On 10/13/2015 04:57 PM, Dmitry Vyukov wrote:
> On Tue, Oct 13, 2015 at 3:48 PM, Ingo Molnar <mi...@kernel.org> wrote:
>>
>> * Andrey Ryabinin <aryabi...@virtuozzo.com> wrote:
>>
>>> get_wchan() is racy by design, it may access volatile stack
>>> of running task, thus it may access redzone in a stack frame
>>> and cause KASAN to warn about this.
>>>
>>> Use READ_ONCE_NOCHECK() to silence these warnings.
>>>
>>> Reported-by: Sasha Levin <sasha.le...@oracle.com>
>>> Signed-off-by: Andrey Ryabinin <aryabi...@virtuozzo.com>
>>> ---
>>> arch/x86/kernel/process.c | 6 +++---
>>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
>>> index 39e585a..e28db18 100644
>>> --- a/arch/x86/kernel/process.c
>>> +++ b/arch/x86/kernel/process.c
>>> @@ -550,14 +550,14 @@ unsigned long get_wchan(struct task_struct *p)
>>> if (sp < bottom || sp > top)
>>> return 0;
>>>
>>> - fp = READ_ONCE(*(unsigned long *)sp);
>>> + fp = READ_ONCE_NOCHECK(*(unsigned long *)sp);
>>> do {
>>> if (fp < bottom || fp > top)
>>> return 0;
>>> - ip = READ_ONCE(*(unsigned long *)(fp + sizeof(unsigned
>>> long)));
>>> + ip = READ_ONCE_NOCHECK(*(unsigned long *)(fp +
>>> sizeof(unsigned long)));
>>> if (!in_sched_functions(ip))
>>> return ip;
>>> - fp = READ_ONCE(*(unsigned long *)fp);
>>> + fp = READ_ONCE_NOCHECK(*(unsigned long *)fp);
>>> } while (count++ < 16 && p->state != TASK_RUNNING);
>>> return 0;
>>> }
>>
>> Hm, exactly how is the 'red zone' defined? Is this about the current task
>> mostly,
>> or when doing get_wchan() on other tasks?
>
>
> When code is compiled with AddressSanitizer, most variables on stack
> have redzones around them, on entry function "poisons" these redzones
> (any accesses to them will be flagged), on exit function "unpoisons"
> these redzones.
>
An example bellow (stolen from slides -
http://events.linuxfoundation.org/sites/events/files/slides/LinuxCon%20North%20America%202015%20KernelAddressSanitizer.pdf)
The following function:
void foo(void) {
char a[328];
...
a[i] = 0;
}
will be transform by GCC to something like this:
void foo(void) {
char redzone1[32];
char a[328];
char redzone2[24];
char redzone3[32];
int *shadow = (&redzone1 >> 3) + shadow_offset;
shadow[0] = 0xf1f1f1f1; // poison redzone1
shadow[11] = 0xf4f4f400; // poison redzone2
shadow[12] = 0xf3f3f3f3; // poison redzone3
...
__asan_store1(&a[i]); //check access to a[i]
a[i] = 0;
shadow[0] = shadow[11] = shadow[12] = 0; //unpoison redzones.
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
