| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aSgnlmQi_UPsugNU@willie-the-truck>
Date: Thu, 27 Nov 2025 10:27:34 +0000
From: Will Deacon <will@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Zizhi Wo <wozizhi@...weicloud.com>,
Russell King <linux@...linux.org.uk>,
Catalin Marinas <catalin.marinas@....com>, jack@...e.com,
brauner@...nel.org, hch@....de, akpm@...ux-foundation.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, linux-arm-kernel@...ts.infradead.org,
yangerkun@...wei.com, wangkefeng.wang@...wei.com,
pangliyuan1@...wei.com, xieyuanbin1@...wei.com
Subject: Re: [Bug report] hash_name() may cross page boundary and trigger
sleep in RCU context
On Wed, Nov 26, 2025 at 01:12:38PM -0800, Linus Torvalds wrote:
> On Wed, 26 Nov 2025 at 02:27, Zizhi Wo <wozizhi@...weicloud.com> wrote:
> >
> > 在 2025/11/26 17:05, Zizhi Wo 写道:
> > > We're running into the following issue on an ARM32 platform with the linux
> > > 5.10 kernel:
> > >
> > > During the execution of hash_name()->load_unaligned_zeropad(), a potential
> > > memory access beyond the PAGE boundary may occur.
>
> That is correct.
>
> However:
>
> > > This triggers a page fault,
> > > which leads to a call to do_page_fault()->mmap_read_trylock().
>
> That should *not* happen. For kernel addresses, mmap_read_trylock()
> should never trigger, much less the full mmap_read_lock().
>
> See for example the x86 fault handling in handle_page_fault():
>
> if (unlikely(fault_in_kernel_space(address))) {
> do_kern_addr_fault(regs, error_code, address);
>
> and the kernel address case never triggers the mmap lock, because
> while faults on kernel addresses can happen for various reasons, they
> are never memory mappings.
>
> I'm seeing similar logic in the arm tree, although the check is
> different. do_translation_fault() checks for TASK_SIZE.
>
> if (addr < TASK_SIZE)
> return do_page_fault(addr, fsr, regs);
>
> but it appears that there are paths to do_page_fault() that do not
> have this check, ie that do_DataAbort() function does
>
> if (!inf->fn(addr, fsr & ~FSR_LNX_PF, regs))
> return;
>
>
> and It's not immediately obvious, but that can call do_page_fault()
> too though the fsr_info[] and ifsr_info[] arrays in
> arch/arm/mm/fsr-2level.c.
>
> The arm64 case looks like it might have similar issues, but while I'm
> more familiar with arm than I _used_ to be, I do not know the
> low-level exception handling code at all, so I'm just adding Russell,
> Catalin and Will to the participants.
>
> Catalin, Will - the arm64 case uses
>
> if (is_ttbr0_addr(addr))
> return do_page_fault(far, esr, regs);
>
> instead, but like the 32-bit code that is only triggered for
> do_translation_fault(). That may all be ok, because the other cases
> seem to be "there is a TLB entry, but we lack privileges", so maybe
> will never trigger for a kernel access to a kernel area because they
> either do not exist, or we have permissions?
Right, I think the access flag / permission fault case will end up
trying to resolve the VMA for a kernel address but I can't think why
we'd ever run into one of those faults for load_unaligned_zeropad().
Valid kernel mappings are always young (AF set) and, although we can
muck around with permissions, valid mappings are always readable.
Will
Powered by blists - more mailing lists