Date: Fri, 22 Nov 2019 12:25:45 +0100
Message-Id: <20191122112621.204798-1-glider@google.com>
Subject: [PATCH RFC v3 00/36] Add KernelMemorySanitizer infrastructure
From: glider@google.com
To: Alexander Viro, Andreas Dilger, Andrew Morton, Andrey Konovalov, Andrey Ryabinin, Andy Lutomirski, Ard Biesheuvel, Arnd Bergmann, Christoph Hellwig, Christoph Hellwig, "Darrick J. Wong", "David S. Miller", Dmitry Torokhov, Dmitry Vyukov, Eric Biggers, Eric Dumazet, Eric Van Hensbergen, Greg Kroah-Hartman, Harry Wentland, Herbert Xu, Ilya Leoshkevich, Ingo Molnar, Jason Wang, Jens Axboe, Marek Szyprowski, Marco Elver, Mark Rutland, "Martin K. Petersen", Martin Schwidefsky, Matthew Wilcox, "Michael S. Tsirkin", Michal Simek, Petr Mladek, Qian Cai, Randy Dunlap, Robin Murphy, Sergey Senozhatsky, Steven Rostedt, Takashi Iwai, "Theodore Ts'o", Thomas Gleixner, Vasily Gorbik, Vegard Nossum, Wolfram Sang, linux-mm@kvack.org
Cc: glider@google.com

KernelMemorySanitizer (KMSAN) is a detector of errors related to uses of
uninitialized memory. It relies on compile-time Clang instrumentation
(similar to MSan in userspace: https://clang.llvm.org/docs/MemorySanitizer.html)
and tracks the state of every bit of kernel memory, being able to report an
error if an uninitialized value is used in a condition, dereferenced or copied
to userspace, USB or network.

KMSAN has reported more than 200 bugs in the past two years, most of them with
the help of syzkaller (http://syzkaller.appspot.com).

The proposed patchset contains the KMSAN runtime implementation together with
small changes to other subsystems needed to make KMSAN work.
The latter changes fall into several categories:

- nice-to-have features that are independent of KMSAN but simplify its
  implementation (stackdepot changes, CONFIG_GENERIC_CSUM etc.);
- Kconfig changes that prohibit options incompatible with KMSAN;
- calls to KMSAN runtime functions that help KMSAN do the bookkeeping
  (e.g. tell it to allocate, copy or delete the metadata);
- calls to KMSAN runtime functions that tell KMSAN to check memory escaping
  the kernel for uninitialized values. These are required to increase the
  number of true positive error reports;
- calls to runtime functions that tell KMSAN to ignore certain memory ranges
  to avoid false negative reports. Most certainly there can be better ways to
  deal with every such report.

This patchset allows one to boot and run a defconfig+KMSAN kernel in QEMU
without known major false positives. It however doesn't guarantee there are
no false positives in drivers of certain devices or less tested subsystems,
although KMSAN is actively tested on syzbot with quite a rich config.

One may find it handy to review these patches in Gerrit:
https://linux-review.googlesource.com/c/linux/kernel/git/torvalds/linux/+/1081
I've ensured the Change-Id: tags stay away from commit descriptions.

The patchset was generated relative to Linux v5.4-rc5.

I also apologize for not sending every patch in the previous series to all
recipients of patches from that series.

Note: checkpatch.pl complains a lot about the use of BUG_ON in KMSAN source.
I don't have a strong opinion on this, but KMSAN is a debugging tool, so any
runtime invariant violation in it renders the tool useless. Therefore it
doesn't make much sense to not terminate after a bug in KMSAN.
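The bookkeeping hooks listed above (poison on allocation, shadow that travels with copies, a check when memory escapes the kernel) can be illustrated with a small byte-granular model. This is an added example, not code from this patchset or from the KMSAN runtime: the arena, the model_* helpers and the struct msg sample are invented here, and the real tool tracks every bit through Clang instrumentation rather than explicit calls.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy byte-granular model of KMSAN-style shadow memory (added example, not
 * kernel code). Shadow byte 0xff = uninitialized, 0 = initialized. The real
 * tool tracks every bit and relies on Clang instrumentation; here every
 * bookkeeping hook is called by hand. */
#define ARENA 64
static uint8_t mem[ARENA], shadow[ARENA];
#define SHADOW_OF(p) (shadow + ((const uint8_t *)(p) - mem))
/* allocation hook: fresh memory starts fully poisoned */
static void *model_kmalloc(size_t off, size_t len) {
    memset(shadow + off, 0xff, len);
    return mem + off;
}
/* an instrumented store of an initialized value clears the shadow it writes */
static void model_store(void *dst, const void *src, size_t len) {
    memcpy(dst, src, len);
    memset(SHADOW_OF(dst), 0, len);
}
/* __msan_memcpy()-like copy: shadow travels with the data, so poison
 * propagates instead of being silently dropped by a plain memcpy */
static void model_memcpy(void *dst, const void *src, size_t len) {
    memcpy(dst, src, len);
    memmove(SHADOW_OF(dst), SHADOW_OF(src), len);
}
/* boundary check (copy_to_user() and friends): offset of the first
 * uninitialized byte in the range, or -1 when the range is clean */
static int model_check_escape(const void *p, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (SHADOW_OF(p)[i]) return (int)i;
    return -1;
}
/* constructed sample: compiler-inserted padding between the two fields */
struct msg { uint8_t type; uint32_t value; };

int escape_check_demo(int memset_first) {
    struct msg *m = model_kmalloc(0, sizeof(struct msg));
    struct msg *out = model_kmalloc(32, sizeof(struct msg));
    uint8_t zero[sizeof(struct msg)] = {0}, t = 1;
    uint32_t v = 42;
    if (memset_first)            /* the fix: memset(m, 0, sizeof *m) first */
        model_store(m, zero, sizeof *m);
    model_store(&m->type, &t, sizeof t);   /* field-by-field init skips padding */
    model_store(&m->value, &v, sizeof v);
    model_memcpy(out, m, sizeof *m);       /* padding poison comes along */
    return model_check_escape(out, sizeof *m); /* 1 = first padding byte, -1 = clean */
}
```

With field-by-field initialization the check reports offset 1 (the first padding byte) on the copied buffer; clearing the whole struct first makes the same copy pass clean.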
Alexander Potapenko (36):
  stackdepot: check depot_index before accessing the stack slab
  stackdepot: build with -fno-builtin
  kasan: stackdepot: move filter_irq_stacks() to stackdepot.c
  stackdepot: reserve 5 extra bits in depot_stack_handle_t
  kmsan: add ReST documentation
  kmsan: gfp: introduce __GFP_NO_KMSAN_SHADOW
  kmsan: introduce __no_sanitize_memory and __SANITIZE_MEMORY__
  kmsan: reduce vmalloc space
  kmsan: add KMSAN bits to struct page and struct task_struct
  kmsan: add KMSAN runtime
  kmsan: stackdepot: don't allocate KMSAN metadata for stackdepot
  kmsan: define READ_ONCE_NOCHECK()
  kmsan: make READ_ONCE_TASK_STACK() return initialized values
  kmsan: x86: sync metadata pages on page fault
  kmsan: add tests for KMSAN
  crypto: kmsan: disable accelerated configs under KMSAN
  kmsan: x86: disable UNWINDER_ORC under KMSAN
  kmsan: disable LOCK_DEBUGGING_SUPPORT
  kmsan: x86/asm: add KMSAN hooks to entry_64.S
  kmsan: x86: increase stack sizes in KMSAN builds
  kmsan: disable KMSAN instrumentation for certain kernel parts
  kmsan: mm: call KMSAN hooks from SLUB code
  kmsan: call KMSAN hooks where needed
  kmsan: disable instrumentation of certain functions
  kmsan: unpoison |tlb| in arch_tlb_gather_mmu()
  kmsan: use __msan_memcpy() where possible.
  kmsan: hooks for copy_to_user() and friends
  kmsan: enable KMSAN builds
  kmsan: handle /dev/[u]random
  kmsan: virtio: check/unpoison scatterlist in vring_map_one_sg()
  kmsan: disable strscpy() optimization under KMSAN
  kmsan: add iomap support
  kmsan: dma: unpoison memory mapped by dma_direct_map_page()
  kmsan: disable physical page merging in biovec
  kmsan: ext4: skip block merging logic in ext4_mpage_readpages for KMSAN
  net: kasan: kmsan: support CONFIG_GENERIC_CSUM on x86, enable it for KASAN/KMSAN

 Documentation/dev-tools/index.rst       |   1 +
 Documentation/dev-tools/kmsan.rst       | 418 ++++++++++++++++++
 Makefile                                |   3 +-
 arch/x86/Kconfig                        |   5 +
 arch/x86/Kconfig.debug                  |   3 +
 arch/x86/boot/Makefile                  |   2 +
 arch/x86/boot/compressed/Makefile       |   2 +
 arch/x86/boot/compressed/misc.h         |   1 +
 arch/x86/entry/common.c                 |   1 +
 arch/x86/entry/entry_64.S               |  16 +
 arch/x86/entry/vdso/Makefile            |   3 +
 arch/x86/include/asm/checksum.h         |  10 +-
 arch/x86/include/asm/irq_regs.h         |   1 +
 arch/x86/include/asm/kmsan.h            | 117 +++++
 arch/x86/include/asm/page_64.h          |  13 +
 arch/x86/include/asm/page_64_types.h    |  12 +-
 arch/x86/include/asm/pgtable_64_types.h |  15 +
 arch/x86/include/asm/string_64.h        |   9 +-
 arch/x86/include/asm/syscall_wrapper.h  |   1 +
 arch/x86/include/asm/uaccess.h          |  12 +
 arch/x86/include/asm/unwind.h           |   9 +-
 arch/x86/kernel/Makefile                |   4 +
 arch/x86/kernel/apic/apic.c             |   1 +
 arch/x86/kernel/cpu/Makefile            |   1 +
 arch/x86/kernel/dumpstack_64.c          |   1 +
 arch/x86/kernel/process_64.c            |   5 +
 arch/x86/kernel/traps.c                 |  12 +-
 arch/x86/kernel/uprobes.c               |   7 +-
 arch/x86/lib/Makefile                   |   2 +
 arch/x86/mm/Makefile                    |   2 +
 arch/x86/mm/fault.c                     |  20 +
 arch/x86/mm/ioremap.c                   |   3 +
 arch/x86/realmode/rm/Makefile           |   2 +
 block/blk.h                             |   7 +
 crypto/Kconfig                          |  52 +++
 drivers/char/random.c                   |   6 +
 drivers/firmware/efi/libstub/Makefile   |   1 +
 drivers/usb/core/urb.c                  |   2 +
 drivers/virtio/virtio_ring.c            |  10 +-
 fs/ext4/readpage.c                      |  11 +
 include/asm-generic/cacheflush.h        |   7 +-
 include/asm-generic/uaccess.h           |  12 +-
 include/linux/compiler-clang.h          |   8 +
 include/linux/compiler-gcc.h            |   5 +
 include/linux/compiler.h                |  13 +-
 include/linux/gfp.h                     |   4 +-
 include/linux/highmem.h                 |   4 +
 include/linux/kmsan-checks.h            | 122 +++++
 include/linux/kmsan.h                   | 143 ++++++
 include/linux/mm_types.h                |   9 +
 include/linux/sched.h                   |   5 +
 include/linux/stackdepot.h              |  10 +
 include/linux/string.h                  |   2 +
 include/linux/uaccess.h                 |  32 +-
 init/main.c                             |   3 +
 kernel/Makefile                         |   1 +
 kernel/dma/direct.c                     |   1 +
 kernel/exit.c                           |   2 +
 kernel/fork.c                           |   2 +
 kernel/kthread.c                        |   2 +
 kernel/printk/printk.c                  |   6 +
 kernel/profile.c                        |   1 +
 kernel/sched/core.c                     |   6 +
 kernel/softirq.c                        |   5 +
 lib/Kconfig.debug                       |   5 +
 lib/Kconfig.kmsan                       |  22 +
 lib/Makefile                            |   6 +
 lib/iomap.c                             |  40 ++
 lib/ioremap.c                           |   5 +
 lib/iov_iter.c                          |   6 +
 lib/stackdepot.c                        |  69 ++-
 lib/string.c                            |   5 +-
 lib/test_kmsan.c                        | 231 ++++++++++
 lib/usercopy.c                          |   6 +-
 mm/Makefile                             |   1 +
 mm/compaction.c                         |   9 +
 mm/gup.c                                |   3 +
 mm/kasan/common.c                       |  23 -
 mm/kmsan/Makefile                       |   4 +
 mm/kmsan/kmsan.c                        | 563 ++++++++++++++++++++++++
 mm/kmsan/kmsan.h                        | 146 ++++++
 mm/kmsan/kmsan_entry.c                  | 118 +++++
 mm/kmsan/kmsan_hooks.c                  | 422 ++++++++++++++++++
 mm/kmsan/kmsan_init.c                   |  88 ++++
 mm/kmsan/kmsan_instr.c                  | 259 +++++++++++
 mm/kmsan/kmsan_report.c                 | 133 ++++++
 mm/kmsan/kmsan_shadow.c                 | 543 +++++++++++++++++++++++
 mm/kmsan/kmsan_shadow.h                 |  30 ++
 mm/memory.c                             |   2 +
 mm/mmu_gather.c                         |  10 +
 mm/page_alloc.c                         |  16 +
 mm/slub.c                               |  34 +-
 mm/vmalloc.c                            |  23 +-
 net/sched/sch_generic.c                 |   2 +
 scripts/Makefile.kmsan                  |  12 +
 scripts/Makefile.lib                    |   6 +
 96 files changed, 3983 insertions(+), 67 deletions(-)
 create mode 100644 Documentation/dev-tools/kmsan.rst
 create mode 100644 arch/x86/include/asm/kmsan.h
 create mode 100644 include/linux/kmsan-checks.h
 create mode 100644 include/linux/kmsan.h
 create mode 100644 lib/Kconfig.kmsan
 create mode 100644 lib/test_kmsan.c
 create mode 100644 mm/kmsan/Makefile
 create mode 100644 mm/kmsan/kmsan.c
 create mode 100644 mm/kmsan/kmsan.h
 create mode 100644 mm/kmsan/kmsan_entry.c
 create mode 100644 mm/kmsan/kmsan_hooks.c
 create mode 100644 mm/kmsan/kmsan_init.c
 create mode 100644 mm/kmsan/kmsan_instr.c
 create mode 100644 mm/kmsan/kmsan_report.c
 create mode 100644 mm/kmsan/kmsan_shadow.c
 create mode 100644 mm/kmsan/kmsan_shadow.h
 create mode 100644 scripts/Makefile.kmsan

-- 
2.24.0.432.g9d3f5f5b63-goog