From patchwork Thu Jun 16 16:11:34 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Quentin Perret <qperret@google.com>
X-Patchwork-Id: 12884419
Return-Path: 
 <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id F3FD5CCA47E
	for <linux-arm-kernel@archiver.kernel.org>;
 Thu, 16 Jun 2022 16:13:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:Mime-Version:
	Message-Id:Date:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Owner; bh=Rh27CGWDZd9d7AzmaBipRb3muST7e6j9l35Of+91gfY=; b=yV+
	t45/VZOCF+25JdsaECw/cWyW6uphczbMC7jYKD64R74n9/OVmkIR7CxNGcru/S4X5wqc7DushcbgN
	0ufzzrubHuu5R3sa4OKxnsqp7gvo9wKVOk5w9liiZpZOZzu1un1iNPUynfXrcntw7PFaHU86/0Qql
	hbW8ulMsAI7ziapGkJf5L9DxpncdvEiIQLG1QAazIQ9RPWwnnBDDFhQVQKBlg6Ufe5H0zp5CjaEtT
	jN+5M66q3Ej3ealDSo9OicTiPff8dYeheZr92bjqo+E+yguV4V5qhMid+XvE69dOSDS2WjHjkM8aT
	ZhMlAm6YdFHYZ9v9rJD86PVv3GWn4pw==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1o1s67-003Ltm-T9; Thu, 16 Jun 2022 16:11:56 +0000
Received: from mail-ed1-x549.google.com ([2a00:1450:4864:20::549])
	by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
	id 1o1s64-003LsV-Bn
	for linux-arm-kernel@lists.infradead.org; Thu, 16 Jun 2022 16:11:53 +0000
Received: by mail-ed1-x549.google.com with SMTP id
 k21-20020aa7d2d5000000b0042dcac48313so1582867edr.8
        for <linux-arm-kernel@lists.infradead.org>;
 Thu, 16 Jun 2022 09:11:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=date:message-id:mime-version:subject:from:to:cc;
        bh=53//JyvI45ZhwbUaM5uI0kPNiTUxNDMI3+JeoQXZ8o4=;
        b=YgpKtggqxPMZqdyyNy5TZOKq4v/ZgAECTvJ9MUecexDW7VvvT/w53ZVEE1L8h1ljgA
         rF8olp37wfa9wFih1WFnBZ+HI8k6qsV9QtM1zFqWO3fBuZJlzjg8ZeDcS7Jwk7KKFaxr
         tDvZ5SBedshvVjQaM7oU+wvmyR7dkRmB/QEv25Kzy6Y+rq6LTQcmP8wLISO8rL3ZPbJI
         L3ILQ6/mB3poFIegOBnB9wehUIGiEb6OU5/TRDQMCn+r9I4AoNOwcwYhiYz+D1uYCkME
         HyB/56mgBp1v1JZ5bxZUgyX4IgUMrqHgDuWztE2VIsjq3Xfqig80uGG0Pkubud9kzSKT
         z/EQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc;
        bh=53//JyvI45ZhwbUaM5uI0kPNiTUxNDMI3+JeoQXZ8o4=;
        b=P9FWTj/0X8PieLwynV4GA++baVp8BGCCwNlNfrI0zOE+li22KdK4kLcff3pGLKYes5
         tyiCMToOB6P3fa8GHeZt0DgNmdgRSk4BrdflTcoGUr29idPp0m0kfTKLlGuSaLwIMemb
         hGLHcHK4ZUEnNskDbxiQSbMxrdeESKP2tDSudARsGIKdF8W9pvqUFAW8EI4/WYLWfiGn
         yS5X1s1rSlJw+vXP3Qr1FWfGZTS+/SOdtXTcqhNeyrFrURzp652JiAzFZB+0y4dvz3Ym
         oMFhZeKuAk42pWGhC4oM1e7gbBrvNoF/FcOl6//LOb8ZzGU8Bvhvfl6DC7cHnr/JYiis
         Fb1A==
X-Gm-Message-State: AJIora8WqosiJfSo/t1XUI7HpV6Z/bLlFZslbo7TveKZYEA/5YBq3CYj
	moe5HiHinUgnappX5Fkdf8Un2ffC5/rQ
X-Google-Smtp-Source: 
 AGRyM1shbif9S6Mz6+yjtQNX+yEPvvRmNV8IC5CdS/u7h9fH5JA9mbef03f62M/UBtxMzozBWEg/+vCZQHch
X-Received: from big-boi.c.googlers.com
 ([fda3:e722:ac3:cc00:31:98fb:c0a8:129])
 (user=qperret job=sendgmr) by 2002:a17:906:5d08:b0:6ff:8ed:db63 with SMTP id
 g8-20020a1709065d0800b006ff08eddb63mr5100969ejt.408.1655395908950; Thu, 16
 Jun 2022 09:11:48 -0700 (PDT)
Date: Thu, 16 Jun 2022 16:11:34 +0000
Message-Id: <20220616161135.3997786-1-qperret@google.com>
Mime-Version: 1.0
X-Mailer: git-send-email 2.36.1.476.g0c4daa206d-goog
Subject: [PATCH] KVM: arm64: Prevent kmemleak from accessing pKVM memory
From: Quentin Perret <qperret@google.com>
To: Marc Zyngier <maz@kernel.org>, James Morse <james.morse@arm.com>,
	Alexandru Elisei <alexandru.elisei@arm.com>,
 Suzuki K Poulose <suzuki.poulose@arm.com>,
	Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>,
	linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu,
	linux-kernel@vger.kernel.org
Cc: kernel-team@android.com, Quentin Perret <qperret@google.com>,
	Mike Rapoport <rppt@kernel.org>
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20220616_091152_441510_D0FE7D05 
X-CRM114-Status: GOOD (  14.98  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

Commit a7259df76702 ("memblock: make memblock_find_in_range method
private") changed the API using which memory is reserved for the pKVM
hypervisor. However, it seems that memblock_phys_alloc() differs
from the original API in terms of kmemleak semantics -- the old one
excluded the reserved regions from kmemleak scans when the new one
doesn't seem to. Unfortunately, when protected KVM is enabled, all
kernel accesses to pKVM-private memory result in a fatal exception,
which can now happen because of kmemleak scans:

$ echo scan > /sys/kernel/debug/kmemleak
[   34.991354] kvm [304]: nVHE hyp BUG at: [<ffff800008fa3750>] __kvm_nvhe_handle_host_mem_abort+0x270/0x290!
[   34.991580] kvm [304]: Hyp Offset: 0xfffe8be807e00000
[   34.991813] Kernel panic - not syncing: HYP panic:
[   34.991813] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800
[   34.991813] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000
[   34.991813] VCPU:0000000000000000
[   34.993660] CPU: 0 PID: 304 Comm: bash Not tainted 5.19.0-rc2 #102
[   34.994059] Hardware name: linux,dummy-virt (DT)
[   34.994452] Call trace:
[   34.994641]  dump_backtrace.part.0+0xcc/0xe0
[   34.994932]  show_stack+0x18/0x6c
[   34.995094]  dump_stack_lvl+0x68/0x84
[   34.995276]  dump_stack+0x18/0x34
[   34.995484]  panic+0x16c/0x354
[   34.995673]  __hyp_pgtable_total_pages+0x0/0x60
[   34.995933]  scan_block+0x74/0x12c
[   34.996129]  scan_gray_list+0xd8/0x19c
[   34.996332]  kmemleak_scan+0x2c8/0x580
[   34.996535]  kmemleak_write+0x340/0x4a0
[   34.996744]  full_proxy_write+0x60/0xbc
[   34.996967]  vfs_write+0xc4/0x2b0
[   34.997136]  ksys_write+0x68/0xf4
[   34.997311]  __arm64_sys_write+0x20/0x2c
[   34.997532]  invoke_syscall+0x48/0x114
[   34.997779]  el0_svc_common.constprop.0+0x44/0xec
[   34.998029]  do_el0_svc+0x2c/0xc0
[   34.998205]  el0_svc+0x2c/0x84
[   34.998421]  el0t_64_sync_handler+0xf4/0x100
[   34.998653]  el0t_64_sync+0x18c/0x190
[   34.999252] SMP: stopping secondary CPUs
[   35.000034] Kernel Offset: disabled
[   35.000261] CPU features: 0x800,00007831,00001086
[   35.000642] Memory Limit: none
[   35.001329] ---[ end Kernel panic - not syncing: HYP panic:
[   35.001329] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800
[   35.001329] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000
[   35.001329] VCPU:0000000000000000 ]---

Fix this by explicitly excluding the hypervisor's memory pool from
kmemleak like we already do for the hyp BSS.

Cc: Mike Rapoport <rppt@kernel.org>
Fixes: a7259df76702 ("memblock: make memblock_find_in_range method private")
Signed-off-by: Quentin Perret <qperret@google.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
---
An alternative could be to actually exclude memory allocated using
memblock_phys_alloc_range() from kmemleak scans to revert back to the
old behaviour. But nobody else has complained about this AFAIK, so I'd
be inclined to keep this local to pKVM. No strong opinion.
---
 arch/arm64/kvm/arm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
index 400bb0fe2745..28765bd22efb 100644
--- a/arch/arm64/kvm/arm.c
+++ b/arch/arm64/kvm/arm.c
@@ -2110,11 +2110,11 @@ static int finalize_hyp_mode(void)
 		return 0;
 
 	/*
-	 * Exclude HYP BSS from kmemleak so that it doesn't get peeked
-	 * at, which would end badly once the section is inaccessible.
-	 * None of other sections should ever be introspected.
+	 * Exclude HYP sections from kmemleak so that they don't get peeked
+	 * at, which would end badly once inaccessible.
 	 */
 	kmemleak_free_part(__hyp_bss_start, __hyp_bss_end - __hyp_bss_start);
+	kmemleak_free_part(__va(hyp_mem_base), hyp_mem_size);
 	return pkvm_drop_host_privileges();
 }