Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp5166104iob; Mon, 9 May 2022 10:01:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxLBUdjXFDPvT3XCDyVnRdYUcC76Qx8+dVHnhpktjitzUMEUFCZQ7khTy41pBqqcXQPMn6E X-Received: by 2002:a05:6808:ecf:b0:2f9:f0b1:7ee8 with SMTP id q15-20020a0568080ecf00b002f9f0b17ee8mr7841168oiv.225.1652115663084; Mon, 09 May 2022 10:01:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652115663; cv=none; d=google.com; s=arc-20160816; b=xAdVlLXfcsk3s9NJvOwsLVFQOXVoJGej+RVyJdlxr/r6KtUaJvbBwTKmbtqtzEyvso P2u81mCU44E2BUntQn5HaSwliBbkHAvgdVNK4nTKNWQteehzGBjgAHE32EQ+Y1oJwE1e P5FNzkxKjQMJMaR3L65ogdqo7kJ+1Q8x3azVHTWeXo53GOLBxQtuSWp8e8OJZ4lnsp64 NMLweC1TsyLP2FClrAwy+Y47u8MoKUbEnTezljp9pysv/9n+fqSJjq1DW3DhrvrbbIX6 5svPp/DmxA2fr+K9w5pEf8bZLwVnd1Mj5dIUyWMSUXvJsYgY4X/YakqhaMxnhBI52pjz Zdgg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=xv3YNr+ejtNXLt/3K/MJW1lmyFr4+HmU5M46knKl15A=; b=xAmLq3sbLiJ8ngy44V5CKWqmUGCAwP8e4ui3mfY3JctOVxU6TSKOTnGfXiJqRywPuQ ysemyaCaONoE7DrFsE3KjtVwZ3JYwZVDaSvKf81nVeTXYjfb4pU3Cr7AAdkJV+F5DUtd 3G2vpFZgHSbRgAq04VheiUc9jSCfLCAyniMXRXBo36vlR3S2SqJ3Rzfdok6OztNuwnFP cw90QHwljE1cxzqDmKnS7Rmo4pKZSSzTIQZVpmjuIE6q1PhAEZAqHv+R8aW2t1SfUhyw EVL3IaOrmd9RvY4z14SnoY6GsxUy+pU08a25J3Exeelr4vHixYxKHzAt+8Q+Mv7cXpRJ /t0g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=qzQQBeDI; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id n2-20020a056870844200b000e28d81a577si9439477oak.71.2022.05.09.10.01.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 May 2022 10:01:03 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=qzQQBeDI; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D0A77189E6C; Mon, 9 May 2022 09:51:33 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239297AbiEIQzV (ORCPT + 99 others); Mon, 9 May 2022 12:55:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52544 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239292AbiEIQzT (ORCPT ); Mon, 9 May 2022 12:55:19 -0400 Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BBE1D132A03 for ; Mon, 9 May 2022 09:51:22 -0700 (PDT) Received: by mail-yb1-xb34.google.com with SMTP id y76so26069080ybe.1 for ; Mon, 09 May 2022 09:51:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=xv3YNr+ejtNXLt/3K/MJW1lmyFr4+HmU5M46knKl15A=; b=qzQQBeDIXPjgQg9o0N4Qf/md5IkN/vOjVl6fC5GVKpgiXu3VqQ/t2/oS949Ye1D/MP UoEvD6TzcTAbTEOWhMRa72QRymRlxd44YwrhzjfcdgXzCga+Om3dMx9Y+OSJQt5zRCw3 +MuxBTB3B0MvvcOO0cZ1OiXpyzKXU1QlXZmnNuwPOI1GJaPuCVDT73Opv7ihk/0krrY8 BC/rUoXJHVUJJXttPpWAOFWYLUYLpxOIpnTQzxAPE29v1qLwJyg8jx4Uj7aiUyLR7b7x g9MPBOkAhKiTuw3GTexW2rDM44fgqYj3KRXhFl+BHrBm7Llo4mUKfe4O72BYjWNiD5xd TPVQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=xv3YNr+ejtNXLt/3K/MJW1lmyFr4+HmU5M46knKl15A=; b=ILA3boe691SmaA5v58nS3Q5ZC3HaP6IGFa4YxlbsWhfuk97EAjxtoV4EjL5IlzlwJz CKVxpJI1Gry4hHdyoEMzAz6t60rZHALz87++UxsFRwASLH/8XEstApjy+cXnwHSv71ei 4oUs65K16yJ5mgwnxotVopZNitfp4F7iYS99DGrWzbiwjBzkFzweJ9gi6jrUHFdvQhpL 4Z116nrrf0YjfJSqzESMqJsCyyd2zcumwKofEf9Vbu10Je55O+jkrTUIv9QT3ejbtJfS 3XfLeOKR05+r7h/dAwlfox6vYgrv1K1C8QZGhhDtY/YLIt70MxziVstiTbgsj4qLBzG8 r+ng== X-Gm-Message-State: AOAM532YOoJB7/8LxNY9jhXNg+mwLnuqPihJDQqalhynD1nJXimyYyvh PMPPVjPYSt/XbfQManNBqK3GOaqfupYjNcUnVwcP3A== X-Received: by 2002:a25:aa62:0:b0:648:590f:5a53 with SMTP id s89-20020a25aa62000000b00648590f5a53mr14674322ybi.5.1652115081586; Mon, 09 May 2022 09:51:21 -0700 (PDT) MIME-Version: 1.0 References: <20220426164315.625149-1-glider@google.com> <20220426164315.625149-29-glider@google.com> <87a6c6y7mg.ffs@tglx> <87y1zjlhmj.ffs@tglx> <878rrfiqyr.ffs@tglx> <87k0ayhc43.ffs@tglx> <87h762h5c2.ffs@tglx> In-Reply-To: <87h762h5c2.ffs@tglx> From: Alexander Potapenko Date: Mon, 9 May 2022 18:50:45 +0200 Message-ID: Subject: Re: [PATCH v3 28/46] kmsan: entry: handle register passing from uninstrumented code To: Thomas Gleixner Cc: Alexander Viro , Andrew Morton , Andrey Konovalov , Andy Lutomirski , Arnd Bergmann , Borislav Petkov , Christoph Hellwig , Christoph Lameter , David Rientjes , Dmitry Vyukov , Eric Dumazet , Greg Kroah-Hartman , Herbert Xu , Ilya Leoshkevich , Ingo Molnar , Jens Axboe , Joonsoo Kim , Kees Cook , Marco Elver , Mark Rutland , Matthew Wilcox , "Michael S. Tsirkin" , Pekka Enberg , Peter Zijlstra , Petr Mladek , Steven Rostedt , Vasily Gorbik , Vegard Nossum , Vlastimil Babka , kasan-dev , Linux Memory Management List , Linux-Arch , LKML Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-9.5 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > The callchain is: > > asm_sysvec_apic_timer_interrupt <- ASM entry in gate > sysvec_apic_timer_interrupt(regs) <- noinstr C entry point > irqentry_enter(regs) <- unpoisons @reg > __sysvec_apic_timer_interrupt(regs) <- the actual handler > set_irq_regs(regs) <- stores regs > local_apic_timer_interrupt() > ... > tick_handler() <- One of the 4 variants > regs =3D get_irq_regs(); <- retrieves regs > update_process_times(user_tick =3D user_mode(regs)) > account_process_tick(user_tick) > irqtime_account_process_tick(user_tick) > line 382: } else if { user_tick } <- KMSAN complains > > I'm even more confused now. Ok, I think I know what's going on. Indeed, calling kmsan_unpoison_memory() in irqentry_enter() was supposed to be enough, but we have code in kmsan_unpoison_memory() (as well as other runtime functions) that checks for kmsan_in_runtime() and bails out to prevent potential recursion if KMSAN code starts calling itself. kmsan_in_runtime() is implemented as follows: =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D static __always_inline bool kmsan_in_runtime(void) { if ((hardirq_count() >> HARDIRQ_SHIFT) > 1) return true; return kmsan_get_context()->kmsan_in_runtime; } =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D (see the code here: https://lore.kernel.org/lkml/20220426164315.625149-13-glider@google.com/#Z3= 1mm:kmsan:kmsan.h) If we are running in the task context (in_task()=3D=3Dtrue), kmsan_get_context() returns a per-task `struct *kmsan_ctx`. If `in_task()=3D=3Dfalse` and `hardirq_count()>>HARDIRQ_SHIFT=3D=3D1`, it returns a per-CPU one. Otherwise kmsan_in_runtime() is considered true to avoid dealing with nested interrupts. So in the case when `hardirq_count()>>HARDIRQ_SHIFT` is greater than 1, kmsan_in_runtime() becomes a no-op, which leads to false positives. The solution I currently have in mind is to provide a specialized version of kmsan_unpoison_memory() for entry.c, which will not perform the reentrancy checks. > > I guess handling those will require wrapping every interrupt gate into > > a function that performs register unpoisoning? > > No, guessing does not help here. > > The gates point to the ASM entry point, which then invokes the C entry > point. All C entry points use a DEFINE_IDTENTRY variant. Thanks for the explanation. I previously thought there were two different entry points, one with asm_ and one without, that ended up calling the same code. > Some of the DEFINE_IDTENTRY_* C entry points are not doing anything in > the macro, but the C function either invokes irqentry_enter() or > irqentry_nmi_enter() open coded _before_ invoking any instrumentable > function. So the unpoisoning of @regs in these functions should tell > KMSAN that @regs or something derived from @regs are not some random > uninitialized values. > > There should be no difference between unpoisoning @regs in > irqentry_enter() or in set_irq_regs(), right? > > If so, then the problem is definitely _not_ the idt entry code. > > > By the way, if it helps, I think we don't necessarily have to call > > kmsan_unpoison_memory() from within the > > instrumentation_begin()/instrumentation_end() region? > > We could move the call to the beginning of irqentry_enter(), removing > > unnecessary duplication. > > We could, but then you need to mark unpoison_memory() noinstr too and you > have to add the unpoison into the syscall code. No win and irrelevant to > the problem at hand. Makes sense, thank you! > Thanks, > > tglx > > --=20 Alexander Potapenko Software Engineer Google Germany GmbH Erika-Mann-Stra=C3=9Fe, 33 80636 M=C3=BCnchen Gesch=C3=A4ftsf=C3=BChrer: Paul Manicle, Liana Sebastian Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Diese E-Mail ist vertraulich. Falls Sie diese f=C3=A4lschlicherweise erhalten haben sollten, leiten Sie diese bitte nicht an jemand anderes weiter, l=C3=B6schen Sie alle Kopien und Anh=C3=A4nge davon und lassen Sie = mich bitte wissen, dass die E-Mail an die falsche Person gesendet wurde. This e-mail is confidential. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it has gone to the wrong person.