From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 430CDC433F5
	for <linux-mm@archiver.kernel.org>; Thu, 14 Apr 2022 15:31:13 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 9C4586B0071; Thu, 14 Apr 2022 11:31:12 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 973E16B0073; Thu, 14 Apr 2022 11:31:12 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 7EDDD6B0074; Thu, 14 Apr 2022 11:31:12 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.27])
	by kanga.kvack.org (Postfix) with ESMTP id 6A0076B0071
	for <linux-mm@kvack.org>; Thu, 14 Apr 2022 11:31:12 -0400 (EDT)
Received: from smtpin05.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay13.hostedemail.com (Postfix) with ESMTP id 4DC3D63004
	for <linux-mm@kvack.org>; Thu, 14 Apr 2022 15:31:12 +0000 (UTC)
X-FDA: 79355873184.05.5CFDB72
Received: from mail-yb1-f181.google.com (mail-yb1-f181.google.com [209.85.219.181])
	by imf11.hostedemail.com (Postfix) with ESMTP id 922F240003
	for <linux-mm@kvack.org>; Thu, 14 Apr 2022 15:31:11 +0000 (UTC)
Received: by mail-yb1-f181.google.com with SMTP id z33so10087496ybh.5
        for <linux-mm@kvack.org>; Thu, 14 Apr 2022 08:31:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=HR/ftlsqI378Y2hlslX/Z4aCZL3sE1x2s8Wqdee+G3g=;
        b=fDAyvyMsu+sHOH1K5/fH8eyTcXafQ/8lAOvhgH0TdEaqhgTNxeTuQMxtHxypwSUD/X
         h4u38IOSIAL66XVT5Q9mOFWhPMbD965CxxMEhc5qCPty+GsF+3cXyDlEDhEb3FlMXlBe
         My9r6wGmQlOYC+jq7HetEtj3vj/2kFvv1o+Yktzf7+WeTTRue1B2YTdtv233c1qJ2idl
         xyC+Mc+9e8M5X0SSKSIOP3ChnmBoPYku4uzJyXG1Zp6nD7TPph7RHK2EFR/opTnSb8vG
         94ZXKYvF94/ywFoVY0VJrWZx4jcNBJ5w5qMmtBeeT4u8Cc/wPTrt4W2ShNO6oCEpC9/O
         RKgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=HR/ftlsqI378Y2hlslX/Z4aCZL3sE1x2s8Wqdee+G3g=;
        b=PVoevV62z9TPORztnKeekroYXdrX5s+ifTMTAyKGhjKX121XPi+QrkF07AAk4WKJYF
         F77T/gDRkAmi7B/mX/ryuh4oTyvXlzpSMzOqtGLt5if7FaW+cAM2Wc8wOsyY4AfjCUGd
         9fzwYw+K0VIgG1Mzc25z97CqatmYiCWn17CvkEEkllhiHr59GR9ayFOyLVYA/Pl/UNy+
         r2r32DBLDjqs4K3dxaPP7DWgYOoaHpdB49G+RjsJ+3kspZOxUAK+YUm68PKJ21GVny0z
         8rhheulFy6il+hN5IKCy08NAq91RylgRH39D8zVpUA5DPXqAlIn3gTjGOw8a2ijVyQnP
         hxLw==
X-Gm-Message-State: AOAM532/fnXZWgPK3bB2yRCQV0CPa0PGpK41zjnKPfgIA9397oozaA3H
	H5Br3w//eYpxbPWX8knJHGz4y9brM66V6WQ4VmRh2g==
X-Google-Smtp-Source: ABdhPJx/J+tQSERRySBqIdz/WcrnPlO8MtewNudPPfCSqrv/sLWoIOYKTdeIZF2gFv0pZEdSpTh2Xop+KMcv0qj42Lk=
X-Received: by 2002:a25:d255:0:b0:641:6426:83f5 with SMTP id
 j82-20020a25d255000000b00641642683f5mr2066902ybg.147.1649950270595; Thu, 14
 Apr 2022 08:31:10 -0700 (PDT)
MIME-Version: 1.0
References: <20220329124017.737571-1-glider@google.com> <20220329124017.737571-39-glider@google.com>
 <20220330084615.GH8939@worktop.programming.kicks-ass.net>
In-Reply-To: <20220330084615.GH8939@worktop.programming.kicks-ass.net>
From: Alexander Potapenko <glider@google.com>
Date: Thu, 14 Apr 2022 17:30:34 +0200
Message-ID: <CAG_fn=UzshCuwbq7pZ93v7+eVUgFq1dZ4L_9nEWhYnotmyZtJg@mail.gmail.com>
Subject: Re: [PATCH v2 38/48] objtool: kmsan: list KMSAN API functions as uaccess-safe
To: Peter Zijlstra <peterz@infradead.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>, Andrew Morton <akpm@linux-foundation.org>, 
	Andrey Konovalov <andreyknvl@google.com>, Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>, 
	Borislav Petkov <bp@alien8.de>, Christoph Hellwig <hch@lst.de>, Christoph Lameter <cl@linux.com>, 
	David Rientjes <rientjes@google.com>, Dmitry Vyukov <dvyukov@google.com>, 
	Eric Dumazet <edumazet@google.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, 
	Herbert Xu <herbert@gondor.apana.org.au>, Ilya Leoshkevich <iii@linux.ibm.com>, 
	Ingo Molnar <mingo@redhat.com>, Jens Axboe <axboe@kernel.dk>, Joonsoo Kim <iamjoonsoo.kim@lge.com>, 
	Kees Cook <keescook@chromium.org>, Marco Elver <elver@google.com>, 
	Mark Rutland <mark.rutland@arm.com>, Matthew Wilcox <willy@infradead.org>, 
	"Michael S. Tsirkin" <mst@redhat.com>, Pekka Enberg <penberg@kernel.org>, Petr Mladek <pmladek@suse.com>, 
	Steven Rostedt <rostedt@goodmis.org>, Thomas Gleixner <tglx@linutronix.de>, 
	Vasily Gorbik <gor@linux.ibm.com>, Vegard Nossum <vegard.nossum@oracle.com>, 
	Vlastimil Babka <vbabka@suse.cz>, Linux Memory Management List <linux-mm@kvack.org>, 
	Linux-Arch <linux-arch@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>
Content-Type: multipart/alternative; boundary="000000000000c70b0005dc9efb68"
X-Stat-Signature: y9173mr1g6k1nybxxa9sd5gcnxjsj645
Authentication-Results: imf11.hostedemail.com;
	dkim=pass header.d=google.com header.s=20210112 header.b=fDAyvyMs;
	spf=pass (imf11.hostedemail.com: domain of glider@google.com designates 209.85.219.181 as permitted sender) smtp.mailfrom=glider@google.com;
	dmarc=pass (policy=reject) header.from=google.com
X-Rspam-User: 
X-Rspamd-Server: rspam08
X-Rspamd-Queue-Id: 922F240003
X-HE-Tag: 1649950271-926608
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

--000000000000c70b0005dc9efb68
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Mar 30, 2022 at 10:46 AM Peter Zijlstra <peterz@infradead.org>
wrote:

> On Tue, Mar 29, 2022 at 02:40:07PM +0200, Alexander Potapenko wrote:
> > KMSAN inserts API function calls in a lot of places (function entries
> > and exits, local variables, memory accesses), so they may get called
> > from the uaccess regions as well.
>
> That's insufficient. Explain how you did the right thing and made these
> functions actually safe to be called in this context.
>
> KMSAN API functions are used to update the metadata (shadow/origin pages)
for kernel memory accesses.
The metadata pages for kernel pointers are also located in the kernel
memory, so touching them is not a problem.
For userspace pointers, no metadata is allocated.

If an API function is supposed to read or modify the metadata, it does so
for kernel pointers and ignores userspace pointers.
If an API function is supposed to return a pair of metadata pointers for
the instrumentation to use (like all __msan_metadata_ptr_for_TYPE_SIZE()
functions do), it returns the allocated metadata for kernel pointers and
special dummy buffers residing in the kernel memory for userspace pointers.

As a result, none of KMSAN API functions perform userspace accesses, but
since they might be called from UACCESS regions they
use user_access_save/restore().

Does this make sense?


> > Signed-off-by: Alexander Potapenko <glider@google.com>
> > ---
> > Link:
> https://linux-review.googlesource.com/id/I242bc9816273fecad4ea3d977393784=
396bb3c35
> > ---
> >  tools/objtool/check.c | 19 +++++++++++++++++++
> >  1 file changed, 19 insertions(+)
> >
> > diff --git a/tools/objtool/check.c b/tools/objtool/check.c
> > index 7c33ec67c4a95..8518eaf05bff0 100644
> > --- a/tools/objtool/check.c
> > +++ b/tools/objtool/check.c
> > @@ -943,6 +943,25 @@ static const char *uaccess_safe_builtin[] =3D {
> >       "__sanitizer_cov_trace_cmp4",
> >       "__sanitizer_cov_trace_cmp8",
> >       "__sanitizer_cov_trace_switch",
> > +     /* KMSAN */
> > +     "kmsan_copy_to_user",
> > +     "kmsan_report",
> > +     "kmsan_unpoison_memory",
> > +     "__msan_chain_origin",
> > +     "__msan_get_context_state",
> > +     "__msan_instrument_asm_store",
> > +     "__msan_metadata_ptr_for_load_1",
> > +     "__msan_metadata_ptr_for_load_2",
> > +     "__msan_metadata_ptr_for_load_4",
> > +     "__msan_metadata_ptr_for_load_8",
> > +     "__msan_metadata_ptr_for_load_n",
> > +     "__msan_metadata_ptr_for_store_1",
> > +     "__msan_metadata_ptr_for_store_2",
> > +     "__msan_metadata_ptr_for_store_4",
> > +     "__msan_metadata_ptr_for_store_8",
> > +     "__msan_metadata_ptr_for_store_n",
> > +     "__msan_poison_alloca",
> > +     "__msan_warning",
> >       /* UBSAN */
> >       "ubsan_type_mismatch_common",
> >       "__ubsan_handle_type_mismatch",
> > --
> > 2.35.1.1021.g381101b075-goog
> >
>


--=20
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Stra=C3=9Fe, 33
80636 M=C3=BCnchen

Gesch=C3=A4ftsf=C3=BChrer: Paul Manicle, Liana Sebastian
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg

Diese E-Mail ist vertraulich. Falls Sie diese f=C3=A4lschlicherweise erhalt=
en
haben sollten, leiten Sie diese bitte nicht an jemand anderes weiter,
l=C3=B6schen Sie alle Kopien und Anh=C3=A4nge davon und lassen Sie mich bit=
te wissen,
dass die E-Mail an die falsche Person gesendet wurde.


This e-mail is confidential. If you received this communication by mistake,
please don't forward it to anyone else, please erase all copies and
attachments, and please let me know that it has gone to the wrong person.

--000000000000c70b0005dc9efb68
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote">=
<div dir=3D"ltr" class=3D"gmail_attr">On Wed, Mar 30, 2022 at 10:46 AM Pete=
r Zijlstra &lt;<a href=3D"mailto:peterz@infradead.org">peterz@infradead.org=
</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:=
0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">=
On Tue, Mar 29, 2022 at 02:40:07PM +0200, Alexander Potapenko wrote:<br>
&gt; KMSAN inserts API function calls in a lot of places (function entries<=
br>
&gt; and exits, local variables, memory accesses), so they may get called<b=
r>
&gt; from the uaccess regions as well.<br>
<br>
That&#39;s insufficient. Explain how you did the right thing and made these=
<br>
functions actually safe to be called in this context.<br>
<br></blockquote><div>KMSAN API functions are used to update the metadata (=
shadow/origin pages) for kernel memory accesses.</div><div>The metadata pag=
es for kernel pointers are also located in the kernel memory, so touching t=
hem is not a problem.</div><div>For userspace pointers, no metadata is allo=
cated.<div><br></div><div>If an API function is supposed to read or modify =
the metadata, it does so for kernel pointers and ignores userspace pointers=
.<div>If an API function is supposed to return a pair of metadata pointers =
for the instrumentation to use (like all=C2=A0__msan_metadata_ptr_for_TYPE_=
SIZE() functions do), it returns the allocated metadata for kernel pointers=
 and special dummy buffers residing in the kernel memory for userspace poin=
ters.</div><div><br></div><div>As a result, none of KMSAN API functions per=
form userspace accesses, but since they might be called from UACCESS region=
s they use=C2=A0user_access_save/restore().</div></div></div><div><br></div=
><div>Does this make sense?</div><div>=C2=A0</div><blockquote class=3D"gmai=
l_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,20=
4,204);padding-left:1ex">
&gt; Signed-off-by: Alexander Potapenko &lt;<a href=3D"mailto:glider@google=
.com" target=3D"_blank">glider@google.com</a>&gt;<br>
&gt; ---<br>
&gt; Link: <a href=3D"https://linux-review.googlesource.com/id/I242bc981627=
3fecad4ea3d977393784396bb3c35" rel=3D"noreferrer" target=3D"_blank">https:/=
/linux-review.googlesource.com/id/I242bc9816273fecad4ea3d977393784396bb3c35=
</a><br>
&gt; ---<br>
&gt;=C2=A0 tools/objtool/check.c | 19 +++++++++++++++++++<br>
&gt;=C2=A0 1 file changed, 19 insertions(+)<br>
&gt; <br>
&gt; diff --git a/tools/objtool/check.c b/tools/objtool/check.c<br>
&gt; index 7c33ec67c4a95..8518eaf05bff0 100644<br>
&gt; --- a/tools/objtool/check.c<br>
&gt; +++ b/tools/objtool/check.c<br>
&gt; @@ -943,6 +943,25 @@ static const char *uaccess_safe_builtin[] =3D {<b=
r>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0&quot;__sanitizer_cov_trace_cmp4&quot;,<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0&quot;__sanitizer_cov_trace_cmp8&quot;,<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0&quot;__sanitizer_cov_trace_switch&quot;,<br=
>
&gt; +=C2=A0 =C2=A0 =C2=A0/* KMSAN */<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;kmsan_copy_to_user&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;kmsan_report&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;kmsan_unpoison_memory&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_chain_origin&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_get_context_state&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_instrument_asm_store&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_metadata_ptr_for_load_1&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_metadata_ptr_for_load_2&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_metadata_ptr_for_load_4&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_metadata_ptr_for_load_8&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_metadata_ptr_for_load_n&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_metadata_ptr_for_store_1&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_metadata_ptr_for_store_2&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_metadata_ptr_for_store_4&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_metadata_ptr_for_store_8&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_metadata_ptr_for_store_n&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_poison_alloca&quot;,<br>
&gt; +=C2=A0 =C2=A0 =C2=A0&quot;__msan_warning&quot;,<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0/* UBSAN */<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0&quot;ubsan_type_mismatch_common&quot;,<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0&quot;__ubsan_handle_type_mismatch&quot;,<br=
>
&gt; -- <br>
&gt; 2.35.1.1021.g381101b075-goog<br>
&gt; <br>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
 class=3D"gmail_signature"><div dir=3D"ltr">Alexander Potapenko<br>Software=
 Engineer<br><br>Google Germany GmbH<br>Erika-Mann-Stra=C3=9Fe, 33<br>80636=
 M=C3=BCnchen<br><br>Gesch=C3=A4ftsf=C3=BChrer: Paul Manicle, Liana Sebasti=
an<br>Registergericht und -nummer: Hamburg, HRB 86891<br>Sitz der Gesellsch=
aft: Hamburg<br><br>Diese E-Mail ist vertraulich. Falls Sie diese f=C3=A4ls=
chlicherweise erhalten haben sollten, leiten Sie diese bitte nicht an jeman=
d anderes weiter, l=C3=B6schen Sie alle Kopien und Anh=C3=A4nge davon und l=
assen Sie mich bitte wissen, dass die E-Mail an die falsche Person gesendet=
 wurde.<br><br><br>This e-mail is confidential. If you received this commun=
ication by mistake, please don&#39;t forward it to anyone else, please eras=
e all copies and attachments, and please let me know that it has gone to th=
e wrong person.</div></div></div>

--000000000000c70b0005dc9efb68--