| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251203014800.4988-1-xieyuanbin1@huawei.com>
Date: Wed, 3 Dec 2025 09:48:00 +0800
From: Xie Yuanbin <xieyuanbin1@...wei.com>
To: <torvalds@...ux-foundation.org>, <linux@...linux.org.uk>
CC: <akpm@...ux-foundation.org>, <brauner@...nel.org>,
<catalin.marinas@....com>, <hch@....de>, <jack@...e.com>,
<linux-arm-kernel@...ts.infradead.org>, <linux-fsdevel@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <linux-mm@...ck.org>,
<pangliyuan1@...wei.com>, <wangkefeng.wang@...wei.com>, <will@...nel.org>,
<wozizhi@...weicloud.com>, <xieyuanbin1@...wei.com>, <yangerkun@...wei.com>
Subject: [Bug report] hash_name() may cross page boundary and trigger sleep in RCU context
On Tue, 2 Dec 2025 14:07:25 -0800, Linus Torvalds wrote:
> On Tue, 2 Dec 2025 at 04:43, Russell King (Oracle)
> <linux@...linux.org.uk> wrote:
>>
>> What I'm thinking is to address both of these by handling kernel space
>> page faults (which will be permission or PTE-not-present) separately
>> (not even build tested):
>
> That patch looks sane to me.
>
> But I also didn't build test it, just scanned it visually ;)
That patch removes harden_branch_predictor() from __do_user_fault(), and
moves it to do_page_fault()->do_kernel_address_page_fault().
This resolves previously mentioned kernel warning issue. However,
__do_user_fault() is not only called by do_page_fault(), it is
alse called by do_bad_area(), do_sect_fault() and do_translation_fault().
So I think that some harden_branch_predictor() is missing on other paths.
According to my tests, when CONFIG_ARM_LPAE=n, harden_branch_predictor()
will never be called anymore, even if a user program trys to access the
kernel address.
Or perhaps I've misunderstood something, could you please point it out?
Thank you very much.
What about something like this (The patch has been tested):
```patch
diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 2bc828a1940c..af86198631c5 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -183,9 +183,11 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig,
{
struct task_struct *tsk = current;
- if (addr > TASK_SIZE)
+ if (addr >= TASK_SIZE)
harden_branch_predictor();
+ local_irq_enable();
+
#ifdef CONFIG_DEBUG_USER
if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) ||
((user_debug & UDBG_BUS) && (sig == SIGBUS))) {
@@ -272,6 +274,24 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
if (kprobe_page_fault(regs, fsr))
return 0;
+ if (unlikely(addr >= TASK_SIZE)) {
+ /*
+ * Fault from user mode for a kernel space address. User mode
+ * should not be faulting in kernel space, which includes the
+ * vector/khelper page. Handle the Spectre issues while
+ * interrupts are still disabled, then send a SIGSEGV. Note
+ * that __do_user_fault() will enable interrupts.
+ *
+ * Fault from kernel mode. Jump to __do_kernel_fault()->
+ * fixup_exception() directly, without getting mm lock and
+ * finding vma. The interrupts are not enabled but it will be
+ * good, just like what do_translation_fault() and
+ * do_bad_area() does.
+ */
+ fault = 0;
+ code = SEGV_MAPERR;
+ goto bad_area;
+ }
/* Enable interrupts if they were enabled in the parent context. */
if (interrupts_enabled(regs))
```
Thanks very much!
Powered by blists - more mailing lists