* BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0
@ 2018-04-22 10:47 Jan Kiszka
  2018-04-22 19:06 ` Mark Rutland
  0 siblings, 1 reply; 6+ messages in thread

From: Jan Kiszka @ 2018-04-22 10:47 UTC (permalink / raw)
  To: linux-arm-kernel

Hi,

this can be triggered simply by running

# echo 0 > /sys/devices/system/cpu/cpu3/online
# echo 1 > /sys/devices/system/cpu/cpu3/online

[  455.904854] ==================================================================
[  455.906108] BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0
[  455.906668] Read of size 4 at addr ffff200008e3a9d8 by task swapper/3/0
[  455.907122]
[  455.907647] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.17.0-rc1-00257-gbf20b92a3b12 #76
[  455.908158] Hardware name: linux,dummy-virt (DT)
[  455.908802] Call trace:
[  455.909126]  dump_backtrace+0x0/0x230
[  455.909522]  show_stack+0x14/0x20
[  455.909848]  dump_stack+0xa8/0xcc
[  455.910180]  print_address_description+0x13c/0x250
[  455.910576]  kasan_report+0x254/0x328
[  455.910985]  __asan_load4+0x88/0xb0
[  455.911326]  unmap_kernel_at_el0+0x70/0x1a0
[  455.911702]  __verify_local_cpu_caps+0x78/0x178
[  455.912098]  verify_local_cpu_caps+0x4c/0x60
[  455.912509]  check_local_cpu_capabilities+0x64/0x158
[  455.912955]  secondary_start_kernel+0x178/0x260
[  455.913366]
[  455.913586] The buggy address belongs to the variable:
[  455.914026]  kpti_safe_list.26846+0x18/0x1460
[  455.914382]
[  455.914606] Memory state around the buggy address:
[  455.915349]  ffff200008e3a880: 00 00 00 01 fa fa fa fa 00 00 04 fa fa fa fa fa
[  455.915942]  ffff200008e3a900: 03 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
[  455.916483] >ffff200008e3a980: 00 00 00 06 fa fa fa fa 00 00 00 fa fa fa fa fa
[  455.917077]                                                     ^
[  455.917539]  ffff200008e3aa00: 00 00 00 00 00 00 00 05 fa fa fa fa 00 00 00 00
[  455.918055]  ffff200008e3aa80: 00 00 00 00 03 fa fa fa fa fa fa fa 00 00 00 00
[  455.918579] ==================================================================

Issue is new with 4.17-rc. Can provide .config if needed. Device was qemu-system-aarch64.

Jan
* BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0
  2018-04-22 10:47 BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0 Jan Kiszka
@ 2018-04-22 19:06 ` Mark Rutland
  2018-04-23  5:00 ` Jan Kiszka
  0 siblings, 1 reply; 6+ messages in thread

From: Mark Rutland @ 2018-04-22 19:06 UTC (permalink / raw)
  To: linux-arm-kernel

On Sun, Apr 22, 2018 at 12:47:57PM +0200, Jan Kiszka wrote:
> Hi,
>
> this can be triggered simply by running
>
> # echo 0 > /sys/devices/system/cpu/cpu3/online
> # echo 1 > /sys/devices/system/cpu/cpu3/online
>
> [  455.904854] ==================================================================
> [  455.906108] BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0
> [  455.906668] Read of size 4 at addr ffff200008e3a9d8 by task swapper/3/0

It looks like we miss a sentinel in kpti_safe_list.

Does the below help?

Mark.

---->8----
From ade322407e3d6d1f50e558ebd50d2c1c7bd811c2 Mon Sep 17 00:00:00 2001
From: Mark Rutland <mark.rutland@arm.com>
Date: Sun, 22 Apr 2018 19:58:08 +0100
Subject: [PATCH] arm64: add sentinel to kpti_safe_list

We're missing a sentinel entry in kpti_safe_list. Thus is_midr_in_range_list()
can walk past the end of kpti_safe_list. Depending on the contents of memory,
this could erroneously match a CPU's MIDR, cause a data abort, or other bad
outcomes.

Add the sentinel entry to avoid this.

Fixes: be5b299830c63ed7 ("arm64: capabilities: Add support for checks based on a list of MIDRs")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reported-by: Jan Kiszka <jan.kiszka@web.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
---
 arch/arm64/kernel/cpufeature.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 536d572e5596..9d1b06d67c53 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -868,6 +868,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry, static const struct midr_range kpti_safe_list[] = { MIDR_ALL_VERSIONS(MIDR_CAVIUM_THUNDERX2), MIDR_ALL_VERSIONS(MIDR_BRCM_VULCAN), + { /* sentinel */ } }; char const *str = "command line option"; -- 2.11.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
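Review bot: the sentinel is the right fix for this table, but since the commit message says is_midr_in_range_list() only stops at a terminator, every other `struct midr_range[]` handed to that helper carries the same hazard; it is worth auditing the other tables that use it and considering a length-bounded walk (passing `ARRAY_SIZE()` alongside the table, or a wrapper macro that takes the array itself) so that a missing `{ }` cannot recur silently. The report offset corroborates the diagnosis: `kpti_safe_list+0x18` is exactly 2 * sizeof(struct midr_range) (three u32 fields), i.e. the `.model` load of a third entry that does not exist. Worth spelling out in the changelog that the non-KASAN failure mode is not only a data abort: a stray match here makes unmap_kernel_at_el0() treat the CPU as KPTI-safe, so the Meltdown mitigation would silently not be applied on that CPU.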
* BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0
  2018-04-22 19:06 ` Mark Rutland
@ 2018-04-23  5:00 ` Jan Kiszka
  2018-04-23 10:29 ` Mark Rutland
  0 siblings, 1 reply; 6+ messages in thread

From: Jan Kiszka @ 2018-04-23  5:00 UTC (permalink / raw)
  To: linux-arm-kernel

On 2018-04-22 21:06, Mark Rutland wrote:
> On Sun, Apr 22, 2018 at 12:47:57PM +0200, Jan Kiszka wrote:
>> Hi,
>>
>> this can be triggered simply by running
>>
>> # echo 0 > /sys/devices/system/cpu/cpu3/online
>> # echo 1 > /sys/devices/system/cpu/cpu3/online
>>
>> [  455.904854] ==================================================================
>> [  455.906108] BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0
>> [  455.906668] Read of size 4 at addr ffff200008e3a9d8 by task swapper/3/0
>
> It looks like we miss a sentinel in kpti_safe_list.
>
> Does the below help?
>
> Mark.
>
> ---->8----
> From ade322407e3d6d1f50e558ebd50d2c1c7bd811c2 Mon Sep 17 00:00:00 2001
> From: Mark Rutland <mark.rutland@arm.com>
> Date: Sun, 22 Apr 2018 19:58:08 +0100
> Subject: [PATCH] arm64: add sentinel to kpti_safe_list
>
> We're missing a sentinel entry in kpti_safe_list. Thus is_midr_in_range_list()
> can walk past the end of kpti_safe_list. Depending on the contents of memory,
> this could erroneously match a CPU's MIDR, cause a data abort, or other bad
> outcomes.
>
> Add the sentinel entry to avoid this.
>
> Fixes: be5b299830c63ed7 ("arm64: capabilities: Add support for checks based on a list of MIDRs")
> Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> Reported-by: Jan Kiszka <jan.kiszka@web.de>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
> Cc: Will Deacon <will.deacon@arm.com>
> ---
>  arch/arm64/kernel/cpufeature.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> index 536d572e5596..9d1b06d67c53 100644
> --- a/arch/arm64/kernel/cpufeature.c
> +++ b/arch/arm64/kernel/cpufeature.c > @@ -868,6 +868,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry, > static const struct midr_range kpti_safe_list[] = { > MIDR_ALL_VERSIONS(MIDR_CAVIUM_THUNDERX2), > MIDR_ALL_VERSIONS(MIDR_BRCM_VULCAN), > + { /* sentinel */ } > }; > char const *str = "command line option"; > > Jep, all fine now! Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: <http://lists.infradead.org/pipermail/linux-arm-kernel/attachments/20180423/362dbe8e/attachment.sig> ^ permalink raw reply [flat|nested] 6+ messages in thread
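The mechanism the patch description above spells out, as an added example that is not code from this thread or from the kernel tree: a userspace model of the sentinel-terminated MIDR walk, showing how an unterminated kpti_safe_list runs on into whatever table happens to follow it in .rodata and can report an unrelated CPU as KPTI-safe, and how the `{ /* sentinel */ }` entry stops it. The MIDR_EL1 field layout and the shape of the walk follow the kernel's; the implementer/part numbers (MIDR_VENDOR_X_SAFE and friends), the neighbouring table in `rodata_image` and the `list_is_terminated()` self-check are constructed for this example.

```c
/*
 * Added example (not from the thread or the kernel tree): a userspace model of
 * arm64's sentinel-terminated MIDR range walk, and of what happens when the
 * sentinel is missing.  Build: cc -Wall -Wextra -o midr_walk midr_walk.c
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* MIDR_EL1 layout: implementer[31:24] variant[23:20] arch[19:16] partnum[15:4] revision[3:0] */
#define MIDR_REVISION_MASK	0xfU
#define MIDR_PARTNUM_SHIFT	4
#define MIDR_PARTNUM_MASK	(0xfffU << MIDR_PARTNUM_SHIFT)
#define MIDR_ARCH_SHIFT		16
#define MIDR_ARCH_MASK		(0xfU << MIDR_ARCH_SHIFT)
#define MIDR_VARIANT_SHIFT	20
#define MIDR_VARIANT_MASK	(0xfU << MIDR_VARIANT_SHIFT)
#define MIDR_IMPL_SHIFT		24
#define MIDR_IMPL_MASK		(0xffU << MIDR_IMPL_SHIFT)

#define MIDR_CPU_MODEL_MASK	(MIDR_IMPL_MASK | MIDR_ARCH_MASK | MIDR_PARTNUM_MASK)
#define MIDR_CPU_MODEL(imp, part) \
	(((u32)(imp) << MIDR_IMPL_SHIFT) | (0xfU << MIDR_ARCH_SHIFT) | ((u32)(part) << MIDR_PARTNUM_SHIFT))
#define MIDR_CPU_VAR_REV(var, rev)	(((u32)(var) << MIDR_VARIANT_SHIFT) | (u32)(rev))

struct midr_range {
	u32 model;	/* 0 marks the end of a list */
	u32 rv_min;
	u32 rv_max;
};

#define MIDR_RANGE(m, v_min, r_min, v_max, r_max) \
	{ .model = (m), .rv_min = MIDR_CPU_VAR_REV(v_min, r_min), .rv_max = MIDR_CPU_VAR_REV(v_max, r_max) }
#define MIDR_ALL_VERSIONS(m)	MIDR_RANGE(m, 0, 0, 0xf, 0xf)

/* Constructed part numbers; the kernel's real MIDR constants are not reproduced here. */
#define MIDR_VENDOR_X_SAFE	MIDR_CPU_MODEL(0x43, 0x0a1)
#define MIDR_VENDOR_Y_SAFE	MIDR_CPU_MODEL(0x42, 0x516)
#define MIDR_VENDOR_Z_OTHER	MIDR_CPU_MODEL(0x41, 0xd08)

static bool is_midr_in_range(u32 midr, const struct midr_range *range)
{
	u32 model = midr & MIDR_CPU_MODEL_MASK;
	u32 rv = midr & (MIDR_REVISION_MASK | MIDR_VARIANT_MASK);

	return model == range->model && rv >= range->rv_min && rv <= range->rv_max;
}

/* Same shape as the kernel helper: the only stop condition is an entry with .model == 0. */
static bool is_midr_in_range_list(u32 midr, const struct midr_range *ranges)
{
	while (ranges->model)
		if (is_midr_in_range(midr, ranges++))
			return true;
	return false;
}

/*
 * Constructed stand-in for .rodata: the two real kpti_safe_list entries are
 * immediately followed by another table, matching the report's read at
 * kpti_safe_list+0x18 (= 2 * sizeof(struct midr_range)).  Keeping both in one
 * array lets the overrun be exercised without undefined behaviour.
 */
static const struct midr_range rodata_image[] = {
	MIDR_ALL_VERSIONS(MIDR_VENDOR_X_SAFE),	/* kpti_safe_list[0] */
	MIDR_ALL_VERSIONS(MIDR_VENDOR_Y_SAFE),	/* kpti_safe_list[1]; no sentinel follows */
	MIDR_ALL_VERSIONS(MIDR_VENDOR_Z_OTHER),	/* first entry of an unrelated table */
	{ /* that table's sentinel */ }
};
#define KPTI_SAFE_LIST_BUGGY_LEN	2
static const struct midr_range *kpti_safe_list_buggy = rodata_image;

/* The list as the patch leaves it: terminated. */
static const struct midr_range kpti_safe_list_fixed[] = {
	MIDR_ALL_VERSIONS(MIDR_VENDOR_X_SAFE),
	MIDR_ALL_VERSIONS(MIDR_VENDOR_Y_SAFE),
	{ /* sentinel */ }
};
#define ARRAY_SIZE(a)	(sizeof(a) / sizeof((a)[0]))

/* Mirrors the decision in unmap_kernel_at_el0(): a listed CPU is treated as not needing KPTI. */
static bool kpti_skipped_buggy(u32 midr)
{
	return is_midr_in_range_list(midr, kpti_safe_list_buggy);
}

static bool kpti_skipped_fixed(u32 midr)
{
	return is_midr_in_range_list(midr, kpti_safe_list_fixed);
}

/* Self-check over a table of known length: is a terminator present within it? */
static bool list_is_terminated(const struct midr_range *ranges, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (ranges[i].model == 0)
			return true;
	return false;
}

static bool buggy_list_terminated(void)
{
	return list_is_terminated(kpti_safe_list_buggy, KPTI_SAFE_LIST_BUGGY_LEN);
}

static bool fixed_list_terminated(void)
{
	return list_is_terminated(kpti_safe_list_fixed, ARRAY_SIZE(kpti_safe_list_fixed));
}

int main(void)
{
	/* A CPU from the unrelated table: not in kpti_safe_list, yet matched by the overrun. */
	u32 other = MIDR_VENDOR_Z_OTHER | MIDR_CPU_VAR_REV(1, 2);

	printf("unterminated list: KPTI skipped for unrelated CPU? %s\n",
	       kpti_skipped_buggy(other) ? "yes (bug)" : "no");
	printf("terminated list:   KPTI skipped for unrelated CPU? %s\n",
	       kpti_skipped_fixed(other) ? "yes" : "no");
	printf("terminator within the list's own entries: buggy=%d fixed=%d\n",
	       buggy_list_terminated(), fixed_list_terminated());
	return 0;
}
```

On a real kernel the overrun reads whatever global follows kpti_safe_list in .rodata, so the outcome depends on link order rather than on anything under the author's control; the `list_is_terminated()` check is the kind of guard that would have caught the missing entry before it shipped, and a length-bounded walk removes the failure mode altogether.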
* BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0
  2018-04-23  5:00 ` Jan Kiszka
@ 2018-04-23 10:29 ` Mark Rutland
  2018-04-23 10:33 ` Jan Kiszka
  0 siblings, 1 reply; 6+ messages in thread

From: Mark Rutland @ 2018-04-23 10:29 UTC (permalink / raw)
  To: linux-arm-kernel

On Mon, Apr 23, 2018 at 07:00:52AM +0200, Jan Kiszka wrote:
> On 2018-04-22 21:06, Mark Rutland wrote:
> > Does the below help?
>
> > From ade322407e3d6d1f50e558ebd50d2c1c7bd811c2 Mon Sep 17 00:00:00 2001
> > From: Mark Rutland <mark.rutland@arm.com>
> > Date: Sun, 22 Apr 2018 19:58:08 +0100
> > Subject: [PATCH] arm64: add sentinel to kpti_safe_list
> >
> > We're missing a sentinel entry in kpti_safe_list. Thus is_midr_in_range_list()
> > can walk past the end of kpti_safe_list. Depending on the contents of memory,
> > this could erroneously match a CPU's MIDR, cause a data abort, or other bad
> > outcomes.
> >
> > Add the sentinel entry to avoid this.
> >
> > Fixes: be5b299830c63ed7 ("arm64: capabilities: Add support for checks based on a list of MIDRs")
> > Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> > Reported-by: Jan Kiszka <jan.kiszka@web.de>
> > Cc: Catalin Marinas <catalin.marinas@arm.com>
> > Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
> > Cc: Will Deacon <will.deacon@arm.com>
> > ---
> >  arch/arm64/kernel/cpufeature.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
> > index 536d572e5596..9d1b06d67c53 100644
> > --- a/arch/arm64/kernel/cpufeature.c
> > +++ b/arch/arm64/kernel/cpufeature.c
> > @@ -868,6 +868,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry, > > static const struct midr_range kpti_safe_list[] = { > > MIDR_ALL_VERSIONS(MIDR_CAVIUM_THUNDERX2), > > MIDR_ALL_VERSIONS(MIDR_BRCM_VULCAN), > > + { /* sentinel */ } > > }; > > char const *str = "command line option"; > > > > > > Jep, all fine now! Cool. Can I take that as a Tested-by? Mark. ^ permalink raw reply [flat|nested] 6+ messages in thread
* BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0
  2018-04-23 10:29 ` Mark Rutland
@ 2018-04-23 10:33 ` Jan Kiszka
  2018-04-23 10:39 ` Mark Rutland
  0 siblings, 1 reply; 6+ messages in thread

From: Jan Kiszka @ 2018-04-23 10:33 UTC (permalink / raw)
  To: linux-arm-kernel

On 2018-04-23 12:29, Mark Rutland wrote:
> On Mon, Apr 23, 2018 at 07:00:52AM +0200, Jan Kiszka wrote:
>> On 2018-04-22 21:06, Mark Rutland wrote:
>
>>> Does the below help?
>
>>> From ade322407e3d6d1f50e558ebd50d2c1c7bd811c2 Mon Sep 17 00:00:00 2001
>>> From: Mark Rutland <mark.rutland@arm.com>
>>> Date: Sun, 22 Apr 2018 19:58:08 +0100
>>> Subject: [PATCH] arm64: add sentinel to kpti_safe_list
>>>
>>> We're missing a sentinel entry in kpti_safe_list. Thus is_midr_in_range_list()
>>> can walk past the end of kpti_safe_list. Depending on the contents of memory,
>>> this could erroneously match a CPU's MIDR, cause a data abort, or other bad
>>> outcomes.
>>>
>>> Add the sentinel entry to avoid this.
>>>
>>> Fixes: be5b299830c63ed7 ("arm64: capabilities: Add support for checks based on a list of MIDRs")
>>> Signed-off-by: Mark Rutland <mark.rutland@arm.com>
>>> Reported-by: Jan Kiszka <jan.kiszka@web.de>
>>> Cc: Catalin Marinas <catalin.marinas@arm.com>
>>> Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
>>> Cc: Will Deacon <will.deacon@arm.com>
>>> ---
>>>  arch/arm64/kernel/cpufeature.c | 1 +
>>>  1 file changed, 1 insertion(+)
>>>
>>> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
>>> index 536d572e5596..9d1b06d67c53 100644
>>> --- a/arch/arm64/kernel/cpufeature.c
>>> +++ b/arch/arm64/kernel/cpufeature.c
>>> @@ -868,6 +868,7 @@ static bool unmap_kernel_at_el0(const struct arm64_cpu_capabilities *entry, >>> static const struct midr_range kpti_safe_list[] = { >>> MIDR_ALL_VERSIONS(MIDR_CAVIUM_THUNDERX2), >>> MIDR_ALL_VERSIONS(MIDR_BRCM_VULCAN), >>> + { /* sentinel */ } >>> }; >>> char const *str = "command line option"; >>> >>> >> >> Jep, all fine now! > > Cool. Can I take that as a Tested-by? Yes, sorry: Tested-by: Jan Kiszka <jan.kiszka@siemens.com> Jan -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: <http://lists.infradead.org/pipermail/linux-arm-kernel/attachments/20180423/650bd2e9/attachment.sig> ^ permalink raw reply [flat|nested] 6+ messages in thread
* BUG: KASAN: global-out-of-bounds in unmap_kernel_at_el0+0x70/0x1a0
  2018-04-23 10:33 ` Jan Kiszka
@ 2018-04-23 10:39 ` Mark Rutland
  0 siblings, 0 replies; 6+ messages in thread

From: Mark Rutland @ 2018-04-23 10:39 UTC (permalink / raw)
  To: linux-arm-kernel

On Mon, Apr 23, 2018 at 12:33:17PM +0200, Jan Kiszka wrote:
> On 2018-04-23 12:29, Mark Rutland wrote:
> > On Mon, Apr 23, 2018 at 07:00:52AM +0200, Jan Kiszka wrote:
> >> On 2018-04-22 21:06, Mark Rutland wrote:
> >
> >>> Does the below help?

[...]

> >> Jep, all fine now!
> >
> > Cool. Can I take that as a Tested-by?
>
> Yes, sorry:
>
> Tested-by: Jan Kiszka <jan.kiszka@siemens.com>
>
> Jan

Cheers! I'll fix up the reported-by address likewise, and send this out as a patch.

Thanks,
Mark.