From owner-freebsd-bugs@freebsd.org  Sun Feb 23 20:26:50 2020
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 33C0C247A7D
 for <freebsd-bugs@mailman.nyi.freebsd.org>;
 Sun, 23 Feb 2020 20:26:50 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:13])
 by mx1.freebsd.org (Postfix) with ESMTP id 48QcDT6XvPz3yfG
 for <freebsd-bugs@freebsd.org>; Sun, 23 Feb 2020 20:26:49 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
 id DA768247A7C; Sun, 23 Feb 2020 20:26:49 +0000 (UTC)
Delivered-To: bugs@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id D89C4247A7B
 for <bugs@mailman.nyi.freebsd.org>; Sun, 23 Feb 2020 20:26:49 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 48QcDT3Q2zz3ydG
 for <bugs@FreeBSD.org>; Sun, 23 Feb 2020 20:26:49 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2610:1c1:1:606c::50:1d])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 593161A10D
 for <bugs@FreeBSD.org>; Sun, 23 Feb 2020 20:26:49 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 01NKQnST013514
 for <bugs@FreeBSD.org>; Sun, 23 Feb 2020 20:26:49 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 01NKQn30013513
 for bugs@FreeBSD.org; Sun, 23 Feb 2020 20:26:49 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 244351] [7] Kernel panic observed while plugging the UFS USB
 drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE r354233 and FreeBSD
 12.1-STABLE r358121
Date: Sun, 23 Feb 2020 20:26:49 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: neerajpal09@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
 attachments.created
Message-ID: <bug-244351-227@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Feb 2020 20:26:50 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D244351

            Bug ID: 244351
           Summary: [7] Kernel panic observed while plugging the UFS USB
                    drive on FreeBSD13-CURRENT, FreeBSD 12.1-RELEASE
                    r354233 and FreeBSD 12.1-STABLE r358121
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: neerajpal09@gmail.com

Created attachment 211873
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D211873&action=
=3Dedit
Contains PoC UFS image and detailed logs includes 13-current, 12.1-release =
and
12.1-stable

Hi there,

Kernel Panic is observed while mounting the usb drive which contains malici=
ous
UFS filesystem image.

But if the automount is configured or user has ability to mount the usb dri=
ve
then during mount kernel panic occurs.

No user authentication and interaction is needed in case of automount is
configured, tested with "/etc/fstab".

Just flash the attached UFS image to usb drive and plug the usb drive to
FreeBSD 13-CURRENT, 12.1-RELEASE, or 12.1-STABLE, then mount it.

[Kernel Log - FreeBSD 13-CURRENT]

freebsd dumped core - see /var/crash/vmcore.4

Wed Feb 19 18:50:05 UTC 2020

FreeBSD freebsd 13.0-CURRENT FreeBSD 13.0-CURRENT #0: Wed Feb 19 01:58:08 U=
TC
2020     root@freebsd:/usr/obj/usr/src/amd64.amd64/sys/GENERIC  amd64

panic: usermode va fffffdffb39cb000

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain condition=
s.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: usermode va fffffdffb39cb000
cpuid =3D 0
time =3D 1582138127
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0039f1d=
3d0
vpanic() at vpanic+0x185/frame 0xfffffe0039f1d430
panic() at panic+0x43/frame 0xfffffe0039f1d490
pmap_pinit0() at pmap_pinit0/frame 0xfffffe0039f1d4a0
allocbuf() at allocbuf+0x1fc/frame 0xfffffe0039f1d500
getblkx() at getblkx+0x6d9/frame 0xfffffe0039f1d5d0
getblk() at getblk+0x22/frame 0xfffffe0039f1d600
ffs_mount() at ffs_mount+0x1be0/frame 0xfffffe0039f1d7b0
vfs_domount() at vfs_domount+0x83c/frame 0xfffffe0039f1d9e0
vfs_donmount() at vfs_donmount+0x911/frame 0xfffffe0039f1da80
sys_nmount() at sys_nmount+0x69/frame 0xfffffe0039f1dac0
amd64_syscall() at amd64_syscall+0x168/frame 0xfffffe0039f1dbf0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0039f1dbf0
--- syscall (378, FreeBSD ELF64, sys_nmount), rip =3D 0x8002f7a1a, rsp =3D
0x7fffffffd3b8, rbp =3D 0x7fffffffd920 ---
KDB: enter: panic
Uptime: 6m53s
Dumping 262 out of 4062 MB:..7%..13%..25%..31%..43%..55%..61%..74%..86%..92%


[Attachments]
+ UFS filesystem image
+ detailed logs from FreeBSD 13-CURRENT, 12.1-RELEASE, and 12.1-STABLE.

--=20
You are receiving this mail because:
You are the assignee for the bug.=