lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJF2gTSwE81vtSaCxrVnRk9NsYtT1ukptudLAdLs28MLDgTXrg@mail.gmail.com>
Date:   Sat, 7 Jan 2023 19:48:10 +0800
From:   Guo Ren <guoren@...nel.org>
To:     Mark Rutland <mark.rutland@....com>
Cc:     Alexandre Ghiti <alex@...ti.fr>, arnd@...db.de,
        palmer@...osinc.com, tglx@...utronix.de, peterz@...radead.org,
        luto@...nel.org, conor.dooley@...rochip.com, heiko@...ech.de,
        jszhang@...nel.org, lazyparser@...il.com, falcon@...ylab.org,
        chenhuacai@...nel.org, apatel@...tanamicro.com,
        atishp@...shpatra.org, ben@...adent.org.uk, bjorn@...nel.org,
        linux-arch@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-riscv@...ts.infradead.org,
        Guo Ren <guoren@...ux.alibaba.com>,
        Björn Töpel <bjorn@...osinc.com>
Subject: Re: [PATCH -next V12 3/7] riscv: entry: Add noinstr to prevent
 instrumentation inserted

On Wed, Jan 4, 2023 at 8:03 PM Mark Rutland <mark.rutland@....com> wrote:
>
> On Wed, Jan 04, 2023 at 09:40:38AM +0800, Guo Ren wrote:
> > On Tue, Jan 3, 2023 at 5:12 PM Alexandre Ghiti <alex@...ti.fr> wrote:
> > >
> > > Hi Guo,
> > >
> > > On 1/3/23 04:35, guoren@...nel.org wrote:
> > > > From: Guo Ren <guoren@...ux.alibaba.com>
> > > >
> > > > Without noinstr the compiler is free to insert instrumentation (think
> > > > all the k*SAN, KCov, GCov, ftrace etc..) which can call code we're not
> > > > yet ready to run this early in the entry path, for instance it could
> > > > rely on RCU which isn't on yet, or expect lockdep state. (by peterz)
> > > >
> > > > Link: https://lore.kernel.org/linux-riscv/YxcQ6NoPf3AH0EXe@hirez.programming.kicks-ass.net/
> > > > Reviewed-by: Björn Töpel <bjorn@...osinc.com>
> > > > Suggested-by: Peter Zijlstra <peterz@...radead.org>
> > > > Tested-by: Jisheng Zhang <jszhang@...nel.org>
> > > > Signed-off-by: Guo Ren <guoren@...ux.alibaba.com>
> > > > Signed-off-by: Guo Ren <guoren@...nel.org>
> > > > ---
> > > >   arch/riscv/kernel/traps.c | 4 ++--
> > > >   arch/riscv/mm/fault.c     | 2 +-
> > > >   2 files changed, 3 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
> > > > index 549bde5c970a..96ec76c54ff2 100644
> > > > --- a/arch/riscv/kernel/traps.c
> > > > +++ b/arch/riscv/kernel/traps.c
> > > > @@ -95,9 +95,9 @@ static void do_trap_error(struct pt_regs *regs, int signo, int code,
> > > >   }
> > > >
> > > >   #if defined(CONFIG_XIP_KERNEL) && defined(CONFIG_RISCV_ALTERNATIVE)
> > > > -#define __trap_section               __section(".xip.traps")
> > > > +#define __trap_section __noinstr_section(".xip.traps")
> > > >   #else
> > > > -#define __trap_section
> > > > +#define __trap_section noinstr
> > > >   #endif
> > > >   #define DO_ERROR_INFO(name, signo, code, str)                               \
> > > >   asmlinkage __visible __trap_section void name(struct pt_regs *regs) \
> > > > diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
> > > > index d86f7cebd4a7..b26f68eac61c 100644
> > > > --- a/arch/riscv/mm/fault.c
> > > > +++ b/arch/riscv/mm/fault.c
> > > > @@ -204,7 +204,7 @@ static inline bool access_error(unsigned long cause, struct vm_area_struct *vma)
> > > >    * This routine handles page faults.  It determines the address and the
> > > >    * problem, and then passes it off to one of the appropriate routines.
> > > >    */
> > > > -asmlinkage void do_page_fault(struct pt_regs *regs)
> > > > +asmlinkage void noinstr do_page_fault(struct pt_regs *regs)
> > >
> > >
> > > (I dug the archive but can't find the series before v4, so sorry if it
> > > was already answered)
> > >
> > > I think we should not disable the instrumentation of those trap handlers
> > > as at least profiling them with ftrace would provide valuable
> > > information (and gcov would be nice too): why do we need to do that? A
> > > trap very early in the boot process is not recoverable anyway.
> > Everything that calls irqentry_enter() should be noinstr, and this
> > patch prepares for the next generic_entry convert.
> >
> > eg:
> > asmlinkage void noinstr do_page_fault(struct pt_regs *regs)
> > {
> >         irqentry_state_t state = irqentry_enter(regs);
> >
> >         __do_page_fault(regs);
> >
> >         local_irq_disable();
> >
> >         irqentry_exit(regs, state);
> > }
> > NOKPROBE_SYMBOL(do_page_fault);
> >
> > You still could profile __do_page_fault.
> >
> > >
> > > And I took a look at other architectures, none of them disables the
> > > instrumentation on do_page_fault.
> > That's not true, have a look at power & arm64. All of them have some
> > limitations at the entry of page_fault.
>
> Well, arm64's can't be kprobed, but is *can* be traced with ftrace, and *can*
> be instrumented with KASAN and friends. I'm not sure that we actually need to
> inhibit kprobes for do_page_fault, and we might be able to relax that.
>
> As a general thing, we've tried to centralize all the necesarily-noinstr bits
> in arch/arm64/kernel/entry-common.c, and keep everything else as instrumentable
> as possible.
>
> I'd recommend doing similar, and have a central file for any entry bits which
> can't live in the generic entry code, and keep the rest instrumentable. That
> will make it easier to maintain and verify.

Okay, here is the v13 [1]. I've centralized all the necesarily-noinstr
bits in arch/riscv/kernel/traps.c.

[1] https://lore.kernel.org/linux-riscv/20230107113838.3969149-1-guoren@kernel.org/

>
> Thanks,
> Mark.



-- 
Best Regards
 Guo Ren

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ