[PATCH -next v20 17/26] riscv: prevent stack corruption by reserving task_pt_regs(p) early
Andy Chiu
andy.chiu at sifive.com
Thu May 18 09:19:40 PDT 2023
From: Greentime Hu <greentime.hu at sifive.com>
Early function calls, such as setup_vm(), relocate_enable_mmu(),
soc_early_init() etc, are free to operate on stack. However,
PT_SIZE_ON_STACK bytes at the head of the kernel stack are purposedly
reserved for the placement of per-task register context pointed by
task_pt_regs(p). Those functions may corrupt task_pt_regs if we overlap
the $sp with it. In fact, we had accidentally corrupted sstatus.VS in some
tests, treating the kernel to save V context before V was actually
allocated, resulting in a kernel panic.
Thus, we should skip PT_SIZE_ON_STACK for $sp before making C function
calls from the top-level assembly.
Co-developed-by: ShihPo Hung <shihpo.hung at sifive.com>
Signed-off-by: ShihPo Hung <shihpo.hung at sifive.com>
Co-developed-by: Vincent Chen <vincent.chen at sifive.com>
Signed-off-by: Vincent Chen <vincent.chen at sifive.com>
Signed-off-by: Greentime Hu <greentime.hu at sifive.com>
Signed-off-by: Andy Chiu <andy.chiu at sifive.com>
Reviewed-by: Conor Dooley <conor.dooley at microchip.com>
Reviewed-by: Heiko Stuebner <heiko.stuebner at vrull.eu>
Tested-by: Heiko Stuebner <heiko.stuebner at vrull.eu>
---
arch/riscv/kernel/head.S | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/riscv/kernel/head.S b/arch/riscv/kernel/head.S
index e16bb2185d55..11c3b94c4534 100644
--- a/arch/riscv/kernel/head.S
+++ b/arch/riscv/kernel/head.S
@@ -301,6 +301,7 @@ clear_bss_done:
la tp, init_task
la sp, init_thread_union + THREAD_SIZE
XIP_FIXUP_OFFSET sp
+ addi sp, sp, -PT_SIZE_ON_STACK
#ifdef CONFIG_BUILTIN_DTB
la a0, __dtb_start
XIP_FIXUP_OFFSET a0
@@ -318,6 +319,7 @@ clear_bss_done:
/* Restore C environment */
la tp, init_task
la sp, init_thread_union + THREAD_SIZE
+ addi sp, sp, -PT_SIZE_ON_STACK
#ifdef CONFIG_KASAN
call kasan_early_init
--
2.17.1
More information about the kvm-riscv
mailing list