Subject: mm/kfence/core.c:839:9: sparse: sparse: context imbalance in 'kfence_handle_page_fault' - different lock contexts for basic block
From: kernel test robot @ 2021-02-27 17:39 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 8046 bytes --]
CC: kbuild-all@lists.01.org
CC: linux-kernel@vger.kernel.org
TO: Alexander Potapenko <glider@google.com>
CC: Marco Elver <elver@google.com>
CC: Dmitry Vyukov <dvyukov@google.com>
CC: Jann Horn <jannh@google.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Linux Memory Management List <linux-mm@kvack.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 3fb6d0e00efc958d01c2f109c8453033a2d96796
commit: 1dc0da6e9ec0f8d735756374697912cd50f402cf x86, kfence: enable KFENCE for x86
date: 24 hours ago
:::::: branch date: 19 hours ago
:::::: commit date: 24 hours ago
config: i386-randconfig-s002-20210228 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce:
# apt-get install sparse
# sparse version: v0.6.3-241-geaceeafa-dirty
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1dc0da6e9ec0f8d735756374697912cd50f402cf
git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
git fetch --no-tags linus master
git checkout 1dc0da6e9ec0f8d735756374697912cd50f402cf
# save the attached .config to linux build tree
make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=i386
If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
"sparse warnings: (new ones prefixed by >>)"
>> mm/kfence/core.c:839:9: sparse: sparse: context imbalance in 'kfence_handle_page_fault' - different lock contexts for basic block
vim +/kfence_handle_page_fault +839 mm/kfence/core.c
(all lines below: commit 0ce20dd840897b, Alexander Potapenko, 2021-02-25)
 768
 769	bool kfence_handle_page_fault(unsigned long addr)
 770	{
 771		const int page_index = (addr - (unsigned long)__kfence_pool) / PAGE_SIZE;
 772		struct kfence_metadata *to_report = NULL;
 773		enum kfence_error_type error_type;
 774		unsigned long flags;
 775
 776		if (!is_kfence_address((void *)addr))
 777			return false;
 778
 779		if (!READ_ONCE(kfence_enabled)) /* If disabled at runtime ... */
 780			return kfence_unprotect(addr); /* ... unprotect and proceed. */
 781
 782		atomic_long_inc(&counters[KFENCE_COUNTER_BUGS]);
 783
 784		if (page_index % 2) {
 785			/* This is a redzone, report a buffer overflow. */
 786			struct kfence_metadata *meta;
 787			int distance = 0;
 788
 789			meta = addr_to_metadata(addr - PAGE_SIZE);
 790			if (meta && READ_ONCE(meta->state) == KFENCE_OBJECT_ALLOCATED) {
 791				to_report = meta;
 792				/* Data race ok; distance calculation approximate. */
 793				distance = addr - data_race(meta->addr + meta->size);
 794			}
 795
 796			meta = addr_to_metadata(addr + PAGE_SIZE);
 797			if (meta && READ_ONCE(meta->state) == KFENCE_OBJECT_ALLOCATED) {
 798				/* Data race ok; distance calculation approximate. */
 799				if (!to_report || distance > data_race(meta->addr) - addr)
 800					to_report = meta;
 801			}
 802
 803			if (!to_report)
 804				goto out;
 805
 806			raw_spin_lock_irqsave(&to_report->lock, flags);
 807			to_report->unprotected_page = addr;
 808			error_type = KFENCE_ERROR_OOB;
 809
 810			/*
 811			 * If the object was freed before we took the lock we can still
 812			 * report this as an OOB -- the report will simply show the
 813			 * stacktrace of the free as well.
 814			 */
 815		} else {
 816			to_report = addr_to_metadata(addr);
 817			if (!to_report)
 818				goto out;
 819
 820			raw_spin_lock_irqsave(&to_report->lock, flags);
 821			error_type = KFENCE_ERROR_UAF;
 822			/*
 823			 * We may race with __kfence_alloc(), and it is possible that a
 824			 * freed object may be reallocated. We simply report this as a
 825			 * use-after-free, with the stack trace showing the place where
 826			 * the object was re-allocated.
 827			 */
 828		}
 829
 830	out:
 831		if (to_report) {
 832			kfence_report_error(addr, to_report, error_type);
 833			raw_spin_unlock_irqrestore(&to_report->lock, flags);
 834		} else {
 835			/* This may be a UAF or OOB access, but we can't be sure. */
 836			kfence_report_error(addr, NULL, KFENCE_ERROR_INVALID);
 837		}
 838
@839		return kfence_unprotect(addr); /* Unprotect and let access proceed. */
:::::: The code at line 839 was first introduced by commit
:::::: 0ce20dd840897b12ae70869c69f1ba34d6d16965 mm: add Kernel Electric-Fence infrastructure
:::::: TO: Alexander Potapenko <glider@google.com>
:::::: CC: Linus Torvalds <torvalds@linux-foundation.org>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 31595 bytes --]
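Editor's note on the warning. Sparse tracks lock context per basic block, not per value: in the listing above, `to_report->lock` is taken on two branches (lines 806 and 820) and the block at `out:` (line 830) is also reached through the two `goto out` paths with no lock held. Sparse therefore sees the same basic block entered in two different lock contexts and reports it at the function's last line. At runtime the unlock at line 833 is guarded by the same `to_report != NULL` condition that guarded the lock, so the lock is balanced on every path; the warning is about the static shape of the control flow, not an actual imbalance. The user-space model below is an added example, not KFENCE code and not a proposed kernel patch: every `model_*` identifier is an assumption of this illustration. It reproduces the control-flow shape sparse objects to, then shows the same behaviour restructured so that the lock is taken and released on one straight-line path, and checks that both variants leave the lock released on the OOB, UAF and INVALID paths.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* model_* names are assumptions of this example, not KFENCE identifiers. */
enum model_state { MODEL_ALLOCATED, MODEL_FREED };
enum model_error { MODEL_OOB, MODEL_UAF, MODEL_INVALID };

struct model_meta {
	enum model_state state;
	int lock_depth;	/* stands in for raw_spin_lock_irqsave()/raw_spin_unlock_irqrestore() */
};

/* A spinlock taken twice, or released when not held, is the bug sparse's context check hunts for. */
static void model_lock(struct model_meta *m)   { assert(m->lock_depth == 0); m->lock_depth = 1; }
static void model_unlock(struct model_meta *m) { assert(m->lock_depth == 1); m->lock_depth = 0; }

/* Stands in for kfence_report_error(); when given a metadata object it needs the lock held. */
static void model_report(struct model_meta *m, int *reports)
{
	assert(!m || m->lock_depth == 1);
	(*reports)++;
}

/*
 * Control flow of kfence_handle_page_fault(): the lock is taken in two
 * branches and released at 'out:' only when to_report != NULL.  The block
 * at 'out:' is reached with the lock held (after the two lock calls) and
 * without it (via the two 'goto out'), which is what sparse calls
 * "different lock contexts for basic block".  At runtime the unlock is
 * guarded by the same condition as the lock, so it is always balanced.
 * (Only one neighbour is modelled; the distance heuristic is omitted.)
 */
static enum model_error model_fault_goto_out(bool redzone, struct model_meta *neighbour,
					     struct model_meta *self, int *reports)
{
	struct model_meta *to_report = NULL;
	enum model_error error_type = MODEL_INVALID;

	if (redzone) {
		if (neighbour && neighbour->state == MODEL_ALLOCATED)
			to_report = neighbour;
		if (!to_report)
			goto out;
		model_lock(to_report);
		error_type = MODEL_OOB;
	} else {
		to_report = self;	/* reported as UAF whatever its state, as in the kernel */
		if (!to_report)
			goto out;
		model_lock(to_report);
		error_type = MODEL_UAF;
	}
out:
	if (to_report) {
		model_report(to_report, reports);
		model_unlock(to_report);
	} else {
		model_report(NULL, reports);
	}
	return error_type;
}

/*
 * Same observable behaviour, restructured so the lock is taken and released
 * on one straight-line path: every basic block then has a single lock
 * context, so a per-block checker has nothing to flag.
 */
static enum model_error model_fault_balanced(bool redzone, struct model_meta *neighbour,
					     struct model_meta *self, int *reports)
{
	struct model_meta *to_report = self;
	enum model_error error_type = MODEL_UAF;

	if (redzone) {
		to_report = (neighbour && neighbour->state == MODEL_ALLOCATED) ? neighbour : NULL;
		error_type = MODEL_OOB;
	}
	if (!to_report) {
		model_report(NULL, reports);
		return MODEL_INVALID;
	}
	model_lock(to_report);
	model_report(to_report, reports);
	model_unlock(to_report);
	return error_type;
}

/* Drives every path of both variants; returns the report count (6) when no
 * lock is left held, -1 on a wrong classification or a lock still held. */
static int model_check_all_paths(void)
{
	struct model_meta alloc = { MODEL_ALLOCATED, 0 }, freed = { MODEL_FREED, 0 };
	int reports = 0;

	if (model_fault_goto_out(true, &alloc, NULL, &reports) != MODEL_OOB ||
	    model_fault_goto_out(true, &freed, NULL, &reports) != MODEL_INVALID ||
	    model_fault_goto_out(false, NULL, &freed, &reports) != MODEL_UAF ||
	    model_fault_balanced(true, &alloc, NULL, &reports) != MODEL_OOB ||
	    model_fault_balanced(true, NULL, NULL, &reports) != MODEL_INVALID ||
	    model_fault_balanced(false, NULL, &freed, &reports) != MODEL_UAF)
		return -1;
	return (alloc.lock_depth || freed.lock_depth) ? -1 : reports;
}
```

The model only asserts runtime balance; it does not run sparse. The point of the second variant is that sparse's check is structural, so keeping `goto out` plus a conditional unlock will keep producing this warning even though the code is correct, whereas taking and dropping the lock on one path gives each basic block a single context. Any per-branch work that the kernel does under the lock (such as setting `unprotected_page` on the OOB path) would, in that shape, move after the lock call and be keyed on the error type.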