From: Peter Zijlstra <peterz@infradead.org>
To: Jann Horn <jannh@google.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>,
linux-kernel@vger.kernel.org, x86@kernel.org,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
kasan-dev@googlegroups.com,
Dan Williams <dan.j.williams@intel.com>,
Tony Luck <tony.luck@intel.com>,
Vishal Verma <vishal.l.verma@intel.com>
Subject: Re: [PATCH] objtool: Permit __kasan_check_{read,write} under UACCESS
Date: Tue, 29 Sep 2020 09:05:44 +0200 [thread overview]
Message-ID: <20200929070544.GI2628@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <20200928224916.2101563-1-jannh@google.com>
On Tue, Sep 29, 2020 at 12:49:16AM +0200, Jann Horn wrote:
> Building linux-next with JUMP_LABEL=n and KASAN=y, I got this objtool
> warning:
>
> arch/x86/lib/copy_mc.o: warning: objtool: copy_mc_to_user()+0x22: call to
> __kasan_check_read() with UACCESS enabled
>
> What happens here is that copy_mc_to_user() branches on a static key in a
> UACCESS region:
>
> __uaccess_begin();
> if (static_branch_unlikely(©_mc_fragile_key))
> ret = copy_mc_fragile(to, from, len);
> ret = copy_mc_generic(to, from, len);
> __uaccess_end();
>
> and the !CONFIG_JUMP_LABEL version of static_branch_unlikely() uses
> static_key_enabled(), which uses static_key_count(), which uses
> atomic_read(), which calls instrument_atomic_read(), which uses
> kasan_check_read(), which is __kasan_check_read().
>
> Let's permit these KASAN helpers in UACCESS regions - static keys should
> probably work under UACCESS, I think.
It's not a matter of permitting, it's a matter of being safe and
correct. In this case it is, because it's a thin wrapper around
check_memory_region() which was already marked safe.
check_memory_region() is correct because the only thing it ends up
calling is kasa_report() and that is also marked safe because that is
annotated with user_access_save/restore() before it does anything else.
On top of that, all of KASAN is noinstr, so nothing in here will end up
in tracing and/or call schedule() before the user_access_save().
> Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
> ---
> Calling atomic_read() on a global under UACCESS should probably be fine,
> right?
Yes, per the above.
> tools/objtool/check.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/tools/objtool/check.c b/tools/objtool/check.c
> index a88fb05242d5..1141a8e26c1e 100644
> --- a/tools/objtool/check.c
> +++ b/tools/objtool/check.c
> @@ -583,6 +583,8 @@ static const char *uaccess_safe_builtin[] = {
> "__asan_store4_noabort",
> "__asan_store8_noabort",
> "__asan_store16_noabort",
> + "__kasan_check_read",
> + "__kasan_check_write",
> /* KASAN in-line */
> "__asan_report_load_n_noabort",
> "__asan_report_load1_noabort",
>
> base-commit: 0248dedd12d43035bf53c326633f0610a49d7134
> --
> 2.28.0.709.gb0816b6eb0-goog
>
prev parent reply other threads:[~2020-09-29 7:05 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-28 22:49 [PATCH] objtool: Permit __kasan_check_{read,write} under UACCESS Jann Horn
2020-09-29 7:05 ` Peter Zijlstra [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200929070544.GI2628@hirez.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=aryabinin@virtuozzo.com \
--cc=dan.j.williams@intel.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=jannh@google.com \
--cc=jpoimboe@redhat.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=tony.luck@intel.com \
--cc=vishal.l.verma@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox