From patchwork Fri Jul 1 14:22:56 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alexander Potapenko
X-Patchwork-Id: 12903388
Date: Fri, 1 Jul 2022 16:22:56 +0200
In-Reply-To: <20220701142310.2188015-1-glider@google.com>
Message-Id: <20220701142310.2188015-32-glider@google.com>
References: <20220701142310.2188015-1-glider@google.com>
Subject: [PATCH v4 31/45] security: kmsan: fix interoperability with auto-initialization
From: Alexander Potapenko
To: glider@google.com
Cc: Alexander Viro, Alexei Starovoitov, Andrew Morton, Andrey Konovalov, Andy Lutomirski, Arnd Bergmann, Borislav Petkov, Christoph Hellwig, Christoph Lameter, David Rientjes, Dmitry Vyukov, Eric Dumazet, Greg Kroah-Hartman, Herbert Xu, Ilya Leoshkevich, Ingo Molnar, Jens Axboe, Joonsoo Kim, Kees Cook, Marco Elver, Mark Rutland, Matthew Wilcox, "Michael S. Tsirkin", Pekka Enberg, Peter Zijlstra, Petr Mladek, Steven Rostedt, Thomas Gleixner, Vasily Gorbik, Vegard Nossum, Vlastimil Babka, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org

Heap and stack initialization is great, but not when we are trying uses of uninitialized memory. When the kernel is built with KMSAN, having kernel memory initialization enabled may introduce false negatives.

We disable CONFIG_INIT_STACK_ALL_PATTERN and CONFIG_INIT_STACK_ALL_ZERO under CONFIG_KMSAN, making it impossible to auto-initialize stack variables in KMSAN builds. We also disable CONFIG_INIT_ON_ALLOC_DEFAULT_ON and CONFIG_INIT_ON_FREE_DEFAULT_ON to prevent accidental use of heap auto-initialization.

We however still let the users enable heap auto-initialization at boot-time (by setting init_on_alloc=1 or init_on_free=1), in which case a warning is printed.

Signed-off-by: Alexander Potapenko
---
Link: https://linux-review.googlesource.com/id/I86608dd867018683a14ae1870f1928ad925f42e9
---
 mm/page_alloc.c | 4 ++++
 security/Kconfig.hardening | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/mm/page_alloc.c b/mm/page_alloc.c index e8d5a0b2a3264..3a0a5e204df7a 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c 
@@ -854,6 +854,10 @@ void init_mem_debugging_and_hardening(void) else static_branch_disable(&init_on_free); + if (IS_ENABLED(CONFIG_KMSAN) && + (_init_on_alloc_enabled_early || _init_on_free_enabled_early)) + pr_info("mem auto-init: please make sure init_on_alloc and init_on_free are disabled when running KMSAN\n"); + #ifdef CONFIG_DEBUG_PAGEALLOC if (!debug_pagealloc_enabled()) return; diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index bd2aabb2c60f9..2739a6776454e 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -106,6 +106,7 @@ choice config INIT_STACK_ALL_PATTERN bool "pattern-init everything (strongest)" depends on CC_HAS_AUTO_VAR_INIT_PATTERN + depends on !KMSAN help Initializes everything on the stack (including padding) with a specific debug value. This is intended to eliminate @@ -124,6 +125,7 @@ choice config INIT_STACK_ALL_ZERO bool "zero-init everything (strongest and safest)" depends on CC_HAS_AUTO_VAR_INIT_ZERO + depends on !KMSAN help Initializes everything on the stack (including padding) with a zero value. This is intended to eliminate all @@ -218,6 +220,7 @@ config STACKLEAK_RUNTIME_DISABLE config INIT_ON_ALLOC_DEFAULT_ON bool "Enable heap memory zeroing on allocation by default" + depends on !KMSAN help This has the effect of setting "init_on_alloc=1" on the kernel command line. This can be disabled with "init_on_alloc=0". @@ -230,6 +233,7 @@ config INIT_ON_ALLOC_DEFAULT_ON config INIT_ON_FREE_DEFAULT_ON bool "Enable heap memory zeroing on free by default" + depends on !KMSAN help This has the effect of setting "init_on_free=1" on the kernel command line. This can be disabled with "init_on_free=0".
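
Review bot: in the mm/page_alloc.c hunk, the new message in init_mem_debugging_and_hardening() is emitted with pr_info(), while the commit message says "a warning is printed"; pr_warn() would match that description and would still show up with a quieter console loglevel. The check sits after the static_branch_disable(&init_on_free) context line and only reports, so nothing here turns auto-initialization off and KMSAN will keep missing those uses for the rest of the boot. The text could say so directly and name which of init_on_alloc or init_on_free was actually set, instead of asking the user to "make sure" both are disabled.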
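
Review bot: in the security/Kconfig.hardening hunks, the four added "depends on !KMSAN" lines come with no explanation in the help texts, so INIT_STACK_ALL_PATTERN, INIT_STACK_ALL_ZERO, INIT_ON_ALLOC_DEFAULT_ON and INIT_ON_FREE_DEFAULT_ON simply vanish from a KMSAN configuration without a hint why. A sentence in each help text (or a comment beside the dependency) stating that auto-initialization hides uses of uninitialized memory from KMSAN would document the intent. For the two INIT_ON_*_DEFAULT_ON entries, the help still reads as if the Kconfig symbol were the whole story; it is worth noting there that init_on_alloc=1 and init_on_free=1 are still accepted on the command line under KMSAN and only produce the log message added in mm/page_alloc.c.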