[Bug 1186724] New: "kernel tried to execute NX-protected page" while deleting bluetooth HCI
https://bugzilla.suse.com/show_bug.cgi?id=1186724

Bug ID: 1186724
Summary: "kernel tried to execute NX-protected page" while deleting bluetooth HCI
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: martin.wilck@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

DISCLAIMER: This was a one-time event, I can't tell whether it's reproducible.

kernel 5.3.18-lp152.66-default

# What was happening

I am not exactly sure what happened at the time, but I have an educated guess. "artemis" is my private laptop which shares keyboard/video/mouse with my work laptop ("apollon") with the "barrier" KVM software. Typically at this time of the day (20:50) I get back to work, and unlock the screen saver on "apollon" ("artemis" screen is usually not locked because the barrier server disables locking). There was no activity until the following messages, which makes it likely that that happened also on the day in question (April 1st, 2021).
[362024.111857] artemis.mittagstun.de barriers[5693]: [2021-04-01T20:51:45] INFO: switch from "artemis" to "apollon" at 0,1348
[362024.416997] artemis.mittagstun.de barriers[5693]: [2021-04-01T20:51:46] INFO: switch from "apollon" to "artemis" at 3541,1486
[362035.435054] artemis.mittagstun.de systemd[4983]: Started Application launched by gnome-shell.
A bit later a monitor wakes up, all looks fine
[362035.949269] artemis.mittagstun.de /usr/lib/gdm/gdm-x-session[5011]: (II) modeset(0): EDID vendor "DEL", prod id 41116
[362035.949737] artemis.mittagstun.de /usr/lib/gdm/gdm-x-session[5011]: (II) modeset(0): Using hsync ranges from config file
...
[362035.951463] artemis.mittagstun.de /usr/lib/gdm/gdm-x-session[5011]: (II) modeset(0): Modeline "1600x900"x60.0 119.00 1600 1696 1864 2128 900 901 904 932 -hsync +>
I'm positive that the system was NOT waking up from a sleep state. Wrt bluetooth, there had been some error messages ~4h earlier, nothing alarming:
[344671.880598] artemis.mittagstun.de bluetoothd[1319]: Unable to get Headset Voice gateway SDP record: Device or resource busy
[344671.921654] artemis.mittagstun.de bluetoothd[1319]: connect error: Device or resource busy (16)
[348731.893932] artemis.mittagstun.de bluetoothd[1319]: Unable to get io data for Headset Voice gateway: getpeername: Transport endpoint is not connected (107)
[353527.936713] artemis.mittagstun.de bluetoothd[1319]: Unable to get io data for Headset Voice gateway: getpeername: Transport endpoint is not connected (107)
# "sysfs: cannot create duplicate filename"

15s later, we see the issue unfolding with an issue related to registering the bluetooth HCI in sysfs:
[362050.118483] artemis.mittagstun.de kernel: sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:14.0/usb1/1-7/1-7:1.0/bluetooth/hci0/hci0:256'
[362050.118488] artemis.mittagstun.de kernel: CPU: 0 PID: 2888 Comm: kworker/u17:1 Not tainted 5.3.18-lp152.66-default #1 openSUSE Leap 15.2
[362050.118489] artemis.mittagstun.de kernel: Hardware name: FUJITSU LIFEBOOK S904/FJNB272, BIOS Version 1.20 07/25/2014
[362050.118515] artemis.mittagstun.de kernel: Workqueue: hci0 hci_rx_work [bluetooth]
[362050.118517] artemis.mittagstun.de kernel: Call Trace:
[362050.118524] artemis.mittagstun.de kernel: dump_stack+0x66/0x8b
[362050.118529] artemis.mittagstun.de kernel: sysfs_warn_dup+0x56/0x70
[362050.118531] artemis.mittagstun.de kernel: sysfs_create_dir_ns+0xc9/0xe0
[362050.118535] artemis.mittagstun.de kernel: kobject_add_internal+0xad/0x2c0
[362050.118538] artemis.mittagstun.de kernel: kobject_add+0x71/0xd0
[362050.118541] artemis.mittagstun.de kernel: ? kobject_set_name_vargs+0x6f/0x90
[362050.118544] artemis.mittagstun.de kernel: device_add+0x11e/0x630
[362050.118568] artemis.mittagstun.de kernel: hci_conn_add_sysfs+0x43/0xb0 [bluetooth]
[362050.118586] artemis.mittagstun.de kernel: hci_event_packet+0x15a8/0x2c50 [bluetooth]
[362050.118590] artemis.mittagstun.de kernel: ? __switch_to_asm+0x34/0x70
[362050.118592] artemis.mittagstun.de kernel: ? __switch_to_asm+0x40/0x70
[362050.118594] artemis.mittagstun.de kernel: ? __switch_to_asm+0x34/0x70
[362050.118596] artemis.mittagstun.de kernel: ? __switch_to_asm+0x40/0x70
[362050.118598] artemis.mittagstun.de kernel: ? __switch_to_asm+0x34/0x70
[362050.118611] artemis.mittagstun.de kernel: ? hci_rx_work+0x189/0x350 [bluetooth]
[362050.118624] artemis.mittagstun.de kernel: hci_rx_work+0x189/0x350 [bluetooth]
[362050.118629] artemis.mittagstun.de kernel: process_one_work+0x1f4/0x3e0
[362050.118632] artemis.mittagstun.de kernel: worker_thread+0x2d/0x3e0
[362050.118635] artemis.mittagstun.de kernel: ? process_one_work+0x3e0/0x3e0
[362050.118636] artemis.mittagstun.de kernel: kthread+0x10d/0x130
[362050.118639] artemis.mittagstun.de kernel: ? kthread_park+0xa0/0xa0
[362050.118641] artemis.mittagstun.de kernel: ret_from_fork+0x35/0x40
[362050.118645] artemis.mittagstun.de kernel: kobject_add_internal failed for hci0:256 with -EEXIST, don't try to register things with the same name in the same directo>
[362050.118647] artemis.mittagstun.de kernel: Bluetooth: hci0: failed to register connection device
[362054.923495] artemis.mittagstun.de kernel: Bluetooth: hci0: failed to disable LE scan: status 0x0c
# "kernel tried to execute NX-protected page - exploit attempt?"

The real problem starts now, as the bluetooth subsystem is trying to reset the HCI. 1501 is my user ID.
[362065.479497] artemis.mittagstun.de kernel: Bluetooth: hci0: HCI reset during shutdown failed
[362065.479588] artemis.mittagstun.de kernel: kernel tried to execute NX-protected page - exploit attempt? (uid: 1501)
[362065.479605] artemis.mittagstun.de kernel: BUG: unable to handle page fault for address: ffff9267aa8d7158
[362065.479614] artemis.mittagstun.de kernel: #PF: supervisor instruction fetch in kernel mode
[362065.479623] artemis.mittagstun.de kernel: #PF: error_code(0x0011) - permissions violation
[362065.479631] artemis.mittagstun.de kernel: PGD 25fa01067 P4D 25fa01067 PUD 107562063 PMD 136c27063 PTE 800000012a8d7063
[362065.479645] artemis.mittagstun.de kernel: Oops: 0011 [#1] SMP PTI
[362065.479655] artemis.mittagstun.de kernel: CPU: 1 PID: 5548 Comm: gsd-rfkill Not tainted 5.3.18-lp152.66-default #1 openSUSE Leap 15.2
[362065.479664] artemis.mittagstun.de kernel: Hardware name: FUJITSU LIFEBOOK S904/FJNB272, BIOS Version 1.20 07/25/2014
[362065.479675] artemis.mittagstun.de kernel: RIP: 0010:0xffff9267aa8d7158
[362065.479684] artemis.mittagstun.de kernel: Code: 00 00 00 01 00 00 00 00 00 00 58 71 8d aa 67 92 ff ff 38 00 00 00 05 00 00 00 90 71 8d aa 67 92 ff ff 60 00 00 00 06>
[362065.479696] artemis.mittagstun.de kernel: RSP: 0018:ffffad3d8217fd18 EFLAGS: 00010282
[362065.479705] artemis.mittagstun.de kernel: RAX: ffff9267aa8d7158 RBX: ffff92698d5038d0 RCX: 00000000801e0014
[362065.479713] artemis.mittagstun.de kernel: RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9267b6e4c228
[362065.479721] artemis.mittagstun.de kernel: RBP: ffff92698d503950 R08: 0000000000000000 R09: 0000000000000001
[362065.479730] artemis.mittagstun.de kernel: R10: 0000000000000001 R11: ffff926787c53300 R12: ffff9267aab8ea68
[362065.479738] artemis.mittagstun.de kernel: R13: ffffffffc0cf4020 R14: ffff92698d504af0 R15: ffffffffc0cf4040
[362065.479747] artemis.mittagstun.de kernel: FS: 00007f228ecb9880(0000) GS:ffff926992040000(0000) knlGS:0000000000000000
[362065.479756] artemis.mittagstun.de kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[362065.479763] artemis.mittagstun.de kernel: CR2: ffff9267aa8d7158 CR3: 00000002a7ba8002 CR4: 00000000001606e0
[362065.479771] artemis.mittagstun.de kernel: Call Trace:
[362065.479784] artemis.mittagstun.de kernel: ? device_del+0x97/0x3a0
[362065.479796] artemis.mittagstun.de kernel: ? hid_destroy_device+0x22/0x60
[362065.479807] artemis.mittagstun.de kernel: ? hidp_session_remove+0x48/0xb0 [hidp]
[362065.479848] artemis.mittagstun.de kernel: ? l2cap_conn_del+0x9d/0x200 [bluetooth]
[362065.479878] artemis.mittagstun.de kernel: ? new_settings+0x4e/0x70 [bluetooth]
[362065.479906] artemis.mittagstun.de kernel: ? hci_conn_hash_flush+0x73/0xe0 [bluetooth]
[362065.479932] artemis.mittagstun.de kernel: ? hci_dev_do_close+0x1f5/0x510 [bluetooth]
[362065.479959] artemis.mittagstun.de kernel: ? hci_rfkill_set_block+0x4a/0x90 [bluetooth]
[362065.479971] artemis.mittagstun.de kernel: ? rfkill_set_block+0x93/0x150 [rfkill]
[362065.479981] artemis.mittagstun.de kernel: ? rfkill_fop_write+0xef/0x1d0 [rfkill]
[362065.479991] artemis.mittagstun.de kernel: ? vfs_write+0xad/0x1b0
[362065.479999] artemis.mittagstun.de kernel: ? ksys_write+0x50/0xe0
[362065.480008] artemis.mittagstun.de kernel: ? __x64_sys_poll+0x37/0x130
[362065.480018] artemis.mittagstun.de kernel: ? do_syscall_64+0x65/0x1f0
[362065.480027] artemis.mittagstun.de kernel: ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[362065.480035] artemis.mittagstun.de kernel: Modules linked in: uinput uas usb_storage binfmt_misc cp210x loop mmc_block nfsv3 nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv>
[362065.480095] artemis.mittagstun.de kernel: mac80211 btbcm btintel kvm hid_generic snd_hda_codec_realtek bluetooth irqbypass libarc4 snd_hda_codec_generic ledtrig_au>
[362065.480226] artemis.mittagstun.de kernel: CR2: ffff9267aa8d7158
[362065.480235] artemis.mittagstun.de kernel: ---[ end trace cbb6cb70eba67992 ]---
The register dump is repeated. After this, I see XFS log messages which hint at data corruption. This will be described in another bug.
[362090.001636] artemis.mittagstun.de kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[362091.622962] artemis.mittagstun.de kernel: XFS (dm-0): xlog_space_left: head behind tail
[362091.622973] artemis.mittagstun.de kernel: XFS (dm-0): tail_cycle = 2348, tail_bytes = 1957888
[362091.622978] artemis.mittagstun.de kernel: XFS (dm-0): GH cycle = 2348, GH bytes = 1933664
[362091.622982] artemis.mittagstun.de kernel: XFS (dm-0): xlog_space_left: head behind tail
[362091.622987] artemis.mittagstun.de kernel: XFS (dm-0): tail_cycle = 2348, tail_bytes = 1957888
[362091.622991] artemis.mittagstun.de kernel: XFS (dm-0): GH cycle = 2348, GH bytes = 1933664
[362091.623082] artemis.mittagstun.de kernel: XFS (dm-0): xlog_space_left: head behind tail
-- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1186724#c1
--- Comment #1 from Martin Wilck
https://bugzilla.suse.com/show_bug.cgi?id=1186724#c2
--- Comment #2 from Martin Wilck
https://bugzilla.suse.com/show_bug.cgi?id=1186724#c3
--- Comment #3 from Marcus Meissner
https://bugzilla.suse.com/show_bug.cgi?id=1186724#c4
--- Comment #4 from Martin Wilck
> might be a security bug? ;)

I was not trying to hack my own laptop :-)

Overlooking your irony tag, it looks like a use-after-free.

device_del
  klist_del(n)
    klist_put(n)
      knode_klist(n)->put(n) (called via __x86_indirect_thunk_rax())

and the put() address (also in rax!) has wrong page permissions.
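As an added triage example (editor's code, not part of the bug report or of any comment in this thread), the following Python applies the reasoning of comment #4 to the register dump above: it classifies RIP by kernel address region, finds which register supplied the jump target, and decodes the `Code:` bytes at RIP as 64-bit words to see whether they are pointers rather than instructions. The address ranges come from the kernel's x86-64 memory-map documentation and assume 4-level paging; the sample oops text is constructed from the lines quoted in this report.

```python
import re
import struct

# Constructed sample: the register lines of the oops in this report, with the
# Code: line cut where the report truncates it.
OOPS = """\
RIP: 0010:0xffff9267aa8d7158
Code: 00 00 00 01 00 00 00 00 00 00 58 71 8d aa 67 92 ff ff 38 00 00 00 05 00 00 00 90 71 8d aa 67 92 ff ff 60 00 00 00 06
RAX: ffff9267aa8d7158 RBX: ffff92698d5038d0 RCX: 00000000801e0014
CR2: ffff9267aa8d7158 CR3: 00000002a7ba8002 CR4: 00000000001606e0
"""

# x86-64 4-level layout (Documentation/x86/x86_64/mm.rst): direct map of all
# physical memory, and the window holding vmlinux text plus loaded modules.
DIRECT_MAP = (0xffff888000000000, 0xffffc87fffffffff)
TEXT_AND_MODULES = (0xffffffff80000000, 0xfffffffffeffffff)

def region(addr):
    """Name the kernel address region an address falls into."""
    if DIRECT_MAP[0] <= addr <= DIRECT_MAP[1]:
        return "direct-map"      # slab/page data; never legitimately executed
    if TEXT_AND_MODULES[0] <= addr <= TEXT_AND_MODULES[1]:
        return "text/modules"    # where RIP belongs on a healthy kernel
    return "other"

def parse_regs(oops):
    """Return {name: value} for every 16-digit register field in the dump."""
    pat = r"\b([A-Z][A-Z0-9]{1,2}): (?:0010:0x)?([0-9a-f]{16})\b"
    return {name: int(val, 16) for name, val in re.findall(pat, oops)}

def pointer_words(oops):
    """Decode the Code: bytes as little-endian 64-bit words at every byte
    offset and keep those that fall in the direct map: data, not code."""
    hexbytes = re.search(r"Code: (.*)", oops).group(1).split()
    raw = bytes(int(t.strip("<>"), 16) for t in hexbytes)  # <xx> marks RIP
    words = (struct.unpack_from("<Q", raw, i)[0] for i in range(len(raw) - 7))
    return [(i, w) for i, w in enumerate(words) if region(w) == "direct-map"]

def triage(oops):
    regs = parse_regs(oops)
    rip = regs["RIP"]
    words = pointer_words(oops)
    return {
        "rip_region": region(rip),
        # registers equal to RIP: the jump target was loaded from one of them
        "rip_from_register": [r for r, v in regs.items() if v == rip and r not in ("RIP", "CR2")],
        "rip_is_fault_addr": regs.get("CR2") == rip,
        # the object at RIP holds a pointer to itself, as an embedded list node would
        "self_pointer_in_code": any(w == rip for _, w in words),
        "pointer_words": [(i, hex(w)) for i, w in words],
    }
```

On this dump the result is RIP in the direct map, loaded from RAX, equal to CR2, with the dumped bytes decoding to two direct-map pointers (one of them RIP itself): an indirect call through a function pointer read from freed or reused slab memory, which is what the "NX-protected page" message reports here rather than an exploit.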
https://bugzilla.suse.com/show_bug.cgi?id=1186724#c5
--- Comment #5 from Takashi Iwai
https://bugzilla.suse.com/show_bug.cgi?id=1186724#c6
--- Comment #6 from Martin Wilck
https://bugzilla.suse.com/show_bug.cgi?id=1186724#c7
--- Comment #7 from Martin Wilck