[PATCH 0/3] ARM: fix hash_name() and branch predictor issues

Tue Dec 9 00:56:27 PST 2025

Hi, Russell!

TL; DR:
patch1 and patch2 with compilation error fixed:

Tested-by: Xie Yuanbin <xieyuanbin1 at huawei.com>

patch3:
The simple test case passed, but the syzkaller test (the original
scenario that triggered the branch predictor issue) is still running.
The syzkaller test is better to run for a day.

All patches with compilation error fixed:

Reviewed-by: Xie Yuanbin <xieyuanbin1 at huawei.com>


Detailed Description:

On Tue, 9 Dec 2025 10:52:16 +0800, Xie Yuanbin wrote:
> On Mon, 8 Dec 2025 16:47:24 +0000, Russell King wrote:
>> Also, would you mind giving ASAP some tested-by/reviewed-by for these
>> patches so they can be pushed out to linux-next for a bit of testing
>> there pelase? I'm on vacation from Thursday, so time is very short
>> to get these out - if we're not ready by Wednesday, then it'll be the
>> new year, possibly after the 11th January, before I can do anything
>> further (medical stuff.)
>>
>> Thanks.
>
> As mentioned in the previous email, this(these patches) should be the
> best solution, I think. And I have carefully read the three patches, so:
>
> Reviewed-by: Xie Yuanbin <xieyuanbin1 at huawei.com>
>
> As for testing, I can perform some simple tests myself, and I am trying
> to let the testing team to help with some further testing, like
> syzkaller.

Your first patch caused a compilation error: is_permission_fault() is not
defined. I fixed it with this patch:
```patch

diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
index 2bc828a1940c..7082ba87e886 100644
--- a/arch/arm/mm/fault.c
+++ b/arch/arm/mm/fault.c
@@ -143,6 +143,21 @@ static void die_kernel_fault(const char *msg, struct mm_struct *mm,
 	make_task_dead(SIGKILL);
 }

+static inline bool is_permission_fault(unsigned int fsr)
+{
+#ifdef CONFIG_MMU
+	int fs = fsr_fs(fsr);
+#ifdef CONFIG_ARM_LPAE
+	if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
+		return true;
+#else
+	if (fs == FS_L1_PERM || fs == FS_L2_PERM)
+		return true;
+#endif
+#endif
+	return false;
+}
+
 /*
  * Oops.  The kernel tried to access some page that wasn't present.
  */
@@ -225,19 +240,6 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
 }

 #ifdef CONFIG_MMU
-static inline bool is_permission_fault(unsigned int fsr)
-{
-	int fs = fsr_fs(fsr);
-#ifdef CONFIG_ARM_LPAE
-	if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL)
-		return true;
-#else
-	if (fs == FS_L1_PERM || fs == FS_L2_PERM)
-		return true;
-#endif
-	return false;
-}
-
 #ifdef CONFIG_CPU_TTBR0_PAN
 static inline bool ttbr0_usermode_access_allowed(struct pt_regs *regs)
 {
```
With the compilation error fixing patch first, and then your three
patches, and then Liyuan's patch:
Link: https://lore.kernel.org/20251127025848.363992-1-pangliyuan1@huawei.com
The current testing situation is as follows:

1. About the hash_name() fault issue:
Simple test case:
Link: https://lore.kernel.org/20251127140109.191657-1-xieyuanbin1@huawei.com
that can trigger this issue, as well as the original scenario which
trigger this issue, have passed the tests.

So patch1 and patch2:

Tested-by: Xie Yuanbin <xieyuanbin1 at huawei.com>

2. About the branch predictor issue:
Simple test cases (Link same as above) that can trigger this issue, has
passed the tests. However, the original scenario which trigger the issue
is the syzkaller test, which might take some time, possibly around a day.

