Skip to content

Commit

Permalink
x86/alternatives: Disable KASAN in apply_alternatives()
Browse files Browse the repository at this point in the history 
Fei has reported that KASAN triggers during apply_alternatives() on
a 5-level paging machine:

	BUG: KASAN: out-of-bounds in rcu_is_watching()
	Read of size 4 at addr ff110003ee6419a0 by task swapper/0/0
	...
	__asan_load4()
	rcu_is_watching()
	trace_hardirqs_on()
	text_poke_early()
	apply_alternatives()
	...

On machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57)
gets patched. It includes KASAN code, where KASAN_SHADOW_START depends on
__VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled().

KASAN gets confused when apply_alternatives() patches the
KASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START
static, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue.

Fix it for real by disabling KASAN while the kernel is patching alternatives.

[ mingo: updated the changelog ]

Fixes: 6657fca ("x86/mm: Allow to boot without LA57 if CONFIG_X86_5LEVEL=y")
Reported-by: Fei Yang <[email protected]>
Signed-off-by: Kirill A. Shutemov <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Acked-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: [email protected]
Link: https://lore.kernel.org/r/[email protected]
  • Loading branch information
@kiryl
kiryl authored and Ingo Molnar committed Oct 12, 2023
1 parent f454b18 commit d35652a
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions arch/x86/kernel/alternative.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -403,6 +403,17 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start,
u8 insn_buff[MAX_PATCH_LEN];

DPRINTK(ALT, "alt table %px, -> %px", start, end);

/*
* In the case CONFIG_X86_5LEVEL=y, KASAN_SHADOW_START is defined using
* cpu_feature_enabled(X86_FEATURE_LA57) and is therefore patched here.
* During the process, KASAN becomes confused seeing partial LA57
* conversion and triggers a false-positive out-of-bound report.
*
* Disable KASAN until the patching is complete.
*/
kasan_disable_current();

/*
* The scan order should be from start to end. A later scanned
* alternative code can overwrite previously scanned alternative code.
Expand Down Expand Up @@ -452,6 +463,8 @@ void __init_or_module noinline apply_alternatives(struct alt_instr *start,

text_poke_early(instr, insn_buff, insn_buff_sz);
}

kasan_enable_current();
}

static inline bool is_jcc32(struct insn *insn)
Expand Down

0 comments on commit d35652a

Please sign in to comment.