Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp1008736iob; Fri, 13 May 2022 19:26:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyEuX7uUvTmkCcIEpbW3SMKKwYAmIRAQykEzxWTQVHNdnprC9P9JGoOpSFPmyohHNtBz22j X-Received: by 2002:adf:fb05:0:b0:20a:e113:8f3f with SMTP id c5-20020adffb05000000b0020ae1138f3fmr6157332wrr.534.1652495219524; Fri, 13 May 2022 19:26:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652495219; cv=none; d=google.com; s=arc-20160816; b=T4zGLrrFNdo4mRXUVehUnQ9GfYMxZn8Lt2wYSwz5ST8VnTrCLA6JWSUdbvf5ZFDFtX j2ybVjia3BH3vgyJKIixQWjwDKYHCQelqZIRifGNCCm+ftQivgh32XWlyeCAAFPcVKV9 g+81lF0ZDQfXYnyJzITb86ynbApi/JPavp5Sn69OiMi4QWOeQS5y/0qV3VKb323mTOXD 2YAUBAP2W1dl6JKQO0cge1Z3bzQeUVnNyWVLcLVGAg1Z4WO3lQhUeazcxD5CJGbAT+Jw 7zDNiyxMWhnKwXDFI5lQs7oL2WvI/t42dqJnJ+4qnJhrCn2XsXQsSIxY3z6ubADfCO3J vKfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:date:references :in-reply-to:subject:cc:to:dkim-signature:dkim-signature:from; bh=P3WA7a2LKBsvGjpHAfwHZrsdX5lPf+mXnzFb/W6CTG4=; b=xSeyASTksVPKyObReCIlHq+G6C96klB+mz+/xzIDby4ypfxeIDoT4QjAgTe9VNr+lk dYDHVHO3C8ri2icNZGIPpE0Jdu/JoNI7vAMV5fiXJgmNPAK3xjdilY3KTWRPa/uAINQ8 T0e1ku1wZMadF/l6c/t4dS5QAg0shGtxehHX/ftepxtIRy4aMTllgZwFeoqS2gIujOMV tN47j/RJPIxhjovF6A/+NUECI+vg0a/7mID66GlqewrGnrNGl3q7p6pAGK2q51TjxIm1 oC7luKeRzXWeFwk7NiXNL5VfHROWsluekLfiMlofkizrAzmn6Q1hOQ07kap4BeDHU5wp YhBQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=M2SNi8xR; dkim=neutral (no key) header.i=@linutronix.de; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id m16-20020a7bcf30000000b00395b65ddecasi3793837wmg.133.2022.05.13.19.26.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 May 2022 19:26:59 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=M2SNi8xR; dkim=neutral (no key) header.i=@linutronix.de; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E6BD64CFAF8; Fri, 13 May 2022 17:41:35 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1356388AbiELQRT (ORCPT + 99 others); Thu, 12 May 2022 12:17:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38192 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1356377AbiELQRP (ORCPT ); Thu, 12 May 2022 12:17:15 -0400 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C2F3510B3CF; Thu, 12 May 2022 09:17:13 -0700 (PDT) From: Thomas Gleixner DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1652372231; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=P3WA7a2LKBsvGjpHAfwHZrsdX5lPf+mXnzFb/W6CTG4=; b=M2SNi8xRlFNsaTf4EnM632IULRDzo8Lh9IAaPhgFV1fYK8RqrQDWoPkNTF2vcwphpIqR8c lM0WdyegTuvPqzbzdNjo6FXwZOVH8SYmYie3wSCTCbQt9OAVR7VhT7snHk7EZZ4HSMiVNh YB6rIykaXznfefVPXXp55XmG4NMpCtoasCHoeWXHQQc1U4QPsS6pDRFmQhfG47a2QFvPyf dI5VgqJPpF8of7FJfUD/7R0i2q2kDJXELWPTg4fefEI0EW2vgMFIuYLFfWOSCQR2pwVJdS dHD2sTWVhsHJlsB4lAPZZ1xHYuEFG+ILoVEz5I7pb4/IbxyTZsCtAjyIp12QpA== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1652372231; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=P3WA7a2LKBsvGjpHAfwHZrsdX5lPf+mXnzFb/W6CTG4=; b=W90ZtdXlwRF+/ciwbpXvb7TIXlmhwJBIcwThOHIJql1Ajmtg8N8/gWVkSg1avC7iab1Fs1 rtsKmNIz8W8ezIAw== To: Alexander Potapenko Cc: Alexander Viro , Andrew Morton , Andrey Konovalov , Andy Lutomirski , Arnd Bergmann , Borislav Petkov , Christoph Hellwig , Christoph Lameter , David Rientjes , Dmitry Vyukov , Eric Dumazet , Greg Kroah-Hartman , Herbert Xu , Ilya Leoshkevich , Ingo Molnar , Jens Axboe , Joonsoo Kim , Kees Cook , Marco Elver , Mark Rutland , Matthew Wilcox , "Michael S. Tsirkin" , Pekka Enberg , Peter Zijlstra , Petr Mladek , Steven Rostedt , Vasily Gorbik , Vegard Nossum , Vlastimil Babka , kasan-dev , Linux Memory Management List , Linux-Arch , LKML Subject: Re: [PATCH v3 28/46] kmsan: entry: handle register passing from uninstrumented code In-Reply-To: References: <20220426164315.625149-1-glider@google.com> <20220426164315.625149-29-glider@google.com> <87a6c6y7mg.ffs@tglx> <87y1zjlhmj.ffs@tglx> <878rrfiqyr.ffs@tglx> <87k0ayhc43.ffs@tglx> <87h762h5c2.ffs@tglx> <871qx2r09k.ffs@tglx> Date: Thu, 12 May 2022 18:17:11 +0200 Message-ID: <87h75uvi7s.ffs@tglx> MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 12 2022 at 14:24, Alexander Potapenko wrote: > On Mon, May 9, 2022 at 9:09 PM Thomas Gleixner wrote: >> > So in the case when `hardirq_count()>>HARDIRQ_SHIFT` is greater than >> > 1, kmsan_in_runtime() becomes a no-op, which leads to false positives. >> >> But, that'd only > 1 when there is a nested interrupt, which is not the >> case. Interrupt handlers keep interrupts disabled. The last exception from >> that rule was some legacy IDE driver which is gone by now. > > That's good to know, then we probably don't need this hardirq_count() > check anymore. > >> So no, not a good explanation either. > > After looking deeper I see that unpoisoning was indeed skipped because > kmsan_in_runtime() returned true, but I was wrong about the root > cause. > The problem was not caused by a nested hardirq, but rather by the fact > that the KMSAN hook in irqentry_enter() was called with in_task()==1. Argh, the preempt counter increment happens _after_ irqentry_enter(). > I think the best that can be done here is (as suggested above) to > provide some kmsan_unpoison_pt_regs() function that will only be > called from the entry points and won't be doing reentrancy checks. > It should be safe, because unpoisoning boils down to calculating > shadow/origin addresses and calling memset() on them, no instrumented > code will be involved. If you keep them where I placed them, then there is no need for a noinstr function. It's already instrumentable. > We could try to figure out the places in idtentry code where normal > kmsan_unpoison_memory() can be called in IRQ context, but as far as I > can see it will depend on the type of the entry point. NMI is covered as it increments before it invokes the unpoison(). Let me figure out why we increment the preempt count late for interrupts. IIRC it's for symmetry reasons related to softirq processing on return, but let me double check. > Another way to deal with the problem is to not rely on in_task(), but > rather use some per-cpu counter in irqentry_enter()/irqentry_exit() to > figure out whether we are in IRQ code already. Well, if you have a irqentry() specific unpoison, then you know the context, right? > However this is only possible irqentry_enter() itself guarantees that > the execution cannot be rescheduled to another CPU - is that the case? Obviously. It runs with interrupts disabled and eventually on a separate interrupt stack. Thanks, tglx