mirror of
https://github.com/torvalds/linux.git
synced 2025-11-04 10:40:15 +02:00
528a4ab453
Since scs allocation is moved to vmalloc region, the
shadow stack is protected by kasan_posion_vmalloc.
However, the vfree_atomic operation needs to access
its context for scs_free process and causes kasan error
as the dump info below.
This patch Adds kasan_unpoison_vmalloc() before vfree_atomic,
which aligns to the prior flow as using kmem_cache.
The vmalloc region will go back posioned in the following
vumap() operations.
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in llist_add_batch+0x60/0xd4
Write of size 8 at addr ffff8000100b9000 by task kthreadd/2
CPU: 0 PID: 2 Comm: kthreadd Not tainted 5.15.0-rc2-11681-g92477dd1faa6-dirty #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x43c
show_stack+0x1c/0x2c
dump_stack_lvl+0x68/0x84
print_address_description+0x80/0x394
kasan_report+0x180/0x1dc
__asan_report_store8_noabort+0x48/0x58
llist_add_batch+0x60/0xd4
vfree_atomic+0x60/0xe0
scs_free+0x1dc/0x1fc
scs_release+0xa4/0xd4
free_task+0x30/0xe4
__put_task_struct+0x1ec/0x2e0
delayed_put_task_struct+0x5c/0xa0
rcu_do_batch+0x62c/0x8a0
rcu_core+0x60c/0xc14
rcu_core_si+0x14/0x24
__do_softirq+0x19c/0x68c
irq_exit+0x118/0x2dc
handle_domain_irq+0xcc/0x134
gic_handle_irq+0x7c/0x1bc
call_on_irq_stack+0x40/0x70
do_interrupt_handler+0x78/0x9c
el1_interrupt+0x34/0x60
el1h_64_irq_handler+0x1c/0x2c
el1h_64_irq+0x78/0x7c
_raw_spin_unlock_irqrestore+0x40/0xcc
sched_fork+0x4f0/0xb00
copy_process+0xacc/0x3648
kernel_clone+0x168/0x534
kernel_thread+0x13c/0x1b0
kthreadd+0x2bc/0x400
ret_from_fork+0x10/0x20
Memory state around the buggy address:
ffff8000100b8f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffff8000100b8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffff8000100b9000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffff8000100b9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffff8000100b9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
Suggested-by: Kuan-Ying Lee <kuan-ying.lee@mediatek.com>
Acked-by: Will Deacon <will@kernel.org>
Tested-by: Will Deacon <will@kernel.org>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Yee Lee <yee.lee@mediatek.com>
Fixes: a2abe7cbd8 ("scs: switch to vmapped shadow stacks")
Link: https://lore.kernel.org/r/20210930081619.30091-1-yee.lee@mediatek.com
Signed-off-by: Will Deacon <will@kernel.org>
154 lines
2.8 KiB
C
154 lines
2.8 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* Shadow Call Stack support.
|
|
*
|
|
* Copyright (C) 2019 Google LLC
|
|
*/
|
|
|
|
#include <linux/cpuhotplug.h>
|
|
#include <linux/kasan.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/scs.h>
|
|
#include <linux/vmalloc.h>
|
|
#include <linux/vmstat.h>
|
|
|
|
static void __scs_account(void *s, int account)
|
|
{
|
|
struct page *scs_page = vmalloc_to_page(s);
|
|
|
|
mod_node_page_state(page_pgdat(scs_page), NR_KERNEL_SCS_KB,
|
|
account * (SCS_SIZE / SZ_1K));
|
|
}
|
|
|
|
/* Matches NR_CACHED_STACKS for VMAP_STACK */
|
|
#define NR_CACHED_SCS 2
|
|
static DEFINE_PER_CPU(void *, scs_cache[NR_CACHED_SCS]);
|
|
|
|
static void *__scs_alloc(int node)
|
|
{
|
|
int i;
|
|
void *s;
|
|
|
|
for (i = 0; i < NR_CACHED_SCS; i++) {
|
|
s = this_cpu_xchg(scs_cache[i], NULL);
|
|
if (s) {
|
|
kasan_unpoison_vmalloc(s, SCS_SIZE);
|
|
memset(s, 0, SCS_SIZE);
|
|
return s;
|
|
}
|
|
}
|
|
|
|
return __vmalloc_node_range(SCS_SIZE, 1, VMALLOC_START, VMALLOC_END,
|
|
GFP_SCS, PAGE_KERNEL, 0, node,
|
|
__builtin_return_address(0));
|
|
}
|
|
|
|
void *scs_alloc(int node)
|
|
{
|
|
void *s;
|
|
|
|
s = __scs_alloc(node);
|
|
if (!s)
|
|
return NULL;
|
|
|
|
*__scs_magic(s) = SCS_END_MAGIC;
|
|
|
|
/*
|
|
* Poison the allocation to catch unintentional accesses to
|
|
* the shadow stack when KASAN is enabled.
|
|
*/
|
|
kasan_poison_vmalloc(s, SCS_SIZE);
|
|
__scs_account(s, 1);
|
|
return s;
|
|
}
|
|
|
|
void scs_free(void *s)
|
|
{
|
|
int i;
|
|
|
|
__scs_account(s, -1);
|
|
|
|
/*
|
|
* We cannot sleep as this can be called in interrupt context,
|
|
* so use this_cpu_cmpxchg to update the cache, and vfree_atomic
|
|
* to free the stack.
|
|
*/
|
|
|
|
for (i = 0; i < NR_CACHED_SCS; i++)
|
|
if (this_cpu_cmpxchg(scs_cache[i], 0, s) == NULL)
|
|
return;
|
|
|
|
kasan_unpoison_vmalloc(s, SCS_SIZE);
|
|
vfree_atomic(s);
|
|
}
|
|
|
|
static int scs_cleanup(unsigned int cpu)
|
|
{
|
|
int i;
|
|
void **cache = per_cpu_ptr(scs_cache, cpu);
|
|
|
|
for (i = 0; i < NR_CACHED_SCS; i++) {
|
|
vfree(cache[i]);
|
|
cache[i] = NULL;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
void __init scs_init(void)
|
|
{
|
|
cpuhp_setup_state(CPUHP_BP_PREPARE_DYN, "scs:scs_cache", NULL,
|
|
scs_cleanup);
|
|
}
|
|
|
|
int scs_prepare(struct task_struct *tsk, int node)
|
|
{
|
|
void *s = scs_alloc(node);
|
|
|
|
if (!s)
|
|
return -ENOMEM;
|
|
|
|
task_scs(tsk) = task_scs_sp(tsk) = s;
|
|
return 0;
|
|
}
|
|
|
|
static void scs_check_usage(struct task_struct *tsk)
|
|
{
|
|
static unsigned long highest;
|
|
|
|
unsigned long *p, prev, curr = highest, used = 0;
|
|
|
|
if (!IS_ENABLED(CONFIG_DEBUG_STACK_USAGE))
|
|
return;
|
|
|
|
for (p = task_scs(tsk); p < __scs_magic(tsk); ++p) {
|
|
if (!READ_ONCE_NOCHECK(*p))
|
|
break;
|
|
used += sizeof(*p);
|
|
}
|
|
|
|
while (used > curr) {
|
|
prev = cmpxchg_relaxed(&highest, curr, used);
|
|
|
|
if (prev == curr) {
|
|
pr_info("%s (%d): highest shadow stack usage: %lu bytes\n",
|
|
tsk->comm, task_pid_nr(tsk), used);
|
|
break;
|
|
}
|
|
|
|
curr = prev;
|
|
}
|
|
}
|
|
|
|
void scs_release(struct task_struct *tsk)
|
|
{
|
|
void *s = task_scs(tsk);
|
|
|
|
if (!s)
|
|
return;
|
|
|
|
WARN(task_scs_end_corrupted(tsk),
|
|
"corrupted shadow stack detected when freeing task\n");
|
|
scs_check_usage(tsk);
|
|
scs_free(s);
|
|
}
|