Hi Hou Tao, I agree to your approach in this patch. Please see some comments below. On 1/26/2024 3:54 AM, Hou Tao wrote: > From: Hou Tao <houtao1@xxxxxxxxxx> > > When trying to use copy_from_kernel_nofault() to read vsyscall page > through a bpf program, the following oops was reported: > > BUG: unable to handle page fault for address: ffffffffff600000 > #PF: supervisor read access in kernel mode > #PF: error_code(0x0000) - not-present page > PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 > Oops: 0000 [#1] PREEMPT SMP PTI > CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... > RIP: 0010:copy_from_kernel_nofault+0x6f/0x110 > ...... > Call Trace: > <TASK> > ? copy_from_kernel_nofault+0x6f/0x110 > bpf_probe_read_kernel+0x1d/0x50 > bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d > trace_call_bpf+0xc5/0x1c0 > perf_call_bpf_enter.isra.0+0x69/0xb0 > perf_syscall_enter+0x13e/0x200 > syscall_trace_enter+0x188/0x1c0 > do_syscall_64+0xb5/0xe0 > entry_SYSCALL_64_after_hwframe+0x6e/0x76 > </TASK> > ...... > ---[ end trace 0000000000000000 ]--- > > It seems the occurrence of oops depends on SMAP feature of CPU. It > happens as follow: a bpf program uses bpf_probe_read_kernel() to read > from vsyscall page, bpf_probe_read_kernel() invokes > copy_from_kernel_nofault() in turn and then invokes __get_user_asm(). > Because the vsyscall page address is not readable for kernel space, > a page fault exception is triggered accordingly, handle_page_fault() > considers the vsyscall page address as a userspace address instead of a > kernel space address, so the fix-up set-up by bpf isn't applied. Because > the CPU has SMAP feature and the access happens in kernel mode, so > page_fault_oops() is invoked and an oops happens. If these is no SMAP > feature, the fix-up set-up by bpf will be applied and > copy_from_kernel_nofault() will return -EFAULT instead. > I find this paragraph to be a bit hard to follow. I think we can minimize the reference to SMAP here since it is only helping detect cross address space accesses. How about something like the following: The oops is triggered when: 1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall page and invokes copy_from_kernel_nofault() which in turn calls __get_user_asm(). 2) Because the vsyscall page address is not readable from kernel space, a page fault exception is triggered accordingly. 3) handle_page_fault() considers the vsyscall page address as a user space address instead of a kernel space address. This results in the fix-up setup by bpf not being applied and a page_fault_oops() is invoked due to SMAP. > Considering handle_page_fault() has already considered the vsyscall page > address as a userspace address, fix the problem by disallowing vsyscall > page read for copy_from_kernel_nofault(). > I agree, following the same approach as handle_page_fault() seems reasonable. > Originally-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> > Reported-by: syzbot+72aa0161922eba61b50e@xxxxxxxxxxxxxxxxxxxxxxxxx > Closes: https://lore.kernel.org/bpf/CAG48ez06TZft=ATH1qh2c5mpS5BT8UakwNkzi6nvK5_djC-4Nw@xxxxxxxxxxxxxx > Reported-by: xingwei lee <xrivendell7@xxxxxxxxx> > Closes: https://lore.kernel.org/bpf/CABOYnLynjBoFZOf3Z4BhaZkc5hx_kHfsjiW+UWLoB=w33LvScw@xxxxxxxxxxxxxx > Signed-off-by: Hou Tao <houtao1@xxxxxxxxxx> > --- > arch/x86/mm/maccess.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/arch/x86/mm/maccess.c b/arch/x86/mm/maccess.c > index 6993f026adec9..d9272e1db5224 100644 > --- a/arch/x86/mm/maccess.c > +++ b/arch/x86/mm/maccess.c > @@ -3,6 +3,8 @@ > #include <linux/uaccess.h> > #include <linux/kernel.h> > > +#include <asm/vsyscall.h> > + > #ifdef CONFIG_X86_64 > bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size) > { > @@ -15,6 +17,13 @@ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size) > if (vaddr < TASK_SIZE_MAX + PAGE_SIZE) > return false; > > + /* Also consider the vsyscall page as userspace address. Otherwise, > + * reading the vsyscall page in copy_from_kernel_nofault() may > + * trigger an oops due to an unhandled page fault. > + */ x86 prefers a slightly different style for multi-line comments. Please refer to https://docs.kernel.org/process/maintainer-tip.html#comment-style. How about rewording the above as: /* * Reading from the vsyscall page may cause an unhandled fault in * certain cases. Though it is at an address above TASK_SIZE_MAX, it is * usually considered as a user space address. */ > + if (is_vsyscall_vaddr(vaddr)) > + return false; > + It would have been convenient if we had a common check for whether a particular address is a kernel address or not. fault_in_kernel_space() serves that purpose to an extent in other places. I thought we could rename fault_in_kernel_space() to vaddr_in_kernel_space() and use it here. But the check in copy_from_kernel_nofault_allowed() includes the user guard page as well. So the checks wouldn't exactly be the same. I am unsure of the implications if we get rid of that difference. Maybe we can leave it as-is for now unless someone else chimes in. Sohil
