diff mbox series

[V4,4/8] riscv: traps: Add noinstr to prevent instrumentation inserted

Message ID 20220908022506.1275799-5-guoren@kernel.org (mailing list archive)
State New, archived
Headers show
Series riscv: Add GENERIC_ENTRY, irq stack support | expand

Commit Message

Guo Ren Sept. 8, 2022, 2:25 a.m. UTC 
From: Guo Ren <guoren@linux.alibaba.com>

Without noinstr the compiler is free to insert instrumentation (think
all the k*SAN, KCov, GCov, ftrace etc..) which can call code we're not
yet ready to run this early in the entry path, for instance it could
rely on RCU which isn't on yet, or expect lockdep state. (by peterz)

Link: https://lore.kernel.org/linux-riscv/YxcQ6NoPf3AH0EXe@hirez.programming.kicks-ass.net/raw
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
Signed-off-by: Guo Ren <guoren@kernel.org>
---
 arch/riscv/kernel/traps.c | 8 ++++----
 arch/riscv/mm/fault.c     | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

Comments

Peter Zijlstra Sept. 8, 2022, 7:33 a.m. UTC | #1 
On Wed, Sep 07, 2022 at 10:25:02PM -0400, guoren@kernel.org wrote:
> From: Guo Ren <guoren@linux.alibaba.com>
> 
> Without noinstr the compiler is free to insert instrumentation (think
> all the k*SAN, KCov, GCov, ftrace etc..) which can call code we're not
> yet ready to run this early in the entry path, for instance it could
> rely on RCU which isn't on yet, or expect lockdep state. (by peterz)
> 
> Link: https://lore.kernel.org/linux-riscv/YxcQ6NoPf3AH0EXe@hirez.programming.kicks-ass.net/raw
> Suggested-by: Peter Zijlstra <peterz@infradead.org>
> Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
> Signed-off-by: Guo Ren <guoren@kernel.org>
> ---
>  arch/riscv/kernel/traps.c | 8 ++++----
>  arch/riscv/mm/fault.c     | 2 +-
>  2 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> index 635e6ec26938..3ed3dbec250d 100644
> --- a/arch/riscv/kernel/traps.c
> +++ b/arch/riscv/kernel/traps.c
> @@ -97,7 +97,7 @@ static void do_trap_error(struct pt_regs *regs, int signo, int code,
>  #define __trap_section
>  #endif
>  #define DO_ERROR_INFO(name, signo, code, str)				\
> -asmlinkage __visible __trap_section void name(struct pt_regs *regs)	\
> +asmlinkage __visible __trap_section void noinstr name(struct pt_regs *regs)	\

But now you have __trap_section and noinstr both adding a section
attribute.
Guo Ren Sept. 10, 2022, 9:17 a.m. UTC | #2 
On Thu, Sep 8, 2022 at 3:34 PM Peter Zijlstra <peterz@infradead.org> wrote:
>
> On Wed, Sep 07, 2022 at 10:25:02PM -0400, guoren@kernel.org wrote:
> > From: Guo Ren <guoren@linux.alibaba.com>
> >
> > Without noinstr the compiler is free to insert instrumentation (think
> > all the k*SAN, KCov, GCov, ftrace etc..) which can call code we're not
> > yet ready to run this early in the entry path, for instance it could
> > rely on RCU which isn't on yet, or expect lockdep state. (by peterz)
> >
> > Link: https://lore.kernel.org/linux-riscv/YxcQ6NoPf3AH0EXe@hirez.programming.kicks-ass.net/raw
> > Suggested-by: Peter Zijlstra <peterz@infradead.org>
> > Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
> > Signed-off-by: Guo Ren <guoren@kernel.org>
> > ---
> >  arch/riscv/kernel/traps.c | 8 ++++----
> >  arch/riscv/mm/fault.c     | 2 +-
> >  2 files changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> > index 635e6ec26938..3ed3dbec250d 100644
> > --- a/arch/riscv/kernel/traps.c
> > +++ b/arch/riscv/kernel/traps.c
> > @@ -97,7 +97,7 @@ static void do_trap_error(struct pt_regs *regs, int signo, int code,
> >  #define __trap_section
> >  #endif
> >  #define DO_ERROR_INFO(name, signo, code, str)                                \
> > -asmlinkage __visible __trap_section void name(struct pt_regs *regs)  \
> > +asmlinkage __visible __trap_section void noinstr name(struct pt_regs *regs)  \
>
> But now you have __trap_section and noinstr both adding a section
> attribute.

Oops, thx for correcting. Here is my solution.

diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
index 635e6ec26938..eba744caa711 100644
--- a/arch/riscv/kernel/traps.c
+++ b/arch/riscv/kernel/traps.c
@@ -92,9 +92,11 @@ static void do_trap_error(struct pt_regs *regs, int
signo, int code,
 }

 #if defined(CONFIG_XIP_KERNEL) && defined(CONFIG_RISCV_ALTERNATIVE)
-#define __trap_section         __section(".xip.traps")
+#define __trap_section                                                 \
+       noinline notrace __attribute((__section__(".xip.traps")))       \
+       __no_kcsan __no_sanitize_address __no_profile __no_sanitize_coverage
 #else
-#define __trap_section
+#define __trap_section noinstr
 #endif
Guo Ren Sept. 10, 2022, 12:46 p.m. UTC | #3 
On Sat, Sep 10, 2022 at 5:17 PM Guo Ren <guoren@kernel.org> wrote:
>
> On Thu, Sep 8, 2022 at 3:34 PM Peter Zijlstra <peterz@infradead.org> wrote:
> >
> > On Wed, Sep 07, 2022 at 10:25:02PM -0400, guoren@kernel.org wrote:
> > > From: Guo Ren <guoren@linux.alibaba.com>
> > >
> > > Without noinstr the compiler is free to insert instrumentation (think
> > > all the k*SAN, KCov, GCov, ftrace etc..) which can call code we're not
> > > yet ready to run this early in the entry path, for instance it could
> > > rely on RCU which isn't on yet, or expect lockdep state. (by peterz)
> > >
> > > Link: https://lore.kernel.org/linux-riscv/YxcQ6NoPf3AH0EXe@hirez.programming.kicks-ass.net/raw
> > > Suggested-by: Peter Zijlstra <peterz@infradead.org>
> > > Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
> > > Signed-off-by: Guo Ren <guoren@kernel.org>
> > > ---
> > >  arch/riscv/kernel/traps.c | 8 ++++----
> > >  arch/riscv/mm/fault.c     | 2 +-
> > >  2 files changed, 5 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> > > index 635e6ec26938..3ed3dbec250d 100644
> > > --- a/arch/riscv/kernel/traps.c
> > > +++ b/arch/riscv/kernel/traps.c
> > > @@ -97,7 +97,7 @@ static void do_trap_error(struct pt_regs *regs, int signo, int code,
> > >  #define __trap_section
> > >  #endif
> > >  #define DO_ERROR_INFO(name, signo, code, str)                                \
> > > -asmlinkage __visible __trap_section void name(struct pt_regs *regs)  \
> > > +asmlinkage __visible __trap_section void noinstr name(struct pt_regs *regs)  \
> >
> > But now you have __trap_section and noinstr both adding a section
> > attribute.
>
> Oops, thx for correcting. Here is my solution.
>
> diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> index 635e6ec26938..eba744caa711 100644
> --- a/arch/riscv/kernel/traps.c
> +++ b/arch/riscv/kernel/traps.c
> @@ -92,9 +92,11 @@ static void do_trap_error(struct pt_regs *regs, int
> signo, int code,
>  }
>
>  #if defined(CONFIG_XIP_KERNEL) && defined(CONFIG_RISCV_ALTERNATIVE)
> -#define __trap_section         __section(".xip.traps")
> +#define __trap_section                                                 \
> +       noinline notrace __attribute((__section__(".xip.traps")))       \
> +       __no_kcsan __no_sanitize_address __no_profile __no_sanitize_coverage
How about let __section(".xip.traps") replace the __section__(".noinstr.text")?
+#define __trap_section noinstr __attribute(__section(".xip.traps"))

>  #else
> -#define __trap_section
> +#define __trap_section noinstr
>  #endif
>
>
> --
> Best Regards
>  Guo Ren
Peter Zijlstra Sept. 11, 2022, 3:09 p.m. UTC | #4 
On Sat, Sep 10, 2022 at 05:17:44PM +0800, Guo Ren wrote:

> > > -asmlinkage __visible __trap_section void name(struct pt_regs *regs)  \
> > > +asmlinkage __visible __trap_section void noinstr name(struct pt_regs *regs)  \
> >
> > But now you have __trap_section and noinstr both adding a section
> > attribute.
> 
> Oops, thx for correcting. Here is my solution.
> 
> diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> index 635e6ec26938..eba744caa711 100644
> --- a/arch/riscv/kernel/traps.c
> +++ b/arch/riscv/kernel/traps.c
> @@ -92,9 +92,11 @@ static void do_trap_error(struct pt_regs *regs, int
> signo, int code,
>  }
> 
>  #if defined(CONFIG_XIP_KERNEL) && defined(CONFIG_RISCV_ALTERNATIVE)
> -#define __trap_section         __section(".xip.traps")
> +#define __trap_section                                                 \
> +       noinline notrace __attribute((__section__(".xip.traps")))       \
> +       __no_kcsan __no_sanitize_address __no_profile __no_sanitize_coverage
>  #else
> -#define __trap_section
> +#define __trap_section noinstr
>  #endif

This is almost guaranteed to get out of sync when the compiler guys add
yet another sanitizier. Please consider picking up this patch:

  https://lore.kernel.org/all/20211110115736.3776-7-jiangshanlai@gmail.com/

and using __noinstr_section(".xip.traps")
Guo Ren Sept. 11, 2022, 4:20 p.m. UTC | #5 
On Sun, Sep 11, 2022 at 11:09 PM Peter Zijlstra <peterz@infradead.org> wrote:
>
> On Sat, Sep 10, 2022 at 05:17:44PM +0800, Guo Ren wrote:
>
> > > > -asmlinkage __visible __trap_section void name(struct pt_regs *regs)  \
> > > > +asmlinkage __visible __trap_section void noinstr name(struct pt_regs *regs)  \
> > >
> > > But now you have __trap_section and noinstr both adding a section
> > > attribute.
> >
> > Oops, thx for correcting. Here is my solution.
> >
> > diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> > index 635e6ec26938..eba744caa711 100644
> > --- a/arch/riscv/kernel/traps.c
> > +++ b/arch/riscv/kernel/traps.c
> > @@ -92,9 +92,11 @@ static void do_trap_error(struct pt_regs *regs, int
> > signo, int code,
> >  }
> >
> >  #if defined(CONFIG_XIP_KERNEL) && defined(CONFIG_RISCV_ALTERNATIVE)
> > -#define __trap_section         __section(".xip.traps")
> > +#define __trap_section                                                 \
> > +       noinline notrace __attribute((__section__(".xip.traps")))       \
> > +       __no_kcsan __no_sanitize_address __no_profile __no_sanitize_coverage
> >  #else
> > -#define __trap_section
> > +#define __trap_section noinstr
> >  #endif
>
> This is almost guaranteed to get out of sync when the compiler guys add
> yet another sanitizier. Please consider picking up this patch:
>
>   https://lore.kernel.org/all/20211110115736.3776-7-jiangshanlai@gmail.com/
Thx, that is what I want.

>
> and using __noinstr_section(".xip.traps")
diff mbox series

Patch

diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
index 635e6ec26938..3ed3dbec250d 100644
--- a/arch/riscv/kernel/traps.c
+++ b/arch/riscv/kernel/traps.c
@@ -97,7 +97,7 @@  static void do_trap_error(struct pt_regs *regs, int signo, int code,
 #define __trap_section
 #endif
 #define DO_ERROR_INFO(name, signo, code, str)				\
-asmlinkage __visible __trap_section void name(struct pt_regs *regs)	\
+asmlinkage __visible __trap_section void noinstr name(struct pt_regs *regs)	\
 {									\
 	do_trap_error(regs, signo, code, regs->epc, "Oops - " str);	\
 }
@@ -121,7 +121,7 @@  DO_ERROR_INFO(do_trap_store_misaligned,
 int handle_misaligned_load(struct pt_regs *regs);
 int handle_misaligned_store(struct pt_regs *regs);
 
-asmlinkage void __trap_section do_trap_load_misaligned(struct pt_regs *regs)
+asmlinkage __trap_section void noinstr do_trap_load_misaligned(struct pt_regs *regs)
 {
 	if (!handle_misaligned_load(regs))
 		return;
@@ -129,7 +129,7 @@  asmlinkage void __trap_section do_trap_load_misaligned(struct pt_regs *regs)
 		      "Oops - load address misaligned");
 }
 
-asmlinkage void __trap_section do_trap_store_misaligned(struct pt_regs *regs)
+asmlinkage __trap_section void noinstr do_trap_store_misaligned(struct pt_regs *regs)
 {
 	if (!handle_misaligned_store(regs))
 		return;
@@ -156,7 +156,7 @@  static inline unsigned long get_break_insn_length(unsigned long pc)
 	return GET_INSN_LENGTH(insn);
 }
 
-asmlinkage __visible __trap_section void do_trap_break(struct pt_regs *regs)
+asmlinkage __visible __trap_section void noinstr do_trap_break(struct pt_regs *regs)
 {
 #ifdef CONFIG_KPROBES
 	if (kprobe_single_step_handler(regs))
diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
index f2fbd1400b7c..c7829289e806 100644
--- a/arch/riscv/mm/fault.c
+++ b/arch/riscv/mm/fault.c
@@ -203,7 +203,7 @@  static inline bool access_error(unsigned long cause, struct vm_area_struct *vma)
  * This routine handles page faults.  It determines the address and the
  * problem, and then passes it off to one of the appropriate routines.
  */
-asmlinkage void do_page_fault(struct pt_regs *regs)
+asmlinkage void noinstr do_page_fault(struct pt_regs *regs)
 {
 	struct task_struct *tsk;
 	struct vm_area_struct *vma;