Received: by 2002:a17:90a:9307:0:0:0:0 with SMTP id p7csp3962376pjo;
        Tue, 3 Mar 2020 10:09:30 -0800 (PST)
X-Google-Smtp-Source: ADFU+vvi8wZHhSYsIz6vqObbgXPf2U6vYLD0AY48joXppINJbMiMtbwI097pr4jHZbVfbRPe1/yd
X-Received: by 2002:a05:6808:98e:: with SMTP id a14mr3167901oic.8.1583258970438;
        Tue, 03 Mar 2020 10:09:30 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1583258970; cv=none;
        d=google.com; s=arc-20160816;
        b=TqQMYUWFd3+HL6ntUkEPz0+7lt75A5qVPuDDr+a1XHqGFn85kHeTUCodZ3F4f+hEmy
         8ll7+GYrSwSCEkGZ19BnUs4b3pfn7ussPTqKLvvYunX+CzFr2nwiJAdK0P5XVVNrSbCz
         Xh8AKChf45eysKzHHMpfZcOvbR+B36C4tu5Ffs5QWfPHhkmcqCtIGUry+A2lHvKxOneZ
         EYjRGuSYrGxs1OIeUBFDA+fEbLMGT0q0IbHo00tFR98EQ0ciISKr0bysHvTdsVnypjH6
         OZfQlPetD7uvSG11OeYqy2aWhzjwvVfTaYzjW7iyGmeXLpnpHhYEpk5TxfpQ3DjVFWyy
         moLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=1QskSzXkk1uR/gTFKte9PcDDhEgJX8WglHuzZL1T1G4=;
        b=qm+raNeV8hyHB3lWd5ufwUuGXKP5CZOl1MS2aCwSPyygY0aTuSP/9J/Ry7JqcBNJ5l
         HjzS2vkE84OAtZhB18x20+mL+OKZ3w0BPazPaH/XNqrlGs6VZDlrwkJ3MOl7zI1p4lAe
         7WsnneRygMaJBLuZKTa41/Fpq4UJlipJ8zETGDsYA4SkoTcddatXsgH4lxMi5CcSh98o
         MRzNql9Y7sgpztQkp+yWKAL6mpscFQsHbBHyzgB1NYcM1XdnLayILtkDWtF3Dix0f7GE
         pwRiB3otFhwnKtsAm3gXKxngz4uniqOZlZsjsn6Ipam938eos/Eyxd58VeqGcRD/09kF
         pXvw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="EkdAW6/g";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k16si8302321oiw.128.2020.03.03.10.09.17;
        Tue, 03 Mar 2020 10:09:30 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="EkdAW6/g";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388150AbgCCSId (ORCPT <rfc822;ulfalizer@gmail.com> + 99 others);
        Tue, 3 Mar 2020 13:08:33 -0500
Received: from mail-oi1-f194.google.com ([209.85.167.194]:45554 "EHLO
        mail-oi1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730394AbgCCRxc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Mar 2020 12:53:32 -0500
Received: by mail-oi1-f194.google.com with SMTP id v19so3890045oic.12
        for <linux-kernel@vger.kernel.org>; Tue, 03 Mar 2020 09:53:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=1QskSzXkk1uR/gTFKte9PcDDhEgJX8WglHuzZL1T1G4=;
        b=EkdAW6/gbfcyTLcI6cTuLSxNcHGev64LQOUj5OAjNQw2Xj0vLIPKWYamrckOeGPLtq
         MhahHQt+YRF0QGMJZcGPkOWZV/8U8AknEZxlXU2VZ+FrViArmUtKhGfIaEUbH7F/gF4T
         04hPqBSpVHKtoGKcQNVvvSuZKE0Vy3OUl+JOHQR+tULqSkdsfOHK69X+FeNXTap9cvFf
         C/YFZiDDbNYtWupxyhH4d0URwyaCyd8kqZvCe5TE6eQtT1l4uTTY9eodjkNdGJDN0ujX
         +t9dGG48tMSUkTYHDv2NOPSrqgFzqNTMcYapNtcIFzhp5ASA9hiX7gzvkquAyM5Bko1n
         AiOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=1QskSzXkk1uR/gTFKte9PcDDhEgJX8WglHuzZL1T1G4=;
        b=JcpaGQzNZmnUUPRlps+OUZUQKD1OBC7HItzS7cQ4ayD53zVz1mD42rlItGZsHEaHrW
         bEY4zhYeJhViPCsqQw8K3gLz9bxLn7ypD3QE2UsekVCC++gLXG/BTysMvHDVogTiNoHd
         AiGc+apYT19BZhzydzrpk8E8WxJKcClrClCEc6grbjq6cQPus//IJuC3OwCDszQjRb17
         qNi5EP0AuS0Kgmc8vf8ens2+tmgwDHVV1ygloxliVcbFiOS4J4fdmJQr+vH+VAwAzBzW
         PL3qfY2P4aY+Eu1uxBlvbFs35MXZz2SIPlcAZcOWWtuwWEIKEf7XFiHisY8Rp8tF93+K
         oMtQ==
X-Gm-Message-State: ANhLgQ1lSQlDoCYOZkYRZRqPYfckyze/LAI01AGPT3VdRXlqkBIkX/Cf
        rSjrX6qZfADG6Ef0kY3eF7cMfE0eDxniiZP3QWtwr4ZcOUY=
X-Received: by 2002:aca:4cd8:: with SMTP id z207mr3096082oia.155.1583258011709;
 Tue, 03 Mar 2020 09:53:31 -0800 (PST)
MIME-Version: 1.0
References: <1583256049-15497-1-git-send-email-cai@lca.pw>
In-Reply-To: <1583256049-15497-1-git-send-email-cai@lca.pw>
From:   Marco Elver <elver@google.com>
Date:   Tue, 3 Mar 2020 18:53:20 +0100
Message-ID: <CANpmjNPJc_45+h_yJWwmw=YUuWduD6pPX2vdfPVekPvnnHd+_Q@mail.gmail.com>
Subject: Re: [PATCH -next] signal: annotate data races in sys_rt_sigaction
To:     Qian Cai <cai@lca.pw>
Cc:     Andrew Morton <akpm@linux-foundation.org>,
        Oleg Nesterov <oleg@redhat.com>, catalin.marinas@arm.com,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 3 Mar 2020 at 18:21, Qian Cai <cai@lca.pw> wrote:
>
> Kmemleak could scan task stacks while plain writes happens to those
> stack variables which could results in data races. For example, in
> sys_rt_sigaction and do_sigaction(), it could have plain writes in
> a 32-byte size. Since the kmemleak does not care about the actual values
> of a non-pointer and all do_sigaction() call sites only copy to stack
> variables, annotate them as intentional data races using the
> data_race() macro. The data races were reported by KCSAN,
>
>  BUG: KCSAN: data-race in _copy_from_user / scan_block
>
>  read to 0xffffb3074e61fe58 of 8 bytes by task 356 on cpu 19:
>   scan_block+0x6e/0x1a0
>   scan_block at mm/kmemleak.c:1251
>   kmemleak_scan+0xbea/0xd20
>   kmemleak_scan at mm/kmemleak.c:1482
>   kmemleak_scan_thread+0xcc/0xfa
>   kthread+0x1cd/0x1f0
>   ret_from_fork+0x3a/0x50

I think we should move the annotations to kmemleak instead of signal.c.

Because putting a "data_race()" on the accesses in signal.c just
because of Kmemleak feels wrong because then we might miss other more
serious issues. Kmemleak isn't normally enabled in a non-debug kernel.

I wonder if it'd be a better idea to just disable KCSAN on scan_block
with __no_kcsan? If Kmemleak only does reads, then __no_kcsan will do
the right thing here, because the reads are hidden completely from
KCSAN. With "data_race()" you would still have to mark both accesses
in signal.c and kmemleak (this is by design, so that we document all
intentionally data-racy accesses).

An alternative would be to just exempt kmemleak from KCSAN with
"KCSAN_SANITIZE_kmemleak.o := n". Given Kmemleak is a debugging tool
and it's expected to race with all kinds of accesses, maybe that's the
best option.

Thanks,
-- Marco

>  write to 0xffffb3074e61fe58 of 32 bytes by task 30208 on cpu 2:
>   _copy_from_user+0xb2/0xe0
>   copy_user_generic at arch/x86/include/asm/uaccess_64.h:37
>   (inlined by) raw_copy_from_user at arch/x86/include/asm/uaccess_64.h:71
>   (inlined by) _copy_from_user at lib/usercopy.c:15
>   __x64_sys_rt_sigaction+0x83/0x140
>   __do_sys_rt_sigaction at kernel/signal.c:4245
>   (inlined by) __se_sys_rt_sigaction at kernel/signal.c:4233
>   (inlined by) __x64_sys_rt_sigaction at kernel/signal.c:4233
>   do_syscall_64+0x91/0xb05
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Signed-off-by: Qian Cai <cai@lca.pw>
> ---
>  kernel/signal.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/signal.c b/kernel/signal.c
> index 5b2396350dd1..bf39078c8be1 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -3964,14 +3964,15 @@ int do_sigaction(int sig, struct k_sigaction *act, struct k_sigaction *oact)
>
>         spin_lock_irq(&p->sighand->siglock);
>         if (oact)
> -               *oact = *k;
> +               /* Kmemleak could scan the task stack. */
> +               data_race(*oact = *k);
>
>         sigaction_compat_abi(act, oact);
>
>         if (act) {
>                 sigdelsetmask(&act->sa.sa_mask,
>                               sigmask(SIGKILL) | sigmask(SIGSTOP));
> -               *k = *act;
> +               data_race(*k = *act);
>                 /*
>                  * POSIX 3.3.1.3:
>                  *  "Setting a signal action to SIG_IGN for a signal that is
> @@ -4242,7 +4243,9 @@ int __compat_save_altstack(compat_stack_t __user *uss, unsigned long sp)
>         if (sigsetsize != sizeof(sigset_t))
>                 return -EINVAL;
>
> -       if (act && copy_from_user(&new_sa.sa, act, sizeof(new_sa.sa)))
> +       if (act &&
> +           /* Kmemleak could scan the task stack. */
> +           data_race(copy_from_user(&new_sa.sa, act, sizeof(new_sa.sa))))
>                 return -EFAULT;
>
>         ret = do_sigaction(sig, act ? &new_sa : NULL, oact ? &old_sa : NULL);
> --
> 1.8.3.1
>