Currently, vmalloc space is backed by the early shadow page. This
means that kasan is incompatible with VMAP_STACK, and it also provides
a hurdle for architectures that do not have a dedicated module space
(like powerpc64).
This series provides a mechanism to back vmalloc space with real,
dynamically allocated memory. I have only wired up x86, because that's
the only currently supported arch I can work with easily, but it's
very easy to wire up other architectures.
This has been discussed before in the context of VMAP_STACK:
- https://bugzilla.kernel.org/show_bug.cgi?id=202009
- https://lkml.org/lkml/2018/7/22/198
- https://lkml.org/lkml/2019/7/19/822
In terms of implementation details:
Most mappings in vmalloc space are small, requiring less than a full
page of shadow space. Allocating a full shadow page per mapping would
therefore be wasteful. Furthermore, to ensure that different mappings
use different shadow pages, mappings would have to be aligned to
KASAN_SHADOW_SCALE_SIZE * PAGE_SIZE.
Instead, share backing space across multiple mappings. Allocate
a backing page the first time a mapping in vmalloc space uses a
particular page of the shadow region. Keep this page around
regardless of whether the mapping is later freed - in the mean time
the page could have become shared by another vmalloc mapping.
This can in theory lead to unbounded memory growth, but the vmalloc
allocator is pretty good at reusing addresses, so the practical memory
usage appears to grow at first but then stay fairly stable.
If we run into practical memory exhaustion issues, I'm happy to
consider hooking into the book-keeping that vmap does, but I am not
convinced that it will be an issue.
v1: https://lore.kernel.org/linux-mm/[email protected]/
v2: https://lore.kernel.org/linux-mm/[email protected]/
Address review comments:
- Patch 1: use kasan_unpoison_shadow's built-in handling of
ranges that do not align to a full shadow byte
- Patch 3: prepopulate pgds rather than faulting things in
v3: Address comments from Mark Rutland:
- kasan_populate_vmalloc is a better name
- handle concurrency correctly
- various nits and cleanups
- relax module alignment in KASAN_VMALLOC case
Daniel Axtens (3):
kasan: support backing vmalloc space with real shadow memory
fork: support VMAP_STACK with KASAN_VMALLOC
x86/kasan: support KASAN_VMALLOC
Documentation/dev-tools/kasan.rst | 60 ++++++++++++++++++++++
arch/Kconfig | 9 ++--
arch/x86/Kconfig | 1 +
arch/x86/mm/kasan_init_64.c | 61 +++++++++++++++++++++++
include/linux/kasan.h | 16 ++++++
include/linux/moduleloader.h | 2 +-
kernel/fork.c | 4 ++
lib/Kconfig.kasan | 16 ++++++
lib/test_kasan.c | 26 ++++++++++
mm/kasan/common.c | 83 +++++++++++++++++++++++++++++++
mm/kasan/generic_report.c | 3 ++
mm/kasan/kasan.h | 1 +
mm/vmalloc.c | 15 +++++-
13 files changed, 291 insertions(+), 6 deletions(-)
--
2.20.1
Supporting VMAP_STACK with KASAN_VMALLOC is straightforward:
- clear the shadow region of vmapped stacks when swapping them in
- tweak Kconfig to allow VMAP_STACK to be turned on with KASAN
Reviewed-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Daniel Axtens <[email protected]>
---
arch/Kconfig | 9 +++++----
kernel/fork.c | 4 ++++
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/arch/Kconfig b/arch/Kconfig
index a7b57dd42c26..e791196005e1 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -825,16 +825,17 @@ config HAVE_ARCH_VMAP_STACK
config VMAP_STACK
default y
bool "Use a virtually-mapped stack"
- depends on HAVE_ARCH_VMAP_STACK && !KASAN
+ depends on HAVE_ARCH_VMAP_STACK
+ depends on !KASAN || KASAN_VMALLOC
---help---
Enable this if you want the use virtually-mapped kernel stacks
with guard pages. This causes kernel stack overflows to be
caught immediately rather than causing difficult-to-diagnose
corruption.
- This is presently incompatible with KASAN because KASAN expects
- the stack to map directly to the KASAN shadow map using a formula
- that is incorrect if the stack is in vmalloc space.
+ To use this with KASAN, the architecture must support backing
+ virtual mappings with real shadow memory, and KASAN_VMALLOC must
+ be enabled.
config ARCH_OPTIONAL_KERNEL_RWX
def_bool n
diff --git a/kernel/fork.c b/kernel/fork.c
index d8ae0f1b4148..ce3150fe8ff2 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -94,6 +94,7 @@
#include <linux/livepatch.h>
#include <linux/thread_info.h>
#include <linux/stackleak.h>
+#include <linux/kasan.h>
#include <asm/pgtable.h>
#include <asm/pgalloc.h>
@@ -215,6 +216,9 @@ static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node)
if (!s)
continue;
+ /* Clear the KASAN shadow of the stack. */
+ kasan_unpoison_shadow(s->addr, THREAD_SIZE);
+
/* Clear stale pointers from reused stack. */
memset(s->addr, 0, THREAD_SIZE);
--
2.20.1
Hook into vmalloc and vmap, and dynamically allocate real shadow
memory to back the mappings.
Most mappings in vmalloc space are small, requiring less than a full
page of shadow space. Allocating a full shadow page per mapping would
therefore be wasteful. Furthermore, to ensure that different mappings
use different shadow pages, mappings would have to be aligned to
KASAN_SHADOW_SCALE_SIZE * PAGE_SIZE.
Instead, share backing space across multiple mappings. Allocate
a backing page the first time a mapping in vmalloc space uses a
particular page of the shadow region. Keep this page around
regardless of whether the mapping is later freed - in the mean time
the page could have become shared by another vmalloc mapping.
This can in theory lead to unbounded memory growth, but the vmalloc
allocator is pretty good at reusing addresses, so the practical memory
usage grows at first but then stays fairly stable.
This requires architecture support to actually use: arches must stop
mapping the read-only zero page over portion of the shadow region that
covers the vmalloc space and instead leave it unmapped.
This allows KASAN with VMAP_STACK, and will be needed for architectures
that do not have a separate module space (e.g. powerpc64, which I am
currently working on). It also allows relaxing the module alignment
back to PAGE_SIZE.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=202009
Signed-off-by: Daniel Axtens <[email protected]>
---
v2: let kasan_unpoison_shadow deal with ranges that do not use a
full shadow byte.
v3: relax module alignment
rename to kasan_populate_vmalloc which is a much better name
deal with concurrency correctly
---
Documentation/dev-tools/kasan.rst | 60 ++++++++++++++++++++++
include/linux/kasan.h | 16 ++++++
include/linux/moduleloader.h | 2 +-
lib/Kconfig.kasan | 16 ++++++
lib/test_kasan.c | 26 ++++++++++
mm/kasan/common.c | 83 +++++++++++++++++++++++++++++++
mm/kasan/generic_report.c | 3 ++
mm/kasan/kasan.h | 1 +
mm/vmalloc.c | 15 +++++-
9 files changed, 220 insertions(+), 2 deletions(-)
diff --git a/Documentation/dev-tools/kasan.rst b/Documentation/dev-tools/kasan.rst
index b72d07d70239..35fda484a672 100644
--- a/Documentation/dev-tools/kasan.rst
+++ b/Documentation/dev-tools/kasan.rst
@@ -215,3 +215,63 @@ brk handler is used to print bug reports.
A potential expansion of this mode is a hardware tag-based mode, which would
use hardware memory tagging support instead of compiler instrumentation and
manual shadow memory manipulation.
+
+What memory accesses are sanitised by KASAN?
+--------------------------------------------
+
+The kernel maps memory in a number of different parts of the address
+space. This poses something of a problem for KASAN, which requires
+that all addresses accessed by instrumented code have a valid shadow
+region.
+
+The range of kernel virtual addresses is large: there is not enough
+real memory to support a real shadow region for every address that
+could be accessed by the kernel.
+
+By default
+~~~~~~~~~~
+
+By default, architectures only map real memory over the shadow region
+for the linear mapping (and potentially other small areas). For all
+other areas - such as vmalloc and vmemmap space - a single read-only
+page is mapped over the shadow area. This read-only shadow page
+declares all memory accesses as permitted.
+
+This presents a problem for modules: they do not live in the linear
+mapping, but in a dedicated module space. By hooking in to the module
+allocator, KASAN can temporarily map real shadow memory to cover
+them. This allows detection of invalid accesses to module globals, for
+example.
+
+This also creates an incompatibility with ``VMAP_STACK``: if the stack
+lives in vmalloc space, it will be shadowed by the read-only page, and
+the kernel will fault when trying to set up the shadow data for stack
+variables.
+
+CONFIG_KASAN_VMALLOC
+~~~~~~~~~~~~~~~~~~~~
+
+With ``CONFIG_KASAN_VMALLOC``, KASAN can cover vmalloc space at the
+cost of greater memory usage. Currently this is only supported on x86.
+
+This works by hooking into vmalloc and vmap, and dynamically
+allocating real shadow memory to back the mappings.
+
+Most mappings in vmalloc space are small, requiring less than a full
+page of shadow space. Allocating a full shadow page per mapping would
+therefore be wasteful. Furthermore, to ensure that different mappings
+use different shadow pages, mappings would have to be aligned to
+``KASAN_SHADOW_SCALE_SIZE * PAGE_SIZE``.
+
+Instead, we share backing space across multiple mappings. We allocate
+a backing page the first time a mapping in vmalloc space uses a
+particular page of the shadow region. We keep this page around
+regardless of whether the mapping is later freed - in the mean time
+this page could have become shared by another vmalloc mapping.
+
+This can in theory lead to unbounded memory growth, but the vmalloc
+allocator is pretty good at reusing addresses, so the practical memory
+usage grows at first but then stays fairly stable.
+
+This allows ``VMAP_STACK`` support on x86, and enables support of
+architectures that do not have a fixed module region.
diff --git a/include/linux/kasan.h b/include/linux/kasan.h
index cc8a03cc9674..ec81113fcee4 100644
--- a/include/linux/kasan.h
+++ b/include/linux/kasan.h
@@ -70,8 +70,18 @@ struct kasan_cache {
int free_meta_offset;
};
+/*
+ * These functions provide a special case to support backing module
+ * allocations with real shadow memory. With KASAN vmalloc, the special
+ * case is unnecessary, as the work is handled in the generic case.
+ */
+#ifndef CONFIG_KASAN_VMALLOC
int kasan_module_alloc(void *addr, size_t size);
void kasan_free_shadow(const struct vm_struct *vm);
+#else
+static inline int kasan_module_alloc(void *addr, size_t size) { return 0; }
+static inline void kasan_free_shadow(const struct vm_struct *vm) {}
+#endif
int kasan_add_zero_shadow(void *start, unsigned long size);
void kasan_remove_zero_shadow(void *start, unsigned long size);
@@ -194,4 +204,10 @@ static inline void *kasan_reset_tag(const void *addr)
#endif /* CONFIG_KASAN_SW_TAGS */
+#ifdef CONFIG_KASAN_VMALLOC
+void kasan_populate_vmalloc(unsigned long requested_size, struct vm_struct *area);
+#else
+static inline void kasan_populate_vmalloc(unsigned long requested_size, struct vm_struct *area) {}
+#endif
+
#endif /* LINUX_KASAN_H */
diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h
index 5229c18025e9..ca92aea8a6bd 100644
--- a/include/linux/moduleloader.h
+++ b/include/linux/moduleloader.h
@@ -91,7 +91,7 @@ void module_arch_cleanup(struct module *mod);
/* Any cleanup before freeing mod->module_init */
void module_arch_freeing_init(struct module *mod);
-#ifdef CONFIG_KASAN
+#if defined(CONFIG_KASAN) && !defined(CONFIG_KASAN_VMALLOC)
#include <linux/kasan.h>
#define MODULE_ALIGN (PAGE_SIZE << KASAN_SHADOW_SCALE_SHIFT)
#else
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
index 4fafba1a923b..a320dc2e9317 100644
--- a/lib/Kconfig.kasan
+++ b/lib/Kconfig.kasan
@@ -6,6 +6,9 @@ config HAVE_ARCH_KASAN
config HAVE_ARCH_KASAN_SW_TAGS
bool
+config HAVE_ARCH_KASAN_VMALLOC
+ bool
+
config CC_HAS_KASAN_GENERIC
def_bool $(cc-option, -fsanitize=kernel-address)
@@ -135,6 +138,19 @@ config KASAN_S390_4_LEVEL_PAGING
to 3TB of RAM with KASan enabled). This options allows to force
4-level paging instead.
+config KASAN_VMALLOC
+ bool "Back mappings in vmalloc space with real shadow memory"
+ depends on KASAN && HAVE_ARCH_KASAN_VMALLOC
+ help
+ By default, the shadow region for vmalloc space is the read-only
+ zero page. This means that KASAN cannot detect errors involving
+ vmalloc space.
+
+ Enabling this option will hook in to vmap/vmalloc and back those
+ mappings with real shadow memory allocated on demand. This allows
+ for KASAN to detect more sorts of errors (and to support vmapped
+ stacks), but at the cost of higher memory usage.
+
config TEST_KASAN
tristate "Module for testing KASAN for bug detection"
depends on m && KASAN
diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index b63b367a94e8..d375246f5f96 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -18,6 +18,7 @@
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/uaccess.h>
+#include <linux/vmalloc.h>
/*
* Note: test functions are marked noinline so that their names appear in
@@ -709,6 +710,30 @@ static noinline void __init kmalloc_double_kzfree(void)
kzfree(ptr);
}
+#ifdef CONFIG_KASAN_VMALLOC
+static noinline void __init vmalloc_oob(void)
+{
+ void *area;
+
+ pr_info("vmalloc out-of-bounds\n");
+
+ /*
+ * We have to be careful not to hit the guard page.
+ * The MMU will catch that and crash us.
+ */
+ area = vmalloc(3000);
+ if (!area) {
+ pr_err("Allocation failed\n");
+ return;
+ }
+
+ ((volatile char *)area)[3100];
+ vfree(area);
+}
+#else
+static void __init vmalloc_oob(void) {}
+#endif
+
static int __init kmalloc_tests_init(void)
{
/*
@@ -752,6 +777,7 @@ static int __init kmalloc_tests_init(void)
kasan_strings();
kasan_bitops();
kmalloc_double_kzfree();
+ vmalloc_oob();
kasan_restore_multi_shot(multishot);
diff --git a/mm/kasan/common.c b/mm/kasan/common.c
index 2277b82902d8..e1a748c3f3db 100644
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -568,6 +568,7 @@ void kasan_kfree_large(void *ptr, unsigned long ip)
/* The object will be poisoned by page_alloc. */
}
+#ifndef CONFIG_KASAN_VMALLOC
int kasan_module_alloc(void *addr, size_t size)
{
void *ret;
@@ -603,6 +604,7 @@ void kasan_free_shadow(const struct vm_struct *vm)
if (vm->flags & VM_KASAN)
vfree(kasan_mem_to_shadow(vm->addr));
}
+#endif
extern void __kasan_report(unsigned long addr, size_t size, bool is_write, unsigned long ip);
@@ -722,3 +724,84 @@ static int __init kasan_memhotplug_init(void)
core_initcall(kasan_memhotplug_init);
#endif
+
+#ifdef CONFIG_KASAN_VMALLOC
+void kasan_populate_vmalloc(unsigned long requested_size, struct vm_struct *area)
+{
+ unsigned long shadow_alloc_start, shadow_alloc_end;
+ unsigned long addr;
+ unsigned long page;
+ pgd_t *pgdp;
+ p4d_t *p4dp;
+ pud_t *pudp;
+ pmd_t *pmdp;
+ pte_t *ptep;
+ pte_t pte;
+
+ shadow_alloc_start = ALIGN_DOWN(
+ (unsigned long)kasan_mem_to_shadow(area->addr),
+ PAGE_SIZE);
+ shadow_alloc_end = ALIGN(
+ (unsigned long)kasan_mem_to_shadow(area->addr + area->size),
+ PAGE_SIZE);
+
+ addr = shadow_alloc_start;
+ do {
+ pgdp = pgd_offset_k(addr);
+ p4dp = p4d_alloc(&init_mm, pgdp, addr);
+ pudp = pud_alloc(&init_mm, p4dp, addr);
+ pmdp = pmd_alloc(&init_mm, pudp, addr);
+ ptep = pte_alloc_kernel(pmdp, addr);
+
+ /*
+ * The pte may not be none if we allocated the page earlier to
+ * use part of it for another allocation.
+ *
+ * Because we only ever add to the vmalloc shadow pages and
+ * never free any, we can optimise here by checking for the pte
+ * presence outside the lock. It's OK to race with another
+ * allocation here because we do the 'real' test under the lock.
+ * This just allows us to save creating/freeing the new shadow
+ * page in the common case.
+ */
+ if (!pte_none(*ptep))
+ continue;
+
+ /*
+ * We're probably going to need to populate the shadow.
+ * Allocate and poision the shadow page now, outside the lock.
+ */
+ page = __get_free_page(GFP_KERNEL);
+ memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
+ pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
+
+ spin_lock(&init_mm.page_table_lock);
+ if (pte_none(*ptep)) {
+ set_pte_at(&init_mm, addr, ptep, pte);
+ page = 0;
+ }
+ spin_unlock(&init_mm.page_table_lock);
+
+ /* catch the case where we raced and don't need the page */
+ if (page)
+ free_page(page);
+ } while (addr += PAGE_SIZE, addr != shadow_alloc_end);
+
+ kasan_unpoison_shadow(area->addr, requested_size);
+
+ /*
+ * We have to poison the remainder of the allocation each time, not
+ * just when the shadow page is first allocated, because vmalloc may
+ * reuse addresses, and an early large allocation would cause us to
+ * miss OOBs in future smaller allocations.
+ *
+ * The alternative is to poison the shadow on vfree()/vunmap(). We
+ * don't because the unmapping the virtual addresses should be
+ * sufficient to find most UAFs.
+ */
+ requested_size = round_up(requested_size, KASAN_SHADOW_SCALE_SIZE);
+ kasan_poison_shadow(area->addr + requested_size,
+ area->size - requested_size,
+ KASAN_VMALLOC_INVALID);
+}
+#endif
diff --git a/mm/kasan/generic_report.c b/mm/kasan/generic_report.c
index 36c645939bc9..2d97efd4954f 100644
--- a/mm/kasan/generic_report.c
+++ b/mm/kasan/generic_report.c
@@ -86,6 +86,9 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info)
case KASAN_ALLOCA_RIGHT:
bug_type = "alloca-out-of-bounds";
break;
+ case KASAN_VMALLOC_INVALID:
+ bug_type = "vmalloc-out-of-bounds";
+ break;
}
return bug_type;
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
index 014f19e76247..8b1f2fbc780b 100644
--- a/mm/kasan/kasan.h
+++ b/mm/kasan/kasan.h
@@ -25,6 +25,7 @@
#endif
#define KASAN_GLOBAL_REDZONE 0xFA /* redzone for global variable */
+#define KASAN_VMALLOC_INVALID 0xF9 /* unallocated space in vmapped page */
/*
* Stack redzone shadow values
diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 4fa8d84599b0..406097ff8ced 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -2012,6 +2012,15 @@ static void setup_vmalloc_vm(struct vm_struct *vm, struct vmap_area *va,
va->vm = vm;
va->flags |= VM_VM_AREA;
spin_unlock(&vmap_area_lock);
+
+ /*
+ * If we are in vmalloc space we need to cover the shadow area with
+ * real memory. If we come here through VM_ALLOC, this is done
+ * by a higher level function that has access to the true size,
+ * which might not be a full page.
+ */
+ if (is_vmalloc_addr(vm->addr) && !(vm->flags & VM_ALLOC))
+ kasan_populate_vmalloc(vm->size, vm);
}
static void clear_vm_uninitialized_flag(struct vm_struct *vm)
@@ -2483,6 +2492,8 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align,
if (!addr)
return NULL;
+ kasan_populate_vmalloc(real_size, area);
+
/*
* In this function, newly allocated vm_struct has VM_UNINITIALIZED
* flag. It means that vm_struct is not fully initialized.
@@ -3324,9 +3335,11 @@ struct vm_struct **pcpu_get_vm_areas(const unsigned long *offsets,
spin_unlock(&vmap_area_lock);
/* insert all vm's */
- for (area = 0; area < nr_vms; area++)
+ for (area = 0; area < nr_vms; area++) {
setup_vmalloc_vm(vms[area], vas[area], VM_ALLOC,
pcpu_get_vm_areas);
+ kasan_populate_vmalloc(sizes[area], vms[area]);
+ }
kfree(vas);
return vms;
--
2.20.1
In the case where KASAN directly allocates memory to back vmalloc
space, don't map the early shadow page over it.
We prepopulate pgds/p4ds for the range that would otherwise be empty.
This is required to get it synced to hardware on boot, allowing the
lower levels of the page tables to be filled dynamically.
Acked-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Daniel Axtens <[email protected]>
---
v2: move from faulting in shadow pgds to prepopulating
---
arch/x86/Kconfig | 1 +
arch/x86/mm/kasan_init_64.c | 61 +++++++++++++++++++++++++++++++++++++
2 files changed, 62 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 222855cc0158..40562cc3771f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -134,6 +134,7 @@ config X86
select HAVE_ARCH_JUMP_LABEL
select HAVE_ARCH_JUMP_LABEL_RELATIVE
select HAVE_ARCH_KASAN if X86_64
+ select HAVE_ARCH_KASAN_VMALLOC if X86_64
select HAVE_ARCH_KGDB
select HAVE_ARCH_MMAP_RND_BITS if MMU
select HAVE_ARCH_MMAP_RND_COMPAT_BITS if MMU && COMPAT
diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c
index 296da58f3013..2f57c4ddff61 100644
--- a/arch/x86/mm/kasan_init_64.c
+++ b/arch/x86/mm/kasan_init_64.c
@@ -245,6 +245,52 @@ static void __init kasan_map_early_shadow(pgd_t *pgd)
} while (pgd++, addr = next, addr != end);
}
+static void __init kasan_shallow_populate_p4ds(pgd_t *pgd,
+ unsigned long addr,
+ unsigned long end,
+ int nid)
+{
+ p4d_t *p4d;
+ unsigned long next;
+ void *p;
+
+ p4d = p4d_offset(pgd, addr);
+ do {
+ next = p4d_addr_end(addr, end);
+
+ if (p4d_none(*p4d)) {
+ p = early_alloc(PAGE_SIZE, nid, true);
+ p4d_populate(&init_mm, p4d, p);
+ }
+ } while (p4d++, addr = next, addr != end);
+}
+
+static void __init kasan_shallow_populate_pgds(void *start, void *end)
+{
+ unsigned long addr, next;
+ pgd_t *pgd;
+ void *p;
+ int nid = early_pfn_to_nid((unsigned long)start);
+
+ addr = (unsigned long)start;
+ pgd = pgd_offset_k(addr);
+ do {
+ next = pgd_addr_end(addr, (unsigned long)end);
+
+ if (pgd_none(*pgd)) {
+ p = early_alloc(PAGE_SIZE, nid, true);
+ pgd_populate(&init_mm, pgd, p);
+ }
+
+ /*
+ * we need to populate p4ds to be synced when running in
+ * four level mode - see sync_global_pgds_l4()
+ */
+ kasan_shallow_populate_p4ds(pgd, addr, next, nid);
+ } while (pgd++, addr = next, addr != (unsigned long)end);
+}
+
+
#ifdef CONFIG_KASAN_INLINE
static int kasan_die_handler(struct notifier_block *self,
unsigned long val,
@@ -352,9 +398,24 @@ void __init kasan_init(void)
shadow_cpu_entry_end = (void *)round_up(
(unsigned long)shadow_cpu_entry_end, PAGE_SIZE);
+ /*
+ * If we're in full vmalloc mode, don't back vmalloc space with early
+ * shadow pages. Instead, prepopulate pgds/p4ds so they are synced to
+ * the global table and we can populate the lower levels on demand.
+ */
+#ifdef CONFIG_KASAN_VMALLOC
+ kasan_shallow_populate_pgds(
+ kasan_mem_to_shadow((void *)PAGE_OFFSET + MAXMEM),
+ kasan_mem_to_shadow((void *)VMALLOC_END));
+
+ kasan_populate_early_shadow(
+ kasan_mem_to_shadow((void *)VMALLOC_END + 1),
+ shadow_cpu_entry_begin);
+#else
kasan_populate_early_shadow(
kasan_mem_to_shadow((void *)PAGE_OFFSET + MAXMEM),
shadow_cpu_entry_begin);
+#endif
kasan_populate_shadow((unsigned long)shadow_cpu_entry_begin,
(unsigned long)shadow_cpu_entry_end, 0);
--
2.20.1
Hi Daniel,
This is looking really good!
I spotted a few more things we need to deal with, so I've suggested some
(not even compile-tested) code for that below. Mostly that's just error
handling, and using helpers to avoid things getting too verbose.
On Wed, Jul 31, 2019 at 05:15:48PM +1000, Daniel Axtens wrote:
> +void kasan_populate_vmalloc(unsigned long requested_size, struct vm_struct *area)
> +{
> + unsigned long shadow_alloc_start, shadow_alloc_end;
> + unsigned long addr;
> + unsigned long page;
> + pgd_t *pgdp;
> + p4d_t *p4dp;
> + pud_t *pudp;
> + pmd_t *pmdp;
> + pte_t *ptep;
> + pte_t pte;
> +
> + shadow_alloc_start = ALIGN_DOWN(
> + (unsigned long)kasan_mem_to_shadow(area->addr),
> + PAGE_SIZE);
> + shadow_alloc_end = ALIGN(
> + (unsigned long)kasan_mem_to_shadow(area->addr + area->size),
> + PAGE_SIZE);
> +
> + addr = shadow_alloc_start;
> + do {
> + pgdp = pgd_offset_k(addr);
> + p4dp = p4d_alloc(&init_mm, pgdp, addr);
> + pudp = pud_alloc(&init_mm, p4dp, addr);
> + pmdp = pmd_alloc(&init_mm, pudp, addr);
> + ptep = pte_alloc_kernel(pmdp, addr);
> +
> + /*
> + * The pte may not be none if we allocated the page earlier to
> + * use part of it for another allocation.
> + *
> + * Because we only ever add to the vmalloc shadow pages and
> + * never free any, we can optimise here by checking for the pte
> + * presence outside the lock. It's OK to race with another
> + * allocation here because we do the 'real' test under the lock.
> + * This just allows us to save creating/freeing the new shadow
> + * page in the common case.
> + */
> + if (!pte_none(*ptep))
> + continue;
> +
> + /*
> + * We're probably going to need to populate the shadow.
> + * Allocate and poision the shadow page now, outside the lock.
> + */
> + page = __get_free_page(GFP_KERNEL);
> + memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
> + pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
> +
> + spin_lock(&init_mm.page_table_lock);
> + if (pte_none(*ptep)) {
> + set_pte_at(&init_mm, addr, ptep, pte);
> + page = 0;
> + }
> + spin_unlock(&init_mm.page_table_lock);
> +
> + /* catch the case where we raced and don't need the page */
> + if (page)
> + free_page(page);
> + } while (addr += PAGE_SIZE, addr != shadow_alloc_end);
> +
From looking at this for a while, there are a few more things we should
sort out:
* We need to handle allocations failing. I think we can get most of that
by using apply_to_page_range() to allocate the tables for us.
* Between poisoning the page and updating the page table, we need an
smp_wmb() to ensure that the poison is visible to other CPUs, similar
to what __pte_alloc() and friends do when allocating new tables.
* We can use the split pmd locks (used by both x86 and arm64) to
minimize contention on the init_mm ptl. As apply_to_page_range()
doesn't pass the corresponding pmd in, we'll have to re-walk the table
in the callback, but I suspect that's better than having all vmalloc
operations contend on the same ptl.
I think it would make sense to follow the style of the __alloc_p??
functions and factor out the actual initialization into a helper like:
static int __kasan_populate_vmalloc_pte(pmd_t *pmdp, pte_t *ptep)
{
unsigned long page;
spinlock_t *ptl;
pte_t pte;
page = __get_free_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
pte = pfn_pte(page_to_pfn(page), PAGE_KERNEL);
/*
* Ensure poisoning is visible before the shadow is made visible
* to other CPUs.
*/
smp_wmb();
ptl = pmd_lock(&init_mm, pmdp);
if (likely(pte_none(*ptep))) {
set_pte(ptep, pte)
page = 0;
}
spin_unlock(ptl);
if (page)
free_page(page);
return 0;
}
... with the apply_to_page_range() callback looking a bit like
alloc_p??(), grabbing the pmd for its ptl.
static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr, void *unused)
{
pgd_t *pgdp;
p4d_t *p4dp;
pud_t *pudp;
pmd_t *pmdp;
if (likely(!pte_none(*ptep)))
return 0;
pgdp = pgd_offset_k(addr);
p4dp = p4d_offset(pgdp, addr)
pudp = pud_pffset(p4dp, addr);
pmdp = pmd_offset(pudp, addr);
return __kasan_populate_vmalloc_pte(pmdp, ptep);
}
... and the main function looking something like:
int kasan_populate_vmalloc(...)
{
unsigned long shadow_start, shadow_size;
unsigned long addr;
int ret;
// calculate shadow bounds here
ret = apply_to_page_range(&init_mm, shadow_start, shadow_size,
kasan_populate_vmalloc_pte, NULL);
if (ret)
return ret;
...
// unpoison the new allocation here
}
> + kasan_unpoison_shadow(area->addr, requested_size);
> +
> + /*
> + * We have to poison the remainder of the allocation each time, not
> + * just when the shadow page is first allocated, because vmalloc may
> + * reuse addresses, and an early large allocation would cause us to
> + * miss OOBs in future smaller allocations.
> + *
> + * The alternative is to poison the shadow on vfree()/vunmap(). We
> + * don't because the unmapping the virtual addresses should be
> + * sufficient to find most UAFs.
> + */
> + requested_size = round_up(requested_size, KASAN_SHADOW_SCALE_SIZE);
> + kasan_poison_shadow(area->addr + requested_size,
> + area->size - requested_size,
> + KASAN_VMALLOC_INVALID);
> +}
Is it painful to do the unpoison in the vfree/vunmap paths? I haven't
looked, so I might have missed something that makes that nasty.
If it's possible, I think it would be preferable to do so. It would be
consistent with the non-vmalloc KASAN cases. IIUC in that case we only
need the requested size here (and not the vmap_area), so we could just
take start and size as arguments.
Thanks,
Mark.
On Thu, Aug 08, 2019 at 02:50:37PM +0100, Mark Rutland wrote:
> Hi Daniel,
>
> This is looking really good!
>
> I spotted a few more things we need to deal with, so I've suggested some
> (not even compile-tested) code for that below. Mostly that's just error
> handling, and using helpers to avoid things getting too verbose.
FWIW, I had a quick go at that, and I've pushed the (corrected) results
to my git repo, along with an initial stab at arm64 support (which is
currently broken):
https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=kasan/vmalloc
Thanks,
Mark.
On Thu, Aug 08, 2019 at 06:43:25PM +0100, Mark Rutland wrote:
> On Thu, Aug 08, 2019 at 02:50:37PM +0100, Mark Rutland wrote:
> > Hi Daniel,
> >
> > This is looking really good!
> >
> > I spotted a few more things we need to deal with, so I've suggested some
> > (not even compile-tested) code for that below. Mostly that's just error
> > handling, and using helpers to avoid things getting too verbose.
>
> FWIW, I had a quick go at that, and I've pushed the (corrected) results
> to my git repo, along with an initial stab at arm64 support (which is
> currently broken):
>
> https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=kasan/vmalloc
I've fixed my arm64 patch now, and that appears to work in basic tests
(example below), so I'll throw my arm64 Syzkaller instance at that today
to shake out anything major that we've missed or that I've botched.
I'm very excited to see this!
Are you happy to pick up my modified patch 1 for v4?
Thanks,
Mark.
# echo STACK_GUARD_PAGE_LEADING > DIRECT
[ 107.453162] lkdtm: Performing direct entry STACK_GUARD_PAGE_LEADING
[ 107.454672] lkdtm: attempting bad read from page below current stack
[ 107.456672] ==================================================================
[ 107.457929] BUG: KASAN: vmalloc-out-of-bounds in lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
[ 107.459398] Read of size 1 at addr ffff20001515ffff by task sh/214
[ 107.460864]
[ 107.461271] CPU: 0 PID: 214 Comm: sh Not tainted 5.3.0-rc3-00004-g84f902ca9396-dirty #7
[ 107.463101] Hardware name: linux,dummy-virt (DT)
[ 107.464407] Call trace:
[ 107.464951] dump_backtrace+0x0/0x1e8
[ 107.465781] show_stack+0x14/0x20
[ 107.466824] dump_stack+0xbc/0xf4
[ 107.467780] print_address_description+0x60/0x33c
[ 107.469221] __kasan_report+0x140/0x1a0
[ 107.470388] kasan_report+0xc/0x18
[ 107.471439] __asan_load1+0x4c/0x58
[ 107.472428] lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
[ 107.473908] lkdtm_do_action+0x40/0x50
[ 107.475255] direct_entry+0x128/0x1b0
[ 107.476348] full_proxy_write+0x90/0xc8
[ 107.477595] __vfs_write+0x54/0xa8
[ 107.478780] vfs_write+0xd0/0x230
[ 107.479762] ksys_write+0xc4/0x170
[ 107.480738] __arm64_sys_write+0x40/0x50
[ 107.481888] el0_svc_common.constprop.0+0xc0/0x1c0
[ 107.483240] el0_svc_handler+0x34/0x88
[ 107.484211] el0_svc+0x8/0xc
[ 107.484996]
[ 107.485429]
[ 107.485895] Memory state around the buggy address:
[ 107.487107] ffff20001515fe80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 107.489162] ffff20001515ff00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 107.491157] >ffff20001515ff80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 107.493193] ^
[ 107.494973] ffff200015160000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 107.497103] ffff200015160080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 107.498795] ==================================================================
[ 107.500495] Disabling lock debugging due to kernel taint
[ 107.503212] Unable to handle kernel paging request at virtual address ffff20001515ffff
[ 107.505177] Mem abort info:
[ 107.505797] ESR = 0x96000007
[ 107.506554] Exception class = DABT (current EL), IL = 32 bits
[ 107.508031] SET = 0, FnV = 0
[ 107.508547] EA = 0, S1PTW = 0
[ 107.509125] Data abort info:
[ 107.509704] ISV = 0, ISS = 0x00000007
[ 107.510388] CM = 0, WnR = 0
[ 107.511089] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041c65000
[ 107.513221] [ffff20001515ffff] pgd=00000000bdfff003, pud=00000000bdffe003, pmd=00000000aa31e003, pte=0000000000000000
[ 107.515915] Internal error: Oops: 96000007 [#1] PREEMPT SMP
[ 107.517295] Modules linked in:
[ 107.518074] CPU: 0 PID: 214 Comm: sh Tainted: G B 5.3.0-rc3-00004-g84f902ca9396-dirty #7
[ 107.520755] Hardware name: linux,dummy-virt (DT)
[ 107.522208] pstate: 60400005 (nZCv daif +PAN -UAO)
[ 107.523670] pc : lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
[ 107.525176] lr : lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
[ 107.526809] sp : ffff200015167b90
[ 107.527856] x29: ffff200015167b90 x28: ffff800002294740
[ 107.529728] x27: 0000000000000000 x26: 0000000000000000
[ 107.531523] x25: ffff200015167df0 x24: ffff2000116e8400
[ 107.533234] x23: ffff200015160000 x22: dfff200000000000
[ 107.534694] x21: ffff040002a2cf7a x20: ffff2000116e9ee0
[ 107.536238] x19: 1fffe40002a2cf7a x18: 0000000000000000
[ 107.537699] x17: 0000000000000000 x16: 0000000000000000
[ 107.539288] x15: 0000000000000000 x14: 0000000000000000
[ 107.540584] x13: 0000000000000000 x12: ffff10000d672bb9
[ 107.541920] x11: 1ffff0000d672bb8 x10: ffff10000d672bb8
[ 107.543438] x9 : 1ffff0000d672bb8 x8 : dfff200000000000
[ 107.545008] x7 : ffff10000d672bb9 x6 : ffff80006b395dc0
[ 107.546570] x5 : 0000000000000001 x4 : dfff200000000000
[ 107.547936] x3 : ffff20001113274c x2 : 0000000000000007
[ 107.549121] x1 : eb957a6c7b3ab400 x0 : 0000000000000000
[ 107.550220] Call trace:
[ 107.551017] lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
[ 107.552288] lkdtm_do_action+0x40/0x50
[ 107.553302] direct_entry+0x128/0x1b0
[ 107.554290] full_proxy_write+0x90/0xc8
[ 107.555332] __vfs_write+0x54/0xa8
[ 107.556278] vfs_write+0xd0/0x230
[ 107.557000] ksys_write+0xc4/0x170
[ 107.557834] __arm64_sys_write+0x40/0x50
[ 107.558980] el0_svc_common.constprop.0+0xc0/0x1c0
[ 107.560111] el0_svc_handler+0x34/0x88
[ 107.560936] el0_svc+0x8/0xc
[ 107.561580] Code: 91140280 97ded9e3 d10006e0 97e4672e (385ff2e1)
[ 107.563208] ---[ end trace 9e69aa587e1dc0cc ]---
On Wed, Jul 31, 2019 at 05:15:48PM +1000, Daniel Axtens wrote:
> Hook into vmalloc and vmap, and dynamically allocate real shadow
> memory to back the mappings.
>
> Most mappings in vmalloc space are small, requiring less than a full
> page of shadow space. Allocating a full shadow page per mapping would
> therefore be wasteful. Furthermore, to ensure that different mappings
> use different shadow pages, mappings would have to be aligned to
> KASAN_SHADOW_SCALE_SIZE * PAGE_SIZE.
>
> Instead, share backing space across multiple mappings. Allocate
> a backing page the first time a mapping in vmalloc space uses a
> particular page of the shadow region. Keep this page around
> regardless of whether the mapping is later freed - in the mean time
> the page could have become shared by another vmalloc mapping.
>
> This can in theory lead to unbounded memory growth, but the vmalloc
> allocator is pretty good at reusing addresses, so the practical memory
> usage grows at first but then stays fairly stable.
>
> This requires architecture support to actually use: arches must stop
> mapping the read-only zero page over portion of the shadow region that
> covers the vmalloc space and instead leave it unmapped.
>
> This allows KASAN with VMAP_STACK, and will be needed for architectures
> that do not have a separate module space (e.g. powerpc64, which I am
> currently working on). It also allows relaxing the module alignment
> back to PAGE_SIZE.
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=202009
> Signed-off-by: Daniel Axtens <[email protected]>
>
> ---
Acked-by: Vasily Gorbik <[email protected]>
I've added s390 specific kasan init part and the whole thing looks good!
Unfortunately I also had to make additional changes in s390 code, so
s390 part would go later through s390 tree. But looking forward seeing
your patch series upstream.
On Thu, Aug 08, 2019 at 02:50:37PM +0100, Mark Rutland wrote:
> From looking at this for a while, there are a few more things we should
> sort out:
> * We can use the split pmd locks (used by both x86 and arm64) to
> minimize contention on the init_mm ptl. As apply_to_page_range()
> doesn't pass the corresponding pmd in, we'll have to re-walk the table
> in the callback, but I suspect that's better than having all vmalloc
> operations contend on the same ptl.
Just to point out: I was wrong about this. We don't initialise the split
pmd locks for the kernel page tables, so we have to use the init_mm ptl.
I've fixed that up in my kasan/vmalloc branch as below, which works for
me on arm64 (with another patch to prevent arm64 from using early shadow
for the vmalloc area).
Thanks,
Mark.
----
static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr, void *unused)
{
unsigned long page;
pte_t pte;
if (likely(!pte_none(*ptep)))
return 0;
page = __get_free_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE);
pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL);
/*
* Ensure poisoning is visible before the shadow is made visible
* to other CPUs.
*/
smp_wmb();
spin_lock(&init_mm.page_table_lock);
if (likely(pte_none(*ptep))) {
set_pte_at(&init_mm, addr, ptep, pte);
page = 0;
}
spin_unlock(&init_mm.page_table_lock);
if (page)
free_page(page);
return 0;
}
int kasan_populate_vmalloc(unsigned long requested_size, struct vm_struct *area)
{
unsigned long shadow_start, shadow_end;
int ret;
shadow_start = (unsigned long)kasan_mem_to_shadow(area->addr);
shadow_start = ALIGN_DOWN(shadow_start, PAGE_SIZE);
shadow_end = (unsigned long)kasan_mem_to_shadow(area->addr + area->size),
shadow_end = ALIGN(shadow_end, PAGE_SIZE);
ret = apply_to_page_range(&init_mm, shadow_start,
shadow_end - shadow_start,
kasan_populate_vmalloc_pte, NULL);
if (ret)
return ret;
kasan_unpoison_shadow(area->addr, requested_size);
/*
* We have to poison the remainder of the allocation each time, not
* just when the shadow page is first allocated, because vmalloc may
* reuse addresses, and an early large allocation would cause us to
* miss OOBs in future smaller allocations.
*
* The alternative is to poison the shadow on vfree()/vunmap(). We
* don't because the unmapping the virtual addresses should be
* sufficient to find most UAFs.
*/
requested_size = round_up(requested_size, KASAN_SHADOW_SCALE_SIZE);
kasan_poison_shadow(area->addr + requested_size,
area->size - requested_size,
KASAN_VMALLOC_INVALID);
return 0;
}
Mark Rutland <[email protected]> writes:
> On Thu, Aug 08, 2019 at 06:43:25PM +0100, Mark Rutland wrote:
>> On Thu, Aug 08, 2019 at 02:50:37PM +0100, Mark Rutland wrote:
>> > Hi Daniel,
>> >
>> > This is looking really good!
>> >
>> > I spotted a few more things we need to deal with, so I've suggested some
>> > (not even compile-tested) code for that below. Mostly that's just error
>> > handling, and using helpers to avoid things getting too verbose.
>>
>> FWIW, I had a quick go at that, and I've pushed the (corrected) results
>> to my git repo, along with an initial stab at arm64 support (which is
>> currently broken):
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git/log/?h=kasan/vmalloc
>
> I've fixed my arm64 patch now, and that appears to work in basic tests
> (example below), so I'll throw my arm64 Syzkaller instance at that today
> to shake out anything major that we've missed or that I've botched.
>
> I'm very excited to see this!
>
> Are you happy to pick up my modified patch 1 for v4?
Thanks, I'll do that.
I'll also have a crack at poisioning on free - I know I did that in an
early draft and then dropped it, so I don't think it was painful at all.
Regards,
Daniel
>
> Thanks,
> Mark.
>
> # echo STACK_GUARD_PAGE_LEADING > DIRECT
> [ 107.453162] lkdtm: Performing direct entry STACK_GUARD_PAGE_LEADING
> [ 107.454672] lkdtm: attempting bad read from page below current stack
> [ 107.456672] ==================================================================
> [ 107.457929] BUG: KASAN: vmalloc-out-of-bounds in lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
> [ 107.459398] Read of size 1 at addr ffff20001515ffff by task sh/214
> [ 107.460864]
> [ 107.461271] CPU: 0 PID: 214 Comm: sh Not tainted 5.3.0-rc3-00004-g84f902ca9396-dirty #7
> [ 107.463101] Hardware name: linux,dummy-virt (DT)
> [ 107.464407] Call trace:
> [ 107.464951] dump_backtrace+0x0/0x1e8
> [ 107.465781] show_stack+0x14/0x20
> [ 107.466824] dump_stack+0xbc/0xf4
> [ 107.467780] print_address_description+0x60/0x33c
> [ 107.469221] __kasan_report+0x140/0x1a0
> [ 107.470388] kasan_report+0xc/0x18
> [ 107.471439] __asan_load1+0x4c/0x58
> [ 107.472428] lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
> [ 107.473908] lkdtm_do_action+0x40/0x50
> [ 107.475255] direct_entry+0x128/0x1b0
> [ 107.476348] full_proxy_write+0x90/0xc8
> [ 107.477595] __vfs_write+0x54/0xa8
> [ 107.478780] vfs_write+0xd0/0x230
> [ 107.479762] ksys_write+0xc4/0x170
> [ 107.480738] __arm64_sys_write+0x40/0x50
> [ 107.481888] el0_svc_common.constprop.0+0xc0/0x1c0
> [ 107.483240] el0_svc_handler+0x34/0x88
> [ 107.484211] el0_svc+0x8/0xc
> [ 107.484996]
> [ 107.485429]
> [ 107.485895] Memory state around the buggy address:
> [ 107.487107] ffff20001515fe80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
> [ 107.489162] ffff20001515ff00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
> [ 107.491157] >ffff20001515ff80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
> [ 107.493193] ^
> [ 107.494973] ffff200015160000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 107.497103] ffff200015160080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 107.498795] ==================================================================
> [ 107.500495] Disabling lock debugging due to kernel taint
> [ 107.503212] Unable to handle kernel paging request at virtual address ffff20001515ffff
> [ 107.505177] Mem abort info:
> [ 107.505797] ESR = 0x96000007
> [ 107.506554] Exception class = DABT (current EL), IL = 32 bits
> [ 107.508031] SET = 0, FnV = 0
> [ 107.508547] EA = 0, S1PTW = 0
> [ 107.509125] Data abort info:
> [ 107.509704] ISV = 0, ISS = 0x00000007
> [ 107.510388] CM = 0, WnR = 0
> [ 107.511089] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041c65000
> [ 107.513221] [ffff20001515ffff] pgd=00000000bdfff003, pud=00000000bdffe003, pmd=00000000aa31e003, pte=0000000000000000
> [ 107.515915] Internal error: Oops: 96000007 [#1] PREEMPT SMP
> [ 107.517295] Modules linked in:
> [ 107.518074] CPU: 0 PID: 214 Comm: sh Tainted: G B 5.3.0-rc3-00004-g84f902ca9396-dirty #7
> [ 107.520755] Hardware name: linux,dummy-virt (DT)
> [ 107.522208] pstate: 60400005 (nZCv daif +PAN -UAO)
> [ 107.523670] pc : lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
> [ 107.525176] lr : lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
> [ 107.526809] sp : ffff200015167b90
> [ 107.527856] x29: ffff200015167b90 x28: ffff800002294740
> [ 107.529728] x27: 0000000000000000 x26: 0000000000000000
> [ 107.531523] x25: ffff200015167df0 x24: ffff2000116e8400
> [ 107.533234] x23: ffff200015160000 x22: dfff200000000000
> [ 107.534694] x21: ffff040002a2cf7a x20: ffff2000116e9ee0
> [ 107.536238] x19: 1fffe40002a2cf7a x18: 0000000000000000
> [ 107.537699] x17: 0000000000000000 x16: 0000000000000000
> [ 107.539288] x15: 0000000000000000 x14: 0000000000000000
> [ 107.540584] x13: 0000000000000000 x12: ffff10000d672bb9
> [ 107.541920] x11: 1ffff0000d672bb8 x10: ffff10000d672bb8
> [ 107.543438] x9 : 1ffff0000d672bb8 x8 : dfff200000000000
> [ 107.545008] x7 : ffff10000d672bb9 x6 : ffff80006b395dc0
> [ 107.546570] x5 : 0000000000000001 x4 : dfff200000000000
> [ 107.547936] x3 : ffff20001113274c x2 : 0000000000000007
> [ 107.549121] x1 : eb957a6c7b3ab400 x0 : 0000000000000000
> [ 107.550220] Call trace:
> [ 107.551017] lkdtm_STACK_GUARD_PAGE_LEADING+0x88/0xb4
> [ 107.552288] lkdtm_do_action+0x40/0x50
> [ 107.553302] direct_entry+0x128/0x1b0
> [ 107.554290] full_proxy_write+0x90/0xc8
> [ 107.555332] __vfs_write+0x54/0xa8
> [ 107.556278] vfs_write+0xd0/0x230
> [ 107.557000] ksys_write+0xc4/0x170
> [ 107.557834] __arm64_sys_write+0x40/0x50
> [ 107.558980] el0_svc_common.constprop.0+0xc0/0x1c0
> [ 107.560111] el0_svc_handler+0x34/0x88
> [ 107.560936] el0_svc+0x8/0xc
> [ 107.561580] Code: 91140280 97ded9e3 d10006e0 97e4672e (385ff2e1)
> [ 107.563208] ---[ end trace 9e69aa587e1dc0cc ]---