mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
linux/arch/powerpc/lib
Christophe Leroy d262a192d3 powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC
Erhard reported the following KASAN hit while booting his PowerMac G4
with a KASAN-enabled kernel 6.13-rc6:

  BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8
  Write of size 8 at addr f1000000 by task chronyd/1293

  CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G        W          6.13.0-rc6-PMacG4 #2
  Tainted: [W]=WARN
  Hardware name: PowerMac3,6 7455 0x80010303 PowerMac
  Call Trace:
  [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)
  [c24375b0] [c0504998] print_report+0xdc/0x504
  [c2437610] [c050475c] kasan_report+0xf8/0x108
  [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c
  [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8
  [c24376c0] [c004c014] patch_instructions+0x15c/0x16c
  [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c
  [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac
  [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec
  [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478
  [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14
  [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4
  [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890
  [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420
  [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c
  --- interrupt: c00 at 0x5a1274
  NIP:  005a1274 LR: 006a3b3c CTR: 005296c8
  REGS: c2437f40 TRAP: 0c00   Tainted: G        W           (6.13.0-rc6-PMacG4)
  MSR:  0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI>  CR: 24004422  XER: 00000000

  GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932
  GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57
  GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002
  GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001
  NIP [005a1274] 0x5a1274
  LR [006a3b3c] 0x6a3b3c
  --- interrupt: c00

  The buggy address belongs to the virtual mapping at
   [f1000000, f1002000) created by:
   text_area_cpu_up+0x20/0x190

  The buggy address belongs to the physical page:
  page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30
  flags: 0x80000000(zone=2)
  raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001
  raw: 00000000
  page dumped because: kasan: bad access detected

  Memory state around the buggy address:
   f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
             ^
   f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  ==================================================================

f8 corresponds to KASAN_VMALLOC_INVALID, which means the area is not
initialised and hence not supposed to be used yet.

Powerpc text patching infrastructure allocates a virtual memory area
using get_vm_area() and flags it as VM_ALLOC. But that flag is meant
to be used for vmalloc(), and vmalloc()-allocated memory is not
supposed to be used before a call to __vmalloc_node_range(), which is
never called for that area.

That went undetected until commit e4137f0881 ("mm, kasan, kmsan:
instrument copy_from/to_kernel_nofault").

The area allocated by text_area_cpu_up() is not vmalloc memory; it is
mapped directly on demand when needed by map_kernel_page(). There is
no VM flag corresponding to such usage, so just pass no flag. That way
the area will be unpoisoned and usable immediately.

Reported-by: Erhard Furtner <erhard_f@mailbox.org>
Closes: https://lore.kernel.org/all/20250112135832.57c92322@yea/
Fixes: 37bc3e5fd7 ("powerpc/lib/code-patching: Use alternate map for patch_instruction()")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/06621423da339b374f48c0886e3a5db18e896be8.1739342693.git.christophe.leroy@csgroup.eu
2025-02-12 14:38:13 +05:30
checksum_32.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
checksum_64.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
checksum_wrappers.c net: unexport csum_and_copy_{from,to}_user 2022-04-29 14:37:59 -07:00
code-patching.c powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC 2025-02-12 14:38:13 +05:30
copy_32.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
copy_mc_64.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
copypage_64.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
copypage_power7.S powerpc/64s: Move dcbt/dcbtst sequence into a macro 2024-03-03 23:05:21 +11:00
copyuser_64.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
copyuser_power7.S powerpc/64s: Move dcbt/dcbtst sequence into a macro 2024-03-03 23:05:21 +11:00
crc32-glue.c powerpc/crc32: expose CRC32 functions through lib 2024-12-01 17:23:01 -08:00
crc32-vpmsum_core.S powerpc/crc32: expose CRC32 functions through lib 2024-12-01 17:23:01 -08:00
crc32c-vpmsum_asm.S powerpc/crc32: expose CRC32 functions through lib 2024-12-01 17:23:01 -08:00
crc-t10dif-glue.c powerpc/crc-t10dif: expose CRC-T10DIF function through lib 2024-12-01 17:23:13 -08:00
crct10dif-vpmsum_asm.S powerpc/crc-t10dif: expose CRC-T10DIF function through lib 2024-12-01 17:23:13 -08:00
crtsavres.S powerpc/vdso32: Fix use of crtsavres for PPC64 2024-09-20 19:06:19 +10:00
div64.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
error-inject.c powerpc/64s: avoid reloading (H)SRR registers if they are still valid 2021-06-25 00:06:55 +10:00
feature-fixups-test.S powerpc: Test prefixed instructions in feature fixups 2020-05-19 00:11:02 +10:00
feature-fixups.c asm-generic: introduce text-patching.h 2024-11-07 14:25:15 -08:00
hweight_64.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
ldstfp.S powerpc updates for 5.3 2019-07-13 16:08:36 -07:00
locks.c powerpc/pseries: Move some PAPR paravirt functions to their own file 2020-07-26 23:34:26 +10:00
Makefile powerpc/crc-t10dif: expose CRC-T10DIF function through lib 2024-12-01 17:23:13 -08:00
mem_64.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
memcmp_32.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
memcmp_64.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
memcpy_64.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
memcpy_power7.S powerpc/64s: Move dcbt/dcbtst sequence into a macro 2024-03-03 23:05:21 +11:00
pmem.c powerpc: Remove memcpy_page_flushcache() 2023-03-29 23:53:02 +11:00
qspinlock.c powerpc/qspinlock: Fix deadlock in MCS queue 2024-08-29 15:12:51 +10:00
quad.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
restart_table.c powerpc/64s: add a table of implicit soft-masked addresses 2021-06-30 22:21:20 +10:00
rheap.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
sstep.c powerpc/sstep: make emulate_vsx_load and emulate_vsx_store static 2024-11-14 14:17:36 +11:00
string_32.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
string_64.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
string.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
strlen_32.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
test_emulate_step_exec_instr.S powerpc: add definition for pt_regs offset within an interrupt frame 2022-12-02 17:54:08 +11:00
test_emulate_step.c asm-generic: introduce text-patching.h 2024-11-07 14:25:15 -08:00
test-code-patching.c asm-generic: introduce text-patching.h 2024-11-07 14:25:15 -08:00
vmx-helper.c powerpc: Large user copy aware of full:rt:lazy preemption 2024-12-19 14:21:08 +05:30
xor_vmx_glue.c lib/xor: make xor prototypes more friendly to compiler vectorization 2022-02-11 20:39:39 +11:00
xor_vmx.c lib/xor: make xor prototypes more friendly to compiler vectorization 2022-02-11 20:39:39 +11:00
xor_vmx.h lib/xor: make xor prototypes more friendly to compiler vectorization 2022-02-11 20:39:39 +11:00