From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: mm/kfence/core.c:839:9: sparse: sparse: context imbalance in 'kfence_handle_page_fault' - different lock contexts for basic block
Date: Sun, 28 Feb 2021 01:39:09 +0800 [thread overview]
Message-ID: <202102280106.qKP9gWgL-lkp@intel.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 8046 bytes --]
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Alexander Potapenko <glider@google.com>
CC: Marco Elver <elver@google.com>
CC: Dmitry Vyukov <dvyukov@google.com>
CC: Jann Horn <jannh@google.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Linux Memory Management List <linux-mm@kvack.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 3fb6d0e00efc958d01c2f109c8453033a2d96796
commit: 1dc0da6e9ec0f8d735756374697912cd50f402cf x86, kfence: enable KFENCE for x86
date: 24 hours ago
:::::: branch date: 19 hours ago
:::::: commit date: 24 hours ago
config: i386-randconfig-s002-20210228 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce:
# apt-get install sparse
# sparse version: v0.6.3-241-geaceeafa-dirty
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1dc0da6e9ec0f8d735756374697912cd50f402cf
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout 1dc0da6e9ec0f8d735756374697912cd50f402cf
# save the attached .config to linux build tree
make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=i386
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
"sparse warnings: (new ones prefixed by >>)"
>> mm/kfence/core.c:839:9: sparse: sparse: context imbalance in 'kfence_handle_page_fault' - different lock contexts for basic block
vim +/kfence_handle_page_fault +839 mm/kfence/core.c
0ce20dd840897b Alexander Potapenko 2021-02-25 768
0ce20dd840897b Alexander Potapenko 2021-02-25 769 bool kfence_handle_page_fault(unsigned long addr)
0ce20dd840897b Alexander Potapenko 2021-02-25 770 {
0ce20dd840897b Alexander Potapenko 2021-02-25 771 const int page_index = (addr - (unsigned long)__kfence_pool) / PAGE_SIZE;
0ce20dd840897b Alexander Potapenko 2021-02-25 772 struct kfence_metadata *to_report = NULL;
0ce20dd840897b Alexander Potapenko 2021-02-25 773 enum kfence_error_type error_type;
0ce20dd840897b Alexander Potapenko 2021-02-25 774 unsigned long flags;
0ce20dd840897b Alexander Potapenko 2021-02-25 775
0ce20dd840897b Alexander Potapenko 2021-02-25 776 if (!is_kfence_address((void *)addr))
0ce20dd840897b Alexander Potapenko 2021-02-25 777 return false;
0ce20dd840897b Alexander Potapenko 2021-02-25 778
0ce20dd840897b Alexander Potapenko 2021-02-25 779 if (!READ_ONCE(kfence_enabled)) /* If disabled at runtime ... */
0ce20dd840897b Alexander Potapenko 2021-02-25 780 return kfence_unprotect(addr); /* ... unprotect and proceed. */
0ce20dd840897b Alexander Potapenko 2021-02-25 781
0ce20dd840897b Alexander Potapenko 2021-02-25 782 atomic_long_inc(&counters[KFENCE_COUNTER_BUGS]);
0ce20dd840897b Alexander Potapenko 2021-02-25 783
0ce20dd840897b Alexander Potapenko 2021-02-25 784 if (page_index % 2) {
0ce20dd840897b Alexander Potapenko 2021-02-25 785 /* This is a redzone, report a buffer overflow. */
0ce20dd840897b Alexander Potapenko 2021-02-25 786 struct kfence_metadata *meta;
0ce20dd840897b Alexander Potapenko 2021-02-25 787 int distance = 0;
0ce20dd840897b Alexander Potapenko 2021-02-25 788
0ce20dd840897b Alexander Potapenko 2021-02-25 789 meta = addr_to_metadata(addr - PAGE_SIZE);
0ce20dd840897b Alexander Potapenko 2021-02-25 790 if (meta && READ_ONCE(meta->state) == KFENCE_OBJECT_ALLOCATED) {
0ce20dd840897b Alexander Potapenko 2021-02-25 791 to_report = meta;
0ce20dd840897b Alexander Potapenko 2021-02-25 792 /* Data race ok; distance calculation approximate. */
0ce20dd840897b Alexander Potapenko 2021-02-25 793 distance = addr - data_race(meta->addr + meta->size);
0ce20dd840897b Alexander Potapenko 2021-02-25 794 }
0ce20dd840897b Alexander Potapenko 2021-02-25 795
0ce20dd840897b Alexander Potapenko 2021-02-25 796 meta = addr_to_metadata(addr + PAGE_SIZE);
0ce20dd840897b Alexander Potapenko 2021-02-25 797 if (meta && READ_ONCE(meta->state) == KFENCE_OBJECT_ALLOCATED) {
0ce20dd840897b Alexander Potapenko 2021-02-25 798 /* Data race ok; distance calculation approximate. */
0ce20dd840897b Alexander Potapenko 2021-02-25 799 if (!to_report || distance > data_race(meta->addr) - addr)
0ce20dd840897b Alexander Potapenko 2021-02-25 800 to_report = meta;
0ce20dd840897b Alexander Potapenko 2021-02-25 801 }
0ce20dd840897b Alexander Potapenko 2021-02-25 802
0ce20dd840897b Alexander Potapenko 2021-02-25 803 if (!to_report)
0ce20dd840897b Alexander Potapenko 2021-02-25 804 goto out;
0ce20dd840897b Alexander Potapenko 2021-02-25 805
0ce20dd840897b Alexander Potapenko 2021-02-25 806 raw_spin_lock_irqsave(&to_report->lock, flags);
0ce20dd840897b Alexander Potapenko 2021-02-25 807 to_report->unprotected_page = addr;
0ce20dd840897b Alexander Potapenko 2021-02-25 808 error_type = KFENCE_ERROR_OOB;
0ce20dd840897b Alexander Potapenko 2021-02-25 809
0ce20dd840897b Alexander Potapenko 2021-02-25 810 /*
0ce20dd840897b Alexander Potapenko 2021-02-25 811 * If the object was freed before we took the look we can still
0ce20dd840897b Alexander Potapenko 2021-02-25 812 * report this as an OOB -- the report will simply show the
0ce20dd840897b Alexander Potapenko 2021-02-25 813 * stacktrace of the free as well.
0ce20dd840897b Alexander Potapenko 2021-02-25 814 */
0ce20dd840897b Alexander Potapenko 2021-02-25 815 } else {
0ce20dd840897b Alexander Potapenko 2021-02-25 816 to_report = addr_to_metadata(addr);
0ce20dd840897b Alexander Potapenko 2021-02-25 817 if (!to_report)
0ce20dd840897b Alexander Potapenko 2021-02-25 818 goto out;
0ce20dd840897b Alexander Potapenko 2021-02-25 819
0ce20dd840897b Alexander Potapenko 2021-02-25 820 raw_spin_lock_irqsave(&to_report->lock, flags);
0ce20dd840897b Alexander Potapenko 2021-02-25 821 error_type = KFENCE_ERROR_UAF;
0ce20dd840897b Alexander Potapenko 2021-02-25 822 /*
0ce20dd840897b Alexander Potapenko 2021-02-25 823 * We may race with __kfence_alloc(), and it is possible that a
0ce20dd840897b Alexander Potapenko 2021-02-25 824 * freed object may be reallocated. We simply report this as a
0ce20dd840897b Alexander Potapenko 2021-02-25 825 * use-after-free, with the stack trace showing the place where
0ce20dd840897b Alexander Potapenko 2021-02-25 826 * the object was re-allocated.
0ce20dd840897b Alexander Potapenko 2021-02-25 827 */
0ce20dd840897b Alexander Potapenko 2021-02-25 828 }
0ce20dd840897b Alexander Potapenko 2021-02-25 829
0ce20dd840897b Alexander Potapenko 2021-02-25 830 out:
0ce20dd840897b Alexander Potapenko 2021-02-25 831 if (to_report) {
0ce20dd840897b Alexander Potapenko 2021-02-25 832 kfence_report_error(addr, to_report, error_type);
0ce20dd840897b Alexander Potapenko 2021-02-25 833 raw_spin_unlock_irqrestore(&to_report->lock, flags);
0ce20dd840897b Alexander Potapenko 2021-02-25 834 } else {
0ce20dd840897b Alexander Potapenko 2021-02-25 835 /* This may be a UAF or OOB access, but we can't be sure. */
0ce20dd840897b Alexander Potapenko 2021-02-25 836 kfence_report_error(addr, NULL, KFENCE_ERROR_INVALID);
0ce20dd840897b Alexander Potapenko 2021-02-25 837 }
0ce20dd840897b Alexander Potapenko 2021-02-25 838
0ce20dd840897b Alexander Potapenko 2021-02-25 @839 return kfence_unprotect(addr); /* Unprotect and let access proceed. */
:::::: The code at line 839 was first introduced by commit
:::::: 0ce20dd840897b12ae70869c69f1ba34d6d16965 mm: add Kernel Electric-Fence infrastructure
:::::: TO: Alexander Potapenko <glider@google.com>
:::::: CC: Linus Torvalds <torvalds@linux-foundation.org>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 31595 bytes --]
reply other threads:[~2021-02-27 17:39 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202102280106.qKP9gWgL-lkp@intel.com \
--to=lkp@intel.com \
--cc=kbuild@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.