Date: Thu, 11 Jan 2024 16:11:27 -0800
From: Kees Cook
To: Russell King, Ard Biesheuvel
Cc: Mark Brown, Zhen Lei, linux-arm-kernel@lists.infradead.org
Subject: CPU stalls when handling PAN emulation?
Message-ID: <202401111544.18EBB6AA@keescook>

Hi,

Mark noticed that LKDTM's EXEC_USERSPACE test[1] (which trips the PAN
emulation, CONFIG_CPU_SW_DOMAIN_PAN=y, on 32-bit arm) appears to be
creating a situation that leads to a CPU stall. make_task_dead()
reports:

    note: ...[NNN] exited with preempt_count 1

which isn't seen with other Oopses (like EXEC_RODATA). (They do also
both report: "note: ...[NNN] exited with irqs disabled" too, but this
seems survivable.)

I note that the ACCESS_USERSPACE test does _not_ have this problem.

ACCESS_USERSPACE (survivable) starts with:

    lkdtm: Performing direct entry ACCESS_USERSPACE
    lkdtm: attempting bad read at 76f44000
    8<--- cut here ---
    Unhandled fault: page domain fault (0x01b) at 0x76f44000

EXEC_USERSPACE (leads to CPU stall) starts with:

    lkdtm: Performing direct entry EXEC_USERSPACE
    lkdtm: attempting ok execution at 8075bf18
    lkdtm: attempting bad execution at 76f6f000
    Unhandled prefetch abort: page domain fault (0x01b) at 0x76f6f000
    8<--- cut here ---
    Unhandled fault: page domain fault (0x01b) at 0x76f6f000

So they're both getting caught by the Domain stuff, but there looks to
be a second fault for EXEC_USERSPACE. (more below)

For the CPU stall to appear there (at least) needs to be a second Oops.
As an example, if I run EXEC_USERSPACE and then EXEC_RODATA, the latter
stops sending to the console very quickly, reporting only the very start
of the Oops:

    lkdtm: Performing direct entry EXEC_USERSPACE
    lkdtm: attempting ok execution at 8075bf18
    lkdtm: attempting bad execution at 76f10000
    Unhandled prefetch abort: page domain fault (0x01b) at 0x76f10000
    8<--- cut here ---
    Unhandled fault: page domain fault (0x01b) at 0x76f10000
    [76f10000] *pgd=44f6e835, *pte=469a455f, *ppte=469a4c7e
    Internal error: : 1b [#1] SMP ARM
    Modules linked in:
    ...
    Stack: (0xf0959d10 to 0xf095a000)
    ...
     copy_from_kernel_nofault from is_valid_bugaddr+0x40/0x84
     r7:f0959e08 r6:76f10000 r5:81a60000 r4:00000000
     is_valid_bugaddr from report_bug+0x4c/0x1b8
     r4:80e84f4c
     report_bug from die+0xb4/0x2f0
     r10:8100a3dc r9:80f0ead0 r8:60070193 r7:81a60000 r6:0000001b r5:80cf5e1c r4:f0959e08
     die from arm_notify_die+0x54/0x58
     r10:81a60000 r9:81a60000 r8:80fab2ec r7:80f0ffc8 r6:f0959e08 r5:76f10000 r4:0000001b
     arm_notify_die from do_PrefetchAbort+0x90/0x98
     do_PrefetchAbort from __pabt_svc+0x5c/0xa0
    Exception stack(0xf0959e08 to 0xf0959e50)
     r7:f0959e3c r6:ffffffff r5:60070013 r4:76f10000
     lkdtm_EXEC_USERSPACE from lkdtm_do_action+0x2c/0x4c
     r4:84fc6000
     lkdtm_do_action from direct_entry+0x130/0x150
    ...
    ---[ end trace 0000000000000000 ]---
    note: cat[1271] exited with irqs disabled
    note: cat[1271] exited with preempt_count 1
    lkdtm: Performing direct entry EXEC_RODATA
    lkdtm: attempting ok execution at 8075bf18
    lkdtm: attempting bad execution at 80b42118
    8<--- cut here ---
    Unable to handle kernel paging request at virtual address 80b42118 when execute
    [80b42118] *pgd=40a1940e(bad)
    ****nothing else****

Here the 2 crashes in EXEC_USERSPACE are visible.

Does anyone see something obvious in the exception handling that might
cause this? I'm not sure what to do next to figure out what's going
wrong.

Any help greatly appreciated! :)

-Kees

[1] To run an LKDTM test, build with CONFIG_LKDTM=y, mount debugfs and do:

    echo "EXEC_USERSPACE" | cat >/sys/kernel/debug/provoke-crash/DIRECT

(The pipe to cat is to avoid killing your shell on Oopses and BUGs.)
To list all available tests:

    cat /sys/kernel/debug/provoke-crash/DIRECT

--
Kees Cook
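
Added example, not part of the original message and not kernel or LKDTM code: a small Python triage that groups a captured console log by LKDTM test and flags the three symptoms reported above (more than one fault report for a test, a task exiting with a non-zero preempt_count, and an Oops that never reaches its end-trace line). The function names are hypothetical and the sample log is abbreviated from the excerpts quoted in the message.

```python
import re

# Console excerpt abbreviated from the two runs quoted in the message above.
SAMPLE_LOG = """\
lkdtm: Performing direct entry EXEC_USERSPACE
Unhandled prefetch abort: page domain fault (0x01b) at 0x76f10000
Unhandled fault: page domain fault (0x01b) at 0x76f10000
---[ end trace 0000000000000000 ]---
note: cat[1271] exited with preempt_count 1
lkdtm: Performing direct entry EXEC_RODATA
Unable to handle kernel paging request at virtual address 80b42118 when execute
"""

ENTRY = re.compile(r"lkdtm: Performing direct entry (\S+)")
FAULT = re.compile(r"Unhandled (?:prefetch abort|fault): |Unable to handle kernel ")
PREEMPT = re.compile(r"exited with preempt_count (\d+)")


def triage(log):
    """Group console lines by LKDTM test and record what each run reported."""
    runs = []
    for line in log.splitlines():
        entry = ENTRY.search(line)
        if entry:
            runs.append({"test": entry.group(1), "faults": 0,
                         "preempt": 0, "finished": False})
        elif runs:
            run, preempt = runs[-1], PREEMPT.search(line)
            run["faults"] += bool(FAULT.search(line))
            run["finished"] |= "---[ end trace" in line
            if preempt:
                run["preempt"] = int(preempt.group(1))
    return runs


def symptoms(run):
    """List the anomalies described in the message for one run."""
    checks = [
        (run["faults"] > 1, "%d fault reports" % run["faults"]),
        (run["preempt"] > 0, "exited with preempt_count %d" % run["preempt"]),
        (run["faults"] and not run["finished"], "Oops output truncated"),
    ]
    return [text for hit, text in checks if hit]


if __name__ == "__main__":
    for run in triage(SAMPLE_LOG):
        print(run["test"], symptoms(run) or "no anomaly")
```

The patterns use unanchored searches, so the same code works on dmesg output that carries timestamp prefixes.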