Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp1216010rwb; Thu, 10 Nov 2022 12:55:27 -0800 (PST) X-Google-Smtp-Source: AMsMyM7xvmtiUNBFRImQNvulXc0d6Kd2aIcsNRHPlYBnD6hGDH5actslq8E3YsHIhbWrwTErGMXS X-Received: by 2002:a50:ec13:0:b0:461:e3f2:38bc with SMTP id g19-20020a50ec13000000b00461e3f238bcmr3493696edr.149.1668113727696; Thu, 10 Nov 2022 12:55:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1668113727; cv=none; d=google.com; s=arc-20160816; b=mu8v4eEyyXQIGS6lVcYp50jvH6Qbod88JOsmuLOmNLP4iHvYxqX3Yxkh5sQu5kXLzS d+PeJb3kkOUu2Kblf8J0DAUYoiceLvVwSfFdh+WvbfUM6eAepSn0LhB3UkUi3G+Vy9FO MCN9iQSgwZYnMPEciAcfxOJaazq+nBkXhPbOCKAgkDe3vt/BDbGx+rc5L/1xoYLK6POX 31zF8EA+HKAwAMirS1cKQU2vUfV0YQGaRc1T03m/aEpgDhUmUGItVl73ny0Ba4Z7fhMD sm+5/94E3lxJht7eK9lYLny5P/gmsnr/xrzdYB05X6OCdtVt2B77QV5COyTAzWa7cM0D Y5UA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:reply-to:dkim-signature; bh=u6Cw0ZmfOshKtE4Fs73s8CsSsDU0YsFyudltt9Q+W64=; b=SXSOfFiVI10m/XeT83QQAGaMZGXZu6QBednGI+aNlXpCFOQiX/jNbe2uvEWA7coIqA kf+uZV9y6XYIswAaXN59FYaq2jd46NSYMixFVtZdW4t9ArnG7cySgcyHfS5V8tQ3mAkm KYZpuBLrunYb4hRu0SuQ3iQVJQcMnxfZ4tS8cSh2ZEU+IR68+yOWqOKigi6lFiMeVXTY 3q9I9y/YPlDb1sRILwCV9PRatg9uW96P2l/SsY7ZayZSnSJvyp3yUxEIW35KBT914EIC TYx7qf3BgsJB7gOsjhmh79ZnQabs3g+1ebblXhmvtSuVegJRg3BgMGxmidInUvoJQzTy qC3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="F/+UCskf"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id w13-20020aa7cb4d000000b00462273b6b75si508593edt.361.2022.11.10.12.55.04; Thu, 10 Nov 2022 12:55:27 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b="F/+UCskf"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232071AbiKJUfk (ORCPT + 92 others); Thu, 10 Nov 2022 15:35:40 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43028 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231932AbiKJUfQ (ORCPT ); Thu, 10 Nov 2022 15:35:16 -0500 Received: from mail-pj1-x104a.google.com (mail-pj1-x104a.google.com [IPv6:2607:f8b0:4864:20::104a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AE0874E41E for ; Thu, 10 Nov 2022 12:35:15 -0800 (PST) Received: by mail-pj1-x104a.google.com with SMTP id ch8-20020a17090af40800b002140ba517b6so1629980pjb.4 for ; Thu, 10 Nov 2022 12:35:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:from:to:cc:subject:date:message-id:reply-to; bh=u6Cw0ZmfOshKtE4Fs73s8CsSsDU0YsFyudltt9Q+W64=; b=F/+UCskf44ADzGslt/IGpWoJh4u6oVd2pp653aShhnTg9HGbG3ZOsV/FfEAlnWOv5l xsKVf7wW/egGgeqeM0wcau4N13Ku8o7LmHx1T3stlAJ8yJvPcQ1cBg+QcQV9iwsd2e8E HeVgQc8NwGhGuWRTVRY/EwK8DiqhRfwl3cwXbOB+JFTihHxEBUJbpnksAnzIm8pRoFIO 9hsDruJByPgnUprVEPZoDYLLHYmVnWC+FpwJdKXALBXK8nN4FiMI/iw3lGWT8Q5JcCeg E8HLRuikgjnjtYd/4ZOd0xFNDQJuJrgDYUSkmPio/aXmZjRLhsZGIDceELpbs7rsc7cf P7PQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=u6Cw0ZmfOshKtE4Fs73s8CsSsDU0YsFyudltt9Q+W64=; b=LErW4KZWEDVZZ9Y/mLpinhOuYT5adKhTcDe+NO4mPd9aWlY/UJrCN3dJwkQ5XnO0Ic x7F+3preOBYIjt7ouOMBMlszSUpbpfwdTBQWtb2WyeEueQ8/+tyzHomVvn+ZX2Zgqzz+ sFDukQWoSUy5CVp42+1vDd7thstpwBu5P0n9PI8mwAHe/QgCXTB8DM0+k2q3/r1c3YKu whimpVhnnXXszJ5rd0d49jvsSjhl174H942howCjubQ4OoTdgXZuyyv1VzpVTgYDaWS2 94rdcktNAAivBNLtWxvtRZ4wF3S3UVE7WiURIwV6RrGxmox3zywkW67RhS9BHaHcuHJa 0O/g== X-Gm-Message-State: ACrzQf0VlqAdGjkqpGVV9K713CoJ5nIJfOiLfbe1tNYAuIyGPssR34ks aPDVva7LyzlHU2WAgFeM8Ec2Kh98krg= X-Received: from zagreus.c.googlers.com ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37]) (user=seanjc job=sendgmr) by 2002:a62:1595:0:b0:566:9f68:c0ad with SMTP id 143-20020a621595000000b005669f68c0admr3437397pfv.57.1668112515250; Thu, 10 Nov 2022 12:35:15 -0800 (PST) Reply-To: Sean Christopherson Date: Thu, 10 Nov 2022 20:35:04 +0000 In-Reply-To: <20221110203504.1985010-1-seanjc@google.com> Mime-Version: 1.0 References: <20221110203504.1985010-1-seanjc@google.com> X-Mailer: git-send-email 2.38.1.431.g37b22c650d-goog Message-ID: <20221110203504.1985010-6-seanjc@google.com> Subject: [PATCH v2 5/5] x86/kasan: Populate shadow for shared chunk of the CPU entry area From: Sean Christopherson To: Dave Hansen , Andy Lutomirski , Peter Zijlstra , Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org, Andrey Ryabinin Cc: "H. Peter Anvin" , Alexander Potapenko , Andrey Konovalov , Dmitry Vyukov , Vincenzo Frascino , linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, Sean Christopherson , syzbot+ffb4f000dc2872c93f62@syzkaller.appspotmail.com, syzbot+8cdd16fd5a6c0565e227@syzkaller.appspotmail.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Popuplate the shadow for the shared portion of the CPU entry area, i.e. the read-only IDT mapping, during KASAN initialization. A recent change modified KASAN to map the per-CPU areas on-demand, but forgot to keep a shadow for the common area that is shared amongst all CPUs. Map the common area in KASAN init instead of letting idt_map_in_cea() do the dirty work so that it Just Works in the unlikely event more shared data is shoved into the CPU entry area. The bug manifests as a not-present #PF when software attempts to lookup an IDT entry, e.g. when KVM is handling IRQs on Intel CPUs (KVM performs direct CALL to the IRQ handler to avoid the overhead of INTn): BUG: unable to handle page fault for address: fffffbc0000001d8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 16c03a067 P4D 16c03a067 PUD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 5 PID: 901 Comm: repro Tainted: G W 6.1.0-rc3+ #410 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:kasan_check_range+0xdf/0x190 vmx_handle_exit_irqoff+0x152/0x290 [kvm_intel] vcpu_run+0x1d89/0x2bd0 [kvm] kvm_arch_vcpu_ioctl_run+0x3ce/0xa70 [kvm] kvm_vcpu_ioctl+0x349/0x900 [kvm] __x64_sys_ioctl+0xb8/0xf0 do_syscall_64+0x2b/0x50 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Fixes: 9fd429c28073 ("x86/kasan: Map shadow for percpu pages on demand") Reported-by: syzbot+8cdd16fd5a6c0565e227@syzkaller.appspotmail.com Cc: Andrey Ryabinin Signed-off-by: Sean Christopherson --- arch/x86/mm/kasan_init_64.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c index afc5e129ca7b..af82046348a0 100644 --- a/arch/x86/mm/kasan_init_64.c +++ b/arch/x86/mm/kasan_init_64.c @@ -341,7 +341,7 @@ void __init kasan_populate_shadow_for_vaddr(void *va, size_t size, int nid) void __init kasan_init(void) { - unsigned long shadow_cea_begin, shadow_cea_end; + unsigned long shadow_cea_begin, shadow_cea_per_cpu_begin, shadow_cea_end; int i; memcpy(early_top_pgt, init_top_pgt, sizeof(early_top_pgt)); @@ -384,6 +384,7 @@ void __init kasan_init(void) } shadow_cea_begin = kasan_mem_to_shadow_align_down(CPU_ENTRY_AREA_BASE); + shadow_cea_per_cpu_begin = kasan_mem_to_shadow_align_up(CPU_ENTRY_AREA_PER_CPU); shadow_cea_end = kasan_mem_to_shadow_align_up(CPU_ENTRY_AREA_BASE + CPU_ENTRY_AREA_MAP_SIZE); @@ -409,6 +410,15 @@ void __init kasan_init(void) kasan_mem_to_shadow((void *)VMALLOC_END + 1), (void *)shadow_cea_begin); + /* + * Populate the shadow for the shared portion of the CPU entry area. + * Shadows for the per-CPU areas are mapped on-demand, as each CPU's + * area is randomly placed somewhere in the 512GiB range and mapping + * the entire 512GiB range is prohibitively expensive. + */ + kasan_populate_early_shadow((void *)shadow_cea_begin, + (void *)shadow_cea_per_cpu_begin); + kasan_populate_early_shadow((void *)shadow_cea_end, kasan_mem_to_shadow((void *)__START_KERNEL_map)); -- 2.38.1.431.g37b22c650d-goog