powerpc: Avoid code patching freed init sections

mikey · mpe · commit 51c3c62b58b3 · 2018-09-18T22:42:54.000+10:00
This stops us from doing code patching in init sections after they've
been freed.

In this chain:
  kvm_guest_init() -&gt;
    kvm_use_magic_page() -&gt;
      fault_in_pages_readable() -&gt;
	 __get_user() -&gt;
	   __get_user_nocheck() -&gt;
	     barrier_nospec();

We have a code patching location at barrier_nospec() and
kvm_guest_init() is an init function. This whole chain gets inlined,
so when we free the init section (hence kvm_guest_init()), this code
goes away and hence should no longer be patched.

We seen this as userspace memory corruption when using a memory
checker while doing partition migration testing on powervm (this
starts the code patching post migration via
/sys/kernel/mobility/migration). In theory, it could also happen when
using /sys/kernel/debug/powerpc/barrier_nospec.

Cc: stable@vger.kernel.org # 4.13+
Signed-off-by: Michael Neuling &lt;mikey@neuling.org&gt;
Reviewed-by: Nicholas Piggin &lt;npiggin@gmail.com&gt;
Reviewed-by: Christophe Leroy &lt;christophe.leroy@c-s.fr&gt;
Signed-off-by: Michael Ellerman &lt;mpe@ellerman.id.au&gt;
diff --git a/arch/powerpc/include/asm/setup.h b/arch/powerpc/include/asm/setup.h
@@ -9,6 +9,7 @@ extern void ppc_printk_progress(char *s, unsigned short hex);
 
 extern unsigned int rtas_data;
 extern unsigned long long memory_limit;
+extern bool init_mem_is_free;
 extern unsigned long klimit;
 extern void *zalloc_maybe_bootmem(size_t size, gfp_t mask);
 
diff --git a/arch/powerpc/lib/code-patching.c b/arch/powerpc/lib/code-patching.c
@@ -28,6 +28,12 @@ static int __patch_instruction(unsigned int *exec_addr, unsigned int instr,
 {
 	int err;
 
+	/* Make sure we aren't patching a freed init section */
+	if (init_mem_is_free && init_section_contains(exec_addr, 4)) {
+		pr_debug("Skipping init section patching addr: 0x%px\n", exec_addr);
+		return 0;
+	}
+
 	__put_user_size(instr, patch_addr, 4, err);
 	if (err)
 		return err;
diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c
@@ -63,6 +63,7 @@
 #endif
 
 unsigned long long memory_limit;
+bool init_mem_is_free;
 
 #ifdef CONFIG_HIGHMEM
 pte_t *kmap_pte;
@@ -396,6 +397,7 @@ void free_initmem(void)
 {
 	ppc_md.progress = ppc_printk_progress;
 	mark_initmem_nx();
+	init_mem_is_free = true;
 	free_initmem_default(POISON_FREE_INITMEM);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@`
`63`	`63`	`#endif`
`64`	`64`
`65`	`65`	`unsigned long long memory_limit;`
	`66`	`+bool init_mem_is_free;`
`66`	`67`
`67`	`68`	`#ifdef CONFIG_HIGHMEM`
`68`	`69`	`pte_t *kmap_pte;`
`@@ -396,6 +397,7 @@ void free_initmem(void)`
`396`	`397`	`{`
`397`	`398`	`ppc_md.progress = ppc_printk_progress;`
`398`	`399`	`mark_initmem_nx();`
	`400`	`+ init_mem_is_free = true;`
`399`	`401`	`free_initmem_default(POISON_FREE_INITMEM);`
`400`	`402`	`}`
`401`	`403`