From: Kalesh Singh <kaleshsingh@google.com>
To: unlisted-recipients:; (no To-header on input)
Cc: will@kernel.org, maz@kernel.org, qperret@google.com,
	tabba@google.com, surenb@google.com, kernel-team@android.com,
	Kalesh Singh <kaleshsingh@google.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	James Morse <james.morse@arm.com>,
	Alexandru Elisei <alexandru.elisei@arm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Pasha Tatashin <pasha.tatashin@soleen.com>,
	Joey Gouly <joey.gouly@arm.com>,
	Peter Collingbourne <pcc@google.com>,
	Andrew Scull <ascull@google.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Zenghui Yu <yuzenghui@huawei.com>,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, kvmarm@lists.cs.columbia.edu
Subject: [PATCH v2 6/9] KVM: arm64: Detect and handle hypervisor stack overflows
Date: Tue, 22 Feb 2022 08:51:07 -0800	[thread overview]
Message-ID: <20220222165212.2005066-7-kaleshsingh@google.com> (raw)
In-Reply-To: <20220222165212.2005066-1-kaleshsingh@google.com>

The hypervisor stacks (for both nVHE Hyp mode and nVHE protected mode)
are aligned to twice their size (PAGE_SIZE), meaning that any valid stack
address has PAGE_SHIFT bit as 0. This allows us to conveniently check for
overflow in the exception entry without corrupting any GPRs. We won't
recover from a stack overflow so panic the hypervisor.

Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
---
 arch/arm64/kvm/hyp/nvhe/host.S   | 16 ++++++++++++++++
 arch/arm64/kvm/hyp/nvhe/switch.c |  5 +++++
 2 files changed, 21 insertions(+)

diff --git a/arch/arm64/kvm/hyp/nvhe/host.S b/arch/arm64/kvm/hyp/nvhe/host.S
index 3d613e721a75..78e4b612ac06 100644
--- a/arch/arm64/kvm/hyp/nvhe/host.S
+++ b/arch/arm64/kvm/hyp/nvhe/host.S
@@ -153,6 +153,10 @@ SYM_FUNC_END(__host_hvc)
 
 .macro invalid_host_el2_vect
 	.align 7
+
+	/* Test stack overflow without corrupting GPRs */
+	test_sp_overflow PAGE_SHIFT, .L__hyp_sp_overflow\@
+
 	/* If a guest is loaded, panic out of it. */
 	stp	x0, x1, [sp, #-16]!
 	get_loaded_vcpu x0, x1
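Review bot: The `test_sp_overflow PAGE_SHIFT, .L__hyp_sp_overflow\@` check is only correct if every valid hyp SP has bit PAGE_SHIFT clear, an invariant set up by the stack layout in earlier patches of this series and not visible in this hunk, so the comment should state it rather than just "Test stack overflow", e.g. `/* Hyp stacks are 2*PAGE_SIZE aligned, so a valid SP has bit PAGE_SHIFT clear; a set bit means we have run into the guard page. */`. One boundary deserves a sentence in that comment: if the stack is the lower page of its 2*PAGE_SIZE-aligned region (which the bit-clear invariant implies), then SP == stack top already has bit PAGE_SHIFT set and the check would report overflow on an empty stack — presumably unreachable because every EL2 entry pushes x0/x1 first, but that reasoning should be written down. Since this expansion lives inside a `.align 7` vector slot, it is also worth confirming that the enlarged macro still fits in the 128-byte entry; an assembler-time size check on the vector would catch a later regression. The `invalid_host_el2_vect` macro continues past the end of this hunk.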
@@ -165,6 +169,18 @@ SYM_FUNC_END(__host_hvc)
 	 * been partially clobbered by __host_enter.
 	 */
 	b	hyp_panic
+
+.L__hyp_sp_overflow\@:
+	/*
+	 * Reset SP to the top of the stack, to allow handling the hyp_panic.
+	 * This corrupts the stack but is ok, since we won't be attempting
+	 * any unwinding here.
+	 */
+	ldr_this_cpu	x0, kvm_init_params + NVHE_INIT_STACK_HYP_VA, x1
+	mov	sp, x0
+
+	bl	hyp_panic_bad_stack
+	ASM_BUG()
 .endm
 
 .macro invalid_host_el1_vect
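Review bot: The overflow path clobbers x0 and x1 (`ldr_this_cpu x0, kvm_init_params + NVHE_INIT_STACK_HYP_VA, x1`) before anything has saved them, so the faulting context's x0/x1 are gone for any later register dump; that is acceptable on a no-return path, but the comment only mentions the stack, so extend it to `This corrupts the stack and clobbers x0/x1, which is fine since we won't be attempting any unwinding or recovery here.`. A one-line comment on why `bl` rather than `b` is used for a noreturn callee would also help — presumably so the return address lands in LR and the overflow entry is identifiable from the panic context — with `ASM_BUG()` acting as the trap should `hyp_panic_bad_stack` ever return. Note that `ldr_this_cpu` relies on TPIDR_EL2 being valid at this point, which holds for the nVHE EL2 vectors but is worth stating if this macro is ever reused.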
diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c
index 6410d21d8695..5a2e1ab79913 100644
--- a/arch/arm64/kvm/hyp/nvhe/switch.c
+++ b/arch/arm64/kvm/hyp/nvhe/switch.c
@@ -369,6 +369,11 @@ void __noreturn hyp_panic(void)
 	unreachable();
 }
 
+void __noreturn hyp_panic_bad_stack(void)
+{
+	hyp_panic();
+}
+
 asmlinkage void kvm_unexpected_el2_exception(void)
 {
 	return __kvm_unexpected_el2_exception();
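Review bot: `hyp_panic_bad_stack` has no prototype visible and, unlike the neighbouring asm-called `kvm_unexpected_el2_exception`, is not marked `asmlinkage`; since it is called only from host.S, a declaration in the hyp headers (and `asmlinkage` for consistency with its neighbour) keeps `-Wmissing-prototypes` builds clean. The body is a bare call to `hyp_panic()`, so a reader will wonder why the wrapper exists at all; add a comment such as `/* Separate entry point so a hyp stack overflow is distinguishable from other hyp panics; the caller has already reset SP to the stack top. */`, adjusted if the real reason is the unwinder added later in this series. If the compiler emits the call as a tail call, the wrapper's frame disappears from any trace, so it is worth checking the generated code if that distinction is what the symbol is for.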
-- 
2.35.1.473.g83b2b277ed-goog


