Date: Fri, 20 Dec 2019 19:49:41 +0100
In-Reply-To: <20191220184955.223741-1-glider@google.com>
Message-Id: <20191220184955.223741-29-glider@google.com>
References: <20191220184955.223741-1-glider@google.com>
Subject: [PATCH RFC v4 28/42] kmsan: disable instrumentation of certain functions
From: glider@google.com
To: Thomas Gleixner, Andrew Morton, Vegard Nossum, Dmitry Vyukov, Marco Elver, Andrey Konovalov, linux-mm@kvack.org
Cc: glider@google.com, viro@zeniv.linux.org.uk, adilger.kernel@dilger.ca, aryabinin@virtuozzo.com, luto@kernel.org, ard.biesheuvel@linaro.org, arnd@arndb.de, hch@infradead.org, hch@lst.de, darrick.wong@oracle.com, davem@davemloft.net, dmitry.torokhov@gmail.com, ebiggers@google.com, edumazet@google.com, ericvh@gmail.com, gregkh@linuxfoundation.org, harry.wentland@amd.com, herbert@gondor.apana.org.au, iii@linux.ibm.com, mingo@elte.hu, jasowang@redhat.com, axboe@kernel.dk, m.szyprowski@samsung.com, mark.rutland@arm.com, martin.petersen@oracle.com, schwidefsky@de.ibm.com, willy@infradead.org, mst@redhat.com, mhocko@suse.com, monstr@monstr.eu, pmladek@suse.com, cai@lca.pw, rdunlap@infradead.org, robin.murphy@arm.com, sergey.senozhatsky@gmail.com, rostedt@goodmis.org, tiwai@suse.com, tytso@mit.edu, gor@linux.ibm.com, wsa@the-dreams.de

Some functions are called from handwritten assembly, and therefore don't
have their arguments' metadata fully set up by the instrumentation code.
Mark them with __no_sanitize_memory to avoid false positives from
spreading further.

Certain functions perform task switching, so that the value of |current|
is different as they proceed. Because the KMSAN state pointer is only read
once at the beginning of the function, touching it after |current| has
changed may be dangerous.
Signed-off-by: Alexander Potapenko To: Alexander Potapenko Cc: Thomas Gleixner Cc: Andrew Morton Cc: Vegard Nossum Cc: Dmitry Vyukov Cc: Marco Elver Cc: Andrey Konovalov Cc: linux-mm@kvack.org --- v3: - removed TODOs from comments v4: - updated the comments, dropped __no_sanitize_memory from idle_cpu(), sched_init(), profile_tick() - split away the uprobes part as requested by Andrey Konovalov Change-Id: I684d23dac5a22eb0a4cea71993cb934302b17cea --- arch/x86/entry/common.c | 2 ++ arch/x86/include/asm/irq_regs.h | 2 ++ arch/x86/include/asm/syscall_wrapper.h | 2 ++ arch/x86/kernel/apic/apic.c | 3 +++ arch/x86/kernel/dumpstack_64.c | 5 +++++ arch/x86/kernel/process_64.c | 5 +++++ arch/x86/kernel/traps.c | 13 +++++++++++-- kernel/sched/core.c | 22 ++++++++++++++++++++++ 8 files changed, 52 insertions(+), 2 deletions(-) diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c index 9747876980b5..7707b5b65ee0 100644 --- a/arch/x86/entry/common.c +++ b/arch/x86/entry/common.c @@ -279,6 +279,8 @@ __visible inline void syscall_return_slowpath(struct pt_regs *regs) } #ifdef CONFIG_X86_64 +/* Tell KMSAN to not instrument this function and to initialize |regs|. */ +__no_sanitize_memory __visible void do_syscall_64(unsigned long nr, struct pt_regs *regs) { struct thread_info *ti; diff --git a/arch/x86/include/asm/irq_regs.h b/arch/x86/include/asm/irq_regs.h index 187ce59aea28..a6fc1641e286 100644 --- a/arch/x86/include/asm/irq_regs.h +++ b/arch/x86/include/asm/irq_regs.h @@ -14,6 +14,8 @@ DECLARE_PER_CPU(struct pt_regs *, irq_regs); +/* Tell KMSAN to return an initialized struct pt_regs. */ +__no_sanitize_memory static inline struct pt_regs *get_irq_regs(void) { return __this_cpu_read(irq_regs); diff --git a/arch/x86/include/asm/syscall_wrapper.h b/arch/x86/include/asm/syscall_wrapper.h index e2389ce9bf58..098b1a8d6bc4 100644 --- a/arch/x86/include/asm/syscall_wrapper.h +++ b/arch/x86/include/asm/syscall_wrapper.h 
@@ -196,6 +196,8 @@ struct pt_regs; ALLOW_ERROR_INJECTION(__x64_sys##name, ERRNO); \ static long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \ static inline long __do_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__));\ + /* Tell KMSAN to initialize |regs|. */ \ + __no_sanitize_memory \ asmlinkage long __x64_sys##name(const struct pt_regs *regs) \ { \ return __se_sys##name(SC_X86_64_REGS_TO_ARGS(x,__VA_ARGS__));\ diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c index 28446fa6bf18..e8e55a6661f9 100644 --- a/arch/x86/kernel/apic/apic.c +++ b/arch/x86/kernel/apic/apic.c @@ -1118,6 +1118,9 @@ static void local_apic_timer_interrupt(void) * [ if a single-CPU system runs an SMP kernel then we call the local * interrupt as well. Thus we cannot inline the local irq ... ] */ + +/* Tell KMSAN to initialize |regs|. */ +__no_sanitize_memory __visible void __irq_entry smp_apic_timer_interrupt(struct pt_regs *regs) { struct pt_regs *old_regs = set_irq_regs(regs); diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c index 87b97897a881..3d1691f81cad 100644 --- a/arch/x86/kernel/dumpstack_64.c +++ b/arch/x86/kernel/dumpstack_64.c @@ -150,6 +150,11 @@ static bool in_irq_stack(unsigned long *stack, struct stack_info *info) return true; } +/* + * This function may touch stale uninitialized values on stack. Do not + * instrument it with KMSAN to avoid false positives. + */ +__no_sanitize_memory int get_stack_info(unsigned long *stack, struct task_struct *task, struct stack_info *info, unsigned long *visit_mask) { diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index 506d66830d4d..310bf00a0351 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c 
@@ -425,6 +425,11 @@ void compat_start_thread(struct pt_regs *regs, u32 new_ip, u32 new_sp) * Kprobes not supported here. Set the probe on schedule instead. * Function graph tracer not supported too. */ +/* + * Avoid touching KMSAN state or reporting anything here, as __switch_to() does + * weird things with tasks. + */ +__no_sanitize_memory __visible __notrace_funcgraph struct task_struct * __switch_to(struct task_struct *prev_p, struct task_struct *next_p) { diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 05da6b5b167b..e46e34a4893a 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -622,7 +622,11 @@ NOKPROBE_SYMBOL(do_int3); * Help handler running on a per-cpu (IST or entry trampoline) stack * to switch to the normal thread stack if the interrupted code was in * user mode. The actual stack switch is done in entry_64.S + * */ + +/* This function switches the registers - don't instrument it with KMSAN. */ +__no_sanitize_memory asmlinkage __visible notrace struct pt_regs *sync_regs(struct pt_regs *eregs) { struct pt_regs *regs = (struct pt_regs *)this_cpu_read(cpu_current_top_of_stack) - 1; @@ -638,6 +642,11 @@ struct bad_iret_stack { }; asmlinkage __visible notrace +/* + * Dark magic happening here, let's not instrument this function. + * Also avoid copying any metadata by using raw __memmove(). + */ +__no_sanitize_memory struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s) { /* 
@@ -652,10 +661,10 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s) (struct bad_iret_stack *)this_cpu_read(cpu_tss_rw.x86_tss.sp0) - 1; /* Copy the IRET target to the new stack. */ - memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8); + __memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8); /* Copy the remainder of the stack from the current stack. */ - memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip)); + __memmove(new_stack, s, offsetof(struct bad_iret_stack, regs.ip)); BUG_ON(!user_mode(&new_stack->regs)); return new_stack; diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 90e4b00ace89..c49f729baeed 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -476,6 +476,11 @@ void wake_q_add_safe(struct wake_q_head *head, struct task_struct *task) put_task_struct(task); } +/* + * Context switch here may lead to KMSAN task state corruption. Disable KMSAN + * instrumentation. + */ +__no_sanitize_memory void wake_up_q(struct wake_q_head *head) { struct wake_q_node *node = head->first; @@ -3181,6 +3186,12 @@ prepare_task_switch(struct rq *rq, struct task_struct *prev, * past. prev == current is still correct but we need to recalculate this_rq * because prev may have moved to another CPU. */ + +/* + * Context switch here may lead to KMSAN task state corruption. Disable KMSAN + * instrumentation. + */ +__no_sanitize_memory static struct rq *finish_task_switch(struct task_struct *prev) __releases(rq->lock) { @@ -3998,6 +4009,12 @@ pick_next_task(struct rq *rq, struct task_struct *prev, struct rq_flags *rf) * * WARNING: must be called with preemption disabled! */ + +/* + * Context switch here may lead to KMSAN task state corruption. Disable KMSAN + * instrumentation. + */ +__no_sanitize_memory static void __sched notrace __schedule(bool preempt) { struct task_struct *prev, *next; 
@@ -6736,6 +6753,11 @@ static inline int preempt_count_equals(int preempt_offset) return (nested == preempt_offset); } +/* + * This function might be called from code that is not instrumented with KMSAN. + * Nevertheless, treat its arguments as initialized. + */ +__no_sanitize_memory void __might_sleep(const char *file, int line, int preempt_offset) { /* -- 2.24.1.735.g03f4e72817-goog
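Review bot: the comment added above do_syscall_64 in arch/x86/entry/common.c ("Tell KMSAN to not instrument this function and to initialize |regs|") overstates what __no_sanitize_memory does: the attribute only keeps the compiler from instrumenting this function's body, it does not initialize or unpoison anything, so |regs| is simply never checked here. Suggest "Called from asm with no argument shadow set up; do not instrument", and a note that the whole body of do_syscall_64, not just the |regs| parameter, is now unchecked by KMSAN.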
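Review bot: in arch/x86/include/asm/irq_regs.h, adding __no_sanitize_memory to the static inline get_irq_regs() has a side effect worth checking: as far as I know the LLVM inliner refuses to inline a callee whose sanitizer attributes differ from its caller's, so under KMSAN every instrumented caller gets an out-of-line call instead of a single __this_cpu_read(). If the intent is only that the pointer stored in irq_regs is trusted, marking it initialized where it is stored (set_irq_regs, visible in the apic.c hunk) would keep the inline. The comment "Tell KMSAN to return an initialized struct pt_regs" should also say that the return value's shadow is not propagated rather than implying the attribute initializes anything.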
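Review bot: in arch/x86/kernel/apic/apic.c the new comment is placed after a blank line that follows the existing block comment on smp_apic_timer_interrupt, which detaches that comment from the function it documents; fold the KMSAN sentence into the existing comment instead. The same placement pattern appears in the finish_task_switch and __schedule hunks of kernel/sched/core.c, where the new comment is likewise inserted after the function's existing kernel-doc block (ending with "WARNING: must be called with preemption disabled!") and would read better as its last paragraph.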
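Review bot: for get_stack_info in arch/x86/kernel/dumpstack_64.c, the comment "may touch stale uninitialized values on stack" should name which read produces the false positive, because disabling instrumentation only silences reports from get_stack_info's own body; any helper it calls (the in_*_stack helpers, one of which, in_irq_stack, is visible in the hunk context) remains instrumented, so if the offending read happens there the report just moves rather than disappearing.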
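Review bot: the comment on __switch_to in arch/x86/kernel/process_64.c ("__switch_to() does weird things with tasks") is too vague to tell a future reader whether the attribute can be dropped; the commit message already gives the concrete reason, that |current| changes while the function runs but the KMSAN state pointer is read once at entry, so put that sentence in the comment.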
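Review bot: the sync_regs hunk in arch/x86/kernel/traps.c adds a lone " *" line to the existing comment immediately before its closing "*/", which looks like an accidental leftover from editing and should be dropped. The new comment "This function switches the registers" is also inaccurate: per the existing comment just above it, sync_regs copies pt_regs from the per-cpu IST/entry stack to the normal thread stack, so say "copies pt_regs to another stack" or similar.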
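Review bot: in the fixup_bad_iret hunk of arch/x86/kernel/traps.c the comment and __no_sanitize_memory are inserted between "asmlinkage __visible notrace" and the return type "struct bad_iret_stack *fixup_bad_iret(...)", splitting the declaration in two; move both above the asmlinkage line. "Dark magic happening here" should be replaced by the actual reason (the function builds a new stack frame and copies the IRET target with raw __memmove() so no shadow follows the data), and that __memmove rationale belongs at the two call sites changed in the following hunk, where a reader of the "-memmove(...) / +__memmove(...)" lines will otherwise not see why the plain memmove was replaced.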
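Review bot: the same three-line comment ("Context switch here may lead to KMSAN task state corruption. Disable KMSAN instrumentation.") is pasted onto wake_up_q, finish_task_switch and __schedule in kernel/sched/core.c, but wake_up_q itself only walks the wake_q list ("struct wake_q_node *node = head->first;") and wakes tasks; it does not perform the switch. The comment on wake_up_q should say what in it actually touches KMSAN task state, otherwise a reviewer cannot tell whether the attribute is needed there at all.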
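Review bot: the __might_sleep comment ("might be called from code that is not instrumented with KMSAN. Nevertheless, treat its arguments as initialized.") gives a third wording for the same situation already described differently at do_syscall_64 and get_irq_regs; pick one phrasing for "called without argument shadow, do not instrument" and use it in all of them. It is also worth saying that the attribute disables checks on everything __might_sleep reads, not only on its file/line/preempt_offset arguments, since this is a debug helper reached from many call sites.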