From: haibinzhang(张海斌)
To: Catalin Marinas, Will Deacon, Ard Biesheuvel, Mark Rutland, "linux-arm-kernel@lists.infradead.org", "linux-kernel@vger.kernel.org"
Subject: [PATCH] arm64: fix oops in concurrently setting insn_emulation sysctls
Date: Fri, 1 Jul 2022 02:27:17 +0000

How to reproduce:
    launch two shell executions:
       #!/bin/bash
       while [ 1 ];
       do
           echo 1 > /proc/sys/abi/swp
       done

Oops info:
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
    Internal error: Oops: 96000006 [#1] SMP
    Call trace:
     update_insn_emulation_mode+0xc0/0x148
     emulation_proc_handler+0x64/0xb8
     proc_sys_call_handler+0x9c/0xf8
     proc_sys_write+0x18/0x20
     __vfs_write+0x20/0x48
     vfs_write+0xe4/0x1d0
     ksys_write+0x70/0xf8
     __arm64_sys_write+0x20/0x28
     el0_svc_common.constprop.0+0x7c/0x1c0
     el0_svc_handler+0x2c/0xa0
     el0_svc+0x8/0x200

emulation_proc_handler changes table->data for proc_dointvec_minmax and
so it isn't allowed to reenter before restoring table->data, which isn't
right now.
To fix this issue, add mutual exclusion covering the related code section.

Signed-off-by: Haibin Zhang
---
 arch/arm64/kernel/armv8_deprecated.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8= _deprecated.c index 6875a16..c519792 100644
--- a/arch/arm64/kernel/armv8_deprecated.c +++ b/arch/arm64/kernel/armv8_deprecated.c @@ -207,8 +207,12 @@ static int emulation_proc_handler(struct ctl_table *ta= ble, int write, loff_t *ppos) { int ret =3D 0; - struct insn_emulation *insn =3D (struct insn_emulation *) table->data; - enum insn_emulation_mode prev_mode =3D insn->current_mode; + struct insn_emulation *insn; + enum insn_emulation_mode prev_mode; + + raw_spin_lock(&insn_emulation_lock); + insn =3D (struct insn_emulation *) table->data; + prev_mode =3D insn->current_mode; =20 table->data =3D &insn->current_mode; ret =3D proc_dointvec_minmax(table, write, buffer, lenp, ppos); @@ -224,6 +228,7 @@ static int emulation_proc_handler(struct ctl_table *tab= le, int write, } ret: table->data =3D insn; + raw_spin_unlock(&insn_emulation_lock); return ret; } =20 --=20 1.8.3.1
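
Review bot: In the first hunk, raw_spin_lock(&insn_emulation_lock) is taken with interrupts left enabled and is then held across proc_dointvec_minmax() and everything else up to the ret: label, which includes the update_insn_emulation_mode() call that appears in the oops trace. A raw spinlock section must not sleep, and the diff adds no definition for insn_emulation_lock, so it reuses a lock that other code in this file may already take. Please confirm that nothing on this path sleeps or acquires the same lock again, or serialise the handler with a mutex dedicated to the sysctl write path, and say in the changelog why the chosen primitive is safe here.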
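
Review bot: In the second hunk the only raw_spin_unlock() sits after the ret: label, so every exit from emulation_proc_handler() has to pass through that label; a direct return anywhere between the two hunks would leave insn_emulation_lock held and table->data still pointing at &insn->current_mode. Please check the lines between the hunks for early returns and add a comment at the lock site stating that table->data is only valid as a struct insn_emulation pointer while the lock is not held. It is also worth considering whether the swap and restore of table->data can be dropped entirely by keeping table->data constant and recovering the struct insn_emulation pointer with container_of(), which would remove the window this lock is papering over.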