* [PATCH] arm64: kvm: restore EL1N SP for panic
@ 2015-10-12 14:04 ` Mark Rutland
  0 siblings, 0 replies; 4+ messages in thread
From: Mark Rutland @ 2015-10-12 14:04 UTC (permalink / raw)
  To: linux-arm-kernel; +Cc: kvmarm

If we panic in hyp mode, we inject a call to panic() into the EL1N host
kernel. If a guest context is active, we first attempt to restore the
minimal amount of state necessary to execute the host kernel with
restore_sysregs.

However, the SP is restored as part of restore_common_regs, and so we
may return to the host's panic() function with the SP of the guest. Any
calculations based on the SP will be bogus, and any attempt to access
the stack will result in recursive data aborts.

When running Linux as a guest, the guest's EL1N SP is likely to be some
valid kernel address. In this case, the host kernel may use that region
as a stack for panic(), corrupting it in the process.

Avoid the problem by restoring the host SP prior to returning to the
host. To prevent misleading backtraces in the host, the FP is zeroed at
the same time. We don't need any of the other "common" registers in
order to panic successfully.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Cc: Christoffer Dall <christoffer.dall@linaro.org>
Cc: <kvmarm@lists.cs.columbia.edu>
---
 arch/arm64/kvm/hyp.S | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/arm64/kvm/hyp.S b/arch/arm64/kvm/hyp.S
index e583613..1599701 100644
--- a/arch/arm64/kvm/hyp.S
+++ b/arch/arm64/kvm/hyp.S
@@ -880,6 +880,14 @@ __kvm_hyp_panic:
 
 	bl __restore_sysregs
 
+	/*
+	 * Make sure we have a valid host stack, and don't leave junk in the
+	 * frame pointer that will give us a misleading host stack unwinding.
+	 */
+	ldr	x22, [x2, #CPU_GP_REG_OFFSET(CPU_SP_EL1)]
+	msr	sp_el1, x22
+	mov	x29, xzr
+
 1:	adr	x0, __hyp_panic_str
 	adr	x1, 2f
 	ldp	x2, x3, [x1]
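Review bot: the new `ldr x22, [x2, #CPU_GP_REG_OFFSET(CPU_SP_EL1)]` depends on x2 still holding the host context pointer after `bl __restore_sysregs`, and nothing in the visible context establishes that x2 is the host (not the guest) context or that __restore_sysregs leaves it intact; a one-line comment stating that precondition, or reloading x2 from the host context immediately before the ldr, would keep the fix-up correct if __restore_sysregs later starts clobbering x2. The label `1:` directly after the new lines is also a branch target, so any path that jumps to `1:` skips the SP_EL1 restore; the comment should say that this is only the no-guest-context path, which is already on the host stack, so nobody later routes a guest-active path around the fix-up.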
-- 
1.9.1

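To illustrate the second half of the patch, the `mov x29, xzr`, here is an added example that is not part of the patch or of the kernel: a small C model of the frame-pointer walk an arm64 backtrace performs, run once with a stale guest x29 and once with x29 zeroed. The frame-record layout follows the AArch64 convention ({x29, x30} pairs linked through x29), but the stack addresses, return-address values and `struct example_cpu_context` (used only to show how an asm-offsets style constant like CPU_GP_REG_OFFSET(CPU_SP_EL1) is derived with offsetof) are constructed for the example and are not KVM's real layout.

```c
/*
 * Added example (not kernel code): a model of the arm64 frame-pointer
 * unwind that panic()'s backtrace relies on, showing why the patch zeroes
 * x29 after swapping in the host SP. All addresses, frame contents and the
 * context-struct layout below are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AArch64 frame record: {saved x29, saved x30} at the address held in x29. */
struct frame_record {
	uint64_t fp;	/* caller's frame record address; 0 terminates the chain */
	uint64_t lr;	/* return address belonging to this frame */
};

/*
 * Hypothetical register context used only to show how a constant such as
 * CPU_GP_REG_OFFSET(CPU_SP_EL1) comes out of a struct field offset.
 * This is NOT the real struct kvm_cpu_context layout.
 */
struct example_cpu_context {
	uint64_t regs[31];	/* x0..x30 */
	uint64_t sp_el1;
	uint64_t elr_el1;
};
#define EXAMPLE_SP_EL1_OFFSET offsetof(struct example_cpu_context, sp_el1)

/* A tiny simulated stack: NREC frame records at a constructed kernel address. */
#define STACK_BASE 0xffff800000010000ULL
#define NREC 8
static struct frame_record stack_mem[NREC];

static uint64_t rec_addr(size_t idx)
{
	return STACK_BASE + idx * sizeof(struct frame_record);
}

/*
 * Walk the chain the way a frame-pointer unwinder does: stop at fp == 0,
 * on a misaligned fp, or when fp leaves the stack. Returns the number of
 * return addresses written to lrs.
 */
size_t unwind(uint64_t fp, uint64_t *lrs, size_t max)
{
	size_t n = 0;

	while (fp != 0 && n < max) {
		if (fp & 0xf)				/* frame records are 16-byte aligned */
			break;
		if (fp < STACK_BASE || fp >= rec_addr(NREC))	/* not on this stack */
			break;
		size_t idx = (fp - STACK_BASE) / sizeof(struct frame_record);
		lrs[n++] = stack_mem[idx].lr;
		fp = stack_mem[idx].fp;
	}
	return n;
}

/*
 * Lay out three guest frames (records 0..2, chained 2 -> 1 -> 0 -> end) and
 * return the guest's x29, i.e. the address of its innermost record.
 */
uint64_t setup_guest_frames(void)
{
	memset(stack_mem, 0, sizeof(stack_mem));
	stack_mem[0] = (struct frame_record){ 0,           0x1000 };
	stack_mem[1] = (struct frame_record){ rec_addr(0), 0x1010 };
	stack_mem[2] = (struct frame_record){ rec_addr(1), 0x1020 };
	return rec_addr(2);
}

/*
 * Model panic() entering the host with x29 == incoming_fp: its prologue
 * pushes a frame record linking to whatever x29 held, and the backtrace
 * starts from that record. 0x2000 stands in for the hyp-panic return address.
 */
size_t host_panic_backtrace(uint64_t incoming_fp, uint64_t *lrs, size_t max)
{
	const size_t panic_slot = NREC - 1;

	stack_mem[panic_slot] = (struct frame_record){ incoming_fp, 0x2000 };
	return unwind(rec_addr(panic_slot), lrs, max);
}

int main(void)
{
	uint64_t lrs[NREC];
	uint64_t guest_fp = setup_guest_frames();
	size_t n, i;

	printf("SP_EL1 offset in the example context: %zu\n",
	       (size_t)EXAMPLE_SP_EL1_OFFSET);

	/* Without the patch: x29 still holds the guest's frame pointer. */
	n = host_panic_backtrace(guest_fp, lrs, NREC);
	printf("stale guest x29: %zu frames:", n);
	for (i = 0; i < n; i++)
		printf(" %#llx", (unsigned long long)lrs[i]);
	printf("  <- guest return addresses reported as host frames\n");

	/* With the patch: x29 zeroed, so the walk ends at panic()'s own frame. */
	n = host_panic_backtrace(0, lrs, NREC);
	printf("x29 == 0: %zu frame(s): %#llx\n", n, (unsigned long long)lrs[0]);
	return 0;
}
```

The bounds and alignment checks in unwind() are what keep the simulated walk from reading outside the constructed stack; on real hardware the equivalent failure is the recursive data abort the commit message describes when SP_EL1 itself is still the guest's.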

* Re: [PATCH] arm64: kvm: restore EL1N SP for panic
  2015-10-12 14:04 ` Mark Rutland
@ 2015-10-18 20:13   ` Christoffer Dall
  -1 siblings, 0 replies; 4+ messages in thread
From: Christoffer Dall @ 2015-10-18 20:13 UTC (permalink / raw)
  To: Mark Rutland; +Cc: kvmarm, linux-arm-kernel

On Mon, Oct 12, 2015 at 03:04:50PM +0100, Mark Rutland wrote:
> If we panic in hyp mode, we inject a call to panic() into the EL1N host
> kernel. If a guest context is active, we first attempt to restore the
> minimal amount of state necessary to execute the host kernel with
> restore_sysregs.
> 
> However, the SP is restored as part of restore_common_regs, and so we
> may return to the host's panic() function with the SP of the guest. Any
> calculations based on the SP will be bogus, and any attempt to access
> the stack will result in recursive data aborts.
> 
> When running Linux as a guest, the guest's EL1N SP is likely to be some
> valid kernel address. In this case, the host kernel may use that region
> as a stack for panic(), corrupting it in the process.
> 
> Avoid the problem by restoring the host SP prior to returning to the
> host. To prevent misleading backtraces in the host, the FP is zeroed at
> the same time. We don't need any of the other "common" registers in
> order to panic successfully.
> 
> Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> Acked-by: Marc Zyngier <marc.zyngier@arm.com>
> Cc: Christoffer Dall <christoffer.dall@linaro.org>
> Cc: <kvmarm@lists.cs.columbia.edu>

Applied - thanks,
-Christoffer


end of thread, other threads:[~2015-10-18 20:13 UTC | newest]

Thread overview:
2015-10-12 14:04 [PATCH] arm64: kvm: restore EL1N SP for panic Mark Rutland
2015-10-18 20:13 ` Christoffer Dall