[kbuild] mm/kfence/core.c:839:9: sparse: sparse: context imbalance in 'kfence_handle_page_fault' - different lock contexts for basic block

Sat, 27 Feb 2021 09:39:42 -0800 

CC: [email protected]
CC: [email protected]
TO: Alexander Potapenko <[email protected]>
CC: Marco Elver <[email protected]>
CC: Dmitry Vyukov <[email protected]>
CC: Jann Horn <[email protected]>
CC: Andrew Morton <[email protected]>
CC: Linux Memory Management List <[email protected]>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
master
head:   3fb6d0e00efc958d01c2f109c8453033a2d96796
commit: 1dc0da6e9ec0f8d735756374697912cd50f402cf x86, kfence: enable KFENCE for 
x86
date:   24 hours ago
:::::: branch date: 19 hours ago
:::::: commit date: 24 hours ago
config: i386-randconfig-s002-20210228 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce:
        # apt-get install sparse
        # sparse version: v0.6.3-241-geaceeafa-dirty
        # 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1dc0da6e9ec0f8d735756374697912cd50f402cf
        git remote add linus 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
        git fetch --no-tags linus master
        git checkout 1dc0da6e9ec0f8d735756374697912cd50f402cf
        # save the attached .config to linux build tree
        make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=i386 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>


"sparse warnings: (new ones prefixed by >>)"
>> mm/kfence/core.c:839:9: sparse: sparse: context imbalance in 
>> 'kfence_handle_page_fault' - different lock contexts for basic block

vim +/kfence_handle_page_fault +839 mm/kfence/core.c

0ce20dd840897b Alexander Potapenko 2021-02-25  768  
0ce20dd840897b Alexander Potapenko 2021-02-25  769  bool 
kfence_handle_page_fault(unsigned long addr)
0ce20dd840897b Alexander Potapenko 2021-02-25  770  {
0ce20dd840897b Alexander Potapenko 2021-02-25  771      const int page_index = 
(addr - (unsigned long)__kfence_pool) / PAGE_SIZE;
0ce20dd840897b Alexander Potapenko 2021-02-25  772      struct kfence_metadata 
*to_report = NULL;
0ce20dd840897b Alexander Potapenko 2021-02-25  773      enum kfence_error_type 
error_type;
0ce20dd840897b Alexander Potapenko 2021-02-25  774      unsigned long flags;
0ce20dd840897b Alexander Potapenko 2021-02-25  775  
0ce20dd840897b Alexander Potapenko 2021-02-25  776      if 
(!is_kfence_address((void *)addr))
0ce20dd840897b Alexander Potapenko 2021-02-25  777              return false;
0ce20dd840897b Alexander Potapenko 2021-02-25  778  
0ce20dd840897b Alexander Potapenko 2021-02-25  779      if 
(!READ_ONCE(kfence_enabled)) /* If disabled at runtime ... */
0ce20dd840897b Alexander Potapenko 2021-02-25  780              return 
kfence_unprotect(addr); /* ... unprotect and proceed. */
0ce20dd840897b Alexander Potapenko 2021-02-25  781  
0ce20dd840897b Alexander Potapenko 2021-02-25  782      
atomic_long_inc(&counters[KFENCE_COUNTER_BUGS]);
0ce20dd840897b Alexander Potapenko 2021-02-25  783  
0ce20dd840897b Alexander Potapenko 2021-02-25  784      if (page_index % 2) {
0ce20dd840897b Alexander Potapenko 2021-02-25  785              /* This is a 
redzone, report a buffer overflow. */
0ce20dd840897b Alexander Potapenko 2021-02-25  786              struct 
kfence_metadata *meta;
0ce20dd840897b Alexander Potapenko 2021-02-25  787              int distance = 
0;
0ce20dd840897b Alexander Potapenko 2021-02-25  788  
0ce20dd840897b Alexander Potapenko 2021-02-25  789              meta = 
addr_to_metadata(addr - PAGE_SIZE);
0ce20dd840897b Alexander Potapenko 2021-02-25  790              if (meta && 
READ_ONCE(meta->state) == KFENCE_OBJECT_ALLOCATED) {
0ce20dd840897b Alexander Potapenko 2021-02-25  791                      
to_report = meta;
0ce20dd840897b Alexander Potapenko 2021-02-25  792                      /* Data 
race ok; distance calculation approximate. */
0ce20dd840897b Alexander Potapenko 2021-02-25  793                      
distance = addr - data_race(meta->addr + meta->size);
0ce20dd840897b Alexander Potapenko 2021-02-25  794              }
0ce20dd840897b Alexander Potapenko 2021-02-25  795  
0ce20dd840897b Alexander Potapenko 2021-02-25  796              meta = 
addr_to_metadata(addr + PAGE_SIZE);
0ce20dd840897b Alexander Potapenko 2021-02-25  797              if (meta && 
READ_ONCE(meta->state) == KFENCE_OBJECT_ALLOCATED) {
0ce20dd840897b Alexander Potapenko 2021-02-25  798                      /* Data 
race ok; distance calculation approximate. */
0ce20dd840897b Alexander Potapenko 2021-02-25  799                      if 
(!to_report || distance > data_race(meta->addr) - addr)
0ce20dd840897b Alexander Potapenko 2021-02-25  800                              
to_report = meta;
0ce20dd840897b Alexander Potapenko 2021-02-25  801              }
0ce20dd840897b Alexander Potapenko 2021-02-25  802  
0ce20dd840897b Alexander Potapenko 2021-02-25  803              if (!to_report)
0ce20dd840897b Alexander Potapenko 2021-02-25  804                      goto 
out;
0ce20dd840897b Alexander Potapenko 2021-02-25  805  
0ce20dd840897b Alexander Potapenko 2021-02-25  806              
raw_spin_lock_irqsave(&to_report->lock, flags);
0ce20dd840897b Alexander Potapenko 2021-02-25  807              
to_report->unprotected_page = addr;
0ce20dd840897b Alexander Potapenko 2021-02-25  808              error_type = 
KFENCE_ERROR_OOB;
0ce20dd840897b Alexander Potapenko 2021-02-25  809  
0ce20dd840897b Alexander Potapenko 2021-02-25  810              /*
0ce20dd840897b Alexander Potapenko 2021-02-25  811               * If the 
object was freed before we took the look we can still
0ce20dd840897b Alexander Potapenko 2021-02-25  812               * report this 
as an OOB -- the report will simply show the
0ce20dd840897b Alexander Potapenko 2021-02-25  813               * stacktrace 
of the free as well.
0ce20dd840897b Alexander Potapenko 2021-02-25  814               */
0ce20dd840897b Alexander Potapenko 2021-02-25  815      } else {
0ce20dd840897b Alexander Potapenko 2021-02-25  816              to_report = 
addr_to_metadata(addr);
0ce20dd840897b Alexander Potapenko 2021-02-25  817              if (!to_report)
0ce20dd840897b Alexander Potapenko 2021-02-25  818                      goto 
out;
0ce20dd840897b Alexander Potapenko 2021-02-25  819  
0ce20dd840897b Alexander Potapenko 2021-02-25  820              
raw_spin_lock_irqsave(&to_report->lock, flags);
0ce20dd840897b Alexander Potapenko 2021-02-25  821              error_type = 
KFENCE_ERROR_UAF;
0ce20dd840897b Alexander Potapenko 2021-02-25  822              /*
0ce20dd840897b Alexander Potapenko 2021-02-25  823               * We may race 
with __kfence_alloc(), and it is possible that a
0ce20dd840897b Alexander Potapenko 2021-02-25  824               * freed object 
may be reallocated. We simply report this as a
0ce20dd840897b Alexander Potapenko 2021-02-25  825               * 
use-after-free, with the stack trace showing the place where
0ce20dd840897b Alexander Potapenko 2021-02-25  826               * the object 
was re-allocated.
0ce20dd840897b Alexander Potapenko 2021-02-25  827               */
0ce20dd840897b Alexander Potapenko 2021-02-25  828      }
0ce20dd840897b Alexander Potapenko 2021-02-25  829  
0ce20dd840897b Alexander Potapenko 2021-02-25  830  out:
0ce20dd840897b Alexander Potapenko 2021-02-25  831      if (to_report) {
0ce20dd840897b Alexander Potapenko 2021-02-25  832              
kfence_report_error(addr, to_report, error_type);
0ce20dd840897b Alexander Potapenko 2021-02-25  833              
raw_spin_unlock_irqrestore(&to_report->lock, flags);
0ce20dd840897b Alexander Potapenko 2021-02-25  834      } else {
0ce20dd840897b Alexander Potapenko 2021-02-25  835              /* This may be 
a UAF or OOB access, but we can't be sure. */
0ce20dd840897b Alexander Potapenko 2021-02-25  836              
kfence_report_error(addr, NULL, KFENCE_ERROR_INVALID);
0ce20dd840897b Alexander Potapenko 2021-02-25  837      }
0ce20dd840897b Alexander Potapenko 2021-02-25  838  
0ce20dd840897b Alexander Potapenko 2021-02-25 @839      return 
kfence_unprotect(addr); /* Unprotect and let access proceed. */

:::::: The code at line 839 was first introduced by commit
:::::: 0ce20dd840897b12ae70869c69f1ba34d6d16965 mm: add Kernel Electric-Fence 
infrastructure

:::::: TO: Alexander Potapenko <[email protected]>
:::::: CC: Linus Torvalds <[email protected]>

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]

Attachment: .config.gz
Description: application/gzip

_______________________________________________
kbuild mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to