Re: PowerPC: Random memory corruption causing kernel oops on Power11
From: Stephen Smalley <stephen.smalley.work@gmail.com>
Date: 2026-05-29 15:19:19
Also in:
lkml, selinux
On Fri, May 29, 2026 at 11:02 AM Stephen Smalley [off-list ref] wrote:
On Fri, May 29, 2026 at 9:40 AM Venkat Rao Bagalkote [off-list ref] wrote:quoted
On 29/05/26 12:20 pm, Venkat Rao Bagalkote wrote:quoted
Greetings!!! Kernel 7.1.0-rc5-next-20260528 crashes randomly on IBM Power11 hardware. Attached is the config file. **System:** - Hardware: IBM 9080-HEX Power11, pSeries - Broken: 7.1.0-rc5-next-20260528 - Config: 64K pages, Radix MMU **Problem:** Different crash at each reboot. **Example Crash 1:** [ 4.678016] BUG: Unable to handle kernel data access at 0xbffffffefec10628 [ 4.678112] NIP [c008000004e3c74c] xfs_dir2_block_lookup_int+0xd4/0x300 [xfs] [ 4.678281] [c000000005eaf7d0] [c008000004e3c6d4] xfs_dir2_block_lookup_int+0x5c/0x300 [xfs] [ 4.678363] [c000000005eaf850] [c008000004e3d56c] xfs_dir2_block_lookup+0x44/0x1e0 [xfs] **Example Crash 2:** [ 6.327116] BUG: Unable to handle kernel data access at 0x762f736563697695 [ 6.327242] NIP [c00000000073cf34] __refill_obj_stock+0x74/0x2c0 [ 6.327261] [c0000013ffdbfd10] [c0000000007418b8] obj_cgroup_uncharge+0x48/0x70 [ 6.327271] [c0000013ffdbfd50] [c00000000062fffc] free_percpu.part.0+0x12c/0x630Git bisect is pointing to 54067bacb49c selinux: hooks: use __getname() to allocate path buffer as the first bad commit. # git bisect good 54067bacb49caeada82b20b6bd706dca0cb99ffc is the first bad commit commit 54067bacb49caeada82b20b6bd706dca0cb99ffc Author: Mike Rapoport (Microsoft) [off-list ref] Date: Wed May 20 11:18:56 2026 +0300 selinux: hooks: use __getname() to allocate path buffer selinux_genfs_get_sid() allocates memory for a path with __get_free_page() although there is a dedicated helper for allocation of file paths: __getname(). Replace __get_free_page() for allocation of a path buffer with __getname(). Signed-off-by: Mike Rapoport (Microsoft) [off-list ref] Signed-off-by: Paul Moore [off-list ref] security/selinux/hooks.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) # git bisect log git bisect start # status: waiting for both good and bad commits # good: [e7ae89a0c97ce2b68b0983cd01eda67cf373517d] Linux 7.1-rc5 git bisect good e7ae89a0c97ce2b68b0983cd01eda67cf373517d # status: waiting for bad commit, 1 good commit known # bad: [f7af91adc230aa99e23330ecf85bc9badd9780ad] Add linux-next specific files for 20260528 git bisect bad f7af91adc230aa99e23330ecf85bc9badd9780ad # good: [7189ebc81d5e4cb4e03dc4040b07c582b95b09d5] Merge branch 'nand/next' of https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git git bisect good 7189ebc81d5e4cb4e03dc4040b07c582b95b09d5 # skip: [d22aa6f023f3fc275e1f994045a6b347288b2e5a] Merge branch 'watchdog-next' of https://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git git bisect skip d22aa6f023f3fc275e1f994045a6b347288b2e5a # good: [40d5349aaaae55ec62451bfacc6189cf44ce02cb] iio: adc: ti-ads1298: Add parentheses around macro parameter git bisect good 40d5349aaaae55ec62451bfacc6189cf44ce02cb # good: [6665ab5cf8e74edba571d3d2f31e575f89373dfd] Merge branch 'next-integrity' of https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity git bisect good 6665ab5cf8e74edba571d3d2f31e575f89373dfd # bad: [4cc60db652df7ae5d659ec23325c341a52d065e0] Merge branch 'driver-core-next' of https://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core.git git bisect bad 4cc60db652df7ae5d659ec23325c341a52d065e0 # bad: [e1d469c38defe7fcb8c6f62a2b7dbf4a103da300] Merge branch 'master' of https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git git bisect bad e1d469c38defe7fcb8c6f62a2b7dbf4a103da300 # good: [4678d11f294de0fd295a265e02955b5d1a4a2684] Merge branch into tip/master: 'x86/tdx' git bisect good 4678d11f294de0fd295a265e02955b5d1a4a2684 # bad: [9397e02d718fc52703d753f489042293cd807dd3] Merge branch 'next' of https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git git bisect bad 9397e02d718fc52703d753f489042293cd807dd3 # good: [c574bdb524095d24169e229b2e3b9318c72e733a] watchdog: ziirave_wdt: Use named initializers for struct i2c_device_id git bisect good c574bdb524095d24169e229b2e3b9318c72e733a # bad: [5568ff6b5e30c7736c24e2096e968c8785c2c245] Merge branch 'for-next-tpm' of https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git git bisect bad 5568ff6b5e30c7736c24e2096e968c8785c2c245 # bad: [23f6b2756d28e76464c7e87850d3d4f6d8c8b365] Merge branch 'next' of https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git git bisect bad 23f6b2756d28e76464c7e87850d3d4f6d8c8b365 # good: [ecf41f6218b58c72f1511e395e480f70a9f44889] selinux: reorder policydb_index() git bisect good ecf41f6218b58c72f1511e395e480f70a9f44889 # bad: [54067bacb49caeada82b20b6bd706dca0cb99ffc] selinux: hooks: use __getname() to allocate path buffer git bisect bad 54067bacb49caeada82b20b6bd706dca0cb99ffc # good: [2f0af91353cb64b54cfee5423820d2149039338d] selinux: check for simple types git bisect good 2f0af91353cb64b54cfee5423820d2149039338d # good: [bc3f08d1ef15ebbd32faf0b10cd9699b90b9d30c] selinux: use k[mz]alloc() to allocate temporary buffers git bisect good bc3f08d1ef15ebbd32faf0b10cd9699b90b9d30c # first bad commit: [54067bacb49caeada82b20b6bd706dca0cb99ffc] selinux: hooks: use __getname() to allocate path bufferquoted
If you happen to fix this, please add below tag. Reported-by: Venkat Rao Bagalkote <redacted>IMHO that commit should be reverted: __getname()/__putname() exist for a different purpose IIUC. __getname() does a kmalloc(PATH_MAX...), whereas we are then calling dentry_path_raw(..., PAGE_SIZE) immediately afterward. This assumes that PATH_MAX == PAGE_SIZE.
Alternatively, I suppose we could just update the dentry_path_raw() call to also pass PATH_MAX, but I don't see why we want to use __getname/__putname() instead of just direct kmalloc/kfree here so the size of the buffer is immediately evident to the reader.