
kernel-packages team mailing list archive

[Bug 1534054] [NEW] use-after-free found by KASAN in blk_mq_register_disk

 

Public bug reported:

The error message can be observed in dmesg when the guest VM is booted
with v3.13.0-65 with KASAN enabled.

==================================================================
BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr ffff8801ec247400
Read of size 8 by task swapper/0/1
=============================================================================
BUG kmalloc-32 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Slab 0xffffea0007b091c0 objects=128 used=128 fp=0x          (null) flags=0x2ffff0000000080
INFO: Object 0xffff8801ec247400 @offset=1024 fp=0xffff8801ec247420

Bytes b4 ffff8801ec2473f0: 00 ac 71 ef 01 88 ff ff 00 ac 79 ef 01 88 ff ff  ..q.......y.....
Object ffff8801ec247400: 20 74 24 ec 01 88 ff ff 2f 76 69 72 74 75 61 6c   t$...../virtual
Object ffff8801ec247410: 2f 62 64 69 2f 32 35 33 3a 30 00 00 00 00 00 00  /bdi/253:0......
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G    B         3.13.0-65-generic #105
Hardware name: OpenStack Foundation OpenStack Nova, BIOS 1.7.5-20150310_111955-batsu 04/01/2014
 ffffea0007b091c0 ffff8801ec0cb9a8 ffffffff81a6ce35 ffff8801ef001c00
 ffff8801ec0cb9d8 ffffffff81244aed ffff8801ef001c00 ffffea0007b091c0
 ffff8801ec247400 ffff8801ef79ac98 ffff8801ec0cba00 ffffffff8124ac36
Call Trace:
 [<ffffffff81a6ce35>] dump_stack+0x45/0x56
 [<ffffffff81244aed>] print_trailer+0xfd/0x170
 [<ffffffff8124ac36>] object_err+0x36/0x40
 [<ffffffff8124cbf9>] kasan_report_error+0x1e9/0x3a0
 [<ffffffff81319427>] ? sysfs_get+0x17/0x50
 [<ffffffff814dee6b>] ? kobject_add_internal+0x29b/0x4a0
 [<ffffffff8124d260>] kasan_report+0x40/0x50
 [<ffffffff81696f00>] ? dev_printk_emit+0x20/0x40
 [<ffffffff814ae7c3>] ? blk_mq_register_disk+0x193/0x260
 [<ffffffff8124bee9>] __asan_load8+0x69/0xa0
 [<ffffffff814ae7c3>] blk_mq_register_disk+0x193/0x260
 [<ffffffff814a1572>] blk_register_queue+0xd2/0x170
 [<ffffffff814b24cf>] add_disk+0x31f/0x720
 [<ffffffff816ced9a>] virtblk_probe+0x58a/0x980
 [<ffffffff816cd4c0>] ? virtblk_restore+0x100/0x100
 [<ffffffff81601b8e>] virtio_dev_probe+0x1be/0x280
 [<ffffffff8169d620>] ? __device_attach+0x70/0x70
 [<ffffffff8169d0d2>] driver_probe_device+0xe2/0x5c0
 [<ffffffff8169d620>] ? __device_attach+0x70/0x70
 [<ffffffff8169d6e3>] __driver_attach+0xc3/0xd0
 [<ffffffff8169a355>] bus_for_each_dev+0x95/0xe0
 [<ffffffff8169c89b>] driver_attach+0x2b/0x30
 [<ffffffff8169c298>] bus_add_driver+0x268/0x360
 [<ffffffff8169dfe3>] driver_register+0xd3/0x1a0
 [<ffffffff8218e4b9>] ? loop_init+0x14b/0x14b
 [<ffffffff8160213c>] register_virtio_driver+0x3c/0x60
 [<ffffffff8218e50c>] init+0x53/0x80
 [<ffffffff8100212a>] do_one_initcall+0xda/0x1a0
 [<ffffffff8213816b>] kernel_init_freeable+0x1eb/0x27e
 [<ffffffff81a5bcd0>] ? rest_init+0x80/0x80
 [<ffffffff81a5bcde>] kernel_init+0xe/0x130
 [<ffffffff81a83028>] ret_from_fork+0x58/0x90
 [<ffffffff81a5bcd0>] ? rest_init+0x80/0x80
Memory state around the buggy address:
 ffff8801ec247300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801ec247380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801ec247400: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8801ec247480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801ec247500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
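To make a splat like the one above quicker to triage, here is an added Python helper; it is not part of this bug report, of the Ubuntu kernel tree, or of KASAN itself. It parses the report lines for the bug kind, faulting function, access size and task, picks the first reliable frame below the sanitizer's own reporting frames (dump_stack/kasan_*/__asan_*), and decodes the shadow byte that covers the reported address using the poison values the kernel defines in mm/kasan/kasan.h (0x00 addressable, 0x01..0x07 partially addressable, 0xfb freed kmalloc object, 0xfc kmalloc redzone, one shadow byte per 8 bytes of memory). The sample input is a trimmed copy of the report on this page. The cross-check at the end, that the run of 0xfb bytes (4 × 8 = 32 bytes) matches the kmalloc-32 cache the report names, is the consistency test a triager wants before chasing the free path: the access lands in the first 8 bytes of a freed 32-byte object, i.e. a stale pointer to a small kmalloc'd object, not a redzone overflow.

```python
"""Decode a KASAN use-after-free report like the one quoted above.

Added example; not part of the bug report or of the kernel. The shadow
legend values are the ones defined in the kernel's mm/kasan/kasan.h.
"""
import re

SHADOW_GRANULE = 8  # one shadow byte describes 8 bytes of kernel memory

SHADOW_LEGEND = {
    0x00: "addressable",
    0xfa: "global redzone",
    0xfb: "freed kmalloc object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}

BUG_RE = re.compile(r"BUG: KASan: (?P<kind>[a-z -]+?) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+"
                    r" at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)")
CACHE_RE = re.compile(r"\bBUG (?P<cache>kmalloc-\d+)")
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\] (?P<unreliable>\? )?(?P<sym>\w+)\+0x")
# Rows of the "Memory state" dump: a memory address followed by 16 shadow bytes.
SHADOW_RE = re.compile(r"^\s*>?\s*(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})\s*$")

# Trimmed copy of the report from this bug, used as sample input.
SAMPLE_REPORT = """\
BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr ffff8801ec247400
Read of size 8 by task swapper/0/1
BUG kmalloc-32 (Not tainted): kasan: bad access detected
Call Trace:
 [<ffffffff81a6ce35>] dump_stack+0x45/0x56
 [<ffffffff8124cbf9>] kasan_report_error+0x1e9/0x3a0
 [<ffffffff814ae7c3>] ? blk_mq_register_disk+0x193/0x260
 [<ffffffff8124bee9>] __asan_load8+0x69/0xa0
 [<ffffffff814ae7c3>] blk_mq_register_disk+0x193/0x260
 [<ffffffff814a1572>] blk_register_queue+0xd2/0x170
 [<ffffffff814b24cf>] add_disk+0x31f/0x720
 [<ffffffff816ced9a>] virtblk_probe+0x58a/0x980
Memory state around the buggy address:
 ffff8801ec247380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801ec247400: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8801ec247480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""


def parse_kasan_report(text):
    """Pull the header, call trace and shadow rows out of the raw dmesg lines."""
    report = {"frames": [], "shadow": {}}
    for line in text.splitlines():
        if (m := BUG_RE.search(line)):
            report.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
        elif (m := ACCESS_RE.search(line)):
            report["access"] = (m["rw"].lower(), int(m["size"]), m["task"])
        elif (m := CACHE_RE.search(line)):
            report["cache"] = m["cache"]
        elif (m := FRAME_RE.search(line)):
            report["frames"].append((m["sym"], m["unreliable"] is None))
        elif (m := SHADOW_RE.match(line)):
            # Each row covers 16 shadow bytes = 128 bytes of memory.
            report["shadow"][int(m["row"], 16)] = bytes.fromhex(m["bytes"].replace(" ", ""))
    return report


def shadow_legend(value):
    """Human-readable meaning of one shadow byte."""
    if value in SHADOW_LEGEND:
        return SHADOW_LEGEND[value]
    if 1 <= value <= 7:
        return f"partially addressable ({value} of 8 bytes)"
    return "unknown poison"


def _shadow_slot(report, addr):
    """Locate the shadow byte covering addr: returns (row_bytes, index) or None."""
    for row_addr, row in report["shadow"].items():
        if row_addr <= addr < row_addr + len(row) * SHADOW_GRANULE:
            return row, (addr - row_addr) // SHADOW_GRANULE
    return None


def freed_extent(row, index):
    """Length in bytes of the run of 0xfb (freed) shadow bytes starting at index."""
    n = 0
    for b in row[index:]:
        if b != 0xfb:
            break
        n += 1
    return n * SHADOW_GRANULE


def faulting_frame(report):
    """First reliable frame below KASAN's own reporting frames: the access site."""
    for sym, reliable in report["frames"]:
        if not reliable or sym in ("dump_stack", "print_trailer", "object_err"):
            continue
        if sym.startswith(("kasan_", "__asan_")):
            continue
        return sym
    return None


def triage(text):
    """Summarise a report and cross-check the freed run against the slab cache name."""
    r = parse_kasan_report(text)
    slot = _shadow_slot(r, r["addr"])
    value = slot[0][slot[1]] if slot else None
    freed = freed_extent(*slot) if slot else 0
    return {
        "kind": r["kind"],
        "site": r["func"],
        "frame": faulting_frame(r),
        "access": r["access"],
        "cache": r.get("cache"),
        "shadow_value": value,
        "shadow_meaning": shadow_legend(value) if value is not None else "no shadow row",
        "freed_bytes": freed,
        # The freed run should be exactly one object of the named kmalloc cache.
        "consistent": r.get("cache") == f"kmalloc-{freed}",
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_REPORT).items():
        print(f"{key:15} {val}")
```

The shadow rows are keyed by the memory address they describe, not by shadow address, which is what the kernel prints; the caret line is ignored and the slot is computed from the reported address instead, since the caret column depends on pointer width. Run it on a full dmesg capture and the same summary comes out, as all lines the regexes do not recognise are skipped.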

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete


** Tags: trusty

** Description changed:

+ The error message can be observed in the dmesg when the guest VM booted
+ with v3.13.0-65 with KASAN enabled.
+ 
  ==================================================================
  BUG: KASan: use after free in blk_mq_register_disk+0x193/0x260 at addr ffff8801ec247400
  Read of size 8 by task swapper/0/1
  =============================================================================
  BUG kmalloc-32 (Not tainted): kasan: bad access detected
  -----------------------------------------------------------------------------
  
  Disabling lock debugging due to kernel taint
  INFO: Slab 0xffffea0007b091c0 objects=128 used=128 fp=0x          (null) flags=0x2ffff0000000080
  INFO: Object 0xffff8801ec247400 @offset=1024 fp=0xffff8801ec247420
  
  Bytes b4 ffff8801ec2473f0: 00 ac 71 ef 01 88 ff ff 00 ac 79 ef 01 88 ff ff  ..q.......y.....
  Object ffff8801ec247400: 20 74 24 ec 01 88 ff ff 2f 76 69 72 74 75 61 6c   t$...../virtual
  Object ffff8801ec247410: 2f 62 64 69 2f 32 35 33 3a 30 00 00 00 00 00 00  /bdi/253:0......
  CPU: 0 PID: 1 Comm: swapper/0 Tainted: G    B         3.13.0-65-generic #105
  Hardware name: OpenStack Foundation OpenStack Nova, BIOS 1.7.5-20150310_111955-batsu 04/01/2014
-  ffffea0007b091c0 ffff8801ec0cb9a8 ffffffff81a6ce35 ffff8801ef001c00
-  ffff8801ec0cb9d8 ffffffff81244aed ffff8801ef001c00 ffffea0007b091c0
-  ffff8801ec247400 ffff8801ef79ac98 ffff8801ec0cba00 ffffffff8124ac36
+  ffffea0007b091c0 ffff8801ec0cb9a8 ffffffff81a6ce35 ffff8801ef001c00
+  ffff8801ec0cb9d8 ffffffff81244aed ffff8801ef001c00 ffffea0007b091c0
+  ffff8801ec247400 ffff8801ef79ac98 ffff8801ec0cba00 ffffffff8124ac36
  Call Trace:
-  [<ffffffff81a6ce35>] dump_stack+0x45/0x56
-  [<ffffffff81244aed>] print_trailer+0xfd/0x170
-  [<ffffffff8124ac36>] object_err+0x36/0x40
-  [<ffffffff8124cbf9>] kasan_report_error+0x1e9/0x3a0
-  [<ffffffff81319427>] ? sysfs_get+0x17/0x50
-  [<ffffffff814dee6b>] ? kobject_add_internal+0x29b/0x4a0
-  [<ffffffff8124d260>] kasan_report+0x40/0x50
-  [<ffffffff81696f00>] ? dev_printk_emit+0x20/0x40
-  [<ffffffff814ae7c3>] ? blk_mq_register_disk+0x193/0x260
-  [<ffffffff8124bee9>] __asan_load8+0x69/0xa0
-  [<ffffffff814ae7c3>] blk_mq_register_disk+0x193/0x260
-  [<ffffffff814a1572>] blk_register_queue+0xd2/0x170
-  [<ffffffff814b24cf>] add_disk+0x31f/0x720
-  [<ffffffff816ced9a>] virtblk_probe+0x58a/0x980
-  [<ffffffff816cd4c0>] ? virtblk_restore+0x100/0x100
-  [<ffffffff81601b8e>] virtio_dev_probe+0x1be/0x280
-  [<ffffffff8169d620>] ? __device_attach+0x70/0x70
-  [<ffffffff8169d0d2>] driver_probe_device+0xe2/0x5c0
-  [<ffffffff8169d620>] ? __device_attach+0x70/0x70
-  [<ffffffff8169d6e3>] __driver_attach+0xc3/0xd0
-  [<ffffffff8169a355>] bus_for_each_dev+0x95/0xe0
-  [<ffffffff8169c89b>] driver_attach+0x2b/0x30
-  [<ffffffff8169c298>] bus_add_driver+0x268/0x360
-  [<ffffffff8169dfe3>] driver_register+0xd3/0x1a0
-  [<ffffffff8218e4b9>] ? loop_init+0x14b/0x14b
-  [<ffffffff8160213c>] register_virtio_driver+0x3c/0x60
-  [<ffffffff8218e50c>] init+0x53/0x80
-  [<ffffffff8100212a>] do_one_initcall+0xda/0x1a0
-  [<ffffffff8213816b>] kernel_init_freeable+0x1eb/0x27e
-  [<ffffffff81a5bcd0>] ? rest_init+0x80/0x80
-  [<ffffffff81a5bcde>] kernel_init+0xe/0x130
-  [<ffffffff81a83028>] ret_from_fork+0x58/0x90
-  [<ffffffff81a5bcd0>] ? rest_init+0x80/0x80
+  [<ffffffff81a6ce35>] dump_stack+0x45/0x56
+  [<ffffffff81244aed>] print_trailer+0xfd/0x170
+  [<ffffffff8124ac36>] object_err+0x36/0x40
+  [<ffffffff8124cbf9>] kasan_report_error+0x1e9/0x3a0
+  [<ffffffff81319427>] ? sysfs_get+0x17/0x50
+  [<ffffffff814dee6b>] ? kobject_add_internal+0x29b/0x4a0
+  [<ffffffff8124d260>] kasan_report+0x40/0x50
+  [<ffffffff81696f00>] ? dev_printk_emit+0x20/0x40
+  [<ffffffff814ae7c3>] ? blk_mq_register_disk+0x193/0x260
+  [<ffffffff8124bee9>] __asan_load8+0x69/0xa0
+  [<ffffffff814ae7c3>] blk_mq_register_disk+0x193/0x260
+  [<ffffffff814a1572>] blk_register_queue+0xd2/0x170
+  [<ffffffff814b24cf>] add_disk+0x31f/0x720
+  [<ffffffff816ced9a>] virtblk_probe+0x58a/0x980
+  [<ffffffff816cd4c0>] ? virtblk_restore+0x100/0x100
+  [<ffffffff81601b8e>] virtio_dev_probe+0x1be/0x280
+  [<ffffffff8169d620>] ? __device_attach+0x70/0x70
+  [<ffffffff8169d0d2>] driver_probe_device+0xe2/0x5c0
+  [<ffffffff8169d620>] ? __device_attach+0x70/0x70
+  [<ffffffff8169d6e3>] __driver_attach+0xc3/0xd0
+  [<ffffffff8169a355>] bus_for_each_dev+0x95/0xe0
+  [<ffffffff8169c89b>] driver_attach+0x2b/0x30
+  [<ffffffff8169c298>] bus_add_driver+0x268/0x360
+  [<ffffffff8169dfe3>] driver_register+0xd3/0x1a0
+  [<ffffffff8218e4b9>] ? loop_init+0x14b/0x14b
+  [<ffffffff8160213c>] register_virtio_driver+0x3c/0x60
+  [<ffffffff8218e50c>] init+0x53/0x80
+  [<ffffffff8100212a>] do_one_initcall+0xda/0x1a0
+  [<ffffffff8213816b>] kernel_init_freeable+0x1eb/0x27e
+  [<ffffffff81a5bcd0>] ? rest_init+0x80/0x80
+  [<ffffffff81a5bcde>] kernel_init+0xe/0x130
+  [<ffffffff81a83028>] ret_from_fork+0x58/0x90
+  [<ffffffff81a5bcd0>] ? rest_init+0x80/0x80
  Memory state around the buggy address:
-  ffff8801ec247300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-  ffff8801ec247380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  ffff8801ec247300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  ffff8801ec247380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  >ffff8801ec247400: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
-                    ^
-  ffff8801ec247480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-  ffff8801ec247500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                    ^
+  ffff8801ec247480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+  ffff8801ec247500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ==================================================================
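Review bot: the only content change in this description diff is the two-line introduction added at the top (the `+ The error message can be observed ...` lines); every `-`/`+` pair from the three raw stack-dump words through the call trace down to the last shadow row is identical in content, so the rest of the diff is a whitespace-only re-paste of the same report and carries no new information about the bug.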

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1534054
