Message-ID: <81cd1d38-8856-4b27-921d-839d9e385942@oracle.com>
Date: Wed, 21 May 2025 21:10:58 +0200
From: Alexandre Chartre <alexandre.chartre@...cle.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable@...r.kernel.org,
Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>
Cc: alexandre.chartre@...cle.com, patches@...ts.linux.dev,
linux-kernel@...r.kernel.org, torvalds@...ux-foundation.org,
akpm@...ux-foundation.org, linux@...ck-us.net, shuah@...nel.org,
patches@...nelci.org, lkft-triage@...ts.linaro.org, pavel@...x.de,
jonathanh@...dia.com, f.fainelli@...il.com, sudipm.mukherjee@...il.com,
srw@...dewatkins.net, rwarsow@....de, conor@...nel.org,
hargar@...rosoft.com, broonie@...nel.org
Subject: Re: [PATCH 5.15 00/59] 5.15.184-rc1 review
On 5/20/25 15:49, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.184 release.
> There are 59 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 22 May 2025 12:57:37 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.184-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
It's crashing at boot for me when the ITS mitigation is used (tested on Icelake):
[ OK ] Started udev Coldplug all Devices.
Starting udev Wait for Complete Device Initialization...
[ 3.567527] BUG: unable to handle page fault for address: ff4fa48f82b9a000
[ 3.575207] #PF: supervisor write access in kernel mode
[ 3.581040] #PF: error_code(0x0003) - permissions violation
[ 3.587262] PGD 1007f401067 P4D 1007f402067 PUD 3024b3063 PMD 302b99063 PTE 8000000302b9a161
[ 3.596685] Oops: 0003 [#1] SMP NOPTI
[ 3.600775] CPU: 73 PID: 1672 Comm: systemd-udevd Not tainted 5.15.184-rc1.its.1.el8.dev.x86_64 #1
[ 3.610779] Hardware name: Oracle Corporation ORACLE SERVER X9-2c/TLA,MB TRAY,X9-2c, BIOS 66110100 07/17/2024
[ 3.621848] RIP: 0010:clear_page_erms+0x7/0x10
[ 3.626813] Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 e9 13 7f a5 00 0f 1f 00 b9 00 10 00 00 31 c0 <f3> aa e9 02 7f a5 00 cc cc 48 85 ff 0f 84 e5 00 00 00 0f b6 0f 4c
[ 3.647774] RSP: 0000:ff63a55d1b8f3cb8 EFLAGS: 00010246
[ 3.653608] RAX: 0000000000000000 RBX: ff63a55d1b8f3d38 RCX: 0000000000001000
[ 3.661565] RDX: ffc82ea4cc0ae680 RSI: ff4fa48d971b1fc0 RDI: ff4fa48f82b9a000
[ 3.669529] RBP: ff4fa50cfffd5d80 R08: ffc82ea4cc0ae6c0 R09: 0000000000000000
[ 3.677496] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 3.685460] R13: 0000000000000901 R14: 0000000000000000 R15: 000000000002414b
[ 3.693425] FS: 00007f525eb73280(0000) GS:ff4fa50affc40000(0000) knlGS:0000000000000000
[ 3.702451] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.708864] CR2: ff4fa48f82b9a000 CR3: 0000000401476006 CR4: 0000000000771ee0
[ 3.716830] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3.724796] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3.732753] PKRU: 55555554
[ 3.735773] Call Trace:
[ 3.738504] <TASK>
[ 3.740847] kernel_init_free_pages.part.0+0x46/0x70
[ 3.746394] get_page_from_freelist+0x3df/0x510
[ 3.751453] ? do_set_pte+0xa5/0x100
[ 3.755446] __alloc_pages+0x19a/0x350
[ 3.759631] pte_alloc_one+0x14/0x50
[ 3.763623] do_read_fault+0x12d/0x160
[ 3.767802] do_fault+0x9a/0x2e0
[ 3.771403] __handle_mm_fault+0x3e8/0x6c0
[ 3.775978] handle_mm_fault+0xcf/0x2c0
[ 3.780261] do_user_addr_fault+0x1d2/0x680
[ 3.784932] exc_page_fault+0x68/0x140
[ 3.789119] asm_exc_page_fault+0x22/0x30
[ 3.793598] RIP: 0033:0x557a550175bd
[ 3.797591] Code: Unable to access opcode bytes at RIP 0x557a55017593.
[ 3.804878] RSP: 002b:00007ffd57006600 EFLAGS: 00010206
[ 3.810710] RAX: 0000000000000000 RBX: 0000557a6a620e40 RCX: 00007f525da098b8
[ 3.818676] RDX: 0000000000000003 RSI: 00007f525da09908 RDI: 0000000000000003
[ 3.826642] RBP: 00007ffd570067d0 R08: 0000000000000000 R09: 000000000000000a
[ 3.834607] R10: 00007f525eb73280 R11: 0000000000000206 R12: 0000557a6a620f00
[ 3.842573] R13: 0000557a6a6b76d0 R14: 0000000000000000 R15: 0000557a6a6b87d0
[ 3.850533] </TASK>
[ 3.852972] Modules linked in: psample pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls cxgb3i cxgb3 mdio libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
[ 3.879765] CR2: ff4fa48f82b9a000
[ 3.883463] ---[ end trace 5c8bb91d889112a9 ]---
[ 4.498240] RIP: 0010:clear_page_erms+0x7/0x10
[ 4.503205] Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 e9 13 7f a5 00 0f 1f 00 b9 00 10 00 00 31 c0 <f3> aa e9 02 7f a5 00 cc cc 48 85 ff 0f 84 e5 00 00 00 0f b6 0f 4c
[ 4.524155] RSP: 0000:ff63a55d1b8f3cb8 EFLAGS: 00010246
[ 4.529978] RAX: 0000000000000000 RBX: ff63a55d1b8f3d38 RCX: 0000000000001000
[ 4.537945] RDX: ffc82ea4cc0ae680 RSI: ff4fa48d971b1fc0 RDI: ff4fa48f82b9a000
[ 4.545910] RBP: ff4fa50cfffd5d80 R08: ffc82ea4cc0ae6c0 R09: 0000000000000000
[ 4.553874] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 4.561840] R13: 0000000000000901 R14: 0000000000000000 R15: 000000000002414b
[ 4.569798] FS: 00007f525eb73280(0000) GS:ff4fa50affc40000(0000) knlGS:0000000000000000
[ 4.578831] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4.585235] CR2: 0000557a55017593 CR3: 0000000401476006 CR4: 0000000000771ee0
[ 4.593202] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4.601158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4.609122] PKRU: 55555554
[ 4.612143] Kernel panic - not syncing: Fatal exception
[ 4.618980] Kernel Offset: 0x39e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 4.686287] ---[ end Kernel panic - not syncing: Fatal exception ]---
There's no problem when disabling the ITS mitigation.
It looks like the problem comes from pages allocated for dynamic thunks for modules, and
this patch appears to fix the problem:
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index 43ec73da66d8b..9ca6973e56547 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -460,6 +460,8 @@ void its_free_mod(struct module *mod)
for (i = 0; i < mod->its_num_pages; i++) {
void *page = mod->its_page_array[i];
+ set_memory_nx((unsigned long)page, 1);
+ set_memory_rw((unsigned long)page, 1);
module_memfree(page);
}
kfree(mod->its_page_array);
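Review bot: in the its_free_mod() loop the return values of set_memory_nx() and set_memory_rw() are discarded, so if either call fails the page still reaches module_memfree() without write permission, which is the state this change is meant to avoid. Consider checking both calls (for example with WARN_ON_ONCE) and adding a short comment above them saying that the page was made ROX and has to be writable and non-executable again before it is freed. Clearing execute before granting write, as done here, is the right order because it avoids a window where the page is both writable and executable.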
I don't know the exact underlying issue but I suspect that the kernel doesn't
correctly handle pages freed without the write permission, and restoring page
permissions to rw (instead of rox) before freeing prevents the problem.
alex.
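
The #PF error code (0x0003) and the PTE value (8000000302b9a161) printed in the oops can be decoded to check what kind of fault this was. The following is an added example, not part of the original message or of the kernel sources; the macro and function names are this example's own, and the bit positions are the standard x86-64 ones for a 4 KiB page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86 #PF error-code bits (names are this example's own). */
#define PF_PROT   (1u << 0)   /* 1: protection violation, 0: page not present */
#define PF_WRITE  (1u << 1)   /* 1: write access */
#define PF_USER   (1u << 2)   /* 1: access came from user mode */
#define PF_INSTR  (1u << 4)   /* 1: instruction fetch */

/* x86-64 4 KiB PTE bits. */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_RW       (1ULL << 1)
#define PTE_NX       (1ULL << 63)
#define PTE_PFN_MASK 0x000ffffffffff000ULL   /* physical address bits 12..51 */

/* Physical address of the frame mapped by the PTE. */
uint64_t pte_phys(uint64_t pte) { return pte & PTE_PFN_MASK; }

/* True if the PTE maps a present page that is read-only and non-executable. */
bool pte_is_ro_nx(uint64_t pte)
{
    return (pte & PTE_PRESENT) && !(pte & PTE_RW) && (pte & PTE_NX);
}

/* True if the error code describes a supervisor data write that hit a
 * present page (a permission fault rather than a missing mapping). */
bool pf_is_kernel_write_prot(unsigned int err)
{
    unsigned int mask = PF_PROT | PF_WRITE | PF_USER | PF_INSTR;
    return (err & mask) == (PF_PROT | PF_WRITE);
}

int main(void)
{
    /* Values copied from the oops in the message above. */
    unsigned int err = 0x0003;
    uint64_t pte = 0x8000000302b9a161ULL;

    printf("error_code %#06x: kernel write, protection fault: %s\n",
           err, pf_is_kernel_write_prot(err) ? "yes" : "no");
    printf("PTE %#018llx: frame %#llx, present+read-only+NX: %s\n",
           (unsigned long long)pte, (unsigned long long)pte_phys(pte),
           pte_is_ro_nx(pte) ? "yes" : "no");
    return 0;
}
```

Both checks return true for the values in the oops: the faulting write in clear_page_erms hit a page that is present but mapped without the RW bit.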