| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHk-=wjA20ear0hDOvUS7g5-A=YAUifphcf-iFJ1pach0=3ubw@mail.gmail.com>
Date: Fri, 28 Nov 2025 17:35:37 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Zizhi Wo <wozizhi@...weicloud.com>
Cc: "Russell King (Oracle)" <linux@...linux.org.uk>, Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>, jack@...e.com, brauner@...nel.org, hch@....de,
akpm@...ux-foundation.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-mm@...ck.org,
linux-arm-kernel@...ts.infradead.org, yangerkun@...wei.com,
wangkefeng.wang@...wei.com, pangliyuan1@...wei.com, xieyuanbin1@...wei.com,
Al Viro <viro@...iv.linux.org.uk>
Subject: Re: [Bug report] hash_name() may cross page boundary and trigger
sleep in RCU context
On Fri, 28 Nov 2025 at 17:01, Zizhi Wo <wozizhi@...weicloud.com> wrote:
>
> Thank you for your answer. In fact, this solution is similar to the one
> provided by Al.
Hmm. I'm not seeing the replies from Al for some reason. Maybe he didn't cc me.
> It has an additional check to determine reg:
>
> if (unlikely(addr > TASK_SIZE) && !user_mode(regs))
> goto no_context;
>
> I'd like to ask if this "regs" examination also needs to be brought
> along?
That seems unnecessary.
Yes, in this case the original problem you reported with sleeping in
an RCU region was triggered by a kernel access, and a user-space
access would never have caused any such issues.
So checking for !user_mode(regs) isn't exactly *wrong*.
But while it isn't wrong, I think it's also kind of pointless.
Because regardless of whether it's a kernel or user space access, an
access outside TASK_SIZE shouldn't be associated with a valid user
space context, so the code might as well just go to the "no_context"
label directly.
That said, somebody should definitely double-check me - because I
think arm also did the vdso trick at high addresses that i386 used to
do, so there is the fake VDSO thing up there.
But if you get a page fault on that, it's not going to be fixed up, so
even if user space can access it, there's no point in looking that
fake vm area up for page faults.
I think.
> I'm even thinking if we directly have the corresponding processing
> replaced by do_translation_fault(), is that also correct?
>
> ```
> - { do_page_fault, SIGSEGV, SEGV_MAPERR, "page
> translation fault" },
> + { do_translation_fault, SIGSEGV, SEGV_MAPERR, "page
> translation fault" },
I think that might break kprobes.
Looking around, I think my patch might also be a bit broken: I think
it might be better to move it further down to below the check for
FSR_LNX_PF.
But somebody who knows the exact arm page fault handling better than
me should verify both that and my VDSO gate page thinking.
Linus
Powered by blists - more mailing lists