[kernel] riscv/mm: Found insecure W+X mapping at address

[pdp7]

Roman Shaposhnik (@rvs) reported in Slack:

this actually happens reliably on boot: (edited)

[   13.616195] ------------[ cut here ]------------
[   13.647751] riscv/mm: Found insecure W+X mapping at address (____ptrval____)/0xffffffdff8000000
[   13.683507] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/ptdump.c:231 note_page+0x24c/0x252
[   13.718483] Modules linked in:
[   13.748632] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.10.6+ #26

@davidlt commented:

riscv/mm: Found insecure W+X mapping at address (____ptrval___)/0xffffffdff8000000 that is somewhat fine. It's one of CONFIG STRICT checks

[pdp7]

@MichaelZhuxx @tekkamanninja please take a look

[davidlt]

It's probably CONFIG_STRICT_KERNEL_RWX. It might have been fixed in v5.11. There are still some patch being posted just recently related to CONFIG_STRICT_KERNEL_RWX. If you wan that warning gone, disable this option for now.

[rvs]

@davidlt @pdp7 -- do you know if there are builds of 5.11 (or maybe even 5.12) available on the Fedora side some place? Or should I just bite the bullet and start building the kernels myself?

[pdp7]

I believe @esmil has rebased on 5.12
https://github.com/esmil/linux/tree/starlight

[rvs]

But I take it nobody re-packaged it as a nice rpm yet, correct @pdp7 ?

[esmil]

But I take it nobody re-packaged it as a nice rpm yet, correct @pdp7 ?

I just did this:

make -j8 ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- starfive_vic7100_evb_sd_net_fedora_defconfig
make -j8 ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- nconfig # to disable CONFIG_BCMDHD because I don't know where to find fw_bcmdhd.bin and nvram.txt
make -j8 ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- rpm-pkg

..and here is the output: https://esmil.dk/starlight

[tommythorn]

quick update: my comment is out of context. The fault in mmc is probably not related to the W+X issue. I was commenting on the former.

[pdp7]

quick update: my comment is out of context. The fault in mmc is probably not related to the W+X issue. I was commenting on the former.

Sorry about that, is it related to #26?

[tommythorn]

No worries, but yes, it applied to #26.

[rvs]

Posting it here since at this point I'm suspecting everything on this current board/kernel config, but:

# rpm -i kernel-5.12.0+-1.riscv64.rpm
	package kernel-5.12.0+-1.riscv64 does not verify: Payload SHA256 ALT digest: BAD (Expected 366ad49f3cff712aaded543b013e500ba29dc6382fbfbec5692c21d85ae780c0 != c7df60dcaeb08a58dc469753fa31f6aa47c640544c0310039bee441069c7be38)

And, of course, running this off the board doesn't find anything too crazy:

$ rpm -Kv kernel-5.12.0+-1.riscv64.rpm
kernel-5.12.0+-1.riscv64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK

[rvs]

Ok, this is officially crazy at this point -- I put the kernel on a USB stick and if I run md5sum on that file on the board and off the board the md5's differ :-(

[rvs]

And if anyone is curious -- it indeed appears that reading from USB on my board with a stock Fedora kernel produces random results:

[root@fedora-starfive ~]# mount /dev/sda2 /mnt
[root@fedora-starfive ~]# md5sum /mnt/kernel-5.12.0+-1.riscv64.rpm
fdfdba4264bf7a0343b355cf51559b9f  /mnt/kernel-5.12.0+-1.riscv64.rpm

AND if I plug it into a different USB socket:
[root@fedora-starfive ~]# mount /dev/sda2 /mnt
[root@fedora-starfive ~]# md5sum /mnt/kernel-5.12.0+-1.riscv64.rpm
cfa4ea2687344fbb2516637490fbb74b  /mnt/kernel-5.12.0+-1.riscv64.rpm

[rvs]

And here's some more fun with this:

[root@fedora-starfive ~]# cd /root
[root@fedora-starfive ~]# cp /mnt/kernel-5.12.0+-1.riscv64.rpm 1
[root@fedora-starfive ~]# cp /mnt/kernel-5.12.0+-1.riscv64.rpm 2
[root@fedora-starfive ~]# cmp 1 2
1 2 differ: byte 442264320, line 1690479

Welp, at least it copied quite a bit of bytes before garbage kicked in

[AlexGhiti]

The address 0xffffffdff8000000 indicates it is in the "BPF region" and taking a look at how we used to map BPF programs in 5.11 (https://elixir.bootlin.com/linux/v5.11.19/source/arch/riscv/net/bpf_jit_comp64.c#L1148 and PAGE_KERNEL_EXEC definition https://elixir.bootlin.com/linux/v5.11.19/source/arch/riscv/include/asm/pgtable.h#L103), this warning is legitimate: this has just been fixed by commit fc8504765ec5 ("riscv: bpf: Avoid breaking W^X") which landed in 5.13.

[pdp7]

And if anyone is curious -- it indeed appears that reading from USB on my board with a stock Fedora kernel produces random results:

[root@fedora-starfive ~]# mount /dev/sda2 /mnt
[root@fedora-starfive ~]# md5sum /mnt/kernel-5.12.0+-1.riscv64.rpm
fdfdba4264bf7a0343b355cf51559b9f  /mnt/kernel-5.12.0+-1.riscv64.rpm

AND if I plug it into a different USB socket:
[root@fedora-starfive ~]# mount /dev/sda2 /mnt
[root@fedora-starfive ~]# md5sum /mnt/kernel-5.12.0+-1.riscv64.rpm
cfa4ea2687344fbb2516637490fbb74b  /mnt/kernel-5.12.0+-1.riscv64.rpm

I have created a new issue in linux repo regarding USB disk corruption:
starfive-tech/linux#16

[pdp7]

FYI - @atishp04 pointed out that this patch should fix the problem:
http://lists.infradead.org/pipermail/linux-riscv/2021-May/006400.html

@esmil reported in slack that it does fix this warning

[tekkamanninja]

Great thanks for your info, we will test and add this in our kernel ASAP Drew Fustini ***@***.***> 于2021年5月17日周一 上午5:16写道：

…

FYI - @atishp04 <https://github.com/atishp04> pointed out that this patch should fix the problem: http://lists.infradead.org/pipermail/linux-riscv/2021-May/006400.html @esmil <https://github.com/esmil> reported in slack that it does fix this warning — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#27 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA63KK45TBB5OJAE6FCSH3TOAY4DANCNFSM432PGYMA> .

[pdp7]

@tekkamanninja thanks, once you pull it into the fedora kernel branch, I think this can be closed