From: Christoffer Dall <christoffer.dall@linaro.org>
To: Paolo Bonzini <pbonzini@redhat.com>, kvmarm@lists.cs.columbia.edu, kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Marc Zyngier <marc.zyngier@arm.com>
Subject: [PULL 17/21] arm64: kvm: restore EL1N SP for panic
Date: Wed, 4 Nov 2015 15:49:56 +0100
Message-ID: <1446648600-27297-18-git-send-email-christoffer.dall@linaro.org>
In-Reply-To: <1446648600-27297-1-git-send-email-christoffer.dall@linaro.org>

From: Mark Rutland <mark.rutland@arm.com>

If we panic in hyp mode, we inject a call to panic() into the EL1N host
kernel. If a guest context is active, we first attempt to restore the
minimal amount of state necessary to execute the host kernel with
restore_sysregs.

However, the SP is restored as part of restore_common_regs, and so we may
return to the host's panic() function with the SP of the guest. Any
calculations based on the SP will be bogus, and any attempt to access the
stack will result in recursive data aborts.

When running Linux as a guest, the guest's EL1N SP is likely to be some
valid kernel address. In this case, the host kernel may use that region as
a stack for panic(), corrupting it in the process.

Avoid the problem by restoring the host SP prior to returning to the host.
To prevent misleading backtraces in the host, the FP is zeroed at the same
time. We don't need any of the other "common" registers in order to panic
successfully.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Cc: Christoffer Dall <christoffer.dall@linaro.org>
Cc: <kvmarm@lists.cs.columbia.edu>
Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
---
 arch/arm64/kvm/hyp.S | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/arm64/kvm/hyp.S b/arch/arm64/kvm/hyp.S
index e583613..1599701 100644
--- a/arch/arm64/kvm/hyp.S
+++ b/arch/arm64/kvm/hyp.S
@@ -880,6 +880,14 @@ __kvm_hyp_panic: bl __restore_sysregs + /* + * Make sure we have a valid host stack, and don't leave junk in the + * frame pointer that will give us a misleading host stack unwinding. + */ + ldr x22, [x2, #CPU_GP_REG_OFFSET(CPU_SP_EL1)] + msr sp_el1, x22 + mov x29, xzr + 1: adr x0, __hyp_panic_str adr x1, 2f ldp x2, x3, [x1] -- 2.1.2.330.g565301e.dirty
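Review bot: the added `ldr x22, [x2, #CPU_GP_REG_OFFSET(CPU_SP_EL1)]` placed right after `bl __restore_sysregs` depends on x2 still holding the host context pointer across that call, and neither the hunk nor its new comment records that dependency; suggest extending the comment with a line such as "x2 still points at the host context, preserved across __restore_sysregs", so that a later change to __restore_sysregs which clobbers x2 cannot silently turn this into a load from a stale pointer and a write of an arbitrary value into sp_el1. It would also help to state in the comment that only sp_el1 and the frame pointer (`mov x29, xzr`) are restored on purpose, matching the commit message's point that no other "common" registers are needed to reach panic().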