Re: static_key_enable_cpuslocked(): static key 'security_hook_active_locked_down_0+0x0/0x10' used before call to jump_label_init()

From: Borislav Petkov
Date: Tue Jul 30 2024 - 09:45:10 EST


On Tue, Jul 30, 2024 at 01:34:19PM +0200, Borislav Petkov wrote:
> Hi,
>
> this is with today's linux-next:
>
> ...
>
> 09:44:13 [console-expect]#kexec -e
> 09:44:13 kexec -e
> 09:44:16 ^[[?2004l^M[ 0.000000] Linux version 6.11.0-rc1-next-20240730-1722324631886 (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #1 SMP PREEMPT_DYNAMIC Tue Jul 30 07:40:55 UTC 2024
> 09:44:16 [ 0.000000] ------------[ cut here ]------------
> 09:44:16 [ 0.000000] WARNING: CPU: 0 PID: 0 at kernel/static_call_inline.c:153 __static_call_update+0x1c6/0x220
> 09:44:16 [ 0.000000] Modules linked in:
> 09:44:16 [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.11.0-rc1-next-20240730-1722324631886 #1
> 09:44:16 [ 0.000000] RIP: 0010:__static_call_update+0x1c6/0x220
> 09:44:16 [ 0.000000] Code: 87 5b eb d9 00 a8 01 0f 85 6c ff ff ff 4c 89 ee 48 c7 c7 e0 fb a2 8c c6 05 44 63 2b 02 01 e8 b1 00 d9 ff 0f 0b e9 4f ff ff ff <0f> 0b 48 c7 c7 40 fc 40 8d e8 dc 52 e1 00 e8 a7 23 d9 ff 48 8b 45
> 09:44:16 [ 0.000000] RSP: 0000:ffffffff8d203dd0 EFLAGS: 00010046 ORIG_RAX: 0000000000000000
> 09:44:16 [ 0.000000] RAX: 0000000000000000 RBX: ffffffff8b7e3250 RCX: 000000006690cbe9
> 09:44:16 [ 0.000000] RDX: 0000000000000000 RSI: ffffffff8dbae58c RDI: ffffffff8d2867a0
> 09:44:16 [ 0.000000] RBP: ffffffff8d203e38 R08: 00000000ff6690cb R09: 2035353a30343a37
> 09:44:16 [ 0.000000] R10: 3230322043545520 R11: 35353a30343a3730 R12: ffffffff8c17a180
> 09:44:16 [ 0.000000] R13: ffffffff8c48db10 R14: ffffffff8d4c7030 R15: 0000000000000000
> 09:44:16 [ 0.000000] FS: 0000000000000000(0000) GS:ffffffff8d69c000(0000) knlGS:0000000000000000
> 09:44:16 [ 0.000000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> 09:44:16 [ 0.000000] CR2: ff1100007047d000 CR3: 00000000745c2000 CR4: 00000000000010b0
> 09:44:16 [ 0.000000] Call Trace:
> 09:44:16 [ 0.000000] <TASK>
> 09:44:16 [ 0.000000] ? show_regs+0x6d/0x80
> 09:44:16 [ 0.000000] ? __warn+0x91/0x140
> 09:44:16 [ 0.000000] ? __static_call_update+0x1c6/0x220
> 09:44:16 [ 0.000000] ? report_bug+0x193/0x1a0
> 09:44:16 [ 0.000000] ? __pfx_lockdown_is_locked_down+0x10/0x10
> 09:44:16 [ 0.000000] ? early_fixup_exception+0xa6/0xd0
> 09:44:16 [ 0.000000] ? do_early_exception+0x27/0x70
> 09:44:16 [ 0.000000] ? __SCT__lsm_static_call_bpf_token_capable_11+0x8/0x8
> 09:44:17 [ 0.000000] ? early_idt_handler_common+0x2f/0x3a
> 09:44:17 [ 0.000000] ? __SCT__lsm_static_call_bpf_token_capable_11+0x8/0x8
> 09:44:17 [ 0.000000] ? __pfx_lockdown_is_locked_down+0x10/0x10
> 09:44:17 [ 0.000000] ? __static_call_update+0x1c6/0x220
> 09:44:17 [ 0.000000] ? __pfx_lockdown_is_locked_down+0x10/0x10
> 09:44:17 [ 0.000000] ? vprintk_emit+0xb5/0x410
> 09:44:17 [ 0.000000] security_add_hooks+0xbd/0x150
> 09:44:17 [ 0.000000] lockdown_lsm_init+0x25/0x30
> 09:44:17 [ 0.000000] initialize_lsm+0x38/0x90
> 09:44:17 [ 0.000000] early_security_init+0x36/0x70
> 09:44:17 [ 0.000000] start_kernel+0x5f/0xb50
> 09:44:17 [ 0.000000] x86_64_start_reservations+0x1c/0x30
> 09:44:17 [ 0.000000] x86_64_start_kernel+0xbf/0x110
> 09:44:17 [ 0.000000] ? setup_ghcb+0x12/0x130
> 09:44:17 [ 0.000000] common_startup_64+0x13e/0x141
> 09:44:17 [ 0.000000] </TASK>
> 09:44:17 [ 0.000000] ---[ end trace 0000000000000000 ]---
> 09:44:17 [ 0.000000] ------------[ cut here ]------------
> 09:44:17 [ 0.000000] static_key_enable_cpuslocked(): static key 'security_hook_active_locked_down_0+0x0/0x10' used before call to jump_label_init()

It says so directly here:


start_kernel:

....

	early_security_init(); <----
	setup_arch(&command_line);
	setup_boot_config();
	setup_command_line(command_line);
	setup_nr_cpu_ids();
	setup_per_cpu_areas();
	smp_prepare_boot_cpu(); /* arch-specific boot-cpu hooks */
	early_numa_node_init();
	boot_cpu_hotplug_init();

	pr_notice("Kernel command line: %s\n", saved_command_line);
	/* parameters may set static keys */
	jump_label_init(); <---


That can't work this way.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette
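
A triage helper for boot logs like the one quoted above, added here as an example (it is not part of the original mail or of the kernel tree). It extracts the static key named in a "used before call to jump_label_init()" message and the reliable call-trace frames, meaning those without a leading "?", which is how the early_security_init() path is read off the splat. The names triage, STAMP, FRAME and EARLY_KEY are hypothetical, and the embedded sample is an abbreviated excerpt of the quoted log.

```python
import re

# Abbreviated excerpt of the boot log quoted above, embedded as sample input.
SAMPLE_LOG = """\
[ 0.000000] WARNING: CPU: 0 PID: 0 at kernel/static_call_inline.c:153 __static_call_update+0x1c6/0x220
[ 0.000000] Call Trace:
[ 0.000000] <TASK>
[ 0.000000] ? show_regs+0x6d/0x80
[ 0.000000] ? __static_call_update+0x1c6/0x220
[ 0.000000] security_add_hooks+0xbd/0x150
[ 0.000000] lockdown_lsm_init+0x25/0x30
[ 0.000000] initialize_lsm+0x38/0x90
[ 0.000000] early_security_init+0x36/0x70
[ 0.000000] start_kernel+0x5f/0xb50
[ 0.000000] </TASK>
[ 0.000000] static_key_enable_cpuslocked(): static key 'security_hook_active_locked_down_0+0x0/0x10' used before call to jump_label_init()
"""

# Drops everything up to and including the "[ 0.000000]" kernel timestamp,
# so "> 09:44:17 [ 0.000000] ..." console prefixes are tolerated too.
STAMP = re.compile(r"^.*?\[\s*\d+\.\d+\]\s*")
# A stack frame "sym+0xoff/0xlen", optionally marked unreliable with "? ".
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# The message that reports a static key touched before jump_label_init().
EARLY_KEY = re.compile(
    r"^(\w+)\(\): static key '([^'+]+)\+0x[0-9a-f]+/0x[0-9a-f]+' "
    r"used before call to jump_label_init\(\)")

def triage(log):
    """Return (early_keys, reliable_frames) found in a kernel boot log."""
    early_keys, frames, in_trace = [], [], False
    for raw in log.splitlines():
        line = STAMP.sub("", raw, count=1).strip()
        if line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            in_trace = False
        elif in_trace:
            m = FRAME.match(line)
            # "?" frames are stale stack contents, not the real call chain.
            if m and not m.group(1):
                frames.append(m.group(2))
        else:
            m = EARLY_KEY.match(line)
            if m:
                early_keys.append((m.group(1), m.group(2)))
    return early_keys, frames
```

Frames from every trace in the input are returned in one flat list, so feed it one splat at a time when a log contains several.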