From patchwork Fri Sep 22 21:29:20 2017
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 114107
From: Arnd Bergmann
To: Andrey Ryabinin, Masahiro Yamada, Michal Marek, Andrew Morton
Cc: Arnd Bergmann, Mauro Carvalho Chehab, Jiri Pirko, Arend van Spriel, Kalle Valo, "David S. Miller", Alexander Potapenko, Dmitry Vyukov, Kees Cook, Geert Uytterhoeven, Greg Kroah-Hartman, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, brcm80211-dev-list@cypress.com, kasan-dev@googlegroups.com, linux-kbuild@vger.kernel.org, Jakub Jelinek, Martin Liška
Subject: [PATCH v4 9/9] kasan: rework Kconfig settings
Date: Fri, 22 Sep 2017 23:29:20 +0200
Message-Id: <20170922212930.620249-10-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
In-Reply-To: <20170922212930.620249-1-arnd@arndb.de>
References: <20170922212930.620249-1-arnd@arndb.de>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

We get a lot of very large stack frames using gcc-7.0.1 with the default
-fsanitize-address-use-after-scope --param asan-stack=1 options, which
can easily cause an overflow of the kernel stack, e.g.

drivers/gpu/drm/i915/gvt/handlers.c:2407:1: error: the frame size of 31216 bytes is larger than 2048 bytes
drivers/net/wireless/ralink/rt2x00/rt2800lib.c:5650:1: error: the frame size of 23632 bytes is larger than 2048 bytes
drivers/scsi/fnic/fnic_trace.c:451:1: error: the frame size of 5152 bytes is larger than 2048 bytes
fs/btrfs/relocation.c:1202:1: error: the frame size of 4256 bytes is larger than 2048 bytes
fs/fscache/stats.c:287:1: error: the frame size of 6552 bytes is larger than 2048 bytes
lib/atomic64_test.c:250:1: error: the frame size of 12616 bytes is larger than 2048 bytes
mm/vmscan.c:1367:1: error: the frame size of 5080 bytes is larger than 2048 bytes
net/wireless/nl80211.c:1905:1: error: the frame size of 4232 bytes is larger than 2048 bytes

To reduce this risk, -fsanitize-address-use-after-scope is now split out
into a separate CONFIG_KASAN_EXTRA Kconfig option, leading to stack
frames that are smaller than 2 kilobytes most of the time on x86_64. An
earlier version of this patch also prevented combining KASAN_EXTRA with
KASAN_INLINE, but that is no longer necessary with gcc-7.0.1.

A lot of warnings with KASAN_EXTRA go away if we disable KMEMCHECK, as
-fsanitize-address-use-after-scope seems to understand the builtin
memcpy, but adds checking code around an extern memcpy call.

I had to work around a circular dependency, as DEBUG_SLAB/SLUB depended
on !KMEMCHECK, while KASAN did it the other way round. Now we handle
both the same way and make KASAN and KMEMCHECK mutually exclusive.
All patches to get the frame size below 2048 bytes with CONFIG_KASAN=y
and CONFIG_KASAN_EXTRA=n have been submitted along with this patch, so
we can bring back that default now. KASAN_EXTRA=y still causes lots of
warnings but now defaults to !COMPILE_TEST to disable it in
allmodconfig, and it remains disabled in all other defconfigs since it
is a new option.

I arbitrarily raise the warning limit for KASAN_EXTRA to 3072 to reduce
the noise, but an allmodconfig kernel still has around 50 warnings on
gcc-7.

I experimented a bit more with smaller stack frames and have another
follow-up series that reduces the warning limit for 64-bit architectures
to 1280 bytes (without CONFIG_KASAN).

With earlier versions of this patch series, I also had patches to
address the warnings we get with KASAN and/or KASAN_EXTRA, using a
"noinline_if_stackbloat" annotation. That annotation now got replaced
with a gcc-8 bugfix (see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715)
and a workaround for older compilers, which means that KASAN_EXTRA is
now just as bad as before and will lead to an instant stack overflow in
a few extreme cases.

This reverts parts of commit 3f181b4 ("lib/Kconfig.debug: disable
-Wframe-larger-than warnings with KASAN=y").

Signed-off-by: Arnd Bergmann
---
 lib/Kconfig.debug      |  4 ++--
 lib/Kconfig.kasan      | 13 ++++++++++++-
 lib/Kconfig.kmemcheck  |  1 +
 scripts/Makefile.kasan |  3 +++
 4 files changed, 18 insertions(+), 3 deletions(-)

-- 
2.9.0

Acked-by: Andrey Ryabinin

diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index b19c491cbc4e..5755875d4a80 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -217,7 +217,7 @@ config ENABLE_MUST_CHECK config FRAME_WARN int "Warn for stack frames larger than (needs gcc 4.4)" range 0 8192 - default 0 if KASAN + default 3072 if KASAN_EXTRA default 2048 if GCC_PLUGIN_LATENT_ENTROPY default 1024 if !64BIT default 2048 if 64BIT 
@@ -503,7 +503,7 @@ config DEBUG_OBJECTS_ENABLE_DEFAULT config DEBUG_SLAB bool "Debug slab memory allocations" - depends on DEBUG_KERNEL && SLAB && !KMEMCHECK + depends on DEBUG_KERNEL && SLAB && !KMEMCHECK && !KASAN help Say Y here to have the kernel do limited verification on memory allocation as well as poisoning memory on free to catch use of freed diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index bd38aab05929..db799e6e9dba 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -5,7 +5,7 @@ if HAVE_ARCH_KASAN config KASAN bool "KASan: runtime memory debugger" - depends on SLUB || (SLAB && !DEBUG_SLAB) + depends on SLUB || SLAB select CONSTRUCTORS select STACKDEPOT help @@ -20,6 +20,17 @@ config KASAN Currently CONFIG_KASAN doesn't work with CONFIG_DEBUG_SLAB (the resulting kernel does not boot). +config KASAN_EXTRA + bool "KAsan: extra checks" + depends on KASAN && DEBUG_KERNEL && !COMPILE_TEST + help + This enables further checks in the kernel address sanitizer, for now + it only includes the address-use-after-scope check that can lead + to excessive kernel stack usage, frame size warnings and longer + compile time. + https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 has more + + choice prompt "Instrumentation type" depends on KASAN diff --git a/lib/Kconfig.kmemcheck b/lib/Kconfig.kmemcheck index 846e039a86b4..1a534e638635 100644 --- a/lib/Kconfig.kmemcheck +++ b/lib/Kconfig.kmemcheck @@ -7,6 +7,7 @@ menuconfig KMEMCHECK bool "kmemcheck: trap use of uninitialized memory" depends on DEBUG_KERNEL depends on !X86_USE_3DNOW + depends on !KASAN depends on SLUB || SLAB depends on !CC_OPTIMIZE_FOR_SIZE depends on !FUNCTION_TRACER diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan index 9576775a86f6..3b3148faf866 100644 --- a/scripts/Makefile.kasan +++ b/scripts/Makefile.kasan @@ -29,5 +29,8 @@ else endif endif +ifdef CONFIG_KASAN_EXTRA CFLAGS_KASAN += $(call cc-option, -fsanitize-address-use-after-scope) endif + +endif
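Review bot: in the lib/Kconfig.debug FRAME_WARN hunk, the new `default 3072 if KASAN_EXTRA` line only works because Kconfig takes the first matching default, so it must stay above `default 2048 if GCC_PLUGIN_LATENT_ENTROPY` and the two word-size defaults; a short `#` comment above it saying that the ordering is deliberate and that 3072 is the noise limit chosen for KASAN_EXTRA (the commit message calls it arbitrary) would stop a later reordering from silently dropping the limit back to 2048. It is also worth stating in the same place that plain KASAN=y without KASAN_EXTRA now gets the normal 2048 (64BIT) or 1024 (!64BIT) limit again, since the old `default 0 if KASAN` escape hatch is removed.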
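Review bot: in the lib/Kconfig.kasan hunk that changes KASAN to `depends on SLUB || SLAB`, the exclusion of DEBUG_SLAB now lives entirely on the DEBUG_SLAB side (`depends on DEBUG_KERNEL && SLAB && !KMEMCHECK && !KASAN`), but the unchanged context lines in the next hunk still carry the help text "Currently CONFIG_KASAN doesn't work with CONFIG_DEBUG_SLAB (the resulting kernel does not boot)", which reads as a warning the user has to act on rather than a rule Kconfig enforces; reword it to say that DEBUG_SLAB is automatically unavailable when KASAN is selected, or drop it, so the help text matches the dependency direction this series settles on.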
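Review bot: the help text of the new KASAN_EXTRA option ends with `https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715 has more`, which reads as a sentence cut short ("has more details" or "has more background"), and the prompt `"KAsan: extra checks"` spells the name differently from the `"KASan: runtime memory debugger"` prompt a few lines above it; since this help text is the only place a user learns why the option defaults to off, it should also name the flag it actually enables (`-fsanitize-address-use-after-scope`, as wired up in scripts/Makefile.kasan) instead of "the address-use-after-scope check", and split the comma splice "for now it only includes" into its own sentence.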
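Review bot: in the scripts/Makefile.kasan hunk, `ifdef CONFIG_KASAN_EXTRA` is inserted directly after two consecutive `endif` lines and its own `endif` is then followed by a blank line and yet another `endif`, so from the hunk alone it is hard to tell which conditional each closer belongs to; annotating at least the new closer as `endif # CONFIG_KASAN_EXTRA` (and the outer one with the name of the block it closes) would make the nesting readable, and the stray blank line between the two final `endif`s looks like an accidental edit. Keeping the `$(call cc-option, ...)` wrapper inside the new block is right, since a compiler without the flag then simply builds without the use-after-scope check instead of failing.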