From: Fuad Tabba <tabba@google.com>
To: Kalesh Singh <kaleshsingh@google.com>
Cc: will@kernel.org, maz@kernel.org, qperret@google.com,
surenb@google.com, kernel-team@android.com,
James Morse <james.morse@arm.com>,
Alexandru Elisei <alexandru.elisei@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Mark Brown <broonie@kernel.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Peter Collingbourne <pcc@google.com>,
"Madhavan T. Venkataraman" <madvenka@linux.microsoft.com>,
Andrew Walbran <qwandor@google.com>,
Andrew Scull <ascull@google.com>,
linux-arm-kernel@lists.infradead.org,
kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v6 5/8] KVM: arm64: Detect and handle hypervisor stack overflows
Date: Tue, 29 Mar 2022 09:51:05 +0100 [thread overview]
Message-ID: <CA+EHjTxkug-92zR5sr7icry8KWuksAt6PBt95QTjtkYonF7-Ng@mail.gmail.com> (raw)
In-Reply-To: <20220314200148.2695206-6-kaleshsingh@google.com>
Hi Kalesh,
On Mon, Mar 14, 2022 at 8:05 PM Kalesh Singh <kaleshsingh@google.com> wrote:
>
> The hypervisor stacks (for both nVHE Hyp mode and nVHE protected mode)
> are aligned such that any valid stack address has PAGE_SHIFT bit as 1.
> This allows us to conveniently check for overflow in the exception entry
> without corrupting any GPRs. We won't recover from a stack overflow so
> panic the hypervisor.
>
> Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Tested-by: Fuad Tabba <tabba@google.com>
Reviewed-by: Fuad Tabba <tabba@google.com>
Thanks,
/fuad
> ---
>
> Changes in v5:
> - Valid stack addresses now have PAGE_SHIFT bit as 1 instead of 0
>
> Changes in v3:
> - Remove test_sp_overflow macro, per Mark
> - Add asmlinkage attribute for hyp_panic, hyp_panic_bad_stack, per Ard
>
>
> arch/arm64/kvm/hyp/nvhe/host.S | 24 ++++++++++++++++++++++++
> arch/arm64/kvm/hyp/nvhe/switch.c | 7 ++++++-
> 2 files changed, 30 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/kvm/hyp/nvhe/host.S b/arch/arm64/kvm/hyp/nvhe/host.S
> index 3d613e721a75..be6d844279b1 100644
> --- a/arch/arm64/kvm/hyp/nvhe/host.S
> +++ b/arch/arm64/kvm/hyp/nvhe/host.S
> @@ -153,6 +153,18 @@ SYM_FUNC_END(__host_hvc)
>
> .macro invalid_host_el2_vect
> .align 7
> +
> + /*
> + * Test whether the SP has overflowed, without corrupting a GPR.
> + * nVHE hypervisor stacks are aligned so that the PAGE_SHIFT bit
> + * of SP should always be 1.
> + */
> + add sp, sp, x0 // sp' = sp + x0
> + sub x0, sp, x0 // x0' = sp' - x0 = (sp + x0) - x0 = sp
> + tbz x0, #PAGE_SHIFT, .L__hyp_sp_overflow\@
> + sub x0, sp, x0 // x0'' = sp' - x0' = (sp + x0) - sp = x0
> + sub sp, sp, x0 // sp'' = sp' - x0 = (sp + x0) - x0 = sp
> +
> /* If a guest is loaded, panic out of it. */
> stp x0, x1, [sp, #-16]!
> get_loaded_vcpu x0, x1
> @@ -165,6 +177,18 @@ SYM_FUNC_END(__host_hvc)
> * been partially clobbered by __host_enter.
> */
> b hyp_panic
> +
> +.L__hyp_sp_overflow\@:
> + /*
> + * Reset SP to the top of the stack, to allow handling the hyp_panic.
> + * This corrupts the stack but is ok, since we won't be attempting
> + * any unwinding here.
> + */
> + ldr_this_cpu x0, kvm_init_params + NVHE_INIT_STACK_HYP_VA, x1
> + mov sp, x0
> +
> + bl hyp_panic_bad_stack
> + ASM_BUG()
> .endm
>
> .macro invalid_host_el1_vect
> diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c
> index 6410d21d8695..703a5d3f611b 100644
> --- a/arch/arm64/kvm/hyp/nvhe/switch.c
> +++ b/arch/arm64/kvm/hyp/nvhe/switch.c
> @@ -347,7 +347,7 @@ int __kvm_vcpu_run(struct kvm_vcpu *vcpu)
> return exit_code;
> }
>
> -void __noreturn hyp_panic(void)
> +asmlinkage void __noreturn hyp_panic(void)
> {
> u64 spsr = read_sysreg_el2(SYS_SPSR);
> u64 elr = read_sysreg_el2(SYS_ELR);
> @@ -369,6 +369,11 @@ void __noreturn hyp_panic(void)
> unreachable();
> }
>
> +asmlinkage void __noreturn hyp_panic_bad_stack(void)
> +{
> + hyp_panic();
> +}
> +
> asmlinkage void kvm_unexpected_el2_exception(void)
> {
> return __kvm_unexpected_el2_exception();
> --
> 2.35.1.723.g4982287a31-goog
>
WARNING: multiple messages have this Message-ID (diff)
From: Fuad Tabba <tabba@google.com>
To: Kalesh Singh <kaleshsingh@google.com>
Cc: kernel-team@android.com, Andrew Walbran <qwandor@google.com>,
will@kernel.org, Peter Collingbourne <pcc@google.com>,
maz@kernel.org, linux-kernel@vger.kernel.org,
"Madhavan T. Venkataraman" <madvenka@linux.microsoft.com>,
Mark Brown <broonie@kernel.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Catalin Marinas <catalin.marinas@arm.com>,
surenb@google.com, kvmarm@lists.cs.columbia.edu,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v6 5/8] KVM: arm64: Detect and handle hypervisor stack overflows
Date: Tue, 29 Mar 2022 09:51:05 +0100 [thread overview]
Message-ID: <CA+EHjTxkug-92zR5sr7icry8KWuksAt6PBt95QTjtkYonF7-Ng@mail.gmail.com> (raw)
In-Reply-To: <20220314200148.2695206-6-kaleshsingh@google.com>
Hi Kalesh,
On Mon, Mar 14, 2022 at 8:05 PM Kalesh Singh <kaleshsingh@google.com> wrote:
>
> The hypervisor stacks (for both nVHE Hyp mode and nVHE protected mode)
> are aligned such that any valid stack address has PAGE_SHIFT bit as 1.
> This allows us to conveniently check for overflow in the exception entry
> without corrupting any GPRs. We won't recover from a stack overflow so
> panic the hypervisor.
>
> Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Tested-by: Fuad Tabba <tabba@google.com>
Reviewed-by: Fuad Tabba <tabba@google.com>
Thanks,
/fuad
> ---
>
> Changes in v5:
> - Valid stack addresses now have PAGE_SHIFT bit as 1 instead of 0
>
> Changes in v3:
> - Remove test_sp_overflow macro, per Mark
> - Add asmlinkage attribute for hyp_panic, hyp_panic_bad_stack, per Ard
>
>
> arch/arm64/kvm/hyp/nvhe/host.S | 24 ++++++++++++++++++++++++
> arch/arm64/kvm/hyp/nvhe/switch.c | 7 ++++++-
> 2 files changed, 30 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/kvm/hyp/nvhe/host.S b/arch/arm64/kvm/hyp/nvhe/host.S
> index 3d613e721a75..be6d844279b1 100644
> --- a/arch/arm64/kvm/hyp/nvhe/host.S
> +++ b/arch/arm64/kvm/hyp/nvhe/host.S
> @@ -153,6 +153,18 @@ SYM_FUNC_END(__host_hvc)
>
> .macro invalid_host_el2_vect
> .align 7
> +
> + /*
> + * Test whether the SP has overflowed, without corrupting a GPR.
> + * nVHE hypervisor stacks are aligned so that the PAGE_SHIFT bit
> + * of SP should always be 1.
> + */
> + add sp, sp, x0 // sp' = sp + x0
> + sub x0, sp, x0 // x0' = sp' - x0 = (sp + x0) - x0 = sp
> + tbz x0, #PAGE_SHIFT, .L__hyp_sp_overflow\@
> + sub x0, sp, x0 // x0'' = sp' - x0' = (sp + x0) - sp = x0
> + sub sp, sp, x0 // sp'' = sp' - x0 = (sp + x0) - x0 = sp
> +
> /* If a guest is loaded, panic out of it. */
> stp x0, x1, [sp, #-16]!
> get_loaded_vcpu x0, x1
> @@ -165,6 +177,18 @@ SYM_FUNC_END(__host_hvc)
> * been partially clobbered by __host_enter.
> */
> b hyp_panic
> +
> +.L__hyp_sp_overflow\@:
> + /*
> + * Reset SP to the top of the stack, to allow handling the hyp_panic.
> + * This corrupts the stack but is ok, since we won't be attempting
> + * any unwinding here.
> + */
> + ldr_this_cpu x0, kvm_init_params + NVHE_INIT_STACK_HYP_VA, x1
> + mov sp, x0
> +
> + bl hyp_panic_bad_stack
> + ASM_BUG()
> .endm
>
> .macro invalid_host_el1_vect
> diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c
> index 6410d21d8695..703a5d3f611b 100644
> --- a/arch/arm64/kvm/hyp/nvhe/switch.c
> +++ b/arch/arm64/kvm/hyp/nvhe/switch.c
> @@ -347,7 +347,7 @@ int __kvm_vcpu_run(struct kvm_vcpu *vcpu)
> return exit_code;
> }
>
> -void __noreturn hyp_panic(void)
> +asmlinkage void __noreturn hyp_panic(void)
> {
> u64 spsr = read_sysreg_el2(SYS_SPSR);
> u64 elr = read_sysreg_el2(SYS_ELR);
> @@ -369,6 +369,11 @@ void __noreturn hyp_panic(void)
> unreachable();
> }
>
> +asmlinkage void __noreturn hyp_panic_bad_stack(void)
> +{
> + hyp_panic();
> +}
> +
> asmlinkage void kvm_unexpected_el2_exception(void)
> {
> return __kvm_unexpected_el2_exception();
> --
> 2.35.1.723.g4982287a31-goog
>
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
WARNING: multiple messages have this Message-ID (diff)
From: Fuad Tabba <tabba@google.com>
To: Kalesh Singh <kaleshsingh@google.com>
Cc: will@kernel.org, maz@kernel.org, qperret@google.com,
surenb@google.com, kernel-team@android.com,
James Morse <james.morse@arm.com>,
Alexandru Elisei <alexandru.elisei@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
Mark Brown <broonie@kernel.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Peter Collingbourne <pcc@google.com>,
"Madhavan T. Venkataraman" <madvenka@linux.microsoft.com>,
Andrew Walbran <qwandor@google.com>,
Andrew Scull <ascull@google.com>,
linux-arm-kernel@lists.infradead.org,
kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v6 5/8] KVM: arm64: Detect and handle hypervisor stack overflows
Date: Tue, 29 Mar 2022 09:51:05 +0100 [thread overview]
Message-ID: <CA+EHjTxkug-92zR5sr7icry8KWuksAt6PBt95QTjtkYonF7-Ng@mail.gmail.com> (raw)
In-Reply-To: <20220314200148.2695206-6-kaleshsingh@google.com>
Hi Kalesh,
On Mon, Mar 14, 2022 at 8:05 PM Kalesh Singh <kaleshsingh@google.com> wrote:
>
> The hypervisor stacks (for both nVHE Hyp mode and nVHE protected mode)
> are aligned such that any valid stack address has PAGE_SHIFT bit as 1.
> This allows us to conveniently check for overflow in the exception entry
> without corrupting any GPRs. We won't recover from a stack overflow so
> panic the hypervisor.
>
> Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
Tested-by: Fuad Tabba <tabba@google.com>
Reviewed-by: Fuad Tabba <tabba@google.com>
Thanks,
/fuad
> ---
>
> Changes in v5:
> - Valid stack addresses now have PAGE_SHIFT bit as 1 instead of 0
>
> Changes in v3:
> - Remove test_sp_overflow macro, per Mark
> - Add asmlinkage attribute for hyp_panic, hyp_panic_bad_stack, per Ard
>
>
> arch/arm64/kvm/hyp/nvhe/host.S | 24 ++++++++++++++++++++++++
> arch/arm64/kvm/hyp/nvhe/switch.c | 7 ++++++-
> 2 files changed, 30 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm64/kvm/hyp/nvhe/host.S b/arch/arm64/kvm/hyp/nvhe/host.S
> index 3d613e721a75..be6d844279b1 100644
> --- a/arch/arm64/kvm/hyp/nvhe/host.S
> +++ b/arch/arm64/kvm/hyp/nvhe/host.S
> @@ -153,6 +153,18 @@ SYM_FUNC_END(__host_hvc)
>
> .macro invalid_host_el2_vect
> .align 7
> +
> + /*
> + * Test whether the SP has overflowed, without corrupting a GPR.
> + * nVHE hypervisor stacks are aligned so that the PAGE_SHIFT bit
> + * of SP should always be 1.
> + */
> + add sp, sp, x0 // sp' = sp + x0
> + sub x0, sp, x0 // x0' = sp' - x0 = (sp + x0) - x0 = sp
> + tbz x0, #PAGE_SHIFT, .L__hyp_sp_overflow\@
> + sub x0, sp, x0 // x0'' = sp' - x0' = (sp + x0) - sp = x0
> + sub sp, sp, x0 // sp'' = sp' - x0 = (sp + x0) - x0 = sp
> +
> /* If a guest is loaded, panic out of it. */
> stp x0, x1, [sp, #-16]!
> get_loaded_vcpu x0, x1
> @@ -165,6 +177,18 @@ SYM_FUNC_END(__host_hvc)
> * been partially clobbered by __host_enter.
> */
> b hyp_panic
> +
> +.L__hyp_sp_overflow\@:
> + /*
> + * Reset SP to the top of the stack, to allow handling the hyp_panic.
> + * This corrupts the stack but is ok, since we won't be attempting
> + * any unwinding here.
> + */
> + ldr_this_cpu x0, kvm_init_params + NVHE_INIT_STACK_HYP_VA, x1
> + mov sp, x0
> +
> + bl hyp_panic_bad_stack
> + ASM_BUG()
> .endm
>
> .macro invalid_host_el1_vect
> diff --git a/arch/arm64/kvm/hyp/nvhe/switch.c b/arch/arm64/kvm/hyp/nvhe/switch.c
> index 6410d21d8695..703a5d3f611b 100644
> --- a/arch/arm64/kvm/hyp/nvhe/switch.c
> +++ b/arch/arm64/kvm/hyp/nvhe/switch.c
> @@ -347,7 +347,7 @@ int __kvm_vcpu_run(struct kvm_vcpu *vcpu)
> return exit_code;
> }
>
> -void __noreturn hyp_panic(void)
> +asmlinkage void __noreturn hyp_panic(void)
> {
> u64 spsr = read_sysreg_el2(SYS_SPSR);
> u64 elr = read_sysreg_el2(SYS_ELR);
> @@ -369,6 +369,11 @@ void __noreturn hyp_panic(void)
> unreachable();
> }
>
> +asmlinkage void __noreturn hyp_panic_bad_stack(void)
> +{
> + hyp_panic();
> +}
> +
> asmlinkage void kvm_unexpected_el2_exception(void)
> {
> return __kvm_unexpected_el2_exception();
> --
> 2.35.1.723.g4982287a31-goog
>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-03-29 8:52 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-14 20:01 [PATCH v6 0/8] KVM: arm64: Hypervisor stack enhancements Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-14 20:01 ` [PATCH v6 1/8] KVM: arm64: Introduce hyp_alloc_private_va_range() Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-29 8:50 ` Fuad Tabba
2022-03-29 8:50 ` Fuad Tabba
2022-03-29 8:50 ` Fuad Tabba
2022-03-29 15:37 ` Kalesh Singh
2022-03-29 15:37 ` Kalesh Singh
2022-03-29 15:37 ` Kalesh Singh
2022-03-14 20:01 ` [PATCH v6 2/8] KVM: arm64: Introduce pkvm_alloc_private_va_range() Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-29 8:50 ` Fuad Tabba
2022-03-29 8:50 ` Fuad Tabba
2022-03-29 8:50 ` Fuad Tabba
2022-03-14 20:01 ` [PATCH v6 3/8] KVM: arm64: Add guard pages for KVM nVHE hypervisor stack Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-29 8:50 ` Fuad Tabba
2022-03-29 8:50 ` Fuad Tabba
2022-03-29 8:50 ` Fuad Tabba
2022-03-14 20:01 ` [PATCH v6 4/8] KVM: arm64: Add guard pages for pKVM (protected nVHE) " Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-29 8:51 ` Fuad Tabba
2022-03-29 8:51 ` Fuad Tabba
2022-03-29 8:51 ` Fuad Tabba
2022-03-14 20:01 ` [PATCH v6 5/8] KVM: arm64: Detect and handle hypervisor stack overflows Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-29 8:51 ` Fuad Tabba [this message]
2022-03-29 8:51 ` Fuad Tabba
2022-03-29 8:51 ` Fuad Tabba
2022-03-14 20:01 ` [PATCH v6 6/8] KVM: arm64: Add hypervisor overflow stack Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-29 8:51 ` Fuad Tabba
2022-03-29 8:51 ` Fuad Tabba
2022-03-29 8:51 ` Fuad Tabba
2022-03-14 20:01 ` [PATCH v6 7/8] KVM: arm64: Unwind and dump nVHE HYP stacktrace Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-29 8:51 ` Fuad Tabba
2022-03-29 8:51 ` Fuad Tabba
2022-03-29 8:51 ` Fuad Tabba
2022-03-31 19:22 ` Kalesh Singh
2022-03-31 19:22 ` Kalesh Singh
2022-03-31 19:22 ` Kalesh Singh
2022-04-13 13:58 ` Mark Rutland
2022-04-13 13:58 ` Mark Rutland
2022-04-13 13:58 ` Mark Rutland
2022-04-19 17:37 ` Kalesh Singh
2022-04-19 17:37 ` Kalesh Singh
2022-04-19 17:37 ` Kalesh Singh
2022-04-21 9:00 ` Mark Rutland
2022-04-21 9:00 ` Mark Rutland
2022-04-21 9:00 ` Mark Rutland
2022-03-14 20:01 ` [PATCH v6 8/8] KVM: arm64: Symbolize the nVHE HYP backtrace Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-14 20:01 ` Kalesh Singh
2022-03-29 8:51 ` Fuad Tabba
2022-03-29 8:51 ` Fuad Tabba
2022-03-29 8:51 ` Fuad Tabba
2022-03-28 16:55 ` [PATCH v6 0/8] KVM: arm64: Hypervisor stack enhancements Kalesh Singh
2022-03-28 16:55 ` Kalesh Singh
2022-03-28 16:55 ` Kalesh Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+EHjTxkug-92zR5sr7icry8KWuksAt6PBt95QTjtkYonF7-Ng@mail.gmail.com \
--to=tabba@google.com \
--cc=alexandru.elisei@arm.com \
--cc=ascull@google.com \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=james.morse@arm.com \
--cc=kaleshsingh@google.com \
--cc=kernel-team@android.com \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=madvenka@linux.microsoft.com \
--cc=mark.rutland@arm.com \
--cc=maz@kernel.org \
--cc=mhiramat@kernel.org \
--cc=pcc@google.com \
--cc=qperret@google.com \
--cc=qwandor@google.com \
--cc=surenb@google.com \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.