Re: BUG: unable to handle kernel paging request in crypto_sha3_update

Re: BUG: unable to handle kernel paging request in crypto_sha3_update

[Herbert Xu]

On Wed, Mar 20, 2024 at 10:57:53AM +0800, xingwei lee wrote:
>
>   syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul);
>   res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul);
>   if (res != -1)
>     r[1] = res;
>   res = syscall(__NR_memfd_secret, /*flags=*/0ul);
>   if (res != -1)
>     r[2] = res;

So this is the key to the issue.  The whole point of memfd_secret is
to make the pages inaccessible to the kernel.  The issue is those
pages are then gifted to the kernel through sendmsg.  Somewhere
along the line someone is supposed to throw up an error about this,
or map the pages properly.  I guess neither happened which is why
we end up with a page fault.

I'll cc the memfd_secret authors to see what should catch this.

>   syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul,
>           /*prot=*/0x2000003ul, /*flags=*/0x28011ul, /*fd=*/r[2],
>           /*offset=*/0ul);
>   syscall(__NR_ftruncate, /*fd=*/r[2], /*len=*/0xde99ul);
>   *(uint64_t*)0x20000180 = 0;
>   *(uint32_t*)0x20000188 = 0;
>   *(uint64_t*)0x20000190 = 0x20000140;
>   *(uint64_t*)0x20000140 = 0x20000080;
>   *(uint64_t*)0x20000148 = 0xb0;
>   *(uint64_t*)0x20000198 = 1;
>   *(uint64_t*)0x200001a0 = 0;
>   *(uint64_t*)0x200001a8 = 0;
>   *(uint32_t*)0x200001b0 = 0;
>   syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000180ul,
>           /*f=*/0x47933e2b0522cf63ul);

This is the spot where the memfd_secret pages are given to the kernel
for processing through sendmsg.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: BUG: unable to handle kernel paging request in crypto_sha3_update

[Mike Rapoport]

On Tue, Apr 02, 2024 at 04:36:11PM +0800, Herbert Xu wrote:
> On Wed, Mar 20, 2024 at 10:57:53AM +0800, xingwei lee wrote:
> >
> >   syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul);
> >   res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul);
> >   if (res != -1)
> >     r[1] = res;
> >   res = syscall(__NR_memfd_secret, /*flags=*/0ul);
> >   if (res != -1)
> >     r[2] = res;
> 
> So this is the key to the issue.  The whole point of memfd_secret is
> to make the pages inaccessible to the kernel.  The issue is those
> pages are then gifted to the kernel through sendmsg.  Somewhere
> along the line someone is supposed to throw up an error about this,
> or map the pages properly.  I guess neither happened which is why
> we end up with a page fault.

Yeah, there was a bug in folio_is_secretmem() that should have throw an
error about this.

David Hildenbrand sent a fix, it's in Andrew's tree

https://lore.kernel.org/all/20240326143210.291116-1-david@redhat.com
 
> I'll cc the memfd_secret authors to see what should catch this.
> 
> >   syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul,
> >           /*prot=*/0x2000003ul, /*flags=*/0x28011ul, /*fd=*/r[2],
> >           /*offset=*/0ul);
> >   syscall(__NR_ftruncate, /*fd=*/r[2], /*len=*/0xde99ul);
> >   *(uint64_t*)0x20000180 = 0;
> >   *(uint32_t*)0x20000188 = 0;
> >   *(uint64_t*)0x20000190 = 0x20000140;
> >   *(uint64_t*)0x20000140 = 0x20000080;
> >   *(uint64_t*)0x20000148 = 0xb0;
> >   *(uint64_t*)0x20000198 = 1;
> >   *(uint64_t*)0x200001a0 = 0;
> >   *(uint64_t*)0x200001a8 = 0;
> >   *(uint32_t*)0x200001b0 = 0;
> >   syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000180ul,
> >           /*f=*/0x47933e2b0522cf63ul);
> 
> This is the spot where the memfd_secret pages are given to the kernel
> for processing through sendmsg.
> 
> Thanks,
> -- 
> Email: Herbert Xu <herbert@gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

-- 
Sincerely yours,
Mike.

Re: BUG: unable to handle kernel paging request in crypto_sha3_update

[Andrew Morton]

On Tue, 2 Apr 2024 18:09:21 +0300 Mike Rapoport <rppt@linux.ibm.com> wrote:

> On Tue, Apr 02, 2024 at 04:36:11PM +0800, Herbert Xu wrote:
> > On Wed, Mar 20, 2024 at 10:57:53AM +0800, xingwei lee wrote:
> > >
> > >   syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul);
> > >   res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul);
> > >   if (res != -1)
> > >     r[1] = res;
> > >   res = syscall(__NR_memfd_secret, /*flags=*/0ul);
> > >   if (res != -1)
> > >     r[2] = res;
> > 
> > So this is the key to the issue.  The whole point of memfd_secret is
> > to make the pages inaccessible to the kernel.  The issue is those
> > pages are then gifted to the kernel through sendmsg.  Somewhere
> > along the line someone is supposed to throw up an error about this,
> > or map the pages properly.  I guess neither happened which is why
> > we end up with a page fault.
> 
> Yeah, there was a bug in folio_is_secretmem() that should have throw an
> error about this.
> 
> David Hildenbrand sent a fix, it's in Andrew's tree
> 
> https://lore.kernel.org/all/20240326143210.291116-1-david@redhat.com

I'll send "mm/secretmem: fix GUP-fast succeeding on secretmem folios"
upstream this week.

Re: BUG: unable to handle kernel paging request in crypto_sha3_update

[Herbert Xu]

On Tue, Apr 02, 2024 at 10:10:23AM -0700, Andrew Morton wrote:
> On Tue, 2 Apr 2024 18:09:21 +0300 Mike Rapoport <rppt@linux.ibm.com> wrote:
>
> > Yeah, there was a bug in folio_is_secretmem() that should have throw an
> > error about this.
> > 
> > David Hildenbrand sent a fix, it's in Andrew's tree
> > 
> > https://lore.kernel.org/all/20240326143210.291116-1-david@redhat.com
> 
> I'll send "mm/secretmem: fix GUP-fast succeeding on secretmem folios"
> upstream this week.

Thanks for the quick follow-up!
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt