riscv: kfence: Call mark_new_valid_map() for kfence_unprotect()

In kfence_protect_page(), which kfence_unprotect() calls, we cannot send
IPIs to other CPUs to ask them to flush TLB. This may lead to those CPUs
spuriously faulting on a recently allocated kfence object despite it
being valid, leading to false positive use-after-free reports.

Fix this by calling mark_new_valid_map() so that the page fault handling
code path notices the spurious fault and flushes TLB then retries the
access.

Update the comment in handle_exception to indicate that
new_valid_map_cpus_check also handles kfence_unprotect() spurious
faults.

Note that kfence_protect() has the same stale TLB entries problem, but
that leads to false negatives, which is fine with kfence.

Cc: stable@vger.kernel.org
Reported-by: Yanko Kaneti <yaneti@declera.com>
Fixes: b3431a8bb336 ("riscv: Fix IPIs usage in kfence_protect_page()")
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
Link: https://patch.msgid.link/20260303-handle-kfence-protect-spurious-fault-v2-2-f80d8354d79d@iscas.ac.cn
Signed-off-by: Paul Walmsley <pjw@kernel.org>

diff --git a/arch/riscv/include/asm/kfence.h b/arch/riscv/include/asm/kfence.h
index d08bf7fb3aee610fd5475144f8a092603558abd2..29cb3a6ee113dde8ea29c6afa51be6827eed9695 100644 (file)
--- a/arch/riscv/include/asm/kfence.h
+++ b/arch/riscv/include/asm/kfence.h
@@ -6,6 +6,7 @@
 #include <linux/kfence.h>
 #include <linux/pfn.h>
 #include <asm-generic/pgalloc.h>
+#include <asm/cacheflush.h>
 #include <asm/pgtable.h>
 
 static inline bool arch_kfence_init_pool(void)
@@ -17,10 +18,12 @@ static inline bool kfence_protect_page(unsigned long addr, bool protect)
 {
        pte_t *pte = virt_to_kpte(addr);
 
-       if (protect)
+       if (protect) {
                set_pte(pte, __pte(pte_val(ptep_get(pte)) & ~_PAGE_PRESENT));
-       else
+       } else {
                set_pte(pte, __pte(pte_val(ptep_get(pte)) | _PAGE_PRESENT));
+               mark_new_valid_map();
+       }
 
        preempt_disable();
        local_flush_tlb_kernel_range(addr, addr + PAGE_SIZE);

diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
index d011fb51c59a042092326a23da346d21926aa592..6c14ed7a561350e67c2efd727d8a27ce70c52fb0 100644 (file)
--- a/arch/riscv/kernel/entry.S
+++ b/arch/riscv/kernel/entry.S
@@ -136,8 +136,10 @@ SYM_CODE_START(handle_exception)
 
 #ifdef CONFIG_64BIT
        /*
-        * The RISC-V kernel does not eagerly emit a sfence.vma after each
-        * new vmalloc mapping, which may result in exceptions:
+        * The RISC-V kernel does not flush TLBs on all CPUS after each new
+        * vmalloc mapping or kfence_unprotect(), which may result in
+        * exceptions:
+        *
         * - if the uarch caches invalid entries, the new mapping would not be
         *   observed by the page table walker and an invalidation is needed.
         * - if the uarch does not cache invalid entries, a reordered access