WSL2-Linux-Kernel/arch/arm
Boy.Wu 20ac71bee0 ARM: 9381/1: kasan: clear stale stack poison
[ Upstream commit c4238686f9093b98bd6245a348bcf059cdce23af ]

We found below OOB crash:

[   33.452494] ==================================================================
[   33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec
[   33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0
[   33.455515]
[   33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O       6.1.25-mainline #1
[   33.456880] Hardware name: Generic DT based system
[   33.457555]  unwind_backtrace from show_stack+0x18/0x1c
[   33.458326]  show_stack from dump_stack_lvl+0x40/0x4c
[   33.459072]  dump_stack_lvl from print_report+0x158/0x4a4
[   33.459863]  print_report from kasan_report+0x9c/0x148
[   33.460616]  kasan_report from kasan_check_range+0x94/0x1a0
[   33.461424]  kasan_check_range from memset+0x20/0x3c
[   33.462157]  memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec
[   33.463064]  refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c
[   33.464181]  tick_nohz_idle_stop_tick from do_idle+0x264/0x354
[   33.465029]  do_idle from cpu_startup_entry+0x20/0x24
[   33.465769]  cpu_startup_entry from rest_init+0xf0/0xf4
[   33.466528]  rest_init from arch_post_acpi_subsys_init+0x0/0x18
[   33.467397]
[   33.467644] The buggy address belongs to stack of task swapper/0/0
[   33.468493]  and is located at offset 112 in frame:
[   33.469172]  refresh_cpu_vm_stats.constprop.0+0x0/0x2ec
[   33.469917]
[   33.470165] This frame has 2 objects:
[   33.470696]  [32, 76) 'global_zone_diff'
[   33.470729]  [112, 276) 'global_node_diff'
[   33.471294]
[   33.472095] The buggy address belongs to the physical page:
[   33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03
[   33.473944] flags: 0x1000(reserved|zone=0)
[   33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001
[   33.475656] raw: 00000000
[   33.476050] page dumped because: kasan: bad access detected
[   33.476816]
[   33.477061] Memory state around the buggy address:
[   33.477732]  c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.478630]  c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[   33.479526] >c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1
[   33.480415]                                                ^
[   33.481195]  c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3
[   33.482088]  c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[   33.482978] ==================================================================

We find the root cause of this OOB is that arm does not clear stale stack
poison in the case of cpuidle.

This patch refer to arch/arm64/kernel/sleep.S to resolve this issue.

From cited commit [1] that explain the problem

Functions which the compiler has instrumented for KASAN place poison on
the stack shadow upon entry and remove this poison prior to returning.

In the case of cpuidle, CPUs exit the kernel a number of levels deep in
C code.  Any instrumented functions on this critical path will leave
portions of the stack shadow poisoned.

If CPUs lose context and return to the kernel via a cold path, we
restore a prior context saved in __cpu_suspend_enter are forgotten, and
we never remove the poison they placed in the stack shadow area by
functions calls between this and the actual exit of the kernel.

Thus, (depending on stackframe layout) subsequent calls to instrumented
functions may hit this stale poison, resulting in (spurious) KASAN
splats to the console.

To avoid this, clear any stale poison from the idle thread for a CPU
prior to bringing a CPU online.

From cited commit [2]

Extend to check for CONFIG_KASAN_STACK

[1] commit 0d97e6d802 ("arm64: kasan: clear stale stack poison")
[2] commit d56a9ef84b ("kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK")

Signed-off-by: Boy Wu <boy.wu@mediatek.com>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Fixes: 5615f69bc2 ("ARM: 9016/2: Initialize the mapping of KASan shadow memory")
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-05-17 11:50:57 +02:00
..
boot arm: dts: marvell: Fix maxium->maxim typo in brownstone dts 2024-04-10 16:18:34 +02:00
common
configs ARM: defconfig: drop CONFIG_DRM_RCAR_LVDS 2023-06-09 10:32:35 +02:00
crypto crypto: arm/sha - fix function cast warnings 2024-03-26 18:21:29 -04:00
include ARM: 9320/1: fix stack depot IRQ stack filter 2023-11-28 16:56:18 +00:00
kernel ARM: 9381/1: kasan: clear stale stack poison 2024-05-17 11:50:57 +02:00
lib ARM: 9321/1: memset: cast the constant byte to unsigned char 2023-11-20 11:08:23 +01:00
mach-actions
mach-alpine
mach-artpec
mach-asm9260
mach-aspeed
mach-at91 ARM: at91: pm: avoid soft resetting AC DLL 2022-11-26 09:24:34 +01:00
mach-axxia
mach-bcm
mach-berlin
mach-clps711x
mach-cns3xxx
mach-davinci ARM: 9330/1: davinci: also select PINCTRL 2024-01-25 14:52:49 -08:00
mach-digicolor
mach-dove treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1) 2023-10-06 13:18:12 +02:00
mach-ep93xx ARM: ep93xx: Add terminator to gpiod_lookup_table 2024-03-01 13:21:48 +01:00
mach-exynos
mach-footbridge
mach-gemini
mach-highbank
mach-hisi
mach-imx ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init 2023-12-13 18:36:41 +01:00
mach-integrator
mach-iop32x
mach-ixp4xx
mach-keystone
mach-lpc18xx treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1) 2023-10-06 13:18:12 +02:00
mach-lpc32xx treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1) 2023-10-06 13:18:12 +02:00
mach-mediatek
mach-meson
mach-milbeaut
mach-mmp ARM: mmp: fix timer_read delay 2022-12-31 13:14:00 +01:00
mach-moxart
mach-mstar
mach-mv78xx0 treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1) 2023-10-06 13:18:12 +02:00
mach-mvebu treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1) 2023-10-06 13:18:12 +02:00
mach-mxs ARM: mxs: fix memory leak in mxs_machine_init() 2022-12-02 17:41:04 +01:00
mach-nomadik
mach-npcm
mach-nspire
mach-omap1 treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1) 2023-10-06 13:18:12 +02:00
mach-omap2 ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init 2024-01-05 15:13:27 +01:00
mach-orion5x treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1) 2023-10-06 13:18:12 +02:00
mach-oxnas
mach-pxa treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1) 2023-10-06 13:18:12 +02:00
mach-qcom
mach-rda
mach-realtek
mach-realview
mach-rockchip
mach-rpc
mach-s3c ARM: s3c: fix s3c64xx_set_timer_source prototype 2023-03-10 09:39:01 +01:00
mach-s5pv210
mach-sa1100 ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings 2023-05-24 17:36:41 +01:00
mach-shmobile
mach-socfpga
mach-spear treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1) 2023-10-06 13:18:12 +02:00
mach-sti
mach-stm32
mach-sunxi ARM: sun9i: smp: fix return code check of of_property_match_string 2024-01-25 14:52:30 -08:00
mach-tegra
mach-uniphier
mach-ux500
mach-versatile
mach-vexpress
mach-vt8500
mach-zynq ARM: zynq: Fix refcount leak in zynq_early_slcr_init 2023-03-10 09:38:58 +01:00
mm treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1) 2023-10-06 13:18:12 +02:00
net
nwfpe ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod 2023-01-12 11:58:55 +01:00
plat-omap
plat-orion
plat-pxa
plat-versatile
probes ARM: 9303/1: kprobes: avoid missing-declaration warnings 2023-07-23 13:46:46 +02:00
tools
vdso
vfp
xen arm/xen: fix xen_vcpu_info allocation alignment 2023-12-03 07:31:22 +01:00
Kbuild
Kconfig ARM: cpu: Switch to arch_cpu_finalize_init() 2023-08-08 19:58:30 +02:00
Kconfig-nommu
Kconfig.assembler
Kconfig.debug
Makefile