On Tue, Apr 26, 2022 at 06:42PM +0200, Alexander Potapenko wrote: > For each memory location KernelMemorySanitizer maintains two types of > metadata: > 1. The so-called shadow of that location - а byte:byte mapping describing > whether or not individual bits of memory are initialized (shadow is 0) > or not (shadow is 1). > 2. The origins of that location - а 4-byte:4-byte mapping containing > 4-byte IDs of the stack traces where uninitialized values were > created. > > Each struct page now contains pointers to two struct pages holding > KMSAN metadata (shadow and origins) for the original struct page. > Utility routines in mm/kmsan/core.c and mm/kmsan/shadow.c handle the > metadata creation, addressing, copying and checking. > mm/kmsan/report.c performs error reporting in the cases an uninitialized > value is used in a way that leads to undefined behavior. > > KMSAN compiler instrumentation is responsible for tracking the metadata > along with the kernel memory. mm/kmsan/instrumentation.c provides the > implementation for instrumentation hooks that are called from files > compiled with -fsanitize=kernel-memory. > > To aid parameter passing (also done at instrumentation level), each > task_struct now contains a struct kmsan_task_state used to track the > metadata of function parameters and return values for that task. > > Finally, this patch provides CONFIG_KMSAN that enables KMSAN, and > declares CFLAGS_KMSAN, which are applied to files compiled with KMSAN. > The KMSAN_SANITIZE:=n Makefile directive can be used to completely > disable KMSAN instrumentation for certain files. > > Similarly, KMSAN_ENABLE_CHECKS:=n disables KMSAN checks and makes newly > created stack memory initialized. > > Users can also use functions from include/linux/kmsan-checks.h to mark > certain memory regions as uninitialized or initialized (this is called > "poisoning" and "unpoisoning") or check that a particular region is > initialized. > > Signed-off-by: Alexander Potapenko <glider@xxxxxxxxxx> > --- > v2: > -- as requested by Greg K-H, moved hooks for different subsystems to respective patches, > rewrote the patch description; > -- addressed comments by Dmitry Vyukov; > -- added a note about KMSAN being not intended for production use. > -- fix case of unaligned dst in kmsan_internal_memmove_metadata() > > v3: > -- print build IDs in reports where applicable > -- drop redundant filter_irq_stacks(), unpoison the local passed to __stack_depot_save() > -- remove a stray BUG() > > Link: https://linux-review.googlesource.com/id/I9b71bfe3425466c97159f9de0062e5e8e4fec866 > --- > Makefile | 1 + > include/linux/kmsan-checks.h | 64 +++++ > include/linux/kmsan.h | 47 ++++ > include/linux/mm_types.h | 12 + > include/linux/sched.h | 5 + > lib/Kconfig.debug | 1 + > lib/Kconfig.kmsan | 23 ++ > mm/Makefile | 1 + > mm/kmsan/Makefile | 18 ++ > mm/kmsan/core.c | 458 +++++++++++++++++++++++++++++++++++ > mm/kmsan/hooks.c | 66 +++++ > mm/kmsan/instrumentation.c | 267 ++++++++++++++++++++ > mm/kmsan/kmsan.h | 183 ++++++++++++++ > mm/kmsan/report.c | 211 ++++++++++++++++ > mm/kmsan/shadow.c | 186 ++++++++++++++ > scripts/Makefile.kmsan | 1 + > scripts/Makefile.lib | 9 + > 17 files changed, 1553 insertions(+) > create mode 100644 include/linux/kmsan-checks.h > create mode 100644 include/linux/kmsan.h > create mode 100644 lib/Kconfig.kmsan > create mode 100644 mm/kmsan/Makefile > create mode 100644 mm/kmsan/core.c > create mode 100644 mm/kmsan/hooks.c > create mode 100644 mm/kmsan/instrumentation.c > create mode 100644 mm/kmsan/kmsan.h > create mode 100644 mm/kmsan/report.c > create mode 100644 mm/kmsan/shadow.c > create mode 100644 scripts/Makefile.kmsan > > diff --git a/Makefile b/Makefile > index c3ec1ea423797..d3c7dcd9f0fea 100644 > --- a/Makefile > +++ b/Makefile > @@ -1009,6 +1009,7 @@ include-y := scripts/Makefile.extrawarn > include-$(CONFIG_DEBUG_INFO) += scripts/Makefile.debug > include-$(CONFIG_KASAN) += scripts/Makefile.kasan > include-$(CONFIG_KCSAN) += scripts/Makefile.kcsan > +include-$(CONFIG_KMSAN) += scripts/Makefile.kmsan > include-$(CONFIG_UBSAN) += scripts/Makefile.ubsan > include-$(CONFIG_KCOV) += scripts/Makefile.kcov > include-$(CONFIG_GCC_PLUGINS) += scripts/Makefile.gcc-plugins > diff --git a/include/linux/kmsan-checks.h b/include/linux/kmsan-checks.h > new file mode 100644 > index 0000000000000..a6522a0c28df9 > --- /dev/null > +++ b/include/linux/kmsan-checks.h > @@ -0,0 +1,64 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * KMSAN checks to be used for one-off annotations in subsystems. > + * > + * Copyright (C) 2017-2022 Google LLC > + * Author: Alexander Potapenko <glider@xxxxxxxxxx> > + * > + */ > + > +#ifndef _LINUX_KMSAN_CHECKS_H > +#define _LINUX_KMSAN_CHECKS_H > + > +#include <linux/types.h> > + > +#ifdef CONFIG_KMSAN > + > +/** > + * kmsan_poison_memory() - Mark the memory range as uninitialized. > + * @address: address to start with. > + * @size: size of buffer to poison. > + * @flags: GFP flags for allocations done by this function. > + * > + * Until other data is written to this range, KMSAN will treat it as > + * uninitialized. Error reports for this memory will reference the call site of > + * kmsan_poison_memory() as origin. > + */ > +void kmsan_poison_memory(const void *address, size_t size, gfp_t flags); > + > +/** > + * kmsan_unpoison_memory() - Mark the memory range as initialized. > + * @address: address to start with. > + * @size: size of buffer to unpoison. > + * > + * Until other data is written to this range, KMSAN will treat it as > + * initialized. > + */ > +void kmsan_unpoison_memory(const void *address, size_t size); > + > +/** > + * kmsan_check_memory() - Check the memory range for being initialized. > + * @address: address to start with. > + * @size: size of buffer to check. > + * > + * If any piece of the given range is marked as uninitialized, KMSAN will report > + * an error. > + */ > +void kmsan_check_memory(const void *address, size_t size); > + > +#else > + > +static inline void kmsan_poison_memory(const void *address, size_t size, > + gfp_t flags) > +{ > +} > +static inline void kmsan_unpoison_memory(const void *address, size_t size) > +{ > +} > +static inline void kmsan_check_memory(const void *address, size_t size) > +{ > +} > + > +#endif > + > +#endif /* _LINUX_KMSAN_CHECKS_H */ > diff --git a/include/linux/kmsan.h b/include/linux/kmsan.h > new file mode 100644 > index 0000000000000..4e35f43eceaa9 > --- /dev/null > +++ b/include/linux/kmsan.h > @@ -0,0 +1,47 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * KMSAN API for subsystems. > + * > + * Copyright (C) 2017-2022 Google LLC > + * Author: Alexander Potapenko <glider@xxxxxxxxxx> > + * > + */ > +#ifndef _LINUX_KMSAN_H > +#define _LINUX_KMSAN_H > + > +#include <linux/gfp.h> > +#include <linux/kmsan-checks.h> > +#include <linux/stackdepot.h> > +#include <linux/types.h> > +#include <linux/vmalloc.h> > + > +struct page; > + > +#ifdef CONFIG_KMSAN > + > +/* These constants are defined in the MSan LLVM instrumentation pass. */ > +#define KMSAN_RETVAL_SIZE 800 > +#define KMSAN_PARAM_SIZE 800 > + > +struct kmsan_context_state { > + char param_tls[KMSAN_PARAM_SIZE]; > + char retval_tls[KMSAN_RETVAL_SIZE]; > + char va_arg_tls[KMSAN_PARAM_SIZE]; > + char va_arg_origin_tls[KMSAN_PARAM_SIZE]; > + u64 va_arg_overflow_size_tls; > + char param_origin_tls[KMSAN_PARAM_SIZE]; > + depot_stack_handle_t retval_origin_tls; > +}; > + > +#undef KMSAN_PARAM_SIZE > +#undef KMSAN_RETVAL_SIZE > + > +struct kmsan_ctx { > + struct kmsan_context_state cstate; > + int kmsan_in_runtime; > + bool allow_reporting; > +}; > + > +#endif > + > +#endif /* _LINUX_KMSAN_H */ > diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h > index 8834e38c06a4f..85c97a2145f7e 100644 > --- a/include/linux/mm_types.h > +++ b/include/linux/mm_types.h > @@ -218,6 +218,18 @@ struct page { > not kmapped, ie. highmem) */ > #endif /* WANT_PAGE_VIRTUAL */ > > +#ifdef CONFIG_KMSAN > + /* > + * KMSAN metadata for this page: > + * - shadow page: every bit indicates whether the corresponding > + * bit of the original page is initialized (0) or not (1); > + * - origin page: every 4 bytes contain an id of the stack trace > + * where the uninitialized value was created. > + */ > + struct page *kmsan_shadow; > + struct page *kmsan_origin; > +#endif > + > #ifdef LAST_CPUPID_NOT_IN_PAGE_FLAGS > int _last_cpupid; > #endif > diff --git a/include/linux/sched.h b/include/linux/sched.h > index a8911b1f35aad..9e53624cd73ac 100644 > --- a/include/linux/sched.h > +++ b/include/linux/sched.h > @@ -14,6 +14,7 @@ > #include <linux/pid.h> > #include <linux/sem.h> > #include <linux/shm.h> > +#include <linux/kmsan.h> > #include <linux/mutex.h> > #include <linux/plist.h> > #include <linux/hrtimer.h> > @@ -1352,6 +1353,10 @@ struct task_struct { > #endif > #endif > > +#ifdef CONFIG_KMSAN > + struct kmsan_ctx kmsan_ctx; > +#endif > + > #if IS_ENABLED(CONFIG_KUNIT) > struct kunit *kunit_test; > #endif > diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug > index 075cd25363ac3..b81670878acae 100644 > --- a/lib/Kconfig.debug > +++ b/lib/Kconfig.debug > @@ -996,6 +996,7 @@ config DEBUG_STACKOVERFLOW > > source "lib/Kconfig.kasan" > source "lib/Kconfig.kfence" > +source "lib/Kconfig.kmsan" > > endmenu # "Memory Debugging" > > diff --git a/lib/Kconfig.kmsan b/lib/Kconfig.kmsan > new file mode 100644 > index 0000000000000..199f79d031f94 > --- /dev/null > +++ b/lib/Kconfig.kmsan > @@ -0,0 +1,23 @@ Missing SPDX-License-Identifier. > +config HAVE_ARCH_KMSAN > + bool > + > +config HAVE_KMSAN_COMPILER > + def_bool (CC_IS_CLANG && $(cc-option,-fsanitize=kernel-memory -mllvm -msan-disable-checks=1)) > + > +config KMSAN > + bool "KMSAN: detector of uninitialized values use" > + depends on HAVE_ARCH_KMSAN && HAVE_KMSAN_COMPILER > + depends on SLUB && DEBUG_KERNEL && !KASAN && !KCSAN > + depends on CC_IS_CLANG && CLANG_VERSION >= 140000 Shouldn't the "CC_IS_CLANG && CLANG_VERSION ..." check be a "depends on" in HAVE_KMSAN_COMPILER? That way all the compiler-related checks are confined to HAVE_KMSAN_COMPILER. I guess, it might also be worth mentioning why the version check is required at all (something about older compilers supporting fsanitize=kernel-memory, but not having all features we need). > + select STACKDEPOT > + select STACKDEPOT_ALWAYS_INIT > + help > + KernelMemorySanitizer (KMSAN) is a dynamic detector of uses of > + uninitialized values in the kernel. It is based on compiler > + instrumentation provided by Clang and thus requires Clang to build. > + > + An important note is that KMSAN is not intended for production use, > + because it drastically increases kernel memory footprint and slows > + the whole system down. > + > + See <file:Documentation/dev-tools/kmsan.rst> for more details. > diff --git a/mm/Makefile b/mm/Makefile > index 4cc13f3179a51..4da7eeaecc214 100644 > --- a/mm/Makefile > +++ b/mm/Makefile > @@ -89,6 +89,7 @@ obj-$(CONFIG_SLAB) += slab.o > obj-$(CONFIG_SLUB) += slub.o > obj-$(CONFIG_KASAN) += kasan/ > obj-$(CONFIG_KFENCE) += kfence/ > +obj-$(CONFIG_KMSAN) += kmsan/ > obj-$(CONFIG_FAILSLAB) += failslab.o > obj-$(CONFIG_MEMTEST) += memtest.o > obj-$(CONFIG_MIGRATION) += migrate.o > diff --git a/mm/kmsan/Makefile b/mm/kmsan/Makefile > new file mode 100644 > index 0000000000000..a80dde1de7048 > --- /dev/null > +++ b/mm/kmsan/Makefile > @@ -0,0 +1,18 @@ Makefile needs a SPDX-License-Identifier. > +obj-y := core.o instrumentation.o hooks.o report.o shadow.o > + > +KMSAN_SANITIZE := n > +KCOV_INSTRUMENT := n > +UBSAN_SANITIZE := n > + > +# Disable instrumentation of KMSAN runtime with other tools. > +CC_FLAGS_KMSAN_RUNTIME := -fno-stack-protector > +CC_FLAGS_KMSAN_RUNTIME += $(call cc-option,-fno-conserve-stack) > +CC_FLAGS_KMSAN_RUNTIME += -DDISABLE_BRANCH_PROFILING > + > +CFLAGS_REMOVE.o = $(CC_FLAGS_FTRACE) > + > +CFLAGS_core.o := $(CC_FLAGS_KMSAN_RUNTIME) > +CFLAGS_hooks.o := $(CC_FLAGS_KMSAN_RUNTIME) > +CFLAGS_instrumentation.o := $(CC_FLAGS_KMSAN_RUNTIME) > +CFLAGS_report.o := $(CC_FLAGS_KMSAN_RUNTIME) > +CFLAGS_shadow.o := $(CC_FLAGS_KMSAN_RUNTIME) > diff --git a/mm/kmsan/core.c b/mm/kmsan/core.c > new file mode 100644 > index 0000000000000..933d864d9d467 > --- /dev/null > +++ b/mm/kmsan/core.c > @@ -0,0 +1,458 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * KMSAN runtime library. > + * > + * Copyright (C) 2017-2022 Google LLC > + * Author: Alexander Potapenko <glider@xxxxxxxxxx> > + * > + */ > + > +#include <asm/page.h> > +#include <linux/compiler.h> > +#include <linux/export.h> > +#include <linux/highmem.h> > +#include <linux/interrupt.h> > +#include <linux/kernel.h> > +#include <linux/kmsan.h> > +#include <linux/memory.h> > +#include <linux/mm.h> > +#include <linux/mm_types.h> > +#include <linux/mmzone.h> > +#include <linux/percpu-defs.h> > +#include <linux/preempt.h> > +#include <linux/slab.h> > +#include <linux/stackdepot.h> > +#include <linux/stacktrace.h> > +#include <linux/types.h> > +#include <linux/vmalloc.h> > + > +#include "../slab.h" > +#include "kmsan.h" > + > +/* > + * Avoid creating too long origin chains, these are unlikely to participate in > + * real reports. > + */ > +#define MAX_CHAIN_DEPTH 7 > +#define NUM_SKIPPED_TO_WARN 10000 > + > +bool kmsan_enabled __read_mostly; > + > +/* > + * Per-CPU KMSAN context to be used in interrupts, where current->kmsan is > + * unavaliable. > + */ > +DEFINE_PER_CPU(struct kmsan_ctx, kmsan_percpu_ctx); > + > +void kmsan_internal_poison_memory(void *address, size_t size, gfp_t flags, > + unsigned int poison_flags) > +{ > + u32 extra_bits = > + kmsan_extra_bits(/*depth*/ 0, poison_flags & KMSAN_POISON_FREE); > + bool checked = poison_flags & KMSAN_POISON_CHECK; > + depot_stack_handle_t handle; > + > + handle = kmsan_save_stack_with_flags(flags, extra_bits); > + kmsan_internal_set_shadow_origin(address, size, -1, handle, checked); > +} > + > +void kmsan_internal_unpoison_memory(void *address, size_t size, bool checked) > +{ > + kmsan_internal_set_shadow_origin(address, size, 0, 0, checked); > +} > + > +depot_stack_handle_t kmsan_save_stack_with_flags(gfp_t flags, > + unsigned int extra) > +{ > + unsigned long entries[KMSAN_STACK_DEPTH]; > + unsigned int nr_entries; > + > + nr_entries = stack_trace_save(entries, KMSAN_STACK_DEPTH, 0); > + > + /* Don't sleep (see might_sleep_if() in __alloc_pages_nodemask()). */ > + flags &= ~__GFP_DIRECT_RECLAIM; > + > + return __stack_depot_save(entries, nr_entries, extra, flags, true); > +} > + > +/* Copy the metadata following the memmove() behavior. */ > +void kmsan_internal_memmove_metadata(void *dst, void *src, size_t n) > +{ > + depot_stack_handle_t old_origin = 0, new_origin = 0; > + int src_slots, dst_slots, i, iter, step, skip_bits; > + depot_stack_handle_t *origin_src, *origin_dst; > + void *shadow_src, *shadow_dst; > + u32 *align_shadow_src, shadow; > + bool backwards; > + > + shadow_dst = kmsan_get_metadata(dst, KMSAN_META_SHADOW); > + if (!shadow_dst) > + return; > + KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(dst, n)); > + > + shadow_src = kmsan_get_metadata(src, KMSAN_META_SHADOW); > + if (!shadow_src) { > + /* > + * |src| is untracked: zero out destination shadow, ignore the Probably doesn't matter too much, but for consistency elsewhere - @src? > + * origins, we're done. > + */ > + __memset(shadow_dst, 0, n); > + return; > + } > + KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(src, n)); > + > + __memmove(shadow_dst, shadow_src, n); > + > + origin_dst = kmsan_get_metadata(dst, KMSAN_META_ORIGIN); > + origin_src = kmsan_get_metadata(src, KMSAN_META_ORIGIN); > + KMSAN_WARN_ON(!origin_dst || !origin_src); > + src_slots = (ALIGN((u64)src + n, KMSAN_ORIGIN_SIZE) - > + ALIGN_DOWN((u64)src, KMSAN_ORIGIN_SIZE)) / > + KMSAN_ORIGIN_SIZE; > + dst_slots = (ALIGN((u64)dst + n, KMSAN_ORIGIN_SIZE) - > + ALIGN_DOWN((u64)dst, KMSAN_ORIGIN_SIZE)) / > + KMSAN_ORIGIN_SIZE; > + KMSAN_WARN_ON((src_slots < 1) || (dst_slots < 1)); > + KMSAN_WARN_ON((src_slots - dst_slots > 1) || > + (dst_slots - src_slots < -1)); > + > + backwards = dst > src; > + i = backwards ? min(src_slots, dst_slots) - 1 : 0; > + iter = backwards ? -1 : 1; > + > + align_shadow_src = > + (u32 *)ALIGN_DOWN((u64)shadow_src, KMSAN_ORIGIN_SIZE); > + for (step = 0; step < min(src_slots, dst_slots); step++, i += iter) { > + KMSAN_WARN_ON(i < 0); > + shadow = align_shadow_src[i]; > + if (i == 0) { > + /* > + * If |src| isn't aligned on KMSAN_ORIGIN_SIZE, don't > + * look at the first |src % KMSAN_ORIGIN_SIZE| bytes > + * of the first shadow slot. > + */ > + skip_bits = ((u64)src % KMSAN_ORIGIN_SIZE) * 8; > + shadow = (shadow >> skip_bits) << skip_bits; > + } > + if (i == src_slots - 1) { > + /* > + * If |src + n| isn't aligned on > + * KMSAN_ORIGIN_SIZE, don't look at the last > + * |(src + n) % KMSAN_ORIGIN_SIZE| bytes of the > + * last shadow slot. > + */ > + skip_bits = (((u64)src + n) % KMSAN_ORIGIN_SIZE) * 8; > + shadow = (shadow << skip_bits) >> skip_bits; > + } > + /* > + * Overwrite the origin only if the corresponding > + * shadow is nonempty. > + */ > + if (origin_src[i] && (origin_src[i] != old_origin) && shadow) { > + old_origin = origin_src[i]; > + new_origin = kmsan_internal_chain_origin(old_origin); > + /* > + * kmsan_internal_chain_origin() may return > + * NULL, but we don't want to lose the previous > + * origin value. > + */ > + if (!new_origin) > + new_origin = old_origin; > + } > + if (shadow) > + origin_dst[i] = new_origin; > + else > + origin_dst[i] = 0; > + } > + /* > + * If dst_slots is greater than src_slots (i.e. > + * dst_slots == src_slots + 1), there is an extra origin slot at the > + * beginning or end of the destination buffer, for which we take the > + * origin from the previous slot. > + * This is only done if the part of the source shadow corresponding to > + * slot is non-zero. > + * > + * E.g. if we copy 8 aligned bytes that are marked as uninitialized > + * and have origins o111 and o222, to an unaligned buffer with offset 1, > + * these two origins are copied to three origin slots, so one of then > + * needs to be duplicated, depending on the copy direction (@backwards) > + * > + * src shadow: |uuuu|uuuu|....| > + * src origin: |o111|o222|....| > + * > + * backwards = 0: > + * dst shadow: |.uuu|uuuu|u...| > + * dst origin: |....|o111|o222| - fill the empty slot with o111 > + * backwards = 1: > + * dst shadow: |.uuu|uuuu|u...| > + * dst origin: |o111|o222|....| - fill the empty slot with o222 > + */ > + if (src_slots < dst_slots) { > + if (backwards) { > + shadow = align_shadow_src[src_slots - 1]; > + skip_bits = (((u64)dst + n) % KMSAN_ORIGIN_SIZE) * 8; > + shadow = (shadow << skip_bits) >> skip_bits; > + if (shadow) > + /* src_slots > 0, therefore dst_slots is at least 2 */ > + origin_dst[dst_slots - 1] = origin_dst[dst_slots - 2]; > + } else { > + shadow = align_shadow_src[0]; > + skip_bits = ((u64)dst % KMSAN_ORIGIN_SIZE) * 8; > + shadow = (shadow >> skip_bits) << skip_bits; > + if (shadow) > + origin_dst[0] = origin_dst[1]; > + } > + } > +} > + > +depot_stack_handle_t kmsan_internal_chain_origin(depot_stack_handle_t id) > +{ > + unsigned long entries[3]; > + u32 extra_bits; > + int depth; > + bool uaf; > + > + if (!id) > + return id; > + /* > + * Make sure we have enough spare bits in |id| to hold the UAF bit and > + * the chain depth. > + */ > + BUILD_BUG_ON((1 << STACK_DEPOT_EXTRA_BITS) <= (MAX_CHAIN_DEPTH << 1)); > + > + extra_bits = stack_depot_get_extra_bits(id); > + depth = kmsan_depth_from_eb(extra_bits); > + uaf = kmsan_uaf_from_eb(extra_bits); > + > + if (depth >= MAX_CHAIN_DEPTH) { > + static atomic_long_t kmsan_skipped_origins; > + long skipped = atomic_long_inc_return(&kmsan_skipped_origins); > + > + if (skipped % NUM_SKIPPED_TO_WARN == 0) { > + pr_warn("not chained %ld origins\n", skipped); > + dump_stack(); > + kmsan_print_origin(id); > + } > + return id; > + } > + depth++; > + extra_bits = kmsan_extra_bits(depth, uaf); > + > + entries[0] = KMSAN_CHAIN_MAGIC_ORIGIN; > + entries[1] = kmsan_save_stack_with_flags(GFP_ATOMIC, 0); > + entries[2] = id; > + /* > + * @entries is a local var in non-instrumented code, so KMSAN does not > + * know it is initialized. Explicitly unpoison it to avoid false > + * positives when __stack_depot_save() passes it to instrumented code. > + */ > + kmsan_internal_unpoison_memory(entries, sizeof(entries), false); > + return __stack_depot_save(entries, ARRAY_SIZE(entries), extra_bits, > + GFP_ATOMIC, true); > +} > + > +void kmsan_internal_set_shadow_origin(void *addr, size_t size, int b, > + u32 origin, bool checked) > +{ > + u64 address = (u64)addr; > + void *shadow_start; > + u32 *origin_start; > + size_t pad = 0; > + int i; > + > + KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size)); > + shadow_start = kmsan_get_metadata(addr, KMSAN_META_SHADOW); > + if (!shadow_start) { > + /* > + * kmsan_metadata_is_contiguous() is true, so either all shadow > + * and origin pages are NULL, or all are non-NULL. > + */ > + if (checked) { > + pr_err("%s: not memsetting %ld bytes starting at %px, because the shadow is NULL\n", > + __func__, size, addr); > + KMSAN_WARN_ON(true); > + } > + return; > + } > + __memset(shadow_start, b, size); > + > + if (!IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { > + pad = address % KMSAN_ORIGIN_SIZE; > + address -= pad; > + size += pad; > + } > + size = ALIGN(size, KMSAN_ORIGIN_SIZE); > + origin_start = > + (u32 *)kmsan_get_metadata((void *)address, KMSAN_META_ORIGIN); > + > + for (i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) > + origin_start[i] = origin; > +} > + > +struct page *kmsan_vmalloc_to_page_or_null(void *vaddr) > +{ > + struct page *page; > + > + if (!kmsan_internal_is_vmalloc_addr(vaddr) && > + !kmsan_internal_is_module_addr(vaddr)) > + return NULL; > + page = vmalloc_to_page(vaddr); > + if (pfn_valid(page_to_pfn(page))) > + return page; > + else > + return NULL; > +} > + > +void kmsan_internal_check_memory(void *addr, size_t size, const void *user_addr, > + int reason) > +{ > + depot_stack_handle_t cur_origin = 0, new_origin = 0; > + unsigned long addr64 = (unsigned long)addr; > + depot_stack_handle_t *origin = NULL; > + unsigned char *shadow = NULL; > + int cur_off_start = -1; > + int i, chunk_size; > + size_t pos = 0; > + > + if (!size) > + return; > + KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size)); > + while (pos < size) { > + chunk_size = min(size - pos, > + PAGE_SIZE - ((addr64 + pos) % PAGE_SIZE)); > + shadow = kmsan_get_metadata((void *)(addr64 + pos), > + KMSAN_META_SHADOW); > + if (!shadow) { > + /* > + * This page is untracked. If there were uninitialized > + * bytes before, report them. > + */ > + if (cur_origin) { > + kmsan_enter_runtime(); > + kmsan_report(cur_origin, addr, size, > + cur_off_start, pos - 1, user_addr, > + reason); > + kmsan_leave_runtime(); > + } > + cur_origin = 0; > + cur_off_start = -1; > + pos += chunk_size; > + continue; > + } > + for (i = 0; i < chunk_size; i++) { > + if (!shadow[i]) { > + /* > + * This byte is unpoisoned. If there were > + * poisoned bytes before, report them. > + */ > + if (cur_origin) { > + kmsan_enter_runtime(); > + kmsan_report(cur_origin, addr, size, > + cur_off_start, pos + i - 1, > + user_addr, reason); > + kmsan_leave_runtime(); > + } > + cur_origin = 0; > + cur_off_start = -1; > + continue; > + } > + origin = kmsan_get_metadata((void *)(addr64 + pos + i), > + KMSAN_META_ORIGIN); > + KMSAN_WARN_ON(!origin); > + new_origin = *origin; > + /* > + * Encountered new origin - report the previous > + * uninitialized range. > + */ > + if (cur_origin != new_origin) { > + if (cur_origin) { > + kmsan_enter_runtime(); > + kmsan_report(cur_origin, addr, size, > + cur_off_start, pos + i - 1, > + user_addr, reason); > + kmsan_leave_runtime(); > + } > + cur_origin = new_origin; > + cur_off_start = pos + i; > + } > + } > + pos += chunk_size; > + } > + KMSAN_WARN_ON(pos != size); > + if (cur_origin) { > + kmsan_enter_runtime(); > + kmsan_report(cur_origin, addr, size, cur_off_start, pos - 1, > + user_addr, reason); > + kmsan_leave_runtime(); > + } > +} > + > +bool kmsan_metadata_is_contiguous(void *addr, size_t size) > +{ > + char *cur_shadow = NULL, *next_shadow = NULL, *cur_origin = NULL, > + *next_origin = NULL; > + u64 cur_addr = (u64)addr, next_addr = cur_addr + PAGE_SIZE; > + depot_stack_handle_t *origin_p; > + bool all_untracked = false; > + > + if (!size) > + return true; > + > + /* The whole range belongs to the same page. */ > + if (ALIGN_DOWN(cur_addr + size - 1, PAGE_SIZE) == > + ALIGN_DOWN(cur_addr, PAGE_SIZE)) > + return true; > + > + cur_shadow = kmsan_get_metadata((void *)cur_addr, /*is_origin*/ false); > + if (!cur_shadow) > + all_untracked = true; > + cur_origin = kmsan_get_metadata((void *)cur_addr, /*is_origin*/ true); > + if (all_untracked && cur_origin) > + goto report; > + > + for (; next_addr < (u64)addr + size; > + cur_addr = next_addr, cur_shadow = next_shadow, > + cur_origin = next_origin, next_addr += PAGE_SIZE) { > + next_shadow = kmsan_get_metadata((void *)next_addr, false); > + next_origin = kmsan_get_metadata((void *)next_addr, true); > + if (all_untracked) { > + if (next_shadow || next_origin) > + goto report; > + if (!next_shadow && !next_origin) > + continue; > + } > + if (((u64)cur_shadow == ((u64)next_shadow - PAGE_SIZE)) && > + ((u64)cur_origin == ((u64)next_origin - PAGE_SIZE))) > + continue; > + goto report; > + } > + return true; > + > +report: > + pr_err("%s: attempting to access two shadow page ranges.\n", __func__); > + pr_err("Access of size %ld at %px.\n", size, addr); > + pr_err("Addresses belonging to different ranges: %px and %px\n", > + (void *)cur_addr, (void *)next_addr); > + pr_err("page[0].shadow: %px, page[1].shadow: %px\n", cur_shadow, > + next_shadow); > + pr_err("page[0].origin: %px, page[1].origin: %px\n", cur_origin, > + next_origin); > + origin_p = kmsan_get_metadata(addr, KMSAN_META_ORIGIN); > + if (origin_p) { > + pr_err("Origin: %08x\n", *origin_p); > + kmsan_print_origin(*origin_p); > + } else { > + pr_err("Origin: unavailable\n"); > + } > + return false; > +} > + > +bool kmsan_internal_is_module_addr(void *vaddr) > +{ > + return ((u64)vaddr >= MODULES_VADDR) && ((u64)vaddr < MODULES_END); > +} > + > +bool kmsan_internal_is_vmalloc_addr(void *addr) > +{ > + return ((u64)addr >= VMALLOC_START) && ((u64)addr < VMALLOC_END); > +} > diff --git a/mm/kmsan/hooks.c b/mm/kmsan/hooks.c > new file mode 100644 > index 0000000000000..4ac62fa67a02a > --- /dev/null > +++ b/mm/kmsan/hooks.c > @@ -0,0 +1,66 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * KMSAN hooks for kernel subsystems. > + * > + * These functions handle creation of KMSAN metadata for memory allocations. > + * > + * Copyright (C) 2018-2022 Google LLC > + * Author: Alexander Potapenko <glider@xxxxxxxxxx> > + * > + */ > + > +#include <linux/cacheflush.h> > +#include <linux/gfp.h> > +#include <linux/mm.h> > +#include <linux/mm_types.h> > +#include <linux/slab.h> > +#include <linux/uaccess.h> > + > +#include "../internal.h" > +#include "../slab.h" > +#include "kmsan.h" > + > +/* > + * Instrumented functions shouldn't be called under > + * kmsan_enter_runtime()/kmsan_leave_runtime(), because this will lead to > + * skipping effects of functions like memset() inside instrumented code. > + */ > + > +/* Functions from kmsan-checks.h follow. */ > +void kmsan_poison_memory(const void *address, size_t size, gfp_t flags) > +{ > + if (!kmsan_enabled || kmsan_in_runtime()) > + return; > + kmsan_enter_runtime(); > + /* The users may want to poison/unpoison random memory. */ > + kmsan_internal_poison_memory((void *)address, size, flags, > + KMSAN_POISON_NOCHECK); > + kmsan_leave_runtime(); > +} > +EXPORT_SYMBOL(kmsan_poison_memory); > + > +void kmsan_unpoison_memory(const void *address, size_t size) > +{ > + unsigned long ua_flags; > + > + if (!kmsan_enabled || kmsan_in_runtime()) > + return; > + > + ua_flags = user_access_save(); > + kmsan_enter_runtime(); > + /* The users may want to poison/unpoison random memory. */ > + kmsan_internal_unpoison_memory((void *)address, size, > + KMSAN_POISON_NOCHECK); > + kmsan_leave_runtime(); > + user_access_restore(ua_flags); > +} > +EXPORT_SYMBOL(kmsan_unpoison_memory); > + > +void kmsan_check_memory(const void *addr, size_t size) > +{ > + if (!kmsan_enabled) > + return; > + return kmsan_internal_check_memory((void *)addr, size, /*user_addr*/ 0, > + REASON_ANY); > +} > +EXPORT_SYMBOL(kmsan_check_memory); > diff --git a/mm/kmsan/instrumentation.c b/mm/kmsan/instrumentation.c > new file mode 100644 > index 0000000000000..fe062d123a76f > --- /dev/null > +++ b/mm/kmsan/instrumentation.c > @@ -0,0 +1,267 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * KMSAN compiler API. > + * > + * This file implements __msan_XXX hooks that Clang inserts into the code > + * compiled with -fsanitize=kernel-memory. > + * See Documentation/dev-tools/kmsan.rst for more information on how KMSAN > + * instrumentation works. > + * > + * Copyright (C) 2017-2022 Google LLC > + * Author: Alexander Potapenko <glider@xxxxxxxxxx> > + * > + */ > + > +#include "kmsan.h" > +#include <linux/gfp.h> > +#include <linux/mm.h> > +#include <linux/uaccess.h> > + > +static inline bool is_bad_asm_addr(void *addr, uintptr_t size, bool is_store) > +{ > + if ((u64)addr < TASK_SIZE) > + return true; > + if (!kmsan_get_metadata(addr, KMSAN_META_SHADOW)) > + return true; > + return false; > +} > + > +static inline struct shadow_origin_ptr > +get_shadow_origin_ptr(void *addr, u64 size, bool store) > +{ > + unsigned long ua_flags = user_access_save(); > + struct shadow_origin_ptr ret; > + > + ret = kmsan_get_shadow_origin_ptr(addr, size, store); > + user_access_restore(ua_flags); > + return ret; > +} > + > +/* Get shadow and origin pointers for a memory load with non-standard size. */ > +struct shadow_origin_ptr __msan_metadata_ptr_for_load_n(void *addr, > + uintptr_t size) > +{ > + return get_shadow_origin_ptr(addr, size, /*store*/ false); > +} > +EXPORT_SYMBOL(__msan_metadata_ptr_for_load_n); > + > +/* Get shadow and origin pointers for a memory store with non-standard size. */ > +struct shadow_origin_ptr __msan_metadata_ptr_for_store_n(void *addr, > + uintptr_t size) > +{ > + return get_shadow_origin_ptr(addr, size, /*store*/ true); > +} > +EXPORT_SYMBOL(__msan_metadata_ptr_for_store_n); > + > +/* > + * Declare functions that obtain shadow/origin pointers for loads and stores > + * with fixed size. > + */ > +#define DECLARE_METADATA_PTR_GETTER(size) \ > + struct shadow_origin_ptr __msan_metadata_ptr_for_load_##size( \ > + void *addr) \ > + { \ > + return get_shadow_origin_ptr(addr, size, /*store*/ false); \ > + } \ > + EXPORT_SYMBOL(__msan_metadata_ptr_for_load_##size); \ > + struct shadow_origin_ptr __msan_metadata_ptr_for_store_##size( \ > + void *addr) \ > + { \ > + return get_shadow_origin_ptr(addr, size, /*store*/ true); \ > + } \ > + EXPORT_SYMBOL(__msan_metadata_ptr_for_store_##size) > + > +DECLARE_METADATA_PTR_GETTER(1); > +DECLARE_METADATA_PTR_GETTER(2); > +DECLARE_METADATA_PTR_GETTER(4); > +DECLARE_METADATA_PTR_GETTER(8); > + > +/* > + * Handle a memory store performed by inline assembly. KMSAN conservatively > + * attempts to unpoison the outputs of asm() directives to prevent false > + * positives caused by missed stores. > + */ > +void __msan_instrument_asm_store(void *addr, uintptr_t size) > +{ > + unsigned long ua_flags; > + > + if (!kmsan_enabled || kmsan_in_runtime()) > + return; > + > + ua_flags = user_access_save(); > + /* > + * Most of the accesses are below 32 bytes. The two exceptions so far > + * are clwb() (64 bytes) and FPU state (512 bytes). > + * It's unlikely that the assembly will touch more than 512 bytes. > + */ > + if (size > 512) { > + WARN_ONCE(1, "assembly store size too big: %ld\n", size); > + size = 8; > + } > + if (is_bad_asm_addr(addr, size, /*is_store*/ true)) { > + user_access_restore(ua_flags); > + return; > + } > + kmsan_enter_runtime(); > + /* Unpoisoning the memory on best effort. */ > + kmsan_internal_unpoison_memory(addr, size, /*checked*/ false); > + kmsan_leave_runtime(); > + user_access_restore(ua_flags); > +} > +EXPORT_SYMBOL(__msan_instrument_asm_store); > + > +/* Handle llvm.memmove intrinsic. */ > +void *__msan_memmove(void *dst, const void *src, uintptr_t n) > +{ > + void *result; > + > + result = __memmove(dst, src, n); > + if (!n) > + /* Some people call memmove() with zero length. */ > + return result; > + if (!kmsan_enabled || kmsan_in_runtime()) > + return result; > + > + kmsan_internal_memmove_metadata(dst, (void *)src, n); > + > + return result; > +} > +EXPORT_SYMBOL(__msan_memmove); > + > +/* Handle llvm.memcpy intrinsic. */ > +void *__msan_memcpy(void *dst, const void *src, uintptr_t n) > +{ > + void *result; > + > + result = __memcpy(dst, src, n); > + if (!n) > + /* Some people call memcpy() with zero length. */ > + return result; > + > + if (!kmsan_enabled || kmsan_in_runtime()) > + return result; > + > + /* Using memmove instead of memcpy doesn't affect correctness. */ > + kmsan_internal_memmove_metadata(dst, (void *)src, n); > + > + return result; > +} > +EXPORT_SYMBOL(__msan_memcpy); > + > +/* Handle llvm.memset intrinsic. */ > +void *__msan_memset(void *dst, int c, uintptr_t n) > +{ > + void *result; > + > + result = __memset(dst, c, n); > + if (!kmsan_enabled || kmsan_in_runtime()) > + return result; > + > + kmsan_enter_runtime(); > + /* > + * Clang doesn't pass parameter metadata here, so it is impossible to > + * use shadow of @c to set up the shadow for @dst. > + */ > + kmsan_internal_unpoison_memory(dst, n, /*checked*/ false); > + kmsan_leave_runtime(); > + > + return result; > +} > +EXPORT_SYMBOL(__msan_memset); > + > +/* > + * Create a new origin from an old one. This is done when storing an > + * uninitialized value to memory. When reporting an error, KMSAN unrolls and > + * prints the whole chain of stores that preceded the use of this value. > + */ > +depot_stack_handle_t __msan_chain_origin(depot_stack_handle_t origin) > +{ > + depot_stack_handle_t ret = 0; > + unsigned long ua_flags; > + > + if (!kmsan_enabled || kmsan_in_runtime()) > + return ret; > + > + ua_flags = user_access_save(); > + > + /* Creating new origins may allocate memory. */ > + kmsan_enter_runtime(); > + ret = kmsan_internal_chain_origin(origin); > + kmsan_leave_runtime(); > + user_access_restore(ua_flags); > + return ret; > +} > +EXPORT_SYMBOL(__msan_chain_origin); > + > +/* Poison a local variable when entering a function. */ > +void __msan_poison_alloca(void *address, uintptr_t size, char *descr) > +{ > + depot_stack_handle_t handle; > + unsigned long entries[4]; > + unsigned long ua_flags; > + > + if (!kmsan_enabled || kmsan_in_runtime()) > + return; > + > + ua_flags = user_access_save(); > + entries[0] = KMSAN_ALLOCA_MAGIC_ORIGIN; > + entries[1] = (u64)descr; > + entries[2] = (u64)__builtin_return_address(0); > + /* > + * With frame pointers enabled, it is possible to quickly fetch the > + * second frame of the caller stack without calling the unwinder. > + * Without them, simply do not bother. > + */ > + if (IS_ENABLED(CONFIG_UNWINDER_FRAME_POINTER)) > + entries[3] = (u64)__builtin_return_address(1); > + else > + entries[3] = 0; > + > + /* stack_depot_save() may allocate memory. */ > + kmsan_enter_runtime(); > + handle = stack_depot_save(entries, ARRAY_SIZE(entries), GFP_ATOMIC); > + kmsan_leave_runtime(); > + > + kmsan_internal_set_shadow_origin(address, size, -1, handle, > + /*checked*/ true); > + user_access_restore(ua_flags); > +} > +EXPORT_SYMBOL(__msan_poison_alloca); > + > +/* Unpoison a local variable. */ > +void __msan_unpoison_alloca(void *address, uintptr_t size) > +{ > + if (!kmsan_enabled || kmsan_in_runtime()) > + return; > + > + kmsan_enter_runtime(); > + kmsan_internal_unpoison_memory(address, size, /*checked*/ true); > + kmsan_leave_runtime(); > +} > +EXPORT_SYMBOL(__msan_unpoison_alloca); > + > +/* > + * Report that an uninitialized value with the given origin was used in a way > + * that constituted undefined behavior. > + */ > +void __msan_warning(u32 origin) > +{ > + if (!kmsan_enabled || kmsan_in_runtime()) > + return; > + kmsan_enter_runtime(); > + kmsan_report(origin, /*address*/ 0, /*size*/ 0, > + /*off_first*/ 0, /*off_last*/ 0, /*user_addr*/ 0, > + REASON_ANY); > + kmsan_leave_runtime(); > +} > +EXPORT_SYMBOL(__msan_warning); > + > +/* > + * At the beginning of an instrumented function, obtain the pointer to > + * `struct kmsan_context_state` holding the metadata for function parameters. > + */ > +struct kmsan_context_state *__msan_get_context_state(void) > +{ > + return &kmsan_get_context()->cstate; > +} > +EXPORT_SYMBOL(__msan_get_context_state); > diff --git a/mm/kmsan/kmsan.h b/mm/kmsan/kmsan.h > new file mode 100644 > index 0000000000000..bfe38789950a6 > --- /dev/null > +++ b/mm/kmsan/kmsan.h > @@ -0,0 +1,183 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * Functions used by the KMSAN runtime. > + * > + * Copyright (C) 2017-2022 Google LLC > + * Author: Alexander Potapenko <glider@xxxxxxxxxx> > + * > + */ > + > +#ifndef __MM_KMSAN_KMSAN_H > +#define __MM_KMSAN_KMSAN_H > + > +#include <asm/pgtable_64_types.h> > +#include <linux/irqflags.h> > +#include <linux/sched.h> > +#include <linux/stackdepot.h> > +#include <linux/stacktrace.h> > +#include <linux/nmi.h> > +#include <linux/mm.h> > +#include <linux/printk.h> > + > +#define KMSAN_ALLOCA_MAGIC_ORIGIN 0xabcd0100 > +#define KMSAN_CHAIN_MAGIC_ORIGIN 0xabcd0200 > + > +#define KMSAN_POISON_NOCHECK 0x0 > +#define KMSAN_POISON_CHECK 0x1 > +#define KMSAN_POISON_FREE 0x2 > + > +#define KMSAN_ORIGIN_SIZE 4 > + > +#define KMSAN_STACK_DEPTH 64 > + > +#define KMSAN_META_SHADOW (false) > +#define KMSAN_META_ORIGIN (true) > + > +extern bool kmsan_enabled; > +extern int panic_on_kmsan; > + > +/* > + * KMSAN performs a lot of consistency checks that are currently enabled by > + * default. BUG_ON is normally discouraged in the kernel, unless used for > + * debugging, but KMSAN itself is a debugging tool, so it makes little sense to > + * recover if something goes wrong. > + */ > +#define KMSAN_WARN_ON(cond) \ > + ({ \ > + const bool __cond = WARN_ON(cond); \ > + if (unlikely(__cond)) { \ > + WRITE_ONCE(kmsan_enabled, false); \ > + if (panic_on_kmsan) { \ > + /* Can't call panic() here because */ \ > + /* of uaccess checks.*/ \ space after '.' > + BUG(); \ > + } \ > + } \ > + __cond; \ > + }) > + > +/* > + * A pair of metadata pointers to be returned by the instrumentation functions. > + */ > +struct shadow_origin_ptr { > + void *shadow, *origin; > +}; > + > +struct shadow_origin_ptr kmsan_get_shadow_origin_ptr(void *addr, u64 size, > + bool store); > +void *kmsan_get_metadata(void *addr, bool is_origin); > + > +enum kmsan_bug_reason { > + REASON_ANY, > + REASON_COPY_TO_USER, > + REASON_SUBMIT_URB, > +}; > + > +void kmsan_print_origin(depot_stack_handle_t origin); > + > +/** > + * kmsan_report() - Report a use of uninitialized value. > + * @origin: Stack ID of the uninitialized value. > + * @address: Address at which the memory access happens. > + * @size: Memory access size. > + * @off_first: Offset (from @address) of the first byte to be reported. > + * @off_last: Offset (from @address) of the last byte to be reported. > + * @user_addr: When non-NULL, denotes the userspace address to which the kernel > + * is leaking data. > + * @reason: Error type from enum kmsan_bug_reason. > + * > + * kmsan_report() prints an error message for a consequent group of bytes > + * sharing the same origin. If an uninitialized value is used in a comparison, > + * this function is called once without specifying the addresses. When checking > + * a memory range, KMSAN may call kmsan_report() multiple times with the same > + * @address, @size, @user_addr and @reason, but different @off_first and > + * @off_last corresponding to different @origin values. > + */ > +void kmsan_report(depot_stack_handle_t origin, void *address, int size, > + int off_first, int off_last, const void *user_addr, > + enum kmsan_bug_reason reason); > + > +DECLARE_PER_CPU(struct kmsan_ctx, kmsan_percpu_ctx); > + > +static __always_inline struct kmsan_ctx *kmsan_get_context(void) > +{ > + return in_task() ? ¤t->kmsan_ctx : raw_cpu_ptr(&kmsan_percpu_ctx); > +} > + > +/* > + * When a compiler hook is invoked, it may make a call to instrumented code > + * and eventually call itself recursively. To avoid that, we protect the > + * runtime entry points with kmsan_enter_runtime()/kmsan_leave_runtime() and > + * exit the hook if kmsan_in_runtime() is true. > + */ > + > +static __always_inline bool kmsan_in_runtime(void) > +{ > + if ((hardirq_count() >> HARDIRQ_SHIFT) > 1) > + return true; > + return kmsan_get_context()->kmsan_in_runtime; > +} > + > +static __always_inline void kmsan_enter_runtime(void) > +{ > + struct kmsan_ctx *ctx; > + > + ctx = kmsan_get_context(); > + KMSAN_WARN_ON(ctx->kmsan_in_runtime++); > +} > + > +static __always_inline void kmsan_leave_runtime(void) > +{ > + struct kmsan_ctx *ctx = kmsan_get_context(); > + > + KMSAN_WARN_ON(--ctx->kmsan_in_runtime); > +} > + > +depot_stack_handle_t kmsan_save_stack(void); > +depot_stack_handle_t kmsan_save_stack_with_flags(gfp_t flags, > + unsigned int extra_bits); > + > +/* > + * Pack and unpack the origin chain depth and UAF flag to/from the extra bits > + * provided by the stack depot. > + * The UAF flag is stored in the lowest bit, followed by the depth in the upper > + * bits. > + * set_dsh_extra_bits() is responsible for clamping the value. > + */ > +static __always_inline unsigned int kmsan_extra_bits(unsigned int depth, > + bool uaf) > +{ > + return (depth << 1) | uaf; > +} > + > +static __always_inline bool kmsan_uaf_from_eb(unsigned int extra_bits) > +{ > + return extra_bits & 1; > +} > + > +static __always_inline unsigned int kmsan_depth_from_eb(unsigned int extra_bits) > +{ > + return extra_bits >> 1; > +} > + > +/* > + * kmsan_internal_ functions are supposed to be very simple and not require the > + * kmsan_in_runtime() checks. > + */ > +void kmsan_internal_memmove_metadata(void *dst, void *src, size_t n); > +void kmsan_internal_poison_memory(void *address, size_t size, gfp_t flags, > + unsigned int poison_flags); > +void kmsan_internal_unpoison_memory(void *address, size_t size, bool checked); > +void kmsan_internal_set_shadow_origin(void *address, size_t size, int b, > + u32 origin, bool checked); > +depot_stack_handle_t kmsan_internal_chain_origin(depot_stack_handle_t id); > + > +bool kmsan_metadata_is_contiguous(void *addr, size_t size); > +void kmsan_internal_check_memory(void *addr, size_t size, const void *user_addr, > + int reason); > +bool kmsan_internal_is_module_addr(void *vaddr); > +bool kmsan_internal_is_vmalloc_addr(void *addr); > + > +struct page *kmsan_vmalloc_to_page_or_null(void *vaddr); > + > +#endif /* __MM_KMSAN_KMSAN_H */ > diff --git a/mm/kmsan/report.c b/mm/kmsan/report.c > new file mode 100644 > index 0000000000000..f36fca452e313 > --- /dev/null > +++ b/mm/kmsan/report.c > @@ -0,0 +1,211 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * KMSAN error reporting routines. > + * > + * Copyright (C) 2019-2022 Google LLC > + * Author: Alexander Potapenko <glider@xxxxxxxxxx> > + * > + */ > + > +#include <linux/console.h> > +#include <linux/moduleparam.h> > +#include <linux/stackdepot.h> > +#include <linux/stacktrace.h> > +#include <linux/uaccess.h> > + > +#include "kmsan.h" > + > +static DEFINE_SPINLOCK(kmsan_report_lock); > +#define DESCR_SIZE 128 > +/* Protected by kmsan_report_lock */ > +static char report_local_descr[DESCR_SIZE]; > +int panic_on_kmsan __read_mostly; > + > +#ifdef MODULE_PARAM_PREFIX > +#undef MODULE_PARAM_PREFIX > +#endif > +#define MODULE_PARAM_PREFIX "kmsan." > +module_param_named(panic, panic_on_kmsan, int, 0); > + > +/* > + * Skip internal KMSAN frames. > + */ > +static int get_stack_skipnr(const unsigned long stack_entries[], > + int num_entries) > +{ > + int len, skip; > + char buf[64]; > + > + for (skip = 0; skip < num_entries; ++skip) { > + len = scnprintf(buf, sizeof(buf), "%ps", > + (void *)stack_entries[skip]); > + > + /* Never show __msan_* or kmsan_* functions. */ > + if ((strnstr(buf, "__msan_", len) == buf) || > + (strnstr(buf, "kmsan_", len) == buf)) > + continue; > + > + /* > + * No match for runtime functions -- @skip entries to skip to > + * get to first frame of interest. > + */ > + break; > + } > + > + return skip; > +} > + > +/* > + * Currently the descriptions of locals generated by Clang look as follows: > + * ----local_name@function_name > + * We want to print only the name of the local, as other information in that > + * description can be confusing. > + * The meaningful part of the description is copied to a global buffer to avoid > + * allocating memory. > + */ > +static char *pretty_descr(char *descr) > +{ > + int i, pos = 0, len = strlen(descr); > + > + for (i = 0; i < len; i++) { > + if (descr[i] == '@') > + break; > + if (descr[i] == '-') > + continue; > + report_local_descr[pos] = descr[i]; > + if (pos + 1 == DESCR_SIZE) > + break; > + pos++; > + } > + report_local_descr[pos] = 0; > + return report_local_descr; > +} > + > +void kmsan_print_origin(depot_stack_handle_t origin) > +{ > + unsigned long *entries = NULL, *chained_entries = NULL; > + unsigned int nr_entries, chained_nr_entries, skipnr; > + void *pc1 = NULL, *pc2 = NULL; > + depot_stack_handle_t head; > + unsigned long magic; > + char *descr = NULL; > + > + if (!origin) > + return; > + > + while (true) { > + nr_entries = stack_depot_fetch(origin, &entries); > + magic = nr_entries ? entries[0] : 0; > + if ((nr_entries == 4) && (magic == KMSAN_ALLOCA_MAGIC_ORIGIN)) { > + descr = (char *)entries[1]; > + pc1 = (void *)entries[2]; > + pc2 = (void *)entries[3]; > + pr_err("Local variable %s created at:\n", > + pretty_descr(descr)); > + if (pc1) > + pr_err(" %pSb\n", pc1); > + if (pc2) > + pr_err(" %pSb\n", pc2); > + break; > + } > + if ((nr_entries == 3) && (magic == KMSAN_CHAIN_MAGIC_ORIGIN)) { > + head = entries[1]; > + origin = entries[2]; > + pr_err("Uninit was stored to memory at:\n"); > + chained_nr_entries = > + stack_depot_fetch(head, &chained_entries); > + kmsan_internal_unpoison_memory( > + chained_entries, > + chained_nr_entries * sizeof(*chained_entries), > + /*checked*/ false); > + skipnr = get_stack_skipnr(chained_entries, > + chained_nr_entries); > + stack_trace_print(chained_entries + skipnr, > + chained_nr_entries - skipnr, 0); > + pr_err("\n"); > + continue; > + } > + pr_err("Uninit was created at:\n"); > + if (nr_entries) { > + skipnr = get_stack_skipnr(entries, nr_entries); > + stack_trace_print(entries + skipnr, nr_entries - skipnr, > + 0); > + } else { > + pr_err("(stack is not available)\n"); > + } > + break; > + } > +} > + > +void kmsan_report(depot_stack_handle_t origin, void *address, int size, > + int off_first, int off_last, const void *user_addr, > + enum kmsan_bug_reason reason) > +{ > + unsigned long stack_entries[KMSAN_STACK_DEPTH]; > + int num_stack_entries, skipnr; > + char *bug_type = NULL; > + unsigned long flags, ua_flags; > + bool is_uaf; > + > + if (!kmsan_enabled) > + return; > + if (!current->kmsan_ctx.allow_reporting) > + return; > + if (!origin) > + return; > + > + current->kmsan_ctx.allow_reporting = false; > + ua_flags = user_access_save(); > + spin_lock_irqsave(&kmsan_report_lock, flags); I think this might want to be a raw_spin_lock, since the reporting can be called from any context, including from within other raw_spin_lock'd critical sections (practically this will only matter in RT kernels). Also, do you have to do lockdep_off/on() (like kernel/kcsan/report.c does, see comment there)? > + pr_err("=====================================================\n"); > + is_uaf = kmsan_uaf_from_eb(stack_depot_get_extra_bits(origin)); > + switch (reason) { > + case REASON_ANY: > + bug_type = is_uaf ? "use-after-free" : "uninit-value"; > + break; > + case REASON_COPY_TO_USER: > + bug_type = is_uaf ? "kernel-infoleak-after-free" : > + "kernel-infoleak"; > + break; > + case REASON_SUBMIT_URB: > + bug_type = is_uaf ? "kernel-usb-infoleak-after-free" : > + "kernel-usb-infoleak"; > + break; > + } > + > + num_stack_entries = > + stack_trace_save(stack_entries, KMSAN_STACK_DEPTH, 1); > + skipnr = get_stack_skipnr(stack_entries, num_stack_entries); > + > + pr_err("BUG: KMSAN: %s in %pSb\n", > + bug_type, (void *)stack_entries[skipnr]); > + stack_trace_print(stack_entries + skipnr, num_stack_entries - skipnr, > + 0); > + pr_err("\n"); > + > + kmsan_print_origin(origin); > + > + if (size) { > + pr_err("\n"); > + if (off_first == off_last) > + pr_err("Byte %d of %d is uninitialized\n", off_first, > + size); > + else > + pr_err("Bytes %d-%d of %d are uninitialized\n", > + off_first, off_last, size); > + } > + if (address) > + pr_err("Memory access of size %d starts at %px\n", size, > + address); > + if (user_addr && reason == REASON_COPY_TO_USER) > + pr_err("Data copied to user address %px\n", user_addr); > + pr_err("\n"); > + dump_stack_print_info(KERN_ERR); > + pr_err("=====================================================\n"); > + add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); > + spin_unlock_irqrestore(&kmsan_report_lock, flags); > + if (panic_on_kmsan) > + panic("kmsan.panic set ...\n"); > + user_access_restore(ua_flags); > + current->kmsan_ctx.allow_reporting = true; > +} > diff --git a/mm/kmsan/shadow.c b/mm/kmsan/shadow.c > new file mode 100644 > index 0000000000000..de58cfbc55b9d > --- /dev/null > +++ b/mm/kmsan/shadow.c > @@ -0,0 +1,186 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * KMSAN shadow implementation. > + * > + * Copyright (C) 2017-2022 Google LLC > + * Author: Alexander Potapenko <glider@xxxxxxxxxx> > + * > + */ > + > +#include <asm/page.h> > +#include <asm/pgtable_64_types.h> > +#include <asm/tlbflush.h> > +#include <linux/cacheflush.h> > +#include <linux/memblock.h> > +#include <linux/mm_types.h> > +#include <linux/percpu-defs.h> > +#include <linux/slab.h> > +#include <linux/smp.h> > +#include <linux/stddef.h> > + > +#include "../internal.h" > +#include "kmsan.h" > + > +#define shadow_page_for(page) ((page)->kmsan_shadow) > + > +#define origin_page_for(page) ((page)->kmsan_origin) > + > +static void *shadow_ptr_for(struct page *page) > +{ > + return page_address(shadow_page_for(page)); > +} > + > +static void *origin_ptr_for(struct page *page) > +{ > + return page_address(origin_page_for(page)); > +} > + > +static bool page_has_metadata(struct page *page) > +{ > + return shadow_page_for(page) && origin_page_for(page); > +} > + > +static void set_no_shadow_origin_page(struct page *page) > +{ > + shadow_page_for(page) = NULL; > + origin_page_for(page) = NULL; > +} > + > +/* > + * Dummy load and store pages to be used when the real metadata is unavailable. > + * There are separate pages for loads and stores, so that every load returns a > + * zero, and every store doesn't affect other loads. > + */ > +static char dummy_load_page[PAGE_SIZE] __aligned(PAGE_SIZE); > +static char dummy_store_page[PAGE_SIZE] __aligned(PAGE_SIZE); > + > +/* > + * Taken from arch/x86/mm/physaddr.h to avoid using an instrumented version. > + */ > +static int kmsan_phys_addr_valid(unsigned long addr) int -> bool ? (it already deviates from the original by using IS_ENABLED instead of #ifdef) > +{ > + if (IS_ENABLED(CONFIG_PHYS_ADDR_T_64BIT)) > + return !(addr >> boot_cpu_data.x86_phys_bits); > + else > + return 1; > +} > + > +/* > + * Taken from arch/x86/mm/physaddr.c to avoid using an instrumented version. > + */ > +static bool kmsan_virt_addr_valid(void *addr) > +{ > + unsigned long x = (unsigned long)addr; > + unsigned long y = x - __START_KERNEL_map; > + > + /* use the carry flag to determine if x was < __START_KERNEL_map */ > + if (unlikely(x > y)) { > + x = y + phys_base; > + > + if (y >= KERNEL_IMAGE_SIZE) > + return false; > + } else { > + x = y + (__START_KERNEL_map - PAGE_OFFSET); > + > + /* carry flag will be set if starting x was >= PAGE_OFFSET */ > + if ((x > y) || !kmsan_phys_addr_valid(x)) > + return false; > + } > + > + return pfn_valid(x >> PAGE_SHIFT); > +} These seem quite x86-specific - to ease eventual porting to other architectures, it would make sense to introduce <asm/kmsan.h> which will have these 2 functions (and if there's anything else arch-specific like this, moving to <asm/kmsan.h> would help eventual ports). > +static unsigned long vmalloc_meta(void *addr, bool is_origin) > +{ > + unsigned long addr64 = (unsigned long)addr, off; > + > + KMSAN_WARN_ON(is_origin && !IS_ALIGNED(addr64, KMSAN_ORIGIN_SIZE)); > + if (kmsan_internal_is_vmalloc_addr(addr)) { > + off = addr64 - VMALLOC_START; > + return off + (is_origin ? KMSAN_VMALLOC_ORIGIN_START : > + KMSAN_VMALLOC_SHADOW_START); > + } > + if (kmsan_internal_is_module_addr(addr)) { > + off = addr64 - MODULES_VADDR; > + return off + (is_origin ? KMSAN_MODULES_ORIGIN_START : > + KMSAN_MODULES_SHADOW_START); > + } > + return 0; > +} > + > +static struct page *virt_to_page_or_null(void *vaddr) > +{ > + if (kmsan_virt_addr_valid(vaddr)) > + return virt_to_page(vaddr); > + else > + return NULL; > +} > + > +struct shadow_origin_ptr kmsan_get_shadow_origin_ptr(void *address, u64 size, > + bool store) > +{ > + struct shadow_origin_ptr ret; > + void *shadow; > + > + /* > + * Even if we redirect this memory access to the dummy page, it will > + * go out of bounds. > + */ > + KMSAN_WARN_ON(size > PAGE_SIZE); > + > + if (!kmsan_enabled || kmsan_in_runtime()) > + goto return_dummy; > + > + KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(address, size)); > + shadow = kmsan_get_metadata(address, KMSAN_META_SHADOW); > + if (!shadow) > + goto return_dummy; > + > + ret.shadow = shadow; > + ret.origin = kmsan_get_metadata(address, KMSAN_META_ORIGIN); > + return ret; > + > +return_dummy: > + if (store) { > + /* Ignore this store. */ > + ret.shadow = dummy_store_page; > + ret.origin = dummy_store_page; > + } else { > + /* This load will return zero. */ > + ret.shadow = dummy_load_page; > + ret.origin = dummy_load_page; > + } > + return ret; > +} > + > +/* > + * Obtain the shadow or origin pointer for the given address, or NULL if there's > + * none. The caller must check the return value for being non-NULL if needed. > + * The return value of this function should not depend on whether we're in the > + * runtime or not. > + */ > +void *kmsan_get_metadata(void *address, bool is_origin) > +{ > + u64 addr = (u64)address, pad, off; > + struct page *page; > + void *ret; > + > + if (is_origin && !IS_ALIGNED(addr, KMSAN_ORIGIN_SIZE)) { > + pad = addr % KMSAN_ORIGIN_SIZE; > + addr -= pad; > + } > + address = (void *)addr; > + if (kmsan_internal_is_vmalloc_addr(address) || > + kmsan_internal_is_module_addr(address)) > + return (void *)vmalloc_meta(address, is_origin); > + > + page = virt_to_page_or_null(address); > + if (!page) > + return NULL; > + if (!page_has_metadata(page)) > + return NULL; > + off = addr % PAGE_SIZE; > + > + ret = (is_origin ? origin_ptr_for(page) : shadow_ptr_for(page)) + off; Just return this and avoid 'ret'? > + return ret; > +} > diff --git a/scripts/Makefile.kmsan b/scripts/Makefile.kmsan > new file mode 100644 > index 0000000000000..9793591f9855c > --- /dev/null > +++ b/scripts/Makefile.kmsan > @@ -0,0 +1 @@ Makefile.kmsan needs SPDX-License-Identifier. > +export CFLAGS_KMSAN := -fsanitize=kernel-memory > diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib > index 9f69ecdd7977a..49e6e57fdf4c8 100644 > --- a/scripts/Makefile.lib > +++ b/scripts/Makefile.lib > @@ -157,6 +157,15 @@ _c_flags += $(if $(patsubst n%,, \ > endif > endif > > +ifeq ($(CONFIG_KMSAN),y) > +_c_flags += $(if $(patsubst n%,, \ > + $(KMSAN_SANITIZE_$(basetarget).o)$(KMSAN_SANITIZE)y), \ > + $(CFLAGS_KMSAN)) > +_c_flags += $(if $(patsubst n%,, \ > + $(KMSAN_ENABLE_CHECKS_$(basetarget).o)$(KMSAN_ENABLE_CHECKS)y), \ > + , -mllvm -msan-disable-checks=1) > +endif > + > ifeq ($(CONFIG_UBSAN),y) > _c_flags += $(if $(patsubst n%,, \ > $(UBSAN_SANITIZE_$(basetarget).o)$(UBSAN_SANITIZE)$(CONFIG_UBSAN_SANITIZE_ALL)), \ > -- > 2.36.0.rc2.479.g8af0fa9b8e-goog >