91 lines
3.1 KiB
Diff
91 lines
3.1 KiB
Diff
From 5e806505660ca40376088d44e1720ddee3c953f5 Mon Sep 17 00:00:00 2001
|
|
Message-Id: <5e806505660ca40376088d44e1720ddee3c953f5.1601675153.git.zanussi@kernel.org>
|
|
In-Reply-To: <5b5a156f9808b1acf1205606e03da117214549ea.1601675151.git.zanussi@kernel.org>
|
|
References: <5b5a156f9808b1acf1205606e03da117214549ea.1601675151.git.zanussi@kernel.org>
|
|
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
|
Date: Fri, 18 Oct 2019 13:04:15 +0200
|
|
Subject: [PATCH 310/333] Revert "ARM: Initialize split page table locks for
|
|
vector page"
|
|
Origin: https://www.kernel.org/pub/linux/kernel/projects/rt/4.19/older/patches-4.19.148-rt64.tar.xz
|
|
|
|
[ Upstream commit 247074c44d8c3e619dfde6404a52295d8d671d38 ]
|
|
|
|
I'm dropping this patch, with its original description:
|
|
|
|
|ARM: Initialize split page table locks for vector page
|
|
|
|
|
|Without this patch, ARM can not use SPLIT_PTLOCK_CPUS if
|
|
|PREEMPT_RT_FULL=y because vectors_user_mapping() creates a
|
|
|VM_ALWAYSDUMP mapping of the vector page (address 0xffff0000), but no
|
|
|ptl->lock has been allocated for the page. An attempt to coredump
|
|
|that page will result in a kernel NULL pointer dereference when
|
|
|follow_page() attempts to lock the page.
|
|
|
|
|
|The call tree to the NULL pointer dereference is:
|
|
|
|
|
| do_notify_resume()
|
|
| get_signal_to_deliver()
|
|
| do_coredump()
|
|
| elf_core_dump()
|
|
| get_dump_page()
|
|
| __get_user_pages()
|
|
| follow_page()
|
|
| pte_offset_map_lock() <----- a #define
|
|
| ...
|
|
| rt_spin_lock()
|
|
|
|
|
|The underlying problem is exposed by mm-shrink-the-page-frame-to-rt-size.patch.
|
|
|
|
The patch named mm-shrink-the-page-frame-to-rt-size.patch was dropped
|
|
from the RT queue once the SPLIT_PTLOCK_CPUS feature (in a slightly
|
|
different shape) went upstream (somewhere between v3.12 and v3.14).
|
|
|
|
I can see that the patch still allocates a lock which wasn't there
|
|
before. However I can't trigger a kernel oops like described in the
|
|
patch by triggering a coredump.
|
|
|
|
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
|
|
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
|
|
---
|
|
arch/arm/kernel/process.c | 24 ------------------------
|
|
1 file changed, 24 deletions(-)
|
|
|
|
diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
|
|
index 8d3c7ce34c24..82ab015bf42b 100644
|
|
--- a/arch/arm/kernel/process.c
|
|
+++ b/arch/arm/kernel/process.c
|
|
@@ -324,30 +324,6 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
|
|
}
|
|
|
|
#ifdef CONFIG_MMU
|
|
-/*
|
|
- * CONFIG_SPLIT_PTLOCK_CPUS results in a page->ptl lock. If the lock is not
|
|
- * initialized by pgtable_page_ctor() then a coredump of the vector page will
|
|
- * fail.
|
|
- */
|
|
-static int __init vectors_user_mapping_init_page(void)
|
|
-{
|
|
- struct page *page;
|
|
- unsigned long addr = 0xffff0000;
|
|
- pgd_t *pgd;
|
|
- pud_t *pud;
|
|
- pmd_t *pmd;
|
|
-
|
|
- pgd = pgd_offset_k(addr);
|
|
- pud = pud_offset(pgd, addr);
|
|
- pmd = pmd_offset(pud, addr);
|
|
- page = pmd_page(*(pmd));
|
|
-
|
|
- pgtable_page_ctor(page);
|
|
-
|
|
- return 0;
|
|
-}
|
|
-late_initcall(vectors_user_mapping_init_page);
|
|
-
|
|
#ifdef CONFIG_KUSER_HELPERS
|
|
/*
|
|
* The vectors page is always readable from user space for the
|
|
--
|
|
2.17.1
|
|
|