1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * KMSAN hooks for kernel subsystems. 4 * 5 * These functions handle creation of KMSAN metadata for memory allocations. 6 * 7 * Copyright (C) 2018-2022 Google LLC 8 * Author: Alexander Potapenko <glider@google.com> 9 * 10 */ 11 12 #include <linux/cacheflush.h> 13 #include <linux/dma-direction.h> 14 #include <linux/gfp.h> 15 #include <linux/kmsan.h> 16 #include <linux/mm.h> 17 #include <linux/mm_types.h> 18 #include <linux/scatterlist.h> 19 #include <linux/slab.h> 20 #include <linux/uaccess.h> 21 #include <linux/usb.h> 22 23 #include "../internal.h" 24 #include "../slab.h" 25 #include "kmsan.h" 26 27 /* 28 * Instrumented functions shouldn't be called under 29 * kmsan_enter_runtime()/kmsan_leave_runtime(), because this will lead to 30 * skipping effects of functions like memset() inside instrumented code. 31 */ 32 33 void kmsan_task_create(struct task_struct *task) 34 { 35 kmsan_enter_runtime(); 36 kmsan_internal_task_create(task); 37 kmsan_leave_runtime(); 38 } 39 40 void kmsan_task_exit(struct task_struct *task) 41 { 42 if (!kmsan_enabled || kmsan_in_runtime()) 43 return; 44 45 kmsan_disable_current(); 46 } 47 48 void kmsan_slab_alloc(struct kmem_cache *s, void *object, gfp_t flags) 49 { 50 if (unlikely(object == NULL)) 51 return; 52 if (!kmsan_enabled || kmsan_in_runtime()) 53 return; 54 /* 55 * There's a ctor or this is an RCU cache - do nothing. The memory 56 * status hasn't changed since last use. 57 */ 58 if (s->ctor || (s->flags & SLAB_TYPESAFE_BY_RCU)) 59 return; 60 61 kmsan_enter_runtime(); 62 if (flags & __GFP_ZERO) 63 kmsan_internal_unpoison_memory(object, s->object_size, 64 KMSAN_POISON_CHECK); 65 else 66 kmsan_internal_poison_memory(object, s->object_size, flags, 67 KMSAN_POISON_CHECK); 68 kmsan_leave_runtime(); 69 } 70 71 void kmsan_slab_free(struct kmem_cache *s, void *object) 72 { 73 if (!kmsan_enabled || kmsan_in_runtime()) 74 return; 75 76 /* RCU slabs could be legally used after free within the RCU period */ 77 if (unlikely(s->flags & SLAB_TYPESAFE_BY_RCU)) 78 return; 79 /* 80 * If there's a constructor, freed memory must remain in the same state 81 * until the next allocation. We cannot save its state to detect 82 * use-after-free bugs, instead we just keep it unpoisoned. 83 */ 84 if (s->ctor) 85 return; 86 kmsan_enter_runtime(); 87 kmsan_internal_poison_memory(object, s->object_size, GFP_KERNEL, 88 KMSAN_POISON_CHECK | KMSAN_POISON_FREE); 89 kmsan_leave_runtime(); 90 } 91 92 void kmsan_kmalloc_large(const void *ptr, size_t size, gfp_t flags) 93 { 94 if (unlikely(ptr == NULL)) 95 return; 96 if (!kmsan_enabled || kmsan_in_runtime()) 97 return; 98 kmsan_enter_runtime(); 99 if (flags & __GFP_ZERO) 100 kmsan_internal_unpoison_memory((void *)ptr, size, 101 /*checked*/ true); 102 else 103 kmsan_internal_poison_memory((void *)ptr, size, flags, 104 KMSAN_POISON_CHECK); 105 kmsan_leave_runtime(); 106 } 107 108 void kmsan_kfree_large(const void *ptr) 109 { 110 struct page *page; 111 112 if (!kmsan_enabled || kmsan_in_runtime()) 113 return; 114 kmsan_enter_runtime(); 115 page = virt_to_head_page((void *)ptr); 116 KMSAN_WARN_ON(ptr != page_address(page)); 117 kmsan_internal_poison_memory((void *)ptr, page_size(page), GFP_KERNEL, 118 KMSAN_POISON_CHECK | KMSAN_POISON_FREE); 119 kmsan_leave_runtime(); 120 } 121 122 static unsigned long vmalloc_shadow(unsigned long addr) 123 { 124 return (unsigned long)kmsan_get_metadata((void *)addr, 125 KMSAN_META_SHADOW); 126 } 127 128 static unsigned long vmalloc_origin(unsigned long addr) 129 { 130 return (unsigned long)kmsan_get_metadata((void *)addr, 131 KMSAN_META_ORIGIN); 132 } 133 134 void kmsan_vunmap_range_noflush(unsigned long start, unsigned long end) 135 { 136 __vunmap_range_noflush(vmalloc_shadow(start), vmalloc_shadow(end)); 137 __vunmap_range_noflush(vmalloc_origin(start), vmalloc_origin(end)); 138 flush_cache_vmap(vmalloc_shadow(start), vmalloc_shadow(end)); 139 flush_cache_vmap(vmalloc_origin(start), vmalloc_origin(end)); 140 } 141 142 /* 143 * This function creates new shadow/origin pages for the physical pages mapped 144 * into the virtual memory. If those physical pages already had shadow/origin, 145 * those are ignored. 146 */ 147 int kmsan_ioremap_page_range(unsigned long start, unsigned long end, 148 phys_addr_t phys_addr, pgprot_t prot, 149 unsigned int page_shift) 150 { 151 gfp_t gfp_mask = GFP_KERNEL | __GFP_ZERO; 152 struct page *shadow, *origin; 153 unsigned long off = 0; 154 int nr, err = 0, clean = 0, mapped; 155 156 if (!kmsan_enabled || kmsan_in_runtime()) 157 return 0; 158 159 nr = (end - start) / PAGE_SIZE; 160 kmsan_enter_runtime(); 161 for (int i = 0; i < nr; i++, off += PAGE_SIZE, clean = i) { 162 shadow = alloc_pages(gfp_mask, 1); 163 origin = alloc_pages(gfp_mask, 1); 164 if (!shadow || !origin) { 165 err = -ENOMEM; 166 goto ret; 167 } 168 mapped = __vmap_pages_range_noflush( 169 vmalloc_shadow(start + off), 170 vmalloc_shadow(start + off + PAGE_SIZE), prot, &shadow, 171 PAGE_SHIFT); 172 if (mapped) { 173 err = mapped; 174 goto ret; 175 } 176 shadow = NULL; 177 mapped = __vmap_pages_range_noflush( 178 vmalloc_origin(start + off), 179 vmalloc_origin(start + off + PAGE_SIZE), prot, &origin, 180 PAGE_SHIFT); 181 if (mapped) { 182 __vunmap_range_noflush( 183 vmalloc_shadow(start + off), 184 vmalloc_shadow(start + off + PAGE_SIZE)); 185 err = mapped; 186 goto ret; 187 } 188 origin = NULL; 189 } 190 /* Page mapping loop finished normally, nothing to clean up. */ 191 clean = 0; 192 193 ret: 194 if (clean > 0) { 195 /* 196 * Something went wrong. Clean up shadow/origin pages allocated 197 * on the last loop iteration, then delete mappings created 198 * during the previous iterations. 199 */ 200 if (shadow) 201 __free_pages(shadow, 1); 202 if (origin) 203 __free_pages(origin, 1); 204 __vunmap_range_noflush( 205 vmalloc_shadow(start), 206 vmalloc_shadow(start + clean * PAGE_SIZE)); 207 __vunmap_range_noflush( 208 vmalloc_origin(start), 209 vmalloc_origin(start + clean * PAGE_SIZE)); 210 } 211 flush_cache_vmap(vmalloc_shadow(start), vmalloc_shadow(end)); 212 flush_cache_vmap(vmalloc_origin(start), vmalloc_origin(end)); 213 kmsan_leave_runtime(); 214 return err; 215 } 216 217 void kmsan_iounmap_page_range(unsigned long start, unsigned long end) 218 { 219 unsigned long v_shadow, v_origin; 220 struct page *shadow, *origin; 221 int nr; 222 223 if (!kmsan_enabled || kmsan_in_runtime()) 224 return; 225 226 nr = (end - start) / PAGE_SIZE; 227 kmsan_enter_runtime(); 228 v_shadow = (unsigned long)vmalloc_shadow(start); 229 v_origin = (unsigned long)vmalloc_origin(start); 230 for (int i = 0; i < nr; 231 i++, v_shadow += PAGE_SIZE, v_origin += PAGE_SIZE) { 232 shadow = kmsan_vmalloc_to_page_or_null((void *)v_shadow); 233 origin = kmsan_vmalloc_to_page_or_null((void *)v_origin); 234 __vunmap_range_noflush(v_shadow, vmalloc_shadow(end)); 235 __vunmap_range_noflush(v_origin, vmalloc_origin(end)); 236 if (shadow) 237 __free_pages(shadow, 1); 238 if (origin) 239 __free_pages(origin, 1); 240 } 241 flush_cache_vmap(vmalloc_shadow(start), vmalloc_shadow(end)); 242 flush_cache_vmap(vmalloc_origin(start), vmalloc_origin(end)); 243 kmsan_leave_runtime(); 244 } 245 246 void kmsan_copy_to_user(void __user *to, const void *from, size_t to_copy, 247 size_t left) 248 { 249 unsigned long ua_flags; 250 251 if (!kmsan_enabled || kmsan_in_runtime()) 252 return; 253 /* 254 * At this point we've copied the memory already. It's hard to check it 255 * before copying, as the size of actually copied buffer is unknown. 256 */ 257 258 /* copy_to_user() may copy zero bytes. No need to check. */ 259 if (!to_copy) 260 return; 261 /* Or maybe copy_to_user() failed to copy anything. */ 262 if (to_copy <= left) 263 return; 264 265 ua_flags = user_access_save(); 266 if (!IS_ENABLED(CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE) || 267 (u64)to < TASK_SIZE) { 268 /* This is a user memory access, check it. */ 269 kmsan_internal_check_memory((void *)from, to_copy - left, to, 270 REASON_COPY_TO_USER); 271 } else { 272 /* Otherwise this is a kernel memory access. This happens when a 273 * compat syscall passes an argument allocated on the kernel 274 * stack to a real syscall. 275 * Don't check anything, just copy the shadow of the copied 276 * bytes. 277 */ 278 kmsan_enter_runtime(); 279 kmsan_internal_memmove_metadata((void *)to, (void *)from, 280 to_copy - left); 281 kmsan_leave_runtime(); 282 } 283 user_access_restore(ua_flags); 284 } 285 EXPORT_SYMBOL(kmsan_copy_to_user); 286 287 void kmsan_memmove(void *to, const void *from, size_t size) 288 { 289 if (!kmsan_enabled || kmsan_in_runtime()) 290 return; 291 292 kmsan_enter_runtime(); 293 kmsan_internal_memmove_metadata(to, (void *)from, size); 294 kmsan_leave_runtime(); 295 } 296 EXPORT_SYMBOL(kmsan_memmove); 297 298 /* Helper function to check an URB. */ 299 void kmsan_handle_urb(const struct urb *urb, bool is_out) 300 { 301 if (!urb) 302 return; 303 if (is_out) 304 kmsan_internal_check_memory(urb->transfer_buffer, 305 urb->transfer_buffer_length, 306 /*user_addr*/ NULL, 307 REASON_SUBMIT_URB); 308 else 309 kmsan_internal_unpoison_memory(urb->transfer_buffer, 310 urb->transfer_buffer_length, 311 /*checked*/ false); 312 } 313 EXPORT_SYMBOL_GPL(kmsan_handle_urb); 314 315 static void kmsan_handle_dma_page(const void *addr, size_t size, 316 enum dma_data_direction dir) 317 { 318 switch (dir) { 319 case DMA_BIDIRECTIONAL: 320 kmsan_internal_check_memory((void *)addr, size, 321 /*user_addr*/ NULL, REASON_ANY); 322 kmsan_internal_unpoison_memory((void *)addr, size, 323 /*checked*/ false); 324 break; 325 case DMA_TO_DEVICE: 326 kmsan_internal_check_memory((void *)addr, size, 327 /*user_addr*/ NULL, REASON_ANY); 328 break; 329 case DMA_FROM_DEVICE: 330 kmsan_internal_unpoison_memory((void *)addr, size, 331 /*checked*/ false); 332 break; 333 case DMA_NONE: 334 break; 335 } 336 } 337 338 /* Helper function to handle DMA data transfers. */ 339 void kmsan_handle_dma(struct page *page, size_t offset, size_t size, 340 enum dma_data_direction dir) 341 { 342 u64 page_offset, to_go, addr; 343 344 if (PageHighMem(page)) 345 return; 346 addr = (u64)page_address(page) + offset; 347 /* 348 * The kernel may occasionally give us adjacent DMA pages not belonging 349 * to the same allocation. Process them separately to avoid triggering 350 * internal KMSAN checks. 351 */ 352 while (size > 0) { 353 page_offset = offset_in_page(addr); 354 to_go = min(PAGE_SIZE - page_offset, (u64)size); 355 kmsan_handle_dma_page((void *)addr, to_go, dir); 356 addr += to_go; 357 size -= to_go; 358 } 359 } 360 EXPORT_SYMBOL_GPL(kmsan_handle_dma); 361 362 void kmsan_handle_dma_sg(struct scatterlist *sg, int nents, 363 enum dma_data_direction dir) 364 { 365 struct scatterlist *item; 366 int i; 367 368 for_each_sg(sg, item, nents, i) 369 kmsan_handle_dma(sg_page(item), item->offset, item->length, 370 dir); 371 } 372 373 /* Functions from kmsan-checks.h follow. */ 374 375 /* 376 * To create an origin, kmsan_poison_memory() unwinds the stacks and stores it 377 * into the stack depot. This may cause deadlocks if done from within KMSAN 378 * runtime, therefore we bail out if kmsan_in_runtime(). 379 */ 380 void kmsan_poison_memory(const void *address, size_t size, gfp_t flags) 381 { 382 if (!kmsan_enabled || kmsan_in_runtime()) 383 return; 384 kmsan_enter_runtime(); 385 /* The users may want to poison/unpoison random memory. */ 386 kmsan_internal_poison_memory((void *)address, size, flags, 387 KMSAN_POISON_NOCHECK); 388 kmsan_leave_runtime(); 389 } 390 EXPORT_SYMBOL(kmsan_poison_memory); 391 392 /* 393 * Unlike kmsan_poison_memory(), this function can be used from within KMSAN 394 * runtime, because it does not trigger allocations or call instrumented code. 395 */ 396 void kmsan_unpoison_memory(const void *address, size_t size) 397 { 398 unsigned long ua_flags; 399 400 if (!kmsan_enabled) 401 return; 402 403 ua_flags = user_access_save(); 404 /* The users may want to poison/unpoison random memory. */ 405 kmsan_internal_unpoison_memory((void *)address, size, 406 KMSAN_POISON_NOCHECK); 407 user_access_restore(ua_flags); 408 } 409 EXPORT_SYMBOL(kmsan_unpoison_memory); 410 411 /* 412 * Version of kmsan_unpoison_memory() called from IRQ entry functions. 413 */ 414 void kmsan_unpoison_entry_regs(const struct pt_regs *regs) 415 { 416 kmsan_unpoison_memory((void *)regs, sizeof(*regs)); 417 } 418 419 void kmsan_check_memory(const void *addr, size_t size) 420 { 421 if (!kmsan_enabled) 422 return; 423 return kmsan_internal_check_memory((void *)addr, size, 424 /*user_addr*/ NULL, REASON_ANY); 425 } 426 EXPORT_SYMBOL(kmsan_check_memory); 427 428 void kmsan_enable_current(void) 429 { 430 KMSAN_WARN_ON(current->kmsan_ctx.depth == 0); 431 current->kmsan_ctx.depth--; 432 } 433 EXPORT_SYMBOL(kmsan_enable_current); 434 435 void kmsan_disable_current(void) 436 { 437 current->kmsan_ctx.depth++; 438 KMSAN_WARN_ON(current->kmsan_ctx.depth == 0); 439 } 440 EXPORT_SYMBOL(kmsan_disable_current); 441