1 // SPDX-License-Identifier: GPL-2.0
2 #define DISABLE_BRANCH_PROFILING
3 #define pr_fmt(fmt) "kasan: " fmt
4 #include <linux/bootmem.h>
5 #include <linux/kasan.h>
6 #include <linux/kdebug.h>
7 #include <linux/memblock.h>
9 #include <linux/sched.h>
10 #include <linux/sched/task.h>
11 #include <linux/vmalloc.h>
13 #include <asm/e820/types.h>
14 #include <asm/pgalloc.h>
15 #include <asm/tlbflush.h>
16 #include <asm/sections.h>
17 #include <asm/pgtable.h>
18 #include <asm/cpu_entry_area.h>
/*
 * Physical page-frame ranges covered by the kernel direct mapping. The array
 * is owned and filled in elsewhere (only declared extern here); kasan_init()
 * walks it and allocates real shadow for each range via map_range(), treating
 * an entry with .end == 0 as the end of the list (as far as the loop there
 * shows).
 */
extern struct range pfn_mapped[E820_MAX_ENTRIES];

/*
 * Scratch p4d table used by kasan_init() under CONFIG_X86_5LEVEL only.
 * The PGD entry that holds KASAN_SHADOW_END is shared with the kernel
 * mapping, so early_top_pgt is given a private copy of that p4d table here
 * while init_mm's own copy is cleared and repopulated. Page aligned because
 * it is installed as a page-table page; __initdata because it is only
 * referenced while early_top_pgt is in CR3, i.e. before init memory goes
 * away (presumably -- nothing outside kasan_init() should point at it).
 */
static p4d_t tmp_p4d_table[PTRS_PER_P4D] __initdata __aligned(PAGE_SIZE);
/*
 * Boot-time allocator for shadow pages and page-table pages.
 *
 * @size:  bytes to allocate; also passed as the alignment, so a PMD_SIZE or
 *         PUD_SIZE request returns a chunk that can back a huge mapping.
 * @nid:   preferred NUMA node; callers pass the node of the memory the
 *         shadow will cover (see map_range()).
 * @panic: true  -> the allocation must succeed; the plain memblock helper
 *                  is used, which by its name does not hand a NULL back to
 *                  us on failure (callers do not check the result).
 *         false -> the _nopanic helper is used and NULL is a valid return;
 *                  the huge-page fast paths in kasan_populate_pmd()/pud()
 *                  rely on this and test the pointer before use.
 *
 * Memory is taken from above MAX_DMA_ADDRESS and must be accessible
 * (BOOTMEM_ALLOC_ACCESSIBLE) so the shadow can be touched right away.
 */
static __init void *early_alloc(size_t size, int nid, bool panic)
{
	const phys_addr_t min_addr = __pa(MAX_DMA_ADDRESS);

	/* The two helpers differ only in what happens when memory runs out. */
	if (panic)
		return memblock_virt_alloc_try_nid(size, size, min_addr,
						   BOOTMEM_ALLOC_ACCESSIBLE,
						   nid);

	return memblock_virt_alloc_try_nid_nopanic(size, size, min_addr,
						   BOOTMEM_ALLOC_ACCESSIBLE,
						   nid);
}
/*
 * Populate the shadow page tables below one pmd entry for [addr, end).
 *
 * @pmd:  pmd entry to fill: either a huge PMD_SIZE shadow mapping (when the
 *        range is exactly one aligned PMD and the CPU has PSE) or a freshly
 *        allocated pte table whose entries each get their own shadow page.
 * @addr: start of the shadow range (page aligned by kasan_populate_shadow()).
 * @end:  end of the shadow range; must be page aligned, otherwise the pte
 *        loop's `addr != end' test never fires.
 * @nid:  NUMA node to allocate from.
 *
 * NOTE(review): this listing drops several original lines (the left-column
 * numbers jump 35->42, 46->49, 53->56 and 56->64): the function opening,
 * the local declarations, the pmd_none() guard around the allocation and
 * the `do {' plus any per-pte guard are not visible. Comments below only
 * describe what is shown.
 */
34 static void __init
kasan_populate_pmd(pmd_t
*pmd
, unsigned long addr
,
35 unsigned long end
, int nid
)
/*
 * Fast path: back a whole, aligned PMD with one PMD_SIZE chunk. The
 * allocation is allowed to fail (panic=false), hence the `p &&' test.
 */
42 if (boot_cpu_has(X86_FEATURE_PSE
) &&
43 ((end
- addr
) == PMD_SIZE
) &&
44 IS_ALIGNED(addr
, PMD_SIZE
)) {
45 p
= early_alloc(PMD_SIZE
, nid
, false);
46 if (p
&& pmd_set_huge(pmd
, __pa(p
), PAGE_KERNEL
))
/*
 * NOTE(review): original lines 47-48 are missing from this listing. As
 * printed, memblock_free() reads as the body of the pmd_set_huge() test,
 * i.e. it would free the chunk that was just mapped as a huge page. That
 * cannot be the intent -- freeing only makes sense for a chunk that was
 * allocated but could NOT be installed as a huge pmd. Check the control
 * flow against the full source before reading anything into this.
 */
49 memblock_free(__pa(p
), PMD_SIZE
);
/* Slow path: a 4K pte table for this pmd; this allocation must succeed. */
52 p
= early_alloc(PAGE_SIZE
, nid
, true);
53 pmd_populate_kernel(&init_mm
, pmd
, p
);
/*
 * Give every pte in [addr, end) its own shadow page. The mapping is
 * writable (PAGE_KERNEL), presumably because instrumented code
 * poisons/unpoisons memory by writing the shadow. Any skip of
 * already-present ptes would sit in the missing lines 57-63.
 */
56 pte
= pte_offset_kernel(pmd
, addr
);
64 p
= early_alloc(PAGE_SIZE
, nid
, true);
65 entry
= pfn_pte(PFN_DOWN(__pa(p
)), PAGE_KERNEL
);
66 set_pte_at(&init_mm
, addr
, pte
, entry
);
/* Steps one page at a time; termination relies on end being page aligned. */
67 } while (pte
++, addr
+= PAGE_SIZE
, addr
!= end
);
/*
 * Populate the shadow page tables below one pud entry for [addr, end).
 *
 * Mirrors kasan_populate_pmd() one level up: a range that is exactly one
 * aligned PUD on a CPU with GB pages is backed by a single PUD_SIZE chunk;
 * otherwise a pmd table is allocated and each pmd in range is handed to
 * kasan_populate_pmd().
 *
 * @pud:  pud entry to fill.
 * @addr: start of the shadow range.
 * @end:  end of the shadow range.
 * @nid:  NUMA node to allocate from.
 *
 * NOTE(review): the listing omits original lines 72-78, 84-85, 87-88, 91-92,
 * 94, 96 and 99: the function opening, local declarations, the pud_none()
 * guard, the lines between the pud_set_huge() test and memblock_free(), the
 * `do {' and whatever guard sits at line 96 between computing `next' and
 * calling kasan_populate_pmd(). Only what is shown is described.
 */
70 static void __init
kasan_populate_pud(pud_t
*pud
, unsigned long addr
,
71 unsigned long end
, int nid
)
/* Fast path: one aligned PUD, GB pages available; allocation may fail. */
79 if (boot_cpu_has(X86_FEATURE_GBPAGES
) &&
80 ((end
- addr
) == PUD_SIZE
) &&
81 IS_ALIGNED(addr
, PUD_SIZE
)) {
82 p
= early_alloc(PUD_SIZE
, nid
, false);
83 if (p
&& pud_set_huge(pud
, __pa(p
), PAGE_KERNEL
))
/*
 * NOTE(review): as in kasan_populate_pmd(), the lines between the
 * pud_set_huge() test and this free (original 84-85) are missing; as
 * printed the free would follow a successful huge mapping, which cannot be
 * right. Verify against the full source.
 */
86 memblock_free(__pa(p
), PUD_SIZE
);
/* Slow path: a pmd table for this pud; must succeed. */
89 p
= early_alloc(PAGE_SIZE
, nid
, true);
90 pud_populate(&init_mm
, pud
, p
);
/* Descend pmd by pmd; `next' is clamped to end by pmd_addr_end(). */
93 pmd
= pmd_offset(pud
, addr
);
95 next
= pmd_addr_end(addr
, end
);
97 kasan_populate_pmd(pmd
, addr
, next
, nid
);
98 } while (pmd
++, addr
= next
, addr
!= end
);
/*
 * Populate the shadow page tables below one p4d entry for [addr, end).
 *
 * An empty p4d gets a freshly allocated pud table (the allocation must
 * succeed); every pud entry in range that is not already a huge mapping
 * is then filled by kasan_populate_pud().
 *
 * @p4d:  p4d entry to fill.
 * @addr: start of the shadow range.
 * @end:  end of the shadow range.
 * @nid:  NUMA node to allocate from.
 */
static void __init kasan_populate_p4d(p4d_t *p4d, unsigned long addr,
				      unsigned long end, int nid)
{
	unsigned long next;
	pud_t *pud;

	if (p4d_none(*p4d)) {
		void *table = early_alloc(PAGE_SIZE, nid, true);

		p4d_populate(&init_mm, p4d, table);
	}

	pud = pud_offset(p4d, addr);
	do {
		next = pud_addr_end(addr, end);
		/* A pud already backed by a huge page is left untouched. */
		if (pud_large(*pud))
			continue;
		kasan_populate_pud(pud, addr, next, nid);
	} while (pud++, addr = next, addr != end);
}
/*
 * Populate the shadow page tables below one pgd entry for [addr, end).
 *
 * An empty pgd gets a freshly allocated p4d table (the allocation must
 * succeed); the p4d entries in range are then filled by
 * kasan_populate_p4d(). Unlike the p4d level there is no huge-page check
 * here.
 *
 * @pgd:  pgd entry to fill (an init_mm entry, see kasan_populate_shadow()).
 * @addr: start of the shadow range.
 * @end:  end of the shadow range.
 * @nid:  NUMA node to allocate from.
 */
static void __init kasan_populate_pgd(pgd_t *pgd, unsigned long addr,
				      unsigned long end, int nid)
{
	unsigned long next;
	p4d_t *p4d;

	if (pgd_none(*pgd)) {
		void *table = early_alloc(PAGE_SIZE, nid, true);

		pgd_populate(&init_mm, pgd, table);
	}

	p4d = p4d_offset(pgd, addr);
	do {
		next = p4d_addr_end(addr, end);
		kasan_populate_p4d(p4d, addr, next, nid);
	} while (p4d++, addr = next, addr != end);
}
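/*
 * Allocate real (writable, per-page) shadow for the shadow address range
 * [addr, end) in init_mm's page tables, walking pgd -> p4d -> pud -> pmd ->
 * pte through the kasan_populate_*() helpers.
 *
 * @addr: start of the shadow range; rounded down to a page.
 * @end:  end of the shadow range; rounded up to a page, which is what lets
 *        the pte loop in kasan_populate_pmd() terminate on `addr != end'.
 * @nid:  NUMA node to allocate shadow and page-table pages from.
 *
 * An empty range (addr >= end after rounding) is a no-op. Without that
 * guard the do/while below still runs once with addr == end, and as far as
 * is visible nothing down the chain handles a zero-length range: the pte
 * loop in kasan_populate_pmd() advances by PAGE_SIZE until it hits end and
 * would run off the end of its table. Every current caller passes a
 * non-empty range, so existing behaviour is unchanged.
 */
static void __init kasan_populate_shadow(unsigned long addr, unsigned long end,
					 int nid)
{
	unsigned long next;
	pgd_t *pgd;

	addr &= PAGE_MASK;
	end = round_up(end, PAGE_SIZE);
	if (addr >= end)
		return;

	pgd = pgd_offset_k(addr);
	do {
		next = pgd_addr_end(addr, end);
		kasan_populate_pgd(pgd, addr, next, nid);
	} while (pgd++, addr = next, addr != end);
}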
/*
 * Allocate real shadow for one direct-mapped physical range.
 *
 * @range: page-frame range [start, end) from pfn_mapped; the shadow of the
 *         corresponding direct-map virtual addresses is populated, with the
 *         pages taken from the node range->start lives on.
 *
 * range->end is passed through unchanged as the end of the shadow span
 * (kasan_populate_shadow() rounds it up to a page); whether pfn_mapped
 * stores it inclusive or exclusive is decided by whoever fills the array --
 * TODO confirm against the e820/init_memory_mapping code.
 */
static void __init map_range(struct range *range)
{
	void *kaddr_start = pfn_to_kaddr(range->start);
	void *kaddr_end = pfn_to_kaddr(range->end);
	unsigned long shadow_start, shadow_end;

	shadow_start = (unsigned long)kasan_mem_to_shadow(kaddr_start);
	shadow_end = (unsigned long)kasan_mem_to_shadow(kaddr_end);

	kasan_populate_shadow(shadow_start, shadow_end,
			      early_pfn_to_nid(range->start));
}
/*
 * Tear down the early zero-shadow mappings over [start, end) in init_mm so
 * that the populate functions find empty entries and install real tables.
 *
 * Two passes are needed because with 5-level paging KASAN_SHADOW_END is not
 * aligned to a PGD boundary (see the comment in kasan_init()): whole PGD
 * entries are dropped up to the last PGD boundary below end, then the tail
 * is cleared one p4d entry at a time so the rest of that final PGD entry --
 * shared with the kernel mapping -- survives.
 *
 * The tables walked are whatever pgd_offset_k() resolves to, i.e. init_mm's;
 * that is presumably why kasan_init() switches CR3 to the early_top_pgt
 * snapshot before calling this.
 *
 * NOTE(review): the listing omits the second parameter line (original 167,
 * `end'), the `pgd_t *pgd;' declaration and the else-branch of the
 * CONFIG_PGTABLE_LEVELS test (original 181-182); only what is shown is
 * described.
 */
166 static void __init
clear_pgds(unsigned long start
,
170 /* See comment in kasan_init() */
171 unsigned long pgd_end
= end
& PGDIR_MASK
;
/* Pass 1: whole PGD entries up to the last PGD boundary below end. */
173 for (; start
< pgd_end
; start
+= PGDIR_SIZE
) {
174 pgd
= pgd_offset_k(start
);
176 /* With folded p4d, pgd_clear() is nop, use p4d_clear() */
179 if (CONFIG_PGTABLE_LEVELS
< 5)
180 p4d_clear(p4d_offset(pgd
, start
));
/* Pass 2: the partially covered final PGD entry, p4d by p4d. */
185 pgd
= pgd_offset_k(start
);
186 for (; start
< end
; start
+= P4D_SIZE
)
187 p4d_clear(p4d_offset(pgd
, start
));
/*
 * Return the p4d entry for addr below *pgd, usable before the direct map
 * exists: instead of __va() the table's physical address (taken from the pgd
 * entry and masked with PTE_PFN_MASK) is translated through the kernel text
 * mapping, __START_KERNEL_map - phys_base. Only called from
 * kasan_early_p4d_populate(), i.e. via kasan_early_init().
 *
 * NOTE(review): the body of the !CONFIG_X86_5LEVEL branch (original line
 * 195) and the `unsigned long p4d;' declaration are not in this listing.
 *
 * NOTE(review): pgd_val(*pgd) already holds a *physical* address here --
 * kasan_early_p4d_populate() stores __pa_nodebug(kasan_zero_p4d) in it --
 * yet __pa_nodebug(), a virtual-to-physical conversion, is applied to it
 * again. This appears to work only because the spurious offset that second
 * subtraction adds falls outside PTE_PFN_MASK for the address layout this
 * is compiled for; it is fragile. `pgd_val(*pgd) & PTE_PFN_MASK' expresses
 * the intent directly -- confirm against the full source before changing.
 */
190 static inline p4d_t
*early_p4d_offset(pgd_t
*pgd
, unsigned long addr
)
/* With folded p4d (4-level) the p4d entry is the pgd entry itself. */
194 if (!IS_ENABLED(CONFIG_X86_5LEVEL
))
197 p4d
= __pa_nodebug(pgd_val(*pgd
)) & PTE_PFN_MASK
;
/* phys -> virt via the kernel text mapping rather than the direct map */
198 p4d
+= __START_KERNEL_map
- phys_base
;
199 return (p4d_t
*)p4d
+ p4d_index(addr
);
/*
 * Early (pre-direct-map) population of one PGD entry's worth of shadow with
 * the shared zero tables: an empty pgd gets kasan_zero_p4d and each p4d
 * entry under it gets kasan_zero_pud, so every shadow address in
 * [addr, end) resolves to kasan_zero_page (tables set up by
 * kasan_early_init()). __pa_nodebug() is used throughout, presumably because
 * the checked __pa() is not usable this early.
 *
 * NOTE(review): the listing omits the addr/end parameter lines (original
 * 203-204), the pgd_entry/next declarations, the `do {' and original lines
 * 218-221 between computing `next' and writing the p4d entry -- any skip of
 * an already-populated p4d lives there, which would be consistent with the
 * loop condition below stopping at the first non-empty p4d.
 */
202 static void __init
kasan_early_p4d_populate(pgd_t
*pgd
,
207 p4d_t
*p4d
, p4d_entry
;
/* Empty pgd: point it at the shared zero p4d table (RW, kernel, present). */
210 if (pgd_none(*pgd
)) {
211 pgd_entry
= __pgd(_KERNPG_TABLE
| __pa_nodebug(kasan_zero_p4d
));
212 set_pgd(pgd
, pgd_entry
);
/* Locate the first p4d entry without relying on __va(). */
215 p4d
= early_p4d_offset(pgd
, addr
);
217 next
= p4d_addr_end(addr
, end
);
/* Each p4d entry in range points at the shared zero pud table. */
222 p4d_entry
= __p4d(_KERNPG_TABLE
| __pa_nodebug(kasan_zero_pud
));
223 set_p4d(p4d
, p4d_entry
);
/* Stop at end, or at the first p4d that is already populated. */
224 } while (p4d
++, addr
= next
, addr
!= end
&& p4d_none(*p4d
));
/*
 * Point every PGD entry of the shadow region in @pgd at the shared zero
 * tables, so that from very early boot any shadow load finds a readable
 * (all-zero) page. Called by kasan_early_init() for both early_top_pgt
 * and init_top_pgt.
 *
 * @pgd: base of a top-level page table (not an entry); it is advanced to
 *       the entry covering KASAN_SHADOW_START here.
 *
 * The start is rounded down to a PGD boundary because KASAN claims the
 * whole PGD entry containing KASAN_SHADOW_START (see the comment in
 * kasan_init()).
 */
static void __init kasan_map_early_shadow(pgd_t *pgd)
{
	const unsigned long shadow_end = KASAN_SHADOW_END;
	unsigned long cur = KASAN_SHADOW_START & PGDIR_MASK;
	unsigned long chunk_end;

	pgd += pgd_index(cur);
	do {
		chunk_end = pgd_addr_end(cur, shadow_end);
		kasan_early_p4d_populate(pgd, cur, chunk_end);
	} while (pgd++, cur = chunk_end, cur != shadow_end);
}
241 #ifdef CONFIG_KASAN_INLINE
/*
 * Die-notifier callback, registered by kasan_init() under CONFIG_KASAN_INLINE.
 * With inline instrumentation a shadow check on a NULL or user-space pointer
 * presumably faults on the (unmapped) shadow address itself and dies with a
 * general protection fault instead of producing a KASAN report, so on
 * DIE_GPF a hint to that effect is printed at emergency level.
 *
 * NOTE(review): the remaining parameters (`val' is used below; original
 * lines 243-244), the closing brace of the if and the return value
 * (original 249-251) are not in this listing, so the notifier-chain return
 * code cannot be checked here.
 */
242 static int kasan_die_handler(struct notifier_block
*self
,
246 if (val
== DIE_GPF
) {
247 pr_emerg("CONFIG_KASAN_INLINE enabled\n");
248 pr_emerg("GPF could be caused by NULL-ptr deref or user memory access\n");
/*
 * Notifier block hooking kasan_die_handler() into the die chain; only
 * registered when CONFIG_KASAN_INLINE is set (see kasan_init()). The
 * closing `};' (original line 255) is not in this listing.
 */
253 static struct notifier_block kasan_die_notifier
= {
254 .notifier_call
= kasan_die_handler
,
/*
 * Set up the early, all-zero shadow.
 *
 * Every shadow address is made to resolve, through the shared chain
 * kasan_zero_p4d -> kasan_zero_pud -> kasan_zero_pmd -> kasan_zero_pte, to
 * the single kasan_zero_page, so instrumented code can run before
 * kasan_init() builds real shadow for mapped memory (zero shadow bytes mean
 * "accessible" to the checks, presumably).
 *
 * Security note: the early PTEs map kasan_zero_page *writable*
 * (__PAGE_KERNEL), so it may collect garbage from early shadow stores;
 * kasan_init() later zeroes it and remaps it __PAGE_KERNEL_RO. _PAGE_ENC is
 * set on the leaf mapping, which is the memory-encryption bit -- kept in
 * line with the RO remap in kasan_init().
 *
 * Both boot-time top-level tables, early_top_pgt and init_top_pgt, receive
 * the same early shadow.
 */
void __init kasan_early_init(void)
{
	pteval_t zero_pte = __pa_nodebug(kasan_zero_page) | __PAGE_KERNEL | _PAGE_ENC;
	pmdval_t zero_pmd = __pa_nodebug(kasan_zero_pte) | _KERNPG_TABLE;
	pudval_t zero_pud = __pa_nodebug(kasan_zero_pmd) | _KERNPG_TABLE;
	p4dval_t zero_p4d = __pa_nodebug(kasan_zero_pud) | _KERNPG_TABLE;
	int idx;

	for (idx = 0; idx < PTRS_PER_PTE; idx++)
		kasan_zero_pte[idx] = __pte(zero_pte);

	for (idx = 0; idx < PTRS_PER_PMD; idx++)
		kasan_zero_pmd[idx] = __pmd(zero_pmd);

	for (idx = 0; idx < PTRS_PER_PUD; idx++)
		kasan_zero_pud[idx] = __pud(zero_pud);

	/* A separate p4d table only exists with 5-level paging. */
	if (IS_ENABLED(CONFIG_X86_5LEVEL)) {
		for (idx = 0; idx < PTRS_PER_P4D; idx++)
			kasan_zero_p4d[idx] = __p4d(zero_p4d);
	}

	kasan_map_early_shadow(early_top_pgt);
	kasan_map_early_shadow(init_top_pgt);
}
/*
 * Second-stage KASAN setup, run once memblock and the direct map exist:
 * replace the early all-zero shadow with real, writable shadow for every
 * region instrumented code can touch (direct-mapped RAM, the cpu_entry_area
 * and the kernel image), zero shadow for everything else, then lock down
 * kasan_zero_page and arm reporting for the boot task.
 *
 * NOTE(review): this listing drops lines (left-column numbers jump at
 * 285->287, 288->291, 306->309, 312->315, 324->327, 332->335, 338->341,
 * 358->362, 369->371 and 371->374): the `int i;' and `void *ptr;'
 * declarations, the #endif of the CONFIG_KASAN_INLINE block, the statement
 * ending the pfn_mapped scan, the alignment argument of round_down()/
 * round_up(), the closing braces and -- important for the write-protect
 * step -- the TLB flushes after each load_cr3() are not visible. Comments
 * describe only what is shown.
 */
282 void __init
kasan_init(void)
285 void *shadow_cpu_entry_begin
, *shadow_cpu_entry_end
;
/* GPF hints only make sense for inline instrumentation, see kasan_die_handler(). */
287 #ifdef CONFIG_KASAN_INLINE
288 register_die_notifier(&kasan_die_notifier
);
/*
 * Snapshot init_top_pgt into early_top_pgt. The snapshot is loaded into CR3
 * below, so the CPU keeps running on stable tables while init_mm's tables
 * are torn down (clear_pgds) and rebuilt by the populate calls.
 */
291 memcpy(early_top_pgt
, init_top_pgt
, sizeof(early_top_pgt
));
/*
294 * We use the same shadow offset for 4- and 5-level paging to
295 * facilitate boot-time switching between paging modes.
296 * As result in 5-level paging mode KASAN_SHADOW_START and
297 * KASAN_SHADOW_END are not aligned to PGD boundary.
299 * KASAN_SHADOW_START doesn't share PGD with anything else.
300 * We claim whole PGD entry to make things easier.
302 * KASAN_SHADOW_END lands in the last PGD entry and it collides with
303 * bunch of things like kernel code, modules, EFI mapping, etc.
304 * We need to take extra steps to not overwrite them.
 */
/*
 * 5-level only: the PGD entry holding KASAN_SHADOW_END is shared with the
 * kernel mapping, so the running snapshot gets a private copy of that p4d
 * table (tmp_p4d_table, __initdata). clear_pgds() below then only clears
 * shadow p4d entries in init_mm's original table, never in the one the CPU
 * is using. `ptr' is declared on a line missing from this listing.
 */
306 if (IS_ENABLED(CONFIG_X86_5LEVEL
)) {
309 ptr
= (void *)pgd_page_vaddr(*pgd_offset_k(KASAN_SHADOW_END
));
310 memcpy(tmp_p4d_table
, (void *)ptr
, sizeof(tmp_p4d_table
));
311 set_pgd(&early_top_pgt
[pgd_index(KASAN_SHADOW_END
)],
312 __pgd(__pa(tmp_p4d_table
) | _KERNPG_TABLE
));
/*
 * Run on the snapshot from here until the load_cr3(init_top_pgt) below.
 * Whatever follows on original line 316 (a TLB flush, presumably) is not
 * in this listing.
 */
315 load_cr3(early_top_pgt
);
/* Drop the early zero-shadow entries in init_mm over the whole shadow range. */
318 clear_pgds(KASAN_SHADOW_START
& PGDIR_MASK
, KASAN_SHADOW_END
);
/* [start of shadow, shadow(PAGE_OFFSET)): nothing lives there, zero shadow. */
320 kasan_populate_zero_shadow((void *)(KASAN_SHADOW_START
& PGDIR_MASK
),
321 kasan_mem_to_shadow((void *)PAGE_OFFSET
));
/*
 * Real shadow for every direct-mapped physical range. An entry with
 * .end == 0 ends the scan; the statement doing so (original line 325) is
 * not shown -- presumably a break.
 */
323 for (i
= 0; i
< E820_MAX_ENTRIES
; i
++) {
324 if (pfn_mapped
[i
].end
== 0)
327 map_range(&pfn_mapped
[i
]);
/*
 * Shadow bounds for the cpu_entry_area (CPU_ENTRY_AREA_BASE ..
 * + CPU_ENTRY_AREA_MAP_SIZE), rounded outwards. The alignment argument of
 * round_down()/round_up() (original lines 333/339) is not in this listing.
 */
330 shadow_cpu_entry_begin
= (void *)CPU_ENTRY_AREA_BASE
;
331 shadow_cpu_entry_begin
= kasan_mem_to_shadow(shadow_cpu_entry_begin
);
332 shadow_cpu_entry_begin
= (void *)round_down((unsigned long)shadow_cpu_entry_begin
,
335 shadow_cpu_entry_end
= (void *)(CPU_ENTRY_AREA_BASE
+
336 CPU_ENTRY_AREA_MAP_SIZE
);
337 shadow_cpu_entry_end
= kasan_mem_to_shadow(shadow_cpu_entry_end
);
338 shadow_cpu_entry_end
= (void *)round_up((unsigned long)shadow_cpu_entry_end
,
/* Zero shadow from the end of the direct map up to the cpu_entry_area shadow. */
341 kasan_populate_zero_shadow(
342 kasan_mem_to_shadow((void *)PAGE_OFFSET
+ MAXMEM
),
343 shadow_cpu_entry_begin
);
/* Real shadow for the cpu_entry_area, allocated on node 0. */
345 kasan_populate_shadow((unsigned long)shadow_cpu_entry_begin
,
346 (unsigned long)shadow_cpu_entry_end
, 0);
/* Zero shadow from there up to the kernel text mapping. */
348 kasan_populate_zero_shadow(shadow_cpu_entry_end
,
349 kasan_mem_to_shadow((void *)__START_KERNEL_map
));
/* Real shadow for the kernel image, on the node the image lives on. */
351 kasan_populate_shadow((unsigned long)kasan_mem_to_shadow(_stext
),
352 (unsigned long)kasan_mem_to_shadow(_end
),
353 early_pfn_to_nid(__pa(_stext
)));
/*
 * Zero shadow from MODULES_END to the end of the shadow region. The gap
 * between _end and MODULES_END is deliberately left unpopulated here;
 * presumably module shadow is set up when a module is loaded.
 */
355 kasan_populate_zero_shadow(kasan_mem_to_shadow((void *)MODULES_END
),
356 (void *)KASAN_SHADOW_END
);
/*
 * Back to init_mm's now fully populated tables. The TLB flush that has to
 * follow (original line 359) is not in this listing; the comment below
 * refers to it.
 */
358 load_cr3(init_top_pgt
);
/*
362 * kasan_zero_page has been used as early shadow memory, thus it may
363 * contain some garbage. Now we can clear and write protect it, since
364 * after the TLB flush no one should write to it.
 */
366 memset(kasan_zero_page
, 0, PAGE_SIZE
);
/*
 * Remap kasan_zero_page read-only (keeping _PAGE_ENC). From here on a stray
 * store into unpopulated shadow faults loudly instead of silently corrupting
 * the one page that backs every zero-shadow mapping.
 */
367 for (i
= 0; i
< PTRS_PER_PTE
; i
++) {
368 pte_t pte
= __pte(__pa(kasan_zero_page
) | __PAGE_KERNEL_RO
| _PAGE_ENC
);
369 set_pte(&kasan_zero_pte
[i
], pte
);
371 /* Flush TLBs again to be sure that write protection applied. */
/* NOTE(review): the flush call itself (original line 372) is not shown here. */
/* Arm reporting for the boot task; a non-zero kasan_depth presumably suppresses reports. */
374 init_task
.kasan_depth
= 0;
375 pr_info("KernelAddressSanitizer initialized\n");