Open Source and information security mailing list archives
Message-ID: <Ys78z1V+sR5y78i6@sirena.org.uk>
Date:   Wed, 13 Jul 2022 18:11:43 +0100
From:   Mark Brown <broonie@...nel.org>
To:     kernelci-results@...ups.io, bot@...nelci.org,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        Borislav Petkov <bp@...e.de>,
        Josh Poimboeuf <jpoimboe@...nel.org>,
        Thadeu Lima de Souza Cascardo <cascardo@...onical.com>,
        stable@...r.kernel.org, gtucker@...labora.com,
        linux-kernel@...r.kernel.org
Subject: Re: stable-rc/queue/5.15 bisection: baseline.login on
 qemu_x86_64-uefi-mixed

On Wed, Jul 13, 2022 at 09:46:58AM -0700, KernelCI bot wrote:

The KernelCI bisection bot found a boot failure on x86-64 on at least a
qemu system with 32 bit EDK2 firmware triggered by a backport of upstream
commit aa3d480315ba6c30 ("x86: Use return-thunk in asm code").  The boot
fails with:

<6>[    0.324425] Calibrating delay loop (skipped), value calculated using timer frequency.. 3592.02 BogoMIPS (lpj=1796010)
<6>[    0.325417] pid_max: default: 32768 minimum: 301
<2>[    0.326744] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
<1>[    0.327415] BUG: unable to handle page fault for address: 000000000e6038c0
<1>[    0.327415] #PF: supervisor instruction fetch in kernel mode
<1>[    0.327415] #PF: error_code(0x0011) - permissions violation

...

<4>[    0.327415] Call Trace:
<4>[    0.327415]  <TASK>
<4>[    0.327415]  ? efi_set_virtual_address_map+0x65/0x103
<4>[    0.327415]  ? efi_enter_virtual_mode+0x39e/0x3f9
<4>[    0.327415]  ? start_kernel+0x5be/0x65a
<4>[    0.327415]  ? secondary_startup_64_no_verify+0xc2/0xcb
<4>[    0.327415]  </TASK>

The full boot log from a failed boot can be seen at:

	https://storage.kernelci.org/stable-rc/queue-5.15/v5.15.54-78-ga5f899726e59/x86_64/x86_64_defconfig/gcc-10/lab-baylibre/baseline-qemu_x86_64-uefi-mixed.txt

I've left the full report below with more details (including a log of
the bisection) and a tag from the bot below.  The 32 bit EFI on x86-64
combination is unfortunately a thing some physical systems do.

> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> * This automated bisection report was sent to you on the basis  *
> * that you may be involved with the breaking commit it has      *
> * found.  No manual investigation has been done to verify it,   *
> * and the root cause of the problem may be somewhere else.      *
> *                                                               *
> * If you do send a fix, please include this trailer:            *
> *   Reported-by: "kernelci.org bot" <bot@...nelci.org>          *
> *                                                               *
> * Hope this helps!                                              *
> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
> 
> stable-rc/queue/5.15 bisection: baseline.login on qemu_x86_64-uefi-mixed
> 
> Summary:
>   Start:      a5f899726e592 x86/static_call: Serialize __static_call_fixup() properly
>   Plain log:  https://storage.kernelci.org/stable-rc/queue/5.15/v5.15.54-78-ga5f899726e59/x86_64/x86_64_defconfig/gcc-10/lab-baylibre/baseline-qemu_x86_64-uefi-mixed.txt
>   HTML log:   https://storage.kernelci.org/stable-rc/queue/5.15/v5.15.54-78-ga5f899726e59/x86_64/x86_64_defconfig/gcc-10/lab-baylibre/baseline-qemu_x86_64-uefi-mixed.html
>   Result:     a02ac6ab73cc3 x86: Use return-thunk in asm code
> 
> Checks:
>   revert:     PASS
>   verify:     PASS
> 
> Parameters:
>   Tree:       stable-rc
>   URL:        https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
>   Branch:     queue/5.15
>   Target:     qemu_x86_64-uefi-mixed
>   CPU arch:   x86_64
>   Lab:        lab-baylibre
>   Compiler:   gcc-10
>   Config:     x86_64_defconfig
>   Test case:  baseline.login
> 
> Breaking commit found:
> 
> -------------------------------------------------------------------------------
> commit a02ac6ab73cc327552cb12e13b740e3c8a118bf6
> Author: Peter Zijlstra <peterz@...radead.org>
> Date:   Tue Jun 14 23:15:45 2022 +0200
> 
>     x86: Use return-thunk in asm code
>     
>     commit aa3d480315ba6c3025a60958e1981072ea37c3df upstream.
>     
>     Use the return thunk in asm code. If the thunk isn't needed, it will
>     get patched into a RET instruction during boot by apply_returns().
>     
>     Since alternatives can't handle relocations outside of the first
>     instruction, putting a 'jmp __x86_return_thunk' in one is not valid,
>     therefore carve out the memmove ERMS path into a separate label and jump
>     to it.
>     
>     Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
>     Signed-off-by: Borislav Petkov <bp@...e.de>
>     Reviewed-by: Josh Poimboeuf <jpoimboe@...nel.org>
>     Signed-off-by: Borislav Petkov <bp@...e.de>
>     [cascardo: no RANDSTRUCT_CFLAGS]
>     Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
>     Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> 
> diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
> index a2dddcc189f69..c8891d3b38d30 100644
> --- a/arch/x86/entry/vdso/Makefile
> +++ b/arch/x86/entry/vdso/Makefile
> @@ -92,6 +92,7 @@ endif
>  endif
>  
>  $(vobjs): KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_LTO) $(GCC_PLUGINS_CFLAGS) $(RETPOLINE_CFLAGS),$(KBUILD_CFLAGS)) $(CFL)
> +$(vobjs): KBUILD_AFLAGS += -DBUILD_VDSO
>  
>  #
>  # vDSO code runs in userspace and -pg doesn't help with profiling anyway.
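Review bot: `-DBUILD_VDSO` is added only to KBUILD_AFLAGS for $(vobjs), while the linkage.h change guards both the assembler `RET` and the C-side `ASM_RET` string on `!defined(BUILD_VDSO)`. If any C object in $(vobjs) reaches ASM_RET through inline asm, its KBUILD_CFLAGS line above (which strips RETPOLINE_CFLAGS but shows no BUILD_VDSO define) would still expand it to `jmp __x86_return_thunk`, a kernel symbol the vDSO cannot reference; either confirm that $(CFL) already defines BUILD_VDSO or add the define to KBUILD_CFLAGS here as well.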
> diff --git a/arch/x86/include/asm/linkage.h b/arch/x86/include/asm/linkage.h
> index 030907922bd07..d04e61c2f863c 100644
> --- a/arch/x86/include/asm/linkage.h
> +++ b/arch/x86/include/asm/linkage.h
> @@ -18,19 +18,27 @@
>  #define __ALIGN_STR	__stringify(__ALIGN)
>  #endif
>  
> +#if defined(CONFIG_RETPOLINE) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO)
> +#define RET	jmp __x86_return_thunk
> +#else /* CONFIG_RETPOLINE */
>  #ifdef CONFIG_SLS
>  #define RET	ret; int3
>  #else
>  #define RET	ret
>  #endif
> +#endif /* CONFIG_RETPOLINE */
>  
>  #else /* __ASSEMBLY__ */
>  
> +#if defined(CONFIG_RETPOLINE) && !defined(__DISABLE_EXPORTS) && !defined(BUILD_VDSO)
> +#define ASM_RET	"jmp __x86_return_thunk\n\t"
> +#else /* CONFIG_RETPOLINE */
>  #ifdef CONFIG_SLS
>  #define ASM_RET	"ret; int3\n\t"
>  #else
>  #define ASM_RET	"ret\n\t"
>  #endif
> +#endif /* CONFIG_RETPOLINE */
>  
>  #endif /* __ASSEMBLY__ */
>  
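Review bot: with this hunk every `RET` in assembly not built with __DISABLE_EXPORTS or BUILD_VDSO becomes `jmp __x86_return_thunk`, a relocation against kernel text, so any asm that executes from a different mapping or before the thunk is reachable must spell out a plain `ret` instead of the macro. The bisection log shows one such carve-out already (`x86/sev: Avoid using __x86_return_thunk`), and the reported fault is an instruction fetch under efi_set_virtual_address_map on 32-bit EFI, so the EFI mixed-mode asm looks like another candidate; please audit those paths and document the exemption rule next to the macro. Minor: the `#else /* CONFIG_RETPOLINE */` and `#endif /* CONFIG_RETPOLINE */` comments no longer describe the condition, which also tests __DISABLE_EXPORTS and BUILD_VDSO.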
> diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S
> index 50ea390df7128..4b8ee3a2fcc37 100644
> --- a/arch/x86/lib/memmove_64.S
> +++ b/arch/x86/lib/memmove_64.S
> @@ -40,7 +40,7 @@ SYM_FUNC_START(__memmove)
>  	/* FSRM implies ERMS => no length checks, do the copy directly */
>  .Lmemmove_begin_forward:
>  	ALTERNATIVE "cmp $0x20, %rdx; jb 1f", "", X86_FEATURE_FSRM
> -	ALTERNATIVE "", __stringify(movq %rdx, %rcx; rep movsb; RET), X86_FEATURE_ERMS
> +	ALTERNATIVE "", "jmp .Lmemmove_erms", X86_FEATURE_ERMS
>  
>  	/*
>  	 * movsq instruction have many startup latency
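Review bot: the replacement text is now a lone `jmp .Lmemmove_erms`, which is the only shape an alternative can carry here because `RET` may expand to `jmp __x86_return_thunk` and alternatives cannot relocate anything past the first instruction (as the commit message explains); a comment on this line saying the replacement must stay a single jmp would keep a later edit from reintroducing a multi-instruction replacement.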
> @@ -206,6 +206,11 @@ SYM_FUNC_START(__memmove)
>  	movb %r11b, (%rdi)
>  13:
>  	RET
> +
> +.Lmemmove_erms:
> +	movq %rdx, %rcx
> +	rep movsb
> +	RET
>  SYM_FUNC_END(__memmove)
>  SYM_FUNC_END_ALIAS(memmove)
>  EXPORT_SYMBOL(__memmove)
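Review bot: the new `.Lmemmove_erms` block sits after the `13:` epilogue with nothing tying it back to the `ALTERNATIVE ... X86_FEATURE_ERMS` at `.Lmemmove_begin_forward`, so a reader of the tail of __memmove sees an unreachable-looking second `rep movsb` copy; add a one-line comment ("out-of-line ERMS path, entered from the alternative at .Lmemmove_begin_forward") and note that its trailing `RET` now also goes through the return thunk.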
> -------------------------------------------------------------------------------
> 
> 
> Git bisection log:
> 
> -------------------------------------------------------------------------------
> git bisect start
> # good: [8bb7eca972ad531c9b149c0a51ab43a417385813] Linux 5.15
> git bisect good 8bb7eca972ad531c9b149c0a51ab43a417385813
> # bad: [a5f899726e5928dd5640ec76f6d35bbefc7d19b4] x86/static_call: Serialize __static_call_fixup() properly
> git bisect bad a5f899726e5928dd5640ec76f6d35bbefc7d19b4
> # good: [39738a2346b270e8f72f88d8856de2c167bd2899] ibmvnic: free reset-work-item when flushing
> git bisect good 39738a2346b270e8f72f88d8856de2c167bd2899
> # good: [11f5f236dbd6e685356e10f158e306e592cb70ff] kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU
> git bisect good 11f5f236dbd6e685356e10f158e306e592cb70ff
> # good: [0b011b408f349e76f7903a477870051f94c7e119] tty: goldfish: Introduce gf_ioread32()/gf_iowrite32()
> git bisect good 0b011b408f349e76f7903a477870051f94c7e119
> # good: [f7fa3263079c55e2bbdcd5ff763c19b665e329ed] drm/msm: Fix double pm_runtime_disable() call
> git bisect good f7fa3263079c55e2bbdcd5ff763c19b665e329ed
> # good: [16b7cb2803bf088ed08e026f70fa9ac04f3c9800] memory: renesas-rpc-if: Avoid unaligned bus access for HyperFlash
> git bisect good 16b7cb2803bf088ed08e026f70fa9ac04f3c9800
> # good: [3b9f491386698a7e39680cb3c375e62d0cae457d] btrfs: fix use of uninitialized variable at rm device ioctl
> git bisect good 3b9f491386698a7e39680cb3c375e62d0cae457d
> # good: [445d1c4b5642518587808c59f0faec9b7b4d3fe2] x86/asm: Fix register order
> git bisect good 445d1c4b5642518587808c59f0faec9b7b4d3fe2
> # bad: [e9acb6c4a96ae59548659eca7d1c95e2ff892658] x86/bugs: Enable STIBP for JMP2RET
> git bisect bad e9acb6c4a96ae59548659eca7d1c95e2ff892658
> # good: [3319d4d152b047d01ddea3094f72d26e601a817b] x86/retpoline: Swizzle retpoline thunk
> git bisect good 3319d4d152b047d01ddea3094f72d26e601a817b
> # good: [ae13a2bad9d648d4ebf05511a9f606ca2fd27de3] x86/kvm: Fix SETcc emulation for return thunks
> git bisect good ae13a2bad9d648d4ebf05511a9f606ca2fd27de3
> # bad: [18de59c1eee14fcb121422919f51a47a449c812e] x86/entry: Avoid very early RET
> git bisect bad 18de59c1eee14fcb121422919f51a47a449c812e
> # good: [2c90fcb95d0ad54074480cf6b9c601348180da59] x86/sev: Avoid using __x86_return_thunk
> git bisect good 2c90fcb95d0ad54074480cf6b9c601348180da59
> # bad: [a02ac6ab73cc327552cb12e13b740e3c8a118bf6] x86: Use return-thunk in asm code
> git bisect bad a02ac6ab73cc327552cb12e13b740e3c8a118bf6
> # first bad commit: [a02ac6ab73cc327552cb12e13b740e3c8a118bf6] x86: Use return-thunk in asm code
> -------------------------------------------------------------------------------
> 
> 

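As an added example, not part of the bot report or of this reply, here is a small Python triage script that recognises the failure signature quoted above: it parses printk-style lines, decodes the x86 #PF error code bits (per the Intel SDM page-fault error code layout), and pulls the innermost call-trace frames, so that an instruction fetch from a page the kernel may not execute is flagged distinctly from an ordinary data-access fault. The sample lines are the ones quoted from the boot log; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the lines quoted from the failing boot log,
# embedded here so the script runs offline.
SAMPLE_LOG = """\
<6>[    0.324425] Calibrating delay loop (skipped), value calculated using timer frequency.. 3592.02 BogoMIPS (lpj=1796010)
<6>[    0.325417] pid_max: default: 32768 minimum: 301
<2>[    0.326744] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
<1>[    0.327415] BUG: unable to handle page fault for address: 000000000e6038c0
<1>[    0.327415] #PF: supervisor instruction fetch in kernel mode
<1>[    0.327415] #PF: error_code(0x0011) - permissions violation
<4>[    0.327415] Call Trace:
<4>[    0.327415]  <TASK>
<4>[    0.327415]  ? efi_set_virtual_address_map+0x65/0x103
<4>[    0.327415]  ? efi_enter_virtual_mode+0x39e/0x3f9
<4>[    0.327415]  ? start_kernel+0x5be/0x65a
<4>[    0.327415]  ? secondary_startup_64_no_verify+0xc2/0xcb
<4>[    0.327415]  </TASK>
"""

# Bit meanings of the x86 #PF error code (Intel SDM vol. 3A, page-fault
# exception).  Bit 0 clear means the page was not present at all.
PF_BITS = (
    (1 << 0, "P: protection violation (page present)"),
    (1 << 1, "W/R: write access"),
    (1 << 2, "U/S: user-mode access"),
    (1 << 3, "RSVD: reserved bit set in a paging entry"),
    (1 << 4, "I/D: instruction fetch"),
)

LINE_RE = re.compile(r"^<(?P<level>\d+)>\[\s*(?P<ts>[\d.]+)\]\s?(?P<msg>.*)$")
ADDR_RE = re.compile(r"unable to handle page fault for address: ([0-9a-fA-F]+)")
ERR_RE = re.compile(r"#PF: error_code\(0x([0-9a-fA-F]+)\)")
FRAME_RE = re.compile(r"^(\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-fA-F]+/0x[0-9a-fA-F]+$")


@dataclass
class PageFaultReport:
    nx_exec_hit: bool = False          # "kernel tried to execute NX-protected page" seen
    address: Optional[int] = None      # faulting address from the BUG line
    error_code: Optional[int] = None   # raw #PF error code
    frames: List[str] = field(default_factory=list)  # call trace, innermost first


def decode_error_code(code: int) -> List[str]:
    """Expand a #PF error code into the names of the SDM bits that are set."""
    names = [name for bit, name in PF_BITS if code & bit]
    if not code & 1:
        names.insert(0, "P clear: page not present")
    return names


def parse_boot_log(text: str) -> PageFaultReport:
    """Walk printk-style lines and extract the first page-fault oops."""
    report = PageFaultReport()
    in_trace = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").strip()
        if "kernel tried to execute NX-protected page" in msg:
            report.nx_exec_hit = True
        elif (a := ADDR_RE.search(msg)) and report.address is None:
            report.address = int(a.group(1), 16)
        elif (e := ERR_RE.search(msg)) and report.error_code is None:
            report.error_code = int(e.group(1), 16)
        elif msg == "Call Trace:":
            in_trace = True
        elif in_trace:
            if msg == "</TASK>":
                break  # end of the first trace; one oops is enough for triage
            f = FRAME_RE.match(msg)
            if f:
                report.frames.append(f.group("sym"))
    return report


def is_instruction_fetch_fault(report: PageFaultReport) -> bool:
    """True when the fault is an instruction fetch, i.e. control flow landed
    on a page the kernel may not execute (here, a RET reaching code outside
    the mapping in force at the time), rather than a bad data access."""
    return report.error_code is not None and bool(report.error_code & (1 << 4))


def summarize(report: PageFaultReport) -> str:
    """One-line summary suitable for a triage ticket."""
    bits = ", ".join(decode_error_code(report.error_code or 0))
    addr = f"{report.address:#018x}" if report.address is not None else "?"
    top = " <- ".join(report.frames[:3]) or "(no trace)"
    return f"#PF at {addr} [{bits}] via {top}"


if __name__ == "__main__":
    print(summarize(parse_boot_log(SAMPLE_LOG)))
```

Run against the full log linked above, the script reports the same address and error code as the excerpt; for a genuine data-access fault the I/D bit is clear and `is_instruction_fetch_fault` returns False, which is the distinction that points triage at control-flow (RET/thunk) problems rather than at a bad pointer.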
