From owner-freebsd-bugs@freebsd.org  Sun Feb 23 19:58:12 2020
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 931F0246CA9
 for <freebsd-bugs@mailman.nyi.freebsd.org>;
 Sun, 23 Feb 2020 19:58:12 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:13])
 by mx1.freebsd.org (Postfix) with ESMTP id 48QbbS2560z4H2D
 for <freebsd-bugs@freebsd.org>; Sun, 23 Feb 2020 19:58:12 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id 45ABE246CA7; Sun, 23 Feb 2020 19:58:12 +0000 (UTC)
Delivered-To: bugs@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 454EC246CA6
 for <bugs@mailman.nyi.freebsd.org>; Sun, 23 Feb 2020 19:58:12 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 48QbbR1mLnz4H20
 for <bugs@FreeBSD.org>; Sun, 23 Feb 2020 19:58:11 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9649119B52
 for <bugs@FreeBSD.org>; Sun, 23 Feb 2020 19:58:10 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 01NJwABt016523
 for <bugs@FreeBSD.org>; Sun, 23 Feb 2020 19:58:10 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 01NJwAsQ016522
 for bugs@FreeBSD.org; Sun, 23 Feb 2020 19:58:10 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 244344] [2] Kernel panic observed while plugging the UFS USB
 drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE r354233 and FreeBSD
 12.1-STABLE r358121
Date: Sun, 23 Feb 2020 19:58:10 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: neerajpal09@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
 attachments.created
Message-ID: <bug-244344-227@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Feb 2020 19:58:12 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D244344

            Bug ID: 244344
           Summary: [2] Kernel panic observed while plugging the UFS USB
                    drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE
                    r354233 and FreeBSD 12.1-STABLE r358121
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: neerajpal09@gmail.com

Created attachment 211868
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D211868&action=
=3Dedit
Contains PoC UFS image and detailed logs includes 13-current, 12.1-release =
and
12.1-stable

Hi there,

Kernel Panic is observed while attaching the usb drive which contains malic=
ious
UFS filesystem image. No user authentication and interaction is needed.

Just flash the attached UFS image to usb drive and plug the usb drive to
FreeBSD 13-CURRENT, 12.1-RELEASE, or 12.1-STABLE.


[Kernel Log - FreeBSD 13-CURRENT (UAF)]

freebsd dumped core - see /var/crash/vmcore.2

Fri Feb 21 07:01:11 UTC 2020

FreeBSD freebsd 13.0-CURRENT FreeBSD 13.0-CURRENT #3: Thu Feb 20
03:35:37 UTC 2020
root@freebsd:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

panic: Most recently used by GEOM

GNU gdb (GDB) 8.3.1 [GDB v8.3.1 for FreeBSD]
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.htm=
l>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd13.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /boot/kernel/kernel...
Reading symbols from /usr/lib/debug//boot/kernel/kernel.debug...

Unread portion of the kernel message buffer:
Superblock check-hash failed: recorded check-hash 0x9dafc69a !=3D
computed check-hash 0x7ccaabd4 (Ignored)
Memory modified after free 0xfffffe003a559000(65528) val=3D4 @ 0xfffffe003a=
559000
panic: Most recently used by GEOM

cpuid =3D 1
time =3D 1582268274
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe002c779=
750
vpanic() at vpanic+0x185/frame 0xfffffe002c7797b0
panic() at panic+0x43/frame 0xfffffe002c779810
mtrash_ctor() at mtrash_ctor+0x7e/frame 0xfffffe002c779830
item_ctor() at item_ctor+0x2cb/frame 0xfffffe002c779890
uma_zalloc_arg() at uma_zalloc_arg+0x144/frame 0xfffffe002c7798e0
malloc() at malloc+0x99/frame 0xfffffe002c779930
g_read_data() at g_read_data+0x82/frame 0xfffffe002c779970
g_use_g_read_data() at g_use_g_read_data+0x35/frame 0xfffffe002c779990
ffs_sbget() at ffs_sbget+0x24f/frame 0xfffffe002c779a00
g_label_ufs_taste_common() at g_label_ufs_taste_common+0x79/frame
0xfffffe002c779a40
g_label_taste() at g_label_taste+0x2ac/frame 0xfffffe002c779b50
g_new_provider_event() at g_new_provider_event+0xaa/frame 0xfffffe002c779b70
g_run_events() at g_run_events+0x176/frame 0xfffffe002c779bb0
fork_exit() at fork_exit+0x80/frame 0xfffffe002c779bf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe002c779bf0
--- trap 0, rip =3D 0, rsp =3D 0, rbp =3D 0 ---
KDB: enter: panic
Uptime: 6m11s
Dumping 264 out of 4062 MB:..7%..13%..25%..31%..43%..55%..61%..73%..85%..91%

[Attachments]
+ UFS filesystem image
+ detailed logs from FreeBSD 13-CURRENT, 12.1-RELEASE, and 12.1-STABLE.

--=20
You are receiving this mail because:
You are the assignee for the bug.=