From mboxrd@z Thu Jan 1 00:00:00 1970
From: aryabinin@virtuozzo.com (Andrey Ryabinin)
Date: Fri, 11 Mar 2016 16:57:30 +0300
Subject: [PATCH] arm64: kasan: Fix zero shadow mapping overriding kernel image shadow
In-Reply-To: <1457636255-17427-1-git-send-email-catalin.marinas@arm.com>
References: <1457636255-17427-1-git-send-email-catalin.marinas@arm.com>
Message-ID: <56E2CECA.7050308@virtuozzo.com>
To: linux-arm-kernel@lists.infradead.org
List-Id: linux-arm-kernel.lists.infradead.org

On 03/10/2016 09:57 PM, Catalin Marinas wrote:
> With the 16KB and 64KB page size configurations, SWAPPER_BLOCK_SIZE is
> PAGE_SIZE and ARM64_SWAPPER_USES_SECTION_MAPS is 0. Since
> kimg_shadow_end is not page aligned (_end shifted by
> KASAN_SHADOW_SCALE_SHIFT), the edges of previously mapped kernel image
> shadow via vmemmap_populate() may be overridden by the subsequent call
> to kasan_populate_zero_shadow(), leading to kernel panics like below:
>
> ------------------------------------------------------------------------------
> Unable to handle kernel paging request at virtual address fffffc100135068c
> pgd = fffffc8009ac0000
> [fffffc100135068c] *pgd=00000009ffee0003, *pud=00000009ffee0003, *pmd=00000009ffee0003, *pte=00e0000081a00793
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
> Modules linked in:
> CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.5.0-rc4+ #1984
> Hardware name: Juno (DT)
> task: fffffe09001a0000 ti: fffffe0900200000 task.ti: fffffe0900200000
> PC is at __memset+0x4c/0x200
> LR is at kasan_unpoison_shadow+0x34/0x50
> pc : [] lr : [] pstate: 00000245
> sp : fffffe0900203db0
> x29: fffffe0900203db0 x28: 0000000000000000
> x27: 0000000000000000 x26: 0000000000000000
> x25: fffffc80099b69d0 x24: 0000000000000001
> x23: 0000000000000000 x22: 0000000000002000
> x21: dffffc8000000000 x20: 1fffff9001350a8c
> x19: 0000000000002000 x18: 0000000000000008
> x17: 0000000000000147 x16: ffffffffffffffff
> x15: 79746972100e041d x14: ffffff0000000000
> x13: ffff000000000000 x12: 0000000000000000
> x11: 0101010101010101 x10: 1fffffc11c000000
> x9 : 0000000000000000 x8 : fffffc100135068c
> x7 : 0000000000000000 x6 : 000000000000003f
> x5 : 0000000000000040 x4 : 0000000000000004
> x3 : fffffc100134f651 x2 : 0000000000000400
> x1 : 0000000000000000 x0 : fffffc100135068c
>
> Process swapper/0 (pid: 1, stack limit = 0xfffffe0900200020)
> Call trace:
> [] __memset+0x4c/0x200
> [] __asan_register_globals+0x5c/0xb0
> [] _GLOBAL__sub_I_65535_1_sunrpc_cache_lookup+0x1c/0x28
> [] kernel_init_freeable+0x104/0x274
> [] kernel_init+0x10/0xf8
> [] ret_from_fork+0x10/0x50
> ------------------------------------------------------------------------------
>
> This patch aligns kimg_shadow_start and kimg_shadow_end to
> SWAPPER_BLOCK_SIZE in all configurations.
>
> Fixes: f9040773b7bb ("arm64: move kernel image to base of vmalloc area")
> Signed-off-by: Catalin Marinas

Acked-by: Andrey Ryabinin
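The overlap the quoted commit message describes, modelled in C as an added example (not kernel code, not part of this thread): a page-granular "populate" for the kernel-image shadow followed by one for the zero shadow, with and without the SWAPPER_BLOCK_SIZE alignment of the edges. It assumes 16KB pages with no section maps (so SWAPPER_BLOCK_SIZE equals PAGE_SIZE), the usual shadow scale shift of 3, a shadow offset taken from x21 in the oops, and a constructed kernel image range.

```c
#include <stdint.h>

/* Constructed model of the bug in the quoted commit message; added example code,
 * not kernel source. 16KB pages without section maps, so SWAPPER_BLOCK_SIZE equals
 * PAGE_SIZE; KASAN_SHADOW_OFFSET is assumed from x21 in the oops register dump. */
#define PAGE_SHIFT               14
#define PAGE_SIZE                (1UL << PAGE_SHIFT)
#define SWAPPER_BLOCK_SIZE       PAGE_SIZE
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc8000000000UL
#define ALIGN_DOWN(x, a)         ((x) & ~((uintptr_t)(a) - 1))
#define ALIGN_UP(x, a)           ALIGN_DOWN((x) + (a) - 1, a)
#define MODEL_PAGES              64  /* shadow pages tracked from the image shadow start */

enum owner { UNMAPPED = 0, IMAGE_SHADOW, ZERO_SHADOW };

static uintptr_t shadow_of(uintptr_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Page-granular populate: every page touched by [start, end) is (re)mapped to 'who'. */
static void populate(enum owner *pages, uintptr_t base, uintptr_t start, uintptr_t end,
                     enum owner who)
{
    for (uintptr_t p = ALIGN_DOWN(start, PAGE_SIZE); p < end; p += PAGE_SIZE)
        if ((p - base) >> PAGE_SHIFT < MODEL_PAGES)
            pages[(p - base) >> PAGE_SHIFT] = who;
}

/* Counts kernel-image shadow pages that the later zero-shadow populate ends up owning. */
int overridden_pages(uintptr_t kimg_start, uintptr_t kimg_end, int align_to_block)
{
    enum owner pages[MODEL_PAGES] = { UNMAPPED };
    uintptr_t img_s = shadow_of(kimg_start), img_e = shadow_of(kimg_end);
    uintptr_t base = ALIGN_DOWN(img_s, PAGE_SIZE), s = img_s, e = img_e;
    int lost = 0;

    if (align_to_block) {  /* the fix: align both edges to SWAPPER_BLOCK_SIZE */
        s = ALIGN_DOWN(img_s, SWAPPER_BLOCK_SIZE);
        e = ALIGN_UP(img_e, SWAPPER_BLOCK_SIZE);
    }
    populate(pages, base, s, e, IMAGE_SHADOW);                /* vmemmap_populate() */
    populate(pages, base, e, e + 4 * PAGE_SIZE, ZERO_SHADOW);  /* zero shadow, first pages */

    for (uintptr_t p = base; p < img_e; p += PAGE_SIZE)
        if ((p - base) >> PAGE_SHIFT < MODEL_PAGES &&
            pages[(p - base) >> PAGE_SHIFT] != IMAGE_SHADOW)
            lost++;
    return lost;  /* non-zero means image shadow was overridden by zero shadow */
}
```

With an image size that is not a multiple of 8 * PAGE_SIZE the unaligned shadow end shares a page with the zero shadow and that page is lost; aligning the edges removes the overlap.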