github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-07 14:04:54 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
6fbdea5772
linux/kernel
History
Yee Lee d788d16fed FROMGIT: scs: Release kasan vmalloc poison in scs_free process 
Since scs allocation is moved to vmalloc region, the
shadow stack is protected by kasan_posion_vmalloc.
However, the vfree_atomic operation needs to access
its context for scs_free process and causes kasan error
as the dump info below.

This patch Adds kasan_unpoison_vmalloc() before vfree_atomic,
which aligns to the prior flow as using kmem_cache.
The vmalloc region will go back posioned in the following
vumap() operations.

 ==================================================================
 BUG: KASAN: vmalloc-out-of-bounds in llist_add_batch+0x60/0xd4
 Write of size 8 at addr ffff8000100b9000 by task kthreadd/2

 CPU: 0 PID: 2 Comm: kthreadd Not tainted 5.15.0-rc2-11681-g92477dd1faa6-dirty #1
 Hardware name: linux,dummy-virt (DT)
 Call trace:
  dump_backtrace+0x0/0x43c
  show_stack+0x1c/0x2c
  dump_stack_lvl+0x68/0x84
  print_address_description+0x80/0x394
  kasan_report+0x180/0x1dc
  __asan_report_store8_noabort+0x48/0x58
  llist_add_batch+0x60/0xd4
  vfree_atomic+0x60/0xe0
  scs_free+0x1dc/0x1fc
  scs_release+0xa4/0xd4
  free_task+0x30/0xe4
  __put_task_struct+0x1ec/0x2e0
  delayed_put_task_struct+0x5c/0xa0
  rcu_do_batch+0x62c/0x8a0
  rcu_core+0x60c/0xc14
  rcu_core_si+0x14/0x24
  __do_softirq+0x19c/0x68c
  irq_exit+0x118/0x2dc
  handle_domain_irq+0xcc/0x134
  gic_handle_irq+0x7c/0x1bc
  call_on_irq_stack+0x40/0x70
  do_interrupt_handler+0x78/0x9c
  el1_interrupt+0x34/0x60
  el1h_64_irq_handler+0x1c/0x2c
  el1h_64_irq+0x78/0x7c
  _raw_spin_unlock_irqrestore+0x40/0xcc
  sched_fork+0x4f0/0xb00
  copy_process+0xacc/0x3648
  kernel_clone+0x168/0x534
  kernel_thread+0x13c/0x1b0
  kthreadd+0x2bc/0x400
  ret_from_fork+0x10/0x20

 Memory state around the buggy address:
  ffff8000100b8f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  ffff8000100b8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 >ffff8000100b9000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                    ^
  ffff8000100b9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  ffff8000100b9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ==================================================================

Bug: 201711661
(cherry picked from commit 528a4ab453
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/ for-next/scs)
Change-Id: I0980e9df3fdff37ebfb9f873174d60f30c00230a
Suggested-by: Kuan-Ying Lee <kuan-ying.lee@mediatek.com>
Acked-by: Will Deacon <will@kernel.org>
Tested-by: Will Deacon <will@kernel.org>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Yee Lee <yee.lee@mediatek.com>
Fixes: a2abe7cbd8 ("scs: switch to vmapped shadow stacks")
Link: https://lore.kernel.org/r/20210930081619.30091-1-yee.lee@mediatek.com
Signed-off-by: Will Deacon <will@kernel.org>
2021-10-04 15:44:53 +00:00
..
bpf ANDROID: syscall_check: add vendor hook for bpf syscall 2021-07-09 13:48:53 +00:00
cgroup ANDROID: Export memcg functions to allow module to add new files 2021-07-12 18:53:29 +00:00
configs
debug kgdb: fix to kill breakpoints on initmem after boot 2021-03-04 11:38:46 +01:00
dma UPSTREAM: swiotlb: manipulate orig_addr when tlb_addr has offset 2021-07-06 16:30:01 +00:00
entry x86/entry: Move nmi entry/exit into common code 2021-03-17 17:06:36 +01:00
events Merge 5.10.36 into android12-5.10 2021-05-13 14:22:11 +02:00
gcov gcov: re-fix clang-11+ support 2021-04-14 08:41:58 +02:00
irq FROMGIT: irqdomain: Export irq_domain_disconnect_hierarchy() 2021-08-25 00:41:42 +00:00
kcsan kcsan: Fix debugfs initcall return type 2021-05-26 12:06:54 +02:00
livepatch kernel/: fix repeated words in comments 2020-10-16 11:11:19 -07:00
locking Merge 5.10.40 into android12-5.10 2021-05-27 08:36:46 +02:00
power ANDROID: power: Add vendor hook to qos for GKI purpose. 2021-06-23 14:36:23 +00:00
printk ANDROID: logbuf: Add new logbuf vendor hook to support pr_cont() 2021-06-29 17:25:52 +00:00
rcu FROMGIT: rcu: Fix stall-warning deadlock due to non-release of rcu_node ->lock 2021-08-18 15:05:21 +00:00
sched ANDROID: scheduler: export task_sched_runtime 2021-08-16 20:48:25 +00:00
time FROMGIT: timer_list: Print name of per-cpu wakeup device 2021-06-04 18:33:43 +01:00
trace UPSTREAM: tracing: Fix NULL pointer dereference in start_creating 2021-09-20 19:02:31 +05:30
.gitignore kbuild: update config_data.gz only when the content of .config is changed 2021-05-11 14:47:37 +02:00
acct.c kernel: acct.c: fix some kernel-doc nits 2020-10-16 11:11:19 -07:00
async.c
audit_fsnotify.c fsnotify: generalize handle_inode_event() 2020-12-30 11:54:18 +01:00
audit_tree.c fsnotify: generalize handle_inode_event() 2020-12-30 11:54:18 +01:00
audit_watch.c fsnotify: generalize handle_inode_event() 2020-12-30 11:54:18 +01:00
audit.c audit: Remove redundant null check 2020-08-26 09:10:39 -04:00
audit.h audit: change unnecessary globals into statics 2020-08-17 20:26:58 -04:00
auditfilter.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
auditsc.c audit/stable-5.9 PR 20200803 2020-08-04 14:20:26 -07:00
backtracetest.c treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD() 2020-07-30 11:15:58 -07:00
bounds.c
capability.c LSM: Signal to SafeSetID when setting group IDs 2020-10-13 09:17:34 -07:00
cfi.c ANDROID: cfi: explicitly clear diag in __cfi_slowpath 2021-09-02 08:55:56 +00:00
compat.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
configs.c
context_tracking.c
cpu_pm.c notifier: Fix broken error handling pattern 2020-09-01 09:58:03 +02:00
cpu.c ANDROID: abi_gki_aarch64_qcom: Add symbols for 32bit execve 2021-06-07 21:59:49 +00:00
crash_core.c kdump: append kernel build-id string to VMCOREINFO 2020-08-12 10:58:01 -07:00
crash_dump.c
cred.c ANDROID: kernel: Add vendor hook in creds 2021-03-15 15:37:57 +00:00
delayacct.c
dma.c
exec_domain.c
exit.c ANDROID: vendor_hooks: Add hooks for memory when debug 2021-03-19 04:54:07 +00:00
extable.c
fail_function.c fail_function: Remove a redundant mutex unlock 2020-11-19 11:58:16 -08:00
fork.c ANDROID: GKI: Export put_task_stack symbol 2021-07-14 09:14:16 +00:00
freezer.c ANDROID: freezer: Add vendor hook to freezer for GKI purpose. 2021-06-07 16:07:44 +00:00
futex.c Merge 5.10.36 into android12-5.10 2021-05-13 14:22:11 +02:00
gen_kheaders.sh
groups.c LSM: Signal to SafeSetID when setting group IDs 2020-10-13 09:17:34 -07:00
hung_task.c FROMLIST: freezer: Add frozen_or_skipped() helper function 2021-06-02 15:42:01 +00:00
iomem.c
irq_work.c ANDROID: Sched: Export scheduler symbols needed by vendor modules 2020-12-03 16:50:04 +00:00
jump_label.c static_call: Fix static_call_update() sanity check 2021-03-25 09:04:18 +01:00
kallsyms.c ANDROID: kallsyms: cfi: strip hashes from static functions 2021-01-14 16:31:46 +00:00
kcmp.c exec: Transform exec_update_mutex into a rw_semaphore 2021-01-09 13:46:24 +01:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c kcov: make some symbols static 2020-08-12 10:58:02 -07:00
kexec_core.c kernel: kexec: remove the lock operation of system_transition_mutex 2021-02-03 23:28:37 +01:00
kexec_elf.c
kexec_file.c kernel: kexec_file: fix error return code of kexec_calculate_store_digests() 2021-05-19 10:13:09 +02:00
kexec_internal.h
kexec.c LSM: Introduce kernel_post_load_data() hook 2020-10-05 13:37:03 +02:00
kheaders.c
kmod.c kmod: remove redundant "be an" in the comment 2020-08-12 10:58:01 -07:00
kprobes.c kprobes: Fix to delay the kprobes jump optimization 2021-03-04 11:38:35 +01:00
ksysfs.c
kthread.c FROMLIST: kthread: Fix kthread_mod_delayed_work vs kthread_cancel_delayed_work_sync race 2021-05-24 17:29:02 +00:00
latencytop.c
Makefile kbuild: update config_data.gz only when the content of .config is changed 2021-05-11 14:47:37 +02:00
module_signature.c module: harden ELF info handling 2021-03-25 09:04:11 +01:00
module_signing.c module: harden ELF info handling 2021-03-25 09:04:11 +01:00
module-internal.h
module.c ANDROID: debug_symbols: Add android_debug_for_each_module 2021-07-15 13:59:25 -07:00
notifier.c notifier: Fix broken error handling pattern 2020-09-01 09:58:03 +02:00
nsproxy.c
padata.c padata: fix possible padata_works_lock deadlock 2020-09-04 17:51:55 +10:00
panic.c panic: don't dump stack twice on warn 2020-11-14 11:26:04 -08:00
params.c params: Replace zero-length array with flexible-array member 2020-10-29 17:22:59 -05:00
pid_namespace.c kernel/: fix repeated words in comments 2020-10-16 11:11:19 -07:00
pid.c Merge 5.10.6 into android12-5.10 2021-01-13 10:28:55 +01:00
profile.c
ptrace.c ptrace: make ptrace() fail if the tracee changed its pid unexpectedly 2021-05-26 12:06:49 +02:00
range.c kernel.h: split out min()/max() et al. helpers 2020-10-16 11:11:19 -07:00
reboot.c Merge e28c0d7c92 ("Merge branch 'akpm' (patches from Andrew)") into android-mainline 2020-11-15 14:37:09 +01:00
regset.c regset: kill ->get() 2020-07-27 14:31:12 -04:00
relay.c kernel/relay.c: drop unneeded initialization 2020-10-16 11:11:22 -07:00
resource.c kernel/resource: make walk_mem_res() find all busy IORESOURCE_MEM resources 2021-05-19 10:13:09 +02:00
rseq.c
scftorture.c scftorture: Add cond_resched() to test loop 2020-08-24 18:38:38 -07:00
scs.c FROMGIT: scs: Release kasan vmalloc poison in scs_free process 2021-10-04 15:44:53 +00:00
seccomp.c Merge 5.10.42 into android12-5.10 2021-06-03 18:47:38 +02:00
signal.c ANDROID: signal: Add vendor hook for memory reaping 2021-06-03 20:59:15 +00:00
smp.c ANDROID: Fix kernelci warnings for indentation in smp.c 2021-07-06 21:17:01 +00:00
smpboot.c kthread: Extract KTHREAD_IS_PER_CPU 2021-02-07 15:37:17 +01:00
smpboot.h
softirq.c ANDROID: softirq: Export irq_handler_exit tracepoint 2020-12-21 17:48:06 +00:00
stackleak.c stackleak: let stack_erasing_sysctl take a kernel pointer buffer 2020-09-19 13:13:39 -07:00
stacktrace.c ANDROID: stacktrace: export stack_trace_save_tsk/regs 2021-04-13 13:18:04 +00:00
static_call.c static_call: Align static_call_is_init() patching condition 2021-04-07 15:00:06 +02:00
stop_machine.c ANDROID: stop_machine: stop_one_cpu_async 2020-12-08 19:07:21 +00:00
sys_ni.c mm/madvise: introduce process_madvise() syscall: an external memory hinting API 2020-10-18 09:27:10 -07:00
sys.c BACKPORT: arm64: Introduce prctl(PR_PAC_{SET,GET}_ENABLED_KEYS) 2021-07-14 20:52:05 -07:00
sysctl-test.c
sysctl.c FROMLIST: mm: compaction: support triggering of proactive compaction by user 2021-06-17 14:15:58 -07:00
task_work.c FROMGIT: kasan: record task_work_add() call stack 2021-03-24 15:09:18 -07:00
taskstats.c taskstats: move specifying netlink policy back to ops 2020-10-02 19:11:12 -07:00
test_kprobes.c
torture.c
tracepoint.c ANDROID: vendor_hooks: Allow multiple attachments to restricted hooks 2021-03-31 09:08:06 +00:00
tsacct.c
ucount.c
uid16.c
uid16.h
umh.c usermodehelper: reset umask to default before executing user process 2020-10-06 10:31:52 -07:00
up.c smp: Fix smp_call_function_single_async prototype 2021-05-14 09:50:46 +02:00
user_namespace.c Revert "Revert "capabilities: require CAP_SETFCAP to map uid 0"" 2021-05-21 13:17:04 -07:00
user-return-notifier.c
user.c ANDROID: user: Add vendor hook to user for GKI purpose 2021-06-10 01:35:22 +00:00
usermode_driver.c bpf: Fix umd memory leak in copy_process() 2021-03-30 14:32:03 +02:00
utsname_sysctl.c
utsname.c
watch_queue.c watch_queue: Limit the number of watches a user can hold 2020-08-17 09:39:18 -07:00
watchdog_hld.c
watchdog.c Merge 5.10.38 into android12-5.10 2021-05-20 15:35:25 +02:00
workqueue_internal.h
workqueue.c Merge 5.10.30 into android12-5.10 2021-04-15 14:23:41 +02:00