From patchwork Fri Aug 11 15:18:38 2023
X-Patchwork-Submitter: Marco Elver
X-Patchwork-Id: 13351009
Date: Fri, 11 Aug 2023 17:18:38 +0200
Message-ID: <20230811151847.1594958-1-elver@google.com>
Subject: [PATCH v4 1/4] compiler_types: Introduce the Clang __preserve_most function attribute
From: Marco Elver
To: elver@google.com, Andrew Morton, Kees Cook
Cc: Guenter Roeck, Peter Zijlstra, Mark Rutland, Steven Rostedt, Marc Zyngier, Oliver Upton, James Morse, Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon, Arnd Bergmann, Greg Kroah-Hartman, Paul Moore, James Morris, "Serge E. Hallyn", Nathan Chancellor, Nick Desaulniers, Tom Rix, Miguel Ojeda, Sami Tolvanen, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, llvm@lists.linux.dev, Dmitry Vyukov, Alexander Potapenko, kasan-dev@googlegroups.com, linux-toolchains@vger.kernel.org

[1]: "On X86-64 and AArch64 targets, this attribute changes the calling convention of a function. The preserve_most calling convention attempts to make the code in the caller as unintrusive as possible. This convention behaves identically to the C calling convention on how arguments and return values are passed, but it uses a different set of caller/callee-saved registers. This alleviates the burden of saving and recovering a large register set before and after the call in the caller. If the arguments are passed in callee-saved registers, then they will be preserved by the callee across the call. This doesn't apply for values returned in callee-saved registers.

 * On X86-64 the callee preserves all general purpose registers, except for R11. R11 can be used as a scratch register. Floating-point registers (XMMs/YMMs) are not preserved and need to be saved by the caller.

 * On AArch64 the callee preserve all general purpose registers, except x0-X8 and X16-X18."

[1] https://clang.llvm.org/docs/AttributeReference.html#preserve-most

Introduce the attribute to compiler_types.h as __preserve_most.

Use of this attribute results in better code generation for calls to very rarely called functions, such as error-reporting functions, or rarely executed slow paths.

Beware that the attribute conflicts with instrumentation calls inserted on function entry which do not use __preserve_most themselves. Notably, function tracing which assumes the normal C calling convention for the given architecture. Where the attribute is supported, __preserve_most will imply notrace. It is recommended to restrict use of the attribute to functions that should or already disable tracing.

Note: The additional preprocessor check against architecture should not be necessary if __has_attribute() only returns true where supported; also see https://github.com/ClangBuiltLinux/linux/issues/1908. But until __has_attribute() does the right thing, we also guard by known-supported architectures to avoid build warnings on other architectures.

The attribute may be supported by a future GCC version (see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110899).

Signed-off-by: Marco Elver
Reviewed-by: Miguel Ojeda
Reviewed-by: Nick Desaulniers
Acked-by: Steven Rostedt (Google)
Acked-by: Mark Rutland
---
v4:
* Guard attribute based on known-supported architectures to avoid compiler warnings about the attribute being ignored.

v3:
* Quote more from LLVM documentation about which registers are callee/caller with preserve_most.
* Code comment to restrict use where tracing is meant to be disabled.

v2:
* Imply notrace, to avoid any conflicts with tracing which is inserted on function entry. See added comments.
---
 include/linux/compiler_types.h | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h index 547ea1ff806e..c523c6683789 100644 --- a/include/linux/compiler_types.h +++ b/include/linux/compiler_types.h 
@@ -106,6 +106,34 @@ static inline void __chk_io_ptr(const volatile void __iomem *ptr) { } #define __cold #endif +/* + * On x86-64 and arm64 targets, __preserve_most changes the calling convention + * of a function to make the code in the caller as unintrusive as possible. This + * convention behaves identically to the C calling convention on how arguments + * and return values are passed, but uses a different set of caller- and callee- + * saved registers. + * + * The purpose is to alleviates the burden of saving and recovering a large + * register set before and after the call in the caller. This is beneficial for + * rarely taken slow paths, such as error-reporting functions that may be called + * from hot paths. + * + * Note: This may conflict with instrumentation inserted on function entry which + * does not use __preserve_most or equivalent convention (if in assembly). Since + * function tracing assumes the normal C calling convention, where the attribute + * is supported, __preserve_most implies notrace. It is recommended to restrict + * use of the attribute to functions that should or already disable tracing. + * + * Optional: not supported by gcc. 
+ * + * clang: https://clang.llvm.org/docs/AttributeReference.html#preserve-most + */ +#if __has_attribute(__preserve_most__) && (defined(CONFIG_X86_64) || defined(CONFIG_ARM64)) +# define __preserve_most notrace __attribute__((__preserve_most__)) +#else +# define __preserve_most +#endif + /* Builtins */ /*
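
Review bot: In the `#else` branch of the new block in include/linux/compiler_types.h, `__preserve_most` expands to nothing, so the implied `notrace` exists only where the attribute is supported: the same annotated function is untraceable on a Clang x86-64 or arm64 build and traceable on every other build. The comment recommends restricting use to functions that already disable tracing, but nothing enforces it; consider saying in the comment that a function relying on `notrace` must carry it explicitly, or make the fallback `notrace` as well. The architecture guard in the `#if` is explained only in the commit message (ClangBuiltLinux issue 1908); a one-line comment beside it would tell a later reader when it can be dropped. Typo in the comment: "to alleviates" should be "to alleviate".
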
From patchwork Fri Aug 11 15:18:39 2023
X-Patchwork-Submitter: Marco Elver
X-Patchwork-Id: 13351010
Date: Fri, 11 Aug 2023 17:18:39 +0200
In-Reply-To: <20230811151847.1594958-1-elver@google.com>
References: <20230811151847.1594958-1-elver@google.com>
Message-ID: <20230811151847.1594958-2-elver@google.com>
Subject: [PATCH v4 2/4] list_debug: Introduce inline wrappers for debug checks
From: Marco Elver

Turn the list debug checking functions __list_*_valid() into inline functions that wrap the out-of-line functions. Care is taken to ensure the inline wrappers are always inlined, so that additional compiler instrumentation (such as sanitizers) does not result in redundant outlining.

This change is preparation for performing checks in the inline wrappers.

No functional change intended.

Signed-off-by: Marco Elver
---
v3:
* Rename ___list_*_valid() to __list_*_valid_or_report().
* Some documentation.
---
 arch/arm64/kvm/hyp/nvhe/list_debug.c | 6 ++---
 include/linux/list.h | 37 +++++++++++++++++++++++++---
 lib/list_debug.c | 11 ++++-----
 3 files changed, 41 insertions(+), 13 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/list_debug.c b/arch/arm64/kvm/hyp/nvhe/list_debug.c index d68abd7ea124..16266a939a4c 100644 --- a/arch/arm64/kvm/hyp/nvhe/list_debug.c +++ b/arch/arm64/kvm/hyp/nvhe/list_debug.c @@ -26,8 +26,8 @@ static inline __must_check bool nvhe_check_data_corruption(bool v) /* The predicates checked here are taken from lib/list_debug.c. */ -bool __list_add_valid(struct list_head *new, struct list_head *prev, - struct list_head *next) +bool __list_add_valid_or_report(struct list_head *new, struct list_head *prev, + struct list_head *next) { if (NVHE_CHECK_DATA_CORRUPTION(next->prev != prev) || NVHE_CHECK_DATA_CORRUPTION(prev->next != next) || @@ -37,7 +37,7 @@ bool __list_add_valid(struct list_head *new, struct list_head *prev, return true; } -bool __list_del_entry_valid(struct list_head *entry) +bool __list_del_entry_valid_or_report(struct list_head *entry) { struct list_head *prev, *next; diff --git a/include/linux/list.h b/include/linux/list.h index f10344dbad4d..130c6a1bb45c 100644 --- a/include/linux/list.h +++ b/include/linux/list.h 
@@ -39,10 +39,39 @@ static inline void INIT_LIST_HEAD(struct list_head *list) } #ifdef CONFIG_DEBUG_LIST -extern bool __list_add_valid(struct list_head *new, - struct list_head *prev, - struct list_head *next); -extern bool __list_del_entry_valid(struct list_head *entry); +/* + * Performs the full set of list corruption checks before __list_add(). + * On list corruption reports a warning, and returns false. + */ +extern bool __list_add_valid_or_report(struct list_head *new, + struct list_head *prev, + struct list_head *next); + +/* + * Performs list corruption checks before __list_add(). Returns false if a + * corruption is detected, true otherwise. + */ +static __always_inline bool __list_add_valid(struct list_head *new, + struct list_head *prev, + struct list_head *next) +{ + return __list_add_valid_or_report(new, prev, next); +} + +/* + * Performs the full set of list corruption checks before __list_del_entry(). + * On list corruption reports a warning, and returns false. + */ +extern bool __list_del_entry_valid_or_report(struct list_head *entry); + +/* + * Performs list corruption checks before __list_del_entry(). Returns false if a + * corruption is detected, true otherwise. + */ +static __always_inline bool __list_del_entry_valid(struct list_head *entry) +{ + return __list_del_entry_valid_or_report(entry); +} #else static inline bool __list_add_valid(struct list_head *new, struct list_head *prev, diff --git a/lib/list_debug.c b/lib/list_debug.c index d98d43f80958..2def33b1491f 100644 --- a/lib/list_debug.c +++ b/lib/list_debug.c @@ -17,8 +17,8 @@ * attempt). */ -bool __list_add_valid(struct list_head *new, struct list_head *prev, - struct list_head *next) +bool __list_add_valid_or_report(struct list_head *new, struct list_head *prev, + struct list_head *next) { if (CHECK_DATA_CORRUPTION(prev == NULL, "list_add corruption. prev is NULL.\n") || 
@@ -37,9 +37,9 @@ bool __list_add_valid(struct list_head *new, struct list_head *prev, return true; } -EXPORT_SYMBOL(__list_add_valid); +EXPORT_SYMBOL(__list_add_valid_or_report); -bool __list_del_entry_valid(struct list_head *entry) +bool __list_del_entry_valid_or_report(struct list_head *entry) { struct list_head *prev, *next; 
@@ -65,6 +65,5 @@ bool __list_del_entry_valid(struct list_head *entry) return false; return true; - } -EXPORT_SYMBOL(__list_del_entry_valid); +EXPORT_SYMBOL(__list_del_entry_valid_or_report);
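
Review bot: In the include/linux/list.h hunk the new CONFIG_DEBUG_LIST wrappers are `static __always_inline`, while the `#else` stubs visible in the trailing context are still plain `static inline`; if the concern named in the commit message (instrumentation causing the wrappers to be outlined) can apply to the stubs too, make them match, otherwise say why they need not. The wrapper comments ("Performs list corruption checks before __list_add()...") are nearly identical to the comments on the `_or_report` declarations and do not say that the wrapper currently only forwards to the out-of-line function, which is the one fact a reader needs at this point in the series.
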
From patchwork Fri Aug 11 15:18:40 2023
X-Patchwork-Submitter: Marco Elver
X-Patchwork-Id: 13351011
Date: Fri, 11 Aug 2023 17:18:40 +0200
In-Reply-To: <20230811151847.1594958-1-elver@google.com>
References: <20230811151847.1594958-1-elver@google.com>
Message-ID: <20230811151847.1594958-3-elver@google.com>
Subject: [PATCH v4 3/4] list: Introduce CONFIG_LIST_HARDENED
From: Marco Elver

Numerous production kernel configs (see [1, 2]) are choosing to enable CONFIG_DEBUG_LIST, which is also being recommended by KSPP for hardened configs [3]. The motivation behind this is that the option can be used as a security hardening feature (e.g. CVE-2019-2215 and CVE-2019-2025 are mitigated by the option [4]).

The feature has never been designed with performance in mind, yet common list manipulation is happening across hot paths all over the kernel.

Introduce CONFIG_LIST_HARDENED, which performs list pointer checking inline, and only upon list corruption calls the reporting slow path.

To generate optimal machine code with CONFIG_LIST_HARDENED:

 1. Elide checking for pointer values which upon dereference would result in an immediate access fault (i.e. minimal hardening checks). The trade-off is lower-quality error reports.

 2. Use the __preserve_most function attribute (available with Clang, but not yet with GCC) to minimize the code footprint for calling the reporting slow path. As a result, function size of callers is reduced by avoiding saving registers before calling the rarely called reporting slow path.

    Note that all TUs in lib/Makefile already disable function tracing, including list_debug.c, and __preserve_most's implied notrace has no effect in this case.

 3. Because the inline checks are a subset of the full set of checks in __list_*_valid_or_report(), always return false if the inline checks failed. This avoids redundant compare and conditional branch right after return from the slow path.

As a side-effect of the checks being inline, if the compiler can prove some condition to always be true, it can completely elide some checks.

Since DEBUG_LIST is functionally a superset of LIST_HARDENED, the Kconfig variables are changed to reflect that: DEBUG_LIST selects LIST_HARDENED, whereas LIST_HARDENED itself has no dependency on DEBUG_LIST.

Running netperf with CONFIG_LIST_HARDENED (using a Clang compiler with "preserve_most") shows throughput improvements, in my case of ~7% on average (up to 20-30% on some test cases).

Link: https://r.android.com/1266735 [1]
Link: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/main/config [2]
Link: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings [3]
Link: https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html [4]
Signed-off-by: Marco Elver
---
v4:
* Rename to CONFIG_LIST_HARDENED, which can independently be selected from CONFIG_DEBUG_LIST.
* LKDTM test should just check CONFIG_LIST_HARDENED (which is also implied by DEBUG_LIST).
* Comment word smithing.

v3:
* Rename ___list_*_valid() to __list_*_valid_or_report().
* More comments.

v2:
* Note that lib/Makefile disables function tracing for everything and __preserve_most's implied notrace is a noop here.
---
 arch/arm64/kvm/hyp/nvhe/Makefile | 2 +-
 arch/arm64/kvm/hyp/nvhe/list_debug.c | 2 +
 drivers/misc/lkdtm/bugs.c | 4 +-
 include/linux/list.h | 64 +++++++++++++++++++++++++---
 lib/Kconfig.debug | 9 +++-
 lib/Makefile | 2 +-
 lib/list_debug.c | 5 ++-
 security/Kconfig.hardening | 13 ++++++
 8 files changed, 88 insertions(+), 13 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/Makefile b/arch/arm64/kvm/hyp/nvhe/Makefile index 9ddc025e4b86..2250253a6429 100644 --- a/arch/arm64/kvm/hyp/nvhe/Makefile +++ b/arch/arm64/kvm/hyp/nvhe/Makefile @@ -25,7 +25,7 @@ hyp-obj-y := timer-sr.o sysreg-sr.o debug-sr.o switch.o tlb.o hyp-init.o host.o cache.o setup.o mm.o mem_protect.o sys_regs.o pkvm.o stacktrace.o ffa.o hyp-obj-y += ../vgic-v3-sr.o ../aarch32.o ../vgic-v2-cpuif-proxy.o ../entry.o \ ../fpsimd.o ../hyp-entry.o ../exception.o ../pgtable.o -hyp-obj-$(CONFIG_DEBUG_LIST) += list_debug.o +hyp-obj-$(CONFIG_LIST_HARDENED) += list_debug.o hyp-obj-y += $(lib-objs) ## diff --git a/arch/arm64/kvm/hyp/nvhe/list_debug.c b/arch/arm64/kvm/hyp/nvhe/list_debug.c index 16266a939a4c..46a2d4f2b3c6 100644 --- a/arch/arm64/kvm/hyp/nvhe/list_debug.c +++ b/arch/arm64/kvm/hyp/nvhe/list_debug.c @@ -26,6 +26,7 @@ static inline __must_check bool nvhe_check_data_corruption(bool v) /* The predicates checked here are taken from lib/list_debug.c. */ +__list_valid_slowpath bool __list_add_valid_or_report(struct list_head *new, struct list_head *prev, struct list_head *next) { 
@@ -37,6 +38,7 @@ bool __list_add_valid_or_report(struct list_head *new, struct list_head *prev, return true; } +__list_valid_slowpath bool __list_del_entry_valid_or_report(struct list_head *entry) { struct list_head *prev, *next; diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c index 3c95600ab2f7..963b4dee6a7d 100644 --- a/drivers/misc/lkdtm/bugs.c +++ b/drivers/misc/lkdtm/bugs.c @@ -393,7 +393,7 @@ static void lkdtm_CORRUPT_LIST_ADD(void) pr_err("Overwrite did not happen, but no BUG?!\n"); else { pr_err("list_add() corruption not detected!\n"); - pr_expected_config(CONFIG_DEBUG_LIST); + pr_expected_config(CONFIG_LIST_HARDENED); } } @@ -420,7 +420,7 @@ static void lkdtm_CORRUPT_LIST_DEL(void) pr_err("Overwrite did not happen, but no BUG?!\n"); else { pr_err("list_del() corruption not detected!\n"); - pr_expected_config(CONFIG_DEBUG_LIST); + pr_expected_config(CONFIG_LIST_HARDENED); } } diff --git a/include/linux/list.h b/include/linux/list.h index 130c6a1bb45c..164b4d0e9d2a 100644 --- a/include/linux/list.h +++ b/include/linux/list.h 
@@ -38,39 +38,91 @@ static inline void INIT_LIST_HEAD(struct list_head *list) WRITE_ONCE(list->prev, list); } +#ifdef CONFIG_LIST_HARDENED + #ifdef CONFIG_DEBUG_LIST +# define __list_valid_slowpath +#else +# define __list_valid_slowpath __cold __preserve_most +#endif + /* * Performs the full set of list corruption checks before __list_add(). * On list corruption reports a warning, and returns false. */ -extern bool __list_add_valid_or_report(struct list_head *new, - struct list_head *prev, - struct list_head *next); +extern bool __list_valid_slowpath __list_add_valid_or_report(struct list_head *new, + struct list_head *prev, + struct list_head *next); /* * Performs list corruption checks before __list_add(). Returns false if a * corruption is detected, true otherwise. + * + * With CONFIG_LIST_HARDENED only, performs minimal list integrity checking + * inline to catch non-faulting corruptions, and only if a corruption is + * detected calls the reporting function __list_add_valid_or_report(). */ static __always_inline bool __list_add_valid(struct list_head *new, struct list_head *prev, struct list_head *next) { - return __list_add_valid_or_report(new, prev, next); + bool ret = true; + + if (!IS_ENABLED(CONFIG_DEBUG_LIST)) { + /* + * With the hardening version, elide checking if next and prev + * are NULL, since the immediate dereference of them below would + * result in a fault if NULL. + * + * With the reduced set of checks, we can afford to inline the + * checks, which also gives the compiler a chance to elide some + * of them completely if they can be proven at compile-time. If + * one of the pre-conditions does not hold, the slow-path will + * show a report which pre-condition failed. + */ + if (likely(next->prev == prev && prev->next == next && new != prev && new != next)) + return true; + ret = false; + } + + ret &= __list_add_valid_or_report(new, prev, next); + return ret; } /* * Performs the full set of list corruption checks before __list_del_entry(). 
* On list corruption reports a warning, and returns false. */ -extern bool __list_del_entry_valid_or_report(struct list_head *entry); +extern bool __list_valid_slowpath __list_del_entry_valid_or_report(struct list_head *entry); /* * Performs list corruption checks before __list_del_entry(). Returns false if a * corruption is detected, true otherwise. + * + * With CONFIG_LIST_HARDENED only, performs minimal list integrity checking + * inline to catch non-faulting corruptions, and only if a corruption is + * detected calls the reporting function __list_del_entry_valid_or_report(). */ static __always_inline bool __list_del_entry_valid(struct list_head *entry) { - return __list_del_entry_valid_or_report(entry); + bool ret = true; + + if (!IS_ENABLED(CONFIG_DEBUG_LIST)) { + struct list_head *prev = entry->prev; + struct list_head *next = entry->next; + + /* + * With the hardening version, elide checking if next and prev + * are NULL, LIST_POISON1 or LIST_POISON2, since the immediate + * dereference of them below would result in a fault. + */ + if (likely(prev->next == entry && next->prev == entry)) + return true; + ret = false; + } + + ret &= __list_del_entry_valid_or_report(entry); + return ret; } #else static inline bool __list_add_valid(struct list_head *new, diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index fbc89baf7de6..c38745ad46eb 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -1674,9 +1674,14 @@ menu "Debug kernel data structures" config DEBUG_LIST bool "Debug linked list manipulation" depends on DEBUG_KERNEL || BUG_ON_DATA_CORRUPTION + select LIST_HARDENED help - Enable this to turn on extended checks in the linked-list - walking routines. + Enable this to turn on extended checks in the linked-list walking + routines. + + This option trades better quality error reports for performance, and + is more suitable for kernel debugging. If you care about performance, + you should only enable CONFIG_LIST_HARDENED instead. If unsure, say N. 
diff --git a/lib/Makefile b/lib/Makefile index 1ffae65bb7ee..d1397785ec16 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -167,7 +167,7 @@ obj-$(CONFIG_BTREE) += btree.o obj-$(CONFIG_INTERVAL_TREE) += interval_tree.o obj-$(CONFIG_ASSOCIATIVE_ARRAY) += assoc_array.o obj-$(CONFIG_DEBUG_PREEMPT) += smp_processor_id.o -obj-$(CONFIG_DEBUG_LIST) += list_debug.o +obj-$(CONFIG_LIST_HARDENED) += list_debug.o obj-$(CONFIG_DEBUG_OBJECTS) += debugobjects.o obj-$(CONFIG_BITREVERSE) += bitrev.o diff --git a/lib/list_debug.c b/lib/list_debug.c index 2def33b1491f..db602417febf 100644 --- a/lib/list_debug.c +++ b/lib/list_debug.c @@ -2,7 +2,8 @@ * Copyright 2006, Red Hat, Inc., Dave Jones * Released under the General Public License (GPL). * - * This file contains the linked list validation for DEBUG_LIST. + * This file contains the linked list validation and error reporting for + * LIST_HARDENED and DEBUG_LIST. */ #include @@ -17,6 +18,7 @@ * attempt). */ +__list_valid_slowpath bool __list_add_valid_or_report(struct list_head *new, struct list_head *prev, struct list_head *next) { @@ -39,6 +41,7 @@ bool __list_add_valid_or_report(struct list_head *new, struct list_head *prev, } EXPORT_SYMBOL(__list_add_valid_or_report); +__list_valid_slowpath bool __list_del_entry_valid_or_report(struct list_head *entry) { struct list_head *prev, *next; diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index 0f295961e773..ffc3c702b461 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening 
@@ -279,6 +279,19 @@ config ZERO_CALL_USED_REGS endmenu +menu "Hardening of kernel data structures" + +config LIST_HARDENED + bool "Check integrity of linked list manipulation" + help + Minimal integrity checking in the linked-list manipulation routines + to catch memory corruptions that are not guaranteed to result in an + immediate access fault. + + If unsure, say N. + +endmenu + config CC_HAS_RANDSTRUCT def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null) # Randstruct was first added in Clang 15, but it isn't safe to use until
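Review bot: In include/linux/list.h, the tail of both __list_add_valid() and __list_del_entry_valid() ends in `ret &= __list_..._valid_or_report(...)`, and the intent of that line is not documented. On the LIST_HARDENED-only path ret is already false, so the slow path is called purely for its report and its return value is discarded; on the CONFIG_DEBUG_LIST path ret is still true and the result is whatever the slow path returns. A short comment saying so, or spelling the two cases out, would stop a later cleanup from reducing it to a plain `return __list_..._valid_or_report(...)`, which would let an inline-detected corruption pass whenever the slow path returns true. The comments that justify eliding the NULL and LIST_POISON checks should also name what they rely on, namely that those values are never valid mapped addresses.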
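Review bot: In the DEBUG_LIST help text added to lib/Kconfig.debug, "This option trades better quality error reports for performance" reads as though the option gives up report quality to gain speed, which is the opposite of what the following sentence says. Suggest "This option trades performance for better quality error reports" or "provides better quality error reports at the cost of performance".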
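Review bot: The LIST_HARDENED help text in security/Kconfig.hardening says what is checked but not what happens when a check fails, nor how the option relates to DEBUG_LIST. The list.h comments in this patch state that a detected corruption is reported as a warning and the validity check returns false, and DEBUG_LIST now does `select LIST_HARDENED` to add the extended checks on top. One sentence for each in the help text would let someone choose between the two options from menuconfig without reading the source.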
From patchwork Fri Aug 11 15:18:41 2023
X-Patchwork-Submitter: Marco Elver
X-Patchwork-Id: 13351012
Date: Fri, 11 Aug 2023 17:18:41 +0200
In-Reply-To: <20230811151847.1594958-1-elver@google.com>
References: <20230811151847.1594958-1-elver@google.com>
Message-ID: <20230811151847.1594958-4-elver@google.com>
Subject: [PATCH v4 4/4] hardening: Move BUG_ON_DATA_CORRUPTION to hardening options
From: Marco Elver
To: elver@google.com, Andrew Morton, Kees Cook
Cc: Guenter Roeck, Peter Zijlstra, Mark Rutland, Steven Rostedt, Marc Zyngier, Oliver Upton, James Morse, Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon, Arnd Bergmann, Greg Kroah-Hartman, Paul Moore, James Morris, "Serge E. Hallyn", Nathan Chancellor, Nick Desaulniers, Tom Rix, Miguel Ojeda, Sami Tolvanen, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, llvm@lists.linux.dev, Dmitry Vyukov, Alexander Potapenko, kasan-dev@googlegroups.com, linux-toolchains@vger.kernel.org

BUG_ON_DATA_CORRUPTION is turning detected corruptions of list data structures from WARNings into BUGs. This can be useful to stop further corruptions or even exploitation attempts.

However, the option has less to do with debugging than with hardening. With the introduction of LIST_HARDENED, it makes more sense to move it to the hardening options, where it selects LIST_HARDENED instead.

Without this change, combining BUG_ON_DATA_CORRUPTION with LIST_HARDENED alone wouldn't be possible, because DEBUG_LIST would always be selected by BUG_ON_DATA_CORRUPTION.

Signed-off-by: Marco Elver
---
v4:
* New patch, after LIST_HARDENED was made independent of DEBUG_LIST, and now DEBUG_LIST depends on LIST_HARDENED.
---
 lib/Kconfig.debug | 12 +-----------
 security/Kconfig.hardening | 10 ++++++++++
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index c38745ad46eb..c7348d1fabe5 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -1673,7 +1673,7 @@ menu "Debug kernel data structures" config DEBUG_LIST bool "Debug linked list manipulation" - depends on DEBUG_KERNEL || BUG_ON_DATA_CORRUPTION + depends on DEBUG_KERNEL select LIST_HARDENED help Enable this to turn on extended checks in the linked-list walking @@ -1715,16 +1715,6 @@ config DEBUG_NOTIFIERS This is a relatively cheap check but if you care about maximum performance, say N. -config BUG_ON_DATA_CORRUPTION - bool "Trigger a BUG when data corruption is detected" - select DEBUG_LIST - help - Select this option if the kernel should BUG when it encounters - data corruption in kernel memory structures when they get checked - for validity. - - If unsure, say N. - config DEBUG_MAPLE_TREE bool "Debug maple trees" depends on DEBUG_KERNEL diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index ffc3c702b461..2cff851ebfd7 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -290,6 +290,16 @@ config LIST_HARDENED If unsure, say N. +config BUG_ON_DATA_CORRUPTION + bool "Trigger a BUG when data corruption is detected" + select LIST_HARDENED + help + Select this option if the kernel should BUG when it encounters + data corruption in kernel memory structures when they get checked + for validity. + + If unsure, say N. + endmenu config CC_HAS_RANDSTRUCT
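Review bot: Dropping `|| BUG_ON_DATA_CORRUPTION` from the DEBUG_LIST `depends on` line in lib/Kconfig.debug, together with BUG_ON_DATA_CORRUPTION now doing `select LIST_HARDENED` instead of `select DEBUG_LIST`, silently changes what existing configurations get, and the changelog does not say so. A config that had BUG_ON_DATA_CORRUPTION=y previously always had DEBUG_LIST forced on; after this patch it gets only LIST_HARDENED unless DEBUG_LIST is enabled explicitly, and with DEBUG_KERNEL=n DEBUG_LIST can no longer be enabled at all. Please state this in the commit message so that anyone relying on BUG_ON_DATA_CORRUPTION to pull in the extended checks knows to set DEBUG_LIST themselves.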
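Review bot: The BUG_ON_DATA_CORRUPTION entry added to security/Kconfig.hardening carries its old help text over unchanged, so it neither mentions that the option now selects LIST_HARDENED nor gives the hardening rationale that motivates the move. The commit message already has the wording: turning detected corruptions from WARNings into BUGs can stop further corruption or exploitation attempts. Adding that to the help text, with a note that the kernel will BUG rather than continue when a check fails, would make the trade-off clear where the option is chosen.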