Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp5991977pxb; Mon, 14 Feb 2022 12:35:12 -0800 (PST) X-Google-Smtp-Source: ABdhPJypwQtfm+ERymMi4CpnRxObT6nG8rtu+98zbFSWah8oovMKmGRTkG55/PBOZQL7VTi/Gs35 X-Received: by 2002:a05:6a00:841:: with SMTP id q1mr835404pfk.21.1644870912724; Mon, 14 Feb 2022 12:35:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644870912; cv=none; d=google.com; s=arc-20160816; b=kAwBPsJVwoTbnckBg0WdopdsklfbZ6XRqM7dHd2fC5hnut/j/axkF9lhsLFuO0CfDn CnRmDqVKQLD5J35KrUKwuDg9pqyGuAc7xPi7PbPxBMUx+tTwbgA0sB6JplJ+PgQOYtSA YScOERGzluuCkux7/Q4SL7+OE9TgPTnNZMUqrA1dW3lTlgsH+5+aVWQ9IX+W0A79k+QG Jg/1FNeq0uHlDCWkphM5b3Fpo0yv1RRX/8xSjfMlbXTtO0IUAldtswwvEyC+7PM4+XbM PYC5s6YkDwr0fAKguyKgNtT/dtl1cMc9t/BVxi0+XF1sS8y/uKvLy0ksHtM0e2gc9EcX Sblg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:references:in-reply-to :subject:cc:to:from:message-id:date:dkim-signature; bh=A4kOISWqqTgs9cJ5mlJCNV0l/4C5CSZGXBJJpOq+rYk=; b=kWnSByyJISFYC8R6ViM51gOjWfWYraJ580hrdtsu5v4MFw6v3G2BeurAf5/PVwtwYv naTNqid9AzOPFxX57dmZt7xU4wcaIboKRRmMzjBTIxB36DBZYFRCy9fv6wsu9FJqXNF0 FLlimd5rwEFQRjzs6+fwKLmhuYKR1hCpjvGUNKe3bYAalAoDAdkNo0aStvOhlTWPI9HL r+Dt6ixnIwtViPrRYe7DRlQELHMDK1N63tqnSVMt8IMbsUN6TbGYF51/eDh6UEx6M1Gp 0oTkZBuibHOCDzzqH8LP0Y6nKoZ2vdXDQ4tAhcbpj1pVnDDdq+H/KaOwM2OVoTTCa64Y Vnvw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=TTjhN2oQ; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id w9si7254197plg.153.2022.02.14.12.35.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Feb 2022 12:35:12 -0800 (PST) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=TTjhN2oQ; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id A369414CD9B; Mon, 14 Feb 2022 12:04:43 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354898AbiBNOGy (ORCPT + 99 others); Mon, 14 Feb 2022 09:06:54 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:45292 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231853AbiBNOGx (ORCPT ); Mon, 14 Feb 2022 09:06:53 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EC74365A2 for ; Mon, 14 Feb 2022 06:06:45 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 89A5E60F86 for ; Mon, 14 Feb 2022 14:06:45 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E3150C340EE; Mon, 14 Feb 2022 14:06:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1644847604; bh=uUt6bE07NssIaYfZ1Wzc5VcSVVOyx1PQSGWXB+SwyNg=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=TTjhN2oQXHO/DPe8aypKoXxulEjAeg9gpvnVZ98AN1NH4isPapKOXXyyV6mDb7GhX SbNHHxzhjn512Ou4zrxUTjx5KIbns+zuIDsKXiDTYayIv7JPf1DVZNHVyjBOnpwlxt 5us9f6eMs18RID38v6oueyITdTp4U/j1/FtOFkWkT7K5k/03ZqjDFwFyncMlnmhQ48 3rZDqhttac1LzYsBgP2rfA6efbI6zzBKVCNe794A4bmustR8jmoBpZglhSHOJcF9R1 ZLoRcBrINUI6hx91vkfpEKw7bKZvf5oQIv0ig6WeaKAmHtYPxoTyS4yKnsASNU6xO/ T9Km6girYxw3w== Received: from sofa.misterjones.org ([185.219.108.64] helo=why.misterjones.org) by disco-boy.misterjones.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nJc02-007nP8-LH; Mon, 14 Feb 2022 14:06:42 +0000 Date: Mon, 14 Feb 2022 14:06:41 +0000 Message-ID: <87leyd4k5q.wl-maz@kernel.org> From: Marc Zyngier To: Kalesh Singh Cc: will@kernel.org, qperret@google.com, tabba@google.com, surenb@google.com, kernel-team@android.com, Catalin Marinas , James Morse , Alexandru Elisei , Suzuki K Poulose , Ard Biesheuvel , Mark Rutland , Pasha Tatashin , Joey Gouly , Peter Collingbourne , Andrew Scull , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, kvmarm@lists.cs.columbia.edu Subject: Re: [PATCH 4/7] KVM: arm64: Allocate guard pages near hyp stacks In-Reply-To: <20220210224220.4076151-5-kaleshsingh@google.com> References: <20220210224220.4076151-1-kaleshsingh@google.com> <20220210224220.4076151-5-kaleshsingh@google.com> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI-EPG/1.14.7 (Harue) FLIM-LB/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL-LB/10.8 EasyPG/1.0.0 Emacs/27.1 (x86_64-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue") Content-Type: text/plain; charset=US-ASCII X-SA-Exim-Connect-IP: 185.219.108.64 X-SA-Exim-Rcpt-To: kaleshsingh@google.com, will@kernel.org, qperret@google.com, tabba@google.com, surenb@google.com, kernel-team@android.com, catalin.marinas@arm.com, james.morse@arm.com, alexandru.elisei@arm.com, suzuki.poulose@arm.com, ardb@kernel.org, mark.rutland@arm.com, pasha.tatashin@soleen.com, joey.gouly@arm.com, pcc@google.com, ascull@google.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, kvmarm@lists.cs.columbia.edu X-SA-Exim-Mail-From: maz@kernel.org X-SA-Exim-Scanned: No (on disco-boy.misterjones.org); SAEximRunCond expanded to false X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 10 Feb 2022 22:41:45 +0000, Kalesh Singh wrote: > > From: Quentin Perret > > Allocate unbacked VA space underneath each stack page to ensure stack > overflows get trapped and don't corrupt memory silently. > > The stack is aligned to twice its size (PAGE_SIZE), meaning that any > valid stack address has PAGE_SHIFT bit as 0. This allows us to easily > check for overflow in the exception entry without corrupting any GPRs. > > Signed-off-by: Quentin Perret > [ Kalesh - Update commit text and comments, > refactor, add overflow handling ] > Signed-off-by: Kalesh Singh > --- > arch/arm64/kvm/hyp/nvhe/host.S | 16 ++++++++++++++++ > arch/arm64/kvm/hyp/nvhe/setup.c | 19 ++++++++++++++++++- > arch/arm64/kvm/hyp/nvhe/switch.c | 5 +++++ > 3 files changed, 39 insertions(+), 1 deletion(-) > > diff --git a/arch/arm64/kvm/hyp/nvhe/host.S b/arch/arm64/kvm/hyp/nvhe/host.S > index 3d613e721a75..78e4b612ac06 100644 > --- a/arch/arm64/kvm/hyp/nvhe/host.S > +++ b/arch/arm64/kvm/hyp/nvhe/host.S > @@ -153,6 +153,10 @@ SYM_FUNC_END(__host_hvc) > > .macro invalid_host_el2_vect > .align 7 > + > + /* Test stack overflow without corrupting GPRs */ > + test_sp_overflow PAGE_SHIFT, .L__hyp_sp_overflow\@ > + I am definitely concerned with this in a system not using pKVM (which is on average 100% of the upstream users so far! ;-). This is more or less guaranteed to do the wrong thing 50% of the times, depending on the alignment of the stack. > /* If a guest is loaded, panic out of it. */ > stp x0, x1, [sp, #-16]! > get_loaded_vcpu x0, x1 > @@ -165,6 +169,18 @@ SYM_FUNC_END(__host_hvc) > * been partially clobbered by __host_enter. > */ > b hyp_panic > + > +.L__hyp_sp_overflow\@: > + /* > + * Reset SP to the top of the stack, to allow handling the hyp_panic. > + * This corrupts the stack but is ok, since we won't be attempting > + * any unwinding here. > + */ > + ldr_this_cpu x0, kvm_init_params + NVHE_INIT_STACK_HYP_VA, x1 > + mov sp, x0 > + > + bl hyp_panic_bad_stack > + ASM_BUG() > .endm > > .macro invalid_host_el1_vect > diff --git a/arch/arm64/kvm/hyp/nvhe/setup.c b/arch/arm64/kvm/hyp/nvhe/setup.c > index 99e178cf4249..114053dff228 100644 > --- a/arch/arm64/kvm/hyp/nvhe/setup.c > +++ b/arch/arm64/kvm/hyp/nvhe/setup.c > @@ -105,7 +105,24 @@ static int recreate_hyp_mappings(phys_addr_t phys, unsigned long size, > if (ret) > return ret; > > - /* Map stack pages in the 'private' VA range */ > + /* > + * Allocate 'private' VA range for stack guard pages. > + * > + * The 'private' VA range grows upward and stacks downwards, so > + * allocate the guard page first. But make sure to align the > + * stack itself with PAGE_SIZE * 2 granularity to ease overflow > + * detection in the entry assembly code. > + */ > + do { > + start = (void *)hyp_alloc_private_va_range(PAGE_SIZE); > + if (IS_ERR(start)) > + return PTR_ERR(start); > + } while (IS_ALIGNED((u64) start, PAGE_SIZE * 2)); This seems cumbersome. Can't we tweak hyp_alloc_private_va_range() to perform the required alignment? It could easily be convinced to return an address that is aligned on the size of the region, which would avoid this sort of loop. Thanks, M. -- Without deviation from the norm, progress is not possible.