Re: PowerPC: Random memory corruption causing kernel oops on Power11

[Stephen Smalley]

On Fri, May 29, 2026 at 11:02 AM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Fri, May 29, 2026 at 9:40 AM Venkat Rao Bagalkote
> <venkat88@xxxxxxxxxxxxx> wrote:
> >
> >
> > On 29/05/26 12:20 pm, Venkat Rao Bagalkote wrote:
> > > Greetings!!!
> > >
> > > Kernel 7.1.0-rc5-next-20260528 crashes randomly on IBM Power11
> > > hardware. Attached is the config file.
> > >
> > > **System:**
> > > - Hardware: IBM 9080-HEX Power11, pSeries
> > > - Broken: 7.1.0-rc5-next-20260528
> > > - Config: 64K pages, Radix MMU
> > >
> > >
> > > **Problem:**
> > > Different crash at each reboot.
> > >
> > >
> > > **Example Crash 1:**
> > >
> > > [    4.678016] BUG: Unable to handle kernel data access at
> > > 0xbffffffefec10628
> > > [    4.678112] NIP [c008000004e3c74c]
> > > xfs_dir2_block_lookup_int+0xd4/0x300 [xfs]
> > > [    4.678281] [c000000005eaf7d0] [c008000004e3c6d4]
> > > xfs_dir2_block_lookup_int+0x5c/0x300 [xfs]
> > > [    4.678363] [c000000005eaf850] [c008000004e3d56c]
> > > xfs_dir2_block_lookup+0x44/0x1e0 [xfs]
> > >
> > >
> > > **Example Crash 2:**
> > >
> > > [    6.327116] BUG: Unable to handle kernel data access at
> > > 0x762f736563697695
> > > [    6.327242] NIP [c00000000073cf34] __refill_obj_stock+0x74/0x2c0
> > > [    6.327261] [c0000013ffdbfd10] [c0000000007418b8]
> > > obj_cgroup_uncharge+0x48/0x70
> > > [    6.327271] [c0000013ffdbfd50] [c00000000062fffc]
> > > free_percpu.part.0+0x12c/0x630
> > >
> > >
> >
> > Git bisect is pointing to 54067bacb49c selinux: hooks: use __getname()
> > to allocate path buffer as the first bad commit.
> >
> >
> > # git bisect good
> > 54067bacb49caeada82b20b6bd706dca0cb99ffc is the first bad commit
> > commit 54067bacb49caeada82b20b6bd706dca0cb99ffc
> > Author: Mike Rapoport (Microsoft) <rppt@xxxxxxxxxx>
> > Date:   Wed May 20 11:18:56 2026 +0300
> >
> >      selinux: hooks: use __getname() to allocate path buffer
> >
> >      selinux_genfs_get_sid() allocates memory for a path with
> > __get_free_page()
> >      although there is a dedicated helper for allocation of file paths:
> >      __getname().
> >
> >      Replace __get_free_page() for allocation of a path buffer with
> > __getname().
> >
> >      Signed-off-by: Mike Rapoport (Microsoft) <rppt@xxxxxxxxxx>
> >      Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> >
> >   security/selinux/hooks.c | 4 ++--
> >   1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > # git bisect log
> > git bisect start
> > # status: waiting for both good and bad commits
> > # good: [e7ae89a0c97ce2b68b0983cd01eda67cf373517d] Linux 7.1-rc5
> > git bisect good e7ae89a0c97ce2b68b0983cd01eda67cf373517d
> > # status: waiting for bad commit, 1 good commit known
> > # bad: [f7af91adc230aa99e23330ecf85bc9badd9780ad] Add linux-next
> > specific files for 20260528
> > git bisect bad f7af91adc230aa99e23330ecf85bc9badd9780ad
> > # good: [7189ebc81d5e4cb4e03dc4040b07c582b95b09d5] Merge branch
> > 'nand/next' of https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git
> > git bisect good 7189ebc81d5e4cb4e03dc4040b07c582b95b09d5
> > # skip: [d22aa6f023f3fc275e1f994045a6b347288b2e5a] Merge branch
> > 'watchdog-next' of
> > https://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging.git
> > git bisect skip d22aa6f023f3fc275e1f994045a6b347288b2e5a
> > # good: [40d5349aaaae55ec62451bfacc6189cf44ce02cb] iio: adc: ti-ads1298:
> > Add parentheses around macro parameter
> > git bisect good 40d5349aaaae55ec62451bfacc6189cf44ce02cb
> > # good: [6665ab5cf8e74edba571d3d2f31e575f89373dfd] Merge branch
> > 'next-integrity' of
> > https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
> > git bisect good 6665ab5cf8e74edba571d3d2f31e575f89373dfd
> > # bad: [4cc60db652df7ae5d659ec23325c341a52d065e0] Merge branch
> > 'driver-core-next' of
> > https://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core.git
> > git bisect bad 4cc60db652df7ae5d659ec23325c341a52d065e0
> > # bad: [e1d469c38defe7fcb8c6f62a2b7dbf4a103da300] Merge branch 'master'
> > of https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git
> > git bisect bad e1d469c38defe7fcb8c6f62a2b7dbf4a103da300
> > # good: [4678d11f294de0fd295a265e02955b5d1a4a2684] Merge branch into
> > tip/master: 'x86/tdx'
> > git bisect good 4678d11f294de0fd295a265e02955b5d1a4a2684
> > # bad: [9397e02d718fc52703d753f489042293cd807dd3] Merge branch 'next' of
> > https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
> > git bisect bad 9397e02d718fc52703d753f489042293cd807dd3
> > # good: [c574bdb524095d24169e229b2e3b9318c72e733a] watchdog:
> > ziirave_wdt: Use named initializers for struct i2c_device_id
> > git bisect good c574bdb524095d24169e229b2e3b9318c72e733a
> > # bad: [5568ff6b5e30c7736c24e2096e968c8785c2c245] Merge branch
> > 'for-next-tpm' of
> > https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git
> > git bisect bad 5568ff6b5e30c7736c24e2096e968c8785c2c245
> > # bad: [23f6b2756d28e76464c7e87850d3d4f6d8c8b365] Merge branch 'next' of
> > https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
> > git bisect bad 23f6b2756d28e76464c7e87850d3d4f6d8c8b365
> > # good: [ecf41f6218b58c72f1511e395e480f70a9f44889] selinux: reorder
> > policydb_index()
> > git bisect good ecf41f6218b58c72f1511e395e480f70a9f44889
> > # bad: [54067bacb49caeada82b20b6bd706dca0cb99ffc] selinux: hooks: use
> > __getname() to allocate path buffer
> > git bisect bad 54067bacb49caeada82b20b6bd706dca0cb99ffc
> > # good: [2f0af91353cb64b54cfee5423820d2149039338d] selinux: check for
> > simple types
> > git bisect good 2f0af91353cb64b54cfee5423820d2149039338d
> > # good: [bc3f08d1ef15ebbd32faf0b10cd9699b90b9d30c] selinux: use
> > k[mz]alloc() to allocate temporary buffers
> > git bisect good bc3f08d1ef15ebbd32faf0b10cd9699b90b9d30c
> > # first bad commit: [54067bacb49caeada82b20b6bd706dca0cb99ffc] selinux:
> > hooks: use __getname() to allocate path buffer
> >
> >
> > > If you happen to fix this, please add below tag.
> > >
> > > Reported-by: Venkat Rao Bagalkote <venkat88@xxxxxxxxxxxxx>
>
> IMHO that commit should be reverted:
> __getname()/__putname() exist for a different purpose IIUC.
> __getname() does a kmalloc(PATH_MAX...), whereas we are then calling
> dentry_path_raw(..., PAGE_SIZE) immediately afterward.
> This assumes that PATH_MAX == PAGE_SIZE.

Alternatively, I suppose we could just update the dentry_path_raw()
call to also pass PATH_MAX, but
I don't see why we want to use __getname/__putname() instead of just
direct kmalloc/kfree here so
the size of the buffer is immediately evident to the reader.