From: Catalin Marinas <catalin.marinas@arm.com>
To: Quentin Perret <qperret@google.com>
Cc: kernel-team@android.com, Marc Zyngier <maz@kernel.org>,
linux-kernel@vger.kernel.org, Mike Rapoport <rppt@kernel.org>,
Will Deacon <will@kernel.org>,
kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] KVM: arm64: Prevent kmemleak from accessing pKVM memory
Date: Thu, 16 Jun 2022 18:51:02 +0100 [thread overview]
Message-ID: <YqtthvVxgQ6K0nEt@arm.com> (raw)
In-Reply-To: <20220616161135.3997786-1-qperret@google.com>
On Thu, Jun 16, 2022 at 04:11:34PM +0000, Quentin Perret wrote:
> Commit a7259df76702 ("memblock: make memblock_find_in_range method
> private") changed the API using which memory is reserved for the pKVM
> hypervisor. However, it seems that memblock_phys_alloc() differs
> from the original API in terms of kmemleak semantics -- the old one
> excluded the reserved regions from kmemleak scans when the new one
> doesn't seem to. Unfortunately, when protected KVM is enabled, all
> kernel accesses to pKVM-private memory result in a fatal exception,
> which can now happen because of kmemleak scans:
>
> $ echo scan > /sys/kernel/debug/kmemleak
> [ 34.991354] kvm [304]: nVHE hyp BUG at: [<ffff800008fa3750>] __kvm_nvhe_handle_host_mem_abort+0x270/0x290!
> [ 34.991580] kvm [304]: Hyp Offset: 0xfffe8be807e00000
> [ 34.991813] Kernel panic - not syncing: HYP panic:
> [ 34.991813] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800
> [ 34.991813] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000
> [ 34.991813] VCPU:0000000000000000
> [ 34.993660] CPU: 0 PID: 304 Comm: bash Not tainted 5.19.0-rc2 #102
> [ 34.994059] Hardware name: linux,dummy-virt (DT)
> [ 34.994452] Call trace:
> [ 34.994641] dump_backtrace.part.0+0xcc/0xe0
> [ 34.994932] show_stack+0x18/0x6c
> [ 34.995094] dump_stack_lvl+0x68/0x84
> [ 34.995276] dump_stack+0x18/0x34
> [ 34.995484] panic+0x16c/0x354
> [ 34.995673] __hyp_pgtable_total_pages+0x0/0x60
> [ 34.995933] scan_block+0x74/0x12c
> [ 34.996129] scan_gray_list+0xd8/0x19c
> [ 34.996332] kmemleak_scan+0x2c8/0x580
> [ 34.996535] kmemleak_write+0x340/0x4a0
> [ 34.996744] full_proxy_write+0x60/0xbc
> [ 34.996967] vfs_write+0xc4/0x2b0
> [ 34.997136] ksys_write+0x68/0xf4
> [ 34.997311] __arm64_sys_write+0x20/0x2c
> [ 34.997532] invoke_syscall+0x48/0x114
> [ 34.997779] el0_svc_common.constprop.0+0x44/0xec
> [ 34.998029] do_el0_svc+0x2c/0xc0
> [ 34.998205] el0_svc+0x2c/0x84
> [ 34.998421] el0t_64_sync_handler+0xf4/0x100
> [ 34.998653] el0t_64_sync+0x18c/0x190
> [ 34.999252] SMP: stopping secondary CPUs
> [ 35.000034] Kernel Offset: disabled
> [ 35.000261] CPU features: 0x800,00007831,00001086
> [ 35.000642] Memory Limit: none
> [ 35.001329] ---[ end Kernel panic - not syncing: HYP panic:
> [ 35.001329] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800
> [ 35.001329] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000
> [ 35.001329] VCPU:0000000000000000 ]---
>
> Fix this by explicitly excluding the hypervisor's memory pool from
> kmemleak like we already do for the hyp BSS.
>
> Cc: Mike Rapoport <rppt@kernel.org>
> Fixes: a7259df76702 ("memblock: make memblock_find_in_range method private")
> Signed-off-by: Quentin Perret <qperret@google.com>
> ---
> An alternative could be to actually exclude memory allocated using
> memblock_phys_alloc_range() from kmemleak scans to revert back to the
> old behaviour. But nobody else has complained about this AFAIK, so I'd
> be inclined to keep this local to pKVM. No strong opinion.
This works for me, I haven't heard anyone else complaining.
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Quentin Perret <qperret@google.com>
Cc: Marc Zyngier <maz@kernel.org>, James Morse <james.morse@arm.com>,
Alexandru Elisei <alexandru.elisei@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Will Deacon <will@kernel.org>,
linux-arm-kernel@lists.infradead.org,
kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org,
kernel-team@android.com, Mike Rapoport <rppt@kernel.org>
Subject: Re: [PATCH] KVM: arm64: Prevent kmemleak from accessing pKVM memory
Date: Thu, 16 Jun 2022 18:51:02 +0100 [thread overview]
Message-ID: <YqtthvVxgQ6K0nEt@arm.com> (raw)
In-Reply-To: <20220616161135.3997786-1-qperret@google.com>
On Thu, Jun 16, 2022 at 04:11:34PM +0000, Quentin Perret wrote:
> Commit a7259df76702 ("memblock: make memblock_find_in_range method
> private") changed the API using which memory is reserved for the pKVM
> hypervisor. However, it seems that memblock_phys_alloc() differs
> from the original API in terms of kmemleak semantics -- the old one
> excluded the reserved regions from kmemleak scans when the new one
> doesn't seem to. Unfortunately, when protected KVM is enabled, all
> kernel accesses to pKVM-private memory result in a fatal exception,
> which can now happen because of kmemleak scans:
>
> $ echo scan > /sys/kernel/debug/kmemleak
> [ 34.991354] kvm [304]: nVHE hyp BUG at: [<ffff800008fa3750>] __kvm_nvhe_handle_host_mem_abort+0x270/0x290!
> [ 34.991580] kvm [304]: Hyp Offset: 0xfffe8be807e00000
> [ 34.991813] Kernel panic - not syncing: HYP panic:
> [ 34.991813] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800
> [ 34.991813] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000
> [ 34.991813] VCPU:0000000000000000
> [ 34.993660] CPU: 0 PID: 304 Comm: bash Not tainted 5.19.0-rc2 #102
> [ 34.994059] Hardware name: linux,dummy-virt (DT)
> [ 34.994452] Call trace:
> [ 34.994641] dump_backtrace.part.0+0xcc/0xe0
> [ 34.994932] show_stack+0x18/0x6c
> [ 34.995094] dump_stack_lvl+0x68/0x84
> [ 34.995276] dump_stack+0x18/0x34
> [ 34.995484] panic+0x16c/0x354
> [ 34.995673] __hyp_pgtable_total_pages+0x0/0x60
> [ 34.995933] scan_block+0x74/0x12c
> [ 34.996129] scan_gray_list+0xd8/0x19c
> [ 34.996332] kmemleak_scan+0x2c8/0x580
> [ 34.996535] kmemleak_write+0x340/0x4a0
> [ 34.996744] full_proxy_write+0x60/0xbc
> [ 34.996967] vfs_write+0xc4/0x2b0
> [ 34.997136] ksys_write+0x68/0xf4
> [ 34.997311] __arm64_sys_write+0x20/0x2c
> [ 34.997532] invoke_syscall+0x48/0x114
> [ 34.997779] el0_svc_common.constprop.0+0x44/0xec
> [ 34.998029] do_el0_svc+0x2c/0xc0
> [ 34.998205] el0_svc+0x2c/0x84
> [ 34.998421] el0t_64_sync_handler+0xf4/0x100
> [ 34.998653] el0t_64_sync+0x18c/0x190
> [ 34.999252] SMP: stopping secondary CPUs
> [ 35.000034] Kernel Offset: disabled
> [ 35.000261] CPU features: 0x800,00007831,00001086
> [ 35.000642] Memory Limit: none
> [ 35.001329] ---[ end Kernel panic - not syncing: HYP panic:
> [ 35.001329] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800
> [ 35.001329] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000
> [ 35.001329] VCPU:0000000000000000 ]---
>
> Fix this by explicitly excluding the hypervisor's memory pool from
> kmemleak like we already do for the hyp BSS.
>
> Cc: Mike Rapoport <rppt@kernel.org>
> Fixes: a7259df76702 ("memblock: make memblock_find_in_range method private")
> Signed-off-by: Quentin Perret <qperret@google.com>
> ---
> An alternative could be to actually exclude memory allocated using
> memblock_phys_alloc_range() from kmemleak scans to revert back to the
> old behaviour. But nobody else has complained about this AFAIK, so I'd
> be inclined to keep this local to pKVM. No strong opinion.
This works for me, I haven't heard anyone else complaining.
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Quentin Perret <qperret@google.com>
Cc: Marc Zyngier <maz@kernel.org>, James Morse <james.morse@arm.com>,
Alexandru Elisei <alexandru.elisei@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Will Deacon <will@kernel.org>,
linux-arm-kernel@lists.infradead.org,
kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org,
kernel-team@android.com, Mike Rapoport <rppt@kernel.org>
Subject: Re: [PATCH] KVM: arm64: Prevent kmemleak from accessing pKVM memory
Date: Thu, 16 Jun 2022 18:51:02 +0100 [thread overview]
Message-ID: <YqtthvVxgQ6K0nEt@arm.com> (raw)
In-Reply-To: <20220616161135.3997786-1-qperret@google.com>
On Thu, Jun 16, 2022 at 04:11:34PM +0000, Quentin Perret wrote:
> Commit a7259df76702 ("memblock: make memblock_find_in_range method
> private") changed the API using which memory is reserved for the pKVM
> hypervisor. However, it seems that memblock_phys_alloc() differs
> from the original API in terms of kmemleak semantics -- the old one
> excluded the reserved regions from kmemleak scans when the new one
> doesn't seem to. Unfortunately, when protected KVM is enabled, all
> kernel accesses to pKVM-private memory result in a fatal exception,
> which can now happen because of kmemleak scans:
>
> $ echo scan > /sys/kernel/debug/kmemleak
> [ 34.991354] kvm [304]: nVHE hyp BUG at: [<ffff800008fa3750>] __kvm_nvhe_handle_host_mem_abort+0x270/0x290!
> [ 34.991580] kvm [304]: Hyp Offset: 0xfffe8be807e00000
> [ 34.991813] Kernel panic - not syncing: HYP panic:
> [ 34.991813] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800
> [ 34.991813] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000
> [ 34.991813] VCPU:0000000000000000
> [ 34.993660] CPU: 0 PID: 304 Comm: bash Not tainted 5.19.0-rc2 #102
> [ 34.994059] Hardware name: linux,dummy-virt (DT)
> [ 34.994452] Call trace:
> [ 34.994641] dump_backtrace.part.0+0xcc/0xe0
> [ 34.994932] show_stack+0x18/0x6c
> [ 34.995094] dump_stack_lvl+0x68/0x84
> [ 34.995276] dump_stack+0x18/0x34
> [ 34.995484] panic+0x16c/0x354
> [ 34.995673] __hyp_pgtable_total_pages+0x0/0x60
> [ 34.995933] scan_block+0x74/0x12c
> [ 34.996129] scan_gray_list+0xd8/0x19c
> [ 34.996332] kmemleak_scan+0x2c8/0x580
> [ 34.996535] kmemleak_write+0x340/0x4a0
> [ 34.996744] full_proxy_write+0x60/0xbc
> [ 34.996967] vfs_write+0xc4/0x2b0
> [ 34.997136] ksys_write+0x68/0xf4
> [ 34.997311] __arm64_sys_write+0x20/0x2c
> [ 34.997532] invoke_syscall+0x48/0x114
> [ 34.997779] el0_svc_common.constprop.0+0x44/0xec
> [ 34.998029] do_el0_svc+0x2c/0xc0
> [ 34.998205] el0_svc+0x2c/0x84
> [ 34.998421] el0t_64_sync_handler+0xf4/0x100
> [ 34.998653] el0t_64_sync+0x18c/0x190
> [ 34.999252] SMP: stopping secondary CPUs
> [ 35.000034] Kernel Offset: disabled
> [ 35.000261] CPU features: 0x800,00007831,00001086
> [ 35.000642] Memory Limit: none
> [ 35.001329] ---[ end Kernel panic - not syncing: HYP panic:
> [ 35.001329] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800
> [ 35.001329] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000
> [ 35.001329] VCPU:0000000000000000 ]---
>
> Fix this by explicitly excluding the hypervisor's memory pool from
> kmemleak like we already do for the hyp BSS.
>
> Cc: Mike Rapoport <rppt@kernel.org>
> Fixes: a7259df76702 ("memblock: make memblock_find_in_range method private")
> Signed-off-by: Quentin Perret <qperret@google.com>
> ---
> An alternative could be to actually exclude memory allocated using
> memblock_phys_alloc_range() from kmemleak scans to revert back to the
> old behaviour. But nobody else has complained about this AFAIK, so I'd
> be inclined to keep this local to pKVM. No strong opinion.
This works for me, I haven't heard anyone else complaining.
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
next prev parent reply other threads:[~2022-06-16 17:51 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-16 16:11 [PATCH] KVM: arm64: Prevent kmemleak from accessing pKVM memory Quentin Perret
2022-06-16 16:11 ` Quentin Perret
2022-06-16 16:11 ` Quentin Perret
2022-06-16 17:51 ` Catalin Marinas [this message]
2022-06-16 17:51 ` Catalin Marinas
2022-06-16 17:51 ` Catalin Marinas
2022-06-17 8:19 ` Mike Rapoport
2022-06-17 8:19 ` Mike Rapoport
2022-06-17 8:19 ` Mike Rapoport
2022-06-17 8:21 ` Marc Zyngier
2022-06-17 8:21 ` Marc Zyngier
2022-06-17 8:21 ` Marc Zyngier
2022-06-17 8:38 ` Mike Rapoport
2022-06-17 8:38 ` Mike Rapoport
2022-06-17 8:38 ` Mike Rapoport
2022-06-17 8:45 ` Quentin Perret
2022-06-17 8:45 ` Quentin Perret
2022-06-17 8:45 ` Quentin Perret
2022-06-17 8:50 ` Marc Zyngier
2022-06-17 8:50 ` Marc Zyngier
2022-06-17 8:50 ` Marc Zyngier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YqtthvVxgQ6K0nEt@arm.com \
--to=catalin.marinas@arm.com \
--cc=kernel-team@android.com \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=qperret@google.com \
--cc=rppt@kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.