From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
To: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"peterz@infradead.org" <peterz@infradead.org>,
"mingo@redhat.com" <mingo@redhat.com>,
"luto@kernel.org" <luto@kernel.org>,
"bp@alien8.de" <bp@alien8.de>
Cc: "sam@gentoo.org" <sam@gentoo.org>,
"andreas@gaisler.com" <andreas@gaisler.com>,
"nadav.amit@gmail.com" <nadav.amit@gmail.com>,
"anthony.yznaga@oracle.com" <anthony.yznaga@oracle.com>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux_dti@icloud.com" <linux_dti@icloud.com>,
"will.deacon@arm.com" <will.deacon@arm.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"sparclinux@vger.kernel.org" <sparclinux@vger.kernel.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
"ast@kernel.org" <ast@kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"kristen@linux.intel.com" <kristen@linux.intel.com>
Subject: Re: [PATCH v5 18/23] bpf: Use vmalloc special flag
Date: Tue, 12 Aug 2025 20:59:12 +0200 [thread overview]
Message-ID: <c69487a248eb5660aa817fdbb0f9a10d770feab6.camel@physik.fu-berlin.de> (raw)
In-Reply-To: <7e4dfc01e132196d3ff10df18622252a8455d1b8.camel@intel.com>
On Tue, 2025-08-12 at 18:49 +0000, Edgecombe, Rick P wrote:
> On Tue, 2025-08-12 at 20:37 +0200, John Paul Adrian Glaubitz wrote:
> > That could be true. I knew about the patch in [1] but I didn't think of applying it.
> >
> > FWIW, the crashes we're seeing on recent kernel versions look like this:
> >
> > [ 40.992851] \|/ ____ \|/
> > [ 40.992851] "@'/ .. \`@"
> > [ 40.992851] /_| \__/ |_\
> > [ 40.992851] \__U_/
> > [ 41.186220] (udev-worker)(88): Kernel illegal instruction [#1]
>
> Possibly re-using some stale TLB executable VA which's page now has other data
> in it.
Makes sense given the memory is actually zero'd out.
> > [ 41.262910] CPU: 0 UID: 0 PID: 88 Comm: (udev-worker) Tainted: G W 6.12.0+ #25
> > [ 41.376151] Tainted: [W]=WARN
> > [ 41.415025] TSTATE: 0000004411001607 TPC: 00000000101c21c0 TNPC: 00000000101c21c4 Y: 00000000 Tainted: G W
> > [ 41.563717] TPC: <ehci_init_driver+0x0/0x160 [ehci_hcd]>
> > [ 41.633584] g0: 00000000012005b8 g1: 00000000100a1800 g2: 0000000010206000 g3: 00000000101de000
> > [ 41.747962] g4: fff000000a5af380 g5: 0000000000000000 g6: fff000000aac8000 g7: 0000000000000e7b
> > [ 41.862338] o0: 0000000010060118 o1: 000000001020a000 o2: fff000000aa30ce0 o3: 0000000000000e7a
> > [ 41.976728] o4: 00000000ff000000 o5: 00ff000000000000 sp: fff000000aacb091 ret_pc: 00000000101de028
> > [ 42.095768] RPC: <ehci_pci_init+0x28/0x2000 [ehci_pci]>
> > [ 42.164394] l0: 0000000000000000 l1: 0000000100043fff l2: ffffffffff800000 l3: 0000000000800000
> > [ 42.278768] l4: fff00000001c8008 l5: 0000000000000000 l6: 00000000013358e0 l7: 0000000001002800
> > [ 42.393143] i0: ffffffffffffffed i1: 00000000004db8d8 i2: 0000000000000000 i3: fff000000aa304e0
> > [ 42.507517] i4: 0000000001127250 i5: 0000000010060000 i6: fff000000aacb141 i7: 0000000000427d90
> > [ 42.621893] I7: <do_one_initcall+0x30/0x200>
> > [ 42.677931] Call Trace:
> > [ 42.709953] [<0000000000427d90>] do_one_initcall+0x30/0x200
> > [ 42.783158] [<00000000004db908>] do_init_module+0x48/0x240
> > [ 42.855214] [<00000000004dd82c>] load_module+0x19cc/0x1f20
> > [ 42.927270] [<00000000004ddf8c>] init_module_from_file+0x6c/0xa0
> > [ 43.006189] [<00000000004de1e4>] sys_finit_module+0x1c4/0x2c0
> > [ 43.081677] [<0000000000406174>] linux_sparc_syscall+0x34/0x44
> > [ 43.158307] Disabling lock debugging due to kernel taint
> > [ 43.228077] Caller[0000000000427d90]: do_one_initcall+0x30/0x200
> > [ 43.306995] Caller[00000000004db908]: do_init_module+0x48/0x240
> > [ 43.384772] Caller[00000000004dd82c]: load_module+0x19cc/0x1f20
> > [ 43.462544] Caller[00000000004ddf8c]: init_module_from_file+0x6c/0xa0
> > [ 43.547184] Caller[00000000004de1e4]: sys_finit_module+0x1c4/0x2c0
> > [ 43.628389] Caller[0000000000406174]: linux_sparc_syscall+0x34/0x44
> > [ 43.710741] Caller[fff000010480e2fc]: 0xfff000010480e2fc
> > [ 43.780508] Instruction DUMP:
> > [ 43.780511] 00000000
> > [ 43.819394] 00000000
> > [ 43.850273] 00000000
> > [ 43.881153] <00000000>
> > [ 43.912036] 00000000
> > [ 43.942917] 00000000
> > [ 43.973797] 00000000
> > [ 44.004678] 00000000
> > [ 44.035561] 00000000
> > [ 44.066443]
> >
> > Do you have any suggestion what to bisect?
>
> This does look like kernel range TLB flush related. Not sure how it's related to
> userspace huge pages. Perhaps the userspace range TLB flush has issues to? Or
> the TLB flush asm needs to be fixed in this another sparc variant?
The patch you previously linked actually fixed this particular SPARC variant which
is sun4u, i.e. the non-hypervisor variant with sun4v being the hypervisor one.
I was already thinking that the fix in d3c976c14ad8 was possible incomplete.
> So far two issues were found with that patch and they were both rare
> architectures with broken kernel TLB flushes. Kernel TLB flushes can actually
> not be required for a long time, so probably the bug normally looked like
> unexplained crashes after days. The VM_FLUSH_RESET_PERMS just made them show up
> earlier in a bisectable way.
Yeah, I think that could actually be the case.
I wonder whether I can revert both d3c976c14ad8 and a74ad5e660a9 on a current
tree and see if that fixes the bug.
Adrian
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer
`. `' Physicist
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
next prev parent reply other threads:[~2025-08-12 18:59 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-26 0:11 [PATCH v5 00/23] x86: text_poke() fixes and executable lockdowns Nadav Amit
2019-04-26 0:11 ` [PATCH v5 01/23] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" Nadav Amit
2019-04-26 0:11 ` [PATCH v5 02/23] x86/jump_label: Use text_poke_early() during early init Nadav Amit
2019-04-26 0:11 ` [PATCH v5 03/23] x86/mm: Introduce temporary mm structs Nadav Amit
2019-04-26 0:11 ` [PATCH v5 04/23] x86/mm: Save debug registers when loading a temporary mm Nadav Amit
2019-04-26 0:11 ` [PATCH v5 05/23] fork: Provide a function for copying init_mm Nadav Amit
2019-04-26 0:11 ` [PATCH v5 06/23] x86/alternative: Initialize temporary mm for patching Nadav Amit
2019-04-26 0:11 ` [PATCH v5 07/23] x86/alternative: Use temporary mm for text poking Nadav Amit
2019-04-26 0:11 ` [PATCH v5 08/23] x86/kgdb: Avoid redundant comparison of patched code Nadav Amit
2019-04-26 0:11 ` [PATCH v5 09/23] x86/ftrace: Set trampoline pages as executable Nadav Amit
2019-04-26 0:11 ` [PATCH v5 10/23] x86/kprobes: Set instruction page " Nadav Amit
2019-04-26 0:11 ` [PATCH v5 11/23] x86/module: Avoid breaking W^X while loading modules Nadav Amit
2019-04-26 0:11 ` [PATCH v5 12/23] x86/jump-label: Remove support for custom poker Nadav Amit
2019-04-26 0:11 ` [PATCH v5 13/23] x86/alternative: Remove the return value of text_poke_*() Nadav Amit
2019-04-26 0:11 ` [PATCH v5 14/23] x86/mm/cpa: Add set_direct_map_ functions Nadav Amit
2019-04-26 16:40 ` Linus Torvalds
2019-04-26 16:43 ` Nadav Amit
2019-04-26 0:11 ` [PATCH v5 15/23] mm: Make hibernate handle unmapped pages Nadav Amit
2019-04-26 0:11 ` [PATCH v5 16/23] vmalloc: Add flag for free of special permsissions Nadav Amit
2019-04-26 0:11 ` [PATCH v5 17/23] modules: Use vmalloc special flag Nadav Amit
2019-04-26 0:11 ` [PATCH v5 18/23] bpf: " Nadav Amit
2025-08-12 16:43 ` John Paul Adrian Glaubitz
2025-08-12 18:03 ` Edgecombe, Rick P
2025-08-12 18:37 ` John Paul Adrian Glaubitz
2025-08-12 18:49 ` Edgecombe, Rick P
2025-08-12 18:59 ` John Paul Adrian Glaubitz [this message]
2019-04-26 0:11 ` [PATCH v5 19/23] x86/ftrace: " Nadav Amit
2019-04-26 0:11 ` [PATCH v5 20/23] x86/kprobes: " Nadav Amit
2019-04-26 0:11 ` [PATCH v5 21/23] x86/alternative: Comment about module removal races Nadav Amit
2019-04-26 0:11 ` [PATCH v5 22/23] mm/tlb: Provide default nmi_uaccess_okay() Nadav Amit
2019-04-26 0:11 ` [PATCH v5 23/23] bpf: Fail bpf_probe_write_user() while mm is switched Nadav Amit
2019-04-26 12:36 ` [PATCH v5 00/23] x86: text_poke() fixes and executable lockdowns Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c69487a248eb5660aa817fdbb0f9a10d770feab6.camel@physik.fu-berlin.de \
--to=glaubitz@physik.fu-berlin.de \
--cc=akpm@linux-foundation.org \
--cc=andreas@gaisler.com \
--cc=anthony.yznaga@oracle.com \
--cc=ast@kernel.org \
--cc=bp@alien8.de \
--cc=daniel@iogearbox.net \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kristen@linux.intel.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux_dti@icloud.com \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=sam@gentoo.org \
--cc=sparclinux@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox