Message-ID: <b4baa935-5ddd-42ce-add4-811ed74c2be7@kzalloc.com>
Date: Wed, 23 Jul 2025 20:36:33 +0900
From: Yunseong Kim <ysk@...lloc.com>
To: Will Deacon <will@...nel.org>, Mark Rutland <mark.rutland@....com>,
 Yeoreum Yun <yeoreum.yun@....com>
Cc: Austin Kim <austindh.kim@...il.com>, Michelle Jin <shjy180909@...il.com>,
 linux-arm-kernel@...ts.infradead.org, linux-perf-users@...r.kernel.org,
 linux-kernel@...r.kernel.org, syzkaller@...glegroups.com
Subject: [BUG] arm_pmuv3: Invalid PMEV index and lockup triggered via
 perf_event_open

Hi,

While testing the 6.16.0-rc2 kernel on an AArch64 QEMU environment, I
encountered a warning followed by a soft lockup that seems to be triggered by a
bad PMU index access and a circular locking dependency. This was observed during
perf_event_open() execution triggered by syzkaller.

Here's a summary of the issue:

---

WARNING: possible circular locking dependency detected

 Chain exists of:
   console_owner --> &rq->__lock --> &ctx->lock

  Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&ctx->lock);
                                lock(&rq->__lock);
                                lock(&ctx->lock);
   lock(console_owner);

---

And this happens while the system is handling a perf event overflow and trying to
update PMU counters or start/stop events.

Environment:
- Kernel: v6.16.0-rc2
- Platform: QEMU aarch64 (KVM enabled Radxa's Orion6 platform.)
- Arm64 PMU focused kernel fuzzing with perf_event_open, based on syzkaller
- No additional modules loaded

The issue is reproducible, and for detailed reproduction steps, please refer to
Link: https://lore.kernel.org/lkml/20250723104359.364547-5-ysk@kzalloc.com/

I’ve attached the original log from the lockup as well as the decoded version.

Best regards,
Yunseong Kim
View attachment "dec-arm64-pmu-lockup-v6.16-rc2.log" of type "text/plain" (134495 bytes)

View attachment "arm64-pmu-lockup-v6.16-rc2.txt" of type "text/plain" (105590 bytes)
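
The ordering rule behind the warning quoted in the message, as an added example (not part of the original post and not the kernel's lockdep code): each "B acquired while A is held" is recorded as an edge A --> B, and an acquisition is flagged when its edge would close a cycle. The lock names come from the report; the enum indices and function names are this example's own.

```c
#include <stdio.h>

/* Lock classes named in the report; the indices are this example's own. */
enum { CONSOLE_OWNER, RQ_LOCK, CTX_LOCK, NR_LOCKS };
static const char *lock_name[NR_LOCKS] = {
    "console_owner", "&rq->__lock", "&ctx->lock"
};

/* dep[a][b] != 0 means "b was acquired while a was held" (a --> b). */
static int dep[NR_LOCKS][NR_LOCKS];

/* Depth-first search: is `to` reachable from `from` along recorded edges? */
static int reachable(int from, int to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int next = 0; next < NR_LOCKS; next++)
        if (dep[from][next] && !seen[next] && reachable(next, to, seen))
            return 1;
    return 0;
}

/*
 * Record "acquire `want` while holding `held`". Returns 1 and records nothing
 * if the new edge held --> want would close a cycle, i.e. if `held` is
 * already reachable from `want`; otherwise stores the edge and returns 0.
 */
static int acquire_while_holding(int held, int want)
{
    int seen[NR_LOCKS] = {0};

    if (reachable(want, held, seen)) {
        printf("possible circular locking dependency: %s --> %s\n",
               lock_name[held], lock_name[want]);
        return 1;
    }
    dep[held][want] = 1;
    return 0;
}

int main(void)
{
    /* Existing chain from the report. */
    acquire_while_holding(CONSOLE_OWNER, RQ_LOCK);
    acquire_while_holding(RQ_LOCK, CTX_LOCK);
    /* CPU0 column: console_owner taken with &ctx->lock held. */
    return acquire_while_holding(CTX_LOCK, CONSOLE_OWNER) ? 0 : 1;
}
```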
