Hi Russell, On 2025/2/11 01:03, Russell King (Oracle) wrote:
On Mon, Feb 10, 2025 at 05:49:38PM +0100, Ezra Buehler wrote:When running vanilla Linux 6.13 or newer (6.14-rc2) on the AT91SAM9G25-based GARDENA smart Gateway, we are seeing a NULL pointer dereference resulting in a kernel panic. The culprit seems to be commit fc9c45b71f43 ("arm: adjust_pte() usepte_offset_map_rw_nolock()"). Reverting the commit apparently fixes the issue.The blamed commit is buggy: arch/arm/include/asm/tlbflush.h: #define update_mmu_cache(vma, addr, ptep) \ update_mmu_cache_range(NULL, vma, addr, ptep, 1) So vmf can be NULL. This didn't used to matter before this commit, because vmf was not used by ARM's update_mmu_cache_range(). However, the commit introduced a dereference of it, which now causes a NULL point dereference. Not sure what the correct solution is, but at a guess, both: if (ptl != vmf->ptl) need to become: if (!vmf || ptl != vmf->ptl)
No, we can't do that, because without using split PTE locks, we would use shared mm->page_table_lock, which would create a deadlock. But it seems that we cannot simply bring back do_pte_lock() and do_pte_unlock()? In make_coherent(), we traverse the vmas and exclude the same vma, but different vmas may also map to the same PTE page, right? In this case, we still cannot directly hold the pte lock. But this part of code is quite old, maybe I missed something? Thanks, Qi
but I haven't checked wha tthe locking context actually is here (I've been out of MM stuff too long to know this off the top of my head.)
