[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <620f68b0-4fe0-4e3e-856a-dedb4bcdf3a7@redhat.com>
Date: Fri, 22 Mar 2024 22:08:11 +0100
From: David Hildenbrand <david@...hat.com>
To: Miklos Szeredi <miklos@...redi.hu>
Cc: xingwei lee <xrivendell7@...il.com>, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, samsun1006219@...il.com,
syzkaller-bugs@...glegroups.com, linux-mm <linux-mm@...ck.org>,
Mike Rapoport <rppt@...nel.org>
Subject: Re: BUG: unable to handle kernel paging request in fuse_copy_do
On 22.03.24 20:46, Miklos Szeredi wrote:
> On Fri, 22 Mar 2024 at 16:41, David Hildenbrand <david@...hat.com> wrote:
>
>> But at least the vmsplice() just seems to work. Which is weird, because
>> GUP-fast should not apply (page not faulted in?)
>
> But it is faulted in, and that indeed seems to be the root cause.
secretmem mmap() won't populate the page tables. So it's not faulted in yet.
When we GUP via vmsplice, GUP-fast should not find it in the page tables
and fallback to slow GUP.
There, we seem to pass check_vma_flags(), trigger faultin_page() to
fault it in, and then find it via follow_page_mask().
.. and I wonder how we manage to skip check_vma_flags(), or otherwise
managed to GUP it.
vmsplice() should, in theory, never succeed here.
Weird :/
> Improved repro:
>
> #define _GNU_SOURCE
>
> #include <fcntl.h>
> #include <unistd.h>
> #include <stdio.h>
> #include <errno.h>
> #include <sys/mman.h>
> #include <sys/syscall.h>
>
> int main(void)
> {
> int fd1, fd2;
> int pip[2];
> struct iovec iov;
> char *addr;
> int ret;
>
> fd1 = syscall(__NR_memfd_secret, 0);
> addr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_SHARED, fd1, 0);
> ftruncate(fd1, 7);
> addr[0] = 1; /* fault in page */
> pipe(pip);
> iov.iov_base = addr;
> iov.iov_len = 0x50;
> ret = vmsplice(pip[1], &iov, 1, 0);
> if (ret == -1 && errno == EFAULT) {
> printf("Success\n");
> return 0;
> }
>
> fd2 = open("/tmp/repro-secretmem.test", O_RDWR | O_CREAT, 0x600);
> splice(pip[0], NULL, fd2, NULL, 0x50, 0);
>
> return 0;
> }
>
--
Cheers,
David / dhildenb
Powered by blists - more mailing lists