| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHk-=wh+cFLLi2x6u61pvL07phSyHPVBTo9Lac2uuqK4eRG_=w@mail.gmail.com>
Date: Fri, 28 Nov 2025 09:06:50 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: "Russell King (Oracle)" <linux@...linux.org.uk>
Cc: Zizhi Wo <wozizhi@...weicloud.com>, Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>, jack@...e.com, brauner@...nel.org, hch@....de,
akpm@...ux-foundation.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-mm@...ck.org,
linux-arm-kernel@...ts.infradead.org, yangerkun@...wei.com,
wangkefeng.wang@...wei.com, pangliyuan1@...wei.com, xieyuanbin1@...wei.com
Subject: Re: [Bug report] hash_name() may cross page boundary and trigger
sleep in RCU context
On Thu, 27 Nov 2025 at 02:58, Russell King (Oracle)
<linux@...linux.org.uk> wrote:
>
> Ha!
>
> As said elsewhere, it looks like 32-bit ARM has been missing updates to
> the fault handler since pre-git history - this was modelled in the dim
> and distant i386 handling, and it just hasn't kept up.
I actually have this dim memory of having seen something along these
lines before, and I just had never realized how it could happen,
because that call to do_page_fault() in do_translation_fault()
visually *looks* like the only call-site, and so that
if (addr < TASK_SIZE)
return do_page_fault(addr, fsr, regs);
looks like it does everything correctly. That "do_page_fault()"
function is static to the arch/arm/mm/fault.c file, and that's the
only place that appears to call it.
The operative word being "appears".
Becuse I had never before realized that that fault.c then also does that
#include "fsr-2level.c"
and then that do_page_fault() function is exposed through those
fsr_info[] operation arrays.
Anyway, I don't think that the ARM fault handling is all *that* bad.
Sure, it might be worth double-checking, but it *has* been converted
to the generic accounting helpers a few years ago and to the stack
growing fixes.
I think the fix here may be as simple as this trivial patch:
diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 2bc828a1940c..27024ec2d46d 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -277,6 +277,10 @@ do_page_fault(unsigned long addr, ...
if (interrupts_enabled(regs))
local_irq_enable();
+ /* non-user address faults never have context */
+ if (addr >= TASK_SIZE)
+ goto no_context;
+
/*
* If we're in an interrupt or have no user
* context, we must not take the fault..
but I really haven't thought much about it.
> I'm debating whether an entire rewrite would be appropriate
I don't think it's necessarily all that big of a deal. Yeah, this is
old code, and yeah, it could probably be cleaned up a bit, but at the
same time, "old and crusty" also means "fairly well tested". This
whole fault on a kernel address is a fairly unusual case, and as
mentioned, I *think* the above fix is sufficient.
Zizhi Wo - can you confirm that that patch (whitespace-damaged, but
simple enough to just do manually) fixes things for your test-case?
Linus
Powered by blists - more mailing lists