[RFC,v3,07/36] kmsan: introduce __no_sanitize_memory and __SANITIZE_MEMORY__

Message ID 20191122112621.204798-8-glider@google.com (mailing list archive)
State New, archived
Series Add KernelMemorySanitizer infrastructure

Commit Message

Alexander Potapenko Nov. 22, 2019, 11:25 a.m. UTC
__no_sanitize_memory is a function attribute that makes KMSAN
ignore the uninitialized values coming from the function's
inputs, and initialize the function's outputs.

Functions marked with this attribute can't be inlined into functions
not marked with it, and vice versa.

__SANITIZE_MEMORY__ is a macro that's defined iff the file is
instrumented with KMSAN. This is not the same as CONFIG_KMSAN, which is
defined for every file.

Signed-off-by: Alexander Potapenko <glider@google.com>
To: Alexander Potapenko <glider@google.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: linux-mm@kvack.org

---

Change-Id: I1f1672652c8392f15f7ca8ac26cd4e71f9cc1e4b
---
 include/linux/compiler-clang.h | 8 ++++++++
 include/linux/compiler-gcc.h   | 5 +++++
 2 files changed, 13 insertions(+)

Comments

Marco Elver Nov. 28, 2019, 1:13 p.m. UTC | #1
On Fri, 22 Nov 2019 at 12:26, <glider@google.com> wrote:
>
> __no_sanitize_memory is a function attribute that makes KMSAN
> ignore the uninitialized values coming from the function's
> inputs, and initialize the function's outputs.
>
> Functions marked with this attribute can't be inlined into functions
> not marked with it, and vice versa.
>
> __SANITIZE_MEMORY__ is a macro that's defined iff the file is
> instrumented with KMSAN. This is not the same as CONFIG_KMSAN, which is
> defined for every file.
>
> Signed-off-by: Alexander Potapenko <glider@google.com>
> To: Alexander Potapenko <glider@google.com>
> Cc: Vegard Nossum <vegard.nossum@oracle.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Cc: linux-mm@kvack.org

Acked-by: Marco Elver <elver@google.com>

> ---
>
> Change-Id: I1f1672652c8392f15f7ca8ac26cd4e71f9cc1e4b
> ---
>  include/linux/compiler-clang.h | 8 ++++++++
>  include/linux/compiler-gcc.h   | 5 +++++
>  2 files changed, 13 insertions(+)
>
> diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
> index 333a6695a918..edba13a069a6 100644
> --- a/include/linux/compiler-clang.h
> +++ b/include/linux/compiler-clang.h
> @@ -24,6 +24,14 @@
>  #define __no_sanitize_address
>  #endif
>
> +/* KMSAN is a Clang-only tool, thus putting the defines here */

The comment is a bit confusing, because compiler-gcc.h also has a
define. I assume that if GCC ever supports KMSAN, the definition here
wouldn't change?

> +#if __has_feature(memory_sanitizer)
> +# define __SANITIZE_MEMORY__
> +# define __no_sanitize_memory __attribute__((no_sanitize("kernel-memory")))
> +#else
> +# define __no_sanitize_memory
> +#endif
> +
>  /*
>   * Not all versions of clang implement the the type-generic versions
>   * of the builtin overflow checkers. Fortunately, clang implements
> diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
> index d7ee4c6bad48..e5ebc788dde4 100644
> --- a/include/linux/compiler-gcc.h
> +++ b/include/linux/compiler-gcc.h
> @@ -145,6 +145,11 @@
>  #define __no_sanitize_address
>  #endif
>
> +/*
> + * GCC doesn't support KMSAN.
> + */
> +#define __no_sanitize_memory
> +
>  #if GCC_VERSION >= 50100
>  #define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
>  #endif
> --
> 2.24.0.432.g9d3f5f5b63-goog
>
Andrey Konovalov Nov. 29, 2019, 4:09 p.m. UTC | #2
On Fri, Nov 22, 2019 at 12:26 PM <glider@google.com> wrote:
>
> __no_sanitize_memory is a function attribute that makes KMSAN
> ignore the uninitialized values coming from the function's
> inputs, and initialize the function's outputs.
>
> Functions marked with this attribute can't be inlined into functions
> not marked with it, and vice versa.
>
> __SANITIZE_MEMORY__ is a macro that's defined iff the file is
> instrumented with KMSAN. This is not the same as CONFIG_KMSAN, which is
> defined for every file.
>
> Signed-off-by: Alexander Potapenko <glider@google.com>
> To: Alexander Potapenko <glider@google.com>
> Cc: Vegard Nossum <vegard.nossum@oracle.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Cc: linux-mm@kvack.org
>
> ---
>
> Change-Id: I1f1672652c8392f15f7ca8ac26cd4e71f9cc1e4b
> ---
>  include/linux/compiler-clang.h | 8 ++++++++
>  include/linux/compiler-gcc.h   | 5 +++++
>  2 files changed, 13 insertions(+)
>
> diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
> index 333a6695a918..edba13a069a6 100644
> --- a/include/linux/compiler-clang.h
> +++ b/include/linux/compiler-clang.h
> @@ -24,6 +24,14 @@
>  #define __no_sanitize_address
>  #endif
>
> +/* KMSAN is a Clang-only tool, thus putting the defines here */

I'm not sure if this comment is useful here.

> +#if __has_feature(memory_sanitizer)
> +# define __SANITIZE_MEMORY__
> +# define __no_sanitize_memory __attribute__((no_sanitize("kernel-memory")))
> +#else
> +# define __no_sanitize_memory
> +#endif
> +
>  /*
>   * Not all versions of clang implement the the type-generic versions
>   * of the builtin overflow checkers. Fortunately, clang implements
> diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
> index d7ee4c6bad48..e5ebc788dde4 100644
> --- a/include/linux/compiler-gcc.h
> +++ b/include/linux/compiler-gcc.h
> @@ -145,6 +145,11 @@
>  #define __no_sanitize_address
>  #endif
>
> +/*
> + * GCC doesn't support KMSAN.
> + */
> +#define __no_sanitize_memory
> +
>  #if GCC_VERSION >= 50100
>  #define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
>  #endif
> --
> 2.24.0.432.g9d3f5f5b63-goog
>
Alexander Potapenko Dec. 16, 2019, 11:35 a.m. UTC | #3
On Fri, Nov 29, 2019 at 5:09 PM Andrey Konovalov <andreyknvl@google.com> wrote:
>
> On Fri, Nov 22, 2019 at 12:26 PM <glider@google.com> wrote:
> >
> > __no_sanitize_memory is a function attribute that makes KMSAN
> > ignore the uninitialized values coming from the function's
> > inputs, and initialize the function's outputs.
> >
> > Functions marked with this attribute can't be inlined into functions
> > not marked with it, and vice versa.
> >
> > __SANITIZE_MEMORY__ is a macro that's defined iff the file is
> > instrumented with KMSAN. This is not the same as CONFIG_KMSAN, which is
> > defined for every file.
> >
> > Signed-off-by: Alexander Potapenko <glider@google.com>
> > To: Alexander Potapenko <glider@google.com>
> > Cc: Vegard Nossum <vegard.nossum@oracle.com>
> > Cc: Dmitry Vyukov <dvyukov@google.com>
> > Cc: linux-mm@kvack.org
> >
> > ---
> >
> > Change-Id: I1f1672652c8392f15f7ca8ac26cd4e71f9cc1e4b
> > ---
> >  include/linux/compiler-clang.h | 8 ++++++++
> >  include/linux/compiler-gcc.h   | 5 +++++
> >  2 files changed, 13 insertions(+)
> >
> > diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
> > index 333a6695a918..edba13a069a6 100644
> > --- a/include/linux/compiler-clang.h
> > +++ b/include/linux/compiler-clang.h
> > @@ -24,6 +24,14 @@
> >  #define __no_sanitize_address
> >  #endif
> >
> > +/* KMSAN is a Clang-only tool, thus putting the defines here */
>
> I'm not sure if this comment is useful here.

Dropped the comment in v4.

Patch

diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index 333a6695a918..edba13a069a6 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -24,6 +24,14 @@ 
 #define __no_sanitize_address
 #endif
 
+/* KMSAN is a Clang-only tool, thus putting the defines here */
+#if __has_feature(memory_sanitizer)
+# define __SANITIZE_MEMORY__
+# define __no_sanitize_memory __attribute__((no_sanitize("kernel-memory")))
+#else
+# define __no_sanitize_memory
+#endif
+
 /*
  * Not all versions of clang implement the the type-generic versions
  * of the builtin overflow checkers. Fortunately, clang implements
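
Review bot: The comment on the first added line explains where the defines live rather than what they mean, and the block leaves two things undocumented: the test is `__has_feature(memory_sanitizer)` while the attribute names `"kernel-memory"`, and `__SANITIZE_MEMORY__` is a per-file marker that, per the commit message, is not the same as CONFIG_KMSAN. Suggest replacing the comment with one that states both and mentions the inlining restriction on `__no_sanitize_memory` functions. Because `__SANITIZE_MEMORY__` is a compiler-reserved style of name, wrapping its define in `#ifndef __SANITIZE_MEMORY__` would also avoid a redefinition warning if a compiler ever predefines it with a value.
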
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index d7ee4c6bad48..e5ebc788dde4 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -145,6 +145,11 @@ 
 #define __no_sanitize_address
 #endif
 
+/*
+ * GCC doesn't support KMSAN.
+ */
+#define __no_sanitize_memory
+
 #if GCC_VERSION >= 50100
 #define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
 #endif
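
Review bot: The comment in the added lines says GCC lacks KMSAN but not why the macro is still defined; it should say that `__no_sanitize_memory` expands to nothing here so that annotated functions build unchanged with GCC. It also sits oddly next to the compiler-clang.h comment, which says the defines are placed there because KMSAN is Clang-only, so one of the two comments should be reworded. A one-line comment would match the style used in the other hunk.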