Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1268096pxu; Mon, 23 Nov 2020 16:32:38 -0800 (PST) X-Google-Smtp-Source: ABdhPJy9GFtjFjKBs0yv9+/5iDyxzlwM7QPovQGVevBVEYQjdYcyKMSpv1860p1VqFMIgKu4CytA X-Received: by 2002:aa7:c2d6:: with SMTP id m22mr1749078edp.368.1606177958090; Mon, 23 Nov 2020 16:32:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606177958; cv=none; d=google.com; s=arc-20160816; b=nj5c8fQ/LpJ9Qb1TUWEABzhopApLYbqnOCDNKjX3tisJFXHESANrTVbGqaE92FMyqt zMqLAqYkTowM1doAD4Z4BkQnsF4urScRNDL8XxpT3mW/3gTDX2gN3qW5IV8qJEnbRqcY PMkbAm+yHWuKmgZSCwvgFy576qD8aT6sbpZGzWGa0nLTh1OlrZjTXH2YAH8x5QG3Db7K f/A/3zuzvfiM9NvIlDp/vdLPDNzhZjjdHX8XoqM70qVmsM1G9N1wb8uGkRZhO8S1HXDV XeQT6T9dt3VLK5OZkb/UV9kNfIVuGpdUUTkEDoj7/Jh8JMzu0EfdvTIGslvBsdx2cv77 uHag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=01wWOa3KrZt/xsoNZQpghL+y/uBnQBFRvt5GfUXKKDw=; b=Jtw9wIHhkxcxUTEiexfttuKivnykU/gLIw/ufI2GtVwLRD/oYFpU+uZZACid+pxyaK GtBW37H1PVyiRrsDHjnJK7AsW9zP8vjAI+0xgvmCRcbPCvygA/b/UkG930FEgZvzRCaP R6cXY6CVRmMOpBn7rAX00+GBF61UlvyREgsuF8cGSzEDlf3jlZt87bSy1RujQRA26LIe wzy+cOR/ZFh+pAqGR8tziEJ9dnOm6RAt6glVQWrqy4ITHq7lykcBgu1r61JQbiBViKgz uS5IJ6CwmALvtTdLQJggZiq3IfBNCDAgKdEU6CB36aOroKX8KeU5Znk3LaUiuByMJLX9 7d4g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=N84kzZfU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a22si8072156eds.497.2020.11.23.16.32.15; Mon, 23 Nov 2020 16:32:38 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=N84kzZfU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389411AbgKWPRN (ORCPT + 99 others); Mon, 23 Nov 2020 10:17:13 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53536 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732197AbgKWPRN (ORCPT ); Mon, 23 Nov 2020 10:17:13 -0500 Received: from mail-oo1-xc41.google.com (mail-oo1-xc41.google.com [IPv6:2607:f8b0:4864:20::c41]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 257DAC0613CF for ; Mon, 23 Nov 2020 07:17:13 -0800 (PST) Received: by mail-oo1-xc41.google.com with SMTP id z13so4018954ooa.5 for ; Mon, 23 Nov 2020 07:17:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=01wWOa3KrZt/xsoNZQpghL+y/uBnQBFRvt5GfUXKKDw=; b=N84kzZfUdOIHKoskaZ7/SzxTFLGDBv9YekZbXOnpqwnqbnztxD2bTRRcgJOta4fqeU 8RCDVN4j+ocDqJHoG2wlk+DWZ165qH6ti74WoVXjWmk1RCGiRts3TUOO+7C1IgdVthtP CZ45M4LlRyjDvEH9otGlsACEHrdcNTb7eFA3bkfOiWrTjRuV0vrSMqEETASrsXu8MLXi WKacfnCmbcZvZ5WuF/6x/eZHabNfb4ORTnmBbFuq1zcIddxGOyvL4dw5iFmz7KEjVyUe M3zqufpX1p6P9c14ZaDVYn71EuiYmO5I5y7trk1O8fXfmV3Uau6/RI5Czxci98P4AbD3 18Ug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=01wWOa3KrZt/xsoNZQpghL+y/uBnQBFRvt5GfUXKKDw=; b=d6RJORpd4aGa6cndHU0di+/bCI/RylCovua7B6rPgdy46JDCmy3kIwzFqZwvLswp76 QFKlzGFHlYwNxbbtxoiXpIQf1CwF1PNWSX9wNpiaPNJ35teDHbzMXS78wJchsl3O+c28 gDtPa9i9SM2ymh4nE7eiw+SYMJ9vKfC2Mm2ncMXzWYmtOIYdwTKQPjnEoUjWEDqWpGWC HgRS+ZDmlI0QZ70UAJ8KJFzZnp1mEMm6sP9j5BwqS0R60TWqM9gJOhjE0OpQoJ4W+z9N FnOn3D8CxQOFI6u57PsUCLTStn7X4CB+E6G3/r3IL3Bb70+I4nb5KN5kf5mI2zg6PYnY INuw== X-Gm-Message-State: AOAM530CnuoRlVENoQdsjtvRCTDiSUClgCUSLOexQ4uvNIoRsFqLBScb UOghJOhnYuxGmUneYN6HpPzuj09Ciy3y75RFTF2YMg== X-Received: by 2002:a4a:e4cc:: with SMTP id w12mr22858288oov.36.1606144632330; Mon, 23 Nov 2020 07:17:12 -0800 (PST) MIME-Version: 1.0 References: <20201123132300.1759342-1-elver@google.com> <20201123135512.GM3021@hirez.programming.kicks-ass.net> In-Reply-To: <20201123135512.GM3021@hirez.programming.kicks-ass.net> From: Marco Elver Date: Mon, 23 Nov 2020 16:17:00 +0100 Message-ID: Subject: Re: [PATCH v2] kcsan: Avoid scheduler recursion by using non-instrumented preempt_{disable,enable}() To: Peter Zijlstra Cc: "Paul E. McKenney" , Will Deacon , Thomas Gleixner , Ingo Molnar , Mark Rutland , Boqun Feng , Dmitry Vyukov , kasan-dev , LKML Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 23 Nov 2020 at 14:55, Peter Zijlstra wrote: > On Mon, Nov 23, 2020 at 02:23:00PM +0100, Marco Elver wrote: > > When enabling KCSAN for kernel/sched (remove KCSAN_SANITIZE := n from > > kernel/sched/Makefile), with CONFIG_DEBUG_PREEMPT=y, we can observe > > recursion due to: > > > > check_access() [via instrumentation] > > kcsan_setup_watchpoint() > > reset_kcsan_skip() > > kcsan_prandom_u32_max() > > get_cpu_var() > > preempt_disable() > > preempt_count_add() [in kernel/sched/core.c] > > check_access() [via instrumentation] > > > > Avoid this by rewriting kcsan_prandom_u32_max() to only use safe > > versions of preempt_disable() and preempt_enable() that do not call into > > scheduler code. > > > > Note, while this currently does not affect an unmodified kernel, it'd be > > good to keep a KCSAN kernel working when KCSAN_SANITIZE := n is removed > > from kernel/sched/Makefile to permit testing scheduler code with KCSAN > > if desired. > > > > Fixes: cd290ec24633 ("kcsan: Use tracing-safe version of prandom") > > Signed-off-by: Marco Elver > > --- > > v2: > > * Update comment to also point out preempt_enable(). > > --- > > kernel/kcsan/core.c | 15 ++++++++++++--- > > 1 file changed, 12 insertions(+), 3 deletions(-) > > > > diff --git a/kernel/kcsan/core.c b/kernel/kcsan/core.c > > index 3994a217bde7..10513f3e2349 100644 > > --- a/kernel/kcsan/core.c > > +++ b/kernel/kcsan/core.c > > @@ -284,10 +284,19 @@ should_watch(const volatile void *ptr, size_t size, int type, struct kcsan_ctx * > > */ > > static u32 kcsan_prandom_u32_max(u32 ep_ro) > > { > > - struct rnd_state *state = &get_cpu_var(kcsan_rand_state); > > - const u32 res = prandom_u32_state(state); > > + struct rnd_state *state; > > + u32 res; > > + > > + /* > > + * Avoid recursion with scheduler by using non-tracing versions of > > + * preempt_disable() and preempt_enable() that do not call into > > + * scheduler code. > > + */ > > + preempt_disable_notrace(); > > + state = raw_cpu_ptr(&kcsan_rand_state); > > + res = prandom_u32_state(state); > > + preempt_enable_no_resched_notrace(); > > This is a preemption bug. Does preempt_enable_notrace() not work? No it didn't, because we end up calling preempt_schedule_notrace(), which again might end in recursion. Normally we could surround this by kcsan_disable_current/kcsan_enable_current(), but that doesn't work because we have this sequence: reset_kcsan_skip(); if (!kcsan_is_enabled()) ... to avoid underflowing the skip counter if KCSAN is disabled. That could be solved by writing to the skip-counter twice: once with a non-random value, and if KCSAN is enabled with a random value. Would that be better? And I'd like to avoid adding __no_kcsan to scheduler functions. Any recommendation? Thanks, -- Marco > > > > > - put_cpu_var(kcsan_rand_state); > > return (u32)(((u64) res * ep_ro) >> 32); > > } > > > > -- > > 2.29.2.454.gaff20da3a2-goog > >