From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6BA29C10F25 for ; Mon, 9 Mar 2020 19:05:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 3D34220873 for ; Mon, 9 Mar 2020 19:05:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1583780738; bh=heicvJqO/GtMXfDPR7KvF5QrLChk/HgFXlTA7BeTKGM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=hXwtzNRHD5iW5XwMm0/iCM5nnHAQbn/mu5A3vlK6PY144lUtj2fvngde/fmvub0E5 htD62wr07ReXP7/wIcKWlr9tdCSaOwW6xCLtcXcIJvt61qs11esPIKY9uZ9rubB1HF 5898t0dJHEvMyGDvNJJmVdfRGPZBjPQBH16uy/3U= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727890AbgCITFh (ORCPT ); Mon, 9 Mar 2020 15:05:37 -0400 Received: from mail.kernel.org ([198.145.29.99]:47662 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727594AbgCITE0 (ORCPT ); Mon, 9 Mar 2020 15:04:26 -0400 Received: from paulmck-ThinkPad-P72.home (50-39-105-78.bvtn.or.frontiernet.net [50.39.105.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CDDCA2253D; Mon, 9 Mar 2020 19:04:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1583780666; bh=heicvJqO/GtMXfDPR7KvF5QrLChk/HgFXlTA7BeTKGM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ou5GJgW0GlYbv+6WTSYcS/resHBac/SWpXBuHWhW1DZmxhCsLo4x1vNl/+V/zEXEO URPH3tQ9xhwCbGTT+i0kz3vTO4qpIDxJx9hGGacw8b1eTMMWP4Ns99GOgNpgO82A8A xe4lHWnG2HfDfgcieEAIDYof1H+DK5euQE6C443k= From: paulmck@kernel.org To: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, kernel-team@fb.com, mingo@kernel.org Cc: elver@google.com, andreyknvl@google.com, glider@google.com, dvyukov@google.com, cai@lca.pw, boqun.feng@gmail.com, "Paul E . McKenney" Subject: [PATCH kcsan 15/32] kcsan: Fix 0-sized checks Date: Mon, 9 Mar 2020 12:04:03 -0700 Message-Id: <20200309190420.6100-15-paulmck@kernel.org> X-Mailer: git-send-email 2.9.5 In-Reply-To: <20200309190359.GA5822@paulmck-ThinkPad-P72> References: <20200309190359.GA5822@paulmck-ThinkPad-P72> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Marco Elver Instrumentation of arbitrary memory-copy functions, such as user-copies, may be called with size of 0, which could lead to false positives. To avoid this, add a comparison in check_access() for size==0, which will be optimized out for constant sized instrumentation (__tsan_{read,write}N), and therefore not affect the common-case fast-path. Signed-off-by: Marco Elver Signed-off-by: Paul E. McKenney --- kernel/kcsan/core.c | 7 +++++++ kernel/kcsan/test.c | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/kernel/kcsan/core.c b/kernel/kcsan/core.c index e3c7d8f..82c2bef 100644 --- a/kernel/kcsan/core.c +++ b/kernel/kcsan/core.c @@ -456,6 +456,13 @@ static __always_inline void check_access(const volatile void *ptr, size_t size, long encoded_watchpoint; /* + * Do nothing for 0 sized check; this comparison will be optimized out + * for constant sized instrumentation (__tsan_{read,write}N). + */ + if (unlikely(size == 0)) + return; + + /* * Avoid user_access_save in fast-path: find_watchpoint is safe without * user_access_save, as the address that ptr points to is only used to * check if a watchpoint exists; ptr is never dereferenced. diff --git a/kernel/kcsan/test.c b/kernel/kcsan/test.c index cc60002..d26a052 100644 --- a/kernel/kcsan/test.c +++ b/kernel/kcsan/test.c @@ -92,6 +92,16 @@ static bool test_matching_access(void) return false; if (WARN_ON(matching_access(9, 1, 10, 1))) return false; + + /* + * An access of size 0 could match another access, as demonstrated here. + * Rather than add more comparisons to 'matching_access()', which would + * end up in the fast-path for *all* checks, check_access() simply + * returns for all accesses of size 0. + */ + if (WARN_ON(!matching_access(8, 8, 12, 0))) + return false; + return true; } -- 2.9.5