From: Ilya Leoshkevich <iii@linux.ibm.com>
To: Alexander Gordeev <agordeev@linux.ibm.com>,
Alexander Potapenko <glider@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Christoph Lameter <cl@linux.com>,
David Rientjes <rientjes@google.com>,
Heiko Carstens <hca@linux.ibm.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Marco Elver <elver@google.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Pekka Enberg <penberg@kernel.org>,
Steven Rostedt <rostedt@goodmis.org>,
Vasily Gorbik <gor@linux.ibm.com>,
Vlastimil Babka <vbabka@suse.cz>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>,
Dmitry Vyukov <dvyukov@google.com>,
Hyeonggon Yoo <42.hyeyoo@gmail.com>,
kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, linux-s390@vger.kernel.org,
linux-trace-kernel@vger.kernel.org,
Mark Rutland <mark.rutland@arm.com>,
Roman Gushchin <roman.gushchin@linux.dev>,
Sven Schnelle <svens@linux.ibm.com>,
Ilya Leoshkevich <iii@linux.ibm.com>
Subject: [PATCH v2 30/33] s390/uaccess: Add KMSAN support to put_user() and get_user()
Date: Tue, 21 Nov 2023 23:01:24 +0100 [thread overview]
Message-ID: <20231121220155.1217090-31-iii@linux.ibm.com> (raw)
In-Reply-To: <20231121220155.1217090-1-iii@linux.ibm.com>
put_user() uses inline assembly with precise constraints, so Clang is
in principle capable of instrumenting it automatically. Unfortunately,
one of the constraints contains a dereferenced user pointer, and Clang
does not currently distinguish user and kernel pointers. Therefore
KMSAN attempts to access shadow for user pointers, which is not a right
thing to do.
An obvious fix to add __no_sanitize_memory to __put_user_fn() does not
work, since it's __always_inline. And __always_inline cannot be removed
due to the __put_user_bad() trick.
A different obvious fix of using the "a" instead of the "+Q" constraint
degrades the code quality, which is very important here, since it's a
hot path.
Instead, repurpose the __put_user_asm() macro to define
__put_user_{char,short,int,long}_noinstr() functions and mark them with
__no_sanitize_memory. For the non-KMSAN builds make them
__always_inline in order to keep the generated code quality. Also
define __put_user_{char,short,int,long}() functions, which call the
aforementioned ones and which *are* instrumented, because they call
KMSAN hooks, which may be implemented as macros.
The same applies to get_user() as well.
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
---
arch/s390/include/asm/uaccess.h | 110 ++++++++++++++++++++++----------
1 file changed, 78 insertions(+), 32 deletions(-)
diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
index 81ae8a98e7ec..b0715b88b55a 100644
--- a/arch/s390/include/asm/uaccess.h
+++ b/arch/s390/include/asm/uaccess.h
@@ -78,13 +78,23 @@ union oac {
int __noreturn __put_user_bad(void);
-#define __put_user_asm(to, from, size) \
-({ \
+#ifdef CONFIG_KMSAN
+#define GET_PUT_USER_NOINSTR_ATTRIBUTES inline __no_sanitize_memory
+#else
+#define GET_PUT_USER_NOINSTR_ATTRIBUTES __always_inline
+#endif
+
+#define DEFINE_PUT_USER(type) \
+static GET_PUT_USER_NOINSTR_ATTRIBUTES int \
+__put_user_##type##_noinstr(unsigned type __user *to, \
+ unsigned type *from, \
+ unsigned long size) \
+{ \
union oac __oac_spec = { \
.oac1.as = PSW_BITS_AS_SECONDARY, \
.oac1.a = 1, \
}; \
- int __rc; \
+ int rc; \
\
asm volatile( \
" lr 0,%[spec]\n" \
@@ -93,12 +103,28 @@ int __noreturn __put_user_bad(void);
"2:\n" \
EX_TABLE_UA_STORE(0b, 2b, %[rc]) \
EX_TABLE_UA_STORE(1b, 2b, %[rc]) \
- : [rc] "=&d" (__rc), [_to] "+Q" (*(to)) \
+ : [rc] "=&d" (rc), [_to] "+Q" (*(to)) \
: [_size] "d" (size), [_from] "Q" (*(from)), \
[spec] "d" (__oac_spec.val) \
: "cc", "0"); \
- __rc; \
-})
+ return rc; \
+} \
+ \
+static __always_inline int \
+__put_user_##type(unsigned type __user *to, unsigned type *from, \
+ unsigned long size) \
+{ \
+ int rc; \
+ \
+ rc = __put_user_##type##_noinstr(to, from, size); \
+ instrument_put_user(*from, to, size); \
+ return rc; \
+}
+
+DEFINE_PUT_USER(char);
+DEFINE_PUT_USER(short);
+DEFINE_PUT_USER(int);
+DEFINE_PUT_USER(long);
static __always_inline int __put_user_fn(void *x, void __user *ptr, unsigned long size)
{
@@ -106,24 +132,24 @@ static __always_inline int __put_user_fn(void *x, void __user *ptr, unsigned lon
switch (size) {
case 1:
- rc = __put_user_asm((unsigned char __user *)ptr,
- (unsigned char *)x,
- size);
+ rc = __put_user_char((unsigned char __user *)ptr,
+ (unsigned char *)x,
+ size);
break;
case 2:
- rc = __put_user_asm((unsigned short __user *)ptr,
- (unsigned short *)x,
- size);
+ rc = __put_user_short((unsigned short __user *)ptr,
+ (unsigned short *)x,
+ size);
break;
case 4:
- rc = __put_user_asm((unsigned int __user *)ptr,
+ rc = __put_user_int((unsigned int __user *)ptr,
(unsigned int *)x,
size);
break;
case 8:
- rc = __put_user_asm((unsigned long __user *)ptr,
- (unsigned long *)x,
- size);
+ rc = __put_user_long((unsigned long __user *)ptr,
+ (unsigned long *)x,
+ size);
break;
default:
__put_user_bad();
@@ -134,13 +160,17 @@ static __always_inline int __put_user_fn(void *x, void __user *ptr, unsigned lon
int __noreturn __get_user_bad(void);
-#define __get_user_asm(to, from, size) \
-({ \
+#define DEFINE_GET_USER(type) \
+static GET_PUT_USER_NOINSTR_ATTRIBUTES int \
+__get_user_##type##_noinstr(unsigned type *to, \
+ unsigned type __user *from, \
+ unsigned long size) \
+{ \
union oac __oac_spec = { \
.oac2.as = PSW_BITS_AS_SECONDARY, \
.oac2.a = 1, \
}; \
- int __rc; \
+ int rc; \
\
asm volatile( \
" lr 0,%[spec]\n" \
@@ -149,13 +179,29 @@ int __noreturn __get_user_bad(void);
"2:\n" \
EX_TABLE_UA_LOAD_MEM(0b, 2b, %[rc], %[_to], %[_ksize]) \
EX_TABLE_UA_LOAD_MEM(1b, 2b, %[rc], %[_to], %[_ksize]) \
- : [rc] "=&d" (__rc), "=Q" (*(to)) \
+ : [rc] "=&d" (rc), "=Q" (*(to)) \
: [_size] "d" (size), [_from] "Q" (*(from)), \
[spec] "d" (__oac_spec.val), [_to] "a" (to), \
[_ksize] "K" (size) \
: "cc", "0"); \
- __rc; \
-})
+ return rc; \
+} \
+ \
+static __always_inline int \
+__get_user_##type(unsigned type *to, unsigned type __user *from, \
+ unsigned long size) \
+{ \
+ int rc; \
+ \
+ rc = __get_user_##type##_noinstr(to, from, size); \
+ instrument_get_user(*to); \
+ return rc; \
+}
+
+DEFINE_GET_USER(char);
+DEFINE_GET_USER(short);
+DEFINE_GET_USER(int);
+DEFINE_GET_USER(long);
static __always_inline int __get_user_fn(void *x, const void __user *ptr, unsigned long size)
{
@@ -163,24 +209,24 @@ static __always_inline int __get_user_fn(void *x, const void __user *ptr, unsign
switch (size) {
case 1:
- rc = __get_user_asm((unsigned char *)x,
- (unsigned char __user *)ptr,
- size);
+ rc = __get_user_char((unsigned char *)x,
+ (unsigned char __user *)ptr,
+ size);
break;
case 2:
- rc = __get_user_asm((unsigned short *)x,
- (unsigned short __user *)ptr,
- size);
+ rc = __get_user_short((unsigned short *)x,
+ (unsigned short __user *)ptr,
+ size);
break;
case 4:
- rc = __get_user_asm((unsigned int *)x,
+ rc = __get_user_int((unsigned int *)x,
(unsigned int __user *)ptr,
size);
break;
case 8:
- rc = __get_user_asm((unsigned long *)x,
- (unsigned long __user *)ptr,
- size);
+ rc = __get_user_long((unsigned long *)x,
+ (unsigned long __user *)ptr,
+ size);
break;
default:
__get_user_bad();
--
2.41.0
next prev parent reply other threads:[~2023-11-21 22:03 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-21 22:00 [PATCH v2 00/33] kmsan: Enable on s390 Ilya Leoshkevich
2023-11-21 22:00 ` [PATCH v2 01/33] ftrace: Unpoison ftrace_regs in ftrace_ops_list_func() Ilya Leoshkevich
2023-11-22 23:32 ` Steven Rostedt
2023-12-08 14:16 ` Alexander Potapenko
2023-12-08 14:31 ` Steven Rostedt
2023-12-12 2:05 ` Ilya Leoshkevich
2023-11-21 22:00 ` [PATCH v2 02/33] kmsan: Make the tests compatible with kmsan.panic=1 Ilya Leoshkevich
2023-11-21 22:00 ` [PATCH v2 03/33] kmsan: Disable KMSAN when DEFERRED_STRUCT_PAGE_INIT is enabled Ilya Leoshkevich
2023-11-21 22:00 ` [PATCH v2 04/33] kmsan: Increase the maximum store size to 4096 Ilya Leoshkevich
2023-12-08 16:31 ` Alexander Potapenko
2023-11-21 22:00 ` [PATCH v2 05/33] kmsan: Fix is_bad_asm_addr() on arches with overlapping address spaces Ilya Leoshkevich
2023-12-11 9:52 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 06/33] kmsan: Fix kmsan_copy_to_user() " Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 07/33] kmsan: Remove a useless assignment from kmsan_vmap_pages_range_noflush() Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 08/33] kmsan: Remove an x86-specific #include from kmsan.h Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 09/33] kmsan: Introduce kmsan_memmove_metadata() Ilya Leoshkevich
2023-12-08 16:51 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 10/33] kmsan: Expose kmsan_get_metadata() Ilya Leoshkevich
2023-12-11 10:07 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 11/33] kmsan: Export panic_on_kmsan Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 12/33] kmsan: Allow disabling KMSAN checks for the current task Ilya Leoshkevich
2023-12-11 11:50 ` Alexander Potapenko
2023-12-13 15:01 ` Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 13/33] kmsan: Introduce memset_no_sanitize_memory() Ilya Leoshkevich
2023-12-08 13:48 ` Alexander Potapenko
2023-12-08 14:07 ` Ilya Leoshkevich
2023-12-08 15:25 ` Alexander Potapenko
2023-12-13 1:31 ` Ilya Leoshkevich
2023-12-13 11:32 ` Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 14/33] kmsan: Support SLAB_POISON Ilya Leoshkevich
2023-12-08 13:51 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 15/33] kmsan: Use ALIGN_DOWN() in kmsan_get_metadata() Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 16/33] mm: slub: Let KMSAN access metadata Ilya Leoshkevich
2023-11-30 15:26 ` Vlastimil Babka
2023-11-21 22:01 ` [PATCH v2 17/33] mm: kfence: Disable KMSAN when checking the canary Ilya Leoshkevich
2023-12-08 12:53 ` Alexander Potapenko
2023-12-08 13:55 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 18/33] lib/string: Add KMSAN support to strlcpy() and strlcat() Ilya Leoshkevich
2023-12-08 16:50 ` Alexander Potapenko
2023-12-13 0:53 ` Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 19/33] lib/zlib: Unpoison DFLTCC output buffers Ilya Leoshkevich
2023-12-08 13:32 ` Alexander Potapenko
2023-12-08 14:14 ` Ilya Leoshkevich
2023-12-08 14:25 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 20/33] kmsan: Accept ranges starting with 0 on s390 Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 21/33] s390: Turn off KMSAN for boot, vdso and purgatory Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 22/33] s390: Use a larger stack for KMSAN Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 23/33] s390/boot: Add the KMSAN runtime stub Ilya Leoshkevich
2023-12-08 16:56 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 24/33] s390/checksum: Add a KMSAN check Ilya Leoshkevich
2023-12-08 13:38 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 25/33] s390/cpacf: Unpoison the results of cpacf_trng() Ilya Leoshkevich
2023-12-11 10:36 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 26/33] s390/ftrace: Unpoison ftrace_regs in kprobe_ftrace_handler() Ilya Leoshkevich
2023-12-08 14:18 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 27/33] s390/mm: Define KMSAN metadata for vmalloc and modules Ilya Leoshkevich
2023-12-11 10:13 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 28/33] s390/string: Add KMSAN support Ilya Leoshkevich
2023-12-11 10:49 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 29/33] s390/traps: Unpoison the kernel_stack_overflow()'s pt_regs Ilya Leoshkevich
2023-11-21 22:01 ` Ilya Leoshkevich [this message]
2023-12-11 10:46 ` [PATCH v2 30/33] s390/uaccess: Add KMSAN support to put_user() and get_user() Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 31/33] s390/unwind: Disable KMSAN checks Ilya Leoshkevich
2023-11-21 22:01 ` [PATCH v2 32/33] s390: Implement the architecture-specific kmsan functions Ilya Leoshkevich
2023-12-11 10:26 ` Alexander Potapenko
2023-12-11 10:39 ` Ilya Leoshkevich
2023-12-11 10:45 ` Alexander Potapenko
2023-11-21 22:01 ` [PATCH v2 33/33] kmsan: Enable on s390 Ilya Leoshkevich
2023-11-29 9:19 ` Alexander Potapenko
2023-11-29 9:58 ` Ilya Leoshkevich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231121220155.1217090-31-iii@linux.ibm.com \
--to=iii@linux.ibm.com \
--cc=42.hyeyoo@gmail.com \
--cc=agordeev@linux.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=borntraeger@linux.ibm.com \
--cc=cl@linux.com \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mhiramat@kernel.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=roman.gushchin@linux.dev \
--cc=rostedt@goodmis.org \
--cc=svens@linux.ibm.com \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).