Created attachment 236928
malicious disk image that causes a page fault in g_llvm_free_vg() during taste

In llvm_textconf_decode():

        /* basic checking */
        if (vg->vg_extentsize == 0)
                goto bad;

        md->md_vg = vg;
        LIST_INSERT_HEAD(&vg_list, vg, vg_next);
        G_LLVM_DEBUG(3, "vg: name=%s uuid=%s", vg->vg_name, vg->vg_uuid);
        return(0);

bad:
        g_llvm_free_vg(vg);
        return (-1);

This means g_llvm_free_vg(vg) can be called without vg having been inserted into the list. But the latter calls LIST_REMOVE(vg, vg_next) unconditionally.

I've attached a demo:

# kldload geom_linux_lvm
# mdconfig -f taste62b.img

panic: Fatal page fault at 0xffffffc08b604da6: 0000000000000000
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0
g_llvm_free_vg() at g_llvm_free_vg+0xc4
llvm_textconf_decode() at llvm_textconf_decode+0x4f4
g_llvm_read_md() at g_llvm_read_md+0x214
g_llvm_taste() at g_llvm_taste+0xd0
g_new_provider_event() at g_new_provider_event+0xb8
one_event() at one_event+0x102
g_run_events() at g_run_events+0x8a
g_event_procbody() at g_event_procbody+0x56
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa

FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #197 main-n250931-18f03443a230-dirty: Wed Sep 28 17:36:45 EDT 2022 rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
Something similar will happen if GRAB_INT() fails in llvm_textconf_decode().
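The defect reported above, reduced to a userspace model as an added example (it is neither the kernel's code nor the fix in the referenced commit): a cleanup routine that unlinks an element only if it was actually inserted. The LIST macros are reimplemented inline with the semantics of sys/queue.h so the unconditional write through le_prev, which is what faults when the element was never linked, is visible; the membership check assumes the element was allocated zeroed.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal LIST macros with <sys/queue.h> semantics (added example, not the
 * kernel's code). LIST_REMOVE writes through le_prev unconditionally, so on a
 * never-inserted, zeroed element it dereferences NULL, the fault in the report. */
#define LIST_HEAD(name, type)  struct name { struct type *lh_first; }
#define LIST_ENTRY(type)       struct { struct type *le_next, **le_prev; }
#define LIST_INSERT_HEAD(head, elm, field) do {                        \
    if (((elm)->field.le_next = (head)->lh_first) != NULL)             \
        (head)->lh_first->field.le_prev = &(elm)->field.le_next;       \
    (head)->lh_first = (elm);                                          \
    (elm)->field.le_prev = &(head)->lh_first;                          \
} while (0)
#define LIST_REMOVE(elm, field) do {                                   \
    if ((elm)->field.le_next != NULL)                                  \
        (elm)->field.le_next->field.le_prev = (elm)->field.le_prev;    \
    *(elm)->field.le_prev = (elm)->field.le_next;                      \
} while (0)
struct vg {
    char vg_name[32];
    unsigned vg_extentsize;
    LIST_ENTRY(vg) vg_next;
};
static LIST_HEAD(vg_head, vg) vg_list = { NULL };

/* Hardened cleanup: unlink only what was actually linked. Assumes zeroed
 * allocation, so le_prev == NULL means LIST_INSERT_HEAD never ran. */
static void free_vg(struct vg *vg)
{
    if (vg->vg_next.le_prev != NULL)
        LIST_REMOVE(vg, vg_next);
    free(vg);
}
/* Models the decode path: validate, then insert. 0 on success, -1 on bad input. */
static int decode_vg(const char *name, unsigned extentsize)
{
    struct vg *vg = calloc(1, sizeof(*vg));     /* zeroed, as with M_ZERO */
    if (vg == NULL)
        return -1;
    strncpy(vg->vg_name, name, sizeof(vg->vg_name) - 1);
    vg->vg_extentsize = extentsize;
    if (vg->vg_extentsize == 0)     /* the "basic checking" branch in the report */
        goto bad;
    LIST_INSERT_HEAD(&vg_list, vg, vg_next);
    return 0;
bad:
    free_vg(vg);    /* safe: vg was never inserted, so nothing is unlinked */
    return -1;
}
```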
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=56279238b03a0ccef245b22fff7679fe35cffccc

commit 56279238b03a0ccef245b22fff7679fe35cffccc
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-10-17 14:25:38 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-10-17 15:19:05 +0000

    geom_linux_lvm: Avoid removing from vg_list before inserting

    PR:             266693
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      1 week

 sys/geom/linux_lvm/g_linux_lvm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2d7b5953dd90430c065014b748ac0e6217bff9d7

commit 2d7b5953dd90430c065014b748ac0e6217bff9d7
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-10-17 14:25:38 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-10-24 13:18:07 +0000

    geom_linux_lvm: Avoid removing from vg_list before inserting

    PR:             266693
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      1 week

    (cherry picked from commit 56279238b03a0ccef245b22fff7679fe35cffccc)

 sys/geom/linux_lvm/g_linux_lvm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0da34087c41cd3a64a5c07edfe373395bc29857f

commit 0da34087c41cd3a64a5c07edfe373395bc29857f
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-10-17 14:25:38 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-10-24 13:17:59 +0000

    geom_linux_lvm: Avoid removing from vg_list before inserting

    PR:             266693
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      1 week

    (cherry picked from commit 56279238b03a0ccef245b22fff7679fe35cffccc)

 sys/geom/linux_lvm/g_linux_lvm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)