Date: Mon, 11 May 2026 09:21:11 +0100
From: Mark Rutland
To: Alexander Potapenko
Cc: akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, elver@google.com, Dmitry Vyukov, Jinjie Ruan, Kuniyuki Iwashima, "Matthieu Baerts (NGI0)", Paolo Abeni, syzbot+cdcfd55737fe43eeb3a3@syzkaller.appspotmail.com, Thomas Gleixner, Peter Zijlstra, Andy Lutomirski
Subject: Re: [PATCH v1] entry: Fix KMSAN false positives in IRQ and NMI exit code
References: <20260508124315.2526312-1-glider@google.com>
In-Reply-To: <20260508124315.2526312-1-glider@google.com>

For some reason, the entry maintainers (Thomas, Peter, Andy) weren't on
Cc. I've added them now, but given the various subtle concerns in this
code, please make sure that they are Cc'd in future.

There are some entry fixes scheduled to go through the tip tree in the
near future, so this should probably be picked up with those and go via
the tip tree.

Minor comments below.

On Fri, May 08, 2026 at 02:43:15PM +0200, Alexander Potapenko wrote:
> syzbot reported a KMSAN uninit-value warning in
> irqentry_exit_to_kernel_mode_preempt(). This is a false positive caused
> by the initialization of `ret` in irqentry_enter_from_kernel_mode()
> occurring in uninstrumented (noinstr) code. Because the initialization
> is untracked, KMSAN considers the state variable uninitialized when it
> is later passed into the instrumented code of
> irqentry_exit_to_kernel_mode_preempt().
>
> The same issue exists in irqentry_nmi_enter(), where `irq_state` is
> initialized in noinstr code and later passed to the instrumented
> irqentry_nmi_exit().
> > Fix this by explicitly calling kmsan_unpoison_memory() on the `ret` > and `irq_state` objects inside the instrumentation_begin() blocks of > irqentry_enter_from_kernel_mode() and irqentry_nmi_enter(), respectively, > immediately alongside the kmsan_unpoison_entry_regs() calls. > > Fixes: c5538d0141b3 ("entry: Split kernel mode logic from irqentry_{enter,exit}()") Surely that should be: 041aa7a85390 ("entry: Split preemption from irqentry_exit_to_kernel_mode()") ... ? That's the commit which adds irqentry_exit_to_kernel_mode_preempt(). The commit which split the logic kept everything as noinstr (or __always_inline only called from noinstr), so I don't think that commit alone introduced any breakage, but maybe I'm missing something? Did a bisect finger that? Other than the above, the patch below looks right to me. Mark. > Fixes: 6cae637fa26d ("entry: kmsan: introduce kmsan_unpoison_entry_regs()") > Cc: Dmitry Vyukov > Cc: Jinjie Ruan > Cc: Kuniyuki Iwashima > Cc: Matthieu Baerts (NGI0) > Cc: Mark Rutland > Cc: Paolo Abeni > Reported-by: syzbot+cdcfd55737fe43eeb3a3@syzkaller.appspotmail.com > Closes: https://lore.kernel.org/all/69e7ee1f.a00a0220.17a17.001d.GAE@google.com/T/ > Signed-off-by: Alexander Potapenko > --- > include/linux/irq-entry-common.h | 2 ++ > kernel/entry/common.c | 1 + > 2 files changed, 3 insertions(+) > > diff --git a/include/linux/irq-entry-common.h b/include/linux/irq-entry-common.h > index 167fba7dbf04..be47d430d521 100644 > --- a/include/linux/irq-entry-common.h > +++ b/include/linux/irq-entry-common.h > @@ -427,6 +427,7 @@ static __always_inline irqentry_state_t irqentry_enter_from_kernel_mode(struct p > ct_irq_enter(); > instrumentation_begin(); > kmsan_unpoison_entry_regs(regs); > + kmsan_unpoison_memory(&ret, sizeof(ret)); > trace_hardirqs_off_finish(); > instrumentation_end(); 
> > @@ -443,6 +444,7 @@ static __always_inline irqentry_state_t irqentry_enter_from_kernel_mode(struct p > lockdep_hardirqs_off(CALLER_ADDR0); > instrumentation_begin(); > kmsan_unpoison_entry_regs(regs); > + kmsan_unpoison_memory(&ret, sizeof(ret)); > rcu_irq_enter_check_tick(); > trace_hardirqs_off_finish(); > instrumentation_end(); > diff --git a/kernel/entry/common.c b/kernel/entry/common.c > index 19d2244a9fef..390364943f92 100644 > --- a/kernel/entry/common.c > +++ b/kernel/entry/common.c > @@ -177,6 +177,7 @@ irqentry_state_t noinstr irqentry_nmi_enter(struct pt_regs *regs) > > instrumentation_begin(); > kmsan_unpoison_entry_regs(regs); > + kmsan_unpoison_memory(&irq_state, sizeof(irq_state)); > trace_hardirqs_off_finish(); > ftrace_nmi_enter(); > instrumentation_end(); > -- > 2.54.0.563.g4f69b47b94-goog >
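Review bot: in the first irq-entry-common.h hunk (@@ -427, the ct_irq_enter() path) the added `kmsan_unpoison_memory(&ret, sizeof(ret));` is correctly placed inside the instrumentation_begin()/instrumentation_end() window, right after kmsan_unpoison_entry_regs(regs), which is required because kmsan_unpoison_memory() is itself instrumented code. The thing to confirm is that every return path of irqentry_enter_from_kernel_mode() passes through one of the two patched windows; a path that returns `ret` without entering either window would still hand poisoned shadow to irqentry_exit_to_kernel_mode_preempt(). Since `ret` looks fully initialized to a reader of the C source, a one-line comment above the call ("ret was written in noinstr code; KMSAN has no shadow for it") would stop the line being removed later as redundant.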
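Review bot: the second irq-entry-common.h hunk (@@ -443, the lockdep_hardirqs_off() path) repeats the same two-line idiom, `kmsan_unpoison_entry_regs(regs);` followed by `kmsan_unpoison_memory(&ret, sizeof(ret));`, so the function now carries two copies that must stay in sync when irqentry_state_t grows a field or when a third entry path is added. Either a small __always_inline helper (say, a hypothetical kmsan_unpoison_irqentry_state(regs, &ret)) or a comment at the first copy pointing at the second would keep the two sites from drifting apart.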
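Review bot: the kernel/entry/common.c hunk in irqentry_nmi_enter() is the only copy needed for NMIs, since that function is noinstr rather than __always_inline, and the placement before trace_hardirqs_off_finish() and ftrace_nmi_enter() matches the two header hunks. The commit message should, however, explain which change made the consumer irqentry_nmi_exit() instrumented (or first exposed this path), because the visible Fixes tags name only 6cae637fa26d (the commit introducing kmsan_unpoison_entry_regs()) and c5538d0141b3, the latter of which the reply above already disputes; a reader of this hunk cannot tell from the tags why the NMI side needs the same treatment.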
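To make the mechanism the commit message describes concrete, the following is a small userspace C model of KMSAN's shadow tracking. It is an added example, not kernel code and not part of the patch: the `model_*` functions, the byte-array "stack" and `struct model_state` (which only loosely mirrors irqentry_state_t) are constructed for the illustration. It models the general rule rather than just this bug: a store from instrumented code clears shadow, a store from noinstr code leaves shadow untouched, an instrumented read reports if any shadow byte is still set, and `kmsan_unpoison_memory()` clears shadow for a range. The instrumented-assignment case is included for contrast.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of KMSAN shadow memory (example code, not the
 * kernel's). One shadow byte per data byte; 1 means "never written by
 * instrumented code", which KMSAN treats as uninitialized.
 */
#define STACK_BYTES 64
static uint8_t model_stack[STACK_BYTES];   /* the data */
static uint8_t model_shadow[STACK_BYTES];  /* 1 = poisoned, 0 = initialized */

/* Constructed stand-in for irqentry_state_t (the real one is a union). */
struct model_state {
    bool exit_rcu;
    bool lockdep;
};

/* A fresh stack local starts fully poisoned, as it does under KMSAN. */
static size_t model_alloc_local(size_t size)
{
    memset(model_shadow, 1, size);
    memset(model_stack, 0xAA, size);   /* garbage, like a real stack slot */
    return 0;                          /* offset of the slot */
}

/* Store emitted by instrumented code: the compiler also updates shadow. */
static void model_instr_store(size_t off, const void *src, size_t n)
{
    memcpy(model_stack + off, src, n);
    memset(model_shadow + off, 0, n);
}

/* Store in noinstr code: data is written, shadow is NOT touched. */
static void model_noinstr_store(size_t off, const void *src, size_t n)
{
    memcpy(model_stack + off, src, n);
}

/* kmsan_unpoison_memory(): clear shadow for a range, whatever wrote it. */
static void model_unpoison(size_t off, size_t n)
{
    memset(model_shadow + off, 0, n);
}

/* Instrumented use: KMSAN reports if any shadow byte in the range is set. */
static bool model_instr_use_reports(size_t off, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (model_shadow[off + i])
            return true;
    return false;
}

/*
 * One IRQ entry/exit round trip as the commit message describes it.
 * Returns true if the instrumented exit code would raise a KMSAN report.
 */
static bool model_irqentry_roundtrip(bool assign_in_noinstr, bool apply_fix)
{
    size_t off = model_alloc_local(sizeof(struct model_state));
    struct model_state ret = { .exit_rcu = true, .lockdep = false };

    /* irqentry_enter_from_kernel_mode() assigns ret; noinstr or not. */
    if (assign_in_noinstr)
        model_noinstr_store(off, &ret, sizeof(ret));
    else
        model_instr_store(off, &ret, sizeof(ret));

    /* Inside the instrumentation_begin()/end() window: the patch's call. */
    if (apply_fix)
        model_unpoison(off, sizeof(ret));

    /* irqentry_exit_to_kernel_mode_preempt() is instrumented and reads it. */
    return model_instr_use_reports(off, sizeof(ret));
}

/* The data is correct regardless of shadow: that is why it is a false positive. */
static bool model_state_value_is_correct(void)
{
    size_t off = model_alloc_local(sizeof(struct model_state));
    struct model_state ret = { .exit_rcu = true, .lockdep = false };
    struct model_state seen;

    model_noinstr_store(off, &ret, sizeof(ret));
    memcpy(&seen, model_stack + off, sizeof(seen));
    return seen.exit_rcu && !seen.lockdep;
}

int main(void)
{
    printf("noinstr assign, no fix:   report=%d\n", model_irqentry_roundtrip(true, false));
    printf("noinstr assign, with fix: report=%d\n", model_irqentry_roundtrip(true, true));
    printf("instrumented assign:      report=%d\n", model_irqentry_roundtrip(false, false));
    return 0;
}
```

The first line of output is the syzbot warning in miniature: the value is right (see `model_state_value_is_correct()`), but no instrumented store ever cleared its shadow. The unpoison clears the whole object's shadow, so it can sit at entry rather than just before the exit code, and later noinstr writes to the object do not re-poison it because noinstr stores never touch shadow.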