Re: PowerPC: Random memory corruption causing kernel oops on Power11

[Stephen Smalley]

On Fri, May 29, 2026 at 9:40 AM Venkat Rao Bagalkote
<venkat88@xxxxxxxxxxxxx> wrote:
>
>
> On 29/05/26 12:20 pm, Venkat Rao Bagalkote wrote:
> > Greetings!!!
> >
> > Kernel 7.1.0-rc5-next-20260528 crashes randomly on IBM Power11
> > hardware. Attached is the config file.
> >
> > **System:**
> > - Hardware: IBM 9080-HEX Power11, pSeries
> > - Broken: 7.1.0-rc5-next-20260528
> > - Config: 64K pages, Radix MMU
> >
> >
> > **Problem:**
> > Different crash at each reboot.
> >
> >
> > **Example Crash 1:**
> >
> > [    4.678016] BUG: Unable to handle kernel data access at
> > 0xbffffffefec10628
> > [    4.678112] NIP [c008000004e3c74c]
> > xfs_dir2_block_lookup_int+0xd4/0x300 [xfs]
> > [    4.678281] [c000000005eaf7d0] [c008000004e3c6d4]
> > xfs_dir2_block_lookup_int+0x5c/0x300 [xfs]
> > [    4.678363] [c000000005eaf850] [c008000004e3d56c]
> > xfs_dir2_block_lookup+0x44/0x1e0 [xfs]
> >
> >
> > **Example Crash 2:**
> >
> > [    6.327116] BUG: Unable to handle kernel data access at
> > 0x762f736563697695
> > [    6.327242] NIP [c00000000073cf34] __refill_obj_stock+0x74/0x2c0
> > [    6.327261] [c0000013ffdbfd10] [c0000000007418b8]
> > obj_cgroup_uncharge+0x48/0x70
> > [    6.327271] [c0000013ffdbfd50] [c00000000062fffc]
> > free_percpu.part.0+0x12c/0x630
> >
> >
>
> Git bisect is pointing to 54067bacb49c selinux: hooks: use __getname()
> to allocate path buffer as the first bad commit.
>
>
> # git bisect good
> 54067bacb49caeada82b20b6bd706dca0cb99ffc is the first bad commit
> commit 54067bacb49caeada82b20b6bd706dca0cb99ffc
> Author: Mike Rapoport (Microsoft) <rppt@xxxxxxxxxx>
> Date:   Wed May 20 11:18:56 2026 +0300
>
>      selinux: hooks: use __getname() to allocate path buffer
>
>      selinux_genfs_get_sid() allocates memory for a path with
> __get_free_page()
>      although there is a dedicated helper for allocation of file paths:
>      __getname().
>
>      Replace __get_free_page() for allocation of a path buffer with
> __getname().
>
>      Signed-off-by: Mike Rapoport (Microsoft) <rppt@xxxxxxxxxx>
>      Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
>
>   security/selinux/hooks.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> # git bisect log
> git bisect start
> # status: waiting for both good and bad commits
> # good: [e7ae89a0c97ce2b68b0983cd01eda67cf373517d] Linux 7.1-rc5
> git bisect good e7ae89a0c97ce2b68b0983cd01eda67cf373517d
> # status: waiting for bad commit, 1 good commit known
> # bad: [f7af91adc230aa99e23330ecf85bc9badd9780ad] Add linux-next
> specific files for 20260528
> git bisect bad f7af91adc230aa99e23330ecf85bc9badd9780ad
> # good: [7189ebc81d5e4cb4e03dc4040b07c582b95b09d5] Merge branch
> 'nand/next' of https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git
> git bisect good 7189ebc81d5e4cb4e03dc4040b07c582b95b09d5
> # skip: [d22aa6f023f3fc275e1f994045a6b347288b2e5a] Merge branch
> 'watchdog-next' of
> https://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git
> git bisect skip d22aa6f023f3fc275e1f994045a6b347288b2e5a
> # good: [40d5349aaaae55ec62451bfacc6189cf44ce02cb] iio: adc: ti-ads1298:
> Add parentheses around macro parameter
> git bisect good 40d5349aaaae55ec62451bfacc6189cf44ce02cb
> # good: [6665ab5cf8e74edba571d3d2f31e575f89373dfd] Merge branch
> 'next-integrity' of
> https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
> git bisect good 6665ab5cf8e74edba571d3d2f31e575f89373dfd
> # bad: [4cc60db652df7ae5d659ec23325c341a52d065e0] Merge branch
> 'driver-core-next' of
> https://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core.git
> git bisect bad 4cc60db652df7ae5d659ec23325c341a52d065e0
> # bad: [e1d469c38defe7fcb8c6f62a2b7dbf4a103da300] Merge branch 'master'
> of https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
> git bisect bad e1d469c38defe7fcb8c6f62a2b7dbf4a103da300
> # good: [4678d11f294de0fd295a265e02955b5d1a4a2684] Merge branch into
> tip/master: 'x86/tdx'
> git bisect good 4678d11f294de0fd295a265e02955b5d1a4a2684
> # bad: [9397e02d718fc52703d753f489042293cd807dd3] Merge branch 'next' of
> https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
> git bisect bad 9397e02d718fc52703d753f489042293cd807dd3
> # good: [c574bdb524095d24169e229b2e3b9318c72e733a] watchdog:
> ziirave_wdt: Use named initializers for struct i2c_device_id
> git bisect good c574bdb524095d24169e229b2e3b9318c72e733a
> # bad: [5568ff6b5e30c7736c24e2096e968c8785c2c245] Merge branch
> 'for-next-tpm' of
> https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git
> git bisect bad 5568ff6b5e30c7736c24e2096e968c8785c2c245
> # bad: [23f6b2756d28e76464c7e87850d3d4f6d8c8b365] Merge branch 'next' of
> https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
> git bisect bad 23f6b2756d28e76464c7e87850d3d4f6d8c8b365
> # good: [ecf41f6218b58c72f1511e395e480f70a9f44889] selinux: reorder
> policydb_index()
> git bisect good ecf41f6218b58c72f1511e395e480f70a9f44889
> # bad: [54067bacb49caeada82b20b6bd706dca0cb99ffc] selinux: hooks: use
> __getname() to allocate path buffer
> git bisect bad 54067bacb49caeada82b20b6bd706dca0cb99ffc
> # good: [2f0af91353cb64b54cfee5423820d2149039338d] selinux: check for
> simple types
> git bisect good 2f0af91353cb64b54cfee5423820d2149039338d
> # good: [bc3f08d1ef15ebbd32faf0b10cd9699b90b9d30c] selinux: use
> k[mz]alloc() to allocate temporary buffers
> git bisect good bc3f08d1ef15ebbd32faf0b10cd9699b90b9d30c
> # first bad commit: [54067bacb49caeada82b20b6bd706dca0cb99ffc] selinux:
> hooks: use __getname() to allocate path buffer
>
>
> > If you happen to fix this, please add below tag.
> >
> > Reported-by: Venkat Rao Bagalkote <venkat88@xxxxxxxxxxxxx>

IMHO that commit should be reverted:
__getname()/__putname() exist for a different purpose IIUC.
__getname() does a kmalloc(PATH_MAX...), whereas we are then calling
dentry_path_raw(..., PAGE_SIZE) immediately afterward.
This assumes that PATH_MAX == PAGE_SIZE.