Date: Tue, 2 Apr 2024 16:36:11 +0800
From: Herbert Xu
To: xingwei lee
Cc: davem@davemloft.net, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, samsun1006219@gmail.com, Mike Rapoport, Andrew Morton, Linus Torvalds, Eric Dumazet, Jakub Kicinski, netdev@vger.kernel.org
Subject: Re: BUG: unable to handle kernel paging request in crypto_sha3_update
X-Mailing-List: linux-crypto@vger.kernel.org
On Wed, Mar 20, 2024 at 10:57:53AM +0800, xingwei lee wrote:
>
>   syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul);
>   res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul);
>   if (res != -1)
>     r[1] = res;
>   res = syscall(__NR_memfd_secret, /*flags=*/0ul);
>   if (res != -1)
>     r[2] = res;

So this is the key to the issue. The whole point of memfd_secret is to make the pages inaccessible to the kernel. The issue is those pages are then gifted to the kernel through sendmsg. Somewhere along the line someone is supposed to throw up an error about this, or map the pages properly. I guess neither happened, which is why we end up with a page fault.

I'll cc the memfd_secret authors to see what should catch this.

>   syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul,
>           /*prot=*/0x2000003ul, /*flags=*/0x28011ul, /*fd=*/r[2],
>           /*offset=*/0ul);
>   syscall(__NR_ftruncate, /*fd=*/r[2], /*len=*/0xde99ul);
>   *(uint64_t*)0x20000180 = 0;
>   *(uint32_t*)0x20000188 = 0;
>   *(uint64_t*)0x20000190 = 0x20000140;
>   *(uint64_t*)0x20000140 = 0x20000080;
>   *(uint64_t*)0x20000148 = 0xb0;
>   *(uint64_t*)0x20000198 = 1;
>   *(uint64_t*)0x200001a0 = 0;
>   *(uint64_t*)0x200001a8 = 0;
>   *(uint32_t*)0x200001b0 = 0;
>   syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000180ul,
>           /*f=*/0x47933e2b0522cf63ul);

This is the spot where the memfd_secret pages are given to the kernel for processing through sendmsg.

Thanks,
-- 
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
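The reply above describes the hazard from the kernel's side: memfd_secret memory is meant to stay out of the kernel's reach, so a zero-copy path such as sendmsg on the reproducer's socket that pins and maps those pages either has to be refused or will fault. The program below is an added example, not code from this thread or from the kernel: it shows the same memfd_secret lifecycle the reproducer uses (memfd_secret, ftruncate, mmap) and a user-space guard that an application can run before gifting a buffer to any page-pinning kernel interface, so it does not depend on the kernel catching the mistake. Two things are assumptions rather than facts from the thread: that secretmem mappings appear in /proc/self/maps with a path beginning "/secretmem", and that 447 is the right fallback syscall number (generic and x86-64) when the headers lack __NR_memfd_secret. The maps text used for the offline check is constructed sample data.

```c
/* Added example (not from the thread or the kernel tree): detect whether a
 * buffer is backed by memfd_secret before handing it to a kernel interface
 * that would pin and map its pages (e.g. sendmsg on an AF_ALG socket).
 * Assumptions: secretmem mappings show up in /proc/self/maps with a path
 * starting "/secretmem"; the syscall number fallback is generic/x86-64. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447   /* assumption: generic/x86-64 value; check your arch */
#endif

/* Constructed sample of /proc/self/maps output for offline testing. */
static const char SAMPLE_MAPS[] =
    "55d0c0a00000-55d0c0a01000 r--p 00000000 fd:01 1234567 /usr/bin/demo\n"
    "7f3a10000000-7f3a10002000 rw-s 00000000 00:0f 42 /secretmem\n"
    "7f3a20000000-7f3a20021000 rw-p 00000000 00:00 0 [heap]\n";

/* Parse one maps line into [start, end) and flag secretmem-backed mappings. */
static bool parse_maps_line(const char *line, uintptr_t *start, uintptr_t *end,
                            bool *is_secret)
{
    unsigned long long s, e, off, ino;
    unsigned dmaj, dmin;
    char perms[8], path[256] = "";
    int n = sscanf(line, "%llx-%llx %7s %llx %x:%x %llu %255s",
                   &s, &e, perms, &off, &dmaj, &dmin, &ino, path);
    if (n < 7)
        return false;
    *start = (uintptr_t)s;
    *end = (uintptr_t)e;
    /* Prefix match tolerates a trailing " (deleted)" on pseudo-file dentries. */
    *is_secret = (n == 8 && strncmp(path, "/secretmem", 10) == 0);
    return true;
}

/* True if [addr, addr+len) overlaps any secretmem mapping in maps_text. */
static bool range_touches_secretmem(const char *maps_text, uintptr_t addr, size_t len)
{
    for (const char *p = maps_text; *p;) {
        const char *nl = strchr(p, '\n');
        size_t l = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (l >= sizeof line)
            l = sizeof line - 1;
        memcpy(line, p, l);
        line[l] = '\0';
        uintptr_t s, e;
        bool sec;
        if (parse_maps_line(line, &s, &e, &sec) && sec && addr < e && addr + len > s)
            return true;
        if (!nl)
            break;
        p = nl + 1;
    }
    return false;
}

/* Run the check against the live /proc/self/maps of this process. */
static bool buffer_is_secretmem(const void *buf, size_t len)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return false;
    char *text = NULL;
    size_t cap = 0, used = 0;
    for (;;) {
        if (used + 4096 + 1 > cap) {
            cap = cap ? cap * 2 : 65536;
            char *grown = realloc(text, cap);
            if (!grown) { free(text); fclose(f); return false; }
            text = grown;
        }
        size_t n = fread(text + used, 1, cap - used - 1, f);
        if (n == 0)
            break;
        used += n;
    }
    fclose(f);
    text[used] = '\0';
    bool hit = range_touches_secretmem(text, (uintptr_t)buf, len);
    free(text);
    return hit;
}

int main(void)
{
    printf("offline sample check: %d\n", range_touches_secretmem(SAMPLE_MAPS, 0x7f3a10000800, 16));
    size_t len = 4096;
    int fd = (int)syscall(__NR_memfd_secret, 0UL);
    if (fd < 0) {
        printf("memfd_secret unavailable (%s); skipping live demo\n", strerror(errno));
        return 0;
    }
    if (ftruncate(fd, (off_t)len) != 0) { perror("ftruncate"); return 1; }
    void *secret = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (secret == MAP_FAILED) { perror("mmap"); return 1; }
    memset(secret, 'K', 32);                       /* user space may still touch it */
    char *ordinary = calloc(1, len);
    printf("secretmem buffer flagged: %s\n", buffer_is_secretmem(secret, 32) ? "yes" : "no");
    printf("ordinary buffer flagged:  %s\n", buffer_is_secretmem(ordinary, 32) ? "yes" : "no");
    /* Policy: a flagged buffer is never passed to sendmsg()/splice()/O_DIRECT;
     * copy it into ordinary memory first if the kernel must read it. */
    free(ordinary);
    munmap(secret, len);
    close(fd);
    return 0;
}
```

The guard is deliberately conservative: it flags any overlap with a secretmem mapping, so a buffer that merely straddles the end of one is refused too. On kernels without secretmem, or in sandboxes that filter the syscall, the live part skips itself and only the offline check runs.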