Bug ID 1186724
Summary "kernel tried to execute NX-protected page" while deleting bluetooth HCI
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Kernel
Assignee kernel-bugs@opensuse.org
Reporter martin.wilck@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

DISCLAIMER: This was a one-time event, I can't tell whether it's reproducible.

kernel 5.3.18-lp152.66-default

# What was happening

I am not exactly sure what happened at the time, but I have an educated
guess.

"artemis" is my private laptop which shares keyboard/video/mouse with my work
laptop ("apollon") with the "barrier" KVM software. Typically at this time
of the day (20:50) I get back to work, and unlock the screen saver on "apollon"
("artemis" screen is usually not locked because the barrier server disables
locking). There was no activity until the following messages, which makes it
likely that that happened also on the day in question (April 1st, 2021).

> [362024.111857] artemis.mittagstun.de barriers[5693]: [2021-04-01T20:51:45] INFO: switch from "artemis" to "apollon" at 0,1348
> [362024.416997] artemis.mittagstun.de barriers[5693]: [2021-04-01T20:51:46] INFO: switch from "apollon" to "artemis" at 3541,1486
> [362035.435054] artemis.mittagstun.de systemd[4983]: Started Application launched by gnome-shell.

A bit later a monitor wakes up, all looks fine

> [362035.949269] artemis.mittagstun.de /usr/lib/gdm/gdm-x-session[5011]: (II) modeset(0): EDID vendor "DEL", prod id 41116
> [362035.949737] artemis.mittagstun.de /usr/lib/gdm/gdm-x-session[5011]: (II) modeset(0): Using hsync ranges from config file
> ...
> [362035.951463] artemis.mittagstun.de /usr/lib/gdm/gdm-x-session[5011]: (II) modeset(0): Modeline "1600x900"x60.0  119.00  1600 1696 1864 2128  900 901 904 932 -hsync +>

I'm positive that the system was NOT waking up from a sleep state.

Wrt bluetooth, there had been some error messages ~4h earlier, nothing
alarming:

> [344671.880598] artemis.mittagstun.de bluetoothd[1319]: Unable to get Headset Voice gateway SDP record: Device or resource busy
> [344671.921654] artemis.mittagstun.de bluetoothd[1319]: connect error: Device or resource busy (16)
> [348731.893932] artemis.mittagstun.de bluetoothd[1319]: Unable to get io data for Headset Voice gateway: getpeername: Transport endpoint is not connected (107)
> [353527.936713] artemis.mittagstun.de bluetoothd[1319]: Unable to get io data for Headset Voice gateway: getpeername: Transport endpoint is not connected (107)

# "sysfs: cannot create duplicate filename"

15s later, we see the issue unfolding with an issue related to registering the
bluetooth HCI in sysfs:

> [362050.118483] artemis.mittagstun.de kernel: sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:14.0/usb1/1-7/1-7:1.0/bluetooth/hci0/hci0:256'
> [362050.118488] artemis.mittagstun.de kernel: CPU: 0 PID: 2888 Comm: kworker/u17:1 Not tainted 5.3.18-lp152.66-default #1 openSUSE Leap 15.2
> [362050.118489] artemis.mittagstun.de kernel: Hardware name: FUJITSU LIFEBOOK S904/FJNB272, BIOS Version 1.20 07/25/2014
> [362050.118515] artemis.mittagstun.de kernel: Workqueue: hci0 hci_rx_work [bluetooth]
> [362050.118517] artemis.mittagstun.de kernel: Call Trace:
> [362050.118524] artemis.mittagstun.de kernel:  dump_stack+0x66/0x8b
> [362050.118529] artemis.mittagstun.de kernel:  sysfs_warn_dup+0x56/0x70
> [362050.118531] artemis.mittagstun.de kernel:  sysfs_create_dir_ns+0xc9/0xe0
> [362050.118535] artemis.mittagstun.de kernel:  kobject_add_internal+0xad/0x2c0
> [362050.118538] artemis.mittagstun.de kernel:  kobject_add+0x71/0xd0
> [362050.118541] artemis.mittagstun.de kernel:  ? kobject_set_name_vargs+0x6f/0x90
> [362050.118544] artemis.mittagstun.de kernel:  device_add+0x11e/0x630
> [362050.118568] artemis.mittagstun.de kernel:  hci_conn_add_sysfs+0x43/0xb0 [bluetooth]
> [362050.118586] artemis.mittagstun.de kernel:  hci_event_packet+0x15a8/0x2c50 [bluetooth]
> [362050.118590] artemis.mittagstun.de kernel:  ? __switch_to_asm+0x34/0x70
> [362050.118592] artemis.mittagstun.de kernel:  ? __switch_to_asm+0x40/0x70
> [362050.118594] artemis.mittagstun.de kernel:  ? __switch_to_asm+0x34/0x70
> [362050.118596] artemis.mittagstun.de kernel:  ? __switch_to_asm+0x40/0x70
> [362050.118598] artemis.mittagstun.de kernel:  ? __switch_to_asm+0x34/0x70
> [362050.118611] artemis.mittagstun.de kernel:  ? hci_rx_work+0x189/0x350 [bluetooth]
> [362050.118624] artemis.mittagstun.de kernel:  hci_rx_work+0x189/0x350 [bluetooth]
> [362050.118629] artemis.mittagstun.de kernel:  process_one_work+0x1f4/0x3e0
> [362050.118632] artemis.mittagstun.de kernel:  worker_thread+0x2d/0x3e0
> [362050.118635] artemis.mittagstun.de kernel:  ? process_one_work+0x3e0/0x3e0
> [362050.118636] artemis.mittagstun.de kernel:  kthread+0x10d/0x130
> [362050.118639] artemis.mittagstun.de kernel:  ? kthread_park+0xa0/0xa0
> [362050.118641] artemis.mittagstun.de kernel:  ret_from_fork+0x35/0x40
> [362050.118645] artemis.mittagstun.de kernel: kobject_add_internal failed for hci0:256 with -EEXIST, don't try to register things with the same name in the same directo>
> [362050.118647] artemis.mittagstun.de kernel: Bluetooth: hci0: failed to register connection device
> [362054.923495] artemis.mittagstun.de kernel: Bluetooth: hci0: failed to disable LE scan: status 0x0c

# "kernel tried to execute NX-protected page - exploit attempt?"

The real problem starts now, as the bluetooth subsystem is trying to reset the
HCI. 1501 is my user ID.

> [362065.479497] artemis.mittagstun.de kernel: Bluetooth: hci0: HCI reset during shutdown failed
> [362065.479588] artemis.mittagstun.de kernel: kernel tried to execute NX-protected page - exploit attempt? (uid: 1501)
> [362065.479605] artemis.mittagstun.de kernel: BUG: unable to handle page fault for address: ffff9267aa8d7158
> [362065.479614] artemis.mittagstun.de kernel: #PF: supervisor instruction fetch in kernel mode
> [362065.479623] artemis.mittagstun.de kernel: #PF: error_code(0x0011) - permissions violation
> [362065.479631] artemis.mittagstun.de kernel: PGD 25fa01067 P4D 25fa01067 PUD 107562063 PMD 136c27063 PTE 800000012a8d7063
> [362065.479645] artemis.mittagstun.de kernel: Oops: 0011 [#1] SMP PTI
> [362065.479655] artemis.mittagstun.de kernel: CPU: 1 PID: 5548 Comm: gsd-rfkill Not tainted 5.3.18-lp152.66-default #1 openSUSE Leap 15.2
> [362065.479664] artemis.mittagstun.de kernel: Hardware name: FUJITSU LIFEBOOK S904/FJNB272, BIOS Version 1.20 07/25/2014
> [362065.479675] artemis.mittagstun.de kernel: RIP: 0010:0xffff9267aa8d7158
> [362065.479684] artemis.mittagstun.de kernel: Code: 00 00 00 01 00 00 00 00 00 00 58 71 8d aa 67 92 ff ff 38 00 00 00 05 00 00 00 90 71 8d aa 67 92 ff ff 60 00 00 00 06>
> [362065.479696] artemis.mittagstun.de kernel: RSP: 0018:ffffad3d8217fd18 EFLAGS: 00010282
> [362065.479705] artemis.mittagstun.de kernel: RAX: ffff9267aa8d7158 RBX: ffff92698d5038d0 RCX: 00000000801e0014
> [362065.479713] artemis.mittagstun.de kernel: RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9267b6e4c228
> [362065.479721] artemis.mittagstun.de kernel: RBP: ffff92698d503950 R08: 0000000000000000 R09: 0000000000000001
> [362065.479730] artemis.mittagstun.de kernel: R10: 0000000000000001 R11: ffff926787c53300 R12: ffff9267aab8ea68
> [362065.479738] artemis.mittagstun.de kernel: R13: ffffffffc0cf4020 R14: ffff92698d504af0 R15: ffffffffc0cf4040
> [362065.479747] artemis.mittagstun.de kernel: FS:  00007f228ecb9880(0000) GS:ffff926992040000(0000) knlGS:0000000000000000
> [362065.479756] artemis.mittagstun.de kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [362065.479763] artemis.mittagstun.de kernel: CR2: ffff9267aa8d7158 CR3: 00000002a7ba8002 CR4: 00000000001606e0
> [362065.479771] artemis.mittagstun.de kernel: Call Trace:
> [362065.479784] artemis.mittagstun.de kernel:  ? device_del+0x97/0x3a0
> [362065.479796] artemis.mittagstun.de kernel:  ? hid_destroy_device+0x22/0x60
> [362065.479807] artemis.mittagstun.de kernel:  ? hidp_session_remove+0x48/0xb0 [hidp]
> [362065.479848] artemis.mittagstun.de kernel:  ? l2cap_conn_del+0x9d/0x200 [bluetooth]
> [362065.479878] artemis.mittagstun.de kernel:  ? new_settings+0x4e/0x70 [bluetooth]
> [362065.479906] artemis.mittagstun.de kernel:  ? hci_conn_hash_flush+0x73/0xe0 [bluetooth]
> [362065.479932] artemis.mittagstun.de kernel:  ? hci_dev_do_close+0x1f5/0x510 [bluetooth]
> [362065.479959] artemis.mittagstun.de kernel:  ? hci_rfkill_set_block+0x4a/0x90 [bluetooth]
> [362065.479971] artemis.mittagstun.de kernel:  ? rfkill_set_block+0x93/0x150 [rfkill]
> [362065.479981] artemis.mittagstun.de kernel:  ? rfkill_fop_write+0xef/0x1d0 [rfkill]
> [362065.479991] artemis.mittagstun.de kernel:  ? vfs_write+0xad/0x1b0
> [362065.479999] artemis.mittagstun.de kernel:  ? ksys_write+0x50/0xe0
> [362065.480008] artemis.mittagstun.de kernel:  ? __x64_sys_poll+0x37/0x130
> [362065.480018] artemis.mittagstun.de kernel:  ? do_syscall_64+0x65/0x1f0
> [362065.480027] artemis.mittagstun.de kernel:  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [362065.480035] artemis.mittagstun.de kernel: Modules linked in: uinput uas usb_storage binfmt_misc cp210x loop mmc_block nfsv3 nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv>
> [362065.480095] artemis.mittagstun.de kernel:  mac80211 btbcm btintel kvm hid_generic snd_hda_codec_realtek bluetooth irqbypass libarc4 snd_hda_codec_generic ledtrig_au>
> [362065.480226] artemis.mittagstun.de kernel: CR2: ffff9267aa8d7158
> [362065.480235] artemis.mittagstun.de kernel: ---[ end trace cbb6cb70eba67992 ]---

The register dump is repeated.
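Reading an oops like the one above is mostly mechanical: the `#PF` error code is a bit mask defined by the x86 architecture (0x0011 = page present + instruction fetch, in supervisor mode), and comparing RIP with CR2 shows whether the CPU faulted on the very first instruction at a redirected target, which is what the raw, unsymbolised RIP also indicates. The script below is an added example, not code from this report or from the kernel: it parses journal lines (the sample is a constructed subset of the lines quoted above), decodes the error code, and lists the observations a reviewer would draw from the register dump. A `? ` prefix on a trace frame means the unwinder found the address on the stack but could not verify it as a real return address.

```python
"""Decode an x86-64 "NX-protected page" kernel oops from journal lines.

Added example for this report; not code from the report or the kernel. The
sample below is a constructed subset of the journal lines quoted above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
[362065.479588] artemis.mittagstun.de kernel: kernel tried to execute NX-protected page - exploit attempt? (uid: 1501)
[362065.479614] artemis.mittagstun.de kernel: #PF: supervisor instruction fetch in kernel mode
[362065.479623] artemis.mittagstun.de kernel: #PF: error_code(0x0011) - permissions violation
[362065.479655] artemis.mittagstun.de kernel: CPU: 1 PID: 5548 Comm: gsd-rfkill Not tainted 5.3.18-lp152.66-default #1 openSUSE Leap 15.2
[362065.479675] artemis.mittagstun.de kernel: RIP: 0010:0xffff9267aa8d7158
[362065.479705] artemis.mittagstun.de kernel: RAX: ffff9267aa8d7158 RBX: ffff92698d5038d0 RCX: 00000000801e0014
[362065.479763] artemis.mittagstun.de kernel: CR2: ffff9267aa8d7158 CR3: 00000002a7ba8002 CR4: 00000000001606e0
[362065.479771] artemis.mittagstun.de kernel: Call Trace:
[362065.479784] artemis.mittagstun.de kernel:  ? device_del+0x97/0x3a0
[362065.479959] artemis.mittagstun.de kernel:  ? hci_rfkill_set_block+0x4a/0x90 [bluetooth]
[362065.479981] artemis.mittagstun.de kernel:  ? rfkill_fop_write+0xef/0x1d0 [rfkill]
[362065.480235] artemis.mittagstun.de kernel: ---[ end trace cbb6cb70eba67992 ]---
"""

# journalctl-style prefix "[monotonic] host kernel: message"; group 1 is the message text
JOURNAL_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s+\S+\s+kernel:\s?(.*)$")

# x86 #PF error code bits (Intel SDM vol. 3A, "Interrupt 14 - Page-Fault Exception")
PF_BITS = {
    "present": 1 << 0,            # 1 = page present: protection violation, not a missing page
    "write": 1 << 1,              # 1 = write access, 0 = read or instruction fetch
    "user": 1 << 2,               # 1 = user-mode access, 0 = supervisor (kernel) mode
    "rsvd": 1 << 3,               # reserved bit set in a paging-structure entry
    "instruction_fetch": 1 << 4,  # 1 = instruction fetch (reported when NX is enabled)
}

def decode_pf_error_code(code: int) -> Dict[str, bool]:
    """Map a raw #PF error code (e.g. 0x11) onto named flags."""
    return {name: bool(code & mask) for name, mask in PF_BITS.items()}

@dataclass
class Oops:
    uid: Optional[int] = None
    error_code: Optional[int] = None
    pid: Optional[int] = None
    comm: Optional[str] = None
    rip: Optional[int] = None   # set only when RIP is a raw address (no symbol resolved)
    rax: Optional[int] = None
    cr2: Optional[int] = None
    trace: List[Tuple[str, bool]] = field(default_factory=list)  # (frame, unreliable)

def parse_oops(text: str) -> Oops:
    """Extract the fields of interest from a block of kernel journal lines."""
    oops = Oops()
    in_trace = False
    for raw in text.splitlines():
        m = JOURNAL_PREFIX.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if in_trace:
            if msg.startswith(" "):  # trace frames are indented by one extra space
                frame = msg.strip()
                unreliable = frame.startswith("? ")  # unverified address found on the stack
                oops.trace.append((frame[2:] if unreliable else frame, unreliable))
                continue
            in_trace = False
        if mm := re.search(r"NX-protected page.*\(uid: (\d+)\)", msg):
            oops.uid = int(mm.group(1))
        elif mm := re.search(r"error_code\(0x([0-9a-f]+)\)", msg):
            oops.error_code = int(mm.group(1), 16)
        elif mm := re.search(r"PID: (\d+) Comm: (\S+)", msg):
            oops.pid, oops.comm = int(mm.group(1)), mm.group(2)
        elif mm := re.match(r"RIP: [0-9a-f]{4}:(?:0x)?([0-9a-f]+)$", msg):
            oops.rip = int(mm.group(1), 16)
        elif mm := re.match(r"RAX: ([0-9a-f]+)", msg):
            oops.rax = int(mm.group(1), 16)
        elif mm := re.match(r"CR2: ([0-9a-f]+)", msg):
            oops.cr2 = int(mm.group(1), 16)
        elif msg == "Call Trace:":
            in_trace = True
    return oops

def analyze(oops: Oops) -> List[str]:
    """Turn the parsed registers and trace into reviewer observations."""
    findings = []
    if oops.error_code is not None:
        bits = decode_pf_error_code(oops.error_code)
        if bits["instruction_fetch"] and bits["present"] and not bits["user"]:
            findings.append("kernel-mode instruction fetch from a mapped but non-executable page (NX violation)")
    if oops.rip is not None and oops.rip == oops.cr2:
        findings.append("RIP == CR2: the fault is on the first instruction at the target, so control flow was "
                        "redirected to a non-executable address rather than running off the end of code")
    if oops.rip is not None and oops.rip == oops.rax:
        findings.append("RAX holds the same address: consistent with an indirect call/jump through a register")
    if oops.trace and all(unreliable for _, unreliable in oops.trace):
        findings.append("every frame is marked '?': the backtrace is guessed from stack contents, not a verified unwind")
    return findings

if __name__ == "__main__":
    o = parse_oops(SAMPLE_LOG)
    print(f"{o.comm}[{o.pid}] uid={o.uid} error_code={o.error_code:#06x} -> {decode_pf_error_code(o.error_code)}")
    for line in analyze(o):
        print(" -", line)
```

The "exploit attempt?" wording is printed by the kernel's page-fault handler for every kernel-mode instruction fetch from an NX page, whatever the cause; on its own it does not distinguish a corrupted function pointer in a driver teardown path from anything else, so the surrounding context (here the HCI close path under `gsd-rfkill`) carries more weight than the message text.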

After this, I see XFS log messages which hint at data corruption. This will be
described in another bug.

> [362090.001636] artemis.mittagstun.de kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
> [362091.622962] artemis.mittagstun.de kernel: XFS (dm-0): xlog_space_left: head behind tail
> [362091.622973] artemis.mittagstun.de kernel: XFS (dm-0):   tail_cycle = 2348, tail_bytes = 1957888
> [362091.622978] artemis.mittagstun.de kernel: XFS (dm-0):   GH   cycle = 2348, GH   bytes = 1933664
> [362091.622982] artemis.mittagstun.de kernel: XFS (dm-0): xlog_space_left: head behind tail
> [362091.622987] artemis.mittagstun.de kernel: XFS (dm-0):   tail_cycle = 2348, tail_bytes = 1957888
> [362091.622991] artemis.mittagstun.de kernel: XFS (dm-0):   GH   cycle = 2348, GH   bytes = 1933664
> [362091.623082] artemis.mittagstun.de kernel: XFS (dm-0): xlog_space_left: head behind tail

