Re: Bug: Write fault blocked by KUAP! (kernel 6.2-rc6, Talos II)
From: Benjamin Gray <hidden>
Date: 2023-02-03 02:04:08
On Fri, 2023-02-03 at 00:46 +0100, Erhard F. wrote:
> Happened during boot:
>
> [...]
> Creating 6 MTD partitions on "flash@0":
> 0x000000000000-0x000004000000 : "PNOR"
> 0x000001b21000-0x000003921000 : "BOOTKERNEL"
> 0x000003a44000-0x000003a68000 : "CAPP"
> 0x000003a88000-0x000003a89000 : "VERSION"
> 0x000003a89000-0x000003ac9000 : "IMA_CATALOG"
> 0x000003e10000-0x000004000000 : "BOOTKERNFW"
> BTRFS info: devid 1 device path /dev/root changed to /dev/nvme0n1p3 scanned by systemd-udevd (387)
> Kernel attempted to write user page (aa55c280000) - exploit attempt? (uid: 0)
> ------------[ cut here ]------------
> Bug: Write fault blocked by KUAP!
> WARNING: CPU: 11 PID: 404 at arch/powerpc/mm/fault.c:228 ___do_page_fault+0x794/0x920
> Modules linked in: drm_ttm_helper ttm drm_display_helper ofpart ghash_generic(+) drm_kms_helper vmx_crypto(+) powernv_flash ibmpowernv gf128mul syscopyarea sysfillrect hwmon mtd at24(+) sysimgblt usb_common regmap_i2c opal_prd pkcs8_key_parser zram zsmalloc powernv_cpufreq drm fuse drm_panel_orientation_quirks backlight configfs
> CPU: 11 PID: 404 Comm: systemd-udevd Tainted: G T 6.2.0-rc6-P9 #2
> Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
> NIP: c0000000000579c4 LR: c0000000000579c0 CTR: 0000000000000000
> REGS: c000000023b57280 TRAP: 0700 Tainted: G T (6.2.0-rc6-P9)
> MSR: 9000000000029032 <SF,HV,EE,ME,IR,DR,RI> CR: 44242242 XER: 00000000
> CFAR: c0000000000b6d54 IRQMASK: 3
> GPR00: 0000000000000000 c000000023b57520 c000000000e7cc00 0000000000000000
> GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> GPR12: 0000000000000000 c0000007fbfdcf00 aaaaaaaaaaaaaaab c00800000ce2ed98
> GPR16: c00800000ce44d00 c00800000ce33fd8 c00800000bd97d08 c00800000bd29c80
> GPR20: c00800000bd97e48 c00800000bd98f48 000000000002dd98 c000000023545500
> GPR24: 00000aa55c27fffc 00000aa55c27f000 0000000002000000 c000000023545500
> GPR28: 0000000000000300 c000000000d80470 00000aa55c280000 c000000023b57630
> NIP [c0000000000579c4] ___do_page_fault+0x794/0x920
> LR [c0000000000579c0] ___do_page_fault+0x790/0x920
> Call Trace:
> [c000000023b57520] [c0000000000579c0] ___do_page_fault+0x790/0x920 (unreliable)
> [c000000023b575d0] [c000000000057bac] do_page_fault+0x5c/0x170
> [c000000023b57600] [c0000000000088d8] data_access_common_virt+0x198/0x1f0
> --- interrupt: 300 at __patch_instruction+0x50/0x70
> NIP: c000000000064670 LR: c000000000064c2c CTR: c000000000048ee0
> REGS: c000000023b57630 TRAP: 0300 Tainted: G T (6.2.0-rc6-P9)
> MSR: 900000000280b032 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI> CR: 24222244 XER: 00000000
> CFAR: c00000000006462c DAR: 00000aa55c280000 DSISR: 42000000 IRQMASK: 1
> GPR00: 0000000000000000 c000000023b578d0 c000000000e7cc00 c00800000ce33ffc
> GPR04: 041ae13000000000 00000aa55c27fffc 0000000000000000 0000000000000000
> GPR08: 0000000000000000 00000000041ae130 0000000000000001 0000000000000000
> GPR12: 0000000000000000 c0000007fbfdcf00 aaaaaaaaaaaaaaab c00800000ce2ed98
> GPR16: c00800000ce44d00 c00800000ce33fd8 c00800000bd97d08 c00800000bd29c80
> GPR20: c00800000bd97e48 c00800000bd98f48 000000000002dd98 c000000023545500
> GPR24: 00000aa55c27fffc 00000aa55c27f000 041ae13000000000 c0000000012e1400
> GPR28: 0000000000000000 c00800000ce33ffc c000000004a813f8 00000000000251bd
> NIP [c000000000064670] __patch_instruction+0x50/0x70
> LR [c000000000064c2c] patch_instruction+0x13c/0x280
> --- interrupt: 300
> [c000000023b578d0] [c000000000064bd8] patch_instruction+0xe8/0x280 (unreliable)
> [c000000023b57950] [c000000000049314] apply_relocate_add+0x9f4/0xb50
> [c000000023b57a70] [c000000000172cbc] load_module+0x20fc/0x2a00
> [c000000023b57c00] [c0000000001738c8] __do_sys_finit_module+0xc8/0x180
> [c000000023b57ce0] [c00000000002ae90] system_call_exception+0x130/0x2d0
> [c000000023b57e50] [c00000000000c070] system_call_vectored_common+0xf0/0x280
> --- interrupt: 3000 at 0x3fffa31d5a28
> NIP: 00003fffa31d5a28 LR: 0000000000000000 CTR: 0000000000000000
> REGS: c000000023b57e80 TRAP: 3000 Tainted: G T (6.2.0-rc6-P9)
> MSR: 900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 48222244 XER: 00000000
> IRQMASK: 0
> GPR00: 0000000000000161 00003ffff9bf99f0 00003fffa32d7200 000000000000000d
> GPR04: 00003fffa3375029 0000000000000000 000000000000000d 0000000000000000
> GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> GPR12: 0000000000000000 00003fffa379c7e0 0000000000000000 000000012cb4a805
> GPR16: 0000000040000000 0000000020000000 000000012cb4bcc9 00003fffa366da07
> GPR20: 0000000000000000 000000015a588320 0000000020000000 0000000000000000
> GPR24: 0000000020000000 0000000000000000 0000000000000000 000000015a561eb0
> GPR28: 00003fffa3375029 0000000000020000 0000000000000000 000000015a58cc20
> NIP [00003fffa31d5a28] 0x3fffa31d5a28
> LR [0000000000000000] 0x0
> --- interrupt: 3000
> Code: e87f0100 48094161 60000000 2c230000 4182fefc 418e00b8 3c82ffee 388442a8 3c62ffee 38634398 4805f315 60000000 <0fe00000> fb210078 60000000 e93d0650
> ---[ end trace 0000000000000000 ]---
> BTRFS: device label g5_sta devid 1 transid 55729 /dev/nvme0n1p5 scanned by systemd-udevd (467)
> BTRFS: device label g4_musl devid 1 transid 64188 /dev/nvme0n1p8 scanned by systemd-udevd (425)
> BTRFS: device label aux_p9 devid 1 transid 155143 /dev/nvme0n1p9 scanned by systemd-udevd (472)
> BTRFS: device label g5_musl devid 1 transid 71824 /dev/nvme0n1p6 scanned by systemd-udevd (402)
> [...]
>
> Regards,
> Erhard
Do you have a QEMU command to boot this? I tried with
qemu-system-ppc64 --nographic --vga none --kernel ./vmlinux
But it crashes immediately on booting the kernel (same using KVM on
Power9).
I was concerned this might be caused by the new temporary mm context
for code patching, which does use userspace addresses for the patching,
but it should have failed much earlier if it was that simple. There's a
lot of patching that goes on before starting userspace.
FWIW, I see the config has the experimental
CONFIG_PPC64_BIG_ENDIAN_ELF_ABI_V2 set.