On 5/20/25 15:49, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 5.15.184 release. There are 59 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Thu, 22 May 2025 12:57:37 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.184-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below.
thanks,
greg k-h
It's crashing at boot for me when the ITS mitigation is used (tested on Icelake):
[ OK ] Started udev Coldplug all Devices.
Starting udev Wait for Complete Device Initialization...
[ 3.567527] BUG: unable to handle page fault for address: ff4fa48f82b9a000
[ 3.575207] #PF: supervisor write access in kernel mode
[ 3.581040] #PF: error_code(0x0003) - permissions violation
[ 3.587262] PGD 1007f401067 P4D 1007f402067 PUD 3024b3063 PMD 302b99063 PTE 8000000302b9a161
[ 3.596685] Oops: 0003 [#1] SMP NOPTI
[ 3.600775] CPU: 73 PID: 1672 Comm: systemd-udevd Not tainted 5.15.184-rc1.its.1.el8.dev.x86_64 #1
[ 3.610779] Hardware name: Oracle Corporation ORACLE SERVER X9-2c/TLA,MB TRAY,X9-2c, BIOS 66110100 07/17/2024
[ 3.621848] RIP: 0010:clear_page_erms+0x7/0x10
[ 3.626813] Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 e9 13 7f a5 00 0f 1f 00 b9 00 10 00 00 31 c0 <f3> aa e9 02 7f a5 00 cc cc 48 85 ff 0f 84 e5 00 00 00 0f b6 0f 4c
[ 3.647774] RSP: 0000:ff63a55d1b8f3cb8 EFLAGS: 00010246
[ 3.653608] RAX: 0000000000000000 RBX: ff63a55d1b8f3d38 RCX: 0000000000001000
[ 3.661565] RDX: ffc82ea4cc0ae680 RSI: ff4fa48d971b1fc0 RDI: ff4fa48f82b9a000
[ 3.669529] RBP: ff4fa50cfffd5d80 R08: ffc82ea4cc0ae6c0 R09: 0000000000000000
[ 3.677496] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 3.685460] R13: 0000000000000901 R14: 0000000000000000 R15: 000000000002414b
[ 3.693425] FS: 00007f525eb73280(0000) GS:ff4fa50affc40000(0000) knlGS:0000000000000000
[ 3.702451] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.708864] CR2: ff4fa48f82b9a000 CR3: 0000000401476006 CR4: 0000000000771ee0
[ 3.716830] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3.724796] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3.732753] PKRU: 55555554
[ 3.735773] Call Trace:
[ 3.738504] <TASK>
[ 3.740847] kernel_init_free_pages.part.0+0x46/0x70
[ 3.746394] get_page_from_freelist+0x3df/0x510
[ 3.751453] ? do_set_pte+0xa5/0x100
[ 3.755446] __alloc_pages+0x19a/0x350
[ 3.759631] pte_alloc_one+0x14/0x50
[ 3.763623] do_read_fault+0x12d/0x160
[ 3.767802] do_fault+0x9a/0x2e0
[ 3.771403] __handle_mm_fault+0x3e8/0x6c0
[ 3.775978] handle_mm_fault+0xcf/0x2c0
[ 3.780261] do_user_addr_fault+0x1d2/0x680
[ 3.784932] exc_page_fault+0x68/0x140
[ 3.789119] asm_exc_page_fault+0x22/0x30
[ 3.793598] RIP: 0033:0x557a550175bd
[ 3.797591] Code: Unable to access opcode bytes at RIP 0x557a55017593.
[ 3.804878] RSP: 002b:00007ffd57006600 EFLAGS: 00010206
[ 3.810710] RAX: 0000000000000000 RBX: 0000557a6a620e40 RCX: 00007f525da098b8
[ 3.818676] RDX: 0000000000000003 RSI: 00007f525da09908 RDI: 0000000000000003
[ 3.826642] RBP: 00007ffd570067d0 R08: 0000000000000000 R09: 000000000000000a
[ 3.834607] R10: 00007f525eb73280 R11: 0000000000000206 R12: 0000557a6a620f00
[ 3.842573] R13: 0000557a6a6b76d0 R14: 0000000000000000 R15: 0000557a6a6b87d0
[ 3.850533] </TASK>
[ 3.852972] Modules linked in: psample pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls cxgb3i cxgb3 mdio libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
[ 3.879765] CR2: ff4fa48f82b9a000
[ 3.883463] ---[ end trace 5c8bb91d889112a9 ]---
[ 4.498240] RIP: 0010:clear_page_erms+0x7/0x10
[ 4.503205] Code: 48 89 47 18 48 89 47 20 48 89 47 28 48 89 47 30 48 89 47 38 48 8d 7f 40 75 d9 90 e9 13 7f a5 00 0f 1f 00 b9 00 10 00 00 31 c0 <f3> aa e9 02 7f a5 00 cc cc 48 85 ff 0f 84 e5 00 00 00 0f b6 0f 4c
[ 4.524155] RSP: 0000:ff63a55d1b8f3cb8 EFLAGS: 00010246
[ 4.529978] RAX: 0000000000000000 RBX: ff63a55d1b8f3d38 RCX: 0000000000001000
[ 4.537945] RDX: ffc82ea4cc0ae680 RSI: ff4fa48d971b1fc0 RDI: ff4fa48f82b9a000
[ 4.545910] RBP: ff4fa50cfffd5d80 R08: ffc82ea4cc0ae6c0 R09: 0000000000000000
[ 4.553874] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[ 4.561840] R13: 0000000000000901 R14: 0000000000000000 R15: 000000000002414b
[ 4.569798] FS: 00007f525eb73280(0000) GS:ff4fa50affc40000(0000) knlGS:0000000000000000
[ 4.578831] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4.585235] CR2: 0000557a55017593 CR3: 0000000401476006 CR4: 0000000000771ee0
[ 4.593202] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4.601158] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4.609122] PKRU: 55555554
[ 4.612143] Kernel panic - not syncing: Fatal exception
[ 4.618980] Kernel Offset: 0x39e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 4.686287] ---[ end Kernel panic - not syncing: Fatal exception ]---
There's no problem when disabling the ITS mitigation.
It looks like the problem comes from pages allocated for dynamic thunks for modules, and this patch appears to fix the problem:
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c index 43ec73da66d8b..9ca6973e56547 100644 --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -460,6 +460,8 @@ void its_free_mod(struct module *mod)
for (i = 0; i < mod->its_num_pages; i++) { void *page = mod->its_page_array[i]; + set_memory_nx((unsigned long)page, 1); + set_memory_rw((unsigned long)page, 1); module_memfree(page); } kfree(mod->its_page_array);
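Review bot: in the its_free_mod() loop, the two added calls set_memory_nx() and set_memory_rw() discard their return values, so if either one fails the page still reaches module_memfree() with its previous permissions, which is the state this change is trying to avoid. Consider checking both results and at least warning when the permission reset fails. A one-line comment above the calls stating that the thunk page has to be made non-executable and writable again before it is freed would also help, since the loop gives no hint of why the permissions are touched here.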
I don't know the exact underlying issue but I suspect that the kernel doesn't correctly handle pages freed without the write permission, and restoring page permissions to rw (instead of rox) before freeing prevents the problem.
alex.
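
An added example, not part of the original message or the kernel source: a small C decoder for the page-fault error code and the PTE value printed in the oops above (0x0003 and 8000000302b9a161), showing that the fault is a kernel-mode write to a present page whose PTE has the RW bit clear. The macro and function names are chosen for this example; the bit positions are the architectural x86-64 ones.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 page-fault error code bits (architectural). */
#define PF_PROT  (1u << 0) /* 1 = protection violation, 0 = not-present page */
#define PF_WRITE (1u << 1) /* access was a write */
#define PF_USER  (1u << 2) /* access came from user mode */
#define PF_INSTR (1u << 4) /* access was an instruction fetch */

/* x86-64 4 KiB PTE bits (architectural). */
#define PTE_P    (1ull << 0)
#define PTE_RW   (1ull << 1)
#define PTE_US   (1ull << 2)
#define PTE_NX   (1ull << 63)
#define PTE_ADDR 0x000ffffffffff000ull /* physical frame, bits 12..51 */

/* Hypothetical helper type for this example. */
struct pte_info { int present, writable, user, nx; uint64_t phys; };

static struct pte_info decode_pte(uint64_t pte)
{
    struct pte_info p;
    p.present  = !!(pte & PTE_P);
    p.writable = !!(pte & PTE_RW);
    p.user     = !!(pte & PTE_US);
    p.nx       = !!(pte & PTE_NX);
    p.phys     = pte & PTE_ADDR;
    return p;
}

/* 1 if the fault is a kernel-mode data write to a present, read-only page. */
static int is_kernel_write_to_ro(unsigned err, uint64_t pte)
{
    struct pte_info p = decode_pte(pte);
    return (err & PF_PROT) && (err & PF_WRITE) && !(err & (PF_USER | PF_INSTR))
        && p.present && !p.writable;
}

int main(void)
{
    /* Values copied from the oops in this message. */
    unsigned err = 0x0003;
    uint64_t pte = 0x8000000302b9a161ull;
    struct pte_info p = decode_pte(pte);

    printf("P=%d RW=%d US=%d NX=%d phys=0x%llx\n", p.present, p.writable,
           p.user, p.nx, (unsigned long long)p.phys);
    printf("kernel write to read-only page: %s\n",
           is_kernel_write_to_ro(err, pte) ? "yes" : "no");
    return 0;
}
```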