kasan: remove use after scope bugs detection.

Use after scope bugs detector seems to be almost entirely useless for the linux kernel. It exists over two years, but I've seen only one valid bug so far [1]. And the bug was fixed before it has been reported. There were some other use-after-scope reports, but they were false-positives due to different reasons like incompatibility with structleak plugin. This feature significantly increases stack usage, especially with GCC < 9 version, and causes a 32K stack overflow. It probably adds performance penalty too. Given all that, let's remove use-after-scope detector entirely. While preparing this patch I've noticed that we mistakenly enable use-after-scope detection for clang compiler regardless of CONFIG_KASAN_EXTRA setting. This is also fixed now. [1] http://lkml.kernel.org/r/<20171129052106.rhgbjhhis53hkgfn@wfg-t540p.sh.intel.com> Link: http://lkml.kernel.org/r/20190111185842.13978-1-aryabinin@virtuozzo.com Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Acked-by: Will Deacon <will.deacon@arm.com> [arm64] Cc: Qian Cai <cai@lca.pw> Cc: Alexander Potapenko <glider@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Andrey Ryabinin <aryabinin@virtuozzo.com> 2019-03-05 18:41:20 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2019-03-06 00:07:13 -0500
commit: 7771bdbbfd3d6f204631b6fd9e1bbc30cd15918e (patch)
tree: 1f715a5317669f6473d1d4ddb4f5bf761e918e71
parent: 46612b751c4941c5c0472ddf04027e877ae5990f (diff)
9 files changed, 0 insertions, 73 deletions
diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h
index 0c656850eeea..b01ef0180a03 100644
--- a/arch/arm64/include/asm/memory.h
+++ b/arch/arm64/include/asm/memory.h
@@ -80,11 +80,7 @@
 */
 #ifdef CONFIG_KASAN
 #define KASAN_SHADOW_SIZE       (UL(1) << (VA_BITS - KASAN_SHADOW_SCALE_SHIFT))
-#ifdef CONFIG_KASAN_EXTRA
-#define KASAN_THREAD_SHIFT      2
-#else
 #define KASAN_THREAD_SHIFT      1
-#endif /* CONFIG_KASAN_EXTRA */
 #else
 #define KASAN_SHADOW_SIZE       (0)
 #define KASAN_THREAD_SHIFT      0
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index d4df5b24d75e..a219f3488ad7 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -222,7 +222,6 @@ config ENABLE_MUST_CHECK
 config FRAME_WARN
        int "Warn for stack frames larger than (needs gcc 4.4)"
        range 0 8192
-        default 3072 if KASAN_EXTRA
        default 2048 if GCC_PLUGIN_LATENT_ENTROPY
        default 1280 if (!64BIT && PARISC)
        default 1024 if (!64BIT && !PARISC)
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan
index 9737059ec58b..9950b660e62d 100644
--- a/lib/Kconfig.kasan
+++ b/lib/Kconfig.kasan
@@ -78,16 +78,6 @@ config KASAN_SW_TAGS
 endchoice
-config KASAN_EXTRA
-        bool "KASAN: extra checks"
-        depends on KASAN_GENERIC && DEBUG_KERNEL && !COMPILE_TEST
-        help
-          This enables further checks in generic KASAN, for now it only
-          includes the address-use-after-scope check that can lead to
-          excessive kernel stack usage, frame size warnings and longer
-          compile time.
-          See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715
 choice
        prompt "Instrumentation type"
        depends on KASAN
diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index 51b78405bf24..7de2702621dc 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -480,29 +480,6 @@ static noinline void __init copy_user_test(void)
        kfree(kmem);
 }
-static noinline void __init use_after_scope_test(void)
-{
-        volatile char *volatile p;
-        pr_info("use-after-scope on int\n");
-        {
-                int local = 0;
-                p = (char *)&local;
-        }
-        p[0] = 1;
-        p[3] = 1;
-        pr_info("use-after-scope on array\n");
-        {
-                char local[1024] = {0};
-                p = local;
-        }
-        p[0] = 1;
-        p[1023] = 1;
-}
 static noinline void __init kasan_alloca_oob_left(void)
 {
        volatile int i = 10;
@@ -682,7 +659,6 @@ static int __init kmalloc_tests_init(void)
        kasan_alloca_oob_right();
        ksize_unpoisons_memory();
        copy_user_test();
-        use_after_scope_test();
        kmem_cache_double_free();
        kmem_cache_invalid_free();
        kasan_memchr();
diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c
index ccb6207276e3..504c79363a34 100644
--- a/mm/kasan/generic.c
+++ b/mm/kasan/generic.c
@@ -275,25 +275,6 @@ EXPORT_SYMBOL(__asan_storeN_noabort);
 void __asan_handle_no_return(void) {}
 EXPORT_SYMBOL(__asan_handle_no_return);
-/* Emitted by compiler to poison large objects when they go out of scope. */
-void __asan_poison_stack_memory(const void *addr, size_t size)
-{
-        /*
-         * Addr is KASAN_SHADOW_SCALE_SIZE-aligned and the object is surrounded
-         * by redzones, so we simply round up size to simplify logic.
-         */
-        kasan_poison_shadow(addr, round_up(size, KASAN_SHADOW_SCALE_SIZE),
-                            KASAN_USE_AFTER_SCOPE);
-}
-EXPORT_SYMBOL(__asan_poison_stack_memory);
-/* Emitted by compiler to unpoison large objects when they go into scope. */
-void __asan_unpoison_stack_memory(const void *addr, size_t size)
-{
-        kasan_unpoison_shadow(addr, size);
-}
-EXPORT_SYMBOL(__asan_unpoison_stack_memory);
 /* Emitted by compiler to poison alloca()ed objects. */
 void __asan_alloca_poison(unsigned long addr, size_t size)
 {
diff --git a/mm/kasan/generic_report.c b/mm/kasan/generic_report.c
index 5e12035888f2..36c645939bc9 100644
--- a/mm/kasan/generic_report.c
+++ b/mm/kasan/generic_report.c
@@ -82,9 +82,6 @@ static const char *get_shadow_bug_type(struct kasan_access_info *info)
        case KASAN_KMALLOC_FREE:
                bug_type = "use-after-free";
                break;
-        case KASAN_USE_AFTER_SCOPE:
-                bug_type = "use-after-scope";
-                break;
        case KASAN_ALLOCA_LEFT:
        case KASAN_ALLOCA_RIGHT:
                bug_type = "alloca-out-of-bounds";
diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
index ea51b2d898ec..3e0c11f7d7a1 100644
--- a/mm/kasan/kasan.h
+++ b/mm/kasan/kasan.h
@@ -34,7 +34,6 @@
 #define KASAN_STACK_MID         0xF2
 #define KASAN_STACK_RIGHT       0xF3
 #define KASAN_STACK_PARTIAL     0xF4
-#define KASAN_USE_AFTER_SCOPE   0xF8
 /*
 * alloca redzone shadow values
@@ -187,8 +186,6 @@ void __asan_unregister_globals(struct kasan_global *globals, size_t size);
 void __asan_loadN(unsigned long addr, size_t size);
 void __asan_storeN(unsigned long addr, size_t size);
 void __asan_handle_no_return(void);
-void __asan_poison_stack_memory(const void *addr, size_t size);
-void __asan_unpoison_stack_memory(const void *addr, size_t size);
 void __asan_alloca_poison(unsigned long addr, size_t size);
 void __asan_allocas_unpoison(const void *stack_top, const void *stack_bottom);
diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan
index 6deabedc67fc..6410bd22fe38 100644
--- a/scripts/Makefile.kasan
+++ b/scripts/Makefile.kasan
@@ -27,14 +27,9 @@ else
         $(call cc-param,asan-globals=1) \
         $(call cc-param,asan-instrumentation-with-call-threshold=$(call_threshold)) \
         $(call cc-param,asan-stack=$(CONFIG_KASAN_STACK)) \
-         $(call cc-param,asan-use-after-scope=1) \
         $(call cc-param,asan-instrument-allocas=1)
 endif
-ifdef CONFIG_KASAN_EXTRA
-CFLAGS_KASAN += $(call cc-option, -fsanitize-address-use-after-scope)
-endif
 endif # CONFIG_KASAN_GENERIC
 ifdef CONFIG_KASAN_SW_TAGS
diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
index d45f7f36b859..d9fd9988ef27 100644
--- a/scripts/gcc-plugins/Kconfig
+++ b/scripts/gcc-plugins/Kconfig
@@ -68,10 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
 config GCC_PLUGIN_STRUCTLEAK
        bool "Force initialization of variables containing userspace addresses"
-        # Currently STRUCTLEAK inserts initialization out of live scope of
-        # variables from KASAN point of view. This leads to KASAN false
-        # positive reports. Prohibit this combination for now.
-        depends on !KASAN_EXTRA
        help
          This plugin zero-initializes any structures containing a
          __user attribute. This can prevent some classes of information
author	Andrey Ryabinin <aryabinin@virtuozzo.com>	2019-03-05 18:41:20 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2019-03-06 00:07:13 -0500
commit	7771bdbbfd3d6f204631b6fd9e1bbc30cd15918e (patch)
tree	1f715a5317669f6473d1d4ddb4f5bf761e918e71
parent	46612b751c4941c5c0472ddf04027e877ae5990f (diff)

diff --git a/arch/arm64/include/asm/memory.h b/arch/arm64/include/asm/memory.h index 0c656850eeea..b01ef0180a03 100644 --- a/arch/arm64/include/asm/memory.h +++ b/arch/arm64/include/asm/memory.h
@@ -80,11 +80,7 @@
80	*/	80	*/
81	#ifdef CONFIG_KASAN	81	#ifdef CONFIG_KASAN
82	#define KASAN_SHADOW_SIZE (UL(1) << (VA_BITS - KASAN_SHADOW_SCALE_SHIFT))	82	#define KASAN_SHADOW_SIZE (UL(1) << (VA_BITS - KASAN_SHADOW_SCALE_SHIFT))
83	#ifdef CONFIG_KASAN_EXTRA
84	#define KASAN_THREAD_SHIFT 2
85	#else
86	#define KASAN_THREAD_SHIFT 1	83	#define KASAN_THREAD_SHIFT 1
87	#endif /* CONFIG_KASAN_EXTRA */
88	#else	84	#else
89	#define KASAN_SHADOW_SIZE (0)	85	#define KASAN_SHADOW_SIZE (0)
90	#define KASAN_THREAD_SHIFT 0	86	#define KASAN_THREAD_SHIFT 0


diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index d4df5b24d75e..a219f3488ad7 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug
@@ -222,7 +222,6 @@ config ENABLE_MUST_CHECK
222	config FRAME_WARN	222	config FRAME_WARN
223	int "Warn for stack frames larger than (needs gcc 4.4)"	223	int "Warn for stack frames larger than (needs gcc 4.4)"
224	range 0 8192	224	range 0 8192
225	default 3072 if KASAN_EXTRA
226	default 2048 if GCC_PLUGIN_LATENT_ENTROPY	225	default 2048 if GCC_PLUGIN_LATENT_ENTROPY
227	default 1280 if (!64BIT && PARISC)	226	default 1280 if (!64BIT && PARISC)
228	default 1024 if (!64BIT && !PARISC)	227	default 1024 if (!64BIT && !PARISC)


diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index 9737059ec58b..9950b660e62d 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan
@@ -78,16 +78,6 @@ config KASAN_SW_TAGS
78		78
79	endchoice	79	endchoice
80		80
81	config KASAN_EXTRA
82	bool "KASAN: extra checks"
83	depends on KASAN_GENERIC && DEBUG_KERNEL && !COMPILE_TEST
84	help
85	This enables further checks in generic KASAN, for now it only
86	includes the address-use-after-scope check that can lead to
87	excessive kernel stack usage, frame size warnings and longer
88	compile time.
89	See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715
90
91	choice	81	choice
92	prompt "Instrumentation type"	82	prompt "Instrumentation type"
93	depends on KASAN	83	depends on KASAN


diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 51b78405bf24..7de2702621dc 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c
@@ -480,29 +480,6 @@ static noinline void __init copy_user_test(void)
480	kfree(kmem);	480	kfree(kmem);
481	}	481	}
482		482
483	static noinline void __init use_after_scope_test(void)
484	{
485	volatile char *volatile p;
486
487	pr_info("use-after-scope on int\n");
488	{
489	int local = 0;
490
491	p = (char *)&local;
492	}
493	p[0] = 1;
494	p[3] = 1;
495
496	pr_info("use-after-scope on array\n");
497	{
498	char local[1024] = {0};
499
500	p = local;
501	}
502	p[0] = 1;
503	p[1023] = 1;
504	}
505
506	static noinline void __init kasan_alloca_oob_left(void)	483	static noinline void __init kasan_alloca_oob_left(void)
507	{	484	{
508	volatile int i = 10;	485	volatile int i = 10;
@@ -682,7 +659,6 @@ static int __init kmalloc_tests_init(void)
682	kasan_alloca_oob_right();	659	kasan_alloca_oob_right();
683	ksize_unpoisons_memory();	660	ksize_unpoisons_memory();
684	copy_user_test();	661	copy_user_test();
685	use_after_scope_test();
686	kmem_cache_double_free();	662	kmem_cache_double_free();
687	kmem_cache_invalid_free();	663	kmem_cache_invalid_free();
688	kasan_memchr();	664	kasan_memchr();


diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c index ccb6207276e3..504c79363a34 100644 --- a/mm/kasan/generic.c +++ b/mm/kasan/generic.c
@@ -275,25 +275,6 @@ EXPORT_SYMBOL(__asan_storeN_noabort);
275	void __asan_handle_no_return(void) {}	275	void __asan_handle_no_return(void) {}
276	EXPORT_SYMBOL(__asan_handle_no_return);	276	EXPORT_SYMBOL(__asan_handle_no_return);
277		277
278	/* Emitted by compiler to poison large objects when they go out of scope. */
279	void __asan_poison_stack_memory(const void *addr, size_t size)
280	{
281	/*
282	* Addr is KASAN_SHADOW_SCALE_SIZE-aligned and the object is surrounded
283	* by redzones, so we simply round up size to simplify logic.
284	*/
285	kasan_poison_shadow(addr, round_up(size, KASAN_SHADOW_SCALE_SIZE),
286	KASAN_USE_AFTER_SCOPE);
287	}
288	EXPORT_SYMBOL(__asan_poison_stack_memory);
289
290	/* Emitted by compiler to unpoison large objects when they go into scope. */
291	void __asan_unpoison_stack_memory(const void *addr, size_t size)
292	{
293	kasan_unpoison_shadow(addr, size);
294	}
295	EXPORT_SYMBOL(__asan_unpoison_stack_memory);
296
297	/* Emitted by compiler to poison alloca()ed objects. */	278	/* Emitted by compiler to poison alloca()ed objects. */
298	void __asan_alloca_poison(unsigned long addr, size_t size)	279	void __asan_alloca_poison(unsigned long addr, size_t size)
299	{	280	{


diff --git a/mm/kasan/generic_report.c b/mm/kasan/generic_report.c index 5e12035888f2..36c645939bc9 100644 --- a/mm/kasan/generic_report.c +++ b/mm/kasan/generic_report.c
@@ -82,9 +82,6 @@ static const char get_shadow_bug_type(struct kasan_access_info info)
82	case KASAN_KMALLOC_FREE:	82	case KASAN_KMALLOC_FREE:
83	bug_type = "use-after-free";	83	bug_type = "use-after-free";
84	break;	84	break;
85	case KASAN_USE_AFTER_SCOPE:
86	bug_type = "use-after-scope";
87	break;
88	case KASAN_ALLOCA_LEFT:	85	case KASAN_ALLOCA_LEFT:
89	case KASAN_ALLOCA_RIGHT:	86	case KASAN_ALLOCA_RIGHT:
90	bug_type = "alloca-out-of-bounds";	87	bug_type = "alloca-out-of-bounds";


diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h index ea51b2d898ec..3e0c11f7d7a1 100644 --- a/mm/kasan/kasan.h +++ b/mm/kasan/kasan.h
@@ -34,7 +34,6 @@
34	#define KASAN_STACK_MID 0xF2	34	#define KASAN_STACK_MID 0xF2
35	#define KASAN_STACK_RIGHT 0xF3	35	#define KASAN_STACK_RIGHT 0xF3
36	#define KASAN_STACK_PARTIAL 0xF4	36	#define KASAN_STACK_PARTIAL 0xF4
37	#define KASAN_USE_AFTER_SCOPE 0xF8
38		37
39	/*	38	/*
40	* alloca redzone shadow values	39	* alloca redzone shadow values
@@ -187,8 +186,6 @@ void __asan_unregister_globals(struct kasan_global *globals, size_t size);
187	void __asan_loadN(unsigned long addr, size_t size);	186	void __asan_loadN(unsigned long addr, size_t size);
188	void __asan_storeN(unsigned long addr, size_t size);	187	void __asan_storeN(unsigned long addr, size_t size);
189	void __asan_handle_no_return(void);	188	void __asan_handle_no_return(void);
190	void __asan_poison_stack_memory(const void *addr, size_t size);
191	void __asan_unpoison_stack_memory(const void *addr, size_t size);
192	void __asan_alloca_poison(unsigned long addr, size_t size);	189	void __asan_alloca_poison(unsigned long addr, size_t size);
193	void __asan_allocas_unpoison(const void stack_top, const void stack_bottom);	190	void __asan_allocas_unpoison(const void stack_top, const void stack_bottom);
194		191


diff --git a/scripts/Makefile.kasan b/scripts/Makefile.kasan index 6deabedc67fc..6410bd22fe38 100644 --- a/scripts/Makefile.kasan +++ b/scripts/Makefile.kasan
@@ -27,14 +27,9 @@ else
27	$(call cc-param,asan-globals=1) \	27	$(call cc-param,asan-globals=1) \
28	$(call cc-param,asan-instrumentation-with-call-threshold=$(call_threshold)) \	28	$(call cc-param,asan-instrumentation-with-call-threshold=$(call_threshold)) \
29	$(call cc-param,asan-stack=$(CONFIG_KASAN_STACK)) \	29	$(call cc-param,asan-stack=$(CONFIG_KASAN_STACK)) \
30	$(call cc-param,asan-use-after-scope=1) \
31	$(call cc-param,asan-instrument-allocas=1)	30	$(call cc-param,asan-instrument-allocas=1)
32	endif	31	endif
33		32
34	ifdef CONFIG_KASAN_EXTRA
35	CFLAGS_KASAN += $(call cc-option, -fsanitize-address-use-after-scope)
36	endif
37
38	endif # CONFIG_KASAN_GENERIC	33	endif # CONFIG_KASAN_GENERIC
39		34
40	ifdef CONFIG_KASAN_SW_TAGS	35	ifdef CONFIG_KASAN_SW_TAGS


diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig index d45f7f36b859..d9fd9988ef27 100644 --- a/scripts/gcc-plugins/Kconfig +++ b/scripts/gcc-plugins/Kconfig
@@ -68,10 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
68		68
69	config GCC_PLUGIN_STRUCTLEAK	69	config GCC_PLUGIN_STRUCTLEAK
70	bool "Force initialization of variables containing userspace addresses"	70	bool "Force initialization of variables containing userspace addresses"
71	# Currently STRUCTLEAK inserts initialization out of live scope of
72	# variables from KASAN point of view. This leads to KASAN false
73	# positive reports. Prohibit this combination for now.
74	depends on !KASAN_EXTRA
75	help	71	help
76	This plugin zero-initializes any structures containing a	72	This plugin zero-initializes any structures containing a
77	__user attribute. This can prevent some classes of information	73	__user attribute. This can prevent some classes of information