* Re: BUG: unable to handle kernel paging request in crypto_sha3_update [not found] <CABOYnLzjayx369ygmr0PsGYGeRpnBnaH1XPqfbispL5nAeOJ9w@mail.gmail.com> @ 2024-04-02 8:36 ` Herbert Xu 2024-04-02 15:09 ` Mike Rapoport 0 siblings, 1 reply; 4+ messages in thread From: Herbert Xu @ 2024-04-02 8:36 UTC (permalink / raw) To: xingwei lee Cc: davem, linux-crypto, linux-kernel, syzkaller-bugs, samsun1006219, Mike Rapoport, Andrew Morton, Linus Torvalds, Eric Dumazet, Jakub Kicinski, netdev On Wed, Mar 20, 2024 at 10:57:53AM +0800, xingwei lee wrote: > > syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul); > res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul); > if (res != -1) > r[1] = res; > res = syscall(__NR_memfd_secret, /*flags=*/0ul); > if (res != -1) > r[2] = res; So this is the key to the issue. The whole point of memfd_secret is to make the pages inaccessible to the kernel. The issue is those pages are then gifted to the kernel through sendmsg. Somewhere along the line someone is supposed to throw up an error about this, or map the pages properly. I guess neither happened which is why we end up with a page fault. I'll cc the memfd_secret authors to see what should catch this. > syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul, > /*prot=*/0x2000003ul, /*flags=*/0x28011ul, /*fd=*/r[2], > /*offset=*/0ul); > syscall(__NR_ftruncate, /*fd=*/r[2], /*len=*/0xde99ul); > *(uint64_t*)0x20000180 = 0; > *(uint32_t*)0x20000188 = 0; > *(uint64_t*)0x20000190 = 0x20000140; > *(uint64_t*)0x20000140 = 0x20000080; > *(uint64_t*)0x20000148 = 0xb0; > *(uint64_t*)0x20000198 = 1; > *(uint64_t*)0x200001a0 = 0; > *(uint64_t*)0x200001a8 = 0; > *(uint32_t*)0x200001b0 = 0; > syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000180ul, > /*f=*/0x47933e2b0522cf63ul); This is the spot where the memfd_secret pages are given to the kernel for processing through sendmsg. Thanks, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: BUG: unable to handle kernel paging request in crypto_sha3_update 2024-04-02 8:36 ` BUG: unable to handle kernel paging request in crypto_sha3_update Herbert Xu @ 2024-04-02 15:09 ` Mike Rapoport 2024-04-02 17:10 ` Andrew Morton 0 siblings, 1 reply; 4+ messages in thread From: Mike Rapoport @ 2024-04-02 15:09 UTC (permalink / raw) To: Herbert Xu Cc: xingwei lee, davem, linux-crypto, linux-kernel, syzkaller-bugs, samsun1006219, Andrew Morton, Linus Torvalds, Eric Dumazet, Jakub Kicinski, netdev On Tue, Apr 02, 2024 at 04:36:11PM +0800, Herbert Xu wrote: > On Wed, Mar 20, 2024 at 10:57:53AM +0800, xingwei lee wrote: > > > > syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul); > > res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul); > > if (res != -1) > > r[1] = res; > > res = syscall(__NR_memfd_secret, /*flags=*/0ul); > > if (res != -1) > > r[2] = res; > > So this is the key to the issue. The whole point of memfd_secret is > to make the pages inaccessible to the kernel. The issue is those > pages are then gifted to the kernel through sendmsg. Somewhere > along the line someone is supposed to throw up an error about this, > or map the pages properly. I guess neither happened which is why > we end up with a page fault. Yeah, there was a bug in folio_is_secretmem() that should have throw an error about this. David Hildenbrand sent a fix, it's in Andrew's tree https://lore.kernel.org/all/20240326143210.291116-1-david@redhat.com > I'll cc the memfd_secret authors to see what should catch this. > > > syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul, > > /*prot=*/0x2000003ul, /*flags=*/0x28011ul, /*fd=*/r[2], > > /*offset=*/0ul); > > syscall(__NR_ftruncate, /*fd=*/r[2], /*len=*/0xde99ul); > > *(uint64_t*)0x20000180 = 0; > > *(uint32_t*)0x20000188 = 0; > > *(uint64_t*)0x20000190 = 0x20000140; > > *(uint64_t*)0x20000140 = 0x20000080; > > *(uint64_t*)0x20000148 = 0xb0; > > *(uint64_t*)0x20000198 = 1; > > *(uint64_t*)0x200001a0 = 0; > > *(uint64_t*)0x200001a8 = 0; > > *(uint32_t*)0x200001b0 = 0; > > syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000180ul, > > /*f=*/0x47933e2b0522cf63ul); > > This is the spot where the memfd_secret pages are given to the kernel > for processing through sendmsg. > > Thanks, > -- > Email: Herbert Xu <herbert@gondor.apana.org.au> > Home Page: http://gondor.apana.org.au/~herbert/ > PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- Sincerely yours, Mike. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: BUG: unable to handle kernel paging request in crypto_sha3_update 2024-04-02 15:09 ` Mike Rapoport @ 2024-04-02 17:10 ` Andrew Morton 2024-04-03 4:34 ` Herbert Xu 0 siblings, 1 reply; 4+ messages in thread From: Andrew Morton @ 2024-04-02 17:10 UTC (permalink / raw) To: Mike Rapoport Cc: Herbert Xu, xingwei lee, davem, linux-crypto, linux-kernel, syzkaller-bugs, samsun1006219, Linus Torvalds, Eric Dumazet, Jakub Kicinski, netdev On Tue, 2 Apr 2024 18:09:21 +0300 Mike Rapoport <rppt@linux.ibm.com> wrote: > On Tue, Apr 02, 2024 at 04:36:11PM +0800, Herbert Xu wrote: > > On Wed, Mar 20, 2024 at 10:57:53AM +0800, xingwei lee wrote: > > > > > > syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul); > > > res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul); > > > if (res != -1) > > > r[1] = res; > > > res = syscall(__NR_memfd_secret, /*flags=*/0ul); > > > if (res != -1) > > > r[2] = res; > > > > So this is the key to the issue. The whole point of memfd_secret is > > to make the pages inaccessible to the kernel. The issue is those > > pages are then gifted to the kernel through sendmsg. Somewhere > > along the line someone is supposed to throw up an error about this, > > or map the pages properly. I guess neither happened which is why > > we end up with a page fault. > > Yeah, there was a bug in folio_is_secretmem() that should have throw an > error about this. > > David Hildenbrand sent a fix, it's in Andrew's tree > > https://lore.kernel.org/all/20240326143210.291116-1-david@redhat.com I'll send "mm/secretmem: fix GUP-fast succeeding on secretmem folios" upstream this week. ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: BUG: unable to handle kernel paging request in crypto_sha3_update 2024-04-02 17:10 ` Andrew Morton @ 2024-04-03 4:34 ` Herbert Xu 0 siblings, 0 replies; 4+ messages in thread From: Herbert Xu @ 2024-04-03 4:34 UTC (permalink / raw) To: Andrew Morton Cc: Mike Rapoport, xingwei lee, davem, linux-crypto, linux-kernel, syzkaller-bugs, samsun1006219, Linus Torvalds, Eric Dumazet, Jakub Kicinski, netdev On Tue, Apr 02, 2024 at 10:10:23AM -0700, Andrew Morton wrote: > On Tue, 2 Apr 2024 18:09:21 +0300 Mike Rapoport <rppt@linux.ibm.com> wrote: > > > Yeah, there was a bug in folio_is_secretmem() that should have throw an > > error about this. > > > > David Hildenbrand sent a fix, it's in Andrew's tree > > > > https://lore.kernel.org/all/20240326143210.291116-1-david@redhat.com > > I'll send "mm/secretmem: fix GUP-fast succeeding on secretmem folios" > upstream this week. Thanks for the quick follow-up! -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-04-03 4:34 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CABOYnLzjayx369ygmr0PsGYGeRpnBnaH1XPqfbispL5nAeOJ9w@mail.gmail.com>
2024-04-02 8:36 ` BUG: unable to handle kernel paging request in crypto_sha3_update Herbert Xu
2024-04-02 15:09 ` Mike Rapoport
2024-04-02 17:10 ` Andrew Morton
2024-04-03 4:34 ` Herbert Xu
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).