Bug: Write fault blocked by KUAP! (kernel 6.2-rc6, Talos II)

Benjamin Gray bgray at linux.ibm.com
Fri Feb 3 13:02:59 AEDT 2023


On Fri, 2023-02-03 at 00:46 +0100, Erhard F. wrote:
> Happened during boot:
> 
> [...]
> Creating 6 MTD partitions on "flash at 0":
> 0x000000000000-0x000004000000 : "PNOR"
> 0x000001b21000-0x000003921000 : "BOOTKERNEL"
> 0x000003a44000-0x000003a68000 : "CAPP"
> 0x000003a88000-0x000003a89000 : "VERSION"
> 0x000003a89000-0x000003ac9000 : "IMA_CATALOG"
> 0x000003e10000-0x000004000000 : "BOOTKERNFW"
> BTRFS info: devid 1 device path /dev/root changed to /dev/nvme0n1p3
> scanned by systemd-udevd (387)
> Kernel attempted to write user page (aa55c280000) - exploit attempt?
> (uid: 0)
> ------------[ cut here ]------------
> Bug: Write fault blocked by KUAP!
> WARNING: CPU: 11 PID: 404 at arch/powerpc/mm/fault.c:228
> ___do_page_fault+0x794/0x920
> Modules linked in: drm_ttm_helper ttm drm_display_helper ofpart
> ghash_generic(+) drm_kms_helper vmx_crypto(+) powernv_flash
> ibmpowernv gf128mul syscopyarea sysfillrect hwmon mtd at24(+)
> sysimgblt usb_common regmap_i2c opal_prd pkcs8_key_parser zram
> zsmalloc powernv_cpufreq drm fuse drm_panel_orientation_quirks
> backlight configfs
> CPU: 11 PID: 404 Comm: systemd-udevd Tainted: G                T 
> 6.2.0-rc6-P9 #2
> Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0
> PowerNV
> NIP:  c0000000000579c4 LR: c0000000000579c0 CTR: 0000000000000000
> REGS: c000000023b57280 TRAP: 0700   Tainted: G                T  
> (6.2.0-rc6-P9)
> MSR:  9000000000029032 <SF,HV,EE,ME,IR,DR,RI>  CR: 44242242  XER:
> 00000000
> CFAR: c0000000000b6d54 IRQMASK: 3 
> GPR00: 0000000000000000 c000000023b57520 c000000000e7cc00
> 0000000000000000 
> GPR04: 0000000000000000 0000000000000000 0000000000000000
> 0000000000000000 
> GPR08: 0000000000000000 0000000000000000 0000000000000000
> 0000000000000000 
> GPR12: 0000000000000000 c0000007fbfdcf00 aaaaaaaaaaaaaaab
> c00800000ce2ed98 
> GPR16: c00800000ce44d00 c00800000ce33fd8 c00800000bd97d08
> c00800000bd29c80 
> GPR20: c00800000bd97e48 c00800000bd98f48 000000000002dd98
> c000000023545500 
> GPR24: 00000aa55c27fffc 00000aa55c27f000 0000000002000000
> c000000023545500 
> GPR28: 0000000000000300 c000000000d80470 00000aa55c280000
> c000000023b57630 
> NIP [c0000000000579c4] ___do_page_fault+0x794/0x920
> LR [c0000000000579c0] ___do_page_fault+0x790/0x920
> Call Trace:
> [c000000023b57520] [c0000000000579c0] ___do_page_fault+0x790/0x920
> (unreliable)
> [c000000023b575d0] [c000000000057bac] do_page_fault+0x5c/0x170
> [c000000023b57600] [c0000000000088d8]
> data_access_common_virt+0x198/0x1f0
> --- interrupt: 300 at __patch_instruction+0x50/0x70
> NIP:  c000000000064670 LR: c000000000064c2c CTR: c000000000048ee0
> REGS: c000000023b57630 TRAP: 0300   Tainted: G                T  
> (6.2.0-rc6-P9)
> MSR:  900000000280b032 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI>  CR:
> 24222244  XER: 00000000
> CFAR: c00000000006462c DAR: 00000aa55c280000 DSISR: 42000000 IRQMASK:
> 1 
> GPR00: 0000000000000000 c000000023b578d0 c000000000e7cc00
> c00800000ce33ffc 
> GPR04: 041ae13000000000 00000aa55c27fffc 0000000000000000
> 0000000000000000 
> GPR08: 0000000000000000 00000000041ae130 0000000000000001
> 0000000000000000 
> GPR12: 0000000000000000 c0000007fbfdcf00 aaaaaaaaaaaaaaab
> c00800000ce2ed98 
> GPR16: c00800000ce44d00 c00800000ce33fd8 c00800000bd97d08
> c00800000bd29c80 
> GPR20: c00800000bd97e48 c00800000bd98f48 000000000002dd98
> c000000023545500 
> GPR24: 00000aa55c27fffc 00000aa55c27f000 041ae13000000000
> c0000000012e1400 
> GPR28: 0000000000000000 c00800000ce33ffc c000000004a813f8
> 00000000000251bd 
> NIP [c000000000064670] __patch_instruction+0x50/0x70
> LR [c000000000064c2c] patch_instruction+0x13c/0x280
> --- interrupt: 300
> [c000000023b578d0] [c000000000064bd8] patch_instruction+0xe8/0x280
> (unreliable)
> [c000000023b57950] [c000000000049314] apply_relocate_add+0x9f4/0xb50
> [c000000023b57a70] [c000000000172cbc] load_module+0x20fc/0x2a00
> [c000000023b57c00] [c0000000001738c8]
> __do_sys_finit_module+0xc8/0x180
> [c000000023b57ce0] [c00000000002ae90]
> system_call_exception+0x130/0x2d0
> [c000000023b57e50] [c00000000000c070]
> system_call_vectored_common+0xf0/0x280
> --- interrupt: 3000 at 0x3fffa31d5a28
> NIP:  00003fffa31d5a28 LR: 0000000000000000 CTR: 0000000000000000
> REGS: c000000023b57e80 TRAP: 3000   Tainted: G                T  
> (6.2.0-rc6-P9)
> MSR:  900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI>  CR:
> 48222244  XER: 00000000
> IRQMASK: 0 
> GPR00: 0000000000000161 00003ffff9bf99f0 00003fffa32d7200
> 000000000000000d 
> GPR04: 00003fffa3375029 0000000000000000 000000000000000d
> 0000000000000000 
> GPR08: 0000000000000000 0000000000000000 0000000000000000
> 0000000000000000 
> GPR12: 0000000000000000 00003fffa379c7e0 0000000000000000
> 000000012cb4a805 
> GPR16: 0000000040000000 0000000020000000 000000012cb4bcc9
> 00003fffa366da07 
> GPR20: 0000000000000000 000000015a588320 0000000020000000
> 0000000000000000 
> GPR24: 0000000020000000 0000000000000000 0000000000000000
> 000000015a561eb0 
> GPR28: 00003fffa3375029 0000000000020000 0000000000000000
> 000000015a58cc20 
> NIP [00003fffa31d5a28] 0x3fffa31d5a28
> LR [0000000000000000] 0x0
> --- interrupt: 3000
> Code: e87f0100 48094161 60000000 2c230000 4182fefc 418e00b8 3c82ffee
> 388442a8 3c62ffee 38634398 4805f315 60000000 <0fe00000> fb210078
> 60000000 e93d0650 
> ---[ end trace 0000000000000000 ]---
> BTRFS: device label g5_sta devid 1 transid 55729 /dev/nvme0n1p5
> scanned by systemd-udevd (467)
> BTRFS: device label g4_musl devid 1 transid 64188 /dev/nvme0n1p8
> scanned by systemd-udevd (425)
> BTRFS: device label aux_p9 devid 1 transid 155143 /dev/nvme0n1p9
> scanned by systemd-udevd (472)
> BTRFS: device label g5_musl devid 1 transid 71824 /dev/nvme0n1p6
> scanned by systemd-udevd (402)
> [...]
> 
> Regards,
> Erhard

Do you have a QEMU command to boot this? I tried with
    qemu-system-ppc64 --nographic --vga none --kernel ./vmlinux

But it crashes immediately on booting the kernel (same using KVM on
Power9).

I was concerned this might be caused by the new temporary mm context
for code patching, which does use userspace addresses for the patching,
but it should have failed much earlier if it was that simple. There's a
lot of patching that goes on before starting userspace.

FWIW, I see the config has the experimental
CONFIG_PPC64_BIG_ENDIAN_ELF_ABI_V2 set.
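As a triage aid for the trace quoted above (an added example, not code from this thread or the kernel): it pulls the DAR, DSISR and the in-kernel call chain out of a powerpc oops and classifies the faulting address, which is how one confirms that the store KUAP blocked really targeted a user address. The embedded excerpt is constructed from the report, trimmed and unwrapped; it assumes the standard 64-bit Book3S layout (kernel mappings at or above 0xc000000000000000) and the usual DSISR bit definitions.

```python
import re

# Constructed excerpt of the report's oops, cut down to the lines the parser reads
# (the mail client wraps long lines in the original; the parser expects one line per entry).
OOPS = """\
Kernel attempted to write user page (aa55c280000) - exploit attempt? (uid: 0)
Bug: Write fault blocked by KUAP!
--- interrupt: 300 at __patch_instruction+0x50/0x70
CFAR: c00000000006462c DAR: 00000aa55c280000 DSISR: 42000000 IRQMASK: 1
[c000000023b578d0] [c000000000064bd8] patch_instruction+0xe8/0x280 (unreliable)
[c000000023b57950] [c000000000049314] apply_relocate_add+0x9f4/0xb50
[c000000023b57a70] [c000000000172cbc] load_module+0x20fc/0x2a00
--- interrupt: 300
"""

PAGE_OFFSET = 0xC000000000000000   # assumption: start of the kernel linear map on 64-bit Book3S
DSISR_NOHPTE = 0x40000000          # no translation found for the address
DSISR_PROTFAULT = 0x08000000       # access violated the page protection
DSISR_ISSTORE = 0x02000000         # the faulting access was a store

def is_user_address(addr):
    """Anything below PAGE_OFFSET is not a kernel mapping, so KUAP refuses the access."""
    return addr < PAGE_OFFSET

def decode_dsisr(dsisr):
    """Decode the DSISR bits that matter for a data storage interrupt (0x300)."""
    return {
        "store": bool(dsisr & DSISR_ISSTORE),
        "no_translation": bool(dsisr & DSISR_NOHPTE),
        "protection": bool(dsisr & DSISR_PROTFAULT),
    }

def parse_oops(text):
    """Extract the fault address, its DSISR, the faulting site and the kernel frames."""
    dar = int(re.search(r"\bDAR:\s*([0-9a-f]+)", text).group(1), 16)
    dsisr = int(re.search(r"\bDSISR:\s*([0-9a-f]+)", text).group(1), 16)
    site = re.search(r"--- interrupt: [0-9a-f]+ at (\S+)", text).group(1)
    frames = re.findall(r"^\[[0-9a-f]+\] \[[0-9a-f]+\] ([^\s+]+)", text, re.M)
    return {
        "dar": dar,
        "user_fault": is_user_address(dar),
        "dsisr": decode_dsisr(dsisr),
        "fault_site": site,
        "frames": frames,
    }

if __name__ == "__main__":
    r = parse_oops(OOPS)
    print(f"fault at {r['fault_site']}: DAR={r['dar']:#x} user={r['user_fault']} {r['dsisr']}")
    print(" <- ".join(r["frames"]))
```

For the trace in this report it resolves to a store to 0xaa55c280000 with no translation present, issued from __patch_instruction while apply_relocate_add was relocating a module.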