{ "commit": "2f2183243f52a8ee77eecba4796316606701d101", "tree": "a5817337c297f3ec08603dc710034e632bfc64c5", "parents": [ "ce39d473d1edd6914e1eed097deb0c0612baa8f6" ], "author": { "name": "Mark Rutland", "email": "mark.rutland@arm.com", "time": "Tue Nov 30 12:18:49 2021 +0000" }, "committer": { "name": "Will Deacon", "email": "will@kernel.org", "time": "Thu Dec 02 10:17:12 2021 +0000" }, "message": "arm64: kexec: use __pa_symbol(empty_zero_page)\n\nIn machine_kexec_post_load() we use __pa() on `empty_zero_page`, so that\nwe can use the physical address during arm64_relocate_new_kernel() to\nswitch TTBR1 to a new set of tables. While `empty_zero_page` is part of\nthe old kernel, we won\u0027t clobber it until after this switch, so using it\nis benign.\n\nHowever, `empty_zero_page` is part of the kernel image rather than a\nlinear map address, so it is not correct to use __pa(x), and we should\ninstead use __pa_symbol(x) or __pa(lm_alias(x)). Otherwise, when the\nkernel is built with DEBUG_VIRTUAL, we\u0027ll encounter splats as below, as\nI\u0027ve seen when fuzzing v5.16-rc3 with Syzkaller:\n\n| ------------[ cut here ]------------\n| virt_to_phys used for non-linear address: 000000008492561a (empty_zero_page+0x0/0x1000)\n| WARNING: CPU: 3 PID: 11492 at arch/arm64/mm/physaddr.c:15 __virt_to_phys+0x120/0x1c0 arch/arm64/mm/physaddr.c:12\n| CPU: 3 PID: 11492 Comm: syz-executor.0 Not tainted 5.16.0-rc3-00001-g48bd452a045c #1\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE\u003d--)\n| pc : __virt_to_phys+0x120/0x1c0 arch/arm64/mm/physaddr.c:12\n| lr : __virt_to_phys+0x120/0x1c0 arch/arm64/mm/physaddr.c:12\n| sp : ffff80001af17bb0\n| x29: ffff80001af17bb0 x28: ffff1cc65207b400 x27: ffffb7828730b120\n| x26: 0000000000000e11 x25: 0000000000000000 x24: 0000000000000001\n| x23: ffffb7828963e000 x22: ffffb78289644000 x21: 0000600000000000\n| x20: 000000000000002d x19: 0000b78289644000 x18: 0000000000000000\n| x17: 
74706d6528206131 x16: 3635323934383030 x15: 303030303030203a\n| x14: 1ffff000035e2eb8 x13: ffff6398d53f4f0f x12: 1fffe398d53f4f0e\n| x11: 1fffe398d53f4f0e x10: ffff6398d53f4f0e x9 : ffffb7827c6f76dc\n| x8 : ffff1cc6a9fa7877 x7 : 0000000000000001 x6 : ffff6398d53f4f0f\n| x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff1cc66f2a99c0\n| x2 : 0000000000040000 x1 : d7ce7775b09b5d00 x0 : 0000000000000000\n| Call trace:\n| __virt_to_phys+0x120/0x1c0 arch/arm64/mm/physaddr.c:12\n| machine_kexec_post_load+0x284/0x670 arch/arm64/kernel/machine_kexec.c:150\n| do_kexec_load+0x570/0x670 kernel/kexec.c:155\n| __do_sys_kexec_load kernel/kexec.c:250 [inline]\n| __se_sys_kexec_load kernel/kexec.c:231 [inline]\n| __arm64_sys_kexec_load+0x1d8/0x268 kernel/kexec.c:231\n| __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]\n| invoke_syscall+0x90/0x2e0 arch/arm64/kernel/syscall.c:52\n| el0_svc_common.constprop.2+0x1e4/0x2f8 arch/arm64/kernel/syscall.c:142\n| do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:181\n| el0_svc+0x60/0x248 arch/arm64/kernel/entry-common.c:603\n| el0t_64_sync_handler+0x90/0xb8 arch/arm64/kernel/entry-common.c:621\n| el0t_64_sync+0x180/0x184 arch/arm64/kernel/entry.S:572\n| irq event stamp: 2428\n| hardirqs last enabled at (2427): [\u003cffffb7827c6f2308\u003e] __up_console_sem+0xf0/0x118 kernel/printk/printk.c:255\n| hardirqs last disabled at (2428): [\u003cffffb7828223df98\u003e] el1_dbg+0x28/0x80 arch/arm64/kernel/entry-common.c:375\n| softirqs last enabled at (2424): [\u003cffffb7827c411c00\u003e] softirq_handle_end kernel/softirq.c:401 [inline]\n| softirqs last enabled at (2424): [\u003cffffb7827c411c00\u003e] __do_softirq+0xa28/0x11e4 kernel/softirq.c:587\n| softirqs last disabled at (2417): [\u003cffffb7827c59015c\u003e] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]\n| softirqs last disabled at (2417): [\u003cffffb7827c59015c\u003e] invoke_softirq kernel/softirq.c:439 [inline]\n| softirqs last disabled at (2417): 
[\u003cffffb7827c59015c\u003e] __irq_exit_rcu kernel/softirq.c:636 [inline]\n| softirqs last disabled at (2417): [\u003cffffb7827c59015c\u003e] irq_exit_rcu+0x53c/0x688 kernel/softirq.c:648\n| ---[ end trace 0ca578534e7ca938 ]---\n\nWith or without DEBUG_VIRTUAL __pa() will fall back to __kimg_to_phys()\nfor non-linear addresses, and will happen to do the right thing in this\ncase, even with the warning. But we should not depend upon this, and to\nkeep the warning useful we should fix this case.\n\nFix this issue by using __pa_symbol(), which handles kernel image\naddresses (and checks its input is a kernel image address). This matches\nwhat we do elsewhere, e.g. in arch/arm64/include/asm/pgtable.h:\n\n| #define ZERO_PAGE(vaddr) phys_to_page(__pa_symbol(empty_zero_page))\n\nFixes: 3744b5280e67 (\"arm64: kexec: install a copy of the linear-map\")\nSigned-off-by: Mark Rutland \u003cmark.rutland@arm.com\u003e\nCc: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nCc: James Morse \u003cjames.morse@arm.com\u003e\nCc: Pasha Tatashin \u003cpasha.tatashin@soleen.com\u003e\nCc: Will Deacon \u003cwill@kernel.org\u003e\nReviewed-by: Pasha Tatashin \u003cpasha.tatashin@soleen.com\u003e\nLink: https://lore.kernel.org/r/20211130121849.3319010-1-mark.rutland@arm.com\nSigned-off-by: Will Deacon \u003cwill@kernel.org\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "1038494135c8cef847829ebcf43b6fa58d596770", "old_mode": 33188, "old_path": "arch/arm64/kernel/machine_kexec.c", "new_id": "6fb31c117ebe08cab0898cd9a8ca552e3c4a7026", "new_mode": 33188, "new_path": "arch/arm64/kernel/machine_kexec.c" } ] }