X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 10355813
Date: Sun, 22 Apr 2018 20:06:39 +0100
From: Mark Rutland
To: Jan Kiszka
Cc: catalin.marinas@arm.com, will.deacon@arm.com, Linux Kernel Mailing List, linux-arm-kernel, suzuki.poulose@arm.com
Subject: Re: BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0
Message-ID: <20180422190639.lyfvgnzapo2mrpu6@salmiak>
In-Reply-To: <97d99ad9-c5cf-a4d2-126a-2b39ffead0b3@web.de>

On Sun, Apr 22, 2018 at 12:47:57PM +0200, Jan Kiszka wrote:
> Hi,
>
> this can be triggered simply by running
>
> # echo 0 > /sys/devices/system/cpu/cpu3/online
> # echo 1 > /sys/devices/system/cpu/cpu3/online
>
> [ 455.904854] ==================================================================
> [ 455.906108] BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0
> [ 455.906668] Read of size 4 at addr ffff200008e3a9d8 by task swapper/3/0

It looks like we miss a sentinel in kpti_safe_list. Does the below help?

Mark.

---->8----
From ade322407e3d6d1f50e558ebd50d2c1c7bd811c2 Mon Sep 17 00:00:00 2001
From: Mark Rutland Date: Sun, 22 Apr 2018 19:58:08 +0100 Subject: [PATCH] arm64: add sentinel to kpti_safe_list We're missing a sentinel entry in kpti_safe_list. Thus is_midr_in_range_list() can walk past the end of kpti_safe_list. Depending on the contents of memory, this could erroneously match a CPU's MIDR, cause a data abort, or other bad outcomes. Add the sentinel entry to avoid this. Fixes: be5b299830c63ed7 ("arm64: capabilities: Add support for checks based on a list of MIDRs") Signed-off-by: Mark Rutland Reported-by: Jan Kiszka Cc: Catalin Marinas Cc: Suzuki K Poulose Cc: Will Deacon Tested-by: Jan Kiszka --- arch/arm64/kernel/cpufeature.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index 536d572e5596..9d1b06d67c53 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -868,6 +868,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry, static const struct midr_range kpti_safe_list[] = { MIDR_ALL_VERSIONS(MIDR_CAVIUM_THUNDERX2), MIDR_ALL_VERSIONS(MIDR_BRCM_VULCAN), + { /* sentinel */ } }; char const *str = "command line option";
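Review bot: The terminator requirement is undocumented at the `kpti_safe_list[]` definition in unmap_kernel_at_el0(), so the next list handed to is_midr_in_range_list() can repeat the same omission. Consider a one-line comment above the array stating that it must end with an empty entry, and check in the same change that every other midr_range list introduced by the commit named in the Fixes: tag carries its sentinel. The added `{ /* sentinel */ }` has no trailing comma, which suits an entry that nothing should follow.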