| Message ID | 20191122112621.204798-1-glider@google.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Add KernelMemorySanitizer infrastructure | expand |
On Fri, 22 Nov 2019 at 12:26, <glider@google.com> wrote: > > KernelMemorySanitizer (KMSAN) is a detector of errors related to uses of > uninitialized memory. It relies on compile-time Clang instrumentation > (similar to MSan in the userspace: > https://clang.llvm.org/docs/MemorySanitizer.html) > and tracks the state of every bit of kernel memory, being able to report > an error if uninitialized value is used in a condition, dereferenced or > copied to userspace, USB or network. > > KMSAN has reported more than 200 bugs in the past two years, most of > them with the help of syzkaller (http://syzkaller.appspot.com). > > The proposed patchset contains KMSAN runtime implementation together > with small changes to other subsystems needed to make KMSAN work. > The latter changes fall into several categories: > - nice-to-have features that are independent from KMSAN but simplify > its implementation (stackdepot changes, CONFIG_GENERIC_CSUM etc.); > - Kconfig changes that prohibit options incompatible with KMSAN; > - calls to KMSAN runtime functions that help KMSAN do the bookkeeping > (e.g. tell it to allocate, copy or delete the metadata); > - calls to KMSAN runtime functions that tell KMSAN to check memory > escaping the kernel for uninitialized values. These are required to > increase the number of true positive error reports; > - calls to runtime functions that tell KMSAN to ignore certain memory > ranges to avoid false negative reports. Most certainly there can be > better ways to deal with every such report. > > This patchset allows one to boot and run a defconfig+KMSAN kernel on a QEMU > without known major false positives. It however doesn't guarantee there > are no false positives in drivers of certain devices or less tested > subsystems, although KMSAN is actively tested on syzbot with quite a > rich config. > > One may find it handy to review these patches in Gerrit: > https://linux-review.googlesource.com/c/linux/kernel/git/torvalds/linux/+/1081 > I've ensured the Change-Id: tags stay away from commit descriptions. > > The patchset was generated relative to Linux v5.4-rc5. > > I also apologize for not sending every patch in the previous series > to all recipients of patches from that series. > > Note: checkpatch.pl complains a lot about the use of BUG_ON in KMSAN > source. I don't have a strong opinion on this, but KMSAN is a debugging > tool, so any runtime invariant violation in it renders the tool useless. > Therefore it doesn't make much sense to not terminate after a bug in > KMSAN. > > Alexander Potapenko (36): > stackdepot: check depot_index before accessing the stack slab > stackdepot: build with -fno-builtin > kasan: stackdepot: move filter_irq_stacks() to stackdepot.c > stackdepot: reserve 5 extra bits in depot_stack_handle_t > kmsan: add ReST documentation > kmsan: gfp: introduce __GFP_NO_KMSAN_SHADOW > kmsan: introduce __no_sanitize_memory and __SANITIZE_MEMORY__ > kmsan: reduce vmalloc space > kmsan: add KMSAN bits to struct page and struct task_struct > kmsan: add KMSAN runtime > kmsan: stackdepot: don't allocate KMSAN metadata for stackdepot > kmsan: define READ_ONCE_NOCHECK() > kmsan: make READ_ONCE_TASK_STACK() return initialized values > kmsan: x86: sync metadata pages on page fault > kmsan: add tests for KMSAN > crypto: kmsan: disable accelerated configs under KMSAN > kmsan: x86: disable UNWINDER_ORC under KMSAN > kmsan: disable LOCK_DEBUGGING_SUPPORT > kmsan: x86/asm: add KMSAN hooks to entry_64.S > kmsan: x86: increase stack sizes in KMSAN builds > kmsan: disable KMSAN instrumentation for certain kernel parts > kmsan: mm: call KMSAN hooks from SLUB code > kmsan: call KMSAN hooks where needed > kmsan: disable instrumentation of certain functions > kmsan: unpoison |tlb| in arch_tlb_gather_mmu() > kmsan: use __msan_memcpy() where possible. > kmsan: hooks for copy_to_user() and friends > kmsan: enable KMSAN builds > kmsan: handle /dev/[u]random > kmsan: virtio: check/unpoison scatterlist in vring_map_one_sg() > kmsan: disable strscpy() optimization under KMSAN > kmsan: add iomap support > kmsan: dma: unpoison memory mapped by dma_direct_map_page() > kmsan: disable physical page merging in biovec > kmsan: ext4: skip block merging logic in ext4_mpage_readpages for > KMSAN > net: kasan: kmsan: support CONFIG_GENERIC_CSUM on x86, enable it for > KASAN/KMSAN > > To: Alexander Potapenko <glider@google.com> > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > Cc: Andreas Dilger <adilger.kernel@dilger.ca> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Andrey Konovalov <andreyknvl@google.com> > Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> > Cc: Andy Lutomirski <luto@kernel.org> > Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> > Cc: Arnd Bergmann <arnd@arndb.de> > Cc: Christoph Hellwig <hch@infradead.org> > Cc: Christoph Hellwig <hch@lst.de> > Cc: Darrick J. Wong <darrick.wong@oracle.com> > Cc: "David S. Miller" <davem@davemloft.net> > Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com> > Cc: Dmitry Vyukov <dvyukov@google.com> > Cc: Eric Biggers <ebiggers@google.com> > Cc: Eric Dumazet <edumazet@google.com> > Cc: Eric Van Hensbergen <ericvh@gmail.com> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > Cc: Harry Wentland <harry.wentland@amd.com> > Cc: Herbert Xu <herbert@gondor.apana.org.au> > Cc: Ilya Leoshkevich <iii@linux.ibm.com> > Cc: Ingo Molnar <mingo@elte.hu> > Cc: Jason Wang <jasowang@redhat.com> > Cc: Jens Axboe <axboe@kernel.dk> > Cc: Marek Szyprowski <m.szyprowski@samsung.com> > Cc: Marco Elver <elver@google.com> > Cc: Mark Rutland <mark.rutland@arm.com> > Cc: Martin K. Petersen <martin.petersen@oracle.com> > Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> > Cc: Matthew Wilcox <willy@infradead.org> > Cc: "Michael S. Tsirkin" <mst@redhat.com> > Cc: Michal Simek <monstr@monstr.eu> > Cc: Petr Mladek <pmladek@suse.com> > Cc: Qian Cai <cai@lca.pw> > Cc: Randy Dunlap <rdunlap@infradead.org> > Cc: Robin Murphy <robin.murphy@arm.com> > Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> > Cc: Steven Rostedt <rostedt@goodmis.org> > Cc: Takashi Iwai <tiwai@suse.com> > Cc: "Theodore Ts'o" <tytso@mit.edu> > Cc: Thomas Gleixner <tglx@linutronix.de> > Cc: Vasily Gorbik <gor@linux.ibm.com> > Cc: Vegard Nossum <vegard.nossum@oracle.com> > Cc: Wolfram Sang <wsa@the-dreams.de> > Cc: linux-mm@kvack.org > > Documentation/dev-tools/index.rst | 1 + > Documentation/dev-tools/kmsan.rst | 418 ++++++++++++++++++ > Makefile | 3 +- > arch/x86/Kconfig | 5 + > arch/x86/Kconfig.debug | 3 + > arch/x86/boot/Makefile | 2 + > arch/x86/boot/compressed/Makefile | 2 + > arch/x86/boot/compressed/misc.h | 1 + > arch/x86/entry/common.c | 1 + > arch/x86/entry/entry_64.S | 16 + > arch/x86/entry/vdso/Makefile | 3 + > arch/x86/include/asm/checksum.h | 10 +- > arch/x86/include/asm/irq_regs.h | 1 + > arch/x86/include/asm/kmsan.h | 117 +++++ > arch/x86/include/asm/page_64.h | 13 + > arch/x86/include/asm/page_64_types.h | 12 +- > arch/x86/include/asm/pgtable_64_types.h | 15 + > arch/x86/include/asm/string_64.h | 9 +- > arch/x86/include/asm/syscall_wrapper.h | 1 + > arch/x86/include/asm/uaccess.h | 12 + > arch/x86/include/asm/unwind.h | 9 +- > arch/x86/kernel/Makefile | 4 + > arch/x86/kernel/apic/apic.c | 1 + > arch/x86/kernel/cpu/Makefile | 1 + > arch/x86/kernel/dumpstack_64.c | 1 + > arch/x86/kernel/process_64.c | 5 + > arch/x86/kernel/traps.c | 12 +- > arch/x86/kernel/uprobes.c | 7 +- > arch/x86/lib/Makefile | 2 + > arch/x86/mm/Makefile | 2 + > arch/x86/mm/fault.c | 20 + > arch/x86/mm/ioremap.c | 3 + > arch/x86/realmode/rm/Makefile | 2 + > block/blk.h | 7 + > crypto/Kconfig | 52 +++ > drivers/char/random.c | 6 + > drivers/firmware/efi/libstub/Makefile | 1 + > drivers/usb/core/urb.c | 2 + > drivers/virtio/virtio_ring.c | 10 +- > fs/ext4/readpage.c | 11 + > include/asm-generic/cacheflush.h | 7 +- > include/asm-generic/uaccess.h | 12 +- > include/linux/compiler-clang.h | 8 + > include/linux/compiler-gcc.h | 5 + > include/linux/compiler.h | 13 +- > include/linux/gfp.h | 4 +- > include/linux/highmem.h | 4 + > include/linux/kmsan-checks.h | 122 +++++ > include/linux/kmsan.h | 143 ++++++ > include/linux/mm_types.h | 9 + > include/linux/sched.h | 5 + > include/linux/stackdepot.h | 10 + > include/linux/string.h | 2 + > include/linux/uaccess.h | 32 +- > init/main.c | 3 + > kernel/Makefile | 1 + > kernel/dma/direct.c | 1 + > kernel/exit.c | 2 + > kernel/fork.c | 2 + > kernel/kthread.c | 2 + > kernel/printk/printk.c | 6 + > kernel/profile.c | 1 + > kernel/sched/core.c | 6 + > kernel/softirq.c | 5 + > lib/Kconfig.debug | 5 + > lib/Kconfig.kmsan | 22 + > lib/Makefile | 6 + > lib/iomap.c | 40 ++ > lib/ioremap.c | 5 + > lib/iov_iter.c | 6 + > lib/stackdepot.c | 69 ++- > lib/string.c | 5 +- > lib/test_kmsan.c | 231 ++++++++++ > lib/usercopy.c | 6 +- > mm/Makefile | 1 + > mm/compaction.c | 9 + > mm/gup.c | 3 + > mm/kasan/common.c | 23 - > mm/kmsan/Makefile | 4 + > mm/kmsan/kmsan.c | 563 ++++++++++++++++++++++++ > mm/kmsan/kmsan.h | 146 ++++++ > mm/kmsan/kmsan_entry.c | 118 +++++ > mm/kmsan/kmsan_hooks.c | 422 ++++++++++++++++++ > mm/kmsan/kmsan_init.c | 88 ++++ > mm/kmsan/kmsan_instr.c | 259 +++++++++++ > mm/kmsan/kmsan_report.c | 133 ++++++ > mm/kmsan/kmsan_shadow.c | 543 +++++++++++++++++++++++ > mm/kmsan/kmsan_shadow.h | 30 ++ > mm/memory.c | 2 + > mm/mmu_gather.c | 10 + > mm/page_alloc.c | 16 + > mm/slub.c | 34 +- > mm/vmalloc.c | 23 +- > net/sched/sch_generic.c | 2 + > scripts/Makefile.kmsan | 12 + > scripts/Makefile.lib | 6 + > 96 files changed, 3983 insertions(+), 67 deletions(-) > create mode 100644 Documentation/dev-tools/kmsan.rst > create mode 100644 arch/x86/include/asm/kmsan.h > create mode 100644 include/linux/kmsan-checks.h > create mode 100644 include/linux/kmsan.h > create mode 100644 lib/Kconfig.kmsan > create mode 100644 lib/test_kmsan.c > create mode 100644 mm/kmsan/Makefile > create mode 100644 mm/kmsan/kmsan.c > create mode 100644 mm/kmsan/kmsan.h > create mode 100644 mm/kmsan/kmsan_entry.c > create mode 100644 mm/kmsan/kmsan_hooks.c > create mode 100644 mm/kmsan/kmsan_init.c > create mode 100644 mm/kmsan/kmsan_instr.c > create mode 100644 mm/kmsan/kmsan_report.c > create mode 100644 mm/kmsan/kmsan_shadow.c > create mode 100644 mm/kmsan/kmsan_shadow.h > create mode 100644 scripts/Makefile.kmsan There are currently lots of UACCESS warnings -- should the core runtime functions be added to the whitelist in tools/objtool/check.c? Thanks, -- Marco
On Fri, Nov 29, 2019 at 3:39 PM Marco Elver <elver@google.com> wrote: > > On Fri, 22 Nov 2019 at 12:26, <glider@google.com> wrote: > > > > KernelMemorySanitizer (KMSAN) is a detector of errors related to uses of > > uninitialized memory. It relies on compile-time Clang instrumentation > > (similar to MSan in the userspace: > > https://clang.llvm.org/docs/MemorySanitizer.html) > > and tracks the state of every bit of kernel memory, being able to report > > an error if uninitialized value is used in a condition, dereferenced or > > copied to userspace, USB or network. > > > > KMSAN has reported more than 200 bugs in the past two years, most of > > them with the help of syzkaller (http://syzkaller.appspot.com). > > > > The proposed patchset contains KMSAN runtime implementation together > > with small changes to other subsystems needed to make KMSAN work. > > The latter changes fall into several categories: > > - nice-to-have features that are independent from KMSAN but simplify > > its implementation (stackdepot changes, CONFIG_GENERIC_CSUM etc.); > > - Kconfig changes that prohibit options incompatible with KMSAN; > > - calls to KMSAN runtime functions that help KMSAN do the bookkeeping > > (e.g. tell it to allocate, copy or delete the metadata); > > - calls to KMSAN runtime functions that tell KMSAN to check memory > > escaping the kernel for uninitialized values. These are required to > > increase the number of true positive error reports; > > - calls to runtime functions that tell KMSAN to ignore certain memory > > ranges to avoid false negative reports. Most certainly there can be > > better ways to deal with every such report. > > > > This patchset allows one to boot and run a defconfig+KMSAN kernel on a QEMU > > without known major false positives. It however doesn't guarantee there > > are no false positives in drivers of certain devices or less tested > > subsystems, although KMSAN is actively tested on syzbot with quite a > > rich config. > > > > One may find it handy to review these patches in Gerrit: > > https://linux-review.googlesource.com/c/linux/kernel/git/torvalds/linux/+/1081 > > I've ensured the Change-Id: tags stay away from commit descriptions. > > > > The patchset was generated relative to Linux v5.4-rc5. > > > > I also apologize for not sending every patch in the previous series > > to all recipients of patches from that series. > > > > Note: checkpatch.pl complains a lot about the use of BUG_ON in KMSAN > > source. I don't have a strong opinion on this, but KMSAN is a debugging > > tool, so any runtime invariant violation in it renders the tool useless. > > Therefore it doesn't make much sense to not terminate after a bug in > > KMSAN. > > > > Alexander Potapenko (36): > > stackdepot: check depot_index before accessing the stack slab > > stackdepot: build with -fno-builtin > > kasan: stackdepot: move filter_irq_stacks() to stackdepot.c > > stackdepot: reserve 5 extra bits in depot_stack_handle_t > > kmsan: add ReST documentation > > kmsan: gfp: introduce __GFP_NO_KMSAN_SHADOW > > kmsan: introduce __no_sanitize_memory and __SANITIZE_MEMORY__ > > kmsan: reduce vmalloc space > > kmsan: add KMSAN bits to struct page and struct task_struct > > kmsan: add KMSAN runtime > > kmsan: stackdepot: don't allocate KMSAN metadata for stackdepot > > kmsan: define READ_ONCE_NOCHECK() > > kmsan: make READ_ONCE_TASK_STACK() return initialized values > > kmsan: x86: sync metadata pages on page fault > > kmsan: add tests for KMSAN > > crypto: kmsan: disable accelerated configs under KMSAN > > kmsan: x86: disable UNWINDER_ORC under KMSAN > > kmsan: disable LOCK_DEBUGGING_SUPPORT > > kmsan: x86/asm: add KMSAN hooks to entry_64.S > > kmsan: x86: increase stack sizes in KMSAN builds > > kmsan: disable KMSAN instrumentation for certain kernel parts > > kmsan: mm: call KMSAN hooks from SLUB code > > kmsan: call KMSAN hooks where needed > > kmsan: disable instrumentation of certain functions > > kmsan: unpoison |tlb| in arch_tlb_gather_mmu() > > kmsan: use __msan_memcpy() where possible. > > kmsan: hooks for copy_to_user() and friends > > kmsan: enable KMSAN builds > > kmsan: handle /dev/[u]random > > kmsan: virtio: check/unpoison scatterlist in vring_map_one_sg() > > kmsan: disable strscpy() optimization under KMSAN > > kmsan: add iomap support > > kmsan: dma: unpoison memory mapped by dma_direct_map_page() > > kmsan: disable physical page merging in biovec > > kmsan: ext4: skip block merging logic in ext4_mpage_readpages for > > KMSAN > > net: kasan: kmsan: support CONFIG_GENERIC_CSUM on x86, enable it for > > KASAN/KMSAN > > > > To: Alexander Potapenko <glider@google.com> > > Cc: Alexander Viro <viro@zeniv.linux.org.uk> > > Cc: Andreas Dilger <adilger.kernel@dilger.ca> > > Cc: Andrew Morton <akpm@linux-foundation.org> > > Cc: Andrey Konovalov <andreyknvl@google.com> > > Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> > > Cc: Andy Lutomirski <luto@kernel.org> > > Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> > > Cc: Arnd Bergmann <arnd@arndb.de> > > Cc: Christoph Hellwig <hch@infradead.org> > > Cc: Christoph Hellwig <hch@lst.de> > > Cc: Darrick J. Wong <darrick.wong@oracle.com> > > Cc: "David S. Miller" <davem@davemloft.net> > > Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com> > > Cc: Dmitry Vyukov <dvyukov@google.com> > > Cc: Eric Biggers <ebiggers@google.com> > > Cc: Eric Dumazet <edumazet@google.com> > > Cc: Eric Van Hensbergen <ericvh@gmail.com> > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> > > Cc: Harry Wentland <harry.wentland@amd.com> > > Cc: Herbert Xu <herbert@gondor.apana.org.au> > > Cc: Ilya Leoshkevich <iii@linux.ibm.com> > > Cc: Ingo Molnar <mingo@elte.hu> > > Cc: Jason Wang <jasowang@redhat.com> > > Cc: Jens Axboe <axboe@kernel.dk> > > Cc: Marek Szyprowski <m.szyprowski@samsung.com> > > Cc: Marco Elver <elver@google.com> > > Cc: Mark Rutland <mark.rutland@arm.com> > > Cc: Martin K. Petersen <martin.petersen@oracle.com> > > Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> > > Cc: Matthew Wilcox <willy@infradead.org> > > Cc: "Michael S. Tsirkin" <mst@redhat.com> > > Cc: Michal Simek <monstr@monstr.eu> > > Cc: Petr Mladek <pmladek@suse.com> > > Cc: Qian Cai <cai@lca.pw> > > Cc: Randy Dunlap <rdunlap@infradead.org> > > Cc: Robin Murphy <robin.murphy@arm.com> > > Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> > > Cc: Steven Rostedt <rostedt@goodmis.org> > > Cc: Takashi Iwai <tiwai@suse.com> > > Cc: "Theodore Ts'o" <tytso@mit.edu> > > Cc: Thomas Gleixner <tglx@linutronix.de> > > Cc: Vasily Gorbik <gor@linux.ibm.com> > > Cc: Vegard Nossum <vegard.nossum@oracle.com> > > Cc: Wolfram Sang <wsa@the-dreams.de> > > Cc: linux-mm@kvack.org > > > > Documentation/dev-tools/index.rst | 1 + > > Documentation/dev-tools/kmsan.rst | 418 ++++++++++++++++++ > > Makefile | 3 +- > > arch/x86/Kconfig | 5 + > > arch/x86/Kconfig.debug | 3 + > > arch/x86/boot/Makefile | 2 + > > arch/x86/boot/compressed/Makefile | 2 + > > arch/x86/boot/compressed/misc.h | 1 + > > arch/x86/entry/common.c | 1 + > > arch/x86/entry/entry_64.S | 16 + > > arch/x86/entry/vdso/Makefile | 3 + > > arch/x86/include/asm/checksum.h | 10 +- > > arch/x86/include/asm/irq_regs.h | 1 + > > arch/x86/include/asm/kmsan.h | 117 +++++ > > arch/x86/include/asm/page_64.h | 13 + > > arch/x86/include/asm/page_64_types.h | 12 +- > > arch/x86/include/asm/pgtable_64_types.h | 15 + > > arch/x86/include/asm/string_64.h | 9 +- > > arch/x86/include/asm/syscall_wrapper.h | 1 + > > arch/x86/include/asm/uaccess.h | 12 + > > arch/x86/include/asm/unwind.h | 9 +- > > arch/x86/kernel/Makefile | 4 + > > arch/x86/kernel/apic/apic.c | 1 + > > arch/x86/kernel/cpu/Makefile | 1 + > > arch/x86/kernel/dumpstack_64.c | 1 + > > arch/x86/kernel/process_64.c | 5 + > > arch/x86/kernel/traps.c | 12 +- > > arch/x86/kernel/uprobes.c | 7 +- > > arch/x86/lib/Makefile | 2 + > > arch/x86/mm/Makefile | 2 + > > arch/x86/mm/fault.c | 20 + > > arch/x86/mm/ioremap.c | 3 + > > arch/x86/realmode/rm/Makefile | 2 + > > block/blk.h | 7 + > > crypto/Kconfig | 52 +++ > > drivers/char/random.c | 6 + > > drivers/firmware/efi/libstub/Makefile | 1 + > > drivers/usb/core/urb.c | 2 + > > drivers/virtio/virtio_ring.c | 10 +- > > fs/ext4/readpage.c | 11 + > > include/asm-generic/cacheflush.h | 7 +- > > include/asm-generic/uaccess.h | 12 +- > > include/linux/compiler-clang.h | 8 + > > include/linux/compiler-gcc.h | 5 + > > include/linux/compiler.h | 13 +- > > include/linux/gfp.h | 4 +- > > include/linux/highmem.h | 4 + > > include/linux/kmsan-checks.h | 122 +++++ > > include/linux/kmsan.h | 143 ++++++ > > include/linux/mm_types.h | 9 + > > include/linux/sched.h | 5 + > > include/linux/stackdepot.h | 10 + > > include/linux/string.h | 2 + > > include/linux/uaccess.h | 32 +- > > init/main.c | 3 + > > kernel/Makefile | 1 + > > kernel/dma/direct.c | 1 + > > kernel/exit.c | 2 + > > kernel/fork.c | 2 + > > kernel/kthread.c | 2 + > > kernel/printk/printk.c | 6 + > > kernel/profile.c | 1 + > > kernel/sched/core.c | 6 + > > kernel/softirq.c | 5 + > > lib/Kconfig.debug | 5 + > > lib/Kconfig.kmsan | 22 + > > lib/Makefile | 6 + > > lib/iomap.c | 40 ++ > > lib/ioremap.c | 5 + > > lib/iov_iter.c | 6 + > > lib/stackdepot.c | 69 ++- > > lib/string.c | 5 +- > > lib/test_kmsan.c | 231 ++++++++++ > > lib/usercopy.c | 6 +- > > mm/Makefile | 1 + > > mm/compaction.c | 9 + > > mm/gup.c | 3 + > > mm/kasan/common.c | 23 - > > mm/kmsan/Makefile | 4 + > > mm/kmsan/kmsan.c | 563 ++++++++++++++++++++++++ > > mm/kmsan/kmsan.h | 146 ++++++ > > mm/kmsan/kmsan_entry.c | 118 +++++ > > mm/kmsan/kmsan_hooks.c | 422 ++++++++++++++++++ > > mm/kmsan/kmsan_init.c | 88 ++++ > > mm/kmsan/kmsan_instr.c | 259 +++++++++++ > > mm/kmsan/kmsan_report.c | 133 ++++++ > > mm/kmsan/kmsan_shadow.c | 543 +++++++++++++++++++++++ > > mm/kmsan/kmsan_shadow.h | 30 ++ > > mm/memory.c | 2 + > > mm/mmu_gather.c | 10 + > > mm/page_alloc.c | 16 + > > mm/slub.c | 34 +- > > mm/vmalloc.c | 23 +- > > net/sched/sch_generic.c | 2 + > > scripts/Makefile.kmsan | 12 + > > scripts/Makefile.lib | 6 + > > 96 files changed, 3983 insertions(+), 67 deletions(-) > > create mode 100644 Documentation/dev-tools/kmsan.rst > > create mode 100644 arch/x86/include/asm/kmsan.h > > create mode 100644 include/linux/kmsan-checks.h > > create mode 100644 include/linux/kmsan.h > > create mode 100644 lib/Kconfig.kmsan > > create mode 100644 lib/test_kmsan.c > > create mode 100644 mm/kmsan/Makefile > > create mode 100644 mm/kmsan/kmsan.c > > create mode 100644 mm/kmsan/kmsan.h > > create mode 100644 mm/kmsan/kmsan_entry.c > > create mode 100644 mm/kmsan/kmsan_hooks.c > > create mode 100644 mm/kmsan/kmsan_init.c > > create mode 100644 mm/kmsan/kmsan_instr.c > > create mode 100644 mm/kmsan/kmsan_report.c > > create mode 100644 mm/kmsan/kmsan_shadow.c > > create mode 100644 mm/kmsan/kmsan_shadow.h > > create mode 100644 scripts/Makefile.kmsan > > There are currently lots of UACCESS warnings -- should the core > runtime functions be added to the whitelist in tools/objtool/check.c? I've tried to do this properly, but failed. What I consider to be an intuitive solution is to add KMSAN interface functions (e.g. __msan_metadata_ptr_for_load_X) to the whitelist in tools/objtool/check.c. None of these functions is expected to touch userspace memory, but they can be called in the uaccess context, as the compiler adds them to every memory access. Turns out however it's not enough to whitelist those functions, as they are viral: after whitelisting them I get warnings about their callees. The list of functions called by e.g. kmsan_get_shadow_origin_ptr() include __warn_printk() and other non-KMSAN stuff, so I have to call user_access_save()/user_access_restore() to keep those warnings from spreading. But this slows the whole runtime down by ~50% for no reason. > Thanks, > -- Marco
KernelMemorySanitizer (KMSAN) is a detector of errors related to uses of uninitialized memory. It relies on compile-time Clang instrumentation (similar to MSan in the userspace: https://clang.llvm.org/docs/MemorySanitizer.html) and tracks the state of every bit of kernel memory, being able to report an error if uninitialized value is used in a condition, dereferenced or copied to userspace, USB or network. KMSAN has reported more than 200 bugs in the past two years, most of them with the help of syzkaller (http://syzkaller.appspot.com). The proposed patchset contains KMSAN runtime implementation together with small changes to other subsystems needed to make KMSAN work. The latter changes fall into several categories: - nice-to-have features that are independent from KMSAN but simplify its implementation (stackdepot changes, CONFIG_GENERIC_CSUM etc.); - Kconfig changes that prohibit options incompatible with KMSAN; - calls to KMSAN runtime functions that help KMSAN do the bookkeeping (e.g. tell it to allocate, copy or delete the metadata); - calls to KMSAN runtime functions that tell KMSAN to check memory escaping the kernel for uninitialized values. These are required to increase the number of true positive error reports; - calls to runtime functions that tell KMSAN to ignore certain memory ranges to avoid false negative reports. Most certainly there can be better ways to deal with every such report. This patchset allows one to boot and run a defconfig+KMSAN kernel on a QEMU without known major false positives. It however doesn't guarantee there are no false positives in drivers of certain devices or less tested subsystems, although KMSAN is actively tested on syzbot with quite a rich config. One may find it handy to review these patches in Gerrit: https://linux-review.googlesource.com/c/linux/kernel/git/torvalds/linux/+/1081 I've ensured the Change-Id: tags stay away from commit descriptions. The patchset was generated relative to Linux v5.4-rc5. I also apologize for not sending every patch in the previous series to all recipients of patches from that series. Note: checkpatch.pl complains a lot about the use of BUG_ON in KMSAN source. I don't have a strong opinion on this, but KMSAN is a debugging tool, so any runtime invariant violation in it renders the tool useless. Therefore it doesn't make much sense to not terminate after a bug in KMSAN. Alexander Potapenko (36): stackdepot: check depot_index before accessing the stack slab stackdepot: build with -fno-builtin kasan: stackdepot: move filter_irq_stacks() to stackdepot.c stackdepot: reserve 5 extra bits in depot_stack_handle_t kmsan: add ReST documentation kmsan: gfp: introduce __GFP_NO_KMSAN_SHADOW kmsan: introduce __no_sanitize_memory and __SANITIZE_MEMORY__ kmsan: reduce vmalloc space kmsan: add KMSAN bits to struct page and struct task_struct kmsan: add KMSAN runtime kmsan: stackdepot: don't allocate KMSAN metadata for stackdepot kmsan: define READ_ONCE_NOCHECK() kmsan: make READ_ONCE_TASK_STACK() return initialized values kmsan: x86: sync metadata pages on page fault kmsan: add tests for KMSAN crypto: kmsan: disable accelerated configs under KMSAN kmsan: x86: disable UNWINDER_ORC under KMSAN kmsan: disable LOCK_DEBUGGING_SUPPORT kmsan: x86/asm: add KMSAN hooks to entry_64.S kmsan: x86: increase stack sizes in KMSAN builds kmsan: disable KMSAN instrumentation for certain kernel parts kmsan: mm: call KMSAN hooks from SLUB code kmsan: call KMSAN hooks where needed kmsan: disable instrumentation of certain functions kmsan: unpoison |tlb| in arch_tlb_gather_mmu() kmsan: use __msan_memcpy() where possible. kmsan: hooks for copy_to_user() and friends kmsan: enable KMSAN builds kmsan: handle /dev/[u]random kmsan: virtio: check/unpoison scatterlist in vring_map_one_sg() kmsan: disable strscpy() optimization under KMSAN kmsan: add iomap support kmsan: dma: unpoison memory mapped by dma_direct_map_page() kmsan: disable physical page merging in biovec kmsan: ext4: skip block merging logic in ext4_mpage_readpages for KMSAN net: kasan: kmsan: support CONFIG_GENERIC_CSUM on x86, enable it for KASAN/KMSAN To: Alexander Potapenko <glider@google.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Andreas Dilger <adilger.kernel@dilger.ca> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Andrey Konovalov <andreyknvl@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Christoph Hellwig <hch@infradead.org> Cc: Christoph Hellwig <hch@lst.de> Cc: Darrick J. Wong <darrick.wong@oracle.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Eric Biggers <ebiggers@google.com> Cc: Eric Dumazet <edumazet@google.com> Cc: Eric Van Hensbergen <ericvh@gmail.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Harry Wentland <harry.wentland@amd.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Ilya Leoshkevich <iii@linux.ibm.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: Jason Wang <jasowang@redhat.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: Marek Szyprowski <m.szyprowski@samsung.com> Cc: Marco Elver <elver@google.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Martin K. Petersen <martin.petersen@oracle.com> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Matthew Wilcox <willy@infradead.org> Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Michal Simek <monstr@monstr.eu> Cc: Petr Mladek <pmladek@suse.com> Cc: Qian Cai <cai@lca.pw> Cc: Randy Dunlap <rdunlap@infradead.org> Cc: Robin Murphy <robin.murphy@arm.com> Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Takashi Iwai <tiwai@suse.com> Cc: "Theodore Ts'o" <tytso@mit.edu> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vasily Gorbik <gor@linux.ibm.com> Cc: Vegard Nossum <vegard.nossum@oracle.com> Cc: Wolfram Sang <wsa@the-dreams.de> Cc: linux-mm@kvack.org Documentation/dev-tools/index.rst | 1 + Documentation/dev-tools/kmsan.rst | 418 ++++++++++++++++++ Makefile | 3 +- arch/x86/Kconfig | 5 + arch/x86/Kconfig.debug | 3 + arch/x86/boot/Makefile | 2 + arch/x86/boot/compressed/Makefile | 2 + arch/x86/boot/compressed/misc.h | 1 + arch/x86/entry/common.c | 1 + arch/x86/entry/entry_64.S | 16 + arch/x86/entry/vdso/Makefile | 3 + arch/x86/include/asm/checksum.h | 10 +- arch/x86/include/asm/irq_regs.h | 1 + arch/x86/include/asm/kmsan.h | 117 +++++ arch/x86/include/asm/page_64.h | 13 + arch/x86/include/asm/page_64_types.h | 12 +- arch/x86/include/asm/pgtable_64_types.h | 15 + arch/x86/include/asm/string_64.h | 9 +- arch/x86/include/asm/syscall_wrapper.h | 1 + arch/x86/include/asm/uaccess.h | 12 + arch/x86/include/asm/unwind.h | 9 +- arch/x86/kernel/Makefile | 4 + arch/x86/kernel/apic/apic.c | 1 + arch/x86/kernel/cpu/Makefile | 1 + arch/x86/kernel/dumpstack_64.c | 1 + arch/x86/kernel/process_64.c | 5 + arch/x86/kernel/traps.c | 12 +- arch/x86/kernel/uprobes.c | 7 +- arch/x86/lib/Makefile | 2 + arch/x86/mm/Makefile | 2 + arch/x86/mm/fault.c | 20 + arch/x86/mm/ioremap.c | 3 + arch/x86/realmode/rm/Makefile | 2 + block/blk.h | 7 + crypto/Kconfig | 52 +++ drivers/char/random.c | 6 + drivers/firmware/efi/libstub/Makefile | 1 + drivers/usb/core/urb.c | 2 + drivers/virtio/virtio_ring.c | 10 +- fs/ext4/readpage.c | 11 + include/asm-generic/cacheflush.h | 7 +- include/asm-generic/uaccess.h | 12 +- include/linux/compiler-clang.h | 8 + include/linux/compiler-gcc.h | 5 + include/linux/compiler.h | 13 +- include/linux/gfp.h | 4 +- include/linux/highmem.h | 4 + include/linux/kmsan-checks.h | 122 +++++ include/linux/kmsan.h | 143 ++++++ include/linux/mm_types.h | 9 + include/linux/sched.h | 5 + include/linux/stackdepot.h | 10 + include/linux/string.h | 2 + include/linux/uaccess.h | 32 +- init/main.c | 3 + kernel/Makefile | 1 + kernel/dma/direct.c | 1 + kernel/exit.c | 2 + kernel/fork.c | 2 + kernel/kthread.c | 2 + kernel/printk/printk.c | 6 + kernel/profile.c | 1 + kernel/sched/core.c | 6 + kernel/softirq.c | 5 + lib/Kconfig.debug | 5 + lib/Kconfig.kmsan | 22 + lib/Makefile | 6 + lib/iomap.c | 40 ++ lib/ioremap.c | 5 + lib/iov_iter.c | 6 + lib/stackdepot.c | 69 ++- lib/string.c | 5 +- lib/test_kmsan.c | 231 ++++++++++ lib/usercopy.c | 6 +- mm/Makefile | 1 + mm/compaction.c | 9 + mm/gup.c | 3 + mm/kasan/common.c | 23 - mm/kmsan/Makefile | 4 + mm/kmsan/kmsan.c | 563 ++++++++++++++++++++++++ mm/kmsan/kmsan.h | 146 ++++++ mm/kmsan/kmsan_entry.c | 118 +++++ mm/kmsan/kmsan_hooks.c | 422 ++++++++++++++++++ mm/kmsan/kmsan_init.c | 88 ++++ mm/kmsan/kmsan_instr.c | 259 +++++++++++ mm/kmsan/kmsan_report.c | 133 ++++++ mm/kmsan/kmsan_shadow.c | 543 +++++++++++++++++++++++ mm/kmsan/kmsan_shadow.h | 30 ++ mm/memory.c | 2 + mm/mmu_gather.c | 10 + mm/page_alloc.c | 16 + mm/slub.c | 34 +- mm/vmalloc.c | 23 +- net/sched/sch_generic.c | 2 + scripts/Makefile.kmsan | 12 + scripts/Makefile.lib | 6 + 96 files changed, 3983 insertions(+), 67 deletions(-) create mode 100644 Documentation/dev-tools/kmsan.rst create mode 100644 arch/x86/include/asm/kmsan.h create mode 100644 include/linux/kmsan-checks.h create mode 100644 include/linux/kmsan.h create mode 100644 lib/Kconfig.kmsan create mode 100644 lib/test_kmsan.c create mode 100644 mm/kmsan/Makefile create mode 100644 mm/kmsan/kmsan.c create mode 100644 mm/kmsan/kmsan.h create mode 100644 mm/kmsan/kmsan_entry.c create mode 100644 mm/kmsan/kmsan_hooks.c create mode 100644 mm/kmsan/kmsan_init.c create mode 100644 mm/kmsan/kmsan_instr.c create mode 100644 mm/kmsan/kmsan_report.c create mode 100644 mm/kmsan/kmsan_shadow.c create mode 100644 mm/kmsan/kmsan_shadow.h create mode 100644 scripts/Makefile.kmsan