Re: [REGRESSION] NULL pointer dereference on ARM (AT91SAM9G25) during compaction

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Russell,

On 2025/2/11 01:03, Russell King (Oracle) wrote:
On Mon, Feb 10, 2025 at 05:49:38PM +0100, Ezra Buehler wrote:
When running vanilla Linux 6.13 or newer (6.14-rc2) on the
AT91SAM9G25-based GARDENA smart Gateway, we are seeing a NULL pointer
dereference resulting in a kernel panic. The culprit seems to be commit
fc9c45b71f43 ("arm: adjust_pte() usepte_offset_map_rw_nolock()").
Reverting the commit apparently fixes the issue.

The blamed commit is buggy:

arch/arm/include/asm/tlbflush.h:
#define update_mmu_cache(vma, addr, ptep) \
         update_mmu_cache_range(NULL, vma, addr, ptep, 1)

So vmf can be NULL. This didn't used to matter before this commit,
because vmf was not used by ARM's update_mmu_cache_range(). However,
the commit introduced a dereference of it, which now causes a NULL
point dereference.

Not sure what the correct solution is, but at a guess, both:

	if (ptl != vmf->ptl)

need to become:

	if (!vmf || ptl != vmf->ptl)

No, we can't do that, because without using split PTE locks, we would
use shared mm->page_table_lock, which would create a deadlock.

But it seems that we cannot simply bring back do_pte_lock() and
do_pte_unlock()? In make_coherent(), we traverse the vmas and exclude
the same vma, but different vmas may also map to the same PTE page,
right? In this case, we still cannot directly hold the pte lock.
But this part of code is quite old, maybe I missed something?

Thanks,
Qi


but I haven't checked wha tthe locking context actually is here
(I've been out of MM stuff too long to know this off the top of my
head.)





[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux