp-5.13 | Ubuntu | focal | * |
| Linux-gcp-5.13 | Ubuntu | upstream | * |
| Linux-gcp-5.15 | Ubuntu | upstream | * |
| Linux-gcp-5.19 | Ubuntu | jammy | * |
| Linux-gcp-5.19 | Ubuntu | upstream | * |
| Linux-gcp-5.3 | Ubuntu | bionic | * |
| Linux-gcp-5.3 | Ubuntu | esm-infra/bionic | * |
| Linux-gcp-5.3 | Ubuntu | upstream | * |
| Linux-gcp-5.4 | Ubuntu | bionic | * |
| Linux-gcp-5.4 | Ubuntu | upstream | * |
| Linux-gcp-5.8 | Ubuntu | focal | * |
| Linux-gcp-5.8 | Ubuntu | upstream | * |
| Linux-gcp-6.2 | Ubuntu | jammy | * |
| Linux-gcp-6.2 | Ubuntu | upstream | * |
| Linux-gcp-6.5 | Ubuntu | upstream | * |
| Linux-gcp-6.8 | Ubuntu | upstream | * |
| Linux-gcp-fips | Ubuntu | trusty | * |
| Linux-gcp-fips | Ubuntu | upstream | * |
| Linux-gcp-fips | Ubuntu | xenial | * |
| Linux-gke | Ubuntu | focal | * |
| Linux-gke | Ubuntu | upstream | * |
| Linux-gke | Ubuntu | xenial | * |
| Linux-gke-4.15 | Ubuntu | bionic | * |
| Linux-gke-4.15 | Ubuntu | esm-infra/bionic | * |
| Linux-gke-4.15 | Ubuntu | upstream | * |
| Linux-gke-5.15 | Ubuntu | focal | * |
| Linux-gke-5.15 | Ubuntu | upstream | * |
| Linux-gke-5.4 | Ubuntu | bionic | * |
| Linux-gke-5.4 | Ubuntu | esm-infra/bionic | * |
| Linux-gke-5.4 | Ubuntu | upstream | * |
| Linux-gkeop | Ubuntu | focal | * |
| Linux-gkeop | Ubuntu | upstream | * |
| Linux-gkeop-5.15 | Ubuntu | upstream | * |
| Linux-gkeop-5.4 | Ubuntu | bionic | * |
| Linux-gkeop-5.4 | Ubuntu | esm-infra/bionic | * |
| Linux-gkeop-5.4 | Ubuntu | upstream | * |
| Linux-hwe | Ubuntu | bionic | * |
| Linux-hwe | Ubuntu | esm-infra/bionic | * |
| Linux-hwe | Ubuntu | upstream | * |
| Linux-hwe-5.11 | Ubuntu | focal | * |
| Linux-hwe-5.11 | Ubuntu | upstream | * |
| Linux-hwe-5.13 | Ubuntu | focal | * |
| Linux-hwe-5.13 | Ubuntu | upstream | * |
| Linux-hwe-5.15 | Ubuntu | upstream | * |
| Linux-hwe-5.19 | Ubuntu | jammy | * |
| Linux-hwe-5.19 | Ubuntu | upstream | * |
| Linux-hwe-5.4 | Ubuntu | bionic | * |
| Linux-hwe-5.4 | Ubuntu | upstream | * |
| Linux-hwe-5.8 | Ubuntu | focal | * |
| Linux-hwe-5.8 | Ubuntu | upstream | * |
| Linux-hwe-6.2 | Ubuntu | jammy | * |
| Linux-hwe-6.2 | Ubuntu | upstream | * |
| Linux-hwe-6.5 | Ubuntu | upstream | * |
| Linux-hwe-6.8 | Ubuntu | upstream | * |
| Linux-hwe-edge | Ubuntu | esm-infra/bionic | * |
| Linux-hwe-edge | Ubuntu | esm-infra/xenial | * |
| Linux-hwe-edge | Ubuntu | upstream | * |
| Linux-hwe-edge | Ubuntu | xenial | * |
| Linux-ibm | Ubuntu | focal | * |
| Linux-ibm | Ubuntu | mantic | * |
| Linux-ibm | Ubuntu | upstream | * |
| Linux-ibm-5.15 | Ubuntu | upstream | * |
| Linux-ibm-5.4 | Ubuntu | upstream | * |
| Linux-intel | Ubuntu | upstream | * |
| Linux-intel-5.13 | Ubuntu | focal | * |
| Linux-intel-5.13 | Ubuntu | upstream | * |
| Linux-intel-iot-realtime | Ubuntu | upstream | * |
| Linux-intel-iotg | Ubuntu | upstream | * |
| Linux-intel-iotg-5.15 | Ubuntu | upstream | * |
| Linux-iot | Ubuntu | upstream | * |
| Linux-kvm | Ubuntu | focal | * |
| Linux-kvm | Ubuntu | upstream | * |
| Linux-laptop | Ubuntu | upstream | * |
| Linux-lowlatency | Ubuntu | upstream | * |
| Linux-lowlatency-hwe-5.15 | Ubuntu | upstream | * |
| Linux-lowlatency-hwe-5.19 | Ubuntu | jammy | * |
| Linux-lowlatency-hwe-5.19 | Ubuntu | upstream | * |
| Linux-lowlatency-hwe-6.2 | Ubuntu | jammy | * |
| Linux-lowlatency-hwe-6.2 | Ubuntu | upstream | * |
| Linux-lowlatency-hwe-6.5 | Ubuntu | upstream | * |
| Linux-lowlatency-hwe-6.8 | Ubuntu | upstream | * |
| Linux-lts-xenial | Ubuntu | upstream | * |
| Linux-nvidia | Ubuntu | upstream | * |
| Linux-nvidia-6.2 | Ubuntu | jammy | * |
| Linux-nvidia-6.2 | Ubuntu | upstream | * |
| Linux-nvidia-6.5 | Ubuntu | upstream | * |
| Linux-nvidia-6.8 | Ubuntu | upstream | * |
| Linux-nvidia-lowlatency | Ubuntu | upstream | * |
| Linux-oem | Ubuntu | bionic | * |
| Linux-oem | Ubuntu | esm-infra/bionic | * |
| Linux-oem | Ubuntu | upstream | * |
| Linux-oem | Ubuntu | xenial | * |
| Linux-oem-5.10 | Ubuntu | focal | * |
| Linux-oem-5.10 | Ubuntu | upstream | * |
| Linux-oem-5.13 | Ubuntu | focal | * |
| Linux-oem-5.13 | Ubuntu | upstream | * |
| Linux-oem-5.14 | Ubuntu | focal | * |
| Linux-oem-5.14 | Ubuntu | upstream | * |
| Linux-oem-5.17 | Ubuntu | jammy | * |
| Linux-oem-5.17 | Ubuntu | upstream | * |
| Linux-oem-5.6 | Ubuntu | focal | * |
| Linux-oem-5.6 | Ubuntu | upstream | * |
| Linux-oem-6.0 | Ubuntu | jammy | * |
| Linux-oem-6.0 | Ubuntu | upstream | * |
| Linux-oem-6.1 | Ubuntu | jammy | * |
| Linux-oem-6.1 | Ubuntu | upstream | * |
| Linux-oem-6.5 | Ubuntu | upstream | * |
| Linux-oem-6.8 | Ubuntu | upstream | * |
| Linux-oracle | Ubuntu | focal | * |
| Linux-oracle | Ubuntu | upstream | * |
| Linux-oracle-5.0 | Ubuntu | bionic | * |
| Linux-oracle-5.0 | Ubuntu | esm-infra/bionic | * |
| Linux-oracle-5.0 | Ubuntu | upstream | * |
| Linux-oracle-5.11 | Ubuntu | focal | * |
| Linux-oracle-5.11 | Ubuntu | upstream | * |
| Linux-oracle-5.13 | Ubuntu | focal | * |
| Linux-oracle-5.13 | Ubuntu | upstream | * |
| Linux-oracle-5.15 | Ubuntu | upstream | * |
| Linux-oracle-5.3 | Ubuntu | bionic | * |
| Linux-oracle-5.3 | Ubuntu | esm-infra/bionic | * |
| Linux-oracle-5.3 | Ubuntu | upstream | * |
| Linux-oracle-5.4 | Ubuntu | bionic | * |
| Linux-oracle-5.4 | Ubuntu | upstream | * |
| Linux-oracle-5.8 | Ubuntu | focal | * |
| Linux-oracle-5.8 | Ubuntu | upstream | * |
| Linux-oracle-6.5 | Ubuntu | upstream | * |
| Linux-oracle-6.8 | Ubuntu | upstream | * |
| Linux-raspi | Ubuntu | focal | * |
| Linux-raspi | Ubuntu | upstream | * |
| Linux-raspi-5.4 | Ubuntu | bionic | * |
| Linux-raspi-5.4 | Ubuntu | upstream | * |
| Linux-raspi-realtime | Ubuntu | upstream | * |
| Linux-raspi2 | Ubuntu | bionic | * |
| Linux-raspi2 | Ubuntu | focal | * |
| Linux-raspi2 | Ubuntu | upstream | * |
| Linux-raspi2 | Ubuntu | xenial | * |
| Linux-realtime | Ubuntu | jammy | * |
| Linux-realtime | Ubuntu | upstream | * |
| Linux-riscv | Ubuntu | focal | * |
| Linux-riscv | Ubuntu | jammy | * |
| Linux-riscv | Ubuntu | upstream | * |
| Linux-riscv-5.11 | Ubuntu | focal | * |
| Linux-riscv-5.11 | Ubuntu | upstream | * |
| Linux-riscv-5.15 | Ubuntu | upstream | * |
| Linux-riscv-5.19 | Ubuntu | jammy | * |
| Linux-riscv-5.19 | Ubuntu | upstream | * |
| Linux-riscv-5.8 | Ubuntu | focal | * |
| Linux-riscv-5.8 | Ubuntu | upstream | * |
| Linux-riscv-6.5 | Ubuntu | upstream | * |
| Linux-riscv-6.8 | Ubuntu | upstream | * |
| Linux-starfive | Ubuntu | upstream | * |
| Linux-starfive-5.19 | Ubuntu | jammy | * |
| Linux-starfive-5.19 | Ubuntu | upstream | * |
| Linux-starfive-6.2 | Ubuntu | jammy | * |
| Linux-starfive-6.2 | Ubuntu | upstream | * |
| Linux-starfive-6.5 | Ubuntu | upstream | * |
| Linux-xilinx-zynqmp | Ubuntu | upstream | * |