lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20250904232952.GA875818@ax162>
Date: Thu, 4 Sep 2025 16:29:52 -0700
From: Nathan Chancellor <nathan@...nel.org>
To: Borislav Petkov <bp@...en8.de>
Cc: kernel test robot <oliver.sang@...el.com>,
	Borislav Petkov <bp@...nel.org>, oe-lkp@...ts.linux.dev,
	lkp@...el.com, linux-doc@...r.kernel.org,
	linux-kernel@...r.kernel.org, X86 ML <x86@...nel.org>,
	"Chang S. Bae" <chang.seok.bae@...el.com>,
	Sohil Mehta <sohil.mehta@...el.com>,
	Ryusuke Konishi <konishi.ryusuke@...il.com>,
	linux-nilfs@...r.kernel.org
Subject: Re: [PATCH -v1 1/2] x86/microcode: Add microcode= cmdline parsing

Hi Boris and the Intel folks,

+ Ryusuke and linux-nilfs

On Thu, Sep 04, 2025 at 01:37:52PM +0200, Borislav Petkov wrote:
> On Tue, Sep 02, 2025 at 04:45:12PM +0800, kernel test robot wrote:
> > 
> > 
> > Hello,
> > 
> > 
> > this could be a noise, we didn't see the relation between the patch with the
> > issue we observed. however, we rebuild the kernels for both this commit and
> > parent 3 times.
> > (
> > our bot chose 894af4a1cde61c as the parent as below
> > * 19f370d45aceea x86/microcode: Add microcode= cmdline parsing
> > * 894af4a1cde61c (tip/x86/core, peterz-queue/x86/core) objtool: Validate kCFI calls
> > )
> > 
> > and for each rerun of both this commit and parent, we run more times, but the
> > issue is still quite persistent while parent keeps clean:
> > 
> > =========================================================================================
> > tbox_group/testcase/rootfs/kconfig/compiler/runtime/group/nr_groups:
> >   vm-snb/trinity/debian-11.1-i386-20220923.cgz/x86_64-randconfig-006-20250826/clang-20/300s/group-01/5
> > 
> > 894af4a1cde61c34 19f370d45aceea5ab4c52e3afa0
> > ---------------- ---------------------------
> >        fail:runs  %reproduction    fail:runs
> >            |             |             |
> >            :200         74%         149:200   last_state.is_incomplete_run
> >            :200         74%         147:200   last_state.running
> >            :200         75%         150:200   dmesg.CFI_failure_at_kobj_attr_show
> >            :200         75%         150:200   dmesg.Kernel_panic-not_syncing:Fatal_exception
> >            :200         75%         150:200   dmesg.Oops:invalid_opcode:#[##]KASAN
> >            :200         75%         150:200   dmesg.RIP:kobj_attr_show
> >            :200         75%         150:200   dmesg.boot_failures
> > 
> > so we just follow our report rule to still report this results FYI.
> > 
> > if it's really irrelevant, sorry maybe our env issues (though we still cannot
> > figure out for now). and if you can help us to figure out the potential problem
> > from our dmesg in below link, it will be very apprecidated!
> 
> Yeah, I don't know what you did here but building with that .config, I can't
> even boot that kernel in a VM because doing:
> 
> qemu-... -kernel bzImage ...
> 
> sends me into grub and asks me to select the default kernel.
> 
> And my qemu script boots arbitrary kernels just fine.

Does your QEMU boot via UEFI? This configuration has

  # CONFIG_EFI is not set

so if I try to boot QEMU via OVMF, I get:

  BdsDxe: failed to load Boot0002 "UEFI Non-Block Boot Device" from VenMedia(1428F772-B64A-441E-B8C3-9EBDD7F893C7): Not Found
  BdsDxe: No bootable option or device was found.
  BdsDxe: Press any key to enter the Boot Manager Menu.

Turning on CONFIG_EFI and CONFIG_EFI_STUB is enough for me to boot this
configuration.

> Also, I used clang-20 from here:
> 
> https://mirrors.edge.kernel.org/pub/tools/llvm/
> 
> and version 20.1.8 took something like ~10(!) minutes to link vmlinux with
> that config. Just FYI for Nathan, maybe something's weird there.

Looks like this configuration has

  CONFIG_LTO_CLANG_FULL=y

so that's not too surprising :) turning that off or making it

  CONFIG_LTO_CLANG_THIN=y

should be much quicker.

> > below is full report.
> 
> Leaving it in.

As for the actual report...

I ran 200 boots using our simple Buildroot initrd and QEMU wrapper
script [1] and saw no issues, however...

[1]: https://github.com/ClangBuiltLinux/boot-utils

> > kernel test robot noticed "CFI_failure_at_kobj_attr_show" on:
> > 
> > commit: 19f370d45aceea5ab4c52e3afa00226fb99c3fc8 ("[PATCH -v1 1/2] x86/microcode: Add microcode= cmdline parsing")
> > url: https://github.com/intel-lab-lkp/linux/commits/Borislav-Petkov/x86-microcode-Add-microcode-cmdline-parsing/20250820-215624
> > base: https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git 894af4a1cde61c3401f237184fb770f72ff12df8
> > patch link: https://lore.kernel.org/all/20250820135043.19048-2-bp@kernel.org/
> > patch subject: [PATCH -v1 1/2] x86/microcode: Add microcode= cmdline parsing
> > 
> > in testcase: trinity
> > version: trinity-i386-abe9de86-1_20230429
> > with following parameters:
> > 
> > 	runtime: 300s
> > 	group: group-01
> > 	nr_groups: 5
> > 
> > 
> > 
> > config: x86_64-randconfig-006-20250826
> > compiler: clang-20
> > test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
> > 
> > (please refer to attached dmesg/kmsg for entire log/backtrace)
> > 
> > 
> > 
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <oliver.sang@...el.com>
> > | Closes: https://lore.kernel.org/oe-lkp/202509021646.bc78d9ef-lkp@intel.com
> > 
> > 
> > The kernel config and materials to reproduce are available at:
> > https://download.01.org/0day-ci/archive/20250902/202509021646.bc78d9ef-lkp@intel.com
> > 
> > 
> > [  453.382281][ T7761] CFI failure at kobj_attr_show+0x59/0x80 (target: nilfs_feature_revision_show+0x0/0x30; expected type: 0x1b8aae92)

I am surprised that this was not reproducible at 894af4a1cde61c34 for
the Intel folks because it does for me assuming I actually try to read
that file (maybe trinity was not hitting it on the older revision?):

  $ cat /sys/fs/nilfs2/features/revision
  [    6.975426][  T150] CFI failure at kobj_attr_show+0x59/0x80 (target: nilfs_feature_revision_show+0x0/0x30; expected type: 0xed60cafc)
  [    6.976822][  T150] Oops: invalid opcode: 0000 [#1] KASAN
  [    6.977407][  T150] CPU: 0 UID: 0 PID: 150 Comm: cat Not tainted 6.17.0-rc2-00016-g894af4a1cde6 #1 NONE
  [    6.978432][  T150] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
  [    6.979752][  T150] RIP: 0010:kobj_attr_show+0x59/0x80
  [    6.980321][  T150] Code: 08 00 74 08 4c 89 e7 e8 05 6b d6 fb 4d 8b 1c 24 4d 85 db 74 1f 4c 89 ff 4c 89 f6 48 89 da 41 ba 04 35 9f 12 45 03 53 f1 74 02 <0f> 0b 41 ff d3 0f 1f 00 eb 07 48 c7 c0 fb ff ff ff 5b 41 5c 41 5e
  [    6.982456][  T150] RSP: 0018:ffa0000000e17b28 EFLAGS: 00010216
  [    6.983163][  T150] RAX: 1ffffffff3753765 RBX: ff11000109eca000 RCX: dffffc0000000000
  [    6.984012][  T150] RDX: ff11000109eca000 RSI: ffffffff9ba9bb00 RDI: ff11000100b4f250
  [    6.984900][  T150] RBP: ffa0000000e17b48 R08: ff11000109ecafff R09: ff11000109eca000
  [    6.985830][  T150] R10: 000000007b3f6fc3 R11: ffffffff9541ea80 R12: ffffffff9ba9bb28
  [    6.986658][  T150] R13: 1fe2200020fdfe80 R14: ffffffff9ba9bb00 R15: ff11000100b4f250
  [    6.987542][  T150] FS:  00007f4818d2b740(0000) GS:0000000000000000(0000) knlGS:0000000000000000
  [    6.988508][  T150] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [    6.989241][  T150] CR2: 00007f481899a000 CR3: 0000000109f3b002 CR4: 0000000000371eb0
  [    6.990120][  T150] Call Trace:
  [    6.990498][  T150]  <TASK>
  [    6.990867][  T150]  sysfs_kf_seq_show+0x2a6/0x390
  [    6.991410][  T150]  ? __cfi_kobj_attr_show+0x10/0x10
  [    6.992015][  T150]  kernfs_seq_show+0x104/0x15b
  [    6.992542][  T150]  seq_read_iter+0x580/0xe2b
  [    6.993076][  T150]  kernfs_fop_read_iter+0x137/0x470
  [    6.993650][  T150]  new_sync_read+0x27e/0x365
  [    6.994185][  T150]  vfs_read+0x1e8/0x46b
  [    6.994650][  T150]  ksys_read+0xc2/0x170
  [    6.995129][  T150]  __x64_sys_read+0x7f/0x90
  [    6.995631][  T150]  ? entry_SYSCALL_64_after_hwframe+0x6b/0x73
  [    6.996299][  T150]  x64_sys_call+0x2589/0x2cdb
  [    6.996843][  T150]  do_syscall_64+0x89/0xfa0
  [    6.997343][  T150]  ? irqentry_exit+0x33/0x70
  [    6.997882][  T150]  ? exc_page_fault+0x96/0xe0
  [    6.998400][  T150]  entry_SYSCALL_64_after_hwframe+0x6b/0x73
  [    6.999068][  T150] RIP: 0033:0x7f4818dc11ce
  [    6.999564][  T150] Code: 4d 89 d8 e8 64 be 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
  [    7.001627][  T150] RSP: 002b:00007ffc2d325600 EFLAGS: 00000202 ORIG_RAX: 0000000000000000
  [    7.002558][  T150] RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007f4818dc11ce
  [    7.003443][  T150] RDX: 0000000000040000 RSI: 00007f481899b000 RDI: 0000000000000003
  [    7.004363][  T150] RBP: 00007ffc2d325610 R08: 0000000000000000 R09: 0000000000000000
  [    7.005260][  T150] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000040000
  [    7.006143][  T150] R13: 00007f481899b000 R14: 0000000000000003 R15: 0000000000000000
  [    7.007027][  T150]  </TASK>
  [    7.007411][  T150] Modules linked in:
  [    7.007994][  T150] ---[ end trace 0000000000000000 ]---
  [    7.008711][  T150] RIP: 0010:kobj_attr_show+0x59/0x80
  [    7.009430][  T150] Code: 08 00 74 08 4c 89 e7 e8 05 6b d6 fb 4d 8b 1c 24 4d 85 db 74 1f 4c 89 ff 4c 89 f6 48 89 da 41 ba 04 35 9f 12 45 03 53 f1 74 02 <0f> 0b 41 ff d3 0f 1f 00 eb 07 48 c7 c0 fb ff ff ff 5b 41 5c 41 5e
  [    7.011712][  T150] RSP: 0018:ffa0000000e17b28 EFLAGS: 00010216
  [    7.012369][  T150] RAX: 1ffffffff3753765 RBX: ff11000109eca000 RCX: dffffc0000000000
  [    7.013214][  T150] RDX: ff11000109eca000 RSI: ffffffff9ba9bb00 RDI: ff11000100b4f250
  [    7.014202][  T150] RBP: ffa0000000e17b48 R08: ff11000109ecafff R09: ff11000109eca000
  [    7.015201][  T150] R10: 000000007b3f6fc3 R11: ffffffff9541ea80 R12: ffffffff9ba9bb28
  [    7.016202][  T150] R13: 1fe2200020fdfe80 R14: ffffffff9ba9bb00 R15: ff11000100b4f250
  [    7.017212][  T150] FS:  00007f4818d2b740(0000) GS:0000000000000000(0000) knlGS:0000000000000000
  [    7.018332][  T150] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [    7.019154][  T150] CR2: 00007f481899a000 CR3: 0000000109f3b002 CR4: 0000000000371eb0
  [    7.020147][  T150] Kernel panic - not syncing: Fatal exception
  [    7.020837][  T150] Kernel Offset: 0x12e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

The fix should be something like the following, which resolves the issue
for me.

  nilfs_sysfs_init() ->
    kset_create_and_add() ->
      kset_create()

has

  kset->kobj.ktype = &kset_ktype

which is

  static const struct kobj_type kset_ktype = {
    .sysfs_ops      = &kobj_sysfs_ops,
    .release        = kset_release,
    .get_ownership  = kset_get_ownership,
  };

Note the kobj_sysfs_ops.

  const struct sysfs_ops kobj_sysfs_ops = {
    .show   = kobj_attr_show,
    .store  = kobj_attr_store,
  };

nilfs_feature_attr_group is added to the nilfs_kset->kobj via
sysfs_create_group(), where the kernfs_ops for each file in
nilfs_feature_attr_group becomes

  sysfs_create_group() ->
    internal_create_group() ->
      create_files() ->
        sysfs_add_file_mode_ns() ->
          ops = &sysfs_file_kfops_rw;
          __kernfs_create_file() ->
            kn->attr.ops = ops;

  static const struct kernfs_ops sysfs_file_kfops_rw = {
    .seq_show = sysfs_kf_seq_show,
    .write    = sysfs_kf_write,
  };

sysfs_kf_seq_show() calls kobj_attr_show() via

  const struct sysfs_ops *ops = sysfs_file_ops(of->kn);
  ...
  count = ops->show(kobj, of->kn->priv, buf);

kobj_attr_show() calls one of the nilfs_feature_*_show() functions via
after casting to 'struct kobj_attribute':

  kattr = container_of(attr, struct kobj_attribute, attr);
  if (kattr->show)
    ret = kattr->show(kobj, kattr, buf);

  struct kobj_attribute {
    struct attribute attr;
    ssize_t (*show)(struct kobject *kobj, struct kobj_attribute *attr,
            char *buf);
    ssize_t (*store)(struct kobject *kobj, struct kobj_attribute *attr,
            const char *buf, size_t count);
  };

So the types of nilfs_feature_*_show() need to match
kobj_attribute->show() to avoid triggering CFI here.

Cheers,
Nathan

diff --git a/fs/nilfs2/sysfs.c b/fs/nilfs2/sysfs.c
index 14868a3dd592..bc52afbfc5c7 100644
--- a/fs/nilfs2/sysfs.c
+++ b/fs/nilfs2/sysfs.c
@@ -1075,7 +1075,7 @@ void nilfs_sysfs_delete_device_group(struct the_nilfs *nilfs)
  ************************************************************************/
 
 static ssize_t nilfs_feature_revision_show(struct kobject *kobj,
-					    struct attribute *attr, char *buf)
+					    struct kobj_attribute *attr, char *buf)
 {
 	return sysfs_emit(buf, "%d.%d\n",
 			NILFS_CURRENT_REV, NILFS_MINOR_REV);
@@ -1087,7 +1087,7 @@ static const char features_readme_str[] =
 	"(1) revision\n\tshow current revision of NILFS file system driver.\n";
 
 static ssize_t nilfs_feature_README_show(struct kobject *kobj,
-					 struct attribute *attr,
+					 struct kobj_attribute *attr,
 					 char *buf)
 {
 	return sysfs_emit(buf, features_readme_str);
diff --git a/fs/nilfs2/sysfs.h b/fs/nilfs2/sysfs.h
index 78a87a016928..d370cd5cce3f 100644
--- a/fs/nilfs2/sysfs.h
+++ b/fs/nilfs2/sysfs.h
@@ -50,16 +50,16 @@ struct nilfs_sysfs_dev_subgroups {
 	struct completion sg_segments_kobj_unregister;
 };
 
-#define NILFS_COMMON_ATTR_STRUCT(name) \
+#define NILFS_KOBJ_ATTR_STRUCT(name) \
 struct nilfs_##name##_attr { \
 	struct attribute attr; \
-	ssize_t (*show)(struct kobject *, struct attribute *, \
+	ssize_t (*show)(struct kobject *, struct kobj_attribute *, \
 			char *); \
-	ssize_t (*store)(struct kobject *, struct attribute *, \
+	ssize_t (*store)(struct kobject *, struct kobj_attribute *, \
 			 const char *, size_t); \
 }
 
-NILFS_COMMON_ATTR_STRUCT(feature);
+NILFS_KOBJ_ATTR_STRUCT(feature);
 
 #define NILFS_DEV_ATTR_STRUCT(name) \
 struct nilfs_##name##_attr { \

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ