From: Andrey Ryabinin
To: Ingo Molnar, Thomas Gleixner, Borislav Petkov, "H. Peter Anvin", x86@kernel.org
Cc: Alexander Potapenko, Dmitry Vyukov, "Kirill A. Shutemov", kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, Andrey Ryabinin, stable@vger.kernel.org
Subject: [PATCH] x86/kasan: Fix boot with 5-level paging and KASAN
Date: Fri, 14 Jun 2019 17:31:49 +0300
Message-Id: <20190614143149.2227-1-aryabinin@virtuozzo.com>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190612014526.jtklrc3okejm3e4t@box>
References: <20190612014526.jtklrc3okejm3e4t@box>
X-Mailing-List: linux-kernel@vger.kernel.org

Since commit d52888aa2753 ("x86/mm: Move LDT remap out of KASLR region on 5-level paging") the kernel doesn't boot with KASAN on 5-level paging machines.

The bug is actually in early_p4d_offset() and was introduced by commit 12a8cc7fcf54 ("x86/kasan: Use the same shadow offset for 4- and 5-level paging").

early_p4d_offset() tries to convert the pgd_val(*pgd) value to a physical address. This doesn't make sense because pgd_val() already contains a physical address.

It did work prior to commit d52888aa2753 because the result of "__pa_nodebug(pgd_val(*pgd)) & PTE_PFN_MASK" was the same as "pgd_val(*pgd) & PTE_PFN_MASK". __pa_nodebug() just set some high bits which were masked out by applying PTE_PFN_MASK.

After the change of the PAGE_OFFSET offset in commit d52888aa2753, __pa_nodebug(pgd_val(*pgd)) started to return a value with more high bits set, and PTE_PFN_MASK wasn't enough to mask out all of them. So we've got a wrong, not even canonical, address and a crash on the attempt to dereference it.

Fixes: 12a8cc7fcf54 ("x86/kasan: Use the same shadow offset for 4- and 5-level paging")
Reported-by: Kirill A. Shutemov
Signed-off-by: Andrey Ryabinin
Cc:
---
 arch/x86/mm/kasan_init_64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c index 8dc0fc0b1382..296da58f3013 100644 --- a/arch/x86/mm/kasan_init_64.c +++ b/arch/x86/mm/kasan_init_64.c @@ -199,7 +199,7 @@ static inline p4d_t *early_p4d_offset(pgd_t *pgd, unsigned long addr) if (!pgtable_l5_enabled()) return (p4d_t *)pgd; - p4d = __pa_nodebug(pgd_val(*pgd)) & PTE_PFN_MASK; + p4d = pgd_val(*pgd) & PTE_PFN_MASK; p4d += __START_KERNEL_map - phys_base; return (p4d_t *)p4d + p4d_index(addr); } -- 2.21.0
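Review bot: the one-line change is correct: pgd_val(*pgd) already holds the physical address of the p4d table together with its flag bits, so `p4d = pgd_val(*pgd) & PTE_PFN_MASK;` yields the physical address directly, and the unchanged `p4d += __START_KERNEL_map - phys_base;` then turns it into a virtual address through the kernel text mapping. Since the original bug came from misreading what pgd_val() contains, a short comment above the masking line stating that the entry is already a physical address, and why the conversion goes through `__START_KERNEL_map - phys_base` rather than __va() in this early path, would help prevent a repeat; the Fixes: tag pointing at 12a8cc7fcf54 and the stable Cc are appropriate for a boot failure.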
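As an added illustration of the arithmetic in the commit message (not code from the patch or from the kernel tree), this models __pa_nodebug() and the PTE_PFN_MASK masking to show why the buggy expression happened to produce the right frame with the old 5-level PAGE_OFFSET and a garbage high-bit value with the new one. The PAGE_OFFSET constants, a 52-bit physical mask, phys_base of 0 and the sample pgd entry are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Assumed constants modelled after arch/x86 (illustration only): the
 * 5-level PAGE_OFFSET before and after commit d52888aa2753,
 * __START_KERNEL_map, and PTE_PFN_MASK for 52 physical address bits. */
#define START_KERNEL_MAP      0xffffffff80000000ULL
#define PAGE_OFFSET_L5_OLD    0xff10000000000000ULL
#define PAGE_OFFSET_L5_NEW    0xff11000000000000ULL
#define PHYSICAL_MASK_52      ((1ULL << 52) - 1)
#define PAGE_MASK_4K          (~0xfffULL)
#define PTE_PFN_MASK          (PHYSICAL_MASK_52 & PAGE_MASK_4K)

/* Model of __phys_addr_nodebug(): a virtual address above __START_KERNEL_map
 * gets phys_base added, anything else has PAGE_OFFSET subtracted. A small
 * input (an already-physical value) always lands in the second branch. */
static uint64_t pa_nodebug(uint64_t x, uint64_t page_offset, uint64_t phys_base)
{
    uint64_t y = x - START_KERNEL_MAP;
    /* carry trick: x > y means x was at or above __START_KERNEL_map */
    return y + ((x > y) ? phys_base : (START_KERNEL_MAP - page_offset));
}

/* The expression early_p4d_offset() used before the patch. */
static uint64_t p4d_phys_buggy(uint64_t pgd_val, uint64_t page_offset)
{
    return pa_nodebug(pgd_val, page_offset, 0 /* assumed phys_base */) & PTE_PFN_MASK;
}

/* The expression after the patch: pgd_val() is already physical. */
static uint64_t p4d_phys_fixed(uint64_t pgd_val)
{
    return pgd_val & PTE_PFN_MASK;
}

int main(void)
{
    /* Constructed pgd entry: physical frame 0x1234000 plus low flag bits. */
    uint64_t pgd_val = 0x1234000ULL | 0x67;

    printf("fixed             : %#" PRIx64 "\n", p4d_phys_fixed(pgd_val));
    printf("buggy, old offset : %#" PRIx64 "\n", p4d_phys_buggy(pgd_val, PAGE_OFFSET_L5_OLD));
    printf("buggy, new offset : %#" PRIx64 "\n", p4d_phys_buggy(pgd_val, PAGE_OFFSET_L5_NEW));
    return 0;
}
```

With the old offset the stray bits land at positions 52 and above and PTE_PFN_MASK discards them; with the new offset one of them falls at bit 48, inside the mask, so the result is no longer the frame address.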