riscv: prevent pt_regs corruption for secondary idle threads

sm-sc · mehmetb0 · commit 96eb790c86b8 · 2024-11-08T16:26:29.000+03:00
Top of the kernel thread stack should be reserved for pt_regs. However this is not the case for the idle threads of the secondary boot harts. Their stacks overlap with their pt_regs, so both may get corrupted. Similar issue has been fixed for the primary hart, see c7cdd96 ("riscv: prevent stack corruption by reserving task_pt_regs(p) early"). However that fix was not propagated to the secondary harts. The problem has been noticed in some CPU hotplug tests with V enabled. The function smp_callin stored several registers on stack, corrupting top of pt_regs structure including status field. As a result, kernel attempted to save or restore inexistent V context. Fixes: 9a2451f ("RISC-V: Avoid using per cpu array for ordered booting") Fixes: 2875fe0 ("RISC-V: Add cpu_ops and modify default booting method") Signed-off-by: Sergey Matyukevich <sergey.matyukevich@syntacore.com> Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com> Link: https://lore.kernel.org/r/20240523084327.2013211-1-geomatsi@gmail.com Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com> (backported from commit a638b04) [koichiroden: Sparse HART id support added many changes on upstream: (https://lore.kernel.org/all/20220120090918.2646626-1-atishp@rivosinc.com/) and the primary fix commmit a638b04 depends on them. Directly conflicting commits from the series are as follows: 9a2451f ("RISC-V: Avoid using per cpu array for ordered booting") c78f94f ("RISC-V: Use __cpu_up_stack/task_pointer only for spinwait method") We opted not to backport the entire series, minimizing changes around the primary security fix. This indicates that the fix is needed only for __cpu_up_stack_pointer, which still serves dual purposes for both spinwait and ordered methods, without supporting Sparse HART id.] CVE-2024-38667 Signed-off-by: Koichiro Den <koichiro.den@canonical.com> Acked-by: Mehmet Basaran <mehmet.basaran@canonical.com> Acked-by: Guoqing Jiang <guoqing.jiang@canonical.com> Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
diff --git a/arch/riscv/kernel/cpu_ops.c b/arch/riscv/kernel/cpu_ops.c
@@ -28,8 +28,7 @@ void cpu_update_secondary_bootdata(unsigned int cpuid,
 
 	/* Make sure tidle is updated */
 	smp_mb();
-	WRITE_ONCE(__cpu_up_stack_pointer[hartid],
-		   task_stack_page(tidle) + THREAD_SIZE);
+	WRITE_ONCE(__cpu_up_stack_pointer[hartid], task_pt_regs(tidle));
 	WRITE_ONCE(__cpu_up_task_pointer[hartid], tidle);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -28,8 +28,7 @@ void cpu_update_secondary_bootdata(unsigned int cpuid,`
`28`	`28`
`29`	`29`	`/* Make sure tidle is updated */`
`30`	`30`	`smp_mb();`
`31`		`- WRITE_ONCE(__cpu_up_stack_pointer[hartid],`
`32`		`- task_stack_page(tidle) + THREAD_SIZE);`
	`31`	`+ WRITE_ONCE(__cpu_up_stack_pointer[hartid], task_pt_regs(tidle));`
`33`	`32`	`WRITE_ONCE(__cpu_up_task_pointer[hartid], tidle);`
`34`	`33`	`}`
`35`	`34`