From patchwork Wed Sep 21 21:43:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chris Stillson X-Patchwork-Id: 1680856 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org; envelope-from=kvm-riscv-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=biMMxDha; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=rivosinc-com.20210112.gappssmtp.com header.i=@rivosinc-com.20210112.gappssmtp.com header.a=rsa-sha256 header.s=20210112 header.b=RhfYoTnr; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:3::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4MXsdD5DTzz1ypX for ; Thu, 22 Sep 2022 07:54:24 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=mryWvJovzq9y5YFqYStNf6pCCrl7Zn5G5TnbA5GBDDs=; b=biMMxDhak6NoOy S6+Dazr629F5YhpQ2B6NpFqKsZBgy5ZdRSFUqR+yPF+J7ew/xVdp5RlvFRlWu/v9xGoeHL1UjE7x9 UepHbZNAhJLXZts+/l5ziWdfVUtYPlhJjs9Uv6ByJ72lSpgys/HuO6cElEmoyIzadc/t94sSAu64d 9AXtyGJdeIiqUud6fNiCcBBEzIfAjWWZUhvnanr7TxCFr5UXsGVX49azCFAAVabiwo7RLsKshS4tU Wym9UH9jm8cBksjTAHLSCKus6PBqY5DXguFGdblAAMoeVVxf++9tYG9EJ5JFfNpQzyCLTGuZjJajR +tfjojZZdyTqay8Lq/Jw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1ob7fg-00CnRN-M4; Wed, 21 Sep 2022 21:54:20 +0000 Received: from mail-pg1-x536.google.com ([2607:f8b0:4864:20::536]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1ob7fd-00CnOu-Q5 for kvm-riscv@lists.infradead.org; Wed, 21 Sep 2022 21:54:19 +0000 Received: by mail-pg1-x536.google.com with SMTP id f193so7305589pgc.0 for ; Wed, 21 Sep 2022 14:54:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date; bh=LZQfptf+iYOUQ8McXiQWO1D3Z3+wk/s8KlPsiOQszMo=; b=RhfYoTnryrjb79R3/4iMGX9oI85rhi0a7dzTk51q64kz9gEqhe2p5ESqWV3tIBXz50 uGHQtxX7hluodH7zvyGl8al/gWSP/rTiT6N6TeglXZu4dAjFzTqPApL9AO9CQdZHoLPT ZyQUdJjpTJNhlFoKlRFyLC94IlojQaiPXHoRgQ7Kl3vH0RkKJ3hxasZgTptuNfEPgM7d LxLo3vHGhfKQ1HUb+0RtJcFF/CyWPEqZ2f36nxpQzhYo0AGUXXRGVljzrXu8rK1yYnA3 3R3d/8IC7JHkQlkuCchFxb9vFZPWuEFR7C8yAyp5FNKLD2jJVQe/FHZLeDc5U0fgX60n NsvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date; bh=LZQfptf+iYOUQ8McXiQWO1D3Z3+wk/s8KlPsiOQszMo=; b=syS4trxlJPDEUaypJuuOehqMQ/Q+pguV5tJr+/wADHzdWrxkcPx5NBADBpnVdDulYZ vWMjFInYgJ6vlClTIvnbJzApAVTa2ySIGynO4TmE2VeABlH1SHFFeVcalCLeiqic8QS2 qOEKRsZFjxXoXtC1g+PMpD/6luTppSK05Ql80O/FVQjirvwIKUcuwonU/imX6loPFIFE ndYlKH5Aa8gjgwTYivzRuDeHwpD6QtR/Iq+to1jGjvUs4X9JUYizceKoRh0X4TjMg5E4 6okg5G3sbPTxJS4nKUp5xWulXGqxVxNGDnDjtbeneksPdrqKMvcr9Ep+jWkRbpO0uaI2 VFWg== X-Gm-Message-State: ACrzQf0FUfHls7gifUFxpeQ+Ms2CmkJ486LqtmEQx6xGLxCx3YZWhHvB GvCYSEXqqmJG/BLmyQ8yORuTZA== X-Google-Smtp-Source: AMsMyM7qUvsQuumknYRC0jab4HbLRHrOOrTRgBYsQ9Z3D5uB1vAZBfsFyBHuw07wvdsd7OPncjzKyw== X-Received: by 2002:a62:17d1:0:b0:54d:87d5:249e with SMTP id 200-20020a6217d1000000b0054d87d5249emr381182pfx.14.1663797253833; Wed, 21 Sep 2022 14:54:13 -0700 (PDT) Received: from stillson.ba.rivosinc.com ([66.220.2.162]) by smtp.gmail.com with ESMTPSA id k7-20020aa79727000000b005484d133127sm2634536pfg.129.2022.09.21.14.54.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 21 Sep 2022 14:54:13 -0700 (PDT) From: Chris Stillson To: Cc: Greentime Hu , ShihPo Hung , Vincent Chen , Paul Walmsley , Palmer Dabbelt , Albert Ou , Eric Biederman , Kees Cook , Anup Patel , Atish Patra , Oleg Nesterov , Heinrich Schuchardt , Guo Ren , Chris Stillson , Mayuresh Chitale , Paolo Bonzini , Alexandre Ghiti , Qinglin Pan , Arnd Bergmann , Heiko Stuebner , Jisheng Zhang , Dao Lu , Sunil V L , Nick Knight , Han-Kuan Chen , Liao Chang , Changbin Du , Li Zhengyu , Ard Biesheuvel , Tsukasa OI , Yury Norov , Frederic Weisbecker , "Paul E. McKenney" , Mark Rutland , Vitaly Wool , Myrtle Shah , Catalin Marinas , Mark Brown , Will Deacon , Alexey Dobriyan , Huacai Chen , Janosch Frank , Christian Brauner , Evgenii Stepanov , Colin Cross , Eugene Syromiatnikov , Peter Collingbourne , Andrew Morton , Barret Rhoden , Suren Baghdasaryan , Davidlohr Bueso , linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, kvm@vger.kernel.org, kvm-riscv@lists.infradead.org Subject: [PATCH v12 14/17] riscv: Fix a kernel panic issue if $s2 is set to a specific value before entering Linux Date: Wed, 21 Sep 2022 14:43:56 -0700 Message-Id: <20220921214439.1491510-14-stillson@rivosinc.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220921214439.1491510-1-stillson@rivosinc.com> References: <20220921214439.1491510-1-stillson@rivosinc.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220921_145417_854539_0C3F35EA X-CRM114-Status: GOOD ( 18.89 ) X-Spam-Score: 0.0 (/) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Greentime Hu Panic log: [ 0.018707] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 0.023060] Oops [#1] [ 0.023214] Modules linked in: [ 0.023725] CPU: 0 PID: 0 Comm: swapper [...] Content analysis details: (0.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:536 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-BeenThere: kvm-riscv@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "kvm-riscv" Errors-To: kvm-riscv-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org From: Greentime Hu Panic log: [ 0.018707] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 0.023060] Oops [#1] [ 0.023214] Modules linked in: [ 0.023725] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.14.0 #33 [ 0.023955] Hardware name: SiFive,FU800 (DT) [ 0.024150] epc : __vstate_save+0x1c/0x48 [ 0.024654] ra : arch_dup_task_struct+0x70/0x108 [ 0.024815] epc : ffffffff80005ad8 ra : ffffffff800035a8 sp : ffffffff81203d50 [ 0.025020] gp : ffffffff812e8290 tp : ffffffff8120bdc0 t0 : 0000000000000000 [ 0.025216] t1 : 0000000000000000 t2 : 0000000000000000 s0 : ffffffff81203d80 [ 0.025424] s1 : ffffffff8120bdc0 a0 : ffffffff8120c820 a1 : 0000000000000000 [ 0.025659] a2 : 0000000000001000 a3 : 0000000000000000 a4 : 0000000000000600 [ 0.025869] a5 : ffffffff8120cdc0 a6 : ffffffe00160b400 a7 : ffffffff80a1fe60 [ 0.026069] s2 : ffffffe0016b8000 s3 : ffffffff81204000 s4 : 0000000000004000 [ 0.026267] s5 : 0000000000000000 s6 : ffffffe0016b8000 s7 : ffffffe0016b9000 [ 0.026475] s8 : ffffffff81203ee0 s9 : 0000000000800300 s10: ffffffff812e9088 [ 0.026689] s11: ffffffd004008000 t3 : 0000000000000000 t4 : 0000000000000100 [ 0.026900] t5 : 0000000000000600 t6 : ffffffe00167bcc4 [ 0.027057] status: 8000000000000720 badaddr: 0000000000000000 cause: 000000000000000f [ 0.027344] [] __vstate_save+0x1c/0x48 [ 0.027567] [] copy_process+0x266/0x11a0 [ 0.027739] [] kernel_clone+0x90/0x2aa [ 0.027915] [] kernel_thread+0x76/0x92 [ 0.028075] [] rest_init+0x26/0xfc [ 0.028242] [] arch_call_rest_init+0x10/0x18 [ 0.028423] [] start_kernel+0x5ce/0x5fe [ 0.029188] ---[ end trace 9a59af33f7ba3df4 ]--- [ 0.029479] Kernel panic - not syncing: Attempted to kill the idle task! [ 0.029907] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]--- The NULL pointer accessing caused the kernel panic. There is a NULL pointer is because in vstate_save() function it will check (regs->status & SR_VS) == SR_VS_DIRTY and this is true, but it shouldn't be true because vector is not used here. Since vector is not used, datap won't be allocated so it is NULL. The reason why regs->status is set to a wrong value is because pt_regs->status is put in stack and it is polluted after setup_vm() called. In prologue of setup_vm(), we can observe it will save s2 to stack however s2 is meaningless here because the caller is assembly code and s2 is just some value from previous stage. The compiler will base on calling convention to save the register to stack. Then 0x80008638 in s2 is saved to stack. It might be any value. In this failure case it is 0x80008638 and it will accidentally cause SR_VS_DIRTY to call the vstate_save() function. (gdb) info addr setup_vm Symbol "setup_vm" is a function at address 0xffffffff80802c8a. (gdb) va2pa 0xffffffff80802c8a $64 = 0x80a02c8a (gdb) x/10i 0x80a02c8a 0x80a02c8a: addi sp,sp,-48 0x80a02c8c: li a3,-1 0x80a02c8e: auipc a5,0xff7fd 0x80a02c92: addi a5,a5,882 0x80a02c96: sd s0,32(sp) 0x80a02c98: sd s2,16(sp) <-- store to stack After returning from setup_vm() (gdb) x/20i 0x0000000080201138 0x80201138: mv a0,s1 0x8020113a: auipc ra,0x802 0x8020113e: jalr -1200(ra) <-- jump to setup_vm() 0x80201142: auipc a0,0xa03 (gdb) p/x $sp $70 = 0x81404000 (gdb) p/x *(struct pt_regs*)($sp-0x120) $71 = { epc = 0x0, ra = 0x0, sp = 0x0, gp = 0x0, tp = 0x0, t0 = 0x0, t1 = 0x0, t2 = 0x0, s0 = 0x0, s1 = 0x0, a0 = 0x0, a1 = 0x0, a2 = 0x0, a3 = 0x81403f90, a4 = 0x80c04000, a5 = 0x1, a6 = 0xffffffff81337000, a7 = 0x81096700, s2 = 0x81400000, s3 = 0xffffffff81200000, s4 = 0x81403fd0, s5 = 0x80a02c6c, s6 = 0x8000000000006800, s7 = 0x0, s8 = 0xfffffffffffffff3, s9 = 0x80c01000, s10 = 0x81096700, s11 = 0x82200000, t3 = 0x81404000, t4 = 0x80a02dea, t5 = 0x0, t6 = 0x82200000, status = 0x80008638, <- Wrong value in stack!!! badaddr = 0x82200000, cause = 0x0, orig_a0 = 0x80201142 } (gdb) p/x $pc $72 = 0x80201142 (gdb) p/x sizeof(struct pt_regs) $73 = 0x120 Co-developed-by: ShihPo Hung Signed-off-by: ShihPo Hung Co-developed-by: Vincent Chen Signed-off-by: Vincent Chen Signed-off-by: Greentime Hu --- arch/riscv/kernel/head.S | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/riscv/kernel/head.S b/arch/riscv/kernel/head.S index 2c81ca42ec4e..c7effef23f41 100644 --- a/arch/riscv/kernel/head.S +++ b/arch/riscv/kernel/head.S @@ -301,6 +301,7 @@ clear_bss_done: la tp, init_task la sp, init_thread_union + THREAD_SIZE XIP_FIXUP_OFFSET sp + addi sp, sp, -PT_SIZE #ifdef CONFIG_BUILTIN_DTB la a0, __dtb_start XIP_FIXUP_OFFSET a0 @@ -318,6 +319,7 @@ clear_bss_done: /* Restore C environment */ la tp, init_task la sp, init_thread_union + THREAD_SIZE + addi sp, sp, -PT_SIZE #ifdef CONFIG_KASAN call kasan_early_init