[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <2bf06faa-a0a7-4dee-90cd-a054b4e4c947@gmail.com>
Date: Tue, 24 Oct 2023 15:15:54 +0700
From: Bagas Sanjaya <bagasdotme@...il.com>
To: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux Networking <netdev@...r.kernel.org>,
Linux Memory Management List <linux-mm@...ck.org>
Cc: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Benjamin Poirier <bpoirier@...e.de>,
Tom Herbert <therbert@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
CM76 <cmaff76@...il.com>
Subject: Fwd: kernel tried to execute NX-protected page - exploit attempt?
(uid: 0) (qbittorrent with tx-nocache-copy)
Hi,
I notice a regression report on Bugzilla [1]. Quoting from it:
> I believe this is also an issue with the Broadcom bnx2 drivers since it only seem to happen when I enable "tx-nocache-copy" in ethtool.
>
> The issue started when I was running Mainline/stable Kernel v6.5.x on another machine, after google-ing a bit I landed on an article from redhat that pointed at the possibility of an issue caused by a failing hardware. I was renting the server, so I didn't bother to fill a bug report and assumed it was the server that was going bad. But then it happened again on my other server as soon as I switched the bittorrent client to the same I was using on that other server. I turned "tx-nocache-copy" off and ran mainline kernel v6.5 (on Ubuntu 23.04) for a day or two without issue. After that I switched the kernel back to Ubuntu's kernel (v6.2) and the server ran for a couple more days without issue. Two days ago I turned "tx-nocache-copy" on again out of curiosity (kernel v6.2), and the server didn't run into any issue with this setting set to on. This morning I upgraded to Ubuntu 23.10 that runs their version of Kernel v6.5. The kernel panicked and server rebooted a couple of hours later.
>
>
> The issue seem to be triggered with a certain configuration of applications, I've ran Mainline/stable kernel 6.5.x since its release (and before that v6.4.x) with the rtorrent bittorrent client and "tx-nocache-copy" turned on, the kernel didn't run into any issue for weeks until I switched to another bittorrent client (qbittorrent) last week. It doesn't seem to matter when it happens, the kernel can Opps when the client is downloading a single small sized torrent to when it's downloading multiple torrents at the same time.
>
>
> I tried to use the crash utiliy to get the backtrace but it doesn't seem to work correctly. I get "crash: invalid structure member offset: module_core_size FILE: kernel.c LINE: 3781 FUNCTION: module_init()" when I try to load the kernel dump.
>
> The kernel panic happens with 6.5.x Mainline/stable kernel as well as the 6.5 kernel that comes with ubuntu 23.10.
>
> The bittorrent clients run as systemd services with normal user privileges and "ProtectKernelModules=yes" "NoNewPrivileges=yes" set in the systemd service.
>
> I joined the full dmesg as attachement, and I can send the kdump generated kernel dump file if needed.
>
>
> ------------------------
> [12090.273551] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
> [12090.273577] BUG: unable to handle page fault for address: ffff9441c9734458
> [12090.273590] #PF: supervisor instruction fetch in kernel mode
> [12090.273602] #PF: error_code(0x0011) - permissions violation
> [12090.273614] PGD 157401067 P4D 157401067 PUD 23ffff067 PMD 108a81063 PTE 8000000109734063
> [12090.273632] Oops: 0011 [#1] PREEMPT SMP PTI
> [12090.273643] CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Not tainted 6.5.0-9-generic #9-Ubuntu
> [12090.273658] Hardware name: Dell Inc. PowerEdge R210 II/03X6X0, BIOS 2.10.0 05/24/2018
> [12090.273674] RIP: 0010:0xffff9441c9734458
> [12090.273694] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 58 44 73 c9 41 94 ff ff 00 00 00 00 00 00
> [12090.273723] RSP: 0018:ffffb3c380138980 EFLAGS: 00010282
> [12090.273734] RAX: ffff9441c9734458 RBX: ffff9441c9734400 RCX: 0000000000000000
> [12090.273746] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9441c9734400
> [12090.273758] RBP: ffffb3c380138990 R08: 0000000000000000 R09: 0000000000000000
> [12090.273771] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9441c9734400
> [12090.273783] R13: 00000000000005dc R14: ffff9441c49dda00 R15: ffffffff9e55ec40
> [12090.273795] FS: 0000000000000000(0000) GS:ffff9442f7c40000(0000) knlGS:0000000000000000
> [12090.273811] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [12090.273823] CR2: ffff9441c9734458 CR3: 0000000155a3a006 CR4: 00000000001706e0
> [12090.273837] Call Trace:
> [12090.273845] <IRQ>
> [12090.273851] ? show_regs+0x6d/0x80
> [12090.273864] ? __die+0x24/0x80
> [12090.273873] ? page_fault_oops+0x99/0x1b0
> [12090.273884] ? kernelmode_fixup_or_oops+0xb2/0x140
> [12090.273896] ? __bad_area_nosemaphore+0x1a5/0x2c0
> [12090.273908] ? bad_area_nosemaphore+0x16/0x30
> [12090.273918] ? do_kern_addr_fault+0x7b/0xa0
> [12090.273927] ? exc_page_fault+0x1a4/0x1b0
> [12090.273939] ? asm_exc_page_fault+0x27/0x30
> [12090.273952] ? skb_release_head_state+0x27/0xb0
> [12090.273964] consume_skb+0x33/0xf0
> [12090.273973] tcp_mtu_probe+0x565/0x5d0
> [12090.273984] tcp_write_xmit+0x579/0xab0
> [12090.273994] __tcp_push_pending_frames+0x37/0x110
> [12090.274005] tcp_rcv_established+0x264/0x730
> [12090.274015] ? security_sock_rcv_skb+0x39/0x60
> [12090.274027] tcp_v4_do_rcv+0x169/0x2a0
> [12090.274037] tcp_v4_rcv+0xd92/0xe00
> [12090.274046] ? raw_v4_input+0xaa/0x240
> [12090.274056] ip_protocol_deliver_rcu+0x3c/0x210
> [12090.274068] ip_local_deliver_finish+0x77/0xa0
> [12090.274078] ip_local_deliver+0x6e/0x120
> [12090.274089] ? __pfx_ip_local_deliver_finish+0x10/0x10
> [12090.274369] ip_sublist_rcv_finish+0x6f/0x80
> [12090.274638] ip_sublist_rcv+0x171/0x220
> [12090.274931] ? __pfx_ip_rcv_finish+0x10/0x10
> [12090.275201] ip_list_rcv+0x102/0x140
> [12090.275459] __netif_receive_skb_list_core+0x22d/0x250
> [12090.275714] netif_receive_skb_list_internal+0x1a3/0x2d0
> [12090.275967] napi_complete_done+0x74/0x1c0
> [12090.276218] bnx2_poll_msix+0xa1/0xe0 [bnx2]
> [12090.276468] __napi_poll+0x33/0x1f0
> [12090.276708] net_rx_action+0x181/0x2e0
> [12090.276943] __do_softirq+0xd9/0x346
> [12090.277172] ? handle_irq_event+0x52/0x80
> [12090.277393] ? handle_edge_irq+0xda/0x250
> [12090.277604] __irq_exit_rcu+0x75/0xa0
> [12090.277812] irq_exit_rcu+0xe/0x20
> [12090.278015] common_interrupt+0xa4/0xb0
> [12090.278217] </IRQ>
> [12090.278411] <TASK>
> [12090.278602] asm_common_interrupt+0x27/0x40
> [12090.278798] RIP: 0010:cpuidle_enter_state+0xda/0x730
> [12090.278992] Code: 11 04 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 26 bb 02 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 0a 0f 83 17 05 00 00
> [12090.279402] RSP: 0018:ffffb3c3800cbe18 EFLAGS: 00000246
> [12090.279612] RAX: 0000000000000000 RBX: ffff9442f7c7ec00 RCX: 0000000000000000
> [12090.279827] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
> [12090.280042] RBP: ffffb3c3800cbe68 R08: 0000000000000000 R09: 0000000000000000
> [12090.280259] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff9d0d24a0
> [12090.280478] R13: 0000000000000003 R14: 0000000000000003 R15: 00000afefc75867b
> [12090.280698] ? cpuidle_enter_state+0xca/0x730
> [12090.280918] ? finish_task_switch.isra.0+0x89/0x2b0
> [12090.281142] cpuidle_enter+0x2e/0x50
> [12090.281363] call_cpuidle+0x23/0x60
> [12090.281583] cpuidle_idle_call+0x11d/0x190
> [12090.281804] do_idle+0x82/0xf0
> [12090.282022] cpu_startup_entry+0x1d/0x20
> [12090.282240] start_secondary+0x129/0x160
> [12090.282460] secondary_startup_64_no_verify+0x17e/0x18b
> [12090.282685] </TASK>
> [12090.282902] Modules linked in: tcp_diag inet_diag ip6table_filter ip6_tables xt_LOG nf_log_syslog xt_recent xt_limit xt_tcpudp xt_conntrack iptable_filter xt_CT xt_set iptable_raw bpfilter ip_set_hash_ip ip_set_hash_net ip_set_hash_ipport ip_set_list_set ip_set_bitmap_port ip_set_hash_netiface ip_set nfnetlink binfmt_misc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel aesni_intel crypto_simd cryptd rapl intel_cstate ipmi_ssif mgag200 drm_shmem_helper cfg80211 input_leds drm_kms_helper dcdbas at24 i2c_i801 lpc_ich i2c_smbus ie31200_edac acpi_ipmi i2c_algo_bit ipmi_si ipmi_devintf ipmi_msghandler sch_fq tcp_bbr nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c drm efi_pstore dmi_sysfs ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul ahci mpt3sas libahci raid_class bnx2 scsi_transport_sas wmi
> [12090.285082] CR2: ffff9441c9734458
> ----
Later, the reporter (Cc'ed) narrowed down the culprit range:
> Probably has nothing to do with the Broadcom bnx2 driver. The server crashed with "tx-nocache-copy" set to off.
>
> I added the dmesg as attachment, the backtrace and kmem of the RIP address are below.
>
> I ran qbittorrent on a different server with the same hardware config back in June this year, the server was running Mainline/Stable kernel version 6.3.x then 6.4.0 and the server never rebooted once.
See Bugzilla for the full thread and attached dmesg logs.
Anyway, I'm adding this regression to regzbot:
#regzbot introduced: v6.4..v6.5 https://bugzilla.kernel.org/show_bug.cgi?id=218033
#regzbot title: kernel panic when downloading torrent with qbittorrent with tx-nocache-copy on
Thanks.
[1]: https://bugzilla.kernel.org/show_bug.cgi?id=218033
--
An old man doll... just what I always wanted! - Clara
Powered by blists - more mailing lists