• Mark Rutland's avatar
    KVM: arm/arm64: vgic: Ensure bitmaps are long enough · ce77d313
    Mark Rutland authored
    commit 236cf17c upstream.
    
    When we allocate bitmaps in vgic_vcpu_init_maps, we divide the number of
    bits we need by 8 to figure out how many bytes to allocate. However,
    bitmap elements are always accessed as unsigned longs, and if we didn't
    happen to allocate a size such that size % sizeof(unsigned long) == 0,
    bitmap accesses may go past the end of the allocation.
    
    When using KASAN (which does byte-granular access checks), this results
    in a continuous stream of BUGs whenever these bitmaps are accessed:
    
    =============================================================================
    BUG kmalloc-128 (Tainted: G    B          ): kasan: bad access detected
    -----------------------------------------------------------------------------
    
    INFO: Allocated in vgic_init.part.25+0x55c/0x990 age=7493 cpu=3 pid=1730
    INFO: Slab 0xffffffbde6d5da40 objects=16 used=15 fp=0xffffffc935769700 flags=0x4000000000000080
    INFO: Object 0xffffffc935769500 @offset=1280 fp=0x          (null)
    
    Bytes b4 ffffffc9357694f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Object ffffffc935769500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Object ffffffc935769510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Object ffffffc935769520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Object ffffffc935769530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Object ffffffc935769540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Object ffffffc935769550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Object ffffffc935769560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Object ffffffc935769570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Padding ffffffc9357695b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Padding ffffffc9357695c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Padding ffffffc9357695d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Padding ffffffc9357695e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Padding ffffffc9357695f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    CPU: 3 PID: 1740 Comm: kvm-vcpu-0 Tainted: G    B           4.4.0+ #17
    Hardware name: ARM Juno development board (r1) (DT)
    Call trace:
    [<ffffffc00008e770>] dump_backtrace+0x0/0x280
    [<ffffffc00008ea04>] show_stack+0x14/0x20
    [<ffffffc000726360>] dump_stack+0x100/0x188
    [<ffffffc00030d324>] print_trailer+0xfc/0x168
    [<ffffffc000312294>] object_err+0x3c/0x50
    [<ffffffc0003140fc>] kasan_report_error+0x244/0x558
    [<ffffffc000314548>] __asan_report_load8_noabort+0x48/0x50
    [<ffffffc000745688>] __bitmap_or+0xc0/0xc8
    [<ffffffc0000d9e44>] kvm_vgic_flush_hwstate+0x1bc/0x650
    [<ffffffc0000c514c>] kvm_arch_vcpu_ioctl_run+0x2ec/0xa60
    [<ffffffc0000b9a6c>] kvm_vcpu_ioctl+0x474/0xa68
    [<ffffffc00036b7b0>] do_vfs_ioctl+0x5b8/0xcb0
    [<ffffffc00036bf34>] SyS_ioctl+0x8c/0xa0
    [<ffffffc000086cb0>] el0_svc_naked+0x24/0x28
    Memory state around the buggy address:
     ffffffc935769400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffffffc935769480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    >ffffffc935769500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                       ^
     ffffffc935769580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffffffc935769600: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
    ==================================================================
    
    Fix the issue by always allocating a multiple of sizeof(unsigned long),
    as we do elsewhere in the vgic code.
    
    Fixes: c1bfb577 ("arm/arm64: KVM: vgic: switch to dynamic allocation")
    Acked-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
    Acked-by: default avatarChristoffer Dall <christoffer.dall@linaro.org>
    Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
    Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
    ce77d313
vgic.c 54.9 KB