On Wed, Mar 20, 2024 at 10:57:53AM +0800, xingwei lee wrote:
>
>   syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul);
>   res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul);
>   if (res != -1)
>     r[1] = res;
>   res = syscall(__NR_memfd_secret, /*flags=*/0ul);
>   if (res != -1)
>     r[2] = res;

So this is the key to the issue.  The whole point of memfd_secret is to
make the pages inaccessible to the kernel.  The issue is those pages
are then gifted to the kernel through sendmsg.

Somewhere along the line someone is supposed to throw up an error
about this, or map the pages properly.  I guess neither happened,
which is why we end up with a page fault.

I'll cc the memfd_secret authors to see what should catch this.

>   syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul,
>           /*prot=*/0x2000003ul, /*flags=*/0x28011ul, /*fd=*/r[2],
>           /*offset=*/0ul);
>   syscall(__NR_ftruncate, /*fd=*/r[2], /*len=*/0xde99ul);
>   *(uint64_t*)0x20000180 = 0;
>   *(uint32_t*)0x20000188 = 0;
>   *(uint64_t*)0x20000190 = 0x20000140;
>   *(uint64_t*)0x20000140 = 0x20000080;
>   *(uint64_t*)0x20000148 = 0xb0;
>   *(uint64_t*)0x20000198 = 1;
>   *(uint64_t*)0x200001a0 = 0;
>   *(uint64_t*)0x200001a8 = 0;
>   *(uint32_t*)0x200001b0 = 0;
>   syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000180ul,
>           /*f=*/0x47933e2b0522cf63ul);

This is the spot where the memfd_secret pages are given to the kernel
for processing through sendmsg.

Thanks,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt