releases/4.4.110/x86-kasan-clear-kasan_zero_page-after-tlb-flush.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 69e0210fd01ff157d332102219aaf5c26ca8069b Mon Sep 17 00:00:00 2001
 From: Andrey Ryabinin <aryabinin@virtuozzo.com>
 Date: Mon, 11 Jan 2016 15:51:18 +0300
 Subject: x86/kasan: Clear kasan_zero_page after TLB flush

 From: Andrey Ryabinin <aryabinin@virtuozzo.com>

 commit 69e0210fd01ff157d332102219aaf5c26ca8069b upstream.

 Currently we clear kasan_zero_page before __flush_tlb_all(). This
 works with current implementation of native_flush_tlb[_global]()
 because it doesn't cause do any writes to kasan shadow memory.
 But any subtle change made in native_flush_tlb*() could break this.
 Also current code seems doesn't work for paravirt guests (lguest).

 Only after the TLB flush we can be sure that kasan_zero_page is not
 used as early shadow anymore (instrumented code will not write to it).
 So it should cleared it only after the TLB flush.

 Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
 Reviewed-by: Borislav Petkov <bp@suse.de>
 Cc: Andrew Morton <akpm@linux-foundation.org>
 Cc: Andy Lutomirski <luto@amacapital.net>
 Cc: Andy Lutomirski <luto@kernel.org>
 Cc: Borislav Petkov <bp@alien8.de>
 Cc: Brian Gerst <brgerst@gmail.com>
 Cc: Dave Hansen <dave.hansen@linux.intel.com>
 Cc: Denys Vlasenko <dvlasenk@redhat.com>
 Cc: H. Peter Anvin <hpa@zytor.com>
 Cc: Linus Torvalds <torvalds@linux-foundation.org>
 Cc: Luis R. Rodriguez <mcgrof@suse.com>
 Cc: Oleg Nesterov <oleg@redhat.com>
 Cc: Peter Zijlstra <peterz@infradead.org>
 Cc: Thomas Gleixner <tglx@linutronix.de>
 Cc: Toshi Kani <toshi.kani@hp.com>
 Cc: linux-mm@kvack.org
 Link: http://lkml.kernel.org/r/1452516679-32040-2-git-send-email-aryabinin@virtuozzo.com
 Signed-off-by: Ingo Molnar <mingo@kernel.org>
 Cc: Jamie Iles <jamie.iles@oracle.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  arch/x86/mm/kasan_init_64.c |   11 ++++++++---
  1 file changed, 8 insertions(+), 3 deletions(-)

 --- a/arch/x86/mm/kasan_init_64.c
 +++ b/arch/x86/mm/kasan_init_64.c
 @@ -121,11 +121,16 @@ void __init kasan_init(void)
  	kasan_populate_zero_shadow(kasan_mem_to_shadow((void *)MODULES_END),
  			(void *)KASAN_SHADOW_END);

 -	memset(kasan_zero_page, 0, PAGE_SIZE);
 -
  	load_cr3(init_level4_pgt);
  	__flush_tlb_all();
 -	init_task.kasan_depth = 0;

 +	/*
 +	 * kasan_zero_page has been used as early shadow memory, thus it may
 +	 * contain some garbage. Now we can clear it, since after the TLB flush
 +	 * no one should write to it.
 +	 */
 +	memset(kasan_zero_page, 0, PAGE_SIZE);
 +
 +	init_task.kasan_depth = 0;
  	pr_info("KernelAddressSanitizer initialized\n");
  }
	From 69e0210fd01ff157d332102219aaf5c26ca8069b Mon Sep 17 00:00:00 2001
	From: Andrey Ryabinin <aryabinin@virtuozzo.com>
	Date: Mon, 11 Jan 2016 15:51:18 +0300
	Subject: x86/kasan: Clear kasan_zero_page after TLB flush

	From: Andrey Ryabinin <aryabinin@virtuozzo.com>

	commit 69e0210fd01ff157d332102219aaf5c26ca8069b upstream.

	Currently we clear kasan_zero_page before __flush_tlb_all(). This
	works with current implementation of native_flush_tlb[_global]()
	because it doesn't cause do any writes to kasan shadow memory.
	But any subtle change made in native_flush_tlb*() could break this.
	Also current code seems doesn't work for paravirt guests (lguest).

	Only after the TLB flush we can be sure that kasan_zero_page is not
	used as early shadow anymore (instrumented code will not write to it).
	So it should cleared it only after the TLB flush.

	Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
	Reviewed-by: Borislav Petkov <bp@suse.de>
	Cc: Andrew Morton <akpm@linux-foundation.org>
	Cc: Andy Lutomirski <luto@amacapital.net>
	Cc: Andy Lutomirski <luto@kernel.org>
	Cc: Borislav Petkov <bp@alien8.de>
	Cc: Brian Gerst <brgerst@gmail.com>
	Cc: Dave Hansen <dave.hansen@linux.intel.com>
	Cc: Denys Vlasenko <dvlasenk@redhat.com>
	Cc: H. Peter Anvin <hpa@zytor.com>
	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	Cc: Luis R. Rodriguez <mcgrof@suse.com>
	Cc: Oleg Nesterov <oleg@redhat.com>
	Cc: Peter Zijlstra <peterz@infradead.org>
	Cc: Thomas Gleixner <tglx@linutronix.de>
	Cc: Toshi Kani <toshi.kani@hp.com>
	Cc: linux-mm@kvack.org
	Link: http://lkml.kernel.org/r/1452516679-32040-2-git-send-email-aryabinin@virtuozzo.com
	Signed-off-by: Ingo Molnar <mingo@kernel.org>
	Cc: Jamie Iles <jamie.iles@oracle.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	arch/x86/mm/kasan_init_64.c \| 11 ++++++++---
	1 file changed, 8 insertions(+), 3 deletions(-)

	--- a/arch/x86/mm/kasan_init_64.c
	+++ b/arch/x86/mm/kasan_init_64.c
	@@ -121,11 +121,16 @@ void __init kasan_init(void)
	kasan_populate_zero_shadow(kasan_mem_to_shadow((void *)MODULES_END),
	(void *)KASAN_SHADOW_END);

	- memset(kasan_zero_page, 0, PAGE_SIZE);
	-
	load_cr3(init_level4_pgt);
	__flush_tlb_all();
	- init_task.kasan_depth = 0;

	+ /*
	+ * kasan_zero_page has been used as early shadow memory, thus it may
	+ * contain some garbage. Now we can clear it, since after the TLB flush
	+ * no one should write to it.
	+ */
	+ memset(kasan_zero_page, 0, PAGE_SIZE);
	+
	+ init_task.kasan_depth = 0;
	pr_info("KernelAddressSanitizer initialized\n");
	}