Message-ID: <1d10cd73-2ae7-42d5-a318-2f9facc42bbe@alu.unizg.hr>
Date: Mon, 18 Mar 2024 20:47:26 +0100
From: Mirsad Todorovac <mirsad.todorovac@....unizg.hr>
To: x86@...nel.org
Cc: Sean Christopherson <seanjc@...gle.com>,
 Paolo Bonzini <pbonzini@...hat.com>, Thomas Gleixner <tglx@...utronix.de>,
 Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
 Dave Hansen <dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>,
 linux-kernel@...r.kernel.org, Fuad Tabba <tabba@...gle.com>,
 Marc Zyngier <maz@...nel.org>, Shaoqin Huang <shahuang@...hat.com>,
 David Matlack <dmatlack@...gle.com>, Josh Poimboeuf <jpoimboe@...nel.org>,
 Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
 Peter Zijlstra <peterz@...radead.org>, Breno Leitao <leitao@...ian.org>,
 kvm@...r.kernel.org
Subject: [BUG net-next] arch/x86/kernel/cpu/bugs.c:2935: "Unpatched return
 thunk in use. This should not happen!" [STACKTRACE]

Hi,

With the latest net-next v6.8-5204-g237bb5f7f7f5 kernel, while running kselftest, there was this
trap and stacktrace:

This is a vanilla net-next tree kernel; only changes to the tools/testing/selftests Makefile make the
build mark it as "dirty".

The message was apparently introduced with this patch: https://lore.kernel.org/lkml/20240207185328.GEZcPRqPsNInRXyNMj@fat_crate.local/

Here is the stacktrace:

Mar 18 19:46:35 defiant kernel: [ 1859.134913] ------------[ cut here ]------------
Mar 18 19:46:35 defiant kernel: [ 1859.134916] Unpatched return thunk in use. This should not happen!
Mar 18 19:46:35 defiant kernel: [ 1859.134919] WARNING: CPU: 30 PID: 80103 at arch/x86/kernel/cpu/bugs.c:2935 __warn_thunk (/home/marvin/linux/kernel/net-next/arch/x86/kernel/cpu/bugs.c:2935 (discriminator 3))
Mar 18 19:46:35 defiant kernel: [ 1859.134925] Modules linked in: ir_rcmm_decoder ir_imon_decoder ir_sharp_decoder ir_rc6_decoder ir_sanyo_decoder ir_nec_decoder ir_sony_decoder ir_jvc_decoder ir_rc5_decoder rc_loopback gpio_sim macvlan act_gact cls_flower sch_ingress bridge stp llc bonding tls xfrm_user nf_tables nfnetlink nvme_fabrics binfmt_misc amd_atl intel_rapl_msr nls_iso8859_1 intel_rapl_common snd_hda_codec_realtek snd_hda_codec_generic amdgpu snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm edac_mce_amd crct10dif_pclmul polyval_clmulni snd_seq_midi polyval_generic snd_seq_midi_event ghash_clmulni_intel sha512_ssse3 amdxcp sha256_ssse3 snd_rawmidi drm_exec sha1_ssse3 gpu_sched aesni_intel drm_buddy drm_suballoc_helper crypto_simd drm_ttm_helper cryptd snd_seq ttm joydev snd_seq_device rapl input_leds drm_display_helper snd_timer cec snd wmi_bmof drm_kms_helper k10temp ccp soundcore i2c_algo_bit mac_hid tcp_bbr sch_fq msr parport_pc ppdev lp parport fuse drm efi_pstore ip_tables
Mar 18 19:46:35 defiant kernel: [ 1859.134985]  x_tables autofs4 btrfs blake2b_generic xor raid6_pq libcrc32c hid_generic nvme nvme_core ahci i2c_piix4 crc32_pclmul r8169 nvme_auth xhci_pci libahci xhci_pci_renesas realtek video wmi gpio_amdpt [last unloaded: gpio_mockup]
Mar 18 19:46:35 defiant kernel: [ 1859.135002] CPU: 30 PID: 80103 Comm: cpuid_test Not tainted 6.8.0-net-next-km-05204-g237bb5f7f7f5-dirty #3
Mar 18 19:46:35 defiant kernel: [ 1859.135004] Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
Mar 18 19:46:35 defiant kernel: [ 1859.135005] RIP: 0010:__warn_thunk (/home/marvin/linux/kernel/net-next/arch/x86/kernel/cpu/bugs.c:2935 (discriminator 3))
Mar 18 19:46:35 defiant kernel: [ 1859.135008] Code: 50 9b 0f 01 83 e3 01 74 0e 48 8b 5d f8 c9 31 f6 31 ff e9 0e 9f 3b 01 48 c7 c7 28 62 1d b9 c6 05 f2 d6 6b 02 01 e8 60 af 07 00 <0f> 0b 48 8b 5d f8 c9 31 f6 31 ff e9 eb 9e 3b 01 90 90 90 90 90 90
All code
========
    0:	50                   	push   %rax
    1:	9b                   	fwait
    2:	0f 01 83 e3 01 74 0e 	sgdt   0xe7401e3(%rbx)
    9:	48 8b 5d f8          	mov    -0x8(%rbp),%rbx
    d:	c9                   	leave
    e:	31 f6                	xor    %esi,%esi
   10:	31 ff                	xor    %edi,%edi
   12:	e9 0e 9f 3b 01       	jmp    0x13b9f25
   17:	48 c7 c7 28 62 1d b9 	mov    $0xffffffffb91d6228,%rdi
   1e:	c6 05 f2 d6 6b 02 01 	movb   $0x1,0x26bd6f2(%rip)        # 0x26bd717
   25:	e8 60 af 07 00       	call   0x7af8a
   2a:*	0f 0b                	ud2    		<-- trapping instruction
   2c:	48 8b 5d f8          	mov    -0x8(%rbp),%rbx
   30:	c9                   	leave
   31:	31 f6                	xor    %esi,%esi
   33:	31 ff                	xor    %edi,%edi
   35:	e9 eb 9e 3b 01       	jmp    0x13b9f25
   3a:	90                   	nop
   3b:	90                   	nop
   3c:	90                   	nop
   3d:	90                   	nop
   3e:	90                   	nop
   3f:	90                   	nop

Code starting with the faulting instruction
===========================================
    0:	0f 0b                	ud2
    2:	48 8b 5d f8          	mov    -0x8(%rbp),%rbx
    6:	c9                   	leave
    7:	31 f6                	xor    %esi,%esi
    9:	31 ff                	xor    %edi,%edi
    b:	e9 eb 9e 3b 01       	jmp    0x13b9efb
   10:	90                   	nop
   11:	90                   	nop
   12:	90                   	nop
   13:	90                   	nop
   14:	90                   	nop
   15:	90                   	nop
Mar 18 19:46:35 defiant kernel: [ 1859.135009] RSP: 0018:ffffb9f8c652bc70 EFLAGS: 00010046
Mar 18 19:46:35 defiant kernel: [ 1859.135011] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
Mar 18 19:46:35 defiant kernel: [ 1859.135012] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
Mar 18 19:46:35 defiant kernel: [ 1859.135013] RBP: ffffb9f8c652bc78 R08: 0000000000000000 R09: 0000000000000000
Mar 18 19:46:35 defiant kernel: [ 1859.135014] R10: 0000000000000000 R11: 0000000000000000 R12: ffff998e369f1c78
Mar 18 19:46:35 defiant kernel: [ 1859.135015] R13: 0000000000000000 R14: 0000000000000000 R15: ffff998e369f23f8
Mar 18 19:46:35 defiant kernel: [ 1859.135016] FS:  000071f68c680740(0000) GS:ffff999b18900000(0000) knlGS:0000000000000000
Mar 18 19:46:35 defiant kernel: [ 1859.135017] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Mar 18 19:46:35 defiant kernel: [ 1859.135018] CR2: 0000000000000000 CR3: 000000032c828000 CR4: 0000000000f50ef0
Mar 18 19:46:35 defiant kernel: [ 1859.135019] PKRU: 55555554
Mar 18 19:46:35 defiant kernel: [ 1859.135020] Call Trace:
Mar 18 19:46:35 defiant kernel: [ 1859.135021]  <TASK>
Mar 18 19:46:35 defiant kernel: [ 1859.135022] ? show_regs (/home/marvin/linux/kernel/net-next/arch/x86/kernel/dumpstack.c:479)
Mar 18 19:46:35 defiant kernel: [ 1859.135026] ? __warn_thunk (/home/marvin/linux/kernel/net-next/arch/x86/kernel/cpu/bugs.c:2935 (discriminator 3))
Mar 18 19:46:35 defiant kernel: [ 1859.135028] ? __warn (/home/marvin/linux/kernel/net-next/kernel/panic.c:677)
Mar 18 19:46:35 defiant kernel: [ 1859.135030] ? __warn_thunk (/home/marvin/linux/kernel/net-next/arch/x86/kernel/cpu/bugs.c:2935 (discriminator 3))
Mar 18 19:46:35 defiant kernel: [ 1859.135032] ? report_bug (/home/marvin/linux/kernel/net-next/lib/bug.c:201 /home/marvin/linux/kernel/net-next/lib/bug.c:219)
Mar 18 19:46:35 defiant kernel: [ 1859.135036] ? irq_work_queue (/home/marvin/linux/kernel/net-next/kernel/irq_work.c:119)
Mar 18 19:46:35 defiant kernel: [ 1859.135040] ? handle_bug (/home/marvin/linux/kernel/net-next/arch/x86/kernel/traps.c:218)
Mar 18 19:46:35 defiant kernel: [ 1859.135043] ? exc_invalid_op (/home/marvin/linux/kernel/net-next/arch/x86/kernel/traps.c:260 (discriminator 1))
Mar 18 19:46:35 defiant kernel: [ 1859.135045] ? asm_exc_invalid_op (/home/marvin/linux/kernel/net-next/./arch/x86/include/asm/idtentry.h:621)
Mar 18 19:46:35 defiant kernel: [ 1859.135050] ? __warn_thunk (/home/marvin/linux/kernel/net-next/arch/x86/kernel/cpu/bugs.c:2935 (discriminator 3))
Mar 18 19:46:35 defiant kernel: [ 1859.135053] warn_thunk_thunk (/home/marvin/linux/kernel/net-next/arch/x86/entry/entry.S:48)
Mar 18 19:46:35 defiant kernel: [ 1859.135057] svm_vcpu_enter_exit (/home/marvin/linux/kernel/net-next/./include/linux/kvm_host.h:543 /home/marvin/linux/kernel/net-next/arch/x86/kvm/svm/svm.c:4115)
Mar 18 19:46:35 defiant kernel: [ 1859.135059] svm_vcpu_run (/home/marvin/linux/kernel/net-next/./arch/x86/include/asm/cpufeature.h:171 /home/marvin/linux/kernel/net-next/arch/x86/kvm/svm/svm.c:4182)
Mar 18 19:46:35 defiant kernel: [ 1859.135062] kvm_arch_vcpu_ioctl_run (/home/marvin/linux/kernel/net-next/arch/x86/kvm/x86.c:10981 /home/marvin/linux/kernel/net-next/arch/x86/kvm/x86.c:11184 /home/marvin/linux/kernel/net-next/arch/x86/kvm/x86.c:11410)
Mar 18 19:46:35 defiant kernel: [ 1859.135065] ? call_rcu (/home/marvin/linux/kernel/net-next/kernel/rcu/tree.c:2839)
Mar 18 19:46:35 defiant kernel: [ 1859.135068] ? srso_alias_return_thunk (/home/marvin/linux/kernel/net-next/arch/x86/lib/retpoline.S:181)
Mar 18 19:46:35 defiant kernel: [ 1859.135070] ? put_object (/home/marvin/linux/kernel/net-next/mm/kmemleak.c:549)
Mar 18 19:46:35 defiant kernel: [ 1859.135074] ? srso_alias_return_thunk (/home/marvin/linux/kernel/net-next/arch/x86/lib/retpoline.S:181)
Mar 18 19:46:35 defiant kernel: [ 1859.135076] ? kmemleak_free (/home/marvin/linux/kernel/net-next/mm/kmemleak.c:1109)
Mar 18 19:46:35 defiant kernel: [ 1859.135078] ? srso_alias_return_thunk (/home/marvin/linux/kernel/net-next/arch/x86/lib/retpoline.S:181)
Mar 18 19:46:35 defiant kernel: [ 1859.135080] kvm_vcpu_ioctl (/home/marvin/linux/kernel/net-next/arch/x86/kvm/../../../virt/kvm/kvm_main.c:4447)
Mar 18 19:46:35 defiant kernel: [ 1859.135083] ? srso_alias_return_thunk (/home/marvin/linux/kernel/net-next/arch/x86/lib/retpoline.S:181)
Mar 18 19:46:35 defiant kernel: [ 1859.135085] ? kvm_vcpu_ioctl (/home/marvin/linux/kernel/net-next/arch/x86/kvm/../../../virt/kvm/kvm_main.c:4610)
Mar 18 19:46:35 defiant kernel: [ 1859.135087] ? srso_alias_return_thunk (/home/marvin/linux/kernel/net-next/arch/x86/lib/retpoline.S:181)
Mar 18 19:46:35 defiant kernel: [ 1859.135089] ? do_syscall_64 (/home/marvin/linux/kernel/net-next/./arch/x86/include/asm/cpufeature.h:171 /home/marvin/linux/kernel/net-next/arch/x86/entry/common.c:98)
Mar 18 19:46:35 defiant kernel: [ 1859.135092] ? srso_alias_return_thunk (/home/marvin/linux/kernel/net-next/arch/x86/lib/retpoline.S:181)
Mar 18 19:46:35 defiant kernel: [ 1859.135093] ? trace_hardirqs_on (/home/marvin/linux/kernel/net-next/kernel/trace/trace_preemptirq.c:58)
Mar 18 19:46:35 defiant kernel: [ 1859.135097] __x64_sys_ioctl (/home/marvin/linux/kernel/net-next/fs/ioctl.c:51 /home/marvin/linux/kernel/net-next/fs/ioctl.c:904 /home/marvin/linux/kernel/net-next/fs/ioctl.c:890 /home/marvin/linux/kernel/net-next/fs/ioctl.c:890)
Mar 18 19:46:35 defiant kernel: [ 1859.135101] do_syscall_64 (/home/marvin/linux/kernel/net-next/arch/x86/entry/common.c:52 /home/marvin/linux/kernel/net-next/arch/x86/entry/common.c:83)
Mar 18 19:46:35 defiant kernel: [ 1859.135103] ? srso_alias_return_thunk (/home/marvin/linux/kernel/net-next/arch/x86/lib/retpoline.S:181)
Mar 18 19:46:35 defiant kernel: [ 1859.135105] ? do_syscall_64 (/home/marvin/linux/kernel/net-next/./arch/x86/include/asm/cpufeature.h:171 /home/marvin/linux/kernel/net-next/arch/x86/entry/common.c:98)
Mar 18 19:46:35 defiant kernel: [ 1859.135106] ? srso_alias_return_thunk (/home/marvin/linux/kernel/net-next/arch/x86/lib/retpoline.S:181)
Mar 18 19:46:35 defiant kernel: [ 1859.135108] ? irqentry_exit (/home/marvin/linux/kernel/net-next/kernel/entry/common.c:361)
Mar 18 19:46:35 defiant kernel: [ 1859.135110] ? srso_alias_return_thunk (/home/marvin/linux/kernel/net-next/arch/x86/lib/retpoline.S:181)
Mar 18 19:46:35 defiant kernel: [ 1859.135112] ? exc_page_fault (/home/marvin/linux/kernel/net-next/arch/x86/mm/fault.c:1567)
Mar 18 19:46:35 defiant kernel: [ 1859.135114] entry_SYSCALL_64_after_hwframe (/home/marvin/linux/kernel/net-next/arch/x86/entry/entry_64.S:129)
Mar 18 19:46:35 defiant kernel: [ 1859.135115] RIP: 0033:0x71f68c51a94f
Mar 18 19:46:35 defiant kernel: [ 1859.135135] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
All code
========
    0:	00 48 89             	add    %cl,-0x77(%rax)
    3:	44 24 18             	rex.R and $0x18,%al
    6:	31 c0                	xor    %eax,%eax
    8:	48 8d 44 24 60       	lea    0x60(%rsp),%rax
    d:	c7 04 24 10 00 00 00 	movl   $0x10,(%rsp)
   14:	48 89 44 24 08       	mov    %rax,0x8(%rsp)
   19:	48 8d 44 24 20       	lea    0x20(%rsp),%rax
   1e:	48 89 44 24 10       	mov    %rax,0x10(%rsp)
   23:	b8 10 00 00 00       	mov    $0x10,%eax
   28:	0f 05                	syscall
   2a:*	41 89 c0             	mov    %eax,%r8d		<-- trapping instruction
   2d:	3d 00 f0 ff ff       	cmp    $0xfffff000,%eax
   32:	77 1f                	ja     0x53
   34:	48 8b 44 24 18       	mov    0x18(%rsp),%rax
   39:	64                   	fs
   3a:	48                   	rex.W
   3b:	2b                   	.byte 0x2b
   3c:	04 25                	add    $0x25,%al
   3e:	28 00                	sub    %al,(%rax)

Code starting with the faulting instruction
===========================================
    0:	41 89 c0             	mov    %eax,%r8d
    3:	3d 00 f0 ff ff       	cmp    $0xfffff000,%eax
    8:	77 1f                	ja     0x29
    a:	48 8b 44 24 18       	mov    0x18(%rsp),%rax
    f:	64                   	fs
   10:	48                   	rex.W
   11:	2b                   	.byte 0x2b
   12:	04 25                	add    $0x25,%al
   14:	28 00                	sub    %al,(%rax)
Mar 18 19:46:35 defiant kernel: [ 1859.135137] RSP: 002b:00007ffd0f928bd0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
Mar 18 19:46:35 defiant kernel: [ 1859.135138] RAX: ffffffffffffffda RBX: 0000000028af2880 RCX: 000071f68c51a94f
Mar 18 19:46:35 defiant kernel: [ 1859.135139] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000007
Mar 18 19:46:35 defiant kernel: [ 1859.135140] RBP: 000071f68c6806c0 R08: 0000000000000000 R09: 0000000000000001
Mar 18 19:46:35 defiant kernel: [ 1859.135141] R10: 000000000000001f R11: 0000000000000246 R12: 0000000028af2880
Mar 18 19:46:35 defiant kernel: [ 1859.135142] R13: 0000000000000041 R14: 0000000000427e18 R15: 000071f68c6e3040
Mar 18 19:46:35 defiant kernel: [ 1859.135146]  </TASK>
Mar 18 19:46:35 defiant kernel: [ 1859.135146] ---[ end trace 0000000000000000 ]---

Hope this helps.

Best regards,
Mirsad Todorovac
