linux-security-module.vger.kernel.org archive mirror
From: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>
To: "glaubitz@physik.fu-berlin.de" <glaubitz@physik.fu-berlin.de>,
	"peterz@infradead.org" <peterz@infradead.org>,
	"mingo@redhat.com" <mingo@redhat.com>,
	"luto@kernel.org" <luto@kernel.org>,
	"bp@alien8.de" <bp@alien8.de>
Cc: "sam@gentoo.org" <sam@gentoo.org>,
	"andreas@gaisler.com" <andreas@gaisler.com>,
	"nadav.amit@gmail.com" <nadav.amit@gmail.com>,
	"anthony.yznaga@oracle.com" <anthony.yznaga@oracle.com>,
	"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
	"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux_dti@icloud.com" <linux_dti@icloud.com>,
	"will.deacon@arm.com" <will.deacon@arm.com>,
	"deneen.t.dock@intel.com" <deneen.t.dock@intel.com>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	"tglx@linutronix.de" <tglx@linutronix.de>,
	"linux-security-module@vger.kernel.org"
	<linux-security-module@vger.kernel.org>,
	"sparclinux@vger.kernel.org" <sparclinux@vger.kernel.org>,
	"hpa@zytor.com" <hpa@zytor.com>,
	"linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"daniel@iogearbox.net" <daniel@iogearbox.net>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>,
	"ast@kernel.org" <ast@kernel.org>,
	"x86@kernel.org" <x86@kernel.org>,
	"kristen@linux.intel.com" <kristen@linux.intel.com>
Subject: Re: [PATCH v5 18/23] bpf: Use vmalloc special flag
Date: Tue, 12 Aug 2025 18:49:43 +0000	[thread overview]
Message-ID: <7e4dfc01e132196d3ff10df18622252a8455d1b8.camel@intel.com> (raw)
In-Reply-To: <49b112b80b211ae05b5f3c36a55f67041783f51e.camel@physik.fu-berlin.de>

On Tue, 2025-08-12 at 20:37 +0200, John Paul Adrian Glaubitz wrote:
> That could be true. I knew about the patch in [1] but I didn't think of applying it.
> 
> FWIW, the crashes we're seeing on recent kernel versions look like this:
> 
> [   40.992851]               \|/ ____ \|/
> [   40.992851]               "@'/ .. \`@"
> [   40.992851]               /_| \__/ |_\
> [   40.992851]                  \__U_/
> [   41.186220] (udev-worker)(88): Kernel illegal instruction [#1]

Possibly re-using some stale TLB executable VA whose page now has other data
in it.

> [   41.262910] CPU: 0 UID: 0 PID: 88 Comm: (udev-worker) Tainted: G        W          6.12.0+ #25
> [   41.376151] Tainted: [W]=WARN
> [   41.415025] TSTATE: 0000004411001607 TPC: 00000000101c21c0 TNPC: 00000000101c21c4 Y: 00000000    Tainted: G        W         
> [   41.563717] TPC: <ehci_init_driver+0x0/0x160 [ehci_hcd]>
> [   41.633584] g0: 00000000012005b8 g1: 00000000100a1800 g2: 0000000010206000 g3: 00000000101de000
> [   41.747962] g4: fff000000a5af380 g5: 0000000000000000 g6: fff000000aac8000 g7: 0000000000000e7b
> [   41.862338] o0: 0000000010060118 o1: 000000001020a000 o2: fff000000aa30ce0 o3: 0000000000000e7a
> [   41.976728] o4: 00000000ff000000 o5: 00ff000000000000 sp: fff000000aacb091 ret_pc: 00000000101de028
> [   42.095768] RPC: <ehci_pci_init+0x28/0x2000 [ehci_pci]>
> [   42.164394] l0: 0000000000000000 l1: 0000000100043fff l2: ffffffffff800000 l3: 0000000000800000
> [   42.278768] l4: fff00000001c8008 l5: 0000000000000000 l6: 00000000013358e0 l7: 0000000001002800
> [   42.393143] i0: ffffffffffffffed i1: 00000000004db8d8 i2: 0000000000000000 i3: fff000000aa304e0
> [   42.507517] i4: 0000000001127250 i5: 0000000010060000 i6: fff000000aacb141 i7: 0000000000427d90
> [   42.621893] I7: <do_one_initcall+0x30/0x200>
> [   42.677931] Call Trace:
> [   42.709953] [<0000000000427d90>] do_one_initcall+0x30/0x200
> [   42.783158] [<00000000004db908>] do_init_module+0x48/0x240
> [   42.855214] [<00000000004dd82c>] load_module+0x19cc/0x1f20
> [   42.927270] [<00000000004ddf8c>] init_module_from_file+0x6c/0xa0
> [   43.006189] [<00000000004de1e4>] sys_finit_module+0x1c4/0x2c0
> [   43.081677] [<0000000000406174>] linux_sparc_syscall+0x34/0x44
> [   43.158307] Disabling lock debugging due to kernel taint
> [   43.228077] Caller[0000000000427d90]: do_one_initcall+0x30/0x200
> [   43.306995] Caller[00000000004db908]: do_init_module+0x48/0x240
> [   43.384772] Caller[00000000004dd82c]: load_module+0x19cc/0x1f20
> [   43.462544] Caller[00000000004ddf8c]: init_module_from_file+0x6c/0xa0
> [   43.547184] Caller[00000000004de1e4]: sys_finit_module+0x1c4/0x2c0
> [   43.628389] Caller[0000000000406174]: linux_sparc_syscall+0x34/0x44
> [   43.710741] Caller[fff000010480e2fc]: 0xfff000010480e2fc
> [   43.780508] Instruction DUMP:
> [   43.780511]  00000000 
> [   43.819394]  00000000 
> [   43.850273]  00000000 
> [   43.881153] <00000000>
> [   43.912036]  00000000 
> [   43.942917]  00000000 
> [   43.973797]  00000000 
> [   44.004678]  00000000 
> [   44.035561]  00000000 
> [   44.066443]
> 
> Do you have any suggestion what to bisect?

This does look like kernel range TLB flush related. Not sure how it's related to
userspace huge pages. Perhaps the userspace range TLB flush has issues too? Or
the TLB flush asm needs to be fixed on this other sparc variant?

So far two issues were found with that patch and they were both rare
architectures with broken kernel TLB flushes. Kernel TLB flushes can actually
not be required for a long time, so probably the bug normally looked like
unexplained crashes after days. The VM_FLUSH_RESET_PERMS just made them show up
earlier in a bisectable way.
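
As an added illustration of the mechanism described in the reply above (a model written for this page, not kernel code and not anything posted in the thread): a toy software TLB in C, with a deliberately no-op flush hook standing in for a broken arch flush_tlb_kernel_range(). The sequence it mimics is the vfree() path, simplified: the pages go back to the allocator at once, the VA is parked on a lazy list until a purge, and the purge is where the kernel range flush happens; with VM_FLUSH_RESET_PERMS the flush and purge happen eagerly inside vfree(), so the VA can be reused while the stale executable translation is still cached. The function names echo the kernel's but are the model's own, and the layout (four pages, a two-entry TLB, one byte of content per page) is an assumption chosen to make the race reproducible in a few lines.

```c
/* Toy TLB model of stale executable translations after a broken kernel
 * range flush. Added example, not kernel code; all sizes are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NPAGES    4   /* physical pages in the model */
#define NVAS      4   /* virtual pages in the model's module/vmalloc range */
#define TLB_SLOTS 2   /* tiny TLB: unrelated traffic evicts entries quickly */
#define VM_FLUSH_RESET_PERMS 0x1

struct tlbe { int va, pfn; bool valid; };

struct sim {
	uint8_t phys[NPAGES];      /* one byte of content per page is enough */
	bool page_used[NPAGES];
	int pte[NVAS];             /* va -> pfn, -1 when unmapped */
	bool va_lazy[NVAS];        /* freed VA parked until the next purge */
	struct tlbe tlb[TLB_SLOTS];
	int tlb_next;              /* round-robin fill slot */
	bool flush_works;          /* false models the broken arch flush */
};

static void sim_init(struct sim *s, bool flush_works)
{
	memset(s, 0, sizeof(*s));
	for (int va = 0; va < NVAS; va++)
		s->pte[va] = -1;
	s->flush_works = flush_works;
}

/* Arch hook: a correct one drops every entry; the broken one is a no-op. */
static void flush_tlb_kernel_range(struct sim *s)
{
	if (!s->flush_works)
		return;
	for (int i = 0; i < TLB_SLOTS; i++)
		s->tlb[i].valid = false;
}

/* Translate va through the TLB; walk the page table and fill on a miss. */
static int translate(struct sim *s, int va)
{
	for (int i = 0; i < TLB_SLOTS; i++)
		if (s->tlb[i].valid && s->tlb[i].va == va)
			return s->tlb[i].pfn;
	if (s->pte[va] < 0)
		return -1;
	s->tlb[s->tlb_next] = (struct tlbe){ va, s->pte[va], true };
	s->tlb_next = (s->tlb_next + 1) % TLB_SLOTS;
	return s->pte[va];
}

static int alloc_page(struct sim *s)
{
	for (int pfn = 0; pfn < NPAGES; pfn++)
		if (!s->page_used[pfn]) { s->page_used[pfn] = true; return pfn; }
	return -1;
}

/* Executable allocation: lowest VA that is neither mapped nor lazy. */
static int vmalloc_exec(struct sim *s, uint8_t code)
{
	for (int va = 0; va < NVAS; va++) {
		if (s->pte[va] >= 0 || s->va_lazy[va])
			continue;
		int pfn = alloc_page(s);
		if (pfn < 0)
			return -1;
		s->phys[pfn] = code;
		s->pte[va] = pfn;
		return va;
	}
	return -1;
}

/* Purge of the lazy list: one range flush, then the VAs are reusable. */
static void purge_vmap_area_lazy(struct sim *s)
{
	flush_tlb_kernel_range(s);
	for (int va = 0; va < NVAS; va++)
		s->va_lazy[va] = false;
}

/* The page is freed at once on both paths; only the flush timing differs. */
static void vfree(struct sim *s, int va, unsigned flags)
{
	s->page_used[s->pte[va]] = false;
	s->pte[va] = -1;
	s->va_lazy[va] = true;
	if (flags & VM_FLUSH_RESET_PERMS)
		purge_vmap_area_lazy(s);   /* eager flush + purge */
}

/* Instruction fetch at va: the byte the CPU would execute, -1 if unmapped. */
static int fetch(struct sim *s, int va)
{
	int pfn = translate(s, va);
	return pfn < 0 ? -1 : s->phys[pfn];
}

/* Load module A, run it, unload it, recycle its page for data, optionally run
 * unrelated code meanwhile, then load module B on the same VA and fetch.
 * true: the fetch sees B's code. false: it sees the recycled page through the
 * stale translation, the model's "Kernel illegal instruction". */
static bool load_unload_reload(bool flush_works, unsigned flags, bool busy)
{
	struct sim s;
	sim_init(&s, flush_works);
	int va = vmalloc_exec(&s, 0xA1);    /* module A */
	fetch(&s, va);                      /* A runs: TLB caches va -> A's page */
	vfree(&s, va, flags);               /* A unloads */
	int pfn = alloc_page(&s);           /* freed page recycled for data... */
	s.phys[pfn] = 0x00;                 /* ...written via the direct map, no TLB */
	if (busy)                           /* time passes, other code evicts entries */
		for (int i = 0; i < TLB_SLOTS; i++)
			fetch(&s, vmalloc_exec(&s, 0xC0 + i));
	if (!(flags & VM_FLUSH_RESET_PERMS))
		purge_vmap_area_lazy(&s);   /* lazy path: deferred purge finally runs */
	int vb = vmalloc_exec(&s, 0xB2);    /* module B lands on the recycled VA */
	return vb == va && fetch(&s, vb) == 0xB2;
}
```

With the broken flush, the eager VM_FLUSH_RESET_PERMS path fails on the very first reuse, while the lazy path only fails if the VA is recycled before unrelated traffic has evicted the stale entry, which is the "unexplained crashes after days" pattern the reply describes. On a real sparc64 box the matching experiment for the bisection is to make the arch's flush_tlb_kernel_range() perform an unconditional full flush and see whether the module-load crash disappears; if it does, the range flush is the suspect.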




Thread overview: 32+ messages
2019-04-26  0:11 [PATCH v5 00/23] x86: text_poke() fixes and executable lockdowns Nadav Amit
2019-04-26  0:11 ` [PATCH v5 01/23] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" Nadav Amit
2019-04-26  0:11 ` [PATCH v5 02/23] x86/jump_label: Use text_poke_early() during early init Nadav Amit
2019-04-26  0:11 ` [PATCH v5 03/23] x86/mm: Introduce temporary mm structs Nadav Amit
2019-04-26  0:11 ` [PATCH v5 04/23] x86/mm: Save debug registers when loading a temporary mm Nadav Amit
2019-04-26  0:11 ` [PATCH v5 05/23] fork: Provide a function for copying init_mm Nadav Amit
2019-04-26  0:11 ` [PATCH v5 06/23] x86/alternative: Initialize temporary mm for patching Nadav Amit
2019-04-26  0:11 ` [PATCH v5 07/23] x86/alternative: Use temporary mm for text poking Nadav Amit
2019-04-26  0:11 ` [PATCH v5 08/23] x86/kgdb: Avoid redundant comparison of patched code Nadav Amit
2019-04-26  0:11 ` [PATCH v5 09/23] x86/ftrace: Set trampoline pages as executable Nadav Amit
2019-04-26  0:11 ` [PATCH v5 10/23] x86/kprobes: Set instruction page " Nadav Amit
2019-04-26  0:11 ` [PATCH v5 11/23] x86/module: Avoid breaking W^X while loading modules Nadav Amit
2019-04-26  0:11 ` [PATCH v5 12/23] x86/jump-label: Remove support for custom poker Nadav Amit
2019-04-26  0:11 ` [PATCH v5 13/23] x86/alternative: Remove the return value of text_poke_*() Nadav Amit
2019-04-26  0:11 ` [PATCH v5 14/23] x86/mm/cpa: Add set_direct_map_ functions Nadav Amit
2019-04-26 16:40   ` Linus Torvalds
2019-04-26 16:43     ` Nadav Amit
2019-04-26  0:11 ` [PATCH v5 15/23] mm: Make hibernate handle unmapped pages Nadav Amit
2019-04-26  0:11 ` [PATCH v5 16/23] vmalloc: Add flag for free of special permsissions Nadav Amit
2019-04-26  0:11 ` [PATCH v5 17/23] modules: Use vmalloc special flag Nadav Amit
2019-04-26  0:11 ` [PATCH v5 18/23] bpf: " Nadav Amit
2025-08-12 16:43   ` John Paul Adrian Glaubitz
2025-08-12 18:03     ` Edgecombe, Rick P
2025-08-12 18:37       ` John Paul Adrian Glaubitz
2025-08-12 18:49         ` Edgecombe, Rick P [this message]
2025-08-12 18:59           ` John Paul Adrian Glaubitz
2019-04-26  0:11 ` [PATCH v5 19/23] x86/ftrace: " Nadav Amit
2019-04-26  0:11 ` [PATCH v5 20/23] x86/kprobes: " Nadav Amit
2019-04-26  0:11 ` [PATCH v5 21/23] x86/alternative: Comment about module removal races Nadav Amit
2019-04-26  0:11 ` [PATCH v5 22/23] mm/tlb: Provide default nmi_uaccess_okay() Nadav Amit
2019-04-26  0:11 ` [PATCH v5 23/23] bpf: Fail bpf_probe_write_user() while mm is switched Nadav Amit
2019-04-26 12:36 ` [PATCH v5 00/23] x86: text_poke() fixes and executable lockdowns Peter Zijlstra
