use-after-free found by KASAN in blk_mq_register_disk
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Confirmed | Medium | Gavin Guo |
Bug Description
We are trying to debug the kernel using KASAN and we found that when a VM is booting in our cloud, on the virtualised kernel, there is a use-after-free access that should not be there.
The failing VM was running on a host with kernel 3.13.0-66-generic (trusty). Hosts' qemu version: 1:2.2+dfsg-
The flavour of this VM is 4 CPUs, 8G RAM, 80G of root disk, 0 G swap and 0 G ephemeral disk.
Here is the trace from KASAN (from the VM):
The error message can be observed in the dmesg when the guest VM booted with v3.13.0-65 with KASAN enabled and "slub_debug=
=======
BUG: KASan: out of bounds access in blk_mq_
Read of size 8 by task swapper/0/1
=======
BUG kmalloc-32 (Not tainted): kasan: bad access detected
-------
Disabling lock debugging due to kernel taint
INFO: Allocated in blk_mq_
INFO: Freed in kzfree+0x2d/0x40 age=13 cpu=0 pid=8
INFO: Slab 0xffffea0007d0fd00 objects=23 used=21 fp=0xffff8801f4
INFO: Object 0xffff8801f43f4d70 @offset=3440 fp=0xffff8801f4
Bytes b4 ffff8801f43f4d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff8801f43f4d70: 00 ac 61 f7 01 88 ff ff 00 ac 69 f7 01 88 ff ff ..a.......i.....
Object ffff8801f43f4d80: 00 ac 71 f7 01 88 ff ff 00 ac 79 f7 01 88 ff ff ..q.......y.....
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 3.13.0-65-generic #105
Hardware name: OpenStack Foundation OpenStack Nova, BIOS 1.7.5-20150310_
ffffea0007d0fd00 ffff8801f40cf9a8 ffffffff81a6ce35 ffff8801f7001c00
ffff8801f40cf9d8 ffffffff81244aed ffff8801f7001c00 ffffea0007d0fd00
ffff8801f43f4d70 ffff8801f779ac98 ffff8801f40cfa00 ffffffff8124ac36
Call Trace:
[<ffffffff81a6
[<ffffffff8124
[<ffffffff8124
[<ffffffff8124
[<ffffffff8131
[<ffffffff814d
[<ffffffff8124
[<ffffffff8169
[<ffffffff814a
[<ffffffff8124
[<ffffffff814a
[<ffffffff814a
[<ffffffff814b
[<ffffffff816c
[<ffffffff816c
[<ffffffff8160
[<ffffffff8169
[<ffffffff8169
[<ffffffff8169
[<ffffffff8169
[<ffffffff8169
[<ffffffff8169
[<ffffffff8169
[<ffffffff8169
[<ffffffff8218
[<ffffffff8160
[<ffffffff8218
[<ffffffff8100
[<ffffffff8213
[<ffffffff81a5
[<ffffffff81a5
[<ffffffff81a8
[<ffffffff81a5
Memory state around the buggy address:
ffff8801f43f4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801f43f4d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
>ffff8801f43f4d80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801f43f4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801f43f4e80: fc fc fc fc fc fc fc fc fc 00 00 00 00 fc fc fc
=======
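To make the "Memory state around the buggy address" block above easier to read, here is an added helper (example code, not part of the bug report or of the kernel's KASAN implementation) that parses those shadow rows and reports what KASAN would say about a given access. Each shadow byte covers an 8-byte granule of memory, so one row of 16 bytes spans 128 bytes; the poison meanings follow mm/kasan/kasan.h in the mainline kernel. The sample rows are copied from the report above; the two access addresses tried at the bottom are assumptions for illustration, since the exact faulting address is not preserved in the truncated trace.

```python
import re

# Shadow-byte meanings as defined in mm/kasan/kasan.h of the mainline kernel;
# values 01..07 mean "only the first N bytes of this 8-byte granule are addressable".
POISON = {
    0x00: "addressable",
    0xfa: "global variable redzone",
    0xfb: "freed kmalloc object",
    0xfc: "kmalloc redzone (slub object)",
    0xfe: "page redzone (large allocation)",
    0xff: "freed page",
}

GRANULE = 8  # bytes of memory covered by one shadow byte

# One "Memory state" row: optional '>' marker, 16-digit memory address,
# then 16 shadow bytes (128 bytes of memory per row).
ROW_RE = re.compile(r"^\s*(>?)\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")

# Constructed sample: the five shadow rows copied from the KASAN report above.
SAMPLE = """\
Memory state around the buggy address:
 ffff8801f43f4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801f43f4d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00
>ffff8801f43f4d80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801f43f4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801f43f4e80: fc fc fc fc fc fc fc fc fc 00 00 00 00 fc fc fc
"""


def parse_shadow(report):
    """Map each 8-byte granule base address to its shadow value.

    Returns (granules, marked_row): marked_row is the memory address of the
    row KASAN flagged with '>' (None if no row is marked).
    """
    granules, marked = {}, None
    for line in report.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        base = int(m.group(2), 16)
        if m.group(1) == ">":
            marked = base
        for i, tok in enumerate(m.group(3).split()):
            granules[base + GRANULE * i] = int(tok, 16)
    return granules, marked


def describe(value):
    if 1 <= value <= 7:
        return "partially addressable (first %d bytes)" % value
    return POISON.get(value, "unknown poison 0x%02x" % value)


def check_access(granules, addr, size):
    """Classify a `size`-byte access at `addr` byte by byte, as KASAN does.

    Returns (True, None) when every byte is addressable, otherwise
    (False, (first_bad_byte, description)).
    """
    for b in range(addr, addr + size):
        base = b & ~(GRANULE - 1)
        value = granules.get(base)
        if value is None:
            return False, (b, "outside the dumped shadow window")
        if value == 0 or (1 <= value <= 7 and (b - base) < value):
            continue
        return False, (b, describe(value))
    return True, None


def object_extent(granules, addr):
    """Return [start, end) of the addressable run containing `addr`,
    i.e. the live object's bounds as KASAN sees them (None if addr is poisoned)."""
    base = addr & ~(GRANULE - 1)
    if granules.get(base) != 0:
        return None
    start = base
    while granules.get(start - GRANULE) == 0:
        start -= GRANULE
    end = base + GRANULE
    while granules.get(end) == 0:
        end += GRANULE
    tail = granules.get(end, 0)
    if 1 <= tail <= 7:          # a partially addressable trailing granule
        end += tail
    return start, end


if __name__ == "__main__":
    g, marked = parse_shadow(SAMPLE)
    obj = 0xffff8801f43f4d70  # object address from the SLUB "INFO: Object" line above
    print("row marked by KASAN: %#x" % marked)
    print("object extent: [%#x, %#x)" % object_extent(g, obj))
    # Assumed access addresses (not from the report): one inside, one just past the end.
    for addr in (obj + 24, obj + 32):
        print("8-byte read at %#x -> %s" % (addr, check_access(g, addr, 8)))
```

Run stand-alone, the script recovers an addressable run of exactly 32 bytes starting at the object address, which matches the `kmalloc-32` cache named in the SLUB report, and shows that an 8-byte read at offset 32 lands in the `fc` kmalloc redzone. That is the cross-check a triager wants before trusting the headline: the shadow bytes describe an out-of-bounds read past a live 32-byte object, while the "Freed in kzfree" line comes from SLUB's own tracking of the slab, so the two views should be reconciled against the source of `blk_mq_register_disk` rather than read in isolation.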
description: updated
description: updated
tags: added: sts
description: updated
description: updated
description: updated
Changed in linux (Ubuntu):
assignee: nobody → Gavin Guo (mimi0213kimo)
description: updated
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → Medium
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1534054
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.