| Message ID | 20240619154530.163232-1-iii@linux.ibm.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | kmsan: Enable on s390 | expand |
On Wed, Jun 19, 2024 at 5:45 PM Ilya Leoshkevich <iii@linux.ibm.com> wrote: > > Add a wrapper for memset() that prevents unpoisoning. This is useful > for filling memory allocator redzones. > > Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: Alexander Potapenko <glider@google.com> > --- > include/linux/kmsan.h | 13 +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/include/linux/kmsan.h b/include/linux/kmsan.h > index 23de1b3d6aee..5f50885f2023 100644 > --- a/include/linux/kmsan.h > +++ b/include/linux/kmsan.h > @@ -255,6 +255,14 @@ void kmsan_enable_current(void); > */ > void kmsan_disable_current(void); > > +/* > + * memset_no_sanitize_memory(): memset() without KMSAN instrumentation. > + */ Please make this a doc comment, like in the rest of the file. (Please also fix kmsan_enable_current/kmsan_disable_current in the respective patch)
On Wed, Jun 19, 2024 at 5:45 PM Ilya Leoshkevich <iii@linux.ibm.com> wrote: > > Avoid false KMSAN negatives with SLUB_DEBUG by allowing > kmsan_slab_free() to poison the freed memory, and by preventing > init_object() from unpoisoning new allocations by using __memset(). > > There are two alternatives to this approach. First, init_object() > can be marked with __no_sanitize_memory. This annotation should be used > with great care, because it drops all instrumentation from the > function, and any shadow writes will be lost. Even though this is not a > concern with the current init_object() implementation, this may change > in the future. > > Second, kmsan_poison_memory() calls may be added after memset() calls. > The downside is that init_object() is called from > free_debug_processing(), in which case poisoning will erase the > distinction between simply uninitialized memory and UAF. > > Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com> Reviewed-by: Alexander Potapenko <glider@google.com>
v4: https://lore.kernel.org/lkml/20240613153924.961511-1-iii@linux.ibm.com/ v4 -> v5: Fix the __memset() build issue. Change the attribute #defines to lowercase in order to match the existing code style. Fix the kmsan_virt_addr_valid() implementation to avoid recursion in debug builds, like it's done on x86_64 - dropped R-bs, please take another look. Add kmsan_disable_current()/kmsan_enable_current() doc; Fix the poisoned memchr_inv() value in a different way; Add the missing linux/instrumented.h #include; (Alexander P.). Patches that need review: - [PATCH 12/37] kmsan: Introduce memset_no_sanitize_memory() - [PATCH 13/37] kmsan: Support SLAB_POISON - [PATCH 17/37] mm: slub: Disable KMSAN when checking the padding bytes - [PATCH 36/37] s390/kmsan: Implement the architecture-specific functions v3: https://lore.kernel.org/lkml/20231213233605.661251-1-iii@linux.ibm.com/ v3 -> v4: Rebase. Elaborate why ftrace_ops_list_func() change is needed on x64_64 (Steven). Add a comment to the DFLTCC patch (Alexander P.). Simplify diag224(); Improve __arch_local_irq_attributes style; Use IS_ENABLED(CONFIG_KMSAN) for vmalloc area (Heiko). Align vmalloc area on _SEGMENT_SIZE (Alexander G.). v2: https://lore.kernel.org/lkml/20231121220155.1217090-1-iii@linux.ibm.com/ v2 -> v3: Drop kmsan_memmove_metadata() and strlcpy() patches; Remove kmsan_get_metadata() stub; Move kmsan_enable_current() and kmsan_disable_current() to include/linux/kmsan.h, explain why a counter is needed; Drop the memset_no_sanitize_memory() patch; Use __memset() in the SLAB_POISON patch; Add kmsan-checks.h to the DFLTCC patch; Add recursion check to the arch_kmsan_get_meta_or_null() patch (Alexander P.). Fix inline + __no_kmsan_checks issues. New patch for s390/irqflags, that resolves a lockdep warning. New patch for s390/diag, that resolves a false positive when running on an LPAR. New patch for STCCTM, same as above. New patch for check_bytes_and_report() that resolves a false positive that occurs even on Intel. v1: https://lore.kernel.org/lkml/20231115203401.2495875-1-iii@linux.ibm.com/ v1 -> v2: Add comments, sort #includes, introduce memset_no_sanitize_memory() and use it to avoid unpoisoning of redzones, change vmalloc alignment to _REGION3_SIZE, add R-bs (Alexander P.). Fix building [PATCH 28/33] s390/string: Add KMSAN support with FORTIFY_SOURCE. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202311170550.bSBo44ix-lkp@intel.com/ Hi, This series provides the minimal support for Kernel Memory Sanitizer on s390. Kernel Memory Sanitizer is clang-only instrumentation for finding accesses to uninitialized memory. The clang support for s390 has already been merged [1]. With this series, I can successfully boot s390 defconfig and debug_defconfig with kmsan.panic=1. The tool found one real s390-specific bug (fixed in master). Best regards, Ilya [1] https://reviews.llvm.org/D148596 Ilya Leoshkevich (37): ftrace: Unpoison ftrace_regs in ftrace_ops_list_func() kmsan: Make the tests compatible with kmsan.panic=1 kmsan: Disable KMSAN when DEFERRED_STRUCT_PAGE_INIT is enabled kmsan: Increase the maximum store size to 4096 kmsan: Fix is_bad_asm_addr() on arches with overlapping address spaces kmsan: Fix kmsan_copy_to_user() on arches with overlapping address spaces kmsan: Remove a useless assignment from kmsan_vmap_pages_range_noflush() kmsan: Remove an x86-specific #include from kmsan.h kmsan: Expose kmsan_get_metadata() kmsan: Export panic_on_kmsan kmsan: Allow disabling KMSAN checks for the current task kmsan: Introduce memset_no_sanitize_memory() kmsan: Support SLAB_POISON kmsan: Use ALIGN_DOWN() in kmsan_get_metadata() kmsan: Do not round up pg_data_t size mm: slub: Let KMSAN access metadata mm: slub: Disable KMSAN when checking the padding bytes mm: kfence: Disable KMSAN when checking the canary lib/zlib: Unpoison DFLTCC output buffers kmsan: Accept ranges starting with 0 on s390 s390/boot: Turn off KMSAN s390: Use a larger stack for KMSAN s390/boot: Add the KMSAN runtime stub s390/checksum: Add a KMSAN check s390/cpacf: Unpoison the results of cpacf_trng() s390/cpumf: Unpoison STCCTM output buffer s390/diag: Unpoison diag224() output buffer s390/ftrace: Unpoison ftrace_regs in kprobe_ftrace_handler() s390/irqflags: Do not instrument arch_local_irq_*() with KMSAN s390/mm: Define KMSAN metadata for vmalloc and modules s390/string: Add KMSAN support s390/traps: Unpoison the kernel_stack_overflow()'s pt_regs s390/uaccess: Add KMSAN support to put_user() and get_user() s390/uaccess: Add the missing linux/instrumented.h #include s390/unwind: Disable KMSAN checks s390/kmsan: Implement the architecture-specific functions kmsan: Enable on s390 Documentation/dev-tools/kmsan.rst | 11 ++- arch/s390/Kconfig | 1 + arch/s390/Makefile | 2 +- arch/s390/boot/Makefile | 3 + arch/s390/boot/kmsan.c | 6 ++ arch/s390/boot/startup.c | 7 ++ arch/s390/boot/string.c | 16 ++++ arch/s390/include/asm/checksum.h | 2 + arch/s390/include/asm/cpacf.h | 3 + arch/s390/include/asm/cpu_mf.h | 6 ++ arch/s390/include/asm/irqflags.h | 17 ++++- arch/s390/include/asm/kmsan.h | 59 +++++++++++++++ arch/s390/include/asm/pgtable.h | 8 ++ arch/s390/include/asm/string.h | 20 +++-- arch/s390/include/asm/thread_info.h | 2 +- arch/s390/include/asm/uaccess.h | 112 ++++++++++++++++++++-------- arch/s390/kernel/diag.c | 10 ++- arch/s390/kernel/ftrace.c | 2 + arch/s390/kernel/traps.c | 6 ++ arch/s390/kernel/unwind_bc.c | 4 + drivers/s390/char/sclp.c | 2 +- include/linux/kmsan.h | 46 ++++++++++++ include/linux/kmsan_types.h | 2 +- kernel/trace/ftrace.c | 1 + lib/zlib_dfltcc/dfltcc.h | 1 + lib/zlib_dfltcc/dfltcc_util.h | 28 +++++++ mm/Kconfig | 1 + mm/kfence/core.c | 11 ++- mm/kmsan/core.c | 1 - mm/kmsan/hooks.c | 23 ++++-- mm/kmsan/init.c | 7 +- mm/kmsan/instrumentation.c | 11 +-- mm/kmsan/kmsan.h | 9 +-- mm/kmsan/kmsan_test.c | 5 ++ mm/kmsan/report.c | 8 +- mm/kmsan/shadow.c | 9 +-- mm/slub.c | 33 ++++++-- tools/objtool/check.c | 2 + 38 files changed, 410 insertions(+), 87 deletions(-) create mode 100644 arch/s390/boot/kmsan.c create mode 100644 arch/s390/include/asm/kmsan.h