[Kernel-packages] [Bug 1534054] Re: use-after-free found by KASAN in blk_mq_register_disk

2016-01-25 Thread Christopher M. Penalver
** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1534054

Title:
  use-after-free found by KASAN in blk_mq_register_disk

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  We are trying to debug the kernel using KASAN and we found that when a
  VM is booting in our cloud, on the virtualised kernel, there is a use-
  after-free access that should not be there.

  The failing VM was running on a host with kernel 3.13.0-66-generic
  (trusty). Hosts' qemu version: 1:2.2+dfsg-5expubuntu9.3~cloud0. Hosts'
  seabios: 1.7.5-1ubuntu1~cloud0

  The flavour of this VM is 4 CPUs, 8G RAM, 80G of root disk, 0 G swap
  and 0 G ephemeral disk.

  Here is the trace from KASAN (from the VM):

  The error message can be observed in the dmesg when the guest VM
  booted with v3.13.0-65 with KASAN enabled and
  "slub_debug=PU,kmalloc-32" in kernel command line.

  ==
  BUG: KASan: out of bounds access in blk_mq_register_disk+0x193/0x260 at addr 
8801f43f4d90
  Read of size 8 by task swapper/0/1
  =
  BUG kmalloc-32 (Not tainted): kasan: bad access detected
  -

  Disabling lock debugging due to kernel taint
  INFO: Allocated in blk_mq_init_hw_queues+0x778/0x920 age=5 cpu=1 pid=1
  __slab_alloc+0x4f8/0x560
  __kmalloc_node+0xad/0x310
  blk_mq_init_hw_queues+0x778/0x920
  blk_mq_init_queue+0x5f7/0x6c0
  virtblk_probe+0x207/0x980
  virtio_dev_probe+0x1be/0x280
  driver_probe_device+0xe2/0x5c0
  __driver_attach+0xc3/0xd0
  bus_for_each_dev+0x95/0xe0
  driver_attach+0x2b/0x30
  bus_add_driver+0x268/0x360
  driver_register+0xd3/0x1a0
  register_virtio_driver+0x3c/0x60
  init+0x53/0x80
  do_one_initcall+0xda/0x1a0
  kernel_init_freeable+0x1eb/0x27e
  INFO: Freed in kzfree+0x2d/0x40 age=13 cpu=0 pid=8
  __slab_free+0x2ab/0x3f0
  kfree+0x161/0x170
  kzfree+0x2d/0x40
  aa_free_task_context+0x5d/0xa0
  apparmor_cred_free+0x24/0x40
  security_cred_free+0x2b/0x30
  put_cred_rcu+0x38/0x140
  rcu_nocb_kthread+0x25a/0x410
  kthread+0x101/0x120
  ret_from_fork+0x58/0x90
  INFO: Slab 0xea0007d0fd00 objects=23 used=21 fp=0x8801f43f52d0 
flags=0x2004080
  INFO: Object 0x8801f43f4d70 @offset=3440 fp=0x8801f43f5830
  Bytes b4 8801f43f4d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  

  Object 8801f43f4d70: 00 ac 61 f7 01 88 ff ff 00 ac 69 f7 01 88 ff ff  
..a...i.
  Object 8801f43f4d80: 00 ac 71 f7 01 88 ff ff 00 ac 79 f7 01 88 ff ff  
..q...y.
  CPU: 0 PID: 1 Comm: swapper/0 Tainted: GB 3.13.0-65-generic #105
  Hardware name: OpenStack Foundation OpenStack Nova, BIOS 
1.7.5-20150310_111955-batsu 04/01/2014
   ea0007d0fd00 8801f40cf9a8 81a6ce35 8801f7001c00
   8801f40cf9d8 81244aed 8801f7001c00 ea0007d0fd00
   8801f43f4d70 8801f779ac98 8801f40cfa00 8124ac36
  Call Trace:
   [] dump_stack+0x45/0x56
   [] print_trailer+0xfd/0x170
   [] object_err+0x36/0x40
   [] kasan_report_error+0x1e9/0x3a0
   [] ? sysfs_get+0x17/0x50
   [] ? kobject_add_internal+0x29b/0x4a0
   [] kasan_report+0x40/0x50
   [] ? dev_printk_emit+0x20/0x40
   [] ? blk_mq_register_disk+0x193/0x260
   [] __asan_load8+0x69/0xa0
   [] blk_mq_register_disk+0x193/0x260
   [] blk_register_queue+0xd2/0x170
   [] add_disk+0x31f/0x720
   [] virtblk_probe+0x58a/0x980
   [] ? virtblk_restore+0x100/0x100
   [] virtio_dev_probe+0x1be/0x280
   [] ? __device_attach+0x70/0x70
   [] driver_probe_device+0xe2/0x5c0
   [] ? __device_attach+0x70/0x70
   [] __driver_attach+0xc3/0xd0
   [] bus_for_each_dev+0x95/0xe0
   [] driver_attach+0x2b/0x30
   [] bus_add_driver+0x268/0x360
   [] driver_register+0xd3/0x1a0
   [] ? loop_init+0x14b/0x14b
   [] register_virtio_driver+0x3c/0x60
   [] init+0x53/0x80
   [] do_one_initcall+0xda/0x1a0
   [] kernel_init_freeable+0x1eb/0x27e
   [] ? rest_init+0x80/0x80
   [] kernel_init+0xe/0x130
   [] ret_from_fork+0x58/0x90
   [] ? rest_init+0x80/0x80
  Memory state around the buggy address:
   8801f43f4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   8801f43f4d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
  >8801f43f4d80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   ^
   8801f43f4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   8801f43f4e80: fc fc fc fc fc fc fc fc fc 00 00 00 00 fc fc fc
  ==

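The two KASAN reports quoted in the description (the original use-after-free report, and the one taken with "slub_debug=PU,kmalloc-32" on the command line) can be read mechanically. The script below is an added example, not code from this bug or from the Ubuntu kernel team: it parses the "BUG: KASan:" header, the SLUB cache and object lines and the "Memory state around the buggy address" shadow dump, then says what the shadow byte covering the accessed address means and where the read falls relative to the 32-byte object. The sample inputs are the reports from this bug trimmed to the lines the parser needs, with the line-wrapped "at addr" value rejoined; the shadow poison values are taken from the kernel's KASAN header (mm/kasan/kasan.h) as assumed here.

```python
"""Triage helper for the KASAN + SLUB reports quoted in this bug (added example)."""
import re

SHADOW_SCALE = 8               # one shadow byte covers 8 bytes of kernel memory
ROW_BYTES = 16 * SHADOW_SCALE  # one dump row = 16 shadow bytes = 128 kernel bytes

# KASAN shadow poison values (assumed from the kernel's mm/kasan/kasan.h).
POISON = {0xfa: "global redzone", 0xfb: "freed slab object",
          0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}

# Sample inputs: the reports from the bug description, trimmed, addresses rejoined.
REPORT_UAF = """\
BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr 8801ec247400
Read of size 8 by task swapper/0/1
BUG kmalloc-32 (Not tainted): kasan: bad access detected
INFO: Object 0x8801ec247400 @offset=1024 fp=0x8801ec247420
Object 8801ec247400: 20 74 24 ec 01 88 ff ff 2f 76 69 72 74 75 61 6c
Object 8801ec247410: 2f 62 64 69 2f 32 35 33 3a 30 00 00 00 00 00 00
Memory state around the buggy address:
 8801ec247380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>8801ec247400: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 8801ec247480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

REPORT_OOB = """\
BUG: KASan: out of bounds access in blk_mq_register_disk+0x193/0x260 at addr 8801f43f4d90
Read of size 8 by task swapper/0/1
BUG kmalloc-32 (Not tainted): kasan: bad access detected
INFO: Allocated in blk_mq_init_hw_queues+0x778/0x920 age=5 cpu=1 pid=1
INFO: Freed in kzfree+0x2d/0x40 age=13 cpu=0 pid=8
INFO: Object 0x8801f43f4d70 @offset=3440 fp=0x8801f43f5830
Object 8801f43f4d70: 00 ac 61 f7 01 88 ff ff 00 ac 69 f7 01 88 ff ff
Object 8801f43f4d80: 00 ac 71 f7 01 88 ff ff 00 ac 79 f7 01 88 ff ff
Memory state around the buggy address:
 8801f43f4d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
>8801f43f4d80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 8801f43f4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""


def shadow_meaning(value):
    """Human-readable meaning of one KASAN shadow byte."""
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:
        return "partially addressable (first %d of 8 bytes)" % value
    return POISON.get(value, "unknown poison 0x%02x" % value)


def parse_report(text):
    """Pull the header, SLUB object info and shadow rows out of a report."""
    hdr = re.search(r"BUG: KASan: (.+?) in (\S+) at addr\s+([0-9a-f]+)", text)
    if hdr is None:
        raise ValueError("no KASan header in report")
    cache = re.search(r"BUG kmalloc-(\d+)", text)
    obj = re.search(r"INFO: Object 0x([0-9a-f]+) @offset", text)
    alloc = re.search(r"INFO: Allocated in (\S+)", text)
    freed = re.search(r"INFO: Freed in (\S+)", text)
    shadow, in_state = {}, False
    for line in text.splitlines():
        if "Memory state around" in line:
            in_state = True          # rows follow: <kernel addr>: 16 shadow bytes
        elif in_state:
            row = re.match(r"\s*>?\s*([0-9a-f]+):((?:[ \t]+[0-9a-f]{2}){16})\s*$", line)
            if row:
                shadow[int(row.group(1), 16)] = [int(b, 16) for b in row.group(2).split()]
    return {
        "kind": hdr.group(1), "func": hdr.group(2), "addr": int(hdr.group(3), 16),
        "size": int(re.search(r"(?:Read|Write) of size (\d+)", text).group(1)),
        "obj_size": int(cache.group(1)) if cache else None,
        "obj_addr": int(obj.group(1), 16) if obj else None,
        "alloc_site": alloc.group(1) if alloc else None,
        "free_site": freed.group(1) if freed else None,
        "shadow": shadow,
    }


def shadow_at(report, addr):
    """Shadow byte covering `addr`: pick the 128-byte row, then the 8-byte cell."""
    row = addr & ~(ROW_BYTES - 1)
    cells = report["shadow"].get(row)
    return None if cells is None else cells[(addr - row) // SHADOW_SCALE]


def triage(text):
    """Classify the access from the shadow byte and its position in the object."""
    r = parse_report(text)
    sb = shadow_at(r, r["addr"])
    out = {"kind": r["kind"], "func": r["func"], "shadow": sb,
           "shadow_meaning": "no dump row" if sb is None else shadow_meaning(sb),
           "alloc_site": r["alloc_site"], "free_site": r["free_site"]}
    if r["obj_addr"] is not None and r["obj_size"]:
        off = r["addr"] - r["obj_addr"]
        out["offset_in_object"] = off
        # the access covers [off, off+size); reaching past obj_size is out of bounds
        out["past_end"] = off + r["size"] > r["obj_size"]
    return out


def object_ascii(text):
    """Decode the SLUB 'Object <addr>: <hex>' lines as the report's ASCII column."""
    data = []
    for m in re.finditer(r"^\s*Object [0-9a-f]+:((?:[ \t]+[0-9a-f]{2})+)", text, re.M):
        data += [int(b, 16) for b in m.group(1).split()]
    return "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in data)


if __name__ == "__main__":
    for name, rep in (("use-after-free report", REPORT_UAF), ("slub_debug report", REPORT_OOB)):
        print(name, triage(rep))
        print("  object bytes as text:", repr(object_ascii(rep)))
```

On the first report the script finds shadow byte 0xfb (freed slab object) at offset 0 of the object, and object_ascii recovers the "/virtual/bdi/253:0" string already visible in the report's right-hand column, so the 32-byte slot held a path string by the time blk_mq_register_disk read it. On the second report, taken with slub_debug poisoning, the same read lands at offset 32 of a 32-byte object, where the shadow byte is 0xfc (slab redzone); that is why KASAN now labels the identical access "out of bounds" rather than "use after free", and the Allocated/Freed lines name the blk_mq_init_hw_queues allocation and the kzfree call that last touched that slot.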

[Kernel-packages] [Bug 1534054] Re: use-after-free found by KASAN in blk_mq_register_disk

2016-01-14 Thread Gema Gomez
** Description changed:

+ We are trying to debug the kernel using KASAN and we found that when a
+ VM is booting in our cloud, on the virtualised kernel, there is a use-
+ after-free access that should not be there.
+ 
+ Here is the trace from KASAN:
+ 
  The error message can be observed in the dmesg when the guest VM booted
  with v3.13.0-65 with KASAN enabled.
  
  ==
  BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr 
8801ec247400
  Read of size 8 by task swapper/0/1
  =
  BUG kmalloc-32 (Not tainted): kasan: bad access detected
  -
  
  Disabling lock debugging due to kernel taint
  INFO: Slab 0xea0007b091c0 objects=128 used=128 fp=0x  (null) 
flags=0x280
  INFO: Object 0x8801ec247400 @offset=1024 fp=0x8801ec247420
  
  Bytes b4 8801ec2473f0: 00 ac 71 ef 01 88 ff ff 00 ac 79 ef 01 88 ff ff  
..q...y.
  Object 8801ec247400: 20 74 24 ec 01 88 ff ff 2f 76 69 72 74 75 61 6c   
t$./virtual
  Object 8801ec247410: 2f 62 64 69 2f 32 35 33 3a 30 00 00 00 00 00 00  
/bdi/253:0..
  CPU: 0 PID: 1 Comm: swapper/0 Tainted: GB 3.13.0-65-generic #105
  Hardware name: OpenStack Foundation OpenStack Nova, BIOS 
1.7.5-20150310_111955-batsu 04/01/2014
   ea0007b091c0 8801ec0cb9a8 81a6ce35 8801ef001c00
   8801ec0cb9d8 81244aed 8801ef001c00 ea0007b091c0
   8801ec247400 8801ef79ac98 8801ec0cba00 8124ac36
  Call Trace:
   [] dump_stack+0x45/0x56
   [] print_trailer+0xfd/0x170
   [] object_err+0x36/0x40
   [] kasan_report_error+0x1e9/0x3a0
   [] ? sysfs_get+0x17/0x50
   [] ? kobject_add_internal+0x29b/0x4a0
   [] kasan_report+0x40/0x50
   [] ? dev_printk_emit+0x20/0x40
   [] ? blk_mq_register_disk+0x193/0x260
   [] __asan_load8+0x69/0xa0
   [] blk_mq_register_disk+0x193/0x260
   [] blk_register_queue+0xd2/0x170
   [] add_disk+0x31f/0x720
   [] virtblk_probe+0x58a/0x980
   [] ? virtblk_restore+0x100/0x100
   [] virtio_dev_probe+0x1be/0x280
   [] ? __device_attach+0x70/0x70
   [] driver_probe_device+0xe2/0x5c0
   [] ? __device_attach+0x70/0x70
   [] __driver_attach+0xc3/0xd0
   [] bus_for_each_dev+0x95/0xe0
   [] driver_attach+0x2b/0x30
   [] bus_add_driver+0x268/0x360
   [] driver_register+0xd3/0x1a0
   [] ? loop_init+0x14b/0x14b
   [] register_virtio_driver+0x3c/0x60
   [] init+0x53/0x80
   [] do_one_initcall+0xda/0x1a0
   [] kernel_init_freeable+0x1eb/0x27e
   [] ? rest_init+0x80/0x80
   [] kernel_init+0xe/0x130
   [] ret_from_fork+0x58/0x90
   [] ? rest_init+0x80/0x80
  Memory state around the buggy address:
   8801ec247300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   8801ec247380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  >8801ec247400: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
     ^
   8801ec247480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   8801ec247500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ==

** Tags added: sts


Title:
  use-after-free found by KASAN in blk_mq_register_disk

Status in linux package in Ubuntu:
  Incomplete

Bug description:
  We are trying to debug the kernel using KASAN and we found that when a
  VM is booting in our cloud, on the virtualised kernel, there is a use-
  after-free access that should not be there.

  Here is the trace from KASAN:

  The error message can be observed in the dmesg when the guest VM
  booted with v3.13.0-65 with KASAN enabled.

  ==
  BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr 
8801ec247400
  Read of size 8 by task swapper/0/1
  =
  BUG kmalloc-32 (Not tainted): kasan: bad access detected
  -

  Disabling lock debugging due to kernel taint
  INFO: Slab 0xea0007b091c0 objects=128 used=128 fp=0x  (null) 
flags=0x280
  INFO: Object 0x8801ec247400 @offset=1024 fp=0x8801ec247420

  Bytes b4 8801ec2473f0: 00 ac 71 ef 01 88 ff ff 00 ac 79 ef 01 88 ff ff  
..q...y.
  Object 8801ec247400: 20 74 24 ec 01 88 ff ff 2f 76 69 72 74 75 61 6c   
t$./virtual
  Object 8801ec247410: 2f 62 64 69 2f 32 35 33 3a 30 00 00 00 00 00 00  
/bdi/253:0..
  CPU: 0 PID: 1 Comm: swapper/0 Tainted: GB 3.13.0-65-generic #105
  Hardware name: OpenStack Foundation OpenStack Nova, BIOS 
1.7.5-20150310_111955-batsu 04/01/2014
  

[Kernel-packages] [Bug 1534054] Re: use-after-free found by KASAN in blk_mq_register_disk

2016-01-14 Thread Gema Gomez
** Description changed:

  We are trying to debug the kernel using KASAN and we found that when a
  VM is booting in our cloud, on the virtualised kernel, there is a use-
  after-free access that should not be there.
  
- Here is the trace from KASAN:
+ The failing VM was running on a host with kernel 3.13.0-66-generic
+ (trusty). Hosts' qemu version: 1:2.2+dfsg-5expubuntu9.3~cloud0
+ 
+ Here is the trace from KASAN (from the VM):
  
  The error message can be observed in the dmesg when the guest VM booted
  with v3.13.0-65 with KASAN enabled.
  
  ==
  BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr 
8801ec247400
  Read of size 8 by task swapper/0/1
  =
  BUG kmalloc-32 (Not tainted): kasan: bad access detected
  -
  
  Disabling lock debugging due to kernel taint
  INFO: Slab 0xea0007b091c0 objects=128 used=128 fp=0x  (null) 
flags=0x280
  INFO: Object 0x8801ec247400 @offset=1024 fp=0x8801ec247420
  
  Bytes b4 8801ec2473f0: 00 ac 71 ef 01 88 ff ff 00 ac 79 ef 01 88 ff ff  
..q...y.
  Object 8801ec247400: 20 74 24 ec 01 88 ff ff 2f 76 69 72 74 75 61 6c   
t$./virtual
  Object 8801ec247410: 2f 62 64 69 2f 32 35 33 3a 30 00 00 00 00 00 00  
/bdi/253:0..
  CPU: 0 PID: 1 Comm: swapper/0 Tainted: GB 3.13.0-65-generic #105
  Hardware name: OpenStack Foundation OpenStack Nova, BIOS 
1.7.5-20150310_111955-batsu 04/01/2014
   ea0007b091c0 8801ec0cb9a8 81a6ce35 8801ef001c00
   8801ec0cb9d8 81244aed 8801ef001c00 ea0007b091c0
   8801ec247400 8801ef79ac98 8801ec0cba00 8124ac36
  Call Trace:
   [] dump_stack+0x45/0x56
   [] print_trailer+0xfd/0x170
   [] object_err+0x36/0x40
   [] kasan_report_error+0x1e9/0x3a0
   [] ? sysfs_get+0x17/0x50
   [] ? kobject_add_internal+0x29b/0x4a0
   [] kasan_report+0x40/0x50
   [] ? dev_printk_emit+0x20/0x40
   [] ? blk_mq_register_disk+0x193/0x260
   [] __asan_load8+0x69/0xa0
   [] blk_mq_register_disk+0x193/0x260
   [] blk_register_queue+0xd2/0x170
   [] add_disk+0x31f/0x720
   [] virtblk_probe+0x58a/0x980
   [] ? virtblk_restore+0x100/0x100
   [] virtio_dev_probe+0x1be/0x280
   [] ? __device_attach+0x70/0x70
   [] driver_probe_device+0xe2/0x5c0
   [] ? __device_attach+0x70/0x70
   [] __driver_attach+0xc3/0xd0
   [] bus_for_each_dev+0x95/0xe0
   [] driver_attach+0x2b/0x30
   [] bus_add_driver+0x268/0x360
   [] driver_register+0xd3/0x1a0
   [] ? loop_init+0x14b/0x14b
   [] register_virtio_driver+0x3c/0x60
   [] init+0x53/0x80
   [] do_one_initcall+0xda/0x1a0
   [] kernel_init_freeable+0x1eb/0x27e
   [] ? rest_init+0x80/0x80
   [] kernel_init+0xe/0x130
   [] ret_from_fork+0x58/0x90
   [] ? rest_init+0x80/0x80
  Memory state around the buggy address:
   8801ec247300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   8801ec247380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  >8801ec247400: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
     ^
   8801ec247480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   8801ec247500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ==

** Description changed:

  We are trying to debug the kernel using KASAN and we found that when a
  VM is booting in our cloud, on the virtualised kernel, there is a use-
  after-free access that should not be there.
  
  The failing VM was running on a host with kernel 3.13.0-66-generic
  (trusty). Hosts' qemu version: 1:2.2+dfsg-5expubuntu9.3~cloud0
+ 
+ The flavour of this VM is 4 CPUs, 8G RAM, 80G of root disk, 0 G swap and
+ 0 G ephemeral disk.
  
  Here is the trace from KASAN (from the VM):
  
  The error message can be observed in the dmesg when the guest VM booted
  with v3.13.0-65 with KASAN enabled.
  
  ==
  BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr 
8801ec247400
  Read of size 8 by task swapper/0/1
  =
  BUG kmalloc-32 (Not tainted): kasan: bad access detected
  -
  
  Disabling lock debugging due to kernel taint
  INFO: Slab 0xea0007b091c0 objects=128 used=128 fp=0x  (null) 
flags=0x280
  INFO: Object 0x8801ec247400 @offset=1024 fp=0x8801ec247420
  
  Bytes b4 8801ec2473f0: 00 ac 71 ef 01 88 ff ff 00 ac 79 ef 01 88 ff ff  
..q...y.
  Object 8801ec247400: 20 74 24 ec 01 88 ff ff 2f 76 69 72 74 75 61 6c   
t$./virtual
  Object 8801ec247410: 2f 62 64 69 2f 32 35 33 3a 30 00 00 00 00 00 00  
/bdi/253:0..
  CPU: 0 PID: 1 Comm: swap

[Kernel-packages] [Bug 1534054] Re: use-after-free found by KASAN in blk_mq_register_disk

2016-01-14 Thread Gema Gomez
** Description changed:

  We are trying to debug the kernel using KASAN and we found that when a
  VM is booting in our cloud, on the virtualised kernel, there is a use-
  after-free access that should not be there.
  
  The failing VM was running on a host with kernel 3.13.0-66-generic
- (trusty). Hosts' qemu version: 1:2.2+dfsg-5expubuntu9.3~cloud0
+ (trusty). Hosts' qemu version: 1:2.2+dfsg-5expubuntu9.3~cloud0. Hosts'
+ seabios: 1.7.5-1ubuntu1~cloud0
  
  The flavour of this VM is 4 CPUs, 8G RAM, 80G of root disk, 0 G swap and
  0 G ephemeral disk.
  
  Here is the trace from KASAN (from the VM):
  
  The error message can be observed in the dmesg when the guest VM booted
  with v3.13.0-65 with KASAN enabled.
  
  ==
  BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr 
8801ec247400
  Read of size 8 by task swapper/0/1
  =
  BUG kmalloc-32 (Not tainted): kasan: bad access detected
  -
  
  Disabling lock debugging due to kernel taint
  INFO: Slab 0xea0007b091c0 objects=128 used=128 fp=0x  (null) 
flags=0x280
  INFO: Object 0x8801ec247400 @offset=1024 fp=0x8801ec247420
  
  Bytes b4 8801ec2473f0: 00 ac 71 ef 01 88 ff ff 00 ac 79 ef 01 88 ff ff  
..q...y.
  Object 8801ec247400: 20 74 24 ec 01 88 ff ff 2f 76 69 72 74 75 61 6c   
t$./virtual
  Object 8801ec247410: 2f 62 64 69 2f 32 35 33 3a 30 00 00 00 00 00 00  
/bdi/253:0..
  CPU: 0 PID: 1 Comm: swapper/0 Tainted: GB 3.13.0-65-generic #105
  Hardware name: OpenStack Foundation OpenStack Nova, BIOS 
1.7.5-20150310_111955-batsu 04/01/2014
   ea0007b091c0 8801ec0cb9a8 81a6ce35 8801ef001c00
   8801ec0cb9d8 81244aed 8801ef001c00 ea0007b091c0
   8801ec247400 8801ef79ac98 8801ec0cba00 8124ac36
  Call Trace:
   [] dump_stack+0x45/0x56
   [] print_trailer+0xfd/0x170
   [] object_err+0x36/0x40
   [] kasan_report_error+0x1e9/0x3a0
   [] ? sysfs_get+0x17/0x50
   [] ? kobject_add_internal+0x29b/0x4a0
   [] kasan_report+0x40/0x50
   [] ? dev_printk_emit+0x20/0x40
   [] ? blk_mq_register_disk+0x193/0x260
   [] __asan_load8+0x69/0xa0
   [] blk_mq_register_disk+0x193/0x260
   [] blk_register_queue+0xd2/0x170
   [] add_disk+0x31f/0x720
   [] virtblk_probe+0x58a/0x980
   [] ? virtblk_restore+0x100/0x100
   [] virtio_dev_probe+0x1be/0x280
   [] ? __device_attach+0x70/0x70
   [] driver_probe_device+0xe2/0x5c0
   [] ? __device_attach+0x70/0x70
   [] __driver_attach+0xc3/0xd0
   [] bus_for_each_dev+0x95/0xe0
   [] driver_attach+0x2b/0x30
   [] bus_add_driver+0x268/0x360
   [] driver_register+0xd3/0x1a0
   [] ? loop_init+0x14b/0x14b
   [] register_virtio_driver+0x3c/0x60
   [] init+0x53/0x80
   [] do_one_initcall+0xda/0x1a0
   [] kernel_init_freeable+0x1eb/0x27e
   [] ? rest_init+0x80/0x80
   [] kernel_init+0xe/0x130
   [] ret_from_fork+0x58/0x90
   [] ? rest_init+0x80/0x80
  Memory state around the buggy address:
   8801ec247300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   8801ec247380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  >8801ec247400: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
     ^
   8801ec247480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   8801ec247500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ==


Title:
  use-after-free found by KASAN in blk_mq_register_disk

Status in linux package in Ubuntu:
  Incomplete

Bug description:
  We are trying to debug the kernel using KASAN and we found that when a
  VM is booting in our cloud, on the virtualised kernel, there is a use-
  after-free access that should not be there.

  The failing VM was running on a host with kernel 3.13.0-66-generic
  (trusty). Hosts' qemu version: 1:2.2+dfsg-5expubuntu9.3~cloud0. Hosts'
  seabios: 1.7.5-1ubuntu1~cloud0

  The flavour of this VM is 4 CPUs, 8G RAM, 80G of root disk, 0 G swap
  and 0 G ephemeral disk.

  Here is the trace from KASAN (from the VM):

  The error message can be observed in the dmesg when the guest VM
  booted with v3.13.0-65 with KASAN enabled.

  ==
  BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr 
8801ec247400
  Read of size 8 by task swapper/0/1
  =
  BUG kmalloc-32 (Not tainted): kasan: bad access detected
  -

  Disabling lock debugging due to kernel taint
  INFO: S

[Kernel-packages] [Bug 1534054] Re: use-after-free found by KASAN in blk_mq_register_disk

2016-01-14 Thread Gavin Guo
** Changed in: linux (Ubuntu)
 Assignee: (unassigned) => Gavin Guo (mimi0213kimo)


Title:
  use-after-free found by KASAN in blk_mq_register_disk

Status in linux package in Ubuntu:
  Incomplete

Bug description:
  We are trying to debug the kernel using KASAN and we found that when a
  VM is booting in our cloud, on the virtualised kernel, there is a use-
  after-free access that should not be there.

  The failing VM was running on a host with kernel 3.13.0-66-generic
  (trusty). Hosts' qemu version: 1:2.2+dfsg-5expubuntu9.3~cloud0. Hosts'
  seabios: 1.7.5-1ubuntu1~cloud0

  The flavour of this VM is 4 CPUs, 8G RAM, 80G of root disk, 0 G swap
  and 0 G ephemeral disk.

  Here is the trace from KASAN (from the VM):

  The error message can be observed in the dmesg when the guest VM
  booted with v3.13.0-65 with KASAN enabled.

  ==
  BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr 
8801ec247400
  Read of size 8 by task swapper/0/1
  =
  BUG kmalloc-32 (Not tainted): kasan: bad access detected
  -

  Disabling lock debugging due to kernel taint
  INFO: Slab 0xea0007b091c0 objects=128 used=128 fp=0x  (null) 
flags=0x280
  INFO: Object 0x8801ec247400 @offset=1024 fp=0x8801ec247420

  Bytes b4 8801ec2473f0: 00 ac 71 ef 01 88 ff ff 00 ac 79 ef 01 88 ff ff  
..q...y.
  Object 8801ec247400: 20 74 24 ec 01 88 ff ff 2f 76 69 72 74 75 61 6c   
t$./virtual
  Object 8801ec247410: 2f 62 64 69 2f 32 35 33 3a 30 00 00 00 00 00 00  
/bdi/253:0..
  CPU: 0 PID: 1 Comm: swapper/0 Tainted: GB 3.13.0-65-generic #105
  Hardware name: OpenStack Foundation OpenStack Nova, BIOS 
1.7.5-20150310_111955-batsu 04/01/2014
   ea0007b091c0 8801ec0cb9a8 81a6ce35 8801ef001c00
   8801ec0cb9d8 81244aed 8801ef001c00 ea0007b091c0
   8801ec247400 8801ef79ac98 8801ec0cba00 8124ac36
  Call Trace:
   [] dump_stack+0x45/0x56
   [] print_trailer+0xfd/0x170
   [] object_err+0x36/0x40
   [] kasan_report_error+0x1e9/0x3a0
   [] ? sysfs_get+0x17/0x50
   [] ? kobject_add_internal+0x29b/0x4a0
   [] kasan_report+0x40/0x50
   [] ? dev_printk_emit+0x20/0x40
   [] ? blk_mq_register_disk+0x193/0x260
   [] __asan_load8+0x69/0xa0
   [] blk_mq_register_disk+0x193/0x260
   [] blk_register_queue+0xd2/0x170
   [] add_disk+0x31f/0x720
   [] virtblk_probe+0x58a/0x980
   [] ? virtblk_restore+0x100/0x100
   [] virtio_dev_probe+0x1be/0x280
   [] ? __device_attach+0x70/0x70
   [] driver_probe_device+0xe2/0x5c0
   [] ? __device_attach+0x70/0x70
   [] __driver_attach+0xc3/0xd0
   [] bus_for_each_dev+0x95/0xe0
   [] driver_attach+0x2b/0x30
   [] bus_add_driver+0x268/0x360
   [] driver_register+0xd3/0x1a0
   [] ? loop_init+0x14b/0x14b
   [] register_virtio_driver+0x3c/0x60
   [] init+0x53/0x80
   [] do_one_initcall+0xda/0x1a0
   [] kernel_init_freeable+0x1eb/0x27e
   [] ? rest_init+0x80/0x80
   [] kernel_init+0xe/0x130
   [] ret_from_fork+0x58/0x90
   [] ? rest_init+0x80/0x80
  Memory state around the buggy address:
   8801ec247300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   8801ec247380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  >8801ec247400: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
     ^
   8801ec247480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   8801ec247500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ==

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1534054/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1534054] Re: use-after-free found by KASAN in blk_mq_register_disk

2016-01-14 Thread Gavin Guo
** Description changed:

  We are trying to debug the kernel using KASAN and we found that when a
  VM is booting in our cloud, on the virtualised kernel, there is a use-
  after-free access that should not be there.
  
  The failing VM was running on a host with kernel 3.13.0-66-generic
  (trusty). Hosts' qemu version: 1:2.2+dfsg-5expubuntu9.3~cloud0. Hosts'
  seabios: 1.7.5-1ubuntu1~cloud0
  
  The flavour of this VM is 4 CPUs, 8G RAM, 80G of root disk, 0 G swap and
  0 G ephemeral disk.
  
  Here is the trace from KASAN (from the VM):
  
  The error message can be observed in the dmesg when the guest VM booted
- with v3.13.0-65 with KASAN enabled.
+ with v3.13.0-65 with KASAN enabled and "slub_debug=PU,kmalloc-32" in
+ kernel command line.
  
  ==
- BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr 
8801ec247400
+ BUG: KASan: out of bounds access in blk_mq_register_disk+0x193/0x260 at addr 
8801f43f4d90
  Read of size 8 by task swapper/0/1
  =
  BUG kmalloc-32 (Not tainted): kasan: bad access detected
  -
  
  Disabling lock debugging due to kernel taint
- INFO: Slab 0xea0007b091c0 objects=128 used=128 fp=0x  (null) 
flags=0x280
- INFO: Object 0x8801ec247400 @offset=1024 fp=0x8801ec247420
- 
- Bytes b4 8801ec2473f0: 00 ac 71 ef 01 88 ff ff 00 ac 79 ef 01 88 ff ff  
..q...y.
- Object 8801ec247400: 20 74 24 ec 01 88 ff ff 2f 76 69 72 74 75 61 6c   
t$./virtual
- Object 8801ec247410: 2f 62 64 69 2f 32 35 33 3a 30 00 00 00 00 00 00  
/bdi/253:0..
+ INFO: Allocated in blk_mq_init_hw_queues+0x778/0x920 age=5 cpu=1 pid=1
+ __slab_alloc+0x4f8/0x560
+ __kmalloc_node+0xad/0x310
+ blk_mq_init_hw_queues+0x778/0x920
+ blk_mq_init_queue+0x5f7/0x6c0
+ virtblk_probe+0x207/0x980
+ virtio_dev_probe+0x1be/0x280
+ driver_probe_device+0xe2/0x5c0
+ __driver_attach+0xc3/0xd0
+ bus_for_each_dev+0x95/0xe0
+ driver_attach+0x2b/0x30
+ bus_add_driver+0x268/0x360
+ driver_register+0xd3/0x1a0
+ register_virtio_driver+0x3c/0x60
+ init+0x53/0x80
+ do_one_initcall+0xda/0x1a0
+ kernel_init_freeable+0x1eb/0x27e
+ INFO: Freed in kzfree+0x2d/0x40 age=13 cpu=0 pid=8
+ __slab_free+0x2ab/0x3f0
+ kfree+0x161/0x170
+ kzfree+0x2d/0x40
+ aa_free_task_context+0x5d/0xa0
+ apparmor_cred_free+0x24/0x40
+ security_cred_free+0x2b/0x30
+ put_cred_rcu+0x38/0x140
+ rcu_nocb_kthread+0x25a/0x410
+ kthread+0x101/0x120
+ ret_from_fork+0x58/0x90
+ INFO: Slab 0xea0007d0fd00 objects=23 used=21 fp=0x8801f43f52d0 
flags=0x2004080
+ INFO: Object 0x8801f43f4d70 @offset=3440 fp=0x8801f43f5830
+ Bytes b4 8801f43f4d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  

+ Object 8801f43f4d70: 00 ac 61 f7 01 88 ff ff 00 ac 69 f7 01 88 ff ff  
..a...i.
+ Object 8801f43f4d80: 00 ac 71 f7 01 88 ff ff 00 ac 79 f7 01 88 ff ff  
..q...y.
  CPU: 0 PID: 1 Comm: swapper/0 Tainted: GB 3.13.0-65-generic #105
  Hardware name: OpenStack Foundation OpenStack Nova, BIOS 
1.7.5-20150310_111955-batsu 04/01/2014
-  ea0007b091c0 8801ec0cb9a8 81a6ce35 8801ef001c00
-  8801ec0cb9d8 81244aed 8801ef001c00 ea0007b091c0
-  8801ec247400 8801ef79ac98 8801ec0cba00 8124ac36
+  ea0007d0fd00 8801f40cf9a8 81a6ce35 8801f7001c00
+  8801f40cf9d8 81244aed 8801f7001c00 ea0007d0fd00
+  8801f43f4d70 8801f779ac98 8801f40cfa00 8124ac36
  Call Trace:
-  [] dump_stack+0x45/0x56
-  [] print_trailer+0xfd/0x170
-  [] object_err+0x36/0x40
-  [] kasan_report_error+0x1e9/0x3a0
-  [] ? sysfs_get+0x17/0x50
-  [] ? kobject_add_internal+0x29b/0x4a0
-  [] kasan_report+0x40/0x50
-  [] ? dev_printk_emit+0x20/0x40
-  [] ? blk_mq_register_disk+0x193/0x260
-  [] __asan_load8+0x69/0xa0
-  [] blk_mq_register_disk+0x193/0x260
-  [] blk_register_queue+0xd2/0x170
-  [] add_disk+0x31f/0x720
-  [] virtblk_probe+0x58a/0x980
-  [] ? virtblk_restore+0x100/0x100
-  [] virtio_dev_probe+0x1be/0x280
-  [] ? __device_attach+0x70/0x70
-  [] driver_probe_device+0xe2/0x5c0
-  [] ? __device_attach+0x70/0x70
-  [] __driver_attach+0xc3/0xd0
-  [] bus_for_each_dev+0x95/0xe0
-  [] driver_attach+0x2b/0x30
-  [] bus_add_driver+0x268/0x360
-  [] driver_register+0xd3/0x1a0
-  [] ? loop_init+0x14b/0x14b
-  [] register_virtio_driver+0x3c/0x60
-  [] init+0x53/0x80
-  [] do_one_initcall+0xda/0x1a0
-  [] kernel_init_freeable+0x1eb/0x27e
-  [] ? rest_init+0x80/0x80
-  [] kernel_init+0xe/0x130
-  [] ret_from_fork+0x58/0x90
-  [] ? rest_init+0x80/0x80
+  [] dump_st

[Kernel-packages] [Bug 1534054] Re: use-after-free found by KASAN in blk_mq_register_disk

2016-01-14 Thread Gema Gomez
** Changed in: linux (Ubuntu)
   Status: Incomplete => Confirmed
