We access device memory in userspace, then perform an unaligned write
to a file. For example, we register a uio device and mmap the device,
then perform a write to a file, like this:

    device_addr = mmap(device_fd);
    write(file_fd, device_addr + unaligned_num, size);

We found that the infinite loop happened in the generic_perform_write
function:

    again:
        copied = copy_page_from_iter_atomic(); //copied = 0
        status = ops->write_end(); //status = 0
        if (status == 0)
            goto again;

In copy_page_from_iter_atomic, the copyin() function finally calls
__arch_copy_from_user, which creates an exception table entry for 'insn'.
Then when the kernel handles the alignment_fault, it will not panic. As the
arm64 memory model spec says, when the address is not a multiple of the
element size, the access is unaligned. Unaligned accesses are allowed to
addresses marked as Normal, but not to Device regions. An unaligned access
to a Device region will trigger an exception (alignment fault).

    do_alignment_fault
        do_bad_area
            __do_kernel_fault
                fixup_exception

But that fixup can't handle the unaligned copy, so
copy_page_from_iter_atomic returns 0 and traps in the loop.

Reported-by: Chen Huang <chenhuang5@xxxxxxxxxx>
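The stall described in this report, as an added user-space model in C that is not part of the original message and is not kernel code. All names, the 8-byte alignment rule, the iteration cap and the `guard` early exit are assumptions made for illustration; the guard shows a forward-progress check in general and is not presented as the fix that was applied.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model; every name is hypothetical, not kernel code. */
#define CHUNK ((size_t)4096)            /* stands in for one page per pass */
struct src_region { const unsigned char *base; int is_device; };

/* Models the fixed-up copy: an unaligned read from a Device mapping
 * "faults", and the fixup reports 0 bytes copied instead of panicking. */
static size_t model_copy_atomic(unsigned char *dst, const struct src_region *r,
                                size_t off, size_t n)
{
    if (r->is_device && off % 8 != 0)   /* assumed 8-byte element size */
        return 0;
    memcpy(dst, r->base + off, n);
    return n;
}

/* Returns bytes written, -EFAULT when the guard trips, or -ELOOP when the
 * unguarded loop is still retrying after max_iters passes. */
static long model_perform_write(unsigned char *file, const struct src_region *r,
                                size_t off, size_t size, int guard, long max_iters)
{
    size_t written = 0;
    long iters = 0;
    while (written < size) {
        size_t chunk = size - written < CHUNK ? size - written : CHUNK;
        size_t copied, status;
again:
        if (++iters > max_iters)
            return -ELOOP;              /* stand-in for "never returns" */
        copied = model_copy_atomic(file + written, r, off + written, chunk);
        status = copied;                /* write_end() accepts what was copied */
        if (status == 0) {
            if (guard)                  /* zero progress: fail, do not retry */
                return written ? (long)written : -EFAULT;
            goto again;                 /* same arguments, same fault */
        }
        written += status;
    }
    return (long)written;
}

int main(void)
{
    unsigned char dev[64], out[64];     /* constructed sample buffers */
    struct src_region r = { dev, 1 };
    memset(dev, 0xAB, sizeof dev);
    printf("aligned:   %ld\n", model_perform_write(out, &r, 0, 32, 0, 1000));
    printf("unaligned: %ld\n", model_perform_write(out, &r, 3, 32, 0, 1000));
    printf("guarded:   %ld\n", model_perform_write(out, &r, 3, 32, 1, 1000));
    return 0;
}
```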