
asm-generic, x86: add bitops instrumentation for KASAN

This adds a new header to asm-generic to allow optionally instrumenting
architecture-specific asm implementations of bitops.

This change includes the required change for x86 as reference and
changes the kernel API doc to point to bitops-instrumented.h instead.
Rationale: the functions in x86's bitops.h are no longer the kernel API
functions, but instead the arch_ prefixed functions, which are then
instrumented via bitops-instrumented.h.

Other architectures can similarly add support for asm implementations of
bitops.

The documentation text was derived from x86 and existing bitops
asm-generic versions: 1) references to x86 have been removed; 2) as a
result, some of the text had to be reworded for clarity and consistency.

Tested using lib/test_kasan with bitops tests (pre-requisite patch).
Bugzilla ref: https://bugzilla.kernel.org/show_bug.cgi?id=198439

Link: http://lkml.kernel.org/r/20190613125950.197667-4-elver@google.com
Signed-off-by: Marco Elver <elver@google.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Marco Elver and committed by
Linus Torvalds
751ad98d ff661350

+302 -152
+1 -1
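--- a/Documentation/core-api/kernel-api.rst
+++ b/Documentation/core-api/kernel-api.rst
@@ -54,7 +54,7 @@
 Bit Operations
 --------------
 
-.. kernel-doc:: arch/x86/include/asm/bitops.h
+.. kernel-doc:: include/asm-generic/bitops-instrumented.h
    :internal:
 
 Bitmap Operations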
+38 -151
arch/x86/include/asm/bitops.h
··· 49 49 #define CONST_MASK_ADDR(nr, addr) WBYTE_ADDR((void *)(addr) + ((nr)>>3)) 50 50 #define CONST_MASK(nr) (1 << ((nr) & 7)) 51 51 52 - /** 53 - * set_bit - Atomically set a bit in memory 54 - * @nr: the bit to set 55 - * @addr: the address to start counting from 56 - * 57 - * This function is atomic and may not be reordered. See __set_bit() 58 - * if you do not require the atomic guarantees. 59 - * 60 - * Note: there are no guarantees that this function will not be reordered 61 - * on non x86 architectures, so if you are writing portable code, 62 - * make sure not to rely on its reordering guarantees. 63 - * 64 - * Note that @nr may be almost arbitrarily large; this function is not 65 - * restricted to acting on a single-word quantity. 66 - */ 67 52 static __always_inline void 68 - set_bit(long nr, volatile unsigned long *addr) 53 + arch_set_bit(long nr, volatile unsigned long *addr) 69 54 { 70 55 if (IS_IMMEDIATE(nr)) { 71 56 asm volatile(LOCK_PREFIX "orb %1,%0" ··· 63 78 } 64 79 } 65 80 66 - /** 67 - * __set_bit - Set a bit in memory 68 - * @nr: the bit to set 69 - * @addr: the address to start counting from 70 - * 71 - * Unlike set_bit(), this function is non-atomic and may be reordered. 72 - * If it's called on the same region of memory simultaneously, the effect 73 - * may be that only one operation succeeds. 74 - */ 75 - static __always_inline void __set_bit(long nr, volatile unsigned long *addr) 81 + static __always_inline void 82 + arch___set_bit(long nr, volatile unsigned long *addr) 76 83 { 77 84 asm volatile(__ASM_SIZE(bts) " %1,%0" : : ADDR, "Ir" (nr) : "memory"); 78 85 } 79 86 80 - /** 81 - * clear_bit - Clears a bit in memory 82 - * @nr: Bit to clear 83 - * @addr: Address to start counting from 84 - * 85 - * clear_bit() is atomic and may not be reordered. 
However, it does 86 - * not contain a memory barrier, so if it is used for locking purposes, 87 - * you should call smp_mb__before_atomic() and/or smp_mb__after_atomic() 88 - * in order to ensure changes are visible on other processors. 89 - */ 90 87 static __always_inline void 91 - clear_bit(long nr, volatile unsigned long *addr) 88 + arch_clear_bit(long nr, volatile unsigned long *addr) 92 89 { 93 90 if (IS_IMMEDIATE(nr)) { 94 91 asm volatile(LOCK_PREFIX "andb %1,%0" ··· 82 115 } 83 116 } 84 117 85 - /* 86 - * clear_bit_unlock - Clears a bit in memory 87 - * @nr: Bit to clear 88 - * @addr: Address to start counting from 89 - * 90 - * clear_bit() is atomic and implies release semantics before the memory 91 - * operation. It can be used for an unlock. 92 - */ 93 - static __always_inline void clear_bit_unlock(long nr, volatile unsigned long *addr) 118 + static __always_inline void 119 + arch_clear_bit_unlock(long nr, volatile unsigned long *addr) 94 120 { 95 121 barrier(); 96 - clear_bit(nr, addr); 122 + arch_clear_bit(nr, addr); 97 123 } 98 124 99 - static __always_inline void __clear_bit(long nr, volatile unsigned long *addr) 125 + static __always_inline void 126 + arch___clear_bit(long nr, volatile unsigned long *addr) 100 127 { 101 128 asm volatile(__ASM_SIZE(btr) " %1,%0" : : ADDR, "Ir" (nr) : "memory"); 102 129 } 103 130 104 - static __always_inline bool clear_bit_unlock_is_negative_byte(long nr, volatile unsigned long *addr) 131 + static __always_inline bool 132 + arch_clear_bit_unlock_is_negative_byte(long nr, volatile unsigned long *addr) 105 133 { 106 134 bool negative; 107 135 asm volatile(LOCK_PREFIX "andb %2,%1" ··· 105 143 : "ir" ((char) ~(1 << nr)) : "memory"); 106 144 return negative; 107 145 } 146 + #define arch_clear_bit_unlock_is_negative_byte \ 147 + arch_clear_bit_unlock_is_negative_byte 108 148 109 - // Let everybody know we have it 110 - #define clear_bit_unlock_is_negative_byte clear_bit_unlock_is_negative_byte 111 - 112 - /* 113 - * 
__clear_bit_unlock - Clears a bit in memory 114 - * @nr: Bit to clear 115 - * @addr: Address to start counting from 116 - * 117 - * __clear_bit() is non-atomic and implies release semantics before the memory 118 - * operation. It can be used for an unlock if no other CPUs can concurrently 119 - * modify other bits in the word. 120 - */ 121 - static __always_inline void __clear_bit_unlock(long nr, volatile unsigned long *addr) 149 + static __always_inline void 150 + arch___clear_bit_unlock(long nr, volatile unsigned long *addr) 122 151 { 123 - __clear_bit(nr, addr); 152 + arch___clear_bit(nr, addr); 124 153 } 125 154 126 - /** 127 - * __change_bit - Toggle a bit in memory 128 - * @nr: the bit to change 129 - * @addr: the address to start counting from 130 - * 131 - * Unlike change_bit(), this function is non-atomic and may be reordered. 132 - * If it's called on the same region of memory simultaneously, the effect 133 - * may be that only one operation succeeds. 134 - */ 135 - static __always_inline void __change_bit(long nr, volatile unsigned long *addr) 155 + static __always_inline void 156 + arch___change_bit(long nr, volatile unsigned long *addr) 136 157 { 137 158 asm volatile(__ASM_SIZE(btc) " %1,%0" : : ADDR, "Ir" (nr) : "memory"); 138 159 } 139 160 140 - /** 141 - * change_bit - Toggle a bit in memory 142 - * @nr: Bit to change 143 - * @addr: Address to start counting from 144 - * 145 - * change_bit() is atomic and may not be reordered. 146 - * Note that @nr may be almost arbitrarily large; this function is not 147 - * restricted to acting on a single-word quantity. 
148 - */ 149 - static __always_inline void change_bit(long nr, volatile unsigned long *addr) 161 + static __always_inline void 162 + arch_change_bit(long nr, volatile unsigned long *addr) 150 163 { 151 164 if (IS_IMMEDIATE(nr)) { 152 165 asm volatile(LOCK_PREFIX "xorb %1,%0" ··· 133 196 } 134 197 } 135 198 136 - /** 137 - * test_and_set_bit - Set a bit and return its old value 138 - * @nr: Bit to set 139 - * @addr: Address to count from 140 - * 141 - * This operation is atomic and cannot be reordered. 142 - * It also implies a memory barrier. 143 - */ 144 - static __always_inline bool test_and_set_bit(long nr, volatile unsigned long *addr) 199 + static __always_inline bool 200 + arch_test_and_set_bit(long nr, volatile unsigned long *addr) 145 201 { 146 202 return GEN_BINARY_RMWcc(LOCK_PREFIX __ASM_SIZE(bts), *addr, c, "Ir", nr); 147 203 } 148 204 149 - /** 150 - * test_and_set_bit_lock - Set a bit and return its old value for lock 151 - * @nr: Bit to set 152 - * @addr: Address to count from 153 - * 154 - * This is the same as test_and_set_bit on x86. 155 - */ 156 205 static __always_inline bool 157 - test_and_set_bit_lock(long nr, volatile unsigned long *addr) 206 + arch_test_and_set_bit_lock(long nr, volatile unsigned long *addr) 158 207 { 159 - return test_and_set_bit(nr, addr); 208 + return arch_test_and_set_bit(nr, addr); 160 209 } 161 210 162 - /** 163 - * __test_and_set_bit - Set a bit and return its old value 164 - * @nr: Bit to set 165 - * @addr: Address to count from 166 - * 167 - * This operation is non-atomic and can be reordered. 168 - * If two examples of this operation race, one can appear to succeed 169 - * but actually fail. You must protect multiple accesses with a lock. 
170 - */ 171 - static __always_inline bool __test_and_set_bit(long nr, volatile unsigned long *addr) 211 + static __always_inline bool 212 + arch___test_and_set_bit(long nr, volatile unsigned long *addr) 172 213 { 173 214 bool oldbit; 174 215 ··· 157 242 return oldbit; 158 243 } 159 244 160 - /** 161 - * test_and_clear_bit - Clear a bit and return its old value 162 - * @nr: Bit to clear 163 - * @addr: Address to count from 164 - * 165 - * This operation is atomic and cannot be reordered. 166 - * It also implies a memory barrier. 167 - */ 168 - static __always_inline bool test_and_clear_bit(long nr, volatile unsigned long *addr) 245 + static __always_inline bool 246 + arch_test_and_clear_bit(long nr, volatile unsigned long *addr) 169 247 { 170 248 return GEN_BINARY_RMWcc(LOCK_PREFIX __ASM_SIZE(btr), *addr, c, "Ir", nr); 171 249 } 172 250 173 - /** 174 - * __test_and_clear_bit - Clear a bit and return its old value 175 - * @nr: Bit to clear 176 - * @addr: Address to count from 177 - * 178 - * This operation is non-atomic and can be reordered. 179 - * If two examples of this operation race, one can appear to succeed 180 - * but actually fail. You must protect multiple accesses with a lock. 181 - * 251 + /* 182 252 * Note: the operation is performed atomically with respect to 183 253 * the local CPU, but not other CPUs. Portable code should not 184 254 * rely on this behaviour. ··· 171 271 * accessed from a hypervisor on the same CPU if running in a VM: don't change 172 272 * this without also updating arch/x86/kernel/kvm.c 173 273 */ 174 - static __always_inline bool __test_and_clear_bit(long nr, volatile unsigned long *addr) 274 + static __always_inline bool 275 + arch___test_and_clear_bit(long nr, volatile unsigned long *addr) 175 276 { 176 277 bool oldbit; 177 278 ··· 183 282 return oldbit; 184 283 } 185 284 186 - /* WARNING: non atomic and it can be reordered! 
*/ 187 - static __always_inline bool __test_and_change_bit(long nr, volatile unsigned long *addr) 285 + static __always_inline bool 286 + arch___test_and_change_bit(long nr, volatile unsigned long *addr) 188 287 { 189 288 bool oldbit; 190 289 ··· 196 295 return oldbit; 197 296 } 198 297 199 - /** 200 - * test_and_change_bit - Change a bit and return its old value 201 - * @nr: Bit to change 202 - * @addr: Address to count from 203 - * 204 - * This operation is atomic and cannot be reordered. 205 - * It also implies a memory barrier. 206 - */ 207 - static __always_inline bool test_and_change_bit(long nr, volatile unsigned long *addr) 298 + static __always_inline bool 299 + arch_test_and_change_bit(long nr, volatile unsigned long *addr) 208 300 { 209 301 return GEN_BINARY_RMWcc(LOCK_PREFIX __ASM_SIZE(btc), *addr, c, "Ir", nr); 210 302 } ··· 220 326 return oldbit; 221 327 } 222 328 223 - #if 0 /* Fool kernel-doc since it doesn't do macros yet */ 224 - /** 225 - * test_bit - Determine whether a bit is set 226 - * @nr: bit number to test 227 - * @addr: Address to start counting from 228 - */ 229 - static bool test_bit(int nr, const volatile unsigned long *addr); 230 - #endif 231 - 232 - #define test_bit(nr, addr) \ 329 + #define arch_test_bit(nr, addr) \ 233 330 (__builtin_constant_p((nr)) \ 234 331 ? constant_test_bit((nr), (addr)) \ 235 332 : variable_test_bit((nr), (addr))) ··· 388 503 #include <asm/arch_hweight.h> 389 504 390 505 #include <asm-generic/bitops/const_hweight.h> 506 + 507 + #include <asm-generic/bitops-instrumented.h> 391 508 392 509 #include <asm-generic/bitops/le.h> 393 510
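Review bot: The self-referencing `#define arch_clear_bit_unlock_is_negative_byte arch_clear_bit_unlock_is_negative_byte` (new lines 146-147) drops the `// Let everybody know we have it` comment the old define carried, so a reader of bitops.h can no longer tell that the macro exists purely as a feature flag consumed by the generic header; a one-line comment above it, `/* Let asm-generic/bitops-instrumented.h know this arch provides it. */`, would restore that. The define also sits directly under the closing brace with no blank line, unlike every other definition in this file. The new `#include <asm-generic/bitops-instrumented.h>` at line 507 is order-sensitive — it must follow the last arch_ definition and, presumably, precede le.h which builds on the un-prefixed names — and a short comment saying so would keep a future include reshuffle from silently breaking the build. The enclosing header continues outside every hunk shown here.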
+263
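--- /dev/null
+++ b/include/asm-generic/bitops-instrumented.h
@@ -0,0 +1,263 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * This file provides wrappers with sanitizer instrumentation for bit
+ * operations.
+ *
+ * To use this functionality, an arch's bitops.h file needs to define each of
+ * the below bit operations with an arch_ prefix (e.g. arch_set_bit(),
+ * arch___set_bit(), etc.).
+ */
+#ifndef _ASM_GENERIC_BITOPS_INSTRUMENTED_H
+#define _ASM_GENERIC_BITOPS_INSTRUMENTED_H
+
+#include <linux/kasan-checks.h>
+
+/**
+ * set_bit - Atomically set a bit in memory
+ * @nr: the bit to set
+ * @addr: the address to start counting from
+ *
+ * This is a relaxed atomic operation (no implied memory barriers).
+ *
+ * Note that @nr may be almost arbitrarily large; this function is not
+ * restricted to acting on a single-word quantity.
+ */
+static inline void set_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	arch_set_bit(nr, addr);
+}
+
+/**
+ * __set_bit - Set a bit in memory
+ * @nr: the bit to set
+ * @addr: the address to start counting from
+ *
+ * Unlike set_bit(), this function is non-atomic. If it is called on the same
+ * region of memory concurrently, the effect may be that only one operation
+ * succeeds.
+ */
+static inline void __set_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	arch___set_bit(nr, addr);
+}
+
+/**
+ * clear_bit - Clears a bit in memory
+ * @nr: Bit to clear
+ * @addr: Address to start counting from
+ *
+ * This is a relaxed atomic operation (no implied memory barriers).
+ */
+static inline void clear_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	arch_clear_bit(nr, addr);
+}
+
+/**
+ * __clear_bit - Clears a bit in memory
+ * @nr: the bit to clear
+ * @addr: the address to start counting from
+ *
+ * Unlike clear_bit(), this function is non-atomic. If it is called on the same
+ * region of memory concurrently, the effect may be that only one operation
+ * succeeds.
+ */
+static inline void __clear_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	arch___clear_bit(nr, addr);
+}
+
+/**
+ * clear_bit_unlock - Clear a bit in memory, for unlock
+ * @nr: the bit to set
+ * @addr: the address to start counting from
+ *
+ * This operation is atomic and provides release barrier semantics.
+ */
+static inline void clear_bit_unlock(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	arch_clear_bit_unlock(nr, addr);
+}
+
+/**
+ * __clear_bit_unlock - Clears a bit in memory
+ * @nr: Bit to clear
+ * @addr: Address to start counting from
+ *
+ * This is a non-atomic operation but implies a release barrier before the
+ * memory operation. It can be used for an unlock if no other CPUs can
+ * concurrently modify other bits in the word.
+ */
+static inline void __clear_bit_unlock(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	arch___clear_bit_unlock(nr, addr);
+}
+
+/**
+ * change_bit - Toggle a bit in memory
+ * @nr: Bit to change
+ * @addr: Address to start counting from
+ *
+ * This is a relaxed atomic operation (no implied memory barriers).
+ *
+ * Note that @nr may be almost arbitrarily large; this function is not
+ * restricted to acting on a single-word quantity.
+ */
+static inline void change_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	arch_change_bit(nr, addr);
+}
+
+/**
+ * __change_bit - Toggle a bit in memory
+ * @nr: the bit to change
+ * @addr: the address to start counting from
+ *
+ * Unlike change_bit(), this function is non-atomic. If it is called on the same
+ * region of memory concurrently, the effect may be that only one operation
+ * succeeds.
+ */
+static inline void __change_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	arch___change_bit(nr, addr);
+}
+
+/**
+ * test_and_set_bit - Set a bit and return its old value
+ * @nr: Bit to set
+ * @addr: Address to count from
+ *
+ * This is an atomic fully-ordered operation (implied full memory barrier).
+ */
+static inline bool test_and_set_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	return arch_test_and_set_bit(nr, addr);
+}
+
+/**
+ * __test_and_set_bit - Set a bit and return its old value
+ * @nr: Bit to set
+ * @addr: Address to count from
+ *
+ * This operation is non-atomic. If two instances of this operation race, one
+ * can appear to succeed but actually fail.
+ */
+static inline bool __test_and_set_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	return arch___test_and_set_bit(nr, addr);
+}
+
+/**
+ * test_and_set_bit_lock - Set a bit and return its old value, for lock
+ * @nr: Bit to set
+ * @addr: Address to count from
+ *
+ * This operation is atomic and provides acquire barrier semantics if
+ * the returned value is 0.
+ * It can be used to implement bit locks.
+ */
+static inline bool test_and_set_bit_lock(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	return arch_test_and_set_bit_lock(nr, addr);
+}
+
+/**
+ * test_and_clear_bit - Clear a bit and return its old value
+ * @nr: Bit to clear
+ * @addr: Address to count from
+ *
+ * This is an atomic fully-ordered operation (implied full memory barrier).
+ */
+static inline bool test_and_clear_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	return arch_test_and_clear_bit(nr, addr);
+}
+
+/**
+ * __test_and_clear_bit - Clear a bit and return its old value
+ * @nr: Bit to clear
+ * @addr: Address to count from
+ *
+ * This operation is non-atomic. If two instances of this operation race, one
+ * can appear to succeed but actually fail.
+ */
+static inline bool __test_and_clear_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	return arch___test_and_clear_bit(nr, addr);
+}
+
+/**
+ * test_and_change_bit - Change a bit and return its old value
+ * @nr: Bit to change
+ * @addr: Address to count from
+ *
+ * This is an atomic fully-ordered operation (implied full memory barrier).
+ */
+static inline bool test_and_change_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	return arch_test_and_change_bit(nr, addr);
+}
+
+/**
+ * __test_and_change_bit - Change a bit and return its old value
+ * @nr: Bit to change
+ * @addr: Address to count from
+ *
+ * This operation is non-atomic. If two instances of this operation race, one
+ * can appear to succeed but actually fail.
+ */
+static inline bool __test_and_change_bit(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	return arch___test_and_change_bit(nr, addr);
+}
+
+/**
+ * test_bit - Determine whether a bit is set
+ * @nr: bit number to test
+ * @addr: Address to start counting from
+ */
+static inline bool test_bit(long nr, const volatile unsigned long *addr)
+{
+	kasan_check_read(addr + BIT_WORD(nr), sizeof(long));
+	return arch_test_bit(nr, addr);
+}
+
+#if defined(arch_clear_bit_unlock_is_negative_byte)
+/**
+ * clear_bit_unlock_is_negative_byte - Clear a bit in memory and test if bottom
+ *                                     byte is negative, for unlock.
+ * @nr: the bit to clear
+ * @addr: the address to start counting from
+ *
+ * This operation is atomic and provides release barrier semantics.
+ *
+ * This is a bit of a one-trick-pony for the filemap code, which clears
+ * PG_locked and tests PG_waiters,
+ */
+static inline bool
+clear_bit_unlock_is_negative_byte(long nr, volatile unsigned long *addr)
+{
+	kasan_check_write(addr + BIT_WORD(nr), sizeof(long));
+	return arch_clear_bit_unlock_is_negative_byte(nr, addr);
+}
+/* Let everybody know we have it. */
+#define clear_bit_unlock_is_negative_byte clear_bit_unlock_is_negative_byte
+#endif
+
+#endif /* _ASM_GENERIC_BITOPS_INSTRUMENTED_H */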
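Review bot: The kernel-doc for clear_bit_unlock() (new line 77) says `@nr: the bit to set` although the function clears the bit; it should read `@nr: the bit to clear`, matching the __clear_bit_unlock() block at line 90. The short description of clear_bit_unlock_is_negative_byte() ends mid-sentence with a comma, `PG_locked and tests PG_waiters,` (line 251), where a period was presumably intended. Every wrapper relies on BIT_WORD() and bool being in scope, yet the only include is <linux/kasan-checks.h>, so the header compiles only because the arch bitops.h that includes it has already pulled those in; a comment next to the include such as `/* Must be included from an arch bitops.h after BIT_WORD() and the arch_ bitops are in scope. */` would make that contract explicit for the next arch that adopts this file. The instrumented size `sizeof(long)` at `addr + BIT_WORD(nr)` covers the whole word the arch operations may touch, which is the right granularity for the sanitizer check.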