mirror of
https://github.com/torvalds/linux.git
synced 2026-05-30 10:04:04 +02:00
38e989d504
The kexec sequence invokes enter_vmx_ops() via copy_page() with the MMU
disabled. In this context, code must not rely on normal virtual address
translations or trigger page faults.
With KASAN enabled, functions get instrumented and may access shadow
memory using regular address translation. When executed with the MMU
off, this can lead to page faults (bad_page_fault) from which the
kernel cannot recover in the kexec path, resulting in a hang.
The kexec path sets preempt_count to HARDIRQ_OFFSET before entering
the MMU-off copy sequence.
current_thread_info()->preempt_count = HARDIRQ_OFFSET
kexec_sequence(..., copy_with_mmu_off = 1)
-> kexec_copy_flush(image)
copy_segments()
-> copy_page(dest, addr)
bl enter_vmx_ops()
if (in_interrupt())
return 0
beq .Lnonvmx_copy
Since kexec sets preempt_count to HARDIRQ_OFFSET, in_interrupt()
evaluates to true and enter_vmx_ops() returns early.
As in_interrupt() (and preempt_count()) are always inlined, mark
enter_vmx_ops() with __no_sanitize_address to avoid KASAN
instrumentation and shadow memory access with MMU disabled, helping
kexec boot fine with KASAN enabled.
Reported-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Tested-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20260407124349.1698552-2-sourabhjain@linux.ibm.com
85 lines
2.1 KiB
C
85 lines
2.1 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
*
|
|
* Copyright (C) IBM Corporation, 2011
|
|
*
|
|
* Authors: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
|
|
* Anton Blanchard <anton@au.ibm.com>
|
|
*/
|
|
#include <linux/uaccess.h>
|
|
#include <linux/hardirq.h>
|
|
#include <asm/switch_to.h>
|
|
|
|
int enter_vmx_usercopy(void)
|
|
{
|
|
if (in_interrupt())
|
|
return 0;
|
|
|
|
preempt_disable();
|
|
/*
|
|
* We need to disable page faults as they can call schedule and
|
|
* thus make us lose the VMX context. So on page faults, we just
|
|
* fail which will cause a fallback to the normal non-vmx copy.
|
|
*/
|
|
pagefault_disable();
|
|
|
|
enable_kernel_altivec();
|
|
|
|
return 1;
|
|
}
|
|
EXPORT_SYMBOL(enter_vmx_usercopy);
|
|
|
|
/*
|
|
* This function must return 0 because we tail call optimise when calling
|
|
* from __copy_tofrom_user_power7 which returns 0 on success.
|
|
*/
|
|
int exit_vmx_usercopy(void)
|
|
{
|
|
disable_kernel_altivec();
|
|
pagefault_enable();
|
|
preempt_enable_no_resched();
|
|
/*
|
|
* Must never explicitly call schedule (including preempt_enable())
|
|
* while in a kuap-unlocked user copy, because the AMR register will
|
|
* not be saved and restored across context switch. However preempt
|
|
* kernels need to be preempted as soon as possible if need_resched is
|
|
* set and we are preemptible. The hack here is to schedule a
|
|
* decrementer to fire here and reschedule for us if necessary.
|
|
*/
|
|
if (need_irq_preemption() && need_resched())
|
|
set_dec(1);
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(exit_vmx_usercopy);
|
|
|
|
/*
|
|
* Can be called from kexec copy_page() path with MMU off. The kexec
|
|
* code sets preempt_count to HARDIRQ_OFFSET so we return early here.
|
|
* Since in_interrupt() is always inline, __no_sanitize_address on this
|
|
* function is sufficient to avoid KASAN shadow memory accesses in real
|
|
* mode.
|
|
*/
|
|
int __no_sanitize_address enter_vmx_ops(void)
|
|
{
|
|
if (in_interrupt())
|
|
return 0;
|
|
|
|
preempt_disable();
|
|
|
|
enable_kernel_altivec();
|
|
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
* All calls to this function will be optimised into tail calls. We are
|
|
* passed a pointer to the destination which we return as required by a
|
|
* memcpy implementation.
|
|
*/
|
|
void *exit_vmx_ops(void *dest)
|
|
{
|
|
disable_kernel_altivec();
|
|
preempt_enable();
|
|
return dest;
|
|
}
|