Received: by 2002:a19:771d:0:0:0:0:0 with SMTP id s29csp1259899lfc; Wed, 1 Jun 2022 13:22:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJys7tnmLziFJWQkaj81JheAGsHRySktKNA0jB+68EGMSGkFdhY11NdOdG3RKfZzTxlRvYMa X-Received: by 2002:a63:d446:0:b0:3fc:1370:798a with SMTP id i6-20020a63d446000000b003fc1370798amr1015966pgj.190.1654114964391; Wed, 01 Jun 2022 13:22:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654114964; cv=none; d=google.com; s=arc-20160816; b=YVVE2JSeHFFZhlGhipDX8+BQS8mnB3r3jRDYTVx2MReVrBpu+fybPCGqX6/0wWVoTi FCl5qqzuAwHXyL8KduuQel910jFKc443pQjjQFzoW8Kgn64Kzx/A3JDcea2RMeG7YyCO K6q/bkWQSSHKVaJ2cIO5NBH7gEmBsMgzzkjr9XTqSEHnmZClIxgoiniXWYoYxFYH9Qnr s9PhUqUwnYYCPlzTpPZj+sX3SHsxHDXtNJ2cb+UUI5tP5UHjsIkBd7SsRJOYCwzmlPXU k5jXX5f+lneeGRS4q8+LfcnHxl8poXKeyoQuTLVPuDgKwss5UG8ZCkaZ6AS2mbd+werO B1hA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=tDA6PuH6NICvxSpkxUN08aIv7E1lLbWtwbYMOmp3DFc=; b=ehP7ICn4sPsyckuoqfxbPuhDYc6NFqPeZGaAtoZeVDYYEHBi0EKkzkyaN7ST44FhSm kjZ49GuqVGlX3no14Bqot8za2g5YL1QF7hxaKAGOY3eLqbyOP/KuxTsvCB3c3BSt96Vc HWo0eFhud4giAWUB0I2gdmcxOJfR/XLodyL1N+Bi1yRmuPmKP29oJ1tX12sRPFWlM14I 49HIUnCeJg6zYBvq/loonNNIgqigoVnTNdYZKrKN2BVxUNkdf3LwvvEdYkzGVdJoSi2V /oqyZjBb5yhOxWQIH5eJo+x8oGdGmXK8mdoa1WAgVuLfgi3gNfc+WAYTzdZPVFV6lsij 7DoQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=qZ4wk7dY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id p16-20020a170902b09000b001614cd9cc52si3363087plr.197.2022.06.01.13.22.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 01 Jun 2022 13:22:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=qZ4wk7dY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C4AFE19FF52; Wed, 1 Jun 2022 12:34:54 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1352656AbiFAL2g (ORCPT + 99 others); Wed, 1 Jun 2022 07:28:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56896 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352644AbiFAL2f (ORCPT ); Wed, 1 Jun 2022 07:28:35 -0400 Received: from mail-yw1-x1129.google.com (mail-yw1-x1129.google.com [IPv6:2607:f8b0:4864:20::1129]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4648E5C879 for ; Wed, 1 Jun 2022 04:28:33 -0700 (PDT) Received: by mail-yw1-x1129.google.com with SMTP id 00721157ae682-30c143c41e5so15013077b3.3 for ; Wed, 01 Jun 2022 04:28:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tDA6PuH6NICvxSpkxUN08aIv7E1lLbWtwbYMOmp3DFc=; b=qZ4wk7dYHXk+svmWhmtwD5F01nOrHanF/nZcd2rNt/sATC0umgD7nFxlyirkk7t7yt /5NSe+GKx657K37eu29ixICiLnZ+U5EhmxLGckjho8BnQPOSc1PytOmMl6dueOaOkRfp DK5IdYHqNZRD8IyzEHTH+X04qE9G9cXrdrwM7Gd2ldpCMdWe/bhKK0FJ+oJcIm+1NXnd 1c5MqLPnhnJ3tz9ErQexOBcfjZPLSbQweY61tDKiErca+u+a4dbYtfvmsF3W9dTrjtkf 9GPnypBdkQvxxu/eYpcMAJS42Y+VITDDdkbpWf4+uiNiaR6Na/D7SpKNUJAX1i+IgkSv VNvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tDA6PuH6NICvxSpkxUN08aIv7E1lLbWtwbYMOmp3DFc=; b=g8+uMjNL5i5Cb0cuVQxPUrJjm3jvx/D2KCipit9Rza0jOTi1xiXue1Fso4R8bu/Gdl HWe4/kbbAmt08FHCqhg3r8veDhqtVXhpDUtHiHsSg4qjRBaEqe4xC56HtjwwETjYaDmD mNsEawuCiolfHumrRlOF9asz4SdwNj9z0l0dWeGkKZhKO0Z2JRJBA22qaS9DF/3JZS7a hw4edpdpuMV2VQLgcrMDaAoOzn9a8X31/KIlXPIQUD1o93H5EZc5KABMj40UKAPwBpA3 UtgJSfKWKHgHKQItgV1UWuCJvjzmOeRJUkR4q1y6KYsyvpZQscV+byDTurVsARfM/7wT 1VVw== X-Gm-Message-State: AOAM5325cxC3x6Yfvt66RNQCKJKAQxV9PYRJnSLV0OQOmGw5cNkLY/tN tRlDdUfqsFUI8AdpsvA5+FXWi2qqYSLVFb5wjjGm/A== X-Received: by 2002:a81:1f8b:0:b0:2f8:5846:445e with SMTP id f133-20020a811f8b000000b002f85846445emr69247959ywf.50.1654082912126; Wed, 01 Jun 2022 04:28:32 -0700 (PDT) MIME-Version: 1.0 References: <20220426164315.625149-1-glider@google.com> <20220426164315.625149-29-glider@google.com> <87a6c6y7mg.ffs@tglx> <87y1zjlhmj.ffs@tglx> <878rrfiqyr.ffs@tglx> <87k0ayhc43.ffs@tglx> <87h762h5c2.ffs@tglx> <871qx2r09k.ffs@tglx> <87h75uvi7s.ffs@tglx> <87ee0yvgrd.ffs@tglx> In-Reply-To: <87ee0yvgrd.ffs@tglx> From: Alexander Potapenko Date: Wed, 1 Jun 2022 13:27:56 +0200 Message-ID: Subject: Re: [PATCH v3 28/46] kmsan: entry: handle register passing from uninstrumented code To: Thomas Gleixner Cc: Alexander Viro , Andrew Morton , Andrey Konovalov , Andy Lutomirski , Arnd Bergmann , Borislav Petkov , Christoph Hellwig , Christoph Lameter , David Rientjes , Dmitry Vyukov , Eric Dumazet , Greg Kroah-Hartman , Herbert Xu , Ilya Leoshkevich , Ingo Molnar , Jens Axboe , Joonsoo Kim , Kees Cook , Marco Elver , Mark Rutland , Matthew Wilcox , "Michael S. Tsirkin" , Pekka Enberg , Peter Zijlstra , Petr Mladek , Steven Rostedt , Vasily Gorbik , Vegard Nossum , Vlastimil Babka , kasan-dev , Linux Memory Management List , Linux-Arch , LKML Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.5 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE, USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 12, 2022 at 6:48 PM Thomas Gleixner wrote: > > On Thu, May 12 2022 at 18:17, Thomas Gleixner wrote: > > On Thu, May 12 2022 at 14:24, Alexander Potapenko wrote: > >> We could try to figure out the places in idtentry code where normal > >> kmsan_unpoison_memory() can be called in IRQ context, but as far as I > >> can see it will depend on the type of the entry point. > > > > NMI is covered as it increments before it invokes the unpoison(). > > > > Let me figure out why we increment the preempt count late for > > interrupts. IIRC it's for symmetry reasons related to softirq processing > > on return, but let me double check. > > It's even documented: > > https://www.kernel.org/doc/html/latest/core-api/entry.html#interrupts-and-regular-exceptions > > But who reads documentation? :) > > So, I think the simplest and least intrusive solution is to have special > purpose unpoison functions. See the patch below for illustration. This patch works well and I am going to adopt it for my series. But the problem with occasional calls of instrumented functions from noinstr still persists: if there is a noinstr function foo() and an instrumented function bar() called from foo() with one or more arguments, bar() must wipe its kmsan_context_state before using the arguments. I have a solution for this problem described in https://reviews.llvm.org/D126385 The plan is to pass __builtin_return_address(0) to __msan_get_context_state_caller() at the beginning of each instrumented function. Then KMSAN runtime can check the passed return address and wipe the context if it belongs to the .noinstr code section. Alternatively, we could employ MSan's -fsanitize-memory-param-retval flag, that will report supplying uninitialized parameters when calling functions. Doing so is currently allowed in the kernel, but Clang aggressively applies the noundef attribute (see https://llvm.org/docs/LangRef.html) to function arguments, which effectively makes passing uninit values as function parameters an UB. So if we make KMSAN detect such cases as well, we can ultimately get rid of all cases when uninits are passed to functions. As a result, kmsan_context_state will become unnecessary, because it will never contain nonzero values. > The reasons why I used specific ones: > > 1) User entry > > Whether that's a syscall or interrupt/exception does not > matter. It's always on the task stack and your machinery cannot be > running at that point because it came from user space. > > 2) Interrupt/exception/NMI entry kernel > > Those can nest into an already active context, so you really want > to unpoison @regs. > > Also while regular interrupts cannot nest because of interrupts > staying disabled, exceptions triggered in the interrupt handler and > NMIs can nest. > > -> device interrupt() > irqentry_enter(regs) > > -> NMI() > irqentry_nmi_enter(regs) > > -> fault() > irqentry_enter(regs) > > --> debug_exception() > irqentry_nmi_enter(regs) > > Soft interrupt processing on return from interrupt makes it more > interesting: > > interrupt() > handler() > do_softirq() > local_irq_enable() > interrupt() > NMI > .... > > And everytime you get a new @regs pointer to deal with. > > Wonderful, isn't it? > > Thanks, > > tglx >