From patchwork Fri Jan 11 18:58:42 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrey Ryabinin X-Patchwork-Id: 10760547 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 19CFA13B4 for ; Fri, 11 Jan 2019 18:58:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0563F288A0 for ; Fri, 11 Jan 2019 18:58:38 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E6E5F2A061; Fri, 11 Jan 2019 18:58:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B4426288A0 for ; Fri, 11 Jan 2019 18:58:36 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id A4D228E0004; Fri, 11 Jan 2019 13:58:35 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 9FC298E0001; Fri, 11 Jan 2019 13:58:35 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 89ED38E0004; Fri, 11 Jan 2019 13:58:35 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-lj1-f197.google.com (mail-lj1-f197.google.com [209.85.208.197]) by kanga.kvack.org (Postfix) with ESMTP id 19C6E8E0001 for ; Fri, 11 Jan 2019 13:58:35 -0500 (EST) Received: by mail-lj1-f197.google.com with SMTP id x18-v6so4005503lji.0 for ; Fri, 11 Jan 2019 10:58:35 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:from:to:cc :subject:date:message-id:mime-version:content-transfer-encoding; bh=F+7e/3dekdAboV6Ly7tJXANTRXCLgcD5fkqQc0MusQM=; b=pfUxMR6wDjf/0Z8Ek8XJFpzazLwplTCR7AQL82tcMnjShLH4pqBNXTbp8dS90On9gU ju6G4u9rQAnWtqsLHq2ohOOnHQqMJvjDlso6uu7GpJqWZzHEtOogBCKMJ4aD8FVZepXC XbBacAfmdAnBUbtghZKIOmW51cgP4syoW4W/Y8uJkCJVaCQYA7Yq5kFHPtCjGYejcwGY SXkce2UAVBafNsPLvvrczo5gYhsDPnKKeS4DYWLtRSBYnpWMc+RBMgnLS01ap+h+vPLv N0GLpXyrVf95FsPeXrHCYcs73jw804CrFIlrlKo+Hfp8DF9xKz05A7YsRfc7Brej1ssj q2Cg== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of aryabinin@virtuozzo.com designates 185.231.240.75 as permitted sender) smtp.mailfrom=aryabinin@virtuozzo.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com X-Gm-Message-State: AJcUukc2ACwqVJDOQVUh9YFNClOTpiIfvtcL6o8AIe8QJIu3GckIZnyK NImFiMKdTBjO5A6RNyjTdRK+4UO/VVMxpP/4qos29l2q2GpGPsDmKlB7q6zbzX+u1rsAbmX40Uc zpX1lqikDZVGlXnN2wvD2st1gSs50/PNvXXcJq3XxrQc7Wao3qTWkbpZpzqGWwHTrpw== X-Received: by 2002:a2e:81d3:: with SMTP id s19-v6mr8087487ljg.138.1547233114390; Fri, 11 Jan 2019 10:58:34 -0800 (PST) X-Google-Smtp-Source: ALg8bN795yNby2B6FAiwNFG06NrNkLOzR83vyZCnt5m9K2rFEJbNx3laCiNe66iBZgshjebauOFx X-Received: by 2002:a2e:81d3:: with SMTP id s19-v6mr8087460ljg.138.1547233113031; Fri, 11 Jan 2019 10:58:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547233112; cv=none; d=google.com; s=arc-20160816; b=e1qL5F/aB9kfNCgYnZ6h4RREhIRuNfWSizszWc66u8i518mvuPwS8viOu4RDXk8jXe 69m5aDUV/pdtBx5VqHoE+S2tXvru2MCZO/zuHrw6vqu/fhbBIdsfUxuN3R23Du/zYTbM ZJCYS97OFg3T2U21V89Cpb5sgRXOGpwNXIeJ3A+nYBfEqiGwO1MorC9BQvzdAchZ45C6 brckbF8MdaTjddv3DWaBIZaj5uii6DaJpkgLEQ1j1D/s87+XNcVEx5k5jzKbhVQl4Je0 eyBAN9tmDubHKs8F5MlS0DKt7wU6PDb+/l6NkVkqq7+jlbg4sBJIggscLlRSvcdJl1g2 uGFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from; bh=F+7e/3dekdAboV6Ly7tJXANTRXCLgcD5fkqQc0MusQM=; b=xP7zk8fcUQntWaT6H3HdUjyif8170DRveIyxT1trbkMAM3VdATmIDkwFsNF4wYSVZv i9Iw0+vcyDx0rfe7pgUsjsWGHB+kWA0DAXCV+pRICrgrdPBV4wnU3dPQ81mU0VVV6fkx Atx/b0oMclhVcaA/8gJBZrA/hLavnrAEQTlTbhIlc+QujE54Mqg885teHvv/QROdVus0 RW5wU69l3a4p90Buv5oS7uTREIPCwVxg3woiqpaGn2FZSHZSDJdiaLItH1Lxm4lUGVlH OxqjzANXaJDf006HVB7IyPDFXojQUGniZlOjR5XKBuHJTb+dExFFrTdcAAWBCmsvhnJ3 Ej0A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of aryabinin@virtuozzo.com designates 185.231.240.75 as permitted sender) smtp.mailfrom=aryabinin@virtuozzo.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Received: from relay.sw.ru (relay.sw.ru. [185.231.240.75]) by mx.google.com with ESMTPS id y29si58212219lfj.45.2019.01.11.10.58.32 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 11 Jan 2019 10:58:32 -0800 (PST) Received-SPF: pass (google.com: domain of aryabinin@virtuozzo.com designates 185.231.240.75 as permitted sender) client-ip=185.231.240.75; Authentication-Results: mx.google.com; spf=pass (google.com: domain of aryabinin@virtuozzo.com designates 185.231.240.75 as permitted sender) smtp.mailfrom=aryabinin@virtuozzo.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=virtuozzo.com Received: from [172.16.25.12] (helo=i7.sw.ru) by relay.sw.ru with esmtp (Exim 4.91) (envelope-from ) id 1gi20f-0006j6-CF; Fri, 11 Jan 2019 21:58:25 +0300 From: Andrey Ryabinin To: akpm@linux-foundation.org Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, Andrey Ryabinin , Qian Cai , Alexander Potapenko , Dmitry Vyukov , Catalin Marinas , Will Deacon Subject: [PATCH] kasan: Remove use after scope bugs detection. Date: Fri, 11 Jan 2019 21:58:42 +0300 Message-Id: <20190111185842.13978-1-aryabinin@virtuozzo.com> X-Mailer: git-send-email 2.19.2 MIME-Version: 1.0 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Use after scope bugs detector seems to be almost entirely useless for the linux kernel. It exists over two years, but I've seen only one valid bug so far [1]. And the bug was fixed before it has been reported. There were some other use-after-scope reports, but they were false-positives due to different reasons like incompatibility with structleak plugin. This feature significantly increases stack usage, especially with GCC < 9 version, and causes a 32K stack overflow. It probably adds performance penalty too. Given all that, let's remove use-after-scope detector entirely. While preparing this patch I've noticed that we mistakenly enable use-after-scope detection for clang compiler regardless of CONFIG_KASAN_EXTRA setting. This is also fixed now. [1] http://lkml.kernel.org/r/<20171129052106.rhgbjhhis53hkgfn@wfg-t540p.sh.intel.com> Signed-off-by: Andrey Ryabinin Cc: Qian Cai Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Catalin Marinas Cc: Will Deacon Acked-by: Will Deacon --- arch/arm64/include/asm/memory.h | 4 ---- lib/Kconfig.debug | 1 - lib/Kconfig.kasan | 10 ---------- lib/test_kasan.c | 24 ------------------------ mm/kasan/generic.c | 19 ------------------- mm/kasan/generic_report.c | 3 --- mm/kasan/kasan.h | 3 --- scripts/Makefile.kasan | 5 ----- scripts/gcc-plugins/Kconfig | 4 ---- 9 files changed, 73 deletions(-) diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h index e1ec947e7c0c..0e236a99b3ef 100644 --- a/arch/arm64/include/asm/memory.h +++ b/arch/arm64/include/asm/memory.h @@ -80,11 +80,7 @@ */ #ifdef CONFIG_KASAN #define KASAN_SHADOW_SIZE (UL(1) << (VA_BITS - KASAN_SHADOW_SCALE_SHIFT)) -#ifdef CONFIG_KASAN_EXTRA -#define KASAN_THREAD_SHIFT 2 -#else #define KASAN_THREAD_SHIFT 1 -#endif /* CONFIG_KASAN_EXTRA */ #else #define KASAN_SHADOW_SIZE (0) #define KASAN_THREAD_SHIFT 0 diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index d4df5b24d75e..a219f3488ad7 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -222,7 +222,6 @@ config ENABLE_MUST_CHECK config FRAME_WARN int "Warn for stack frames larger than (needs gcc 4.4)" range 0 8192 - default 3072 if KASAN_EXTRA default 2048 if GCC_PLUGIN_LATENT_ENTROPY default 1280 if (!64BIT && PARISC) default 1024 if (!64BIT && !PARISC) diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index d8c474b6691e..67d7d1309c52 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -78,16 +78,6 @@ config KASAN_SW_TAGS endchoice -config KASAN_EXTRA - bool "KASAN: extra checks" - depends on KASAN_GENERIC && DEBUG_KERNEL && !COMPILE_TEST - help - This enables further checks in generic KASAN, for now it only - includes the address-use-after-scope check that can lead to - excessive kernel stack usage, frame size warnings and longer - compile time. - See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 - choice prompt "Instrumentation type" depends on KASAN diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 51b78405bf24..7de2702621dc 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -480,29 +480,6 @@ static noinline void __init copy_user_test(void) kfree(kmem); } -static noinline void __init use_after_scope_test(void) -{ - volatile char *volatile p; - - pr_info("use-after-scope on int\n"); - { - int local = 0; - - p = (char *)&local; - } - p[0] = 1; - p[3] = 1; - - pr_info("use-after-scope on array\n"); - { - char local[1024] = {0}; - - p = local; - } - p[0] = 1; - p[1023] = 1; -} - static noinline void __init kasan_alloca_oob_left(void) { volatile int i = 10; @@ -682,7 +659,6 @@ static int __init kmalloc_tests_init(void) kasan_alloca_oob_right(); ksize_unpoisons_memory(); copy_user_test(); - use_after_scope_test(); kmem_cache_double_free(); kmem_cache_invalid_free(); kasan_memchr(); diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c index ccb6207276e3..504c79363a34 100644 --- a/mm/kasan/generic.c +++ b/mm/kasan/generic.c @@ -275,25 +275,6 @@ EXPORT_SYMBOL(__asan_storeN_noabort); void __asan_handle_no_return(void) {} EXPORT_SYMBOL(__asan_handle_no_return); -/* Emitted by compiler to poison large objects when they go out of scope. */ -void __asan_poison_stack_memory(const void *addr, size_t size) -{ - /* - * Addr is KASAN_SHADOW_SCALE_SIZE-aligned and the object is surrounded - * by redzones, so we simply round up size to simplify logic. - */ - kasan_poison_shadow(addr, round_up(size, KASAN_SHADOW_SCALE_SIZE), - KASAN_USE_AFTER_SCOPE); -} -EXPORT_SYMBOL(__asan_poison_stack_memory); - -/* Emitted by compiler to unpoison large objects when they go into scope. */ -void __asan_unpoison_stack_memory(const void *addr, size_t size) -{ - kasan_unpoison_shadow(addr, size); -} -EXPORT_SYMBOL(__asan_unpoison_stack_memory); - /* Emitted by compiler to poison alloca()ed objects. */ void __asan_alloca_poison(unsigned long addr, size_t size) { diff --git a/mm/kasan/generic_report.c b/mm/kasan/generic_report.c index 5e12035888f2..36c645939bc9 100644 --- a/mm/kasan/generic_report.c +++ b/mm/kasan/generic_report.c @@ -82,9 +82,6 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info) case KASAN_KMALLOC_FREE: bug_type = "use-after-free"; break; - case KASAN_USE_AFTER_SCOPE: - bug_type = "use-after-scope"; - break; case KASAN_ALLOCA_LEFT: case KASAN_ALLOCA_RIGHT: bug_type = "alloca-out-of-bounds"; diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h index ea51b2d898ec..3e0c11f7d7a1 100644 --- a/mm/kasan/kasan.h +++ b/mm/kasan/kasan.h @@ -34,7 +34,6 @@ #define KASAN_STACK_MID 0xF2 #define KASAN_STACK_RIGHT 0xF3 #define KASAN_STACK_PARTIAL 0xF4 -#define KASAN_USE_AFTER_SCOPE 0xF8 /* * alloca redzone shadow values @@ -187,8 +186,6 @@ void __asan_unregister_globals(struct kasan_global *globals, size_t size); void __asan_loadN(unsigned long addr, size_t size); void __asan_storeN(unsigned long addr, size_t size); void __asan_handle_no_return(void); -void __asan_poison_stack_memory(const void *addr, size_t size); -void __asan_unpoison_stack_memory(const void *addr, size_t size); void __asan_alloca_poison(unsigned long addr, size_t size); void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom); diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan index 25c259df8ffa..f1fb8e502657 100644 --- a/scripts/Makefile.kasan +++ b/scripts/Makefile.kasan @@ -27,14 +27,9 @@ else $(call cc-param,asan-globals=1) \ $(call cc-param,asan-instrumentation-with-call-threshold=$(call_threshold)) \ $(call cc-param,asan-stack=1) \ - $(call cc-param,asan-use-after-scope=1) \ $(call cc-param,asan-instrument-allocas=1) endif -ifdef CONFIG_KASAN_EXTRA -CFLAGS_KASAN += $(call cc-option, -fsanitize-address-use-after-scope) -endif - endif # CONFIG_KASAN_GENERIC ifdef CONFIG_KASAN_SW_TAGS diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index d45f7f36b859..d9fd9988ef27 100644 --- a/scripts/gcc-plugins/Kconfig +++ b/scripts/gcc-plugins/Kconfig @@ -68,10 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY config GCC_PLUGIN_STRUCTLEAK bool "Force initialization of variables containing userspace addresses" - # Currently STRUCTLEAK inserts initialization out of live scope of - # variables from KASAN point of view. This leads to KASAN false - # positive reports. Prohibit this combination for now. - depends on !KASAN_EXTRA help This plugin zero-initializes any structures containing a __user attribute. This can prevent some classes of information