From: Mark Rutland <mark.rutland@arm.com>
To: Will Deacon <will@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
kernel-team@android.com, Michael Ellerman <mpe@ellerman.id.au>,
Peter Zijlstra <peterz@infradead.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Segher Boessenkool <segher@kernel.crashing.org>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Luc Van Oostenryck <luc.vanoostenryck@gmail.com>,
Arnd Bergmann <arnd@arndb.de>,
Peter Oberparleiter <oberpar@linux.ibm.com>,
Masahiro Yamada <masahiroy@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Robin Murphy <robin.murphy@arm.com>
Subject: Re: [PATCH v3 05/12] arm64: csum: Disable KASAN for do_csum()
Date: Wed, 15 Apr 2020 18:28:14 +0100 [thread overview]
Message-ID: <20200415172813.GA2272@lakrids.cambridge.arm.com> (raw)
In-Reply-To: <20200415165218.20251-6-will@kernel.org>
Hi Will,
On Wed, Apr 15, 2020 at 05:52:11PM +0100, Will Deacon wrote:
> do_csum() over-reads the source buffer and therefore abuses
> READ_ONCE_NOCHECK() to avoid tripping up KASAN. In preparation for
> READ_ONCE_NOCHECK() becoming a macro, and therefore losing its
> '__no_sanitize_address' annotation, just annotate do_csum() explicitly
> and fall back to normal loads.
I'm confused by this. The whole point of READ_ONCE_NOCHECK() is that it
isn't checked by KASAN, so if that semantic is removed it has no reason
to exist.
Changing that will break the unwind/stacktrace code across multiple
architectures. IIRC they use READ_ONCE_NOCHECK() for two reasons:
1. Races with concurrent modification, as might happen when a thread's
stack is corrupted. Allowing the unwinder to bail out after a sanity
check means the resulting report is more useful than a KASAN splat in
the unwinder. I made the arm64 unwinder robust to this case.
2. I believe that the frame record itself /might/ be poisoned by KASAN,
since it's not meant to be an accessible object at the C langauge
level. I could be wrong about this, and would have to check.
I would like to keep the unwinding robust in the first case, even if the
second case doesn't apply, and I'd prefer to not mark the entirety of
the unwinding code as unchecked as that's sufficiently large an subtle
that it could have nasty bugs.
Is there any way we keep something like READ_ONCE_NOCHECK() around even
if we have to give it reduced functionality relative to READ_ONCE()?
I'm not enirely sure why READ_ONCE_NOCHECK() had to go, so if there's a
particular pain point I'm happy to take a look.
Thanks,
Mark.
>
> Cc: Mark Rutland <mark.rutland@arm.com>
> Cc: Robin Murphy <robin.murphy@arm.com>
> Signed-off-by: Will Deacon <will@kernel.org>
> ---
> arch/arm64/lib/csum.c | 20 ++++++++++++--------
> 1 file changed, 12 insertions(+), 8 deletions(-)
>
> diff --git a/arch/arm64/lib/csum.c b/arch/arm64/lib/csum.c
> index 60eccae2abad..78b87a64ca0a 100644
> --- a/arch/arm64/lib/csum.c
> +++ b/arch/arm64/lib/csum.c
> @@ -14,7 +14,11 @@ static u64 accumulate(u64 sum, u64 data)
> return tmp + (tmp >> 64);
> }
>
> -unsigned int do_csum(const unsigned char *buff, int len)
> +/*
> + * We over-read the buffer and this makes KASAN unhappy. Instead, disable
> + * instrumentation and call kasan explicitly.
> + */
> +unsigned int __no_sanitize_address do_csum(const unsigned char *buff, int len)
> {
> unsigned int offset, shift, sum;
> const u64 *ptr;
> @@ -42,7 +46,7 @@ unsigned int do_csum(const unsigned char *buff, int len)
> * odd/even alignment, and means we can ignore it until the very end.
> */
> shift = offset * 8;
> - data = READ_ONCE_NOCHECK(*ptr++);
> + data = *ptr++;
> #ifdef __LITTLE_ENDIAN
> data = (data >> shift) << shift;
> #else
> @@ -58,10 +62,10 @@ unsigned int do_csum(const unsigned char *buff, int len)
> while (unlikely(len > 64)) {
> __uint128_t tmp1, tmp2, tmp3, tmp4;
>
> - tmp1 = READ_ONCE_NOCHECK(*(__uint128_t *)ptr);
> - tmp2 = READ_ONCE_NOCHECK(*(__uint128_t *)(ptr + 2));
> - tmp3 = READ_ONCE_NOCHECK(*(__uint128_t *)(ptr + 4));
> - tmp4 = READ_ONCE_NOCHECK(*(__uint128_t *)(ptr + 6));
> + tmp1 = *(__uint128_t *)ptr;
> + tmp2 = *(__uint128_t *)(ptr + 2);
> + tmp3 = *(__uint128_t *)(ptr + 4);
> + tmp4 = *(__uint128_t *)(ptr + 6);
>
> len -= 64;
> ptr += 8;
> @@ -85,7 +89,7 @@ unsigned int do_csum(const unsigned char *buff, int len)
> __uint128_t tmp;
>
> sum64 = accumulate(sum64, data);
> - tmp = READ_ONCE_NOCHECK(*(__uint128_t *)ptr);
> + tmp = *(__uint128_t *)ptr;
>
> len -= 16;
> ptr += 2;
> @@ -100,7 +104,7 @@ unsigned int do_csum(const unsigned char *buff, int len)
> }
> if (len > 0) {
> sum64 = accumulate(sum64, data);
> - data = READ_ONCE_NOCHECK(*ptr);
> + data = *ptr;
> len -= 8;
> }
> /*
> --
> 2.26.0.110.g2183baf09c-goog
>
next prev parent reply other threads:[~2020-04-15 17:28 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-15 16:52 [PATCH v3 00/12] Rework READ_ONCE() to improve codegen Will Deacon
2020-04-15 16:52 ` [PATCH v3 01/12] compiler/gcc: Emit build-time warning for GCC prior to version 4.8 Will Deacon
2020-04-15 17:20 ` Masahiro Yamada
2020-04-15 16:52 ` [PATCH v3 02/12] netfilter: Avoid assigning 'const' pointer to non-const pointer Will Deacon
2020-04-15 16:52 ` [PATCH v3 03/12] net: tls: " Will Deacon
2020-04-15 16:52 ` [PATCH v3 04/12] fault_inject: Don't rely on "return value" from WRITE_ONCE() Will Deacon
2020-04-15 16:52 ` [PATCH v3 05/12] arm64: csum: Disable KASAN for do_csum() Will Deacon
2020-04-15 17:28 ` Mark Rutland [this message]
2020-04-15 18:42 ` Arnd Bergmann
2020-04-15 19:43 ` Will Deacon
2020-04-15 20:10 ` Will Deacon
2020-04-15 19:26 ` Will Deacon
2020-04-16 9:31 ` Mark Rutland
2020-04-16 11:53 ` Will Deacon
2020-04-16 12:11 ` Mark Rutland
2020-04-15 19:26 ` Robin Murphy
2020-04-15 16:52 ` [PATCH v3 06/12] READ_ONCE: Simplify implementations of {READ,WRITE}_ONCE() Will Deacon
2020-04-15 16:52 ` [PATCH v3 07/12] READ_ONCE: Enforce atomicity for {READ,WRITE}_ONCE() memory accesses Will Deacon
2020-04-15 16:52 ` [PATCH v3 08/12] READ_ONCE: Drop pointer qualifiers when reading from scalar types Will Deacon
2020-04-15 16:52 ` [PATCH v3 09/12] locking/barriers: Use '__unqual_scalar_typeof' for load-acquire macros Will Deacon
2020-04-15 16:52 ` [PATCH v3 10/12] arm64: barrier: Use '__unqual_scalar_typeof' for acquire/release macros Will Deacon
2020-04-15 16:52 ` [PATCH v3 11/12] compiler/gcc: Raise minimum GCC version for kernel builds to 4.8 Will Deacon
2020-04-15 18:37 ` Arnd Bergmann
2020-04-15 16:52 ` [PATCH v3 12/12] gcov: Remove old GCC 3.4 support Will Deacon
2020-04-16 12:30 ` [PATCH v3 00/12] Rework READ_ONCE() to improve codegen Christian Borntraeger
2020-04-16 12:48 ` Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200415172813.GA2272@lakrids.cambridge.arm.com \
--to=mark.rutland@arm.com \
--cc=arnd@arndb.de \
--cc=borntraeger@de.ibm.com \
--cc=kernel-team@android.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luc.vanoostenryck@gmail.com \
--cc=masahiroy@kernel.org \
--cc=mpe@ellerman.id.au \
--cc=ndesaulniers@google.com \
--cc=oberpar@linux.ibm.com \
--cc=peterz@infradead.org \
--cc=robin.murphy@arm.com \
--cc=segher@kernel.crashing.org \
--cc=torvalds@linux-foundation.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).