Commit 4c132d1d844a ("x86/futex: Remove .fixup usage") introduced a new
extable fixup type, EX_TYPE_EFAULT_REG, and commit 4c132d1d844a
("x86/futex: Remove .fixup usage") updated the extable fixup type for
copy-from-user operations, changing it from EX_TYPE_UACCESS to
EX_TYPE_EFAULT_REG. The error context for copy-from-user operations no
longer functions as an in-kernel recovery context. Consequently, the error
context for copy-from-user operations no longer functions as an in-kernel
recovery context, resulting in kernel panics with the message: "Machine
check: Data load in unrecoverable area of kernel."
The critical aspect is identifying whether the error context involves a
read from user memory. We do not care about the ex-type if we know its a
MOV reading from userspace. is_copy_from_user() return true when both of
the following conditions are met:
- the current instruction is copy
- source address is user memory
So, use is_copy_from_user() to determin if a context is copy user directly.
Fixes: 4c132d1d844a ("x86/futex: Remove .fixup usage")
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
---
arch/x86/kernel/cpu/mce/severity.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/severity.c
index dac4d64dfb2a..cb021058165f 100644
--- a/arch/x86/kernel/cpu/mce/severity.c
+++ b/arch/x86/kernel/cpu/mce/severity.c
@@ -300,13 +300,12 @@ static noinstr int error_context(struct mce *m, struct pt_regs *regs)
copy_user = is_copy_from_user(regs);
instrumentation_end();
- switch (fixup_type) {
- case EX_TYPE_UACCESS:
- if (!copy_user)
- return IN_KERNEL;
- m->kflags |= MCE_IN_KERNEL_COPYIN;
- fallthrough;
+ if (copy_user) {
+ m->kflags |= MCE_IN_KERNEL_COPYIN | MCE_IN_KERNEL_COPYIN;
+ return IN_KERNEL_RECOV
+ }
+ switch (fixup_type) {
case EX_TYPE_FAULT_MCE_SAFE:
case EX_TYPE_DEFAULT_MCE_SAFE:
m->kflags |= MCE_IN_KERNEL_RECOV;
--
2.39.3Hi Shuai,
kernel test robot noticed the following build errors:
[auto build test ERROR on akpm-mm/mm-everything]
url: https://github.com/intel-lab-lkp/linux/commits/Shuai-Xue/x86-mce-Use-is_copy_from_user-to-determine-copy-from-user-context/20250306-101505
base: https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-everything
patch link: https://lore.kernel.org/r/20250306021031.5538-2-xueshuai%40linux.alibaba.com
patch subject: [PATCH v3 1/3] x86/mce: Use is_copy_from_user() to determine copy-from-user context
config: i386-buildonly-randconfig-005-20250307 (https://download.01.org/0day-ci/archive/20250307/202503071115.uNkoVksh-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250307/202503071115.uNkoVksh-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202503071115.uNkoVksh-lkp@intel.com/
All errors (new ones prefixed by >>):
arch/x86/kernel/cpu/mce/severity.c: In function 'error_context':
>> arch/x86/kernel/cpu/mce/severity.c:305:39: error: expected ';' before '}' token
305 | return IN_KERNEL_RECOV
| ^
| ;
306 | }
| ~
vim +305 arch/x86/kernel/cpu/mce/severity.c
274
275 /*
276 * If mcgstatus indicated that ip/cs on the stack were
277 * no good, then "m->cs" will be zero and we will have
278 * to assume the worst case (IN_KERNEL) as we actually
279 * have no idea what we were executing when the machine
280 * check hit.
281 * If we do have a good "m->cs" (or a faked one in the
282 * case we were executing in VM86 mode) we can use it to
283 * distinguish an exception taken in user from from one
284 * taken in the kernel.
285 */
286 static noinstr int error_context(struct mce *m, struct pt_regs *regs)
287 {
288 int fixup_type;
289 bool copy_user;
290
291 if ((m->cs & 3) == 3)
292 return IN_USER;
293
294 if (!mc_recoverable(m->mcgstatus))
295 return IN_KERNEL;
296
297 /* Allow instrumentation around external facilities usage. */
298 instrumentation_begin();
299 fixup_type = ex_get_fixup_type(m->ip);
300 copy_user = is_copy_from_user(regs);
301 instrumentation_end();
302
303 if (copy_user) {
304 m->kflags |= MCE_IN_KERNEL_COPYIN | MCE_IN_KERNEL_COPYIN;
> 305 return IN_KERNEL_RECOV
306 }
307
308 switch (fixup_type) {
309 case EX_TYPE_FAULT_MCE_SAFE:
310 case EX_TYPE_DEFAULT_MCE_SAFE:
311 m->kflags |= MCE_IN_KERNEL_RECOV;
312 return IN_KERNEL_RECOV;
313
314 default:
315 return IN_KERNEL;
316 }
317 }
318
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Shuai,
kernel test robot noticed the following build errors:
[auto build test ERROR on akpm-mm/mm-everything]
url: https://github.com/intel-lab-lkp/linux/commits/Shuai-Xue/x86-mce-Use-is_copy_from_user-to-determine-copy-from-user-context/20250306-101505
base: https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-everything
patch link: https://lore.kernel.org/r/20250306021031.5538-2-xueshuai%40linux.alibaba.com
patch subject: [PATCH v3 1/3] x86/mce: Use is_copy_from_user() to determine copy-from-user context
config: i386-buildonly-randconfig-002-20250307 (https://download.01.org/0day-ci/archive/20250307/202503071154.xQpKARjN-lkp@intel.com/config)
compiler: clang version 19.1.7 (https://github.com/llvm/llvm-project cd708029e0b2869e80abe31ddb175f7c35361f90)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250307/202503071154.xQpKARjN-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202503071154.xQpKARjN-lkp@intel.com/
All errors (new ones prefixed by >>):
In file included from arch/x86/kernel/cpu/mce/severity.c:16:
In file included from arch/x86/include/asm/traps.h:6:
In file included from include/linux/kprobes.h:28:
In file included from include/linux/ftrace.h:13:
In file included from include/linux/kallsyms.h:13:
In file included from include/linux/mm.h:2321:
include/linux/vmstat.h:518:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
518 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
>> arch/x86/kernel/cpu/mce/severity.c:305:25: error: expected ';' after return statement
305 | return IN_KERNEL_RECOV
| ^
| ;
1 warning and 1 error generated.
vim +305 arch/x86/kernel/cpu/mce/severity.c
274
275 /*
276 * If mcgstatus indicated that ip/cs on the stack were
277 * no good, then "m->cs" will be zero and we will have
278 * to assume the worst case (IN_KERNEL) as we actually
279 * have no idea what we were executing when the machine
280 * check hit.
281 * If we do have a good "m->cs" (or a faked one in the
282 * case we were executing in VM86 mode) we can use it to
283 * distinguish an exception taken in user from from one
284 * taken in the kernel.
285 */
286 static noinstr int error_context(struct mce *m, struct pt_regs *regs)
287 {
288 int fixup_type;
289 bool copy_user;
290
291 if ((m->cs & 3) == 3)
292 return IN_USER;
293
294 if (!mc_recoverable(m->mcgstatus))
295 return IN_KERNEL;
296
297 /* Allow instrumentation around external facilities usage. */
298 instrumentation_begin();
299 fixup_type = ex_get_fixup_type(m->ip);
300 copy_user = is_copy_from_user(regs);
301 instrumentation_end();
302
303 if (copy_user) {
304 m->kflags |= MCE_IN_KERNEL_COPYIN | MCE_IN_KERNEL_COPYIN;
> 305 return IN_KERNEL_RECOV
306 }
307
308 switch (fixup_type) {
309 case EX_TYPE_FAULT_MCE_SAFE:
310 case EX_TYPE_DEFAULT_MCE_SAFE:
311 m->kflags |= MCE_IN_KERNEL_RECOV;
312 return IN_KERNEL_RECOV;
313
314 default:
315 return IN_KERNEL;
316 }
317 }
318
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
> diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/severity.c
> index dac4d64dfb2a..cb021058165f 100644
> --- a/arch/x86/kernel/cpu/mce/severity.c
> +++ b/arch/x86/kernel/cpu/mce/severity.c
> @@ -300,13 +300,12 @@ static noinstr int error_context(struct mce *m, struct pt_regs *regs)
> copy_user = is_copy_from_user(regs);
> instrumentation_end();
>
> - switch (fixup_type) {
> - case EX_TYPE_UACCESS:
> - if (!copy_user)
> - return IN_KERNEL;
> - m->kflags |= MCE_IN_KERNEL_COPYIN;
> - fallthrough;
> + if (copy_user) {
> + m->kflags |= MCE_IN_KERNEL_COPYIN | MCE_IN_KERNEL_COPYIN;
You have " MCE_IN_KERNEL_COPYIN" twice here.
> + return IN_KERNEL_RECOV
> + }
>
> + switch (fixup_type) {
> case EX_TYPE_FAULT_MCE_SAFE:
> case EX_TYPE_DEFAULT_MCE_SAFE:
> m->kflags |= MCE_IN_KERNEL_RECOV;
> --
-Tony
在 2025/3/7 02:15, Luck, Tony 写道:
>> diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/severity.c
>> index dac4d64dfb2a..cb021058165f 100644
>> --- a/arch/x86/kernel/cpu/mce/severity.c
>> +++ b/arch/x86/kernel/cpu/mce/severity.c
>> @@ -300,13 +300,12 @@ static noinstr int error_context(struct mce *m, struct pt_regs *regs)
>> copy_user = is_copy_from_user(regs);
>> instrumentation_end();
>>
>> - switch (fixup_type) {
>> - case EX_TYPE_UACCESS:
>> - if (!copy_user)
>> - return IN_KERNEL;
>> - m->kflags |= MCE_IN_KERNEL_COPYIN;
>> - fallthrough;
>> + if (copy_user) {
>> + m->kflags |= MCE_IN_KERNEL_COPYIN | MCE_IN_KERNEL_COPYIN;
>
> You have " MCE_IN_KERNEL_COPYIN" twice here.
Sorry for this noise, please ignore this version,
I resend a new ready version, please see:
https://lore.kernel.org/linux-mm/20250307054404.73877-1-xueshuai@linux.alibaba.com/
Thanks
Shuai
在 2025/3/7 02:15, Luck, Tony 写道:
>> diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/severity.c
>> index dac4d64dfb2a..cb021058165f 100644
>> --- a/arch/x86/kernel/cpu/mce/severity.c
>> +++ b/arch/x86/kernel/cpu/mce/severity.c
>> @@ -300,13 +300,12 @@ static noinstr int error_context(struct mce *m, struct pt_regs *regs)
>> copy_user = is_copy_from_user(regs);
>> instrumentation_end();
>>
>> - switch (fixup_type) {
>> - case EX_TYPE_UACCESS:
>> - if (!copy_user)
>> - return IN_KERNEL;
>> - m->kflags |= MCE_IN_KERNEL_COPYIN;
>> - fallthrough;
>> + if (copy_user) {
>> + m->kflags |= MCE_IN_KERNEL_COPYIN | MCE_IN_KERNEL_COPYIN;
>
> You have " MCE_IN_KERNEL_COPYIN" twice here.
Sorry, I forgot to format a new patch and send a old version.
The corrected one:
---
arch/x86/kernel/cpu/mce/severity.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/severity.c
index dac4d64dfb2a..2235a7477436 100644
--- a/arch/x86/kernel/cpu/mce/severity.c
+++ b/arch/x86/kernel/cpu/mce/severity.c
@@ -300,13 +300,12 @@ static noinstr int error_context(struct mce *m, struct pt_regs *regs)
copy_user = is_copy_from_user(regs);
instrumentation_end();
- switch (fixup_type) {
- case EX_TYPE_UACCESS:
- if (!copy_user)
- return IN_KERNEL;
- m->kflags |= MCE_IN_KERNEL_COPYIN;
- fallthrough;
+ if (copy_user) {
+ m->kflags |= MCE_IN_KERNEL_COPYIN | MCE_IN_KERNEL_RECOV;
+ return IN_KERNEL_RECOV;
+ }
+ switch (fixup_type) {
case EX_TYPE_FAULT_MCE_SAFE:
case EX_TYPE_DEFAULT_MCE_SAFE:
m->kflags |= MCE_IN_KERNEL_RECOV;
Will fix it in next version.
Thanks.
Shuai
© 2016 - 2026 Red Hat, Inc.