From patchwork Fri Oct 18 09:42:58 2019
X-Patchwork-Submitter: Alexander Potapenko
X-Patchwork-Id: 11198005
Date: Fri, 18 Oct 2019 11:42:58 +0200
In-Reply-To: <20191018094304.37056-1-glider@google.com>
Message-Id: <20191018094304.37056-21-glider@google.com>
References: <20191018094304.37056-1-glider@google.com>
Subject: [PATCH RFC v1 20/26] kmsan: disable instrumentation of certain functions
From: glider@google.com
To: Alexander Potapenko
Cc: Thomas Gleixner, Andrew Morton, Vegard Nossum, Dmitry Vyukov, linux-mm@kvack.org

Some functions are called from handwritten assembly, and therefore don't
have their arguments' metadata fully set up by the instrumentation code.
Mark them with __no_sanitize_memory to avoid false positives from
spreading further.

Certain functions perform task switching, so that the value of |current|
is different as they proceed. Because the KMSAN state pointer is only
read once at the beginning of the function, touching it after |current|
has changed may be dangerous.
Signed-off-by: Alexander Potapenko To: Alexander Potapenko Cc: Thomas Gleixner Cc: Andrew Morton Cc: Vegard Nossum Cc: Dmitry Vyukov Cc: linux-mm@kvack.org --- Change-Id: I684d23dac5a22eb0a4cea71993cb934302b17cea --- arch/x86/entry/common.c | 1 + arch/x86/include/asm/irq_regs.h | 1 + arch/x86/include/asm/syscall_wrapper.h | 1 + arch/x86/kernel/apic/apic.c | 2 ++ arch/x86/kernel/dumpstack_64.c | 1 + arch/x86/kernel/process_64.c | 5 +++++ arch/x86/kernel/traps.c | 12 ++++++++++-- arch/x86/kernel/uprobes.c | 7 ++++++- kernel/profile.c | 1 + kernel/sched/core.c | 11 +++++++++++ 10 files changed, 39 insertions(+), 3 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 3f8e22615812..0dd5b2acb355 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -275,6 +275,7 @@ __visible inline void syscall_return_slowpath(struct pt_regs *regs) } #ifdef CONFIG_X86_64 +__no_sanitize_memory __visible void do_syscall_64(unsigned long nr, struct pt_regs *regs) { struct thread_info *ti; diff --git a/arch/x86/include/asm/irq_regs.h b/arch/x86/include/asm/irq_regs.h index 187ce59aea28..d65a00bd6f02 100644 --- a/arch/x86/include/asm/irq_regs.h +++ b/arch/x86/include/asm/irq_regs.h @@ -14,6 +14,7 @@ DECLARE_PER_CPU(struct pt_regs *, irq_regs); +__no_sanitize_memory static inline struct pt_regs *get_irq_regs(void) { return __this_cpu_read(irq_regs); diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index e046a405743d..43910ce1b53b 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h @@ -159,6 +159,7 @@ ALLOW_ERROR_INJECTION(__x64_sys##name, ERRNO); \ static long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \ static inline long __do_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\ + __no_sanitize_memory \ asmlinkage long __x64_sys##name(const struct pt_regs *regs) \ { \ return __se_sys##name(SC_X86_64_REGS_TO_ARGS(x,__VA_ARGS__));\ 
diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c index 9e2dd2b296cd..43a1edd919ea 100644 --- a/arch/x86/kernel/apic/apic.c +++ b/arch/x86/kernel/apic/apic.c @@ -1118,6 +1118,8 @@ static void local_apic_timer_interrupt(void) * [ if a single-CPU system runs an SMP kernel then we call the local * interrupt as well. Thus we cannot inline the local irq ... ] */ +/* TODO(glider): |regs| is uninitialized, so is |*regs|. */ +__no_sanitize_memory __visible void __irq_entry smp_apic_timer_interrupt(struct pt_regs *regs) { struct pt_regs *old_regs = set_irq_regs(regs); diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c index 753b8cfe8b8a..ba883d282a43 100644 --- a/arch/x86/kernel/dumpstack_64.c +++ b/arch/x86/kernel/dumpstack_64.c @@ -143,6 +143,7 @@ static bool in_irq_stack(unsigned long *stack, struct stack_info *info) return true; } +__no_sanitize_memory int get_stack_info(unsigned long *stack, struct task_struct *task, struct stack_info *info, unsigned long *visit_mask) { diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index af64519b2695..27649ee3dbf8 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -500,6 +500,11 @@ void compat_start_thread(struct pt_regs *regs, u32 new_ip, u32 new_sp) * Kprobes not supported here. Set the probe on schedule instead. * Function graph tracer not supported too. */ +/* + * TODO(glider): __switch_to() does weird things with tasks, don't report + * anything here (also avoid touching the KMSAN state). + */ +__no_sanitize_memory __visible __notrace_funcgraph struct task_struct * __switch_to(struct task_struct *prev_p, struct task_struct *next_p) { diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 4bb0f8447112..a94282d1f60b 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c 
@@ -618,7 +618,10 @@ NOKPROBE_SYMBOL(do_int3); * Help handler running on a per-cpu (IST or entry trampoline) stack * to switch to the normal thread stack if the interrupted code was in * user mode. The actual stack switch is done in entry_64.S + * + * This function switches the registers - don't instrument it with KMSAN! */ +__no_sanitize_memory asmlinkage __visible notrace struct pt_regs *sync_regs(struct pt_regs *eregs) { struct pt_regs *regs = (struct pt_regs *)this_cpu_read(cpu_current_top_of_stack) - 1; @@ -634,6 +637,11 @@ struct bad_iret_stack { }; asmlinkage __visible notrace +/* + * Dark magic happening here, let's not instrument this function. + * Also avoid copying any metadata by using raw __memmove(). + */ +__no_sanitize_memory struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s) { /* @@ -648,10 +656,10 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s) (struct bad_iret_stack *)this_cpu_read(cpu_tss_rw.x86_tss.sp0) - 1; /* Copy the IRET target to the new stack. */ - memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8); + __memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8); /* Copy the remainder of the stack from the current stack. */ - memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip)); + __memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip)); BUG_ON(!user_mode(&new_stack->regs)); return new_stack; diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c index 8cd745ef8c7b..bcd4bf5a909f 100644 --- a/arch/x86/kernel/uprobes.c +++ b/arch/x86/kernel/uprobes.c @@ -8,6 +8,7 @@ * Jim Keniston */ #include +#include #include #include #include 
@@ -997,9 +998,13 @@ int arch_uprobe_post_xol(struct arch_uprobe *auprobe, struct pt_regs *regs) int arch_uprobe_exception_notify(struct notifier_block *self, unsigned long val, void *data) { struct die_args *args = data; - struct pt_regs *regs = args->regs; + struct pt_regs *regs; int ret = NOTIFY_DONE; + kmsan_unpoison_shadow(args, sizeof(*args)); + regs = args->regs; + if (regs) + kmsan_unpoison_shadow(regs, sizeof(*regs)); /* We are only interested in userspace traps */ if (regs && !user_mode(regs)) return NOTIFY_DONE; diff --git a/kernel/profile.c b/kernel/profile.c index af7c94bf5fa1..835a5b66d1a4 100644 --- a/kernel/profile.c +++ b/kernel/profile.c @@ -399,6 +399,7 @@ void profile_hits(int type, void *__pc, unsigned int nr_hits) } EXPORT_SYMBOL_GPL(profile_hits); +__no_sanitize_memory void profile_tick(int type) { struct pt_regs *regs = get_irq_regs(); diff --git a/kernel/sched/core.c b/kernel/sched/core.c index dd05a378631a..951d19d217d7 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -475,6 +475,8 @@ void wake_q_add_safe(struct wake_q_head *head, struct task_struct *task) put_task_struct(task); } +/* TODO(glider): context switching here. */ +__no_sanitize_memory void wake_up_q(struct wake_q_head *head) { struct wake_q_node *node = head->first; @@ -3180,6 +3182,8 @@ prepare_task_switch(struct rq *rq, struct task_struct *prev, * past. prev == current is still correct but we need to recalculate this_rq * because prev may have moved to another CPU. */ +/* TODO(glider): |current| changes here. */ +__no_sanitize_memory static struct rq *finish_task_switch(struct task_struct *prev) __releases(rq->lock) { @@ -3986,6 +3990,8 @@ pick_next_task(struct rq *rq, struct task_struct *prev, struct rq_flags *rf) * * WARNING: must be called with preemption disabled! */ +/* TODO(glider): |current| changes here. */ +__no_sanitize_memory static void __sched notrace __schedule(bool preempt) { struct task_struct *prev, *next; 
@@ -4605,6 +4611,8 @@ int task_prio(const struct task_struct *p) * * Return: 1 if the CPU is currently idle. 0 otherwise. */ +/* TODO(glider): nothing to report here. */ +__no_sanitize_memory int idle_cpu(int cpu) { struct rq *rq = cpu_rq(cpu); @@ -6544,6 +6552,7 @@ static struct kmem_cache *task_group_cache __read_mostly; DECLARE_PER_CPU(cpumask_var_t, load_balance_mask); DECLARE_PER_CPU(cpumask_var_t, select_idle_mask); +__no_sanitize_memory void __init sched_init(void) { unsigned long ptr = 0; @@ -6716,6 +6725,8 @@ static inline int preempt_count_equals(int preempt_offset) return (nested == preempt_offset); } +/* TODO(glider): the args are most certainly initialized. */ +__no_sanitize_memory void __might_sleep(const char *file, int line, int preempt_offset) { /*
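Review bot: the arch/x86/entry/common.c hunk marks do_syscall_64() __no_sanitize_memory with no comment, so a reader of common.c cannot tell that it is there because the function is entered from handwritten assembly with no argument shadow set up (the reason given in the commit message); the other hunks in this patch at least carry a TODO. Add a one-line comment, and consider whether unpoisoning `regs` on entry, as the uprobes hunk does with kmsan_unpoison_shadow(regs, sizeof(*regs)), would keep the rest of the syscall dispatch path checked instead of switching instrumentation off for the whole function.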
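Review bot: in the arch/x86/include/asm/irq_regs.h hunk, __no_sanitize_memory goes on the static inline get_irq_regs(). LLVM does not inline a function whose sanitize_memory attribute differs from its caller's, so with KMSAN enabled this turns a per-cpu read into an out-of-line call at every instrumented call site, while callers that are themselves marked (profile_tick() in this same patch) gain nothing from it. Say in a comment what is uninitialised here (the irq_regs pointer, or *regs); if only the consumers need protection, this hunk can be dropped.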
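Review bot: the syscall_wrapper.h hunk makes every __x64_sys##name stub uninstrumented but leaves __se_sys##name instrumented, so the situation the commit message describes (an instrumented function whose argument metadata was never written by its caller) now recurs one frame down, with the stub in the role of the handwritten assembly. Either state next to the attribute why that is acceptable here, or mark __se_sys##name as well. Only the __x64_sys variant is visible in the hunk; please confirm whether the other wrapper macros in this header need the same treatment.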
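Review bot: the comment added in arch/x86/kernel/apic/apic.c, "|regs| is uninitialized, so is |*regs|", is misleading: the entry code does fill in the pt_regs it hands to smp_apic_timer_interrupt(); it is the KMSAN shadow of regs and *regs that was never written. Reword it to say the shadow is missing, and consider kmsan_unpoison_shadow(regs, sizeof(*regs)) at entry (the approach the uprobes hunk takes) instead of disabling checks for the whole interrupt handler. The TODO(glider) markers with a personal handle should become plain comments before this leaves RFC.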
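Review bot: get_stack_info() in the arch/x86/kernel/dumpstack_64.c hunk gets __no_sanitize_memory with no explanation, and it fits neither category from the commit message: it is called from the unwinder in C, not from assembly, and it does not switch tasks. State which input legitimately has no shadow here (stack, task, or the per-cpu stack bounds it consults), otherwise the attribute looks like a silenced report.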
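Review bot: "__switch_to() does weird things with tasks" in the arch/x86/kernel/process_64.c hunk is vaguer than the commit message, which states the actual reason: the function returns with a different |current| than it was entered with, and instrumentation loads the KMSAN state pointer once at entry. Put that sentence in the comment in place of "weird things" and drop the TODO prefix; this is a permanent constraint, not an open item.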
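Review bot: the comment added above sync_regs() in arch/x86/kernel/traps.c says the function "switches the registers", but the existing comment and the body show that it copies the pt_regs to the normal thread stack (this_cpu_read(cpu_current_top_of_stack) - 1) so that the caller can switch stacks; no registers are switched here. Replace the sentence with the KMSAN-relevant property that makes instrumentation unsafe for this copy, so the next person does not remove the attribute on the grounds that the stated reason is wrong.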
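Review bot: in the fixup_bad_iret() hunk the new comment block and __no_sanitize_memory are inserted between `asmlinkage __visible notrace` and `struct bad_iret_stack *fixup_bad_iret(...)`, splitting the declaration across a comment; move both above `asmlinkage`, as the sync_regs() hunk just before it does. "Dark magic happening here" does not tell the reader why the function must stay uninstrumented, and the __memmove() comment says metadata must not be copied without saying why copying the shadow of the IRET frame would be wrong; each deserves one sentence. Please also confirm that memmove() inside a function the compiler no longer instruments is still redirected to the KMSAN-aware copy; if it is not, the two __memmove() replacements change nothing and the comment is inaccurate.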
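Review bot: the arch/x86/kernel/uprobes.c hunk takes the targeted route, kmsan_unpoison_shadow() on args and on *regs, rather than disabling instrumentation, which is the better pattern in this series, but it lacks the comment the other hunks got: say that args arrives through the notifier from a trap entered in assembly, so its shadow was never written, otherwise the two calls read as hiding a report. Unpoisoning the whole pt_regs also declares every register initialised, so a genuinely uninitialised field becomes invisible to everything downstream; note that trade-off next to the call.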
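Review bot: profile_tick() in the kernel/profile.c hunk is marked with no comment, while get_irq_regs(), which it calls on its first line, is marked separately in this same patch. One of the two should suffice; say which value lacks shadow (the regs pointer, or the *regs it dereferences) and keep the attribute on the function that consumes it.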
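Review bot: the "context switching here" comment on wake_up_q() in kernel/sched/core.c is inaccurate: the function walks the wake_q list from head->first and wakes the queued tasks; it does not change |current| itself, and being preempted inside it returns to the same task, which is not the hazard the commit message describes. Either name the real reason it trips KMSAN or drop this hunk.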
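Review bot: the finish_task_switch() hunk documents the right reason (|current| changes), but as TODO(glider) it reads as an open item. Make it a permanent comment that names the constraint: the function is reached after the switch while the instrumentation would still hold the context pointer loaded for the old task, so it must stay uninstrumented until the state pointer is re-read after the switch. The same wording fits the __schedule() hunk just below, which carries the identical TODO.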
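Review bot: "nothing to report here" on idle_cpu() in kernel/sched/core.c is not a justification: idle_cpu() is neither entered from assembly nor does it change |current|, and the comment does not say which read produces the report. Name the field (the lines shown only read the runqueue obtained from cpu_rq(cpu)) whose shadow is legitimately unset, or remove the attribute and fix the report at its source.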
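Review bot: sched_init() gets __no_sanitize_memory with no comment at all, and as an __init function it runs before any task switching, so neither reason from the commit message obviously applies. Add the actual reason (if it is an uninitialised per-cpu or boot-time variable read, say which), because an unexplained opt-out on the scheduler initialiser is exactly where a real uninitialised-use bug would go unnoticed.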
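Review bot: the comment on __might_sleep(), "the args are most certainly initialized", says the report is a false positive but not where it comes from; __might_sleep() has many C call sites, so stale argument shadow must originate in one specific caller. Identify that caller and fix the shadow there (or unpoison at the source) rather than turning checks off for every call to __might_sleep(), and drop the TODO marker if the attribute stays.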
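The two mechanisms the commit message relies on, argument shadow that a handwritten-assembly caller never writes and a context pointer loaded once at function entry and then used after |current| has changed, shown in a constructed userspace C model. This is an added example, not KMSAN's code and not part of this patch: the struct names, the per-task context layout, the convention that a set shadow bit means "uninitialised", and every function name below are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the KMSAN bookkeeping the commit message refers to.
 * Not kernel or KMSAN code: the layout, the names and the convention that a
 * set shadow bit means "uninitialised" are assumptions for illustration.
 */
#define NR_PARAMS 4

struct kmsan_ctx {
	unsigned long param_shadow[NR_PARAMS];	/* shadow of the callee's arguments */
	unsigned long retval_shadow;		/* shadow of the return value */
};

struct task {
	const char *name;
	struct kmsan_ctx kmsan;			/* per-task KMSAN state */
};

static struct task task_a = { "A", { { 0 }, 0 } };
static struct task task_b = { "B", { { 0 }, 0 } };
static struct task *current = &task_a;	/* stands in for the per-CPU current */

/* What instrumentation inserts once, at the entry of every instrumented function. */
static struct kmsan_ctx *kmsan_get_context(void)
{
	return &current->kmsan;
}

/* An instrumented caller stores each argument's shadow before the call. */
static void instrumented_caller_passes(struct kmsan_ctx *ctx, unsigned long shadow0)
{
	ctx->param_shadow[0] = shadow0;
}

/* An instrumented callee reads the shadow it finds in the context. */
static unsigned long instrumented_callee_sees_arg0(void)
{
	return kmsan_get_context()->param_shadow[0];
}

/*
 * Hazard 1: a call from handwritten assembly does no shadow bookkeeping.
 * Whatever the previous instrumented caller stored is still in the context,
 * so a fully initialised argument is reported as uninitialised.
 * Returns the shadow the callee consults on the assembly-entered call.
 */
static unsigned long stale_shadow_after_asm_call(void)
{
	struct kmsan_ctx *ctx = kmsan_get_context();

	instrumented_caller_passes(ctx, ~0UL);	/* earlier call: argument really uninit */
	(void)instrumented_callee_sees_arg0();	/* correctly flagged */

	/* Assembly entry: the argument is initialised, but nothing clears the shadow. */
	return instrumented_callee_sees_arg0();	/* still ~0UL: a false positive */
}

/*
 * Remedy for such entry points: either the callee is __no_sanitize_memory
 * (it never consults param_shadow), or the shadow of the incoming data is
 * cleared on entry, which is what kmsan_unpoison_shadow() does for memory in
 * the uprobes hunk. Modelled here as clearing the parameter slots.
 */
static unsigned long shadow_after_unpoison_on_entry(void)
{
	struct kmsan_ctx *ctx = kmsan_get_context();

	memset(ctx->param_shadow, 0, sizeof(ctx->param_shadow));
	return instrumented_callee_sees_arg0();	/* 0: argument is initialised */
}

/*
 * Hazard 2: a task-switching function compiled as if instrumented. The
 * context pointer is loaded once at entry, so after `current' changes every
 * later shadow store still goes to the previous task's state.
 * Returns the task whose context actually received the store.
 */
static struct task *switch_with_cached_ctx(struct task *prev, struct task *next)
{
	struct kmsan_ctx *ctx = kmsan_get_context();	/* loaded once: prev's state */

	current = next;					/* the context switch */
	ctx->retval_shadow = ~0UL;			/* meant for current, lands in prev */
	return ctx == &prev->kmsan ? prev : next;
}

/* The same switch left uninstrumented: no cached pointer, so nothing goes stale. */
static struct task *switch_uninstrumented(struct task *next)
{
	current = next;
	return current;
}

int main(void)
{
	printf("stale shadow after asm call: %#lx\n", stale_shadow_after_asm_call());
	printf("after unpoison on entry:     %#lx\n", shadow_after_unpoison_on_entry());
	printf("cached ctx store went to task %s\n",
	       switch_with_cached_ctx(&task_a, &task_b)->name);
	printf("uninstrumented switch runs as task %s\n",
	       switch_uninstrumented(&task_a)->name);
	return 0;
}
```

The first hazard is why the patch puts __no_sanitize_memory on entry points such as do_syscall_64() or unpoisons regs in the uprobes hunk; the second is why __switch_to(), finish_task_switch() and __schedule() must not be instrumented at all as long as the context pointer is fetched only once per function.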