Message ID | 20221102110611.1085175-5-glider@google.com |
---|---|
State | New |
Headers | Subject: [PATCH 5/5] x86/traps: avoid KMSAN bugs originating from handle_bug(); From: Alexander Potapenko <glider@google.com>; Date: Wed, 2 Nov 2022 12:06:11 +0100; Message-ID: <20221102110611.1085175-5-glider@google.com>; In-Reply-To: <20221102110611.1085175-1-glider@google.com>; Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org, Andrew Morton, Borislav Petkov, Dave Hansen, Ingo Molnar, Thomas Gleixner |
Series | [1/5] kmsan: core: kmsan_in_runtime() should return true in NMI context |
Commit Message
Alexander Potapenko
Nov. 2, 2022, 11:06 a.m. UTC
There is a case in the exc_invalid_op handler that is executed outside the
irqentry_enter()/irqentry_exit() region when an UD2 instruction is used
to encode a call to __warn().
In that case the `struct pt_regs` passed to the interrupt handler is
never unpoisoned by KMSAN (this is normally done in irqentry_enter()),
which leads to false positives inside handle_bug().
Use kmsan_unpoison_entry_regs() to explicitly unpoison those registers
before using them.
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Signed-off-by: Alexander Potapenko <glider@google.com>
---
arch/x86/kernel/traps.c | 7 +++++++
1 file changed, 7 insertions(+)
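A toy userspace model of the failure mode the commit message describes, added here as an illustration; it is not kernel code and not part of this patch. It keeps one shadow byte per byte of a pt_regs, has "entry assembly" write the frame without clearing shadow (exactly what KMSAN cannot see), and runs handle_bug() before the irqentry_enter() unpoisoning, so the instrumented read of regs->ip is reported unless the frame is unpoisoned first. kmsan_check(), entry_asm_save_regs(), warn_path_reports() and the UD2_WARN_ADDR constant are assumptions invented for the model; handle_bug(), is_valid_bugaddr() and kmsan_unpoison_entry_regs() only echo the kernel names, and their bodies here are stand-ins.

```c
/*
 * Toy model of the KMSAN false positive fixed by this patch.  Everything
 * below is a stand-in written for this page, not kernel code; only some
 * names mirror the kernel's.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UD2_WARN_ADDR 0xffffffff81001234ULL	/* assumed address of a WARN() ud2 */

struct pt_regs {
	uint64_t ip;
	uint64_t sp;
	uint64_t ax;
};

/* One shadow byte per byte of the tracked frame; nonzero = uninitialised. */
static const struct pt_regs *tracked_regs;
static uint8_t shadow[sizeof(struct pt_regs)];
static int kmsan_reports;

static uint8_t *shadow_of(const void *p, size_t n)
{
	ptrdiff_t off = (const char *)p - (const char *)tracked_regs;

	if (!tracked_regs || off < 0 || (size_t)off + n > sizeof(*tracked_regs))
		return NULL;
	return shadow + off;
}

/* What the compiler-inserted check does before an instrumented use. */
static bool kmsan_check(const void *p, size_t n, const char *where)
{
	const uint8_t *s = shadow_of(p, n);

	for (size_t i = 0; s && i < n; i++) {
		if (s[i]) {
			kmsan_reports++;
			fprintf(stderr, "KMSAN: uninit-value in %s\n", where);
			return false;
		}
	}
	return true;
}

/* Model of the kernel helper: declare the whole frame initialised. */
static void kmsan_unpoison_entry_regs(const struct pt_regs *regs)
{
	uint8_t *s = shadow_of(regs, sizeof(*regs));

	if (s)
		memset(s, 0, sizeof(*regs));
}

/* Entry asm: real memory is written, but no instrumented store clears shadow. */
static void entry_asm_save_regs(struct pt_regs *regs, uint64_t ip)
{
	tracked_regs = regs;
	memset(shadow, 0xff, sizeof(shadow));
	regs->ip = ip;
	regs->sp = 0;
	regs->ax = 0;
}

static bool is_valid_bugaddr(uint64_t ip)
{
	return ip == UD2_WARN_ADDR;
}

/* handle_bug() runs *before* irqentry_enter() in exc_invalid_op(). */
static bool handle_bug(struct pt_regs *regs, bool patched)
{
	if (patched)
		kmsan_unpoison_entry_regs(regs);
	kmsan_check(&regs->ip, sizeof(regs->ip), "handle_bug()");	/* instrumented read */
	return is_valid_bugaddr(regs->ip);
}

/* Returns the number of KMSAN reports produced on the WARN() #UD path. */
int warn_path_reports(bool patched)
{
	struct pt_regs regs;
	int reports;

	kmsan_reports = 0;
	entry_asm_save_regs(&regs, UD2_WARN_ADDR);
	if (!handle_bug(&regs, patched))
		kmsan_unpoison_entry_regs(&regs);	/* normal path: irqentry_enter() */
	reports = kmsan_reports;
	tracked_regs = NULL;
	return reports;
}

int main(void)
{
	printf("unpatched: %d report(s)\n", warn_path_reports(false));
	printf("patched:   %d report(s)\n", warn_path_reports(true));
	return 0;
}
```

The WARN() case takes the early return from handle_bug(), so the irqentry_enter() unpoisoning is never reached; the unpatched run reports once, the patched run reports nothing. The same pattern applies to any frame filled by non-instrumented code and read by instrumented code: the fix is to declare the memory initialised at the boundary, not to suppress the report.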
Comments
Peter Zijlstra

On Wed, Nov 02, 2022 at 12:06:11PM +0100, Alexander Potapenko wrote:
> There is a case in the exc_invalid_op handler that is executed outside the
> irqentry_enter()/irqentry_exit() region when an UD2 instruction is used
> to encode a call to __warn().
>
> In that case the `struct pt_regs` passed to the interrupt handler is
> never unpoisoned by KMSAN (this is normally done in irqentry_enter()),
> which leads to false positives inside handle_bug().
>
> Use kmsan_unpoison_entry_regs() to explicitly unpoison those registers
> before using them.

As does poke_int3_handler(); does that need fixing up too? OTOH look
*very very* carefully at the constraints there.

Alexander Potapenko

On Wed, Nov 2, 2022 at 1:51 PM Peter Zijlstra <peterz@infradead.org> wrote:
>
> On Wed, Nov 02, 2022 at 12:06:11PM +0100, Alexander Potapenko wrote:
> > There is a case in the exc_invalid_op handler that is executed outside the
> > irqentry_enter()/irqentry_exit() region when an UD2 instruction is used
> > to encode a call to __warn().
> >
> > In that case the `struct pt_regs` passed to the interrupt handler is
> > never unpoisoned by KMSAN (this is normally done in irqentry_enter()),
> > which leads to false positives inside handle_bug().
> >
> > Use kmsan_unpoison_entry_regs() to explicitly unpoison those registers
> > before using them.
>
> As does poke_int3_handler(); does that need fixing up too? OTOH look
> *very very* carefully at the constraints there.

Fortunately poke_int3_handler() is a noinstr function, so KMSAN doesn't
add any checks to it.
It also does not pass regs to other instrumented functions, at least
for now, so we're good.
On Wed, Nov 02, 2022 at 12:06:11PM +0100, Alexander Potapenko wrote: > diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c > index 178015a820f08..d3fdec706f1d2 100644 > --- a/arch/x86/kernel/traps.c > +++ b/arch/x86/kernel/traps.c > @@ -15,6 +15,7 @@ > #include <linux/context_tracking.h> > #include <linux/interrupt.h> > #include <linux/kallsyms.h> > +#include <linux/kmsan.h> > #include <linux/spinlock.h> > #include <linux/kprobes.h> > #include <linux/uaccess.h> > @@ -301,6 +302,12 @@ static noinstr bool handle_bug(struct pt_regs *regs) > { > bool handled = false; > > + /* > + * Normally @regs are unpoisoned by irqentry_enter(), but handle_bug() > + * is a rare case that uses @regs without passing them to > + * irqentry_enter(). > + */ > + kmsan_unpoison_entry_regs(regs); > if (!is_valid_bugaddr(regs->ip)) > return handled; > Should we place this kmsan_unpoison_entry_regs() after the instrumentation_begin() ?
Peter Zijlstra

On Wed, Nov 02, 2022 at 02:37:19PM +0100, Alexander Potapenko wrote:
> On Wed, Nov 2, 2022 at 1:51 PM Peter Zijlstra <peterz@infradead.org> wrote:
> >
> > On Wed, Nov 02, 2022 at 12:06:11PM +0100, Alexander Potapenko wrote:
> > > There is a case in the exc_invalid_op handler that is executed outside the
> > > irqentry_enter()/irqentry_exit() region when an UD2 instruction is used
> > > to encode a call to __warn().
> > >
> > > In that case the `struct pt_regs` passed to the interrupt handler is
> > > never unpoisoned by KMSAN (this is normally done in irqentry_enter()),
> > > which leads to false positives inside handle_bug().
> > >
> > > Use kmsan_unpoison_entry_regs() to explicitly unpoison those registers
> > > before using them.
> >
> > As does poke_int3_handler(); does that need fixing up too? OTOH look
> > *very very* carefully at the constraints there.
>
> Fortunately poke_int3_handler() is a noinstr function, so KMSAN
> doesn't add any checks to it.
> It also does not pass regs to other instrumented functions, at least
> for now, so we're good.

Ah indeed; because it is fully noinstr, nothing will trigger the lack of
annotation.
On Thu, Nov 3, 2022 at 12:18 PM Peter Zijlstra <peterz@infradead.org> wrote: > > On Wed, Nov 02, 2022 at 12:06:11PM +0100, Alexander Potapenko wrote: > > > diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c > > index 178015a820f08..d3fdec706f1d2 100644 > > --- a/arch/x86/kernel/traps.c > > +++ b/arch/x86/kernel/traps.c > > @@ -15,6 +15,7 @@ > > #include <linux/context_tracking.h> > > #include <linux/interrupt.h> > > #include <linux/kallsyms.h> > > +#include <linux/kmsan.h> > > #include <linux/spinlock.h> > > #include <linux/kprobes.h> > > #include <linux/uaccess.h> > > @@ -301,6 +302,12 @@ static noinstr bool handle_bug(struct pt_regs *regs) > > { > > bool handled = false; > > > > + /* > > + * Normally @regs are unpoisoned by irqentry_enter(), but handle_bug() > > + * is a rare case that uses @regs without passing them to > > + * irqentry_enter(). > > + */ > > + kmsan_unpoison_entry_regs(regs); > > if (!is_valid_bugaddr(regs->ip)) > > return handled; > > > > Should we place this kmsan_unpoison_entry_regs() after the > instrumentation_begin() ? Agreed, let me send an update.
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 178015a820f08..d3fdec706f1d2 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -15,6 +15,7 @@ #include <linux/context_tracking.h> #include <linux/interrupt.h> #include <linux/kallsyms.h> +#include <linux/kmsan.h> #include <linux/spinlock.h> #include <linux/kprobes.h> #include <linux/uaccess.h> @@ -301,6 +302,12 @@ static noinstr bool handle_bug(struct pt_regs *regs) { bool handled = false; + /* + * Normally @regs are unpoisoned by irqentry_enter(), but handle_bug() + * is a rare case that uses @regs without passing them to + * irqentry_enter(). + */ + kmsan_unpoison_entry_regs(regs); if (!is_valid_bugaddr(regs->ip)) return handled;
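Review bot: in the handle_bug() hunk, kmsan_unpoison_entry_regs(regs) is placed at the very top of a function the hunk header shows as `static noinstr bool handle_bug(struct pt_regs *regs)`, i.e. before the function's instrumentation_begin(); unless kmsan_unpoison_entry_regs() is itself noinstr, that is a call from noinstr code into instrumented code, which objtool's noinstr validation flags and which is the point raised in the thread. Move the call (and its comment) to just after instrumentation_begin(). The comment would also read better if it said what actually goes wrong without the call: the entry assembly fills @regs but KMSAN never sees those stores, so the subsequent read of regs->ip for is_valid_bugaddr() is reported as a use of an uninitialised value.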