From: Omar Sandoval <osandov@fb.com>
I found that on x86, copy_to_kernel_nofault() still faults on addresses
outside of the kernel address range (including NULL):
# echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc
# echo g > /proc/sysrq-trigger
...
[15]kdb> mm 0 1234
[ 94.652476] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 94.652481] #PF: supervisor write access in kernel mode
[ 94.652483] #PF: error_code(0x0002) - not-present page
[ 94.652485] PGD 0 P4D 0
[ 94.652489] Oops: Oops: 0002 [#1] PREEMPT SMP PTI
[ 94.652493] CPU: 15 UID: 0 PID: 619 Comm: bash Not tainted 6.11.0-rc6 #11
[ 94.652497] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 94.652498] RIP: 0010:copy_to_kernel_nofault+0x1c/0x90
[ 94.652505] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 65 48 8b 0d 14 9d 72 4c 83 81 04 1b 00 00 01 48 83 fa 07 76 18 48 8b 06 <48> 89 07 48 83 ea 08 48 83 c7 08 48 83 c6 08 48 83 fa 07 77 e8 48
[ 94.652507] RSP: 0018:ffffa4a640b1fa48 EFLAGS: 00010002
[ 94.652509] RAX: 00000000000004d2 RBX: 0000000000000003 RCX: ffff8a8251020000
[ 94.652510] RDX: 0000000000000008 RSI: ffffa4a640b1fa68 RDI: 0000000000000000
[ 94.652512] RBP: 0000000000000000 R08: ffffa4a640b1f9f0 R09: ffffa4a640b1f9f8
[ 94.652513] R10: 000000000000000a R11: f000000000000000 R12: 0000000000000000
[ 94.652515] R13: 00000000000004d2 R14: 0000000000000000 R15: ffff8a8251020000
[ 94.652518] FS: 00007fa9c15f6b80(0000) GS:ffff8a895f7c0000(0000) knlGS:0000000000000000
[ 94.652520] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 94.652521] CR2: 0000000000000000 CR3: 000000010ff72004 CR4: 0000000000770ef0
[ 94.652522] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 94.652523] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 94.652524] PKRU: 55555554
[ 94.652525] Call Trace:
[ 94.652528] <TASK>
[ 94.652534] ? __die+0x24/0x70
[ 94.652538] ? page_fault_oops+0x15a/0x480
[ 94.652543] ? kdb_msg_write.part.0+0x3e/0xb0
[ 94.652547] ? vkdb_printf+0x1a6/0x8b0
[ 94.652550] ? exc_page_fault+0x72/0x160
[ 94.652555] ? asm_exc_page_fault+0x26/0x30
[ 94.652564] ? copy_to_kernel_nofault+0x1c/0x90
[ 94.652566] kdb_putarea_size+0x15/0x80
[ 94.652570] kdb_putword+0x72/0xc0
[ 94.652573] kdb_mm+0xdc/0x130
[ 94.652576] kdb_parse+0x2b7/0x6c0
[ 94.652578] ? kdb_getstr+0x40a/0x910
[ 94.652581] kdb_main_loop+0x4a0/0xa40
[ 94.652584] ? module_event+0x10/0x10
[ 94.652590] kdb_stub+0x1ae/0x3f0
[ 94.652594] kgdb_cpu_enter+0x2a8/0x5f0
[ 94.652599] kgdb_handle_exception+0xbd/0x100
[ 94.652605] __kgdb_notify+0x30/0xd0
[ 94.652610] kgdb_notify+0x15/0x30
[ 94.652612] notifier_call_chain+0x5b/0xd0
[ 94.652618] notify_die+0x53/0x80
[ 94.652622] exc_int3+0xf9/0x130
[ 94.652626] asm_exc_int3+0x39/0x40
Note that copy_to_kernel_nofault() uses pagefault_disable(), but it
still faults. This is because with Supervisor Mode Access Prevention
(SMAP) enabled, do_user_addr_fault() Oopses on a fault for a user
address from kernel space _before_ checking faulthandler_disabled().
copy_from_kernel_nofault() avoids this by checking that the address is
in the kernel before doing the actual memory access. Do the same in
copy_to_kernel_nofault() so that we get an error as expected:
# echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc
# echo g > /proc/sysrq-trigger
...
[17]kdb> mm 0 1234
kdb_putarea_size: Bad address 0x0
diag: -21: Invalid address
Signed-off-by: Omar Sandoval <osandov@fb.com>
---
mm/maccess.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/mm/maccess.c b/mm/maccess.c
index 72e9c03ea37f..d67dee51a1cc 100644
--- a/mm/maccess.c
+++ b/mm/maccess.c
@@ -61,6 +61,9 @@ long copy_to_kernel_nofault(void *dst, const void *src, size_t size)
if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
align = (unsigned long)dst | (unsigned long)src;
+ if (!copy_kernel_nofault_allowed(dst, size))
+ return -ERANGE;
+
pagefault_disable();
if (!(align & 7))
copy_to_kernel_nofault_loop(dst, src, size, u64, Efault);
--
2.46.0Hi,
Le 02/09/2024 à 07:31, Omar Sandoval a écrit :
> [Vous ne recevez pas souvent de courriers de osandov@osandov.com. Découvrez pourquoi ceci est important à https://aka.ms/LearnAboutSenderIdentification ]
>
> From: Omar Sandoval <osandov@fb.com>
>
> I found that on x86, copy_to_kernel_nofault() still faults on addresses
> outside of the kernel address range (including NULL):
>
> # echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc
> # echo g > /proc/sysrq-trigger
> ...
> [15]kdb> mm 0 1234
> [ 94.652476] BUG: kernel NULL pointer dereference, address: 0000000000000000
...
>
> Note that copy_to_kernel_nofault() uses pagefault_disable(), but it
> still faults. This is because with Supervisor Mode Access Prevention
> (SMAP) enabled, do_user_addr_fault() Oopses on a fault for a user
> address from kernel space _before_ checking faulthandler_disabled().
>
> copy_from_kernel_nofault() avoids this by checking that the address is
> in the kernel before doing the actual memory access. Do the same in
> copy_to_kernel_nofault() so that we get an error as expected:
>
> # echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc
> # echo g > /proc/sysrq-trigger
> ...
> [17]kdb> mm 0 1234
> kdb_putarea_size: Bad address 0x0
> diag: -21: Invalid address
>
> Signed-off-by: Omar Sandoval <osandov@fb.com>
> ---
> mm/maccess.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/mm/maccess.c b/mm/maccess.c
> index 72e9c03ea37f..d67dee51a1cc 100644
> --- a/mm/maccess.c
> +++ b/mm/maccess.c
> @@ -61,6 +61,9 @@ long copy_to_kernel_nofault(void *dst, const void *src, size_t size)
> if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
> align = (unsigned long)dst | (unsigned long)src;
>
> + if (!copy_kernel_nofault_allowed(dst, size))
> + return -ERANGE;
> +
> pagefault_disable();
> if (!(align & 7))
> copy_to_kernel_nofault_loop(dst, src, size, u64, Efault);
> --
> 2.46.0
>
This patch leads to the following errors on ppc64le_defconfig:
[ 2.423930][ T1] Running code patching self-tests ...
[ 2.428912][ T1] code-patching: test failed at line 395
[ 2.429085][ T1] code-patching: test failed at line 398
[ 2.429561][ T1] code-patching: test failed at line 432
[ 2.429679][ T1] code-patching: test failed at line 435
This seems to be linked to commit c28c15b6d28a ("powerpc/code-patching:
Use temporary mm for Radix MMU"), copy_from_kernel_nofault_allowed()
returns false for the patching area.
Christophe
On Wed, Sep 04, 2024 at 09:50:56AM +0200, Christophe Leroy wrote:
> Hi,
>
> Le 02/09/2024 à 07:31, Omar Sandoval a écrit :
> > [Vous ne recevez pas souvent de courriers de osandov@osandov.com. Découvrez pourquoi ceci est important à https://aka.ms/LearnAboutSenderIdentification ]
> >
> > From: Omar Sandoval <osandov@fb.com>
> >
> > I found that on x86, copy_to_kernel_nofault() still faults on addresses
> > outside of the kernel address range (including NULL):
> >
> > # echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc
> > # echo g > /proc/sysrq-trigger
> > ...
> > [15]kdb> mm 0 1234
> > [ 94.652476] BUG: kernel NULL pointer dereference, address: 0000000000000000
> ...
> >
> > Note that copy_to_kernel_nofault() uses pagefault_disable(), but it
> > still faults. This is because with Supervisor Mode Access Prevention
> > (SMAP) enabled, do_user_addr_fault() Oopses on a fault for a user
> > address from kernel space _before_ checking faulthandler_disabled().
> >
> > copy_from_kernel_nofault() avoids this by checking that the address is
> > in the kernel before doing the actual memory access. Do the same in
> > copy_to_kernel_nofault() so that we get an error as expected:
> >
> > # echo ttyS0 > /sys/module/kgdboc/parameters/kgdboc
> > # echo g > /proc/sysrq-trigger
> > ...
> > [17]kdb> mm 0 1234
> > kdb_putarea_size: Bad address 0x0
> > diag: -21: Invalid address
> >
> > Signed-off-by: Omar Sandoval <osandov@fb.com>
> > ---
> > mm/maccess.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/mm/maccess.c b/mm/maccess.c
> > index 72e9c03ea37f..d67dee51a1cc 100644
> > --- a/mm/maccess.c
> > +++ b/mm/maccess.c
> > @@ -61,6 +61,9 @@ long copy_to_kernel_nofault(void *dst, const void *src, size_t size)
> > if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
> > align = (unsigned long)dst | (unsigned long)src;
> >
> > + if (!copy_kernel_nofault_allowed(dst, size))
> > + return -ERANGE;
> > +
> > pagefault_disable();
> > if (!(align & 7))
> > copy_to_kernel_nofault_loop(dst, src, size, u64, Efault);
> > --
> > 2.46.0
> >
>
> This patch leads to the following errors on ppc64le_defconfig:
>
> [ 2.423930][ T1] Running code patching self-tests ...
> [ 2.428912][ T1] code-patching: test failed at line 395
> [ 2.429085][ T1] code-patching: test failed at line 398
> [ 2.429561][ T1] code-patching: test failed at line 432
> [ 2.429679][ T1] code-patching: test failed at line 435
>
> This seems to be linked to commit c28c15b6d28a ("powerpc/code-patching: Use
> temporary mm for Radix MMU"), copy_from_kernel_nofault_allowed() returns
> false for the patching area.
Thanks for testing. This patch isn't worth the trouble, so we can drop
it.
Thanks,
Omar
© 2016 - 2025 Red Hat, Inc.