| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250609220934.2c3ed98ba8c624fc7cb45172@kernel.org> Date: Mon, 9 Jun 2025 22:09:34 +0900 From: Masami Hiramatsu (Google) <mhiramat@...nel.org> To: Naresh Kamboju <naresh.kamboju@...aro.org> Cc: open list <linux-kernel@...r.kernel.org>, Linux trace kernel <linux-trace-kernel@...r.kernel.org>, lkft-triage@...ts.linaro.org, Stephen Rothwell <sfr@...b.auug.org.au>, Masami Hiramatsu <mhiramat@...nel.org>, Arnd Bergmann <arnd@...db.de>, Dan Carpenter <dan.carpenter@...aro.org>, Anders Roxell <anders.roxell@...aro.org> Subject: Re: next-20250605: Test regression: qemu-x86_64-compat mode ltp tracing Oops int3 kernel panic On Thu, 5 Jun 2025 17:12:10 +0530 Naresh Kamboju <naresh.kamboju@...aro.org> wrote: > Regressions found on qemu-x86_64 with compat mode (64-bit kernel > running on 32-bit userspace) while running LTP tracing test suite > on Linux next-20250605 tag kernel. > > Regressions found on > - LTP tracing > > Regression Analysis: > - New regression? Yes > - Reproducible? Intermittent > > Test regression: qemu-x86_64-compat mode ltp tracing Oops int3 kernel panic > > Reported-by: Linux Kernel Functional Testing <lkft@...aro.org> > > ## Test log > ftrace-stress-test: <12>[ 21.971153] /usr/local/bin/kirk[277]: > starting test ftrace-stress-test (ftrace_stress_test.sh 90) > <4>[ 58.997439] Oops: int3: 0000 [#1] SMP PTI > <4>[ 58.998089] CPU: 0 UID: 0 PID: 323 Comm: sh Not tainted > 6.15.0-next-20250605 #1 PREEMPT(voluntary) > <4>[ 58.998152] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), > BIOS 1.16.3-debian-1.16.3-2 04/01/2014 > <4>[ 58.998260] RIP: 0010:_raw_spin_lock+0x5/0x50 Interesting. This hits a stray int3 for ftrace on _raw_spin_lock. Here is the compiled code of _raw_spin_lock. ffffffff825daa00 <_raw_spin_lock>: ffffffff825daa00: f3 0f 1e fa endbr64 ffffffff825daa04: e8 47 a6 d5 fe call ffffffff81335050 <__fentry__> Since int3 exception happens after decoded int3 (1 byte), the RIP `_raw_spin_lock+0x05` is not an instruction boundary. > <4>[ 58.998563] Code: 5d e9 ff 12 00 00 66 66 2e 0f 1f 84 00 00 00 > 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 > 0f 1e fa 0f <1f> 44 00 00 55 48 89 e5 53 48 89 fb bf 01 00 00 00 e8 15 > 12 e4 fe And the call is already modified back to a 5-bytes nop when we dump the code. Thus it may hit the intermediate int3 for transforming code. e8 47 a6 d5 fe (first step) cc 47 a6 d5 fe (second step) cc 1f 44 00 00 <- hit? (third step) 0f 1f 44 00 00 <- handle int3 It is very unlikely scenario (and I'm not sure qemu can correctly emulate it.) But if a CPU hits the int3 (cc) on _raw_spin_lock()+0x4 before anoter CPU' runs third step in smp_text_poke_batch_finish(), and before the CPU runs smp_text_poke_int3_handler(), the CPU' runs the thrid step and sets text_poke_array_refs 0, the smp_text_poke_int3_handler() returns 0 and causes the same problem. <CPU0> <CPU1> Start smp_text_poke_batch_finish(). Finish second step. Hit int3 (*) Finish third step. Run smp_text_poke_sync_each_cpu().(**) Clear text_poke_array_refs[cpu0] Start smp_text_poke_int3_handler() Failed to get text_poke_array_refs[cpu0] Oops: int3 But as I said it is very unlikely, because as far as I know; (*) smp_text_poke_int3_handler() is called directly from exc_int3() which is a kind of NMI, so other interrupt should not run. (**) In the third step, smp_text_poke_batch_finish() sends IPI for sync core after removing int3. Thus any int3 exception handling should be finished. Is this bug reproducible easier recently? Thanks, -- Masami Hiramatsu (Google) <mhiramat@...nel.org>
Powered by blists - more mailing lists