* [PATCH] arm64: fault: Route pte translation faults via do_translation_fault
@ 2017-09-29 11:27 ` Will Deacon
0 siblings, 0 replies; 4+ messages in thread
From: Will Deacon @ 2017-09-29 11:27 UTC (permalink / raw)
To: catalin.marinas; +Cc: linux-arm-kernel, Will Deacon, stable
We currently route pte translation faults via do_page_fault, which elides
the address check against TASK_SIZE before invoking the mm fault handling
code. However, this can cause issues with the path walking code in
conjunction with our word-at-a-time implementation because
load_unaligned_zeropad can end up faulting in kernel space if it reads
across a page boundary and runs into a page fault (e.g. by attempting to
read from a guard region).
In the case of such a fault, load_unaligned_zeropad has registered a
fixup to shift the valid data and pad with zeroes, however the abort is
reported as a level 3 translation fault and we dispatch it straight to
do_page_fault, despite it being a kernel address. This results in calling
a sleeping function from atomic context:
BUG: sleeping function called from invalid context at arch/arm64/mm/fault.c:313
in_atomic(): 0, irqs_disabled(): 0, pid: 10290
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[...]
[<ffffff8e016cd0cc>] ___might_sleep+0x134/0x144
[<ffffff8e016cd158>] __might_sleep+0x7c/0x8c
[<ffffff8e016977f0>] do_page_fault+0x140/0x330
[<ffffff8e01681328>] do_mem_abort+0x54/0xb0
Exception stack(0xfffffffb20247a70 to 0xfffffffb20247ba0)
[...]
[<ffffff8e016844fc>] el1_da+0x18/0x78
[<ffffff8e017f399c>] path_parentat+0x44/0x88
[<ffffff8e017f4c9c>] filename_parentat+0x5c/0xd8
[<ffffff8e017f5044>] filename_create+0x4c/0x128
[<ffffff8e017f59e4>] SyS_mkdirat+0x50/0xc8
[<ffffff8e01684e30>] el0_svc_naked+0x24/0x28
Code: 36380080 d5384100 f9400800 9402566d (d4210000)
---[ end trace 2d01889f2bca9b9f ]---
Fix this by dispatching all translation faults to do_translation_faults,
which avoids invoking the page fault logic for faults on kernel addresses.
Cc: <stable@vger.kernel.org>
Reported-by: Ankit Jain <ankijain@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
---
arch/arm64/mm/fault.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 89993c4be1be..2069e9bc0fca 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -651,7 +651,7 @@ static const struct fault_info fault_info[] = {
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 0 translation fault" },
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 1 translation fault" },
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 2 translation fault" },
- { do_page_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" },
+ { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" },
{ do_bad, SIGBUS, 0, "unknown 8" },
{ do_page_fault, SIGSEGV, SEGV_ACCERR, "level 1 access flag fault" },
{ do_page_fault, SIGSEGV, SEGV_ACCERR, "level 2 access flag fault" },
--
2.1.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH] arm64: fault: Route pte translation faults via do_translation_fault
@ 2017-09-29 11:27 ` Will Deacon
0 siblings, 0 replies; 4+ messages in thread
From: Will Deacon @ 2017-09-29 11:27 UTC (permalink / raw)
To: linux-arm-kernel
We currently route pte translation faults via do_page_fault, which elides
the address check against TASK_SIZE before invoking the mm fault handling
code. However, this can cause issues with the path walking code in
conjunction with our word-at-a-time implementation because
load_unaligned_zeropad can end up faulting in kernel space if it reads
across a page boundary and runs into a page fault (e.g. by attempting to
read from a guard region).
In the case of such a fault, load_unaligned_zeropad has registered a
fixup to shift the valid data and pad with zeroes, however the abort is
reported as a level 3 translation fault and we dispatch it straight to
do_page_fault, despite it being a kernel address. This results in calling
a sleeping function from atomic context:
BUG: sleeping function called from invalid context at arch/arm64/mm/fault.c:313
in_atomic(): 0, irqs_disabled(): 0, pid: 10290
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[...]
[<ffffff8e016cd0cc>] ___might_sleep+0x134/0x144
[<ffffff8e016cd158>] __might_sleep+0x7c/0x8c
[<ffffff8e016977f0>] do_page_fault+0x140/0x330
[<ffffff8e01681328>] do_mem_abort+0x54/0xb0
Exception stack(0xfffffffb20247a70 to 0xfffffffb20247ba0)
[...]
[<ffffff8e016844fc>] el1_da+0x18/0x78
[<ffffff8e017f399c>] path_parentat+0x44/0x88
[<ffffff8e017f4c9c>] filename_parentat+0x5c/0xd8
[<ffffff8e017f5044>] filename_create+0x4c/0x128
[<ffffff8e017f59e4>] SyS_mkdirat+0x50/0xc8
[<ffffff8e01684e30>] el0_svc_naked+0x24/0x28
Code: 36380080 d5384100 f9400800 9402566d (d4210000)
---[ end trace 2d01889f2bca9b9f ]---
Fix this by dispatching all translation faults to do_translation_faults,
which avoids invoking the page fault logic for faults on kernel addresses.
Cc: <stable@vger.kernel.org>
Reported-by: Ankit Jain <ankijain@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
---
arch/arm64/mm/fault.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 89993c4be1be..2069e9bc0fca 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -651,7 +651,7 @@ static const struct fault_info fault_info[] = {
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 0 translation fault" },
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 1 translation fault" },
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 2 translation fault" },
- { do_page_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" },
+ { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation fault" },
{ do_bad, SIGBUS, 0, "unknown 8" },
{ do_page_fault, SIGSEGV, SEGV_ACCERR, "level 1 access flag fault" },
{ do_page_fault, SIGSEGV, SEGV_ACCERR, "level 2 access flag fault" },
--
2.1.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] arm64: fault: Route pte translation faults via do_translation_fault
2017-09-29 11:27 ` Will Deacon
@ 2017-09-29 15:47 ` Catalin Marinas
-1 siblings, 0 replies; 4+ messages in thread
From: Catalin Marinas @ 2017-09-29 15:47 UTC (permalink / raw)
To: Will Deacon; +Cc: stable, linux-arm-kernel
On Fri, Sep 29, 2017 at 12:27:41PM +0100, Will Deacon wrote:
> We currently route pte translation faults via do_page_fault, which elides
> the address check against TASK_SIZE before invoking the mm fault handling
> code. However, this can cause issues with the path walking code in
> conjunction with our word-at-a-time implementation because
> load_unaligned_zeropad can end up faulting in kernel space if it reads
> across a page boundary and runs into a page fault (e.g. by attempting to
> read from a guard region).
>
> In the case of such a fault, load_unaligned_zeropad has registered a
> fixup to shift the valid data and pad with zeroes, however the abort is
> reported as a level 3 translation fault and we dispatch it straight to
> do_page_fault, despite it being a kernel address. This results in calling
> a sleeping function from atomic context:
>
> BUG: sleeping function called from invalid context at arch/arm64/mm/fault.c:313
> in_atomic(): 0, irqs_disabled(): 0, pid: 10290
> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
> [...]
> [<ffffff8e016cd0cc>] ___might_sleep+0x134/0x144
> [<ffffff8e016cd158>] __might_sleep+0x7c/0x8c
> [<ffffff8e016977f0>] do_page_fault+0x140/0x330
> [<ffffff8e01681328>] do_mem_abort+0x54/0xb0
> Exception stack(0xfffffffb20247a70 to 0xfffffffb20247ba0)
> [...]
> [<ffffff8e016844fc>] el1_da+0x18/0x78
> [<ffffff8e017f399c>] path_parentat+0x44/0x88
> [<ffffff8e017f4c9c>] filename_parentat+0x5c/0xd8
> [<ffffff8e017f5044>] filename_create+0x4c/0x128
> [<ffffff8e017f59e4>] SyS_mkdirat+0x50/0xc8
> [<ffffff8e01684e30>] el0_svc_naked+0x24/0x28
> Code: 36380080 d5384100 f9400800 9402566d (d4210000)
> ---[ end trace 2d01889f2bca9b9f ]---
>
> Fix this by dispatching all translation faults to do_translation_faults,
> which avoids invoking the page fault logic for faults on kernel addresses.
>
> Cc: <stable@vger.kernel.org>
> Reported-by: Ankit Jain <ankijain@codeaurora.org>
> Signed-off-by: Will Deacon <will.deacon@arm.com>
Applied. Thanks.
--
Catalin
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] arm64: fault: Route pte translation faults via do_translation_fault
@ 2017-09-29 15:47 ` Catalin Marinas
0 siblings, 0 replies; 4+ messages in thread
From: Catalin Marinas @ 2017-09-29 15:47 UTC (permalink / raw)
To: linux-arm-kernel
On Fri, Sep 29, 2017 at 12:27:41PM +0100, Will Deacon wrote:
> We currently route pte translation faults via do_page_fault, which elides
> the address check against TASK_SIZE before invoking the mm fault handling
> code. However, this can cause issues with the path walking code in
> conjunction with our word-at-a-time implementation because
> load_unaligned_zeropad can end up faulting in kernel space if it reads
> across a page boundary and runs into a page fault (e.g. by attempting to
> read from a guard region).
>
> In the case of such a fault, load_unaligned_zeropad has registered a
> fixup to shift the valid data and pad with zeroes, however the abort is
> reported as a level 3 translation fault and we dispatch it straight to
> do_page_fault, despite it being a kernel address. This results in calling
> a sleeping function from atomic context:
>
> BUG: sleeping function called from invalid context at arch/arm64/mm/fault.c:313
> in_atomic(): 0, irqs_disabled(): 0, pid: 10290
> Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
> [...]
> [<ffffff8e016cd0cc>] ___might_sleep+0x134/0x144
> [<ffffff8e016cd158>] __might_sleep+0x7c/0x8c
> [<ffffff8e016977f0>] do_page_fault+0x140/0x330
> [<ffffff8e01681328>] do_mem_abort+0x54/0xb0
> Exception stack(0xfffffffb20247a70 to 0xfffffffb20247ba0)
> [...]
> [<ffffff8e016844fc>] el1_da+0x18/0x78
> [<ffffff8e017f399c>] path_parentat+0x44/0x88
> [<ffffff8e017f4c9c>] filename_parentat+0x5c/0xd8
> [<ffffff8e017f5044>] filename_create+0x4c/0x128
> [<ffffff8e017f59e4>] SyS_mkdirat+0x50/0xc8
> [<ffffff8e01684e30>] el0_svc_naked+0x24/0x28
> Code: 36380080 d5384100 f9400800 9402566d (d4210000)
> ---[ end trace 2d01889f2bca9b9f ]---
>
> Fix this by dispatching all translation faults to do_translation_faults,
> which avoids invoking the page fault logic for faults on kernel addresses.
>
> Cc: <stable@vger.kernel.org>
> Reported-by: Ankit Jain <ankijain@codeaurora.org>
> Signed-off-by: Will Deacon <will.deacon@arm.com>
Applied. Thanks.
--
Catalin
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-09-29 15:47 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-29 11:27 [PATCH] arm64: fault: Route pte translation faults via do_translation_fault Will Deacon
2017-09-29 11:27 ` Will Deacon
2017-09-29 15:47 ` Catalin Marinas
2017-09-29 15:47 ` Catalin Marinas
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.