[kvm-unit-tests PATCH 1/8] x86: Avoid top-most page for vmalloc on x86-64

[kvm-unit-tests PATCH 1/8] x86: Avoid top-most page for vmalloc on x86-64

[Mathias Krause]

[resend with kvm@ on cc]

On 23.06.25 06:50, Chao Gao wrote:
> On Fri, Jun 20, 2025 at 05:39:05PM +0200, Mathias Krause wrote:
>> The x86-64 implementation of setup_mmu() doesn't initialize 'vfree_top'
>> and leaves it at its zero-value. This isn't wrong per se, however, it
>> leads to odd configurations when the first vmalloc/vmap page gets
>> allocated. It'll be the very last page in the virtual address space --
>> which is an interesting corner case -- but its boundary will probably
>> wrap. It does so for CET's shadow stack, at least, which loads the
>> shadow stack pointer with the base address of the mapped page plus its
>> size, i.e. 0xffffffff_fffff000 + 4096, which wraps to 0x0.
>>
>> The CPU seems to handle such configurations just fine. However, it feels
>> odd to set the shadow stack pointer to "NULL".
> 
> Not sure if adjusting this is necessary. As a unit test, exercising this corner
> case might be beneficial. But I don't have a strong opinion. So,

Yeah, I have ambivalent opinions about it too (testing the corner case).
However, the under-/overflowing aspect of it feels like a bug to me.

> Reviewed-by: Chao Gao <chao.gao@intel.com>
> 
>>
>> To avoid the wrapping, ignore the top most page by initializing
>> 'vfree_top' to just one page below.
> 
> Nit: this makes the comment in test_lam_sup() stale, specifically "KUT
> initializes vfree_top to 0 for X86_64". So, that comment needs an update.

Ahh, good catch! I'll fix that one in the next version.

Thanks,
Mathias

[kvm-unit-tests PATCH 0/8] x86: CET fixes and enhancements

[Mathias Krause]

Hi,

I'm playing with the CET virtualization patch set[1] and was looking at
the CET tests and noticed a few obvious issues with it (flushing the
wrong address) as well as some missing parts (testing far rets).

[1] https://lore.kernel.org/kvm/20240219074733.122080-1-weijiang.yang@intel.com/

Below is a small series with fixes and cleanups.

Please apply!

Thanks,
Mathias


Mathias Krause (8):
  x86: Avoid top-most page for vmalloc on x86-64
  x86/cet: Fix flushing shadow stack mapping
  x86/cet: Use NONCANONICAL for non-canonical address
  x86/cet: Make shadow stack less fragile
  x86/cet: Avoid unnecessary function pointer casts
  x86/cet: Simplify IBT test
  x86/cet: Track and verify #CP error code
  x86/cet: Test far returns too

 lib/x86/vm.c |  2 ++
 x86/cet.c    | 81 ++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 64 insertions(+), 19 deletions(-)

-- 
2.47.2

[kvm-unit-tests PATCH 1/8] x86: Avoid top-most page for vmalloc on x86-64

[Mathias Krause]

The x86-64 implementation of setup_mmu() doesn't initialize 'vfree_top'
and leaves it at its zero-value. This isn't wrong per se, however, it
leads to odd configurations when the first vmalloc/vmap page gets
allocated. It'll be the very last page in the virtual address space --
which is an interesting corner case -- but its boundary will probably
wrap. It does so for CET's shadow stack, at least, which loads the
shadow stack pointer with the base address of the mapped page plus its
size, i.e. 0xffffffff_fffff000 + 4096, which wraps to 0x0.

The CPU seems to handle such configurations just fine. However, it feels
odd to set the shadow stack pointer to "NULL".

To avoid the wrapping, ignore the top most page by initializing
'vfree_top' to just one page below.

Signed-off-by: Mathias Krause <minipli@grsecurity.net>
---
 lib/x86/vm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/x86/vm.c b/lib/x86/vm.c
index 90f73fbb2dfd..27e7bb4004ef 100644
--- a/lib/x86/vm.c
+++ b/lib/x86/vm.c
@@ -191,6 +191,8 @@ void *setup_mmu(phys_addr_t end_of_memory, void *opt_mask)
         end_of_memory = (1ul << 32);  /* map mmio 1:1 */
 
     setup_mmu_range(cr3, 0, end_of_memory);
+    /* skip the last page for out-of-bound and wrap-around reasons */
+    init_alloc_vpage((void *)(~(PAGE_SIZE - 1)));
 #else
     setup_mmu_range(cr3, 0, (2ul << 30));
     setup_mmu_range(cr3, 3ul << 30, (1ul << 30));
-- 
2.47.2

Re: [kvm-unit-tests PATCH 1/8] x86: Avoid top-most page for vmalloc on x86-64

[Chao Gao]

On Fri, Jun 20, 2025 at 05:39:05PM +0200, Mathias Krause wrote:
>The x86-64 implementation of setup_mmu() doesn't initialize 'vfree_top'
>and leaves it at its zero-value. This isn't wrong per se, however, it
>leads to odd configurations when the first vmalloc/vmap page gets
>allocated. It'll be the very last page in the virtual address space --
>which is an interesting corner case -- but its boundary will probably
>wrap. It does so for CET's shadow stack, at least, which loads the
>shadow stack pointer with the base address of the mapped page plus its
>size, i.e. 0xffffffff_fffff000 + 4096, which wraps to 0x0.
>
>The CPU seems to handle such configurations just fine. However, it feels
>odd to set the shadow stack pointer to "NULL".

Not sure if adjusting this is necessary. As a unit test, exercising this corner
case might be beneficial. But I don't have a strong opinion. So,

Reviewed-by: Chao Gao <chao.gao@intel.com>

>
>To avoid the wrapping, ignore the top most page by initializing
>'vfree_top' to just one page below.

Nit: this makes the comment in test_lam_sup() stale, specifically "KUT
initializes vfree_top to 0 for X86_64". So, that comment needs an update.