From patchwork Tue Nov 15 22:26:19 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: tip-bot2 for Thomas Gleixner X-Patchwork-Id: 20612 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp2970825wru; Tue, 15 Nov 2022 14:27:26 -0800 (PST) X-Google-Smtp-Source: AA0mqf6lF2X7nd8rcxeBCPZGWZlmSnVgBxhzCQFn82Y4gVey+1hVj0omd7xM9sDakcrlLU8dGRB4 X-Received: by 2002:a17:906:b08:b0:7ad:79c0:4669 with SMTP id u8-20020a1709060b0800b007ad79c04669mr15693651ejg.395.1668551246444; Tue, 15 Nov 2022 14:27:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668551246; cv=none; d=google.com; s=arc-20160816; b=JhvM9h6S/YhtPhkv59WvnBlcGGc9eGeIeqCa4x7JbZXtZLe69pNCDKg19ejlI6QiQA C7pPk4uQSka/6xBM4oX4rpTF+JIrg7Lh/u8VvcjACjASnU7vWkAy4MbtzeFiv2yx4PEm adgMKKSY9XVO2Yur5/RPUE4vAFbUg5GbdhU0nDnfA+mzB39+faqEQFp300UMAKIqcrSm 9xKoZNKjblSEhamBRg88BE/wWdtxpacPhG9lfxhfoFzCV1xiIYDVRxOxScsWgbnimWet Rdsasoko0rFZMzTWCzk5LFYuaiDCS6KLGiUkCrKdL7lAaux/v7TfJc4RRx5Orn4uNbhg p3NA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:robot-unsubscribe :robot-id:message-id:mime-version:references:in-reply-to:cc:subject :to:reply-to:sender:from:dkim-signature:dkim-signature:date; bh=7OYuXmQLawd51qKNr64PRZ39cGPqFXSgjC1iFxxF37c=; b=SFsBL4i5lThUGMoBVRLzpvh+avo7qodrCR7cNhhhGi6FrkVnINiOPjTIUWvpQ3Jl1V rFuytatdbkRBSj/ITfT3fwMmcdbD6QJf+fT5daevy7WXjG3WiK6/hbwH36R+f0M08C09 3mi5m2ynrJri8Ql0/4ledmJgcRVPZg4cSMiEo5H0I6vmGoWUf2mLbcFXs/hJIgbWUN+1 nfBbbjy1C8Ma8Wob/fUgKCH83d/oU3+Uz4euywjasxsijai5bBiq11ucEnSmbixp4dgp qPuH1eFN79ESnsDjk7UDkKkXPbP19ek2M7E5Q3JNsYdn2Lz9nvioiO5HrHE97sU7EtmW TTKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=Xbj2KfyF; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e header.b="/lmT9rn3"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id js22-20020a17090797d600b007aed5ffeffbsi12886713ejc.78.2022.11.15.14.27.03; Tue, 15 Nov 2022 14:27:26 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=Xbj2KfyF; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e header.b="/lmT9rn3"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231902AbiKOW0s (ORCPT + 99 others); Tue, 15 Nov 2022 17:26:48 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60318 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232330AbiKOW0g (ORCPT ); Tue, 15 Nov 2022 17:26:36 -0500 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C49D93134B; Tue, 15 Nov 2022 14:26:22 -0800 (PST) Date: Tue, 15 Nov 2022 22:26:19 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1668551181; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=7OYuXmQLawd51qKNr64PRZ39cGPqFXSgjC1iFxxF37c=; b=Xbj2KfyFJHZ/kRj76l3gofj0dRBxMvU32m51cSYfXOfvosHg1uyOmkRUyDmi8KLdAvboTj yK3hfgMrKKMXF753AuFx2vKA96WbDeMalPCq8LdBTnZD/vgBl4HvSP+WJQqQvZ4scdmkNv VC7gH6dil0QN1yF+aEFJlnV0gxhwCLwIpA3ZB4uwAyhRN4eQMJRqUVvAPvzqixfwIXlTBf 63in4ykEVGjZD6AamK2axkemAqtj3Xu/y5V/tNtKUqThqqZYUAt87e84qBg4y+k6ylE5Ly LhmqFO7F296g1PHEY/bM9+NTj9cMGYa5mTNSykwxjZQOTNQ5bjmv/K/DejiiwQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1668551181; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=7OYuXmQLawd51qKNr64PRZ39cGPqFXSgjC1iFxxF37c=; b=/lmT9rn3OneJKE2GxJBJNntMQLAhMjORcqw2mVdfQ2GSoJKRxZUzxMPyORohDt/FaV+JD7 RhtmuADlbs/HbjBg== From: "tip-bot2 for Sean Christopherson" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: x86/mm] x86/kasan: Populate shadow for shared chunk of the CPU entry area Cc: syzbot+8cdd16fd5a6c0565e227@syzkaller.appspotmail.com, Sean Christopherson , "Peter Zijlstra (Intel)" , x86@kernel.org, linux-kernel@vger.kernel.org In-Reply-To: <20221110203504.1985010-6-seanjc@google.com> References: <20221110203504.1985010-6-seanjc@google.com> MIME-Version: 1.0 Message-ID: <166855117928.4906.1007702732315268156.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1749143316306858415?= X-GMAIL-MSGID: =?utf-8?q?1749602791820065680?= The following commit has been merged into the x86/mm branch of tip: Commit-ID: f2089aa0cd8e52564240a93ea1e4bb643c0ed34c Gitweb: https://git.kernel.org/tip/f2089aa0cd8e52564240a93ea1e4bb643c0ed34c Author: Sean Christopherson AuthorDate: Thu, 10 Nov 2022 20:35:04 Committer: Peter Zijlstra CommitterDate: Tue, 15 Nov 2022 22:30:00 +01:00 x86/kasan: Populate shadow for shared chunk of the CPU entry area Popuplate the shadow for the shared portion of the CPU entry area, i.e. the read-only IDT mapping, during KASAN initialization. A recent change modified KASAN to map the per-CPU areas on-demand, but forgot to keep a shadow for the common area that is shared amongst all CPUs. Map the common area in KASAN init instead of letting idt_map_in_cea() do the dirty work so that it Just Works in the unlikely event more shared data is shoved into the CPU entry area. The bug manifests as a not-present #PF when software attempts to lookup an IDT entry, e.g. when KVM is handling IRQs on Intel CPUs (KVM performs direct CALL to the IRQ handler to avoid the overhead of INTn): BUG: unable to handle page fault for address: fffffbc0000001d8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 16c03a067 P4D 16c03a067 PUD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 5 PID: 901 Comm: repro Tainted: G W 6.1.0-rc3+ #410 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:kasan_check_range+0xdf/0x190 vmx_handle_exit_irqoff+0x152/0x290 [kvm_intel] vcpu_run+0x1d89/0x2bd0 [kvm] kvm_arch_vcpu_ioctl_run+0x3ce/0xa70 [kvm] kvm_vcpu_ioctl+0x349/0x900 [kvm] __x64_sys_ioctl+0xb8/0xf0 do_syscall_64+0x2b/0x50 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Fixes: 9fd429c28073 ("x86/kasan: Map shadow for percpu pages on demand") Reported-by: syzbot+8cdd16fd5a6c0565e227@syzkaller.appspotmail.com Signed-off-by: Sean Christopherson Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20221110203504.1985010-6-seanjc@google.com --- arch/x86/mm/kasan_init_64.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c index afc5e12..0302491 100644 --- a/arch/x86/mm/kasan_init_64.c +++ b/arch/x86/mm/kasan_init_64.c @@ -341,7 +341,7 @@ void __init kasan_populate_shadow_for_vaddr(void *va, size_t size, int nid) void __init kasan_init(void) { - unsigned long shadow_cea_begin, shadow_cea_end; + unsigned long shadow_cea_begin, shadow_cea_per_cpu_begin, shadow_cea_end; int i; memcpy(early_top_pgt, init_top_pgt, sizeof(early_top_pgt)); @@ -384,6 +384,7 @@ void __init kasan_init(void) } shadow_cea_begin = kasan_mem_to_shadow_align_down(CPU_ENTRY_AREA_BASE); + shadow_cea_per_cpu_begin = kasan_mem_to_shadow_align_up(CPU_ENTRY_AREA_PER_CPU); shadow_cea_end = kasan_mem_to_shadow_align_up(CPU_ENTRY_AREA_BASE + CPU_ENTRY_AREA_MAP_SIZE); @@ -409,6 +410,15 @@ void __init kasan_init(void) kasan_mem_to_shadow((void *)VMALLOC_END + 1), (void *)shadow_cea_begin); + /* + * Populate the shadow for the shared portion of the CPU entry area. + * Shadows for the per-CPU areas are mapped on-demand, as each CPU's + * area is randomly placed somewhere in the 512GiB range and mapping + * the entire 512GiB range is prohibitively expensive. + */ + kasan_populate_shadow(shadow_cea_begin, + shadow_cea_per_cpu_begin, 0); + kasan_populate_early_shadow((void *)shadow_cea_end, kasan_mem_to_shadow((void *)__START_KERNEL_map));