This is related to perf not tracing.
-- Steve

On Tue, 09 Jan 2024 08:34:15 +0800 "Ubisectech Sirius" <[email protected]> wrote:

> Dear concerned.
> Greetings!
> We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec.
> Recently, our team has discovered an issue in Linux kernel 6.7.0-g0dd3ee311255.
> technical details:
> 1. Issue Description: possible deadlock in __perf_install_in_context
> 2. Stack Dump:
> [ 158.488994][ T8029] Call Trace:
> [ 158.489411][ T8029] <TASK>
> arch/x86/events/intel/../perf_event.h:1166 arch/x86/events/intel/core.c:2799)
> [ 158.498427][ T8029] x86_pmu_start (arch/x86/events/core.c:1516)
> [ 158.499034][ T8029] x86_pmu_enable (arch/x86/events/core.c:1331
> (discriminator 2))
> [ 158.499601][ T8029] perf_ctx_enable (kernel/events/core.c:703
> (discriminator 2))
> [ 158.500171][ T8029] ctx_resched (kernel/events/core.c:2741)
> [ 158.500733][ T8029] __perf_install_in_context (kernel/events/core.c:2807)
> [ 158.502106][ T8029] remote_function (kernel/events/core.c:92
> kernel/events/core.c:72)
> [ 158.503364][ T8029] generic_exec_single (kernel/smp.c:134 (discriminator 3)
> kernel/smp.c:404 (discriminator 3))
> [ 158.503995][ T8029] smp_call_function_single (kernel/smp.c:647)
> (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77
> ./arch/x86/include/asm/irqflags.h:135 lib/percpu_counter.c:102)
> [ 158.512958][ T8029] perf_install_in_context (kernel/events/core.c:2909
> (discriminator 1))
> [ 158.515717][ T8029] __do_sys_perf_event_open (kernel/events/core.c:1443
> kernel/events/core.c:12747)
> [ 158.518483][ T8029] do_syscall_64 (arch/x86/entry/common.c:52
> arch/x86/entry/common.c:83)
> [ 158.519281][ T8029] entry_SYSCALL_64_after_hwframe
> (arch/x86/entry/entry_64.S:129)
> [ 158.519991][ T8029] RIP: 0033:0x7f04a0c9cf29
> [ 158.520536][ T8029] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
> 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05
> <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48
> All code
> ========
> 0: 00 c3 add %al,%bl
> 2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
> 9: 00 00 00
> c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
> 11: 48 89 f8 mov %rdi,%rax
> 14: 48 89 f7 mov %rsi,%rdi
> 17: 48 89 d6 mov %rdx,%rsi
> 1a: 48 89 ca mov %rcx,%rdx
> 1d: 4d 89 c2 mov %r8,%r10
> 20: 4d 89 c8 mov %r9,%r8
> 23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
> 28: 0f 05 syscall
> 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
> 30: 73 01 jae 0x33
> 32: c3 ret
> 33: 48 8b 0d 37 8f 0d 00 mov 0xd8f37(%rip),%rcx # 0xd8f71
> 3a: f7 d8 neg %eax
> 3c: 64 89 01 mov %eax,%fs:(%rcx)
> 3f: 48 rex.W
> Code starting with the faulting instruction
> ===========================================
> 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
> 6: 73 01 jae 0x9
> 8: c3 ret
> 9: 48 8b 0d 37 8f 0d 00 mov 0xd8f37(%rip),%rcx # 0xd8f47
> 10: f7 d8 neg %eax
> 12: 64 89 01 mov %eax,%fs:(%rcx)
> 15: 48 rex.W
> [ 158.522837][ T8029] RSP: 002b:00007ffe5f1174b8 EFLAGS: 00000246 ORIG_RAX:
> 000000000000012a
> [ 158.523848][ T8029] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
> 00007f04a0c9cf29
> [ 158.524797][ T8029] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
> 0000000020004740
> [ 158.525738][ T8029] RBP: 00007ffe5f1174c0 R08: 0000000000000000 R09:
> 00007ffe5f1174f0
> [ 158.526717][ T8029] R10: 00000000ffffffff R11: 0000000000000246 R12:
> 00005597d067d180
> [ 158.527661][ T8029] R13: 0000000000000000 R14: 0000000000000000 R15:
> 0000000000000000
> [ 158.528611][ T8029] </TASK>
> [ 158.530059][ T8029]
> [ 158.530364][ T8029] ======================================================
> [ 158.531146][ T8029] WARNING: possible circular locking dependency detected
> [ 158.531881][ T8029] 6.7.0-g0dd3ee311255 #6 Not tainted
> [ 158.532457][ T8029] ------------------------------------------------------
> [ 158.533256][ T8029] poc/8029 is trying to acquire lock:
> [ 158.533880][ T8029] ffff88801ca53018 (&ctx->lock){....}-{2:2}, at:
> __perf_event_task_sched_out (kernel/events/core.c:3573
> kernel/events/core.c:3676)
> [ 158.535067][ T8029]
> [ 158.535067][ T8029] but task is already holding lock:
> [ 158.535925][ T8029] ffff88802d23c758 (&rq->__lock){-.-.}-{2:2}, at:
> raw_spin_rq_lock_nested (kernel/sched/core.c:574)
> [ 158.537001][ T8029]
> [ 158.537001][ T8029] which lock already depends on the new lock.
> [ 158.537001][ T8029]
> [ 158.538196][ T8029]
> [ 158.538196][ T8029] the existing dependency chain (in reverse order) is:
> [ 158.539200][ T8029]
> [ 158.539200][ T8029] -> #3 (&rq->__lock){-.-.}-{2:2}:
> [ 158.540081][ T8029] _raw_spin_lock_nested (kernel/locking/spinlock.c:379)
> [ 158.540772][ T8029] raw_spin_rq_lock_nested (kernel/sched/core.c:574)
> [ 158.541471][ T8029] task_fork_fair (kernel/sched/sched.h:1222
> kernel/sched/sched.h:1581 kernel/sched/sched.h:1664 kernel/sched/fair.c:12586)
> [ 158.542092][ T8029] sched_cgroup_fork (kernel/sched/core.c:4814)
> [ 158.542772][ T8029] copy_process (./include/linux/timekeeping.h:154
> kernel/fork.c:2619)
> [ 158.543413][ T8029] kernel_clone (./include/linux/random.h:26
> kernel/fork.c:2908)
> [ 158.544017][ T8029] user_mode_thread (kernel/fork.c:2976)
> [ 158.544648][ T8029] rest_init (init/main.c:695)
> [ 158.545223][ T8029] arch_call_rest_init+0x13/0x30
> [ 158.545874][ T8029] start_kernel (init/main.c:1023 (discriminator 1))
> [ 158.546503][ T8029] x86_64_start_reservations (arch/x86/kernel/head64.c:543)
> [ 158.547244][ T8029] x86_64_start_kernel
> (./arch/x86/include/asm/page_64.h:26 arch/x86/kernel/head64.c:326
> arch/x86/kernel/head64.c:492)
> [ 158.547901][ T8029] secondary_startup_64_no_verify
> (arch/x86/kernel/head_64.S:448)
> [ 158.548696][ T8029]
> [ 158.548696][ T8029] -> #2 (&p->pi_lock){-.-.}-{2:2}:
> [ 158.549576][ T8029] _raw_spin_lock_irqsave
> (./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
> [ 158.550281][ T8029] try_to_wake_up (kernel/sched/core.c:4049
> kernel/sched/core.c:4228)
> [ 158.550914][ T8029] up (kernel/locking/semaphore.c:192)
> [ 158.551412][ T8029] console_unlock (kernel/printk/printk.c:341
> kernel/printk/printk.c:2706 kernel/printk/printk.c:3038)
> [ 158.552055][ T8029] vga_remove_vgacon (drivers/pci/vgaarb.c:188
> drivers/pci/vgaarb.c:167)
> [ 158.552697][ T8029] aperture_remove_conflicting_pci_devices
> (drivers/video/aperture.c:331 drivers/video/aperture.c:374)
> [ 158.553573][ T8029] bochs_pci_probe (drivers/gpu/drm/tiny/bochs.c:652)
> [ 158.554202][ T8029] local_pci_probe (drivers/pci/pci-driver.c:325)
> [ 158.554857][ T8029] pci_device_probe (drivers/pci/pci-driver.c:392
> drivers/pci/pci-driver.c:417 drivers/pci/pci-driver.c:460)
> [ 158.555510][ T8029] really_probe (drivers/base/dd.c:579
> drivers/base/dd.c:658)
> [ 158.556123][ T8029] __driver_probe_device (drivers/base/dd.c:800)
> [ 158.556829][ T8029] driver_probe_device (drivers/base/dd.c:831)
> [ 158.557499][ T8029] __driver_attach (drivers/base/dd.c:1217)
> [ 158.558136][ T8029] bus_for_each_dev (drivers/base/bus.c:367)
> [ 158.558788][ T8029] bus_add_driver (drivers/base/bus.c:674)
> [ 158.559410][ T8029] driver_register (drivers/base/driver.c:247)
> [ 158.560040][ T8029] bochs_pci_driver_init (./include/drm/drm_module.h:69
> drivers/gpu/drm/tiny/bochs.c:735)
> [ 158.560701][ T8029] do_one_initcall (init/main.c:1236)
> [ 158.561337][ T8029] kernel_init_freeable (init/main.c:1297 init/main.c:1314
> init/main.c:1333 init/main.c:1551)
> [ 158.562031][ T8029] kernel_init (init/main.c:1443)
> [ 158.562638][ T8029] ret_from_fork (arch/x86/kernel/process.c:153)
> [ 158.563246][ T8029] ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
> [ 158.563890][ T8029]
> [ 158.563890][ T8029] -> #1 ((console_sem).lock){-...}-{2:2}:
> [ 158.564853][ T8029] _raw_spin_lock_irqsave
> (./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
> [ 158.565559][ T8029] down_trylock (kernel/locking/semaphore.c:140)
> [ 158.566152][ T8029] __down_trylock_console_sem (kernel/printk/printk.c:323)
> [ 158.566924][ T8029] console_trylock (kernel/printk/printk.c:2659
> kernel/printk/printk.c:2654)
> [ 158.567564][ T8029] vprintk_emit (kernel/printk/printk.c:1923
> kernel/printk/printk.c:2302)
> [ 158.568171][ T8029] vprintk (kernel/printk/printk_safe.c:45)
> [ 158.568714][ T8029] _printk (kernel/printk/printk.c:2323)
> [ 158.569258][ T8029] ex_handler_msr (arch/x86/mm/extable.c:180
> (discriminator 9))
> [ 158.569890][ T8029] fixup_exception (arch/x86/mm/extable.c:283)
> [ 158.570540][ T8029] gp_try_fixup_and_notify.constprop.0
> (arch/x86/kernel/traps.c:616)
> [ 158.571389][ T8029] exc_general_protection (arch/x86/kernel/traps.c:676
> arch/x86/kernel/traps.c:642)
> [ 158.572110][ T8029] asm_exc_general_protection
> (./arch/x86/include/asm/idtentry.h:564)
> [ 158.572839][ T8029] intel_pmu_enable_event (./arch/x86/include/asm/msr.h:94
> ./arch/x86/include/asm/msr.h:145 ./arch/x86/include/asm/msr.h:262
> arch/x86/events/intel/../perf_event.h:1166 arch/x86/events/intel/core.c:2799)
> [ 158.573546][ T8029] x86_pmu_start (arch/x86/events/core.c:1516)
> [ 158.574171][ T8029] x86_pmu_enable (arch/x86/events/core.c:1331
> (discriminator 2))
> [ 158.574815][ T8029] perf_ctx_enable (kernel/events/core.c:703
> (discriminator 2))
> [ 158.575456][ T8029] ctx_resched (kernel/events/core.c:2741)
> [ 158.576066][ T8029] __perf_install_in_context (kernel/events/core.c:2807)
> [ 158.576808][ T8029] remote_function (kernel/events/core.c:92
> kernel/events/core.c:72)
> [ 158.577436][ T8029] generic_exec_single (kernel/smp.c:134 (discriminator 3)
> kernel/smp.c:404 (discriminator 3))
> [ 158.578101][ T8029] smp_call_function_single (kernel/smp.c:647)
> [ 158.578830][ T8029] task_function_call (kernel/events/core.c:122)
> [ 158.579492][ T8029] perf_install_in_context (kernel/events/core.c:2909
> (discriminator 1))
> [ 158.580214][ T8029] __do_sys_perf_event_open (kernel/events/core.c:1443
> kernel/events/core.c:12747)
> [ 158.580959][ T8029] do_syscall_64 (arch/x86/entry/common.c:52
> arch/x86/entry/common.c:83)
> [ 158.581579][ T8029] entry_SYSCALL_64_after_hwframe
> (arch/x86/entry/entry_64.S:129)
> [ 158.582351][ T8029]
> [ 158.582351][ T8029] -> #0 (&ctx->lock){....}-{2:2}:
> [ 158.583241][ T8029] __lock_acquire (kernel/locking/lockdep.c:3135
> kernel/locking/lockdep.c:3253 kernel/locking/lockdep.c:3869
> kernel/locking/lockdep.c:5137)
> [ 158.583894][ T8029] lock_acquire (kernel/locking/lockdep.c:467
> kernel/locking/lockdep.c:5756 kernel/locking/lockdep.c:5719)
> [ 158.584526][ T8029] _raw_spin_lock (./include/linux/spinlock_api_smp.h:134
> kernel/locking/spinlock.c:154)
> [ 158.585149][ T8029] __perf_event_task_sched_out (kernel/events/core.c:3573
> kernel/events/core.c:3676)
> [ 158.585907][ T8029] __schedule (./include/linux/perf_event.h:1487
> kernel/sched/core.c:5180 kernel/sched/core.c:5323 kernel/sched/core.c:6688)
> [ 158.586497][ T8029] preempt_schedule_common
> (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238
> ./include/linux/thread_info.h:184 ./include/linux/sched.h:2263
> kernel/sched/core.c:6873)
> [ 158.587239][ T8029] preempt_schedule_thunk (arch/x86/entry/thunk_64.S:45)
> [ 158.587916][ T8029] smp_call_function_single (kernel/smp.c:652
> (discriminator 1))
> [ 158.588639][ T8029] task_function_call (kernel/events/core.c:122)
> [ 158.589292][ T8029] perf_install_in_context (kernel/events/core.c:2909
> (discriminator 1))
> [ 158.590011][ T8029] __do_sys_perf_event_open (kernel/events/core.c:1443
> kernel/events/core.c:12747)
> [ 158.590784][ T8029] do_syscall_64 (arch/x86/entry/common.c:52
> arch/x86/entry/common.c:83)
> [ 158.591396][ T8029] entry_SYSCALL_64_after_hwframe
> (arch/x86/entry/entry_64.S:129)
> [ 158.592162][ T8029]
> [ 158.592162][ T8029] other info that might help us debug this:
> [ 158.592162][ T8029]
> [ 158.593338][ T8029] Chain exists of:
> [ 158.593338][ T8029] &ctx->lock --> &p->pi_lock --> &rq->__lock
> [ 158.593338][ T8029]
> [ 158.594749][ T8029] Possible unsafe locking scenario:
> [ 158.594749][ T8029]
> [ 158.595614][ T8029] CPU0 CPU1
> [ 158.596252][ T8029] ---- ----
> [ 158.596886][ T8029] lock(&rq->__lock);
> [ 158.597394][ T8029] lock(&p->pi_lock);
> [ 158.598194][ T8029] lock(&rq->__lock);
> [ 158.598992][ T8029] lock(&ctx->lock);
> [ 158.599485][ T8029]
> [ 158.599485][ T8029] *** DEADLOCK ***
> [ 158.599485][ T8029]
> [ 158.600436][ T8029] 3 locks held by poc/8029:
> [ 158.600984][ T8029] #0: ffff8880130270a0
> (&sig->exec_update_lock){++++}-{3:3}, at: __do_sys_perf_event_open
> (kernel/events/core.c:12538)
> [ 158.602327][ T8029] #1: ffff88801ca530a8 (&ctx->mutex){+.+.}-{3:3}, at:
> __do_sys_perf_event_open (kernel/events/core.c:12563)
> [ 158.603589][ T8029] #2: ffff88802d23c758 (&rq->__lock){-.-.}-{2:2}, at:
> raw_spin_rq_lock_nested (kernel/sched/core.c:574)
> [ 158.604791][ T8029]
> [ 158.604791][ T8029] stack backtrace:
> [ 158.605497][ T8029] CPU: 0 PID: 8029 Comm: poc Not tainted
> 6.7.0-g0dd3ee311255 #6
> [ 158.606410][ T8029] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.15.0-1 04/01/2014
> [ 158.607495][ T8029] Call Trace:
> [ 158.607906][ T8029] <TASK>
> [ 158.608265][ T8029] dump_stack_lvl (lib/dump_stack.c:107)
> [ 158.608830][ T8029] check_noncircular (kernel/locking/lockdep.c:2187)
> [ 158.612990][ T8029] __lock_acquire (kernel/locking/lockdep.c:3135
> kernel/locking/lockdep.c:3253 kernel/locking/lockdep.c:3869
> kernel/locking/lockdep.c:5137)
> [ 158.614337][ T8029] lock_acquire (kernel/locking/lockdep.c:467
> kernel/locking/lockdep.c:5756 kernel/locking/lockdep.c:5719)
> [ 158.618163][ T8029] _raw_spin_lock (./include/linux/spinlock_api_smp.h:134
> kernel/locking/spinlock.c:154)
> [ 158.619483][ T8029] __perf_event_task_sched_out (kernel/events/core.c:3573
> kernel/events/core.c:3676)
> [ 158.621454][ T8029] __schedule (./include/linux/perf_event.h:1487
> kernel/sched/core.c:5180 kernel/sched/core.c:5323 kernel/sched/core.c:6688)
> [ 158.625012][ T8029] preempt_schedule_common
> (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238
> ./include/linux/thread_info.h:184 ./include/linux/sched.h:2263
> kernel/sched/core.c:6873)
> [ 158.625654][ T8029] preempt_schedule_thunk (arch/x86/entry/thunk_64.S:45)
> [ 158.627659][ T8029] smp_call_function_single (kernel/smp.c:652
> (discriminator 1))
> [ 158.633418][ T8029] task_function_call (kernel/events/core.c:122)
> [ 158.635669][ T8029] perf_install_in_context (kernel/events/core.c:2909
> (discriminator 1))
> [ 158.638010][ T8029] __do_sys_perf_event_open (kernel/events/core.c:1443
> kernel/events/core.c:12747)
> [ 158.640419][ T8029] do_syscall_64 (arch/x86/entry/common.c:52
> arch/x86/entry/common.c:83)
> [ 158.640903][ T8029] entry_SYSCALL_64_after_hwframe
> (arch/x86/entry/entry_64.S:129)
> [ 158.641502][ T8029] RIP: 0033:0x7f04a0c9cf29
> [ 158.641956][ T8029] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
> 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05
> <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48
> All code
> ========
> 0: 00 c3 add %al,%bl
> 2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
> 9: 00 00 00
> c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
> 11: 48 89 f8 mov %rdi,%rax
> 14: 48 89 f7 mov %rsi,%rdi
> 17: 48 89 d6 mov %rdx,%rsi
> 1a: 48 89 ca mov %rcx,%rdx
> 1d: 4d 89 c2 mov %r8,%r10
> 20: 4d 89 c8 mov %r9,%r8
> 23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
> 28: 0f 05 syscall
> 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
> 30: 73 01 jae 0x33
> 32: c3 ret
> 33: 48 8b 0d 37 8f 0d 00 mov 0xd8f37(%rip),%rcx # 0xd8f71
> 3a: f7 d8 neg %eax
> 3c: 64 89 01 mov %eax,%fs:(%rcx)
> 3f: 48 rex.W
> Code starting with the faulting instruction
> ===========================================
> 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
> 6: 73 01 jae 0x9
> 8: c3 ret
> 9: 48 8b 0d 37 8f 0d 00 mov 0xd8f37(%rip),%rcx # 0xd8f47
> 10: f7 d8 neg %eax
> 12: 64 89 01 mov %eax,%fs:(%rcx)
> 15: 48 rex.W
> [ 158.644020][ T8029] RSP: 002b:00007ffe5f1174b8 EFLAGS: 00000246 ORIG_RAX:
> 000000000000012a
> [ 158.644916][ T8029] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
> 00007f04a0c9cf29
> [ 158.645760][ T8029] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
> 0000000020004740
> [ 158.646592][ T8029] RBP: 00007ffe5f1174c0 R08: 0000000000000000 R09:
> 00007ffe5f1174f0
> [ 158.647474][ T8029] R10: 00000000ffffffff R11: 0000000000000246 R12:
> 00005597d067d180
> [ 158.648341][ T8029] R13: 0000000000000000 R14: 0000000000000000 R15:
> 0000000000000000
> [ 158.649159][ T8029] </TASK>
> root@test-h2-pc:~/1900/workdir/new_zero_day_crashes/4c1dceb01dec061b63593f149cf10429fa012309#
> vi out
> root@test-h2-pc:~/1900/workdir/new_zero_day_crashes/4c1dceb01dec061b63593f149cf10429fa012309#
> cat out
> [ 158.488994][ T8029] Call Trace:
> [ 158.489411][ T8029] <TASK>
> [ 158.498427][ T8029] x86_pmu_start (arch/x86/events/core.c:1516)
> [ 158.499034][ T8029] x86_pmu_enable (arch/x86/events/core.c:1331
> (discriminator 2))
> [ 158.499601][ T8029] perf_ctx_enable (kernel/events/core.c:703
> (discriminator 2))
> [ 158.500171][ T8029] ctx_resched (kernel/events/core.c:2741)
> [ 158.500733][ T8029] __perf_install_in_context (kernel/events/core.c:2807)
> [ 158.502106][ T8029] remote_function (kernel/events/core.c:92
> kernel/events/core.c:72)
> [ 158.503364][ T8029] generic_exec_single (kernel/smp.c:134 (discriminator 3)
> kernel/smp.c:404 (discriminator 3))
> [ 158.503995][ T8029] smp_call_function_single (kernel/smp.c:647)
> [ 158.510408][ T8029] task_function_call (kernel/events/core.c:122)
> [ 158.512958][ T8029] perf_install_in_context (kernel/events/core.c:2909
> (discriminator 1))
> [ 158.515717][ T8029] __do_sys_perf_event_open (kernel/events/core.c:1443
> kernel/events/core.c:12747)
> [ 158.518483][ T8029] do_syscall_64 (arch/x86/entry/common.c:52
> arch/x86/entry/common.c:83)
> [ 158.519281][ T8029] entry_SYSCALL_64_after_hwframe
> (arch/x86/entry/entry_64.S:129)
> [ 158.519991][ T8029] RIP: 0033:0x7f04a0c9cf29
> [ 158.520536][ T8029] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
> 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05
> <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48
> All code
> ========
> 0: 00 c3 add %al,%bl
> 2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
> 9: 00 00 00
> c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
> 11: 48 89 f8 mov %rdi,%rax
> 14: 48 89 f7 mov %rsi,%rdi
> 17: 48 89 d6 mov %rdx,%rsi
> 1a: 48 89 ca mov %rcx,%rdx
> 1d: 4d 89 c2 mov %r8,%r10
> 20: 4d 89 c8 mov %r9,%r8
> 23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
> 28: 0f 05 syscall
> 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
> 30: 73 01 jae 0x33
> 32: c3 ret
> 33: 48 8b 0d 37 8f 0d 00 mov 0xd8f37(%rip),%rcx # 0xd8f71
> 3a: f7 d8 neg %eax
> 3c: 64 89 01 mov %eax,%fs:(%rcx)
> 3f: 48 rex.W
> Code starting with the faulting instruction
> ===========================================
> 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
> 6: 73 01 jae 0x9
> 8: c3 ret
> 9: 48 8b 0d 37 8f 0d 00 mov 0xd8f37(%rip),%rcx # 0xd8f47
> 10: f7 d8 neg %eax
> 12: 64 89 01 mov %eax,%fs:(%rcx)
> 15: 48 rex.W
> [ 158.522837][ T8029] RSP: 002b:00007ffe5f1174b8 EFLAGS: 00000246 ORIG_RAX:
> 000000000000012a
> [ 158.523848][ T8029] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
> 00007f04a0c9cf29
> [ 158.524797][ T8029] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
> 0000000020004740
> [ 158.525738][ T8029] RBP: 00007ffe5f1174c0 R08: 0000000000000000 R09:
> 00007ffe5f1174f0
> [ 158.526717][ T8029] R10: 00000000ffffffff R11: 0000000000000246 R12:
> 00005597d067d180
> [ 158.527661][ T8029] R13: 0000000000000000 R14: 0000000000000000 R15:
> 0000000000000000
> [ 158.528611][ T8029] </TASK>
> [ 158.530059][ T8029]
> [ 158.530364][ T8029] ======================================================
> [ 158.531146][ T8029] WARNING: possible circular locking dependency detected
> [ 158.531881][ T8029] 6.7.0-g0dd3ee311255 #6 Not tainted
> [ 158.532457][ T8029] ------------------------------------------------------
> [ 158.533256][ T8029] poc/8029 is trying to acquire lock:
> [ 158.533880][ T8029] ffff88801ca53018 (&ctx->lock){....}-{2:2}, at:
> __perf_event_task_sched_out (kernel/events/core.c:3573
> kernel/events/core.c:3676)
> [ 158.535067][ T8029]
> [ 158.535067][ T8029] but task is already holding lock:
> [ 158.535925][ T8029] ffff88802d23c758 (&rq->__lock){-.-.}-{2:2}, at:
> raw_spin_rq_lock_nested (kernel/sched/core.c:574)
> [ 158.537001][ T8029]
> [ 158.537001][ T8029] which lock already depends on the new lock.
> [ 158.537001][ T8029]
> [ 158.538196][ T8029]
> [ 158.538196][ T8029] the existing dependency chain (in reverse order) is:
> [ 158.539200][ T8029]
> [ 158.539200][ T8029] -> #3 (&rq->__lock){-.-.}-{2:2}:
> [ 158.540081][ T8029] _raw_spin_lock_nested (kernel/locking/spinlock.c:379)
> [ 158.540772][ T8029] raw_spin_rq_lock_nested (kernel/sched/core.c:574)
> [ 158.541471][ T8029] task_fork_fair (kernel/sched/sched.h:1222
> kernel/sched/sched.h:1581 kernel/sched/sched.h:1664 kernel/sched/fair.c:12586)
> [ 158.542092][ T8029] sched_cgroup_fork (kernel/sched/core.c:4814)
> [ 158.542772][ T8029] copy_process (./include/linux/timekeeping.h:154
> kernel/fork.c:2619)
> [ 158.543413][ T8029] kernel_clone (./include/linux/random.h:26
> kernel/fork.c:2908)
> [ 158.544017][ T8029] user_mode_thread (kernel/fork.c:2976)
> [ 158.544648][ T8029] rest_init (init/main.c:695)
> [ 158.545223][ T8029] arch_call_rest_init+0x13/0x30
> [ 158.545874][ T8029] start_kernel (init/main.c:1023 (discriminator 1))
> [ 158.546503][ T8029] x86_64_start_reservations (arch/x86/kernel/head64.c:543)
> [ 158.547244][ T8029] x86_64_start_kernel
> (./arch/x86/include/asm/page_64.h:26 arch/x86/kernel/head64.c:326
> arch/x86/kernel/head64.c:492)
> [ 158.547901][ T8029] secondary_startup_64_no_verify
> (arch/x86/kernel/head_64.S:448)
> [ 158.548696][ T8029]
> [ 158.548696][ T8029] -> #2 (&p->pi_lock){-.-.}-{2:2}:
> [ 158.549576][ T8029] _raw_spin_lock_irqsave
> (./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
> [ 158.550281][ T8029] try_to_wake_up (kernel/sched/core.c:4049
> kernel/sched/core.c:4228)
> [ 158.550914][ T8029] up (kernel/locking/semaphore.c:192)
> [ 158.551412][ T8029] console_unlock (kernel/printk/printk.c:341
> kernel/printk/printk.c:2706 kernel/printk/printk.c:3038)
> [ 158.552055][ T8029] vga_remove_vgacon (drivers/pci/vgaarb.c:188
> drivers/pci/vgaarb.c:167)
> [ 158.552697][ T8029] aperture_remove_conflicting_pci_devices
> (drivers/video/aperture.c:331 drivers/video/aperture.c:374)
> [ 158.553573][ T8029] bochs_pci_probe (drivers/gpu/drm/tiny/bochs.c:652)
> [ 158.554202][ T8029] local_pci_probe (drivers/pci/pci-driver.c:325)
> [ 158.554857][ T8029] pci_device_probe (drivers/pci/pci-driver.c:392
> drivers/pci/pci-driver.c:417 drivers/pci/pci-driver.c:460)
> [ 158.555510][ T8029] really_probe (drivers/base/dd.c:579
> drivers/base/dd.c:658)
> [ 158.556123][ T8029] __driver_probe_device (drivers/base/dd.c:800)
> [ 158.556829][ T8029] driver_probe_device (drivers/base/dd.c:831)
> [ 158.557499][ T8029] __driver_attach (drivers/base/dd.c:1217)
> [ 158.558136][ T8029] bus_for_each_dev (drivers/base/bus.c:367)
> [ 158.558788][ T8029] bus_add_driver (drivers/base/bus.c:674)
> [ 158.559410][ T8029] driver_register (drivers/base/driver.c:247)
> [ 158.560040][ T8029] bochs_pci_driver_init (./include/drm/drm_module.h:69
> drivers/gpu/drm/tiny/bochs.c:735)
> [ 158.560701][ T8029] do_one_initcall (init/main.c:1236)
> [ 158.561337][ T8029] kernel_init_freeable (init/main.c:1297 init/main.c:1314
> init/main.c:1333 init/main.c:1551)
> [ 158.562031][ T8029] kernel_init (init/main.c:1443)
> [ 158.562638][ T8029] ret_from_fork (arch/x86/kernel/process.c:153)
> [ 158.563246][ T8029] ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
> [ 158.563890][ T8029]
> [ 158.563890][ T8029] -> #1 ((console_sem).lock){-...}-{2:2}:
> [ 158.564853][ T8029] _raw_spin_lock_irqsave
> (./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
> [ 158.565559][ T8029] down_trylock (kernel/locking/semaphore.c:140)
> [ 158.566152][ T8029] __down_trylock_console_sem (kernel/printk/printk.c:323)
> [ 158.566924][ T8029] console_trylock (kernel/printk/printk.c:2659
> kernel/printk/printk.c:2654)
> [ 158.567564][ T8029] vprintk_emit (kernel/printk/printk.c:1923
> kernel/printk/printk.c:2302)
> [ 158.568171][ T8029] vprintk (kernel/printk/printk_safe.c:45)
> [ 158.568714][ T8029] _printk (kernel/printk/printk.c:2323)
> [ 158.569258][ T8029] ex_handler_msr (arch/x86/mm/extable.c:180
> (discriminator 9))
> [ 158.569890][ T8029] fixup_exception (arch/x86/mm/extable.c:283)
> [ 158.570540][ T8029] gp_try_fixup_and_notify.constprop.0
> (arch/x86/kernel/traps.c:616)
> [ 158.571389][ T8029] exc_general_protection (arch/x86/kernel/traps.c:676
> arch/x86/kernel/traps.c:642)
> [ 158.572110][ T8029] asm_exc_general_protection
> (./arch/x86/include/asm/idtentry.h:564)
> [ 158.572839][ T8029] intel_pmu_enable_event (./arch/x86/include/asm/msr.h:94
> ./arch/x86/include/asm/msr.h:145 ./arch/x86/include/asm/msr.h:262
> arch/x86/events/intel/../perf_event.h:1166 arch/x86/events/intel/core.c:2799)
> [ 158.573546][ T8029] x86_pmu_start (arch/x86/events/core.c:1516)
> [ 158.574171][ T8029] x86_pmu_enable (arch/x86/events/core.c:1331
> (discriminator 2))
> [ 158.574815][ T8029] perf_ctx_enable (kernel/events/core.c:703
> (discriminator 2))
> [ 158.575456][ T8029] ctx_resched (kernel/events/core.c:2741)
> [ 158.576066][ T8029] __perf_install_in_context (kernel/events/core.c:2807)
> [ 158.576808][ T8029] remote_function (kernel/events/core.c:92
> kernel/events/core.c:72)
> [ 158.577436][ T8029] generic_exec_single (kernel/smp.c:134 (discriminator 3)
> kernel/smp.c:404 (discriminator 3))
> [ 158.578101][ T8029] smp_call_function_single (kernel/smp.c:647)
> [ 158.578830][ T8029] task_function_call (kernel/events/core.c:122)
> [ 158.579492][ T8029] perf_install_in_context (kernel/events/core.c:2909
> (discriminator 1))
> [ 158.580214][ T8029] __do_sys_perf_event_open (kernel/events/core.c:1443
> kernel/events/core.c:12747)
> [ 158.580959][ T8029] do_syscall_64 (arch/x86/entry/common.c:52
> arch/x86/entry/common.c:83)
> [ 158.581579][ T8029] entry_SYSCALL_64_after_hwframe
> (arch/x86/entry/entry_64.S:129)
> [ 158.582351][ T8029]
> [ 158.582351][ T8029] -> #0 (&ctx->lock){....}-{2:2}:
> [ 158.583241][ T8029] __lock_acquire (kernel/locking/lockdep.c:3135
> kernel/locking/lockdep.c:3253 kernel/locking/lockdep.c:3869
> kernel/locking/lockdep.c:5137)
> [ 158.583894][ T8029] lock_acquire (kernel/locking/lockdep.c:467
> kernel/locking/lockdep.c:5756 kernel/locking/lockdep.c:5719)
> [ 158.584526][ T8029] _raw_spin_lock (./include/linux/spinlock_api_smp.h:134
> kernel/locking/spinlock.c:154)
> [ 158.585149][ T8029] __perf_event_task_sched_out (kernel/events/core.c:3573
> kernel/events/core.c:3676)
> [ 158.585907][ T8029] __schedule (./include/linux/perf_event.h:1487
> kernel/sched/core.c:5180 kernel/sched/core.c:5323 kernel/sched/core.c:6688)
> [ 158.586497][ T8029] preempt_schedule_common
> (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238
> ./include/linux/thread_info.h:184 ./include/linux/sched.h:2263
> kernel/sched/core.c:6873)
> [ 158.587239][ T8029] preempt_schedule_thunk (arch/x86/entry/thunk_64.S:45)
> [ 158.587916][ T8029] smp_call_function_single (kernel/smp.c:652
> (discriminator 1))
> [ 158.588639][ T8029] task_function_call (kernel/events/core.c:122)
> [ 158.589292][ T8029] perf_install_in_context (kernel/events/core.c:2909
> (discriminator 1))
> [ 158.590011][ T8029] __do_sys_perf_event_open (kernel/events/core.c:1443
> kernel/events/core.c:12747)
> [ 158.590784][ T8029] do_syscall_64 (arch/x86/entry/common.c:52
> arch/x86/entry/common.c:83)
> [ 158.591396][ T8029] entry_SYSCALL_64_after_hwframe
> (arch/x86/entry/entry_64.S:129)
> [ 158.592162][ T8029]
> [ 158.592162][ T8029] other info that might help us debug this:
> [ 158.592162][ T8029]
> [ 158.593338][ T8029] Chain exists of:
> [ 158.593338][ T8029] &ctx->lock --> &p->pi_lock --> &rq->__lock
> [ 158.593338][ T8029]
> [ 158.594749][ T8029] Possible unsafe locking scenario:
> [ 158.594749][ T8029]
> [ 158.595614][ T8029] CPU0 CPU1
> [ 158.596252][ T8029] ---- ----
> [ 158.596886][ T8029] lock(&rq->__lock);
> [ 158.597394][ T8029] lock(&p->pi_lock);
> [ 158.598194][ T8029] lock(&rq->__lock);
> [ 158.598992][ T8029] lock(&ctx->lock);
> [ 158.599485][ T8029]
> [ 158.599485][ T8029] *** DEADLOCK ***
> [ 158.599485][ T8029]
> [ 158.600436][ T8029] 3 locks held by poc/8029:
> [ 158.600984][ T8029] #0: ffff8880130270a0
> (&sig->exec_update_lock){++++}-{3:3}, at: __do_sys_perf_event_open
> (kernel/events/core.c:12538)
> [ 158.602327][ T8029] #1: ffff88801ca530a8 (&ctx->mutex){+.+.}-{3:3}, at:
> __do_sys_perf_event_open (kernel/events/core.c:12563)
> [ 158.603589][ T8029] #2: ffff88802d23c758 (&rq->__lock){-.-.}-{2:2}, at:
> raw_spin_rq_lock_nested (kernel/sched/core.c:574)
> [ 158.604791][ T8029]
> [ 158.604791][ T8029] stack backtrace:
> [ 158.605497][ T8029] CPU: 0 PID: 8029 Comm: poc Not tainted
> 6.7.0-g0dd3ee311255 #6
> [ 158.606410][ T8029] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS 1.15.0-1 04/01/2014
> [ 158.607495][ T8029] Call Trace:
> [ 158.607906][ T8029] <TASK>
> [ 158.608265][ T8029] dump_stack_lvl (lib/dump_stack.c:107)
> [ 158.608830][ T8029] check_noncircular (kernel/locking/lockdep.c:2187)
> [ 158.612990][ T8029] __lock_acquire (kernel/locking/lockdep.c:3135
> kernel/locking/lockdep.c:3253 kernel/locking/lockdep.c:3869
> kernel/locking/lockdep.c:5137)
> [ 158.614337][ T8029] lock_acquire (kernel/locking/lockdep.c:467
> kernel/locking/lockdep.c:5756 kernel/locking/lockdep.c:5719)
> [ 158.618163][ T8029] _raw_spin_lock (./include/linux/spinlock_api_smp.h:134
> kernel/locking/spinlock.c:154)
> [ 158.619483][ T8029] __perf_event_task_sched_out (kernel/events/core.c:3573
> kernel/events/core.c:3676)
> [ 158.621454][ T8029] __schedule (./include/linux/perf_event.h:1487
> kernel/sched/core.c:5180 kernel/sched/core.c:5323 kernel/sched/core.c:6688)
> [ 158.625012][ T8029] preempt_schedule_common
> (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238
> ./include/linux/thread_info.h:184 ./include/linux/sched.h:2263
> kernel/sched/core.c:6873)
> [ 158.625654][ T8029] preempt_schedule_thunk (arch/x86/entry/thunk_64.S:45)
> [ 158.627659][ T8029] smp_call_function_single (kernel/smp.c:652
> (discriminator 1))
> [ 158.633418][ T8029] task_function_call (kernel/events/core.c:122)
> [ 158.635669][ T8029] perf_install_in_context (kernel/events/core.c:2909
> (discriminator 1))
> [ 158.638010][ T8029] __do_sys_perf_event_open (kernel/events/core.c:1443
> kernel/events/core.c:12747)
> [ 158.640419][ T8029] do_syscall_64 (arch/x86/entry/common.c:52
> arch/x86/entry/common.c:83)
> [ 158.640903][ T8029] entry_SYSCALL_64_after_hwframe
> (arch/x86/entry/entry_64.S:129)
> [ 158.641502][ T8029] RIP: 0033:0x7f04a0c9cf29
> [ 158.641956][ T8029] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
> 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05
> <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 37 8f 0d 00 f7 d8 64 89 01 48
> All code
> ========
> 0: 00 c3 add %al,%bl
> 2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
> 9: 00 00 00
> c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
> 11: 48 89 f8 mov %rdi,%rax
> 14: 48 89 f7 mov %rsi,%rdi
> 17: 48 89 d6 mov %rdx,%rsi
> 1a: 48 89 ca mov %rcx,%rdx
> 1d: 4d 89 c2 mov %r8,%r10
> 20: 4d 89 c8 mov %r9,%r8
> 23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
> 28: 0f 05 syscall
> 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
> 30: 73 01 jae 0x33
> 32: c3 ret
> 33: 48 8b 0d 37 8f 0d 00 mov 0xd8f37(%rip),%rcx # 0xd8f71
> 3a: f7 d8 neg %eax
> 3c: 64 89 01 mov %eax,%fs:(%rcx)
> 3f: 48 rex.W
> Code starting with the faulting instruction
> ===========================================
> 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
> 6: 73 01 jae 0x9
> 8: c3 ret
> 9: 48 8b 0d 37 8f 0d 00 mov 0xd8f37(%rip),%rcx # 0xd8f47
> 10: f7 d8 neg %eax
> 12: 64 89 01 mov %eax,%fs:(%rcx)
> 15: 48 rex.W
> [ 158.644020][ T8029] RSP: 002b:00007ffe5f1174b8 EFLAGS: 00000246 ORIG_RAX:
> 000000000000012a
> [ 158.644916][ T8029] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
> 00007f04a0c9cf29
> [ 158.645760][ T8029] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
> 0000000020004740
> [ 158.646592][ T8029] RBP: 00007ffe5f1174c0 R08: 0000000000000000 R09:
> 00007ffe5f1174f0
> [ 158.647474][ T8029] R10: 00000000ffffffff R11: 0000000000000246 R12:
> 00005597d067d180
> [ 158.648341][ T8029] R13: 0000000000000000 R14: 0000000000000000 R15:
> 0000000000000000
> [ 158.649159][ T8029] </TASK>
> 3. Attachment description: Attached to the email were a POC file of the
> vulnerability and a configuration of my Linux kernel.
> Thank you for taking the time to read this email and we look forward to
> working with you further.
> Ubisectech Sirius Team
> Web: www.ubisectech.com
> Email: [email protected]
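A triage helper for the lockdep report quoted above, added here as an example; it is not code from this thread, from the reporter or from the kernel. It parses the `-> #N (lock)` entries of the "existing dependency chain", the "is trying to acquire lock" / "but task is already holding lock" header, and the "Chain exists of:" summary, rebuilds the held-before-acquired graph, and confirms that the new acquisition closes a cycle. The sample input is constructed from the quoted report's own lines, trimmed to the ones that carry lock-order information; the function names and the edge orientation convention (entry #k was taken while entry #k-1 was held, so the printed reverse order reads #3, #2, #1, #0) are this example's assumptions, checked against the call traces in the report rather than taken from kernel documentation.

```python
"""Rebuild and verify the lock-order cycle claimed by a lockdep
'possible circular locking dependency' report."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the lock-order lines of the report quoted above, with
# the kernel log prefix kept exactly as printed.
SAMPLE_REPORT = """\
[ 158.531146][ T8029] WARNING: possible circular locking dependency detected
[ 158.531881][ T8029] 6.7.0-g0dd3ee311255 #6 Not tainted
[ 158.533256][ T8029] poc/8029 is trying to acquire lock:
[ 158.533880][ T8029] ffff88801ca53018 (&ctx->lock){....}-{2:2}, at: __perf_event_task_sched_out
[ 158.535067][ T8029] but task is already holding lock:
[ 158.535925][ T8029] ffff88802d23c758 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested
[ 158.538196][ T8029] the existing dependency chain (in reverse order) is:
[ 158.539200][ T8029] -> #3 (&rq->__lock){-.-.}-{2:2}:
[ 158.540081][ T8029] _raw_spin_lock_nested (kernel/locking/spinlock.c:379)
[ 158.548696][ T8029] -> #2 (&p->pi_lock){-.-.}-{2:2}:
[ 158.549576][ T8029] _raw_spin_lock_irqsave
[ 158.563890][ T8029] -> #1 ((console_sem).lock){-...}-{2:2}:
[ 158.564853][ T8029] _raw_spin_lock_irqsave
[ 158.582351][ T8029] -> #0 (&ctx->lock){....}-{2:2}:
[ 158.583241][ T8029] __lock_acquire (kernel/locking/lockdep.c:3135
[ 158.593338][ T8029] Chain exists of:
[ 158.593338][ T8029] &ctx->lock --> &p->pi_lock --> &rq->__lock
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")   # "[ 158.5...][ T8029] "
CHAIN_ENTRY = re.compile(r"-> #(\d+) \((.+?)\)\{")      # "-> #2 (&p->pi_lock){"
LOCK_INSTANCE = re.compile(r"^[0-9a-f]+ \((.+?)\)\{")   # "ffff... (&ctx->lock){"


def strip_prefix(line: str) -> str:
    return PREFIX.sub("", line).rstrip()


def parse_report(text: str) -> Tuple[Optional[str], Optional[str],
                                     List[Tuple[int, str]], Optional[List[str]]]:
    """Return (lock being acquired, lock already held, [(index, class)] in
    printed order, 'Chain exists of' classes or None)."""
    acquiring = holding = None
    entries: List[Tuple[int, str]] = []
    stated = None
    lines = [strip_prefix(l) for l in text.splitlines()]
    for i, line in enumerate(lines):
        if line.endswith("is trying to acquire lock:"):
            m = LOCK_INSTANCE.match(lines[i + 1])
            acquiring = m.group(1) if m else None
        elif line.endswith("but task is already holding lock:"):
            m = LOCK_INSTANCE.match(lines[i + 1])
            holding = m.group(1) if m else None
        elif line == "Chain exists of:":
            stated = [s.strip() for s in lines[i + 1].split("-->")]
        else:
            m = CHAIN_ENTRY.match(line)
            if m:
                entries.append((int(m.group(1)), m.group(2)))
    return acquiring, holding, entries, stated


def build_edges(acquiring: str, holding: str,
                entries: List[Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Edges mean 'left was held when right was taken'. Assumed convention:
    entry #k was taken while #(k-1) was held, and the new acquisition
    (holding -> acquiring) is the edge that closes the ring."""
    ordered = [cls for _, cls in sorted(entries)]     # #0, #1, #2, #3
    edges = list(zip(ordered, ordered[1:]))
    edges.append((holding, acquiring))
    return edges


def find_cycle(edges: List[Tuple[str, str]], start: str) -> Optional[List[str]]:
    """Depth-first search; returns the cycle through `start` or None."""
    graph: Dict[str, List[str]] = {}
    for a, b in edges:
        graph.setdefault(a, []).append(b)
    path = [start]

    def dfs(node: str) -> Optional[List[str]]:
        for nxt in graph.get(node, []):
            if nxt == start:
                return path + [start]
            if nxt not in path:
                path.append(nxt)
                found = dfs(nxt)
                if found:
                    return found
                path.pop()
        return None

    return dfs(start)


def reachable(edges: List[Tuple[str, str]], src: str, dst: str) -> bool:
    """True if dst is reachable from src (lockdep's summary chain may skip
    intermediate classes such as (console_sem).lock)."""
    seen, frontier = set(), [src]
    while frontier:
        node = frontier.pop()
        if node == dst:
            return True
        if node in seen:
            continue
        seen.add(node)
        frontier.extend(b for a, b in edges if a == node)
    return False


def analyze(text: str) -> dict:
    acquiring, holding, entries, stated = parse_report(text)
    if not (acquiring and holding and entries):
        return {"cycle": None, "stated_chain_consistent": False}
    edges = build_edges(acquiring, holding, entries)
    cycle = find_cycle(edges, acquiring)
    consistent = bool(stated) and all(
        reachable(edges, a, b) for a, b in zip(stated, stated[1:]))
    return {"edges": edges, "cycle": cycle,
            "stated_chain_consistent": consistent}


if __name__ == "__main__":
    result = analyze(SAMPLE_REPORT)
    print(" -> ".join(result["cycle"]))
    print("summary chain consistent:", result["stated_chain_consistent"])
```

Running it on the sample prints the four-lock ring `&ctx->lock -> (console_sem).lock -> &p->pi_lock -> &rq->__lock -> &ctx->lock`, which is the longer form of the `&ctx->lock --> &p->pi_lock --> &rq->__lock` summary in the report: the printk from `ex_handler_msr` under `__perf_install_in_context` is the link that puts `(console_sem).lock` between the perf context lock and the scheduler locks. Feeding the helper a report whose header or chain entries are missing makes `analyze` return no cycle rather than guessing.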

