On Fri, Sep 29, 2017 at 12:27:41PM +0100, Will Deacon wrote: > We currently route pte translation faults via do_page_fault, which elides > the address check against TASK_SIZE before invoking the mm fault handling > code. However, this can cause issues with the path walking code in > conjunction with our word-at-a-time implementation because > load_unaligned_zeropad can end up faulting in kernel space if it reads > across a page boundary and runs into a page fault (e.g. by attempting to > read from a guard region). > > In the case of such a fault, load_unaligned_zeropad has registered a > fixup to shift the valid data and pad with zeroes, however the abort is > reported as a level 3 translation fault and we dispatch it straight to > do_page_fault, despite it being a kernel address. This results in calling > a sleeping function from atomic context: > > BUG: sleeping function called from invalid context at arch/arm64/mm/fault.c:313 > in_atomic(): 0, irqs_disabled(): 0, pid: 10290 > Internal error: Oops - BUG: 0 [#1] PREEMPT SMP > [...] > [<ffffff8e016cd0cc>] ___might_sleep+0x134/0x144 > [<ffffff8e016cd158>] __might_sleep+0x7c/0x8c > [<ffffff8e016977f0>] do_page_fault+0x140/0x330 > [<ffffff8e01681328>] do_mem_abort+0x54/0xb0 > Exception stack(0xfffffffb20247a70 to 0xfffffffb20247ba0) > [...] > [<ffffff8e016844fc>] el1_da+0x18/0x78 > [<ffffff8e017f399c>] path_parentat+0x44/0x88 > [<ffffff8e017f4c9c>] filename_parentat+0x5c/0xd8 > [<ffffff8e017f5044>] filename_create+0x4c/0x128 > [<ffffff8e017f59e4>] SyS_mkdirat+0x50/0xc8 > [<ffffff8e01684e30>] el0_svc_naked+0x24/0x28 > Code: 36380080 d5384100 f9400800 9402566d (d4210000) > ---[ end trace 2d01889f2bca9b9f ]--- > > Fix this by dispatching all translation faults to do_translation_faults, > which avoids invoking the page fault logic for faults on kernel addresses. > > Cc: <stable@xxxxxxxxxxxxxxx> > Reported-by: Ankit Jain <ankijain@xxxxxxxxxxxxxx> > Signed-off-by: Will Deacon <will.deacon@xxxxxxx> Applied. Thanks. -- Catalin