lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 29 Nov 2021 16:47:27 +0800
From:   Boqun Feng <boqun.feng@...il.com>
To:     Marco Elver <elver@...gle.com>
Cc:     "Paul E. McKenney" <paulmck@...nel.org>,
        Alexander Potapenko <glider@...gle.com>,
        Borislav Petkov <bp@...en8.de>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Ingo Molnar <mingo@...nel.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        Mark Rutland <mark.rutland@....com>,
        Peter Zijlstra <peterz@...radead.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Waiman Long <longman@...hat.com>,
        Will Deacon <will@...nel.org>, kasan-dev@...glegroups.com,
        linux-arch@...r.kernel.org, linux-doc@...r.kernel.org,
        linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-mm@...ck.org, x86@...nel.org
Subject: Re: [PATCH v2 03/23] kcsan: Avoid checking scoped accesses from
 nested contexts

Hi Marco,

On Thu, Nov 18, 2021 at 09:10:07AM +0100, Marco Elver wrote:
> Avoid checking scoped accesses from nested contexts (such as nested
> interrupts or in scheduler code) which share the same kcsan_ctx.
> 
> This is to avoid detecting false positive races of accesses in the same

Could you provide an example for a false positive?

I think we do want to detect the following race:

	static int v = SOME_VALUE; // a percpu variable.
	static int other_v = ... ;

	void foo(..)
	{
		int tmp;
		int other_tmp;

		preempt_disable();
		{
			ASSERT_EXCLUSIVE_ACCESSS_SCOPED(v);
			tmp = v;
			
			other_tmp = other_v; // int_handler() may run here
			
			v = tmp + 2;
		}
		preempt_enabled();
	}

	void int_handler() // an interrupt handler
	{
		v++;
	}

, if I understand correctly, we can detect this currently, but with this
patch, we cannot detect this if the interrupt happens while we're doing
the check for "other_tmp = other_v;", right? Of course, running tests
multiple times may eventually catch this, but I just want to understand
what's this patch for, thanks!

Regards,
Boqun

> thread with currently scoped accesses: consider setting up a watchpoint
> for a non-scoped (normal) access that also "conflicts" with a current
> scoped access. In a nested interrupt (or in the scheduler), which shares
> the same kcsan_ctx, we cannot check scoped accesses set up in the parent
> context -- simply ignore them in this case.
> 
> With the introduction of kcsan_ctx::disable_scoped, we can also clean up
> kcsan_check_scoped_accesses()'s recursion guard, and do not need to
> modify the list's prev pointer.
> 
> Signed-off-by: Marco Elver <elver@...gle.com>
> ---
>  include/linux/kcsan.h |  1 +
>  kernel/kcsan/core.c   | 18 +++++++++++++++---
>  2 files changed, 16 insertions(+), 3 deletions(-)
> 
> diff --git a/include/linux/kcsan.h b/include/linux/kcsan.h
> index fc266ecb2a4d..13cef3458fed 100644
> --- a/include/linux/kcsan.h
> +++ b/include/linux/kcsan.h
> @@ -21,6 +21,7 @@
>   */
>  struct kcsan_ctx {
>  	int disable_count; /* disable counter */
> +	int disable_scoped; /* disable scoped access counter */
>  	int atomic_next; /* number of following atomic ops */
>  
>  	/*
> diff --git a/kernel/kcsan/core.c b/kernel/kcsan/core.c
> index e34a1710b7bc..bd359f8ee63a 100644
> --- a/kernel/kcsan/core.c
> +++ b/kernel/kcsan/core.c
> @@ -204,15 +204,17 @@ check_access(const volatile void *ptr, size_t size, int type, unsigned long ip);
>  static noinline void kcsan_check_scoped_accesses(void)
>  {
>  	struct kcsan_ctx *ctx = get_ctx();
> -	struct list_head *prev_save = ctx->scoped_accesses.prev;
>  	struct kcsan_scoped_access *scoped_access;
>  
> -	ctx->scoped_accesses.prev = NULL;  /* Avoid recursion. */
> +	if (ctx->disable_scoped)
> +		return;
> +
> +	ctx->disable_scoped++;
>  	list_for_each_entry(scoped_access, &ctx->scoped_accesses, list) {
>  		check_access(scoped_access->ptr, scoped_access->size,
>  			     scoped_access->type, scoped_access->ip);
>  	}
> -	ctx->scoped_accesses.prev = prev_save;
> +	ctx->disable_scoped--;
>  }
>  
>  /* Rules for generic atomic accesses. Called from fast-path. */
> @@ -465,6 +467,15 @@ kcsan_setup_watchpoint(const volatile void *ptr, size_t size, int type, unsigned
>  		goto out;
>  	}
>  
> +	/*
> +	 * Avoid races of scoped accesses from nested interrupts (or scheduler).
> +	 * Assume setting up a watchpoint for a non-scoped (normal) access that
> +	 * also conflicts with a current scoped access. In a nested interrupt,
> +	 * which shares the context, it would check a conflicting scoped access.
> +	 * To avoid, disable scoped access checking.
> +	 */
> +	ctx->disable_scoped++;
> +
>  	/*
>  	 * Save and restore the IRQ state trace touched by KCSAN, since KCSAN's
>  	 * runtime is entered for every memory access, and potentially useful
> @@ -578,6 +589,7 @@ kcsan_setup_watchpoint(const volatile void *ptr, size_t size, int type, unsigned
>  	if (!kcsan_interrupt_watcher)
>  		local_irq_restore(irq_flags);
>  	kcsan_restore_irqtrace(current);
> +	ctx->disable_scoped--;
>  out:
>  	user_access_restore(ua_flags);
>  }
> -- 
> 2.34.0.rc2.393.gf8c9666880-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ