linux/mm/kmsan/shadow.c

// SPDX-License-Identifier: GPL-2.0
/*
 * KMSAN shadow implementation.
 *
 * Copyright (C) 2017-2022 Google LLC
 * Author: Alexander Potapenko <glider@google.com>
 *
 */

#include <asm/kmsan.h>
#include <asm/tlbflush.h>
#include <linux/cacheflush.h>
#include <linux/memblock.h>
#include <linux/mm_types.h>
#include <linux/percpu-defs.h>
#include <linux/slab.h>
#include <linux/smp.h>
#include <linux/stddef.h>

#include "../internal.h"
#include "kmsan.h"

#define shadow_page_for(page) ((page)->kmsan_shadow)

#define origin_page_for(page) ((page)->kmsan_origin)

static void *shadow_ptr_for(struct page *page)
{
	return page_address(shadow_page_for(page));
}

static void *origin_ptr_for(struct page *page)
{
	return page_address(origin_page_for(page));
}

static bool page_has_metadata(struct page *page)
{
	return shadow_page_for(page) && origin_page_for(page);
}

static void set_no_shadow_origin_page(struct page *page)
{
	shadow_page_for(page) = NULL;
	origin_page_for(page) = NULL;
}

/*
 * Dummy load and store pages to be used when the real metadata is unavailable.
 * There are separate pages for loads and stores, so that every load returns a
 * zero, and every store doesn't affect other loads.
 */
static char dummy_load_page[PAGE_SIZE] __aligned(PAGE_SIZE);
static char dummy_store_page[PAGE_SIZE] __aligned(PAGE_SIZE);

static unsigned long vmalloc_meta(void *addr, bool is_origin)
{
	unsigned long addr64 = (unsigned long)addr, off;

	KMSAN_WARN_ON(is_origin && !IS_ALIGNED(addr64, KMSAN_ORIGIN_SIZE));
	if (kmsan_internal_is_vmalloc_addr(addr)) {
		off = addr64 - VMALLOC_START;
		return off + (is_origin ? KMSAN_VMALLOC_ORIGIN_START :
					  KMSAN_VMALLOC_SHADOW_START);
	}
	if (kmsan_internal_is_module_addr(addr)) {
		off = addr64 - MODULES_VADDR;
		return off + (is_origin ? KMSAN_MODULES_ORIGIN_START :
					  KMSAN_MODULES_SHADOW_START);
	}
	return 0;
}

static struct page *virt_to_page_or_null(void *vaddr)
{
	if (kmsan_virt_addr_valid(vaddr))
		return virt_to_page(vaddr);
	else
		return NULL;
}

struct shadow_origin_ptr kmsan_get_shadow_origin_ptr(void *address, u64 size,
						     bool store)
{
	struct shadow_origin_ptr ret;
	void *shadow;

	/*
	 * Even if we redirect this memory access to the dummy page, it will
	 * go out of bounds.
	 */
	KMSAN_WARN_ON(size > PAGE_SIZE);

	if (!kmsan_enabled)
		goto return_dummy;

	KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(address, size));
	shadow = kmsan_get_metadata(address, KMSAN_META_SHADOW);
	if (!shadow)
		goto return_dummy;

	ret.shadow = shadow;
	ret.origin = kmsan_get_metadata(address, KMSAN_META_ORIGIN);
	return ret;

return_dummy:
	if (store) {
		/* Ignore this store. */
		ret.shadow = dummy_store_page;
		ret.origin = dummy_store_page;
	} else {
		/* This load will return zero. */
		ret.shadow = dummy_load_page;
		ret.origin = dummy_load_page;
	}
	return ret;
}

/*
 * Obtain the shadow or origin pointer for the given address, or NULL if there's
 * none. The caller must check the return value for being non-NULL if needed.
 * The return value of this function should not depend on whether we're in the
 * runtime or not.
 */
void *kmsan_get_metadata(void *address, bool is_origin)
{
	u64 addr = (u64)address, pad, off;
	struct page *page;

	if (is_origin && !IS_ALIGNED(addr, KMSAN_ORIGIN_SIZE)) {
		pad = addr % KMSAN_ORIGIN_SIZE;
		addr -= pad;
	}
	address = (void *)addr;
	if (kmsan_internal_is_vmalloc_addr(address) ||
	    kmsan_internal_is_module_addr(address))
		return (void *)vmalloc_meta(address, is_origin);

	page = virt_to_page_or_null(address);
	if (!page)
		return NULL;
	if (!page_has_metadata(page))
		return NULL;
	off = addr % PAGE_SIZE;

	return (is_origin ? origin_ptr_for(page) : shadow_ptr_for(page)) + off;
}
kmsan: add KMSAN runtime core For each memory location KernelMemorySanitizer maintains two types of metadata: 1. The so-called shadow of that location - а byte:byte mapping describing whether or not individual bits of memory are initialized (shadow is 0) or not (shadow is 1). 2. The origins of that location - а 4-byte:4-byte mapping containing 4-byte IDs of the stack traces where uninitialized values were created. Each struct page now contains pointers to two struct pages holding KMSAN metadata (shadow and origins) for the original struct page. Utility routines in mm/kmsan/core.c and mm/kmsan/shadow.c handle the metadata creation, addressing, copying and checking. mm/kmsan/report.c performs error reporting in the cases an uninitialized value is used in a way that leads to undefined behavior. KMSAN compiler instrumentation is responsible for tracking the metadata along with the kernel memory. mm/kmsan/instrumentation.c provides the implementation for instrumentation hooks that are called from files compiled with -fsanitize=kernel-memory. To aid parameter passing (also done at instrumentation level), each task_struct now contains a struct kmsan_task_state used to track the metadata of function parameters and return values for that task. Finally, this patch provides CONFIG_KMSAN that enables KMSAN, and declares CFLAGS_KMSAN, which are applied to files compiled with KMSAN. The KMSAN_SANITIZE:=n Makefile directive can be used to completely disable KMSAN instrumentation for certain files. Similarly, KMSAN_ENABLE_CHECKS:=n disables KMSAN checks and makes newly created stack memory initialized. Users can also use functions from include/linux/kmsan-checks.h to mark certain memory regions as uninitialized or initialized (this is called "poisoning" and "unpoisoning") or check that a particular region is initialized. Link: https://lkml.kernel.org/r/20220915150417.722975-12-glider@google.com Signed-off-by: Alexander Potapenko <glider@google.com> Acked-by: Marco Elver <elver@google.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Alexei Starovoitov <ast@kernel.org> Cc: Andrey Konovalov <andreyknvl@gmail.com> Cc: Andrey Konovalov <andreyknvl@google.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Borislav Petkov <bp@alien8.de> Cc: Christoph Hellwig <hch@lst.de> Cc: Christoph Lameter <cl@linux.com> Cc: David Rientjes <rientjes@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Eric Biggers <ebiggers@google.com> Cc: Eric Biggers <ebiggers@kernel.org> Cc: Eric Dumazet <edumazet@google.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Ilya Leoshkevich <iii@linux.ibm.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: Kees Cook <keescook@chromium.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Matthew Wilcox <willy@infradead.org> Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Petr Mladek <pmladek@suse.com> Cc: Stephen Rothwell <sfr@canb.auug.org.au> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vasily Gorbik <gor@linux.ibm.com> Cc: Vegard Nossum <vegard.nossum@oracle.com> Cc: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 2022-09-15 17:03:45 +02:00			`// SPDX-License-Identifier: GPL-2.0`
			`/*`
			`* KMSAN shadow implementation.`
			`*`
			`* Copyright (C) 2017-2022 Google LLC`
			`* Author: Alexander Potapenko <glider@google.com>`
			`*`
			`*/`

			`#include <asm/kmsan.h>`
			`#include <asm/tlbflush.h>`
			`#include <linux/cacheflush.h>`
			`#include <linux/memblock.h>`
			`#include <linux/mm_types.h>`
			`#include <linux/percpu-defs.h>`
			`#include <linux/slab.h>`
			`#include <linux/smp.h>`
			`#include <linux/stddef.h>`

			`#include "../internal.h"`
			`#include "kmsan.h"`

			`#define shadow_page_for(page) ((page)->kmsan_shadow)`

			`#define origin_page_for(page) ((page)->kmsan_origin)`

			`static void shadow_ptr_for(struct page page)`
			`{`
			`return page_address(shadow_page_for(page));`
			`}`

			`static void origin_ptr_for(struct page page)`
			`{`
			`return page_address(origin_page_for(page));`
			`}`

			`static bool page_has_metadata(struct page *page)`
			`{`
			`return shadow_page_for(page) && origin_page_for(page);`
			`}`

			`static void set_no_shadow_origin_page(struct page *page)`
			`{`
			`shadow_page_for(page) = NULL;`
			`origin_page_for(page) = NULL;`
			`}`

			`/*`
			`* Dummy load and store pages to be used when the real metadata is unavailable.`
			`* There are separate pages for loads and stores, so that every load returns a`
			`* zero, and every store doesn't affect other loads.`
			`*/`
			`static char dummy_load_page[PAGE_SIZE] __aligned(PAGE_SIZE);`
			`static char dummy_store_page[PAGE_SIZE] __aligned(PAGE_SIZE);`

			`static unsigned long vmalloc_meta(void *addr, bool is_origin)`
			`{`
			`unsigned long addr64 = (unsigned long)addr, off;`

			`KMSAN_WARN_ON(is_origin && !IS_ALIGNED(addr64, KMSAN_ORIGIN_SIZE));`
			`if (kmsan_internal_is_vmalloc_addr(addr)) {`
			`off = addr64 - VMALLOC_START;`
			`return off + (is_origin ? KMSAN_VMALLOC_ORIGIN_START :`
			`KMSAN_VMALLOC_SHADOW_START);`
			`}`
			`if (kmsan_internal_is_module_addr(addr)) {`
			`off = addr64 - MODULES_VADDR;`
			`return off + (is_origin ? KMSAN_MODULES_ORIGIN_START :`
			`KMSAN_MODULES_SHADOW_START);`
			`}`
			`return 0;`
			`}`

			`static struct page virt_to_page_or_null(void vaddr)`
			`{`
			`if (kmsan_virt_addr_valid(vaddr))`
			`return virt_to_page(vaddr);`
			`else`
			`return NULL;`
			`}`

			`struct shadow_origin_ptr kmsan_get_shadow_origin_ptr(void *address, u64 size,`
			`bool store)`
			`{`
			`struct shadow_origin_ptr ret;`
			`void *shadow;`

			`/*`
			`* Even if we redirect this memory access to the dummy page, it will`
			`* go out of bounds.`
			`*/`
			`KMSAN_WARN_ON(size > PAGE_SIZE);`

			`if (!kmsan_enabled)`
			`goto return_dummy;`

			`KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(address, size));`
			`shadow = kmsan_get_metadata(address, KMSAN_META_SHADOW);`
			`if (!shadow)`
			`goto return_dummy;`

			`ret.shadow = shadow;`
			`ret.origin = kmsan_get_metadata(address, KMSAN_META_ORIGIN);`
			`return ret;`

			`return_dummy:`
			`if (store) {`
			`/* Ignore this store. */`
			`ret.shadow = dummy_store_page;`
			`ret.origin = dummy_store_page;`
			`} else {`
			`/* This load will return zero. */`
			`ret.shadow = dummy_load_page;`
			`ret.origin = dummy_load_page;`
			`}`
			`return ret;`
			`}`

			`/*`
			`* Obtain the shadow or origin pointer for the given address, or NULL if there's`
			`* none. The caller must check the return value for being non-NULL if needed.`
			`* The return value of this function should not depend on whether we're in the`
			`* runtime or not.`
			`*/`
			`void kmsan_get_metadata(void address, bool is_origin)`
			`{`
			`u64 addr = (u64)address, pad, off;`
			`struct page *page;`

			`if (is_origin && !IS_ALIGNED(addr, KMSAN_ORIGIN_SIZE)) {`
			`pad = addr % KMSAN_ORIGIN_SIZE;`
			`addr -= pad;`
			`}`
			`address = (void *)addr;`
			`if (kmsan_internal_is_vmalloc_addr(address) \|\|`
			`kmsan_internal_is_module_addr(address))`
			`return (void *)vmalloc_meta(address, is_origin);`

			`page = virt_to_page_or_null(address);`
			`if (!page)`
			`return NULL;`
			`if (!page_has_metadata(page))`
			`return NULL;`
			`off = addr % PAGE_SIZE;`

			`return (is_origin ? origin_ptr_for(page) : shadow_ptr_for(page)) + off;`
			`}`