Received: by 2002:ab2:710b:0:b0:1ef:a325:1205 with SMTP id z11csp281913lql;
        Mon, 11 Mar 2024 02:31:08 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCXmbipSFPoP0tD4sTxTpuz6RHxfaRuwqFVx2CIa7fSA44mMTrvo2q6yhIh9oQfUmujnJK+xe4JZElolZbrMmWRlHzoLnFXwodCa4nZbDQ==
X-Google-Smtp-Source: AGHT+IFMWeMwJhKcFs5UxFdvNmXYjXV0f01NbaPweW5d8z3NiGj5/aIm0oEJCgCMKJQvVus5C9SP
X-Received: by 2002:a17:906:1950:b0:a45:f773:603e with SMTP id b16-20020a170906195000b00a45f773603emr3599365eje.51.1710149467817;
        Mon, 11 Mar 2024 02:31:07 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1710149467; cv=pass;
        d=google.com; s=arc-20160816;
        b=fKaB0UxVXr/lAtkAp04CeWDhCiNsoFoe4ODQamzcYH5uF7ZNsFyELrUm6gQcbJIpmE
         TSQZAx+Dn7P957lfhGSpZWs9pqIIdjBRxjhMC+j4EEskJOhKVQJ82e9k6LRiNZgIQ9Od
         ZwktKDIAGECF9VeEEmIzv1s0qUmN/+DQaFvkjskpMg0f3BN1O4qDY7Ba3Y9UbpxY5Alf
         mja7IVk/93LHC88bAlyClSg7Z8OhM/pT6P/j+ooSJ9xqZKxrC1U8v32jzae9mZpc+ktZ
         /ldnj62n1gQXHn9hgm0e0ImB5Xm7GlUD8QcWUtElTwFd5kyYK6mTHxy7Ti+czoz7Vlm+
         StTA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date;
        bh=OOREsHi53h0aMH3pJm8Hl9w4EN0sLOYVJ8BoshkfZD4=;
        fh=rFhXia1eMb2njlZBQ2+h96Vjll0tzf7z4xew2OluTME=;
        b=aK2wuG7i+J9WBONo1bfkVfqrVO1f3txDPUlArp8AqUgPiQmGzfdwogGw+yTPaysY43
         QSReGGwqLdJxE08V63SD1P97jrnzkuY2XAZQEPFxvE3kQMPhGgDlshComfnAGjFP6v+r
         L/a5c+o88pJsMC1fcnywNXYbvnD+gNTbCS7pTTiNKolKXNSx+icVBAiOE3jokpS4IJQy
         GZ0+ZCSMxNyilvNZGrK6L6iOifx4Xp8JHRWgqdAYEsPC+ZHbsjIoNBRq2wzJm+MGwyOv
         Zqr66GEY7uOP9h5icATnGy+Y53zXTLwTD8KA421z4LlljwtTHgrWvQYDlQOmF8iQuoEm
         MOvQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=huawei.com dmarc=pass fromdomain=huawei.com);
       spf=pass (google.com: domain of linux-kernel+bounces-98622-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-98622-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Return-Path: <linux-kernel+bounces-98622-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3])
        by mx.google.com with ESMTPS id rp20-20020a170906d97400b00a456423c7e1si2349012ejb.692.2024.03.11.02.31.07
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 11 Mar 2024 02:31:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-98622-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=huawei.com dmarc=pass fromdomain=huawei.com);
       spf=pass (google.com: domain of linux-kernel+bounces-98622-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-98622-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 8B7931F21BE5
	for <linux.lists.archive@gmail.com>; Mon, 11 Mar 2024 09:31:07 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id A739C18B15;
	Mon, 11 Mar 2024 09:30:54 +0000 (UTC)
Received: from szxga06-in.huawei.com (szxga06-in.huawei.com [45.249.212.32])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id A2C2B17561
	for <linux-kernel@vger.kernel.org>; Mon, 11 Mar 2024 09:30:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.32
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1710149454; cv=none; b=p3MyCl1z6tEehAA/3OnuU2Dv6dy0fGIU7eLYLDGEBUFWFIESDnMvfD4gPCkVqpBKOYjxXoJtyhvfs2rdMr0Iy1O5t9tggeyvY0pUu+AHWHkah00+pXpoNtLje4+TsmXKDBqfj5BncMRWgtYQwS0GcFsDavHWfRlQqNVCPYf8V0s=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1710149454; c=relaxed/simple;
	bh=8ubKSyzVaaBrztU45QKm/bQ8zC4NfIF1wOLHO3M3UQo=;
	h=Date:From:To:CC:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=g64NYwcVoI/citallzhQ/nM8wukVOxq0igMD4sn7kkRmi4SwJf49NcAAn7+oo7pWbVFPqRJy1EZ6Bbi+Kt0NT9MMfAGlmeKsLrrrn02C4UvLylUK1EpRZ9Sq1EIyN+ZpVBUDJ8Vyp/f1qqYrg99+DstqqQiT6Qe0nkjuXk5uDEM=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com; spf=pass smtp.mailfrom=huawei.com; arc=none smtp.client-ip=45.249.212.32
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=huawei.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com
Received: from mail.maildlp.com (unknown [172.19.163.17])
	by szxga06-in.huawei.com (SkyGuard) with ESMTP id 4TtWhR2Szvz3F0MV;
	Mon, 11 Mar 2024 17:29:59 +0800 (CST)
Received: from kwepemd100011.china.huawei.com (unknown [7.221.188.204])
	by mail.maildlp.com (Postfix) with ESMTPS id A72B11A0172;
	Mon, 11 Mar 2024 17:30:41 +0800 (CST)
Received: from M910t (10.110.54.157) by kwepemd100011.china.huawei.com
 (7.221.188.204) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Mon, 11 Mar
 2024 17:30:40 +0800
Date: Mon, 11 Mar 2024 17:30:36 +0800
From: Changbin Du <changbin.du@huawei.com>
To: Marco Elver <elver@google.com>
CC: Changbin Du <changbin.du@huawei.com>, Alexander Potapenko
	<glider@google.com>, Andrew Morton <akpm@linux-foundation.org>,
	<kasan-dev@googlegroups.com>, <linux-mm@kvack.org>,
	<linux-kernel@vger.kernel.org>
Subject: Re: [BUG] kmsan: instrumentation recursion problems
Message-ID: <20240311093036.44txy57hvhevybsu@M910t>
References: <20240308043448.masllzeqwht45d4j@M910t>
 <CANpmjNOc4Z6Qy_L3pjuW84BOxoiqXgLC1tWbJuZwRUZqs2ioMA@mail.gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CANpmjNOc4Z6Qy_L3pjuW84BOxoiqXgLC1tWbJuZwRUZqs2ioMA@mail.gmail.com>
X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To
 kwepemd100011.china.huawei.com (7.221.188.204)

On Fri, Mar 08, 2024 at 10:39:15AM +0100, Marco Elver wrote:
> On Fri, 8 Mar 2024 at 05:36, 'Changbin Du' via kasan-dev
> <kasan-dev@googlegroups.com> wrote:
> >
> > Hey, folks,
> > I found two instrumentation recursion issues on mainline kernel.
> >
> > 1. recur on preempt count.
> > __msan_metadata_ptr_for_load_4() -> kmsan_virt_addr_valid() -> preempt_disable() -> __msan_metadata_ptr_for_load_4()
> >
> > 2. recur in lockdep and rcu
> > __msan_metadata_ptr_for_load_4() -> kmsan_virt_addr_valid() -> pfn_valid() -> rcu_read_lock_sched() -> lock_acquire() -> rcu_is_watching() -> __msan_metadata_ptr_for_load_8()
> >
> >
> > Here is an unofficial fix, I don't know if it will generate false reports.
> >
> > $ git show
> > commit 7f0120b621c1cbb667822b0f7eb89f3c25868509 (HEAD -> master)
> > Author: Changbin Du <changbin.du@huawei.com>
> > Date:   Fri Mar 8 20:21:48 2024 +0800
> >
> >     kmsan: fix instrumentation recursions
> >
> >     Signed-off-by: Changbin Du <changbin.du@huawei.com>
> >
> > diff --git a/kernel/locking/Makefile b/kernel/locking/Makefile
> > index 0db4093d17b8..ea925731fa40 100644
> > --- a/kernel/locking/Makefile
> > +++ b/kernel/locking/Makefile
> > @@ -7,6 +7,7 @@ obj-y += mutex.o semaphore.o rwsem.o percpu-rwsem.o
> >
> >  # Avoid recursion lockdep -> sanitizer -> ... -> lockdep.
> >  KCSAN_SANITIZE_lockdep.o := n
> > +KMSAN_SANITIZE_lockdep.o := n
> 
> This does not result in false positives?
>
I saw a lot of reports but seems not related to this.

[    2.742743][    T0] BUG: KMSAN: uninit-value in unwind_next_frame+0x3729/0x48a0
[    2.744404][    T0]  unwind_next_frame+0x3729/0x48a0
[    2.745623][    T0]  arch_stack_walk+0x1d9/0x2a0
[    2.746838][    T0]  stack_trace_save+0xb8/0x100
[    2.747928][    T0]  set_track_prepare+0x88/0x120
[    2.749095][    T0]  __alloc_object+0x602/0xbe0
[    2.750200][    T0]  __create_object+0x3f/0x4e0
[    2.751332][    T0]  pcpu_alloc+0x1e18/0x2b00
[    2.752401][    T0]  mm_init+0x688/0xb20
[    2.753436][    T0]  mm_alloc+0xf4/0x180
[    2.754510][    T0]  poking_init+0x50/0x500
[    2.755594][    T0]  start_kernel+0x3b0/0xbf0
[    2.756724][    T0]  __pfx_reserve_bios_regions+0x0/0x10
[    2.758073][    T0]  x86_64_start_kernel+0x92/0xa0
[    2.759320][    T0]  secondary_startup_64_no_verify+0x176/0x17b


> Does
> KMSAN_ENABLE_CHECKS_lockdep.o := n
> work as well? If it does, that is preferred because it makes sure
> there are no false positives if the lockdep code unpoisons data that
> is passed and used outside lockdep.
> 
> lockdep has a serious impact on performance, and not sanitizing it
> with KMSAN is probably a reasonable performance trade-off.
> 
Disabling checks is not working here. The recursion become this:

__msan_metadata_ptr_for_load_4() -> kmsan_get_metadata() -> virt_to_page_or_null() -> pfn_valid() -> lock_acquire() -> __msan_unpoison_alloca() -> kmsan_get_metadata()

> >  ifdef CONFIG_FUNCTION_TRACER
> >  CFLAGS_REMOVE_lockdep.o = $(CC_FLAGS_FTRACE)
> > diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
> > index b2bccfd37c38..8935cc866e2d 100644
> > --- a/kernel/rcu/tree.c
> > +++ b/kernel/rcu/tree.c
> > @@ -692,7 +692,7 @@ static void rcu_disable_urgency_upon_qs(struct rcu_data *rdp)
> >   * Make notrace because it can be called by the internal functions of
> >   * ftrace, and making this notrace removes unnecessary recursion calls.
> >   */
> > -notrace bool rcu_is_watching(void)
> > +notrace __no_sanitize_memory bool rcu_is_watching(void)
> 
> For all of these, does __no_kmsan_checks instead of __no_sanitize_memory work?
> Again, __no_kmsan_checks (function-only counterpart to
> KMSAN_ENABLE_CHECKS_.... := n) is preferred if it works as it avoids
> any potential false positives that would be introduced by not
> instrumenting.
> 
This works because it is not unpoisoning local variables.

> >  {
> >         bool ret;
> >
> > diff --git a/kernel/sched/core.c b/kernel/sched/core.c
> > index 9116bcc90346..33aa4df8fd82 100644
> > --- a/kernel/sched/core.c
> > +++ b/kernel/sched/core.c
> > @@ -5848,7 +5848,7 @@ static inline void preempt_latency_start(int val)
> >         }
> >  }
> >
> > -void preempt_count_add(int val)
> > +void __no_sanitize_memory preempt_count_add(int val)
> >  {
> >  #ifdef CONFIG_DEBUG_PREEMPT
> >         /*
> > @@ -5880,7 +5880,7 @@ static inline void preempt_latency_stop(int val)
> >                 trace_preempt_on(CALLER_ADDR0, get_lock_parent_ip());
> >  }
> >
> > -void preempt_count_sub(int val)
> > +void __no_sanitize_memory preempt_count_sub(int val)
> >  {
> >  #ifdef CONFIG_DEBUG_PREEMPT
> >
> >
> > --
> > Cheers,
> > Changbin Du

-- 
Cheers,
Changbin Du