From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 0E815C43334 for ; Fri, 17 Jun 2022 08:21:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=7Wq/m7TlfSq93eXqOpchyCpWfhxVSBtJ0ZsNx2xSq7s=; b=STK+PeWqRfvqNT AcpaqMMghuviEKlDnKvjAFhIyjujoq+trUwpfj6BvKXEOzYiV6w1kUYfwrh8Y2nKLvU74fLdgQLid 045PGrg3CxM/x5Cz9+oGYir9xJL1/GDcGnQaLI1j6R9iHuk76HjLlzSgcrqJsDb4hZWJG0jQ8HcQU iK4e7xIuhfbDBbCZvG2GMSBejz6uc95MP7vHZhCID1rYNGQxhTb0NRVbcLqLtlBXQ3tqR9f5ghbos pB2Lv1komAHZkGLBqHBnqQGwhPckCYJWH+ltmK1FjeRxU1vYm9UIxd4MurmMlCLkE2t2286EbLzEV lr/XGSxlsE4JllTt6K+A==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1o27D8-006GAn-F6; Fri, 17 Jun 2022 08:20:10 +0000 Received: from ams.source.kernel.org ([145.40.68.75]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1o27D2-006G6E-TW for linux-arm-kernel@lists.infradead.org; Fri, 17 Jun 2022 08:20:07 +0000 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 83470B827A5; Fri, 17 Jun 2022 08:20:00 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 63FCCC3411B; Fri, 17 Jun 2022 08:19:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1655453999; bh=E98ek2nAdjr2+1dOqswVNwmAjmNqZLUSnkA74Yi2Hdk=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=IoAJ8yqUpL4PW8mFre9W/ARVGh+cjwFG7I4N+Uqj4se+L/2W7RuLg82tkg4wVAoW+ EBPh9scg7wsMU0oGmwRBhqfFYxY0vsvP7+9YYecRMEre/4n1r8DTPuEQXT5mym/nbM SHCCOftaMBhC322Lft5RkiqBwdJYswmp0hZrcW298eqjzGMcMe79W1o2qfkq/IkUDU HGQkiSic5QyQcRiXS7Y3U/boS13lyVLRhzEnaEL5cSyKdekE3tr6kCa0ZRCFdpkhXn imwS9iwiwUirlaqrznkZ0SIVMyz8+GLuW61qkY4LFIgZioH8e5jXS+EmH1zliiw9SX JvXkp9UJoVwnQ== Date: Fri, 17 Jun 2022 11:19:49 +0300 From: Mike Rapoport To: Quentin Perret Cc: Marc Zyngier , James Morse , Alexandru Elisei , Suzuki K Poulose , Catalin Marinas , Will Deacon , linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, kernel-team@android.com Subject: Re: [PATCH] KVM: arm64: Prevent kmemleak from accessing pKVM memory Message-ID: References: <20220616161135.3997786-1-qperret@google.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20220616161135.3997786-1-qperret@google.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220617_012005_310921_DB348FBD X-CRM114-Status: GOOD ( 28.95 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Thu, Jun 16, 2022 at 04:11:34PM +0000, Quentin Perret wrote: > Commit a7259df76702 ("memblock: make memblock_find_in_range method > private") changed the API using which memory is reserved for the pKVM > hypervisor. However, it seems that memblock_phys_alloc() differs > from the original API in terms of kmemleak semantics -- the old one > excluded the reserved regions from kmemleak scans when the new one > doesn't seem to. Unfortunately, when protected KVM is enabled, all I'd rather say that memblock_find_in_range() didn't inform kmemleak about the reserved regions, while memblock_phys_alloc() does. > kernel accesses to pKVM-private memory result in a fatal exception, > which can now happen because of kmemleak scans: > > $ echo scan > /sys/kernel/debug/kmemleak > [ 34.991354] kvm [304]: nVHE hyp BUG at: [] __kvm_nvhe_handle_host_mem_abort+0x270/0x290! > [ 34.991580] kvm [304]: Hyp Offset: 0xfffe8be807e00000 > [ 34.991813] Kernel panic - not syncing: HYP panic: > [ 34.991813] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800 > [ 34.991813] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000 > [ 34.991813] VCPU:0000000000000000 > [ 34.993660] CPU: 0 PID: 304 Comm: bash Not tainted 5.19.0-rc2 #102 > [ 34.994059] Hardware name: linux,dummy-virt (DT) > [ 34.994452] Call trace: > [ 34.994641] dump_backtrace.part.0+0xcc/0xe0 > [ 34.994932] show_stack+0x18/0x6c > [ 34.995094] dump_stack_lvl+0x68/0x84 > [ 34.995276] dump_stack+0x18/0x34 > [ 34.995484] panic+0x16c/0x354 > [ 34.995673] __hyp_pgtable_total_pages+0x0/0x60 > [ 34.995933] scan_block+0x74/0x12c > [ 34.996129] scan_gray_list+0xd8/0x19c > [ 34.996332] kmemleak_scan+0x2c8/0x580 > [ 34.996535] kmemleak_write+0x340/0x4a0 > [ 34.996744] full_proxy_write+0x60/0xbc > [ 34.996967] vfs_write+0xc4/0x2b0 > [ 34.997136] ksys_write+0x68/0xf4 > [ 34.997311] __arm64_sys_write+0x20/0x2c > [ 34.997532] invoke_syscall+0x48/0x114 > [ 34.997779] el0_svc_common.constprop.0+0x44/0xec > [ 34.998029] do_el0_svc+0x2c/0xc0 > [ 34.998205] el0_svc+0x2c/0x84 > [ 34.998421] el0t_64_sync_handler+0xf4/0x100 > [ 34.998653] el0t_64_sync+0x18c/0x190 > [ 34.999252] SMP: stopping secondary CPUs > [ 35.000034] Kernel Offset: disabled > [ 35.000261] CPU features: 0x800,00007831,00001086 > [ 35.000642] Memory Limit: none > [ 35.001329] ---[ end Kernel panic - not syncing: HYP panic: > [ 35.001329] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800 > [ 35.001329] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000 > [ 35.001329] VCPU:0000000000000000 ]--- > > Fix this by explicitly excluding the hypervisor's memory pool from > kmemleak like we already do for the hyp BSS. > > Cc: Mike Rapoport > Fixes: a7259df76702 ("memblock: make memblock_find_in_range method private") > Signed-off-by: Quentin Perret > --- > An alternative could be to actually exclude memory allocated using > memblock_phys_alloc_range() from kmemleak scans to revert back to the > old behaviour. This would be wrong because memblock_phys_alloc() does allocate memory and unless there is a good reason to exclude it from kmemleak. > But nobody else has complained about this AFAIK, so I'd be inclined to > keep this local to pKVM. No strong opinion. Yes, please :) An alternative to excluding this memory from kmemleak is to allocate it using memblock_phys_alloc_range(size, align, 0, MEMBLOCK_ALLOC_NOLEAKTRACE) then it won't be added to kmemleak at the first place. > --- > arch/arm64/kvm/arm.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c > index 400bb0fe2745..28765bd22efb 100644 > --- a/arch/arm64/kvm/arm.c > +++ b/arch/arm64/kvm/arm.c > @@ -2110,11 +2110,11 @@ static int finalize_hyp_mode(void) > return 0; > > /* > - * Exclude HYP BSS from kmemleak so that it doesn't get peeked > - * at, which would end badly once the section is inaccessible. > - * None of other sections should ever be introspected. > + * Exclude HYP sections from kmemleak so that they don't get peeked > + * at, which would end badly once inaccessible. > */ > kmemleak_free_part(__hyp_bss_start, __hyp_bss_end - __hyp_bss_start); > + kmemleak_free_part(__va(hyp_mem_base), hyp_mem_size); > return pkvm_drop_host_privileges(); > } > > -- > 2.36.1.476.g0c4daa206d-goog > -- Sincerely yours, Mike. _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel