Received: by 10.223.176.5 with SMTP id f5csp4056400wra;
        Tue, 30 Jan 2018 01:13:16 -0800 (PST)
X-Google-Smtp-Source: AH8x224CwxyF4xx5K0n6YZdGOl7EAsfgrg/5I9VvpXZuHIAq38fQ73e29qZ+INjvaG+CgAvg6YVF
X-Received: by 10.98.62.69 with SMTP id l66mr29926414pfa.20.1517303596725;
        Tue, 30 Jan 2018 01:13:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517303596; cv=none;
        d=google.com; s=arc-20160816;
        b=DCmufXSzk18p/Xmlj72vaXb4qdXcjBujbdFDzB3Mn2fvGv1Ga/wyPR4uh1+N5sa+Wx
         0B8fE5zf4sO3F4WYMmkp2BheE9usiIzW9jlBNmP5FhLUmhraISwo0iRAAUZusSr67UNB
         v3l+1mGtt0K8JzuB+K8bSsyzwmw9KmhCUW4jmELhCyO55jICyN9yOhVGy1UMjiA0+R+e
         kgEbZqQZf3SFyIY7v3FGkgFIgr1xfVXbp9AFFpqffA0TzQRIm9tm/XzkX7Rf8T4Wi1Ek
         heGmT4RI8+K9wT9j8jZj2EdN/5/Tsk+KnMWmaX/efQ3m1gC1P0T+dfF0AN9Bbq7dDXrH
         7Fpw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=80WLPkGN27WQrt5DvZAXkwVsL4VSuUGMDFM4hMAx+Pg=;
        b=Jxy5YiGEb2zA1t/DIbACAIWiLBjQf4JkkYnm/AAmJUr6k+DOn3KnNlseIAVW7Uh84y
         L1Rp6BueIOjLC9gGMtlvJVIpslJ6ezDQQ/WWmcoIkEo4+8QZrRfshYHJ/gpASnaDooG6
         awxBdHn3apcsnwj/u0h2gTmsf8zAoIzTE7LUJ76dciD6Zx+S2iyOtm4DWyee+VmFPD31
         Fo4lXKHRp8Hx7jY0r9Fjg6ba6VJYJ5tIocJGp0C3k4sUnHRP7czWZUzXcJx2oCAOBj+q
         D8Xp5VbhEo//W9xUWGkIkLxIWRO9iS0yqgZryokXDvXJonOTy/1MnENRshpmxPPf21EF
         fb0Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=fRHKwr2S;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a23-v6si2372127pls.382.2018.01.30.01.13.02;
        Tue, 30 Jan 2018 01:13:16 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=fRHKwr2S;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751567AbeA3JMj (ORCPT <rfc822;vladislav.valtchev@gmail.com>
        + 99 others); Tue, 30 Jan 2018 04:12:39 -0500
Received: from mail-pf0-f194.google.com ([209.85.192.194]:47047 "EHLO
        mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750959AbeA3JMf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 30 Jan 2018 04:12:35 -0500
Received: by mail-pf0-f194.google.com with SMTP id y5so8266061pff.13
        for <linux-kernel@vger.kernel.org>; Tue, 30 Jan 2018 01:12:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=80WLPkGN27WQrt5DvZAXkwVsL4VSuUGMDFM4hMAx+Pg=;
        b=fRHKwr2SYTuMt9ULHIG52EVdEhl5aDqIIdKvWd40oLcjQ9EYnMw01grFqe6+BHCTEL
         k5NJbh1cwmEqxuUoUJNH3g2/kgHnqGH4a6FA/CtoGujt2JwDTKc+UVRd/npHCp3N/wFz
         evpjslXAAuvedThoemgcYU5nt7TQPb+KEnjL+aTlZl6niDmTXFDYEbuV/1Eo7Cnt1bhm
         hj52B3oWSOUuRFrQLk7rB3WRPqDGdH//gcCWASdNHZCoyw3XUEVfCJPJopDgl++fbmXR
         U5VrMPq58l1+VxFzK5Kz+AYThLhEZPjxR54j3wRQ8Qrf+93O3ZWPy8Ysdfx5+c13Gcbs
         63tw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=80WLPkGN27WQrt5DvZAXkwVsL4VSuUGMDFM4hMAx+Pg=;
        b=SzHWg+g1542IMKiqczQvHAhnD3Upq7J+iZTNlB+67d+tZv5ZQaYsxJBEAd+2xxULDK
         v2R+mryHZ2CPH7Md/sOU70cmAhTtk8JTRY94IjC6q6Lle5pA/cT4s47tLCsC4H9XIXNQ
         dKg4+PfjSMwrpAp6V5H6wmqCX4QqVANGyd+0dKrB4WZwuCJ+7qUlUDI56EOrjAkg7Eml
         Pdw/RdkGiSjOce/FWutJNkJcMeSYRg99Vrz8tz8D64Q49FtQOsZ5I1M62guagoGPL31n
         pis0YYHVP+KSlxxmTw2AdjsDZqAJ7h2poWI8CfIk6+Q7EuTo3aZnt/vOFq8po4ZG3FyS
         fSIw==
X-Gm-Message-State: AKwxytc8cGzuWeEpgx1d9JNTBnYAvKKS4svdUQ08p2clQrjSPKRIeK5o
        d8YlgOO1R8fwq5JEtXGKlvT1kkHv3NuPv24CRQuS1w==
X-Received: by 2002:a17:902:76cc:: with SMTP id j12-v6mr22399255plt.120.1517303555087;
 Tue, 30 Jan 2018 01:12:35 -0800 (PST)
MIME-Version: 1.0
Received: by 10.236.140.151 with HTTP; Tue, 30 Jan 2018 01:12:14 -0800 (PST)
In-Reply-To: <0c502342-a4c5-846e-8ca1-ea5cb68f382c@virtuozzo.com>
References: <20180109163745.3692-1-aryabinin@virtuozzo.com>
 <50fcfba8-fc16-b4a1-d117-24ebbe959c0c@virtuozzo.com> <e6de0ec1-c59c-fea4-0335-4c5609e21656@prevas.dk>
 <CA+55aFwmVfiH4m1iBUN_HUYQ4RHN5Eg_4rq_bGysK-Ho0dFoeQ@mail.gmail.com>
 <CACT4Y+Y=NKgSLQqy0zrOuSOWOd2H2P0DcN09CnV+XnXuAgRF8Q@mail.gmail.com>
 <CA+55aFwqDxBSKf3u2Uv-90vrhx4WSoQunOPU3witzCAuNhYBhg@mail.gmail.com> <0c502342-a4c5-846e-8ca1-ea5cb68f382c@virtuozzo.com>
From:   Dmitry Vyukov <dvyukov@google.com>
Date:   Tue, 30 Jan 2018 10:12:14 +0100
Message-ID: <CACT4Y+a0B=siu1Mk3dS1SdY8Qj240hhUYPcPNM+29aeqQ+PwxQ@mail.gmail.com>
Subject: Re: [PATCH] lib/strscpy: remove word-at-a-time optimization.
To:     Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc:     Linus Torvalds <torvalds@linux-foundation.org>,
        Rasmus Villemoes <rasmus.villemoes@prevas.dk>,
        Andrew Morton <akpm@linux-foundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        Eryu Guan <eguan@redhat.com>,
        Alexander Potapenko <glider@google.com>,
        Chris Metcalf <metcalf@alum.mit.edu>,
        David Laight <David.Laight@aculab.com>,
        stable <stable@vger.kernel.org>,
        kasan-dev <kasan-dev@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 25, 2018 at 8:13 PM, Andrey Ryabinin
<aryabinin@virtuozzo.com> wrote:
> On 01/25/2018 08:55 PM, Linus Torvalds wrote:
>> On Thu, Jan 25, 2018 at 12:32 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
>>> On Wed, Jan 24, 2018 at 6:52 PM, Linus Torvalds
>>> <torvalds@linux-foundation.org> wrote:
>>>>
>>>> So I'd *much* rather have some way to tell KASAN that word-at-a-time
>>>> is going on. Because that approach definitely makes a difference in
>>>> other places.
>>>
>>> The other option was to use READ_ONCE_NOCHECK().
>>
>> How about just using the same accessor that we do for the dcache case.
>> That gives a reasonable example of the whole word-at-a-time model, and
>> should be good.
>>
>
> If we also instrument load_unaligned_zeropad() with kasan_check_read(addr, 1),
> than it should be fine. We don't want completely unchecked read of a source string.
>
> But I also would like to revert df4c0e36f1b1 ("fs: dcache: manually unpoison dname after allocation to shut up kasan's reports")
> So I was going to send something like the hunk bellow (split in several patches).
>
> Or we could just use instrumented load_unalingned_zeropad() everywhere, but it seems wrong
> to use it to load *cs only to shut up KASAN.
>
>
> ---
>  fs/dcache.c              |  2 +-
>  include/linux/compiler.h | 11 +++++++++++
>  lib/string.c             |  2 +-
>  3 files changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/fs/dcache.c b/fs/dcache.c
> index 5c7df1df81ff..6aa7be55a96d 100644
> --- a/fs/dcache.c
> +++ b/fs/dcache.c
> @@ -195,7 +195,7 @@ static inline int dentry_string_cmp(const unsigned char *cs, const unsigned char
>         unsigned long a,b,mask;
>
>         for (;;) {
> -               a = *(unsigned long *)cs;
> +               a = READ_PARTIAL_CHECK(*(unsigned long *)cs);
>                 b = load_unaligned_zeropad(ct);
>                 if (tcount < sizeof(unsigned long))
>                         break;
> diff --git a/include/linux/compiler.h b/include/linux/compiler.h
> index 52e611ab9a6c..85b63c2e196e 100644
> --- a/include/linux/compiler.h
> +++ b/include/linux/compiler.h
> @@ -240,6 +240,7 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
>   * required ordering.
>   */
>  #include <asm/barrier.h>
> +#include <linux/kasan-checks.h>
>
>  #define __READ_ONCE(x, check)                                          \
>  ({                                                                     \
> @@ -259,6 +260,16 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
>   */
>  #define READ_ONCE_NOCHECK(x) __READ_ONCE(x, 0)
>
> +#ifdef CONFIG_KASAN
> +#define READ_PARTIAL_CHECK(x)          \
> +({                                     \
> +       kasan_check_read(&(x), 1);      \
> +       READ_ONCE_NOCHECK(x);           \
> +})
> +#else
> +#define READ_PARTIAL_CHECK(x) (x)
> +#endif
> +
>  #define WRITE_ONCE(x, val) \
>  ({                                                     \
>         union { typeof(x) __val; char __c[1]; } __u =   \
> diff --git a/lib/string.c b/lib/string.c
> index 64a9e33f1daa..2396856e4c56 100644
> --- a/lib/string.c
> +++ b/lib/string.c
> @@ -203,7 +203,7 @@ ssize_t strscpy(char *dest, const char *src, size_t count)
>         while (max >= sizeof(unsigned long)) {
>                 unsigned long c, data;
>
> -               c = *(unsigned long *)(src+res);
> +               c = READ_PARTIAL_CHECK(*(unsigned long *)(src+res));
>                 if (has_zero(c, &data, &constants)) {
>                         data = prep_zero_mask(c, data, &constants);
>                         data = create_zero_mask(data);


Looks good to me a general way to support word-at-a-time pattern.

This will also get rid of this in fs/dcache.c:

                if (IS_ENABLED(CONFIG_DCACHE_WORD_ACCESS))
                        kasan_unpoison_shadow(dname,
                                round_up(name->len + 1, sizeof(unsigned long)));