Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp246153iob; Mon, 2 May 2022 18:24:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzLITVOuBuBujGsnnjdaJ8/Hd74tK7uduyzmL4aFzAi9s197voq7LYwJp+KeyVl7G9ccRXc X-Received: by 2002:a05:6a00:2391:b0:50a:3ea9:e84d with SMTP id f17-20020a056a00239100b0050a3ea9e84dmr13824318pfc.21.1651541053167; Mon, 02 May 2022 18:24:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651541053; cv=none; d=google.com; s=arc-20160816; b=s932oMEJ032KaXOcc6tuSCT/BH6UN9hnm/1bzu4uyfd++KOsfagW8CJ0SY8ZsqEsMC ZF1ZtXdRYPVIr3IiswVcCLjEl+JTXelgR3Aq2bTHZx1sTY133jjcOKaW0fMqqJBIxIX0 izRltFHqdCq/wIZ699rHmOTDDcA31mgaUSx/Xq+iyF9TeY8OdOo/JCrQ+wFBdc1AkleS 5BUCmbrSEBSJFa5fUWwNJQo+qvvUuyFIaJRyQ5TSvfhZynIUl5LvecUzf8HNfV6THCXW PIJj9edo1BTbmG/P1vuwSizI3FpdxrL0mPBtKsdGf36zuVDWWZLWm1HOm65nZTv5EVeV RaSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:references :in-reply-to:subject:cc:to:dkim-signature:dkim-signature:from; bh=S+6N0/e64EIdyK+q6LMgUsbq+bhYAt3HjkhVHWMdsus=; b=wqXieD17fv2/78wtMcszRnNm1GZhJKcY1fayzH3pQ+gQew9zg+VItcNnFs2nxho3H/ RrJ+raBH7fRhu7oFZUyIoVteJOHPS8qHoOtVFfEwZ+a4Hokdjt+TpGpWJEwP5qJs+ZDa bfIxZGw/vJ6uy+kd3yQxFAAAmkmiix6NxuC/7Wh/Pu7gc2gsq9D9sspFtpQH7A3kRHMh 1q6ef0+Bg9yD0CYUE/2dFDTzsNL9qvrllFskg3QOL4dbm4nhwHKj0xotCz+WOdug7ZZT tL3zcwD550z242pmB85REo+y1OoZ5N/CRto8Q+1JWo1TpeEvNGYO3B2kDmxAySxk6OQZ JeyA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=J4ag3vPs; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id r5-20020a63e505000000b003abadb1ec17si14406737pgh.355.2022.05.02.18.24.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 May 2022 18:24:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=J4ag3vPs; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C2FC83C48B; Mon, 2 May 2022 18:03:20 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1387873AbiEBWGn (ORCPT + 99 others); Mon, 2 May 2022 18:06:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48204 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1387872AbiEBWEg (ORCPT ); Mon, 2 May 2022 18:04:36 -0400 Received: from galois.linutronix.de (Galois.linutronix.de [IPv6:2a0a:51c0:0:12e:550::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F25421121; Mon, 2 May 2022 15:00:38 -0700 (PDT) From: Thomas Gleixner DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1651528836; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=S+6N0/e64EIdyK+q6LMgUsbq+bhYAt3HjkhVHWMdsus=; b=J4ag3vPsEDwZL+oCRqsEO5q2bCVT/HCkvHwIg31PZIT8GAn+5OvAJ9MB0oE+dSl/FZn9lT 8VPpLDbIih1vFggASgksDtYmiVBbHSJwF/fubcT3vrCrUbbkVdHeGngVe0kLhHEucAvfGj Pyexx+cRTEiAtoXS5txfgqibNdzqinMk3iNHKba4cz7SLU/uFjbq9loqbmQWaWdX7kwDMd JD0HUcmMAB7CC4x/ovCypKg2bMkTHIJpPHY0BX920/Wh+q9EHwwnNq5+12TFhA2Boy6pxW hmtN4ct8VE5HfqtehZYAeCyycX8/yEfdLx276Zgg8Z7BShDGBYTzFqWcmVhk5A== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1651528836; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=S+6N0/e64EIdyK+q6LMgUsbq+bhYAt3HjkhVHWMdsus=; b=CrQCUSltbRIGwTmnXdob0vtJs1is4KaNlYBouH31HPLXfAgPFVKmtpsZle3KY/3l9JTQXk UoH9SeEf65beUPAw== To: Alexander Potapenko Cc: Alexander Viro , Andrew Morton , Andrey Konovalov , Andy Lutomirski , Arnd Bergmann , Borislav Petkov , Christoph Hellwig , Christoph Lameter , David Rientjes , Dmitry Vyukov , Eric Dumazet , Greg Kroah-Hartman , Herbert Xu , Ilya Leoshkevich , Ingo Molnar , Jens Axboe , Joonsoo Kim , Kees Cook , Marco Elver , Mark Rutland , Matthew Wilcox , "Michael S. Tsirkin" , Pekka Enberg , Peter Zijlstra , Petr Mladek , Steven Rostedt , Vasily Gorbik , Vegard Nossum , Vlastimil Babka , kasan-dev , Linux Memory Management List , Linux-Arch , LKML Subject: Re: [PATCH v3 28/46] kmsan: entry: handle register passing from uninstrumented code In-Reply-To: References: <20220426164315.625149-1-glider@google.com> <20220426164315.625149-29-glider@google.com> <87a6c6y7mg.ffs@tglx> Date: Tue, 03 May 2022 00:00:36 +0200 Message-ID: <87y1zjlhmj.ffs@tglx> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Alexander, On Mon, May 02 2022 at 19:00, Alexander Potapenko wrote: > On Wed, Apr 27, 2022 at 3:32 PM Thomas Gleixner wrote: >> > --- a/kernel/entry/common.c >> > +++ b/kernel/entry/common.c >> > @@ -23,7 +23,7 @@ static __always_inline void __enter_from_user_mode(struct pt_regs *regs) >> > CT_WARN_ON(ct_state() != CONTEXT_USER); >> > user_exit_irqoff(); >> > >> > - instrumentation_begin(); >> > + instrumentation_begin_with_regs(regs); >> >> I can see what you are trying to do, but this will end up doing the same >> thing over and over. Let's just look at a syscall. >> >> __visible noinstr void do_syscall_64(struct pt_regs *regs, int nr) >> { >> ... >> nr = syscall_enter_from_user_mode(regs, nr) >> >> __enter_from_user_mode(regs) >> ..... >> instrumentation_begin_with_regs(regs); >> .... >> >> instrumentation_begin_with_regs(regs); >> .... >> >> instrumentation_begin_with_regs(regs); >> >> if (!do_syscall_x64(regs, nr) && !do_syscall_x32(regs, nr) && nr != -1) { >> /* Invalid system call, but still a system call. */ >> regs->ax = __x64_sys_ni_syscall(regs); >> } >> >> instrumentation_end(); >> >> syscall_exit_to_user_mode(regs); >> instrumentation_begin_with_regs(regs); >> __syscall_exit_to_user_mode_work(regs); >> instrumentation_end(); >> __exit_to_user_mode(); >> >> That means you memset state four times and unpoison regs four times. I'm >> not sure whether that's desired. > > Regarding the regs, you are right. It should be enough to unpoison the > regs at idtentry prologue instead. > I tried that initially, but IIRC it required patching each of the > DEFINE_IDTENTRY_XXX macros, which already use instrumentation_begin(). Exactly 4 instances :) > This decision can probably be revisited. It has to be revisited because the whole thing is incomplete if this is not addressed. > As for the state, what we are doing here is still not enough, although > it appears to work. > > Every time an instrumented function calls another function, it sets up > the metadata for the function arguments in the per-task struct > kmsan_context_state. > Similarly, every instrumented function expects its caller to put the > metadata into that structure. > Now, if a non-instrumented function (e.g. every `noinstr` function) > calls an instrumented one (which happens inside the > instrumentation_begin()/instrumentation_end() region), nobody sets up > the state for that instrumented function, so it may report false > positives when accessing its arguments, if there are leftover poisoned > values in the state. > > To overcome this problem, ideally we need to wipe kmsan_context_state > every time a call from the non-instrumented function occurs. > But this cannot be done automatically exactly because we cannot > instrument the named function :) > > We therefore apply an approximation, wiping the state at the point of > the first transition between instrumented and non-instrumented code. > Because poison values are generally rare, and instrumented regions > tend to be short, it is unlikely that further calls from the same > non-instrumented function will result in false positives. > Yet it is not completely impossible, so wiping the state for the > second/third etc. time won't hurt. Understood. But if I understand you correctly: > Similarly, every instrumented function expects its caller to put the > metadata into that structure. then instrumentation_begin(); foo(fargs...); bar(bargs...); instrumentation_end(); is a source of potential false positives because the state is not guaranteed to be correct, neither for foo() nor for bar(), even if you wipe the state in instrumentation_begin(), right? This approximation approach smells fishy and it's inevitably going to be a constant source of 'add yet another kmsan annotation/fixup' patches, which I'm not interested in at all. As this needs compiler support anyway, then why not doing the obvious: #define noinstr \ .... __kmsan_conditional #define instrumentation_begin() \ ..... __kmsan_cond_begin #define instrumentation_end() \ __kmsan_cond_end ....... and let the compiler stick whatever is required into that code section between instrumentation_begin() and instrumentation_end()? That's not violating any of the noinstr constraints at all. In fact we allow _any_ instrumentation to be placed between this two points. We have tracepoints there today. We could also allow breakpoints, kprobes or whatever, but handling this at that granularity level for a production kernel is just overkill and the code in those instrumentable sections is usually not that interesting as it's mostly function calls. But if the compiler converts instrumentation_begin(); foo(fargs...); bar(bargs...); instrumentation_end(); to instrumentation_begin(); kmsan_instr_begin_magic(); kmsan_magic(fargs...); foo(fargs...); kmsan_magic(bargs...); bar(bargs...); kmsan_instr_end_magic(); instrumentation_end(); for the kmsan case and leaves anything outside of these sections alone, then you have: - a minimal code change - the best possible coverage - the least false positive crap to chase and annotate IOW, a solution which is solid and future proof. I'm all for making use of advanced instrumentation, validation and debugging features, but this mindset of 'make the code comply to what the tool of today provides' is fundamentally wrong. Tools have to provide value to the programmer and not the other way round. Yes, it's more work on the tooling side, but the tooling side is mostly a one time effort while chasing the false positives is a long term nightmare. Thanks, tglx