Add support for Kernel Memory Sanitizer (kMSan). It detects uninitialized

memory used by the kernel at run time, and just like kASan and kCSan, it is an excellent feature. It has already detected 38 uninitialized variables in the kernel during my testing, which I have since discreetly fixed. We use two shadows: - "shad", to track uninitialized memory with a bit granularity (1:1). Each bit set to 1 in the shad corresponds to one uninitialized bit of real kernel memory. - "orig", to track the origin of the memory with a 4-byte granularity (1:1). Each uint32_t cell in the orig indicates the origin of the associated uint32_t of real kernel memory. The memory consumption of these shadows is consequent, so at least 4GB of RAM is recommended to run kMSan. The compiler inserts calls to specific __msan_* functions on each memory access, to manage both the shad and the orig and detect uninitialized memory accesses that change the execution flow (like an "if" on an uninitialized variable). We mark as uninit several types of memory buffers (stack, pools, kmem, malloc, uvm_km), and check each buffer passed to copyout, copyoutstr, bwrite, if_transmit_lock and DMA operations, to detect uninitialized memory that leaves the system. This allows us to detect kernel info leaks in a way that is more efficient and also more user-friendly than KLEAK. Contrary to kASan, kMSan requires comprehensive coverage, ie we cannot tolerate having one non-instrumented function, because this could cause false positives. kMSan cannot instrument ASM functions, so I converted most of them to __asm__ inlines, which kMSan is able to instrument. Those that remain receive special treatment. Contrary to kASan again, kMSan uses a TLS, so we must context-switch this TLS during interrupts. We use different contexts depending on the interrupt level. The orig tracks precisely the origin of a buffer. We use a special encoding for the orig values, and pack together in each uint32_t cell of the orig: - a code designating the type of memory (Stack, Pool, etc), and - a compressed pointer, which points either (1) to a string containing the name of the variable associated with the cell, or (2) to an area in the kernel .text section which we resolve to a symbol name + offset. This encoding allows us not to consume extra memory for associating information with each cell, and produces a precise output, that can tell for example the name of an uninitialized variable on the stack, the function in which it was pushed on the stack, and the function where we accessed this uninitialized variable. kMSan is available with LLVM, but not with GCC. The code is organized in a way that is similar to kASan and kCSan, so it means that other architectures than amd64 can be supported.
2019-11-14 16:23:52 +00:00 · 2019-11-14 16:23:52 +00:00 · 10c5b02320
commit 10c5b02320
parent b76c9f8f6f
37 changed files with 2198 additions and 61 deletions
--- a/sys/arch/amd64/amd64/amd64_trap.S
+++ b/sys/arch/amd64/amd64/amd64_trap.S
@ -1,4 +1,4 @@
-/*	$NetBSD: amd64_trap.S,v 1.49 2019/10/12 06:31:03 maxv Exp $	*/
+/*	$NetBSD: amd64_trap.S,v 1.50 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright (c) 1998, 2007, 2008, 2017 The NetBSD Foundation, Inc.
@ -224,6 +224,7 @@ IDTVEC(trap01)
 	cld
 	SMAP_ENABLE
 	IBRS_ENTER
+	KMSAN_ENTER
 	movw	%gs,TF_GS(%rsp)
 	movw	%fs,TF_FS(%rsp)
 	movw	%es,TF_ES(%rsp)
@ -267,6 +268,7 @@ IDTVEC(trap02)
 	movw	%ds,TF_DS(%rsp)

 	SVS_ENTER_NMI
+	KMSAN_ENTER

 	movl	$MSR_GSBASE,%ecx
 	rdmsr
@ -292,6 +294,7 @@ IDTVEC(trap02)
 	IBRS_LEAVE
 1:

+	KMSAN_LEAVE
 	SVS_LEAVE_NMI
 	INTR_RESTORE_GPRS
 	addq	$TF_REGSIZE+16,%rsp
@ -668,6 +671,7 @@ calltrap:
 	movl	$T_ASTFLT,TF_TRAPNO(%rsp)
 	movq	%rsp,%rdi
 	incq	CPUVAR(NTRAP)
+	KMSAN_INIT_ARG(8)
 	call	_C_LABEL(trap)
 	jmp	.Lalltraps_checkast	/* re-check ASTs */
 3:	CHECK_DEFERRED_SWITCH
--- a/sys/arch/amd64/amd64/busfunc.S
+++ b/sys/arch/amd64/amd64/busfunc.S
@ -1,4 +1,4 @@
-/*	$NetBSD: busfunc.S,v 1.11 2013/06/22 05:20:57 uebayasi Exp $	*/
+/*	$NetBSD: busfunc.S,v 1.12 2019/11/14 16:23:52 maxv Exp $	*/

 /*-
 * Copyright (c) 2007, 2008 The NetBSD Foundation, Inc.
@ -30,6 +30,7 @@
 */

 #include <machine/asm.h>
+#include <machine/frameasm.h>

 #include "assym.h"

@ -47,10 +48,12 @@ ENTRY(bus_space_read_1)
 	cmpl	$X86_BUS_SPACE_IO, BST_TYPE(%rdi)
 	je	1f
 	movzbl	(%rdx), %eax
+	KMSAN_INIT_RET(1)
 	ret
 1:
 	xorl	%eax, %eax
 	inb	%dx, %al
+	KMSAN_INIT_RET(1)
 	ret
 END(bus_space_read_1)

@ -63,10 +66,12 @@ ENTRY(bus_space_read_2)
 	cmpl	$X86_BUS_SPACE_IO, BST_TYPE(%rdi)
 	je	1f
 	movzwl	(%rdx), %eax
+	KMSAN_INIT_RET(2)
 	ret
 1:
 	xorl	%eax, %eax
 	inw	%dx, %ax
+	KMSAN_INIT_RET(2)
 	ret
 END(bus_space_read_2)

@ -79,9 +84,11 @@ ENTRY(bus_space_read_4)
 	cmpl	$X86_BUS_SPACE_IO, BST_TYPE(%rdi)
 	je	1f
 	movl	(%rdx), %eax
+	KMSAN_INIT_RET(4)
 	ret
 1:
 	inl	%dx, %eax
+	KMSAN_INIT_RET(4)
 	ret
 END(bus_space_read_4)

@ -94,6 +101,7 @@ ENTRY(bus_space_read_8)
 	cmpl	$X86_BUS_SPACE_IO, BST_TYPE(%rdi)
 	je	.Ldopanic
 	movq	(%rdx), %rax
+	KMSAN_INIT_RET(8)
 	ret
 END(bus_space_read_8)

--- a/sys/arch/amd64/amd64/cpu_in_cksum.S
+++ b/sys/arch/amd64/amd64/cpu_in_cksum.S
@ -1,4 +1,4 @@
-/* $NetBSD: cpu_in_cksum.S,v 1.3 2015/06/30 21:08:24 christos Exp $ */
+/* $NetBSD: cpu_in_cksum.S,v 1.4 2019/11/14 16:23:52 maxv Exp $ */

 /*-
 * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
@ -30,6 +30,7 @@
 */

 #include <machine/asm.h>
+#include <machine/frameasm.h>
 #include "assym.h"

 ENTRY(cpu_in_cksum)
@ -282,6 +283,7 @@ ENTRY(cpu_in_cksum)
 .Mreturn:
 	popq	%rbx
 	popq	%rbp
+	KMSAN_INIT_RET(4)
 	ret

 .Mout_of_mbufs:
--- a/sys/arch/amd64/amd64/cpufunc.S
+++ b/sys/arch/amd64/amd64/cpufunc.S
@ -1,4 +1,4 @@
-/*	$NetBSD: cpufunc.S,v 1.46 2019/10/30 17:06:57 maxv Exp $	*/
+/*	$NetBSD: cpufunc.S,v 1.47 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright (c) 1998, 2007, 2008 The NetBSD Foundation, Inc.
@ -153,6 +153,7 @@ END(setusergs)
 ENTRY(x86_read_flags)
 	pushfq
 	popq	%rax
+	KMSAN_INIT_RET(8)
 	ret
 END(x86_read_flags)

@ -174,6 +175,7 @@ ENTRY(tsc_get_timecount)
 	addl	CPUVAR(CC_SKEW), %eax
 	cmpq	%rdi, L_NCSW(%rcx)
 	jne	2f
+	KMSAN_INIT_RET(4)
 	ret
 2:
 	jmp	1b
@ -194,6 +196,13 @@ ENTRY(rdmsr_safe)

 	xorq	%rax, %rax
 	movq	%rax, PCB_ONFAULT(%r8)
+#ifdef KMSAN
+	movq	%rsi,%rdi
+	movq	$8,%rsi
+	xorq	%rdx,%rdx
+	callq	_C_LABEL(kmsan_mark)
+#endif
+	KMSAN_INIT_RET(4)
 	ret
 END(rdmsr_safe)

@ -211,12 +220,14 @@ ENTRY(cpu_counter)
 	shlq	$32, %rdx
 	orq	%rdx, %rax
 	addq	CPUVAR(CC_SKEW), %rax
+	KMSAN_INIT_RET(8)
 	ret
 END(cpu_counter)

 ENTRY(cpu_counter32)
 	rdtsc
 	addl	CPUVAR(CC_SKEW), %eax
+	KMSAN_INIT_RET(4)
 	ret
 END(cpu_counter32)

@ -230,11 +241,13 @@ END(breakpoint)

 ENTRY(x86_curcpu)
 	movq	%gs:(CPU_INFO_SELF), %rax
+	KMSAN_INIT_RET(8)
 	ret
 END(x86_curcpu)

 ENTRY(x86_curlwp)
 	movq	%gs:(CPU_INFO_CURLWP), %rax
+	KMSAN_INIT_RET(8)
 	ret
 END(x86_curlwp)

@ -246,12 +259,14 @@ END(cpu_set_curpri)
 ENTRY(__byte_swap_u32_variable)
 	movl	%edi, %eax
 	bswapl	%eax
+	KMSAN_INIT_RET(4)
 	ret
 END(__byte_swap_u32_variable)

 ENTRY(__byte_swap_u16_variable)
 	movl	%edi, %eax
 	xchgb	%al, %ah
+	KMSAN_INIT_RET(2)
 	ret
 END(__byte_swap_u16_variable)

@ -330,6 +345,7 @@ ENTRY(inb)
 	movq	%rdi, %rdx
 	xorq	%rax, %rax
 	inb	%dx, %al
+	KMSAN_INIT_RET(1)
 	ret
 END(inb)

@ -346,6 +362,7 @@ ENTRY(inw)
 	movq	%rdi, %rdx
 	xorq	%rax, %rax
 	inw	%dx, %ax
+	KMSAN_INIT_RET(2)
 	ret
 END(inw)

@ -362,6 +379,7 @@ ENTRY(inl)
 	movq	%rdi, %rdx
 	xorq	%rax, %rax
 	inl	%dx, %eax
+	KMSAN_INIT_RET(4)
 	ret
 END(inl)

--- a/sys/arch/amd64/amd64/lock_stubs.S
+++ b/sys/arch/amd64/amd64/lock_stubs.S
@ -1,4 +1,4 @@
-/*	$NetBSD: lock_stubs.S,v 1.32 2019/09/05 12:57:30 maxv Exp $	*/
+/*	$NetBSD: lock_stubs.S,v 1.33 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright (c) 2006, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@ -343,6 +343,7 @@ ENTRY(__cpu_simple_lock_try)
 	cmpxchgb %ah, (%rdi)
 	movl	$0, %eax
 	setz	%al
+	KMSAN_INIT_RET(4)
 	RET
 END(__cpu_simple_lock_try)

--- a/sys/arch/amd64/amd64/locore.S
+++ b/sys/arch/amd64/amd64/locore.S
@ -1,4 +1,4 @@
-/*	$NetBSD: locore.S,v 1.189 2019/10/12 06:31:03 maxv Exp $	*/
+/*	$NetBSD: locore.S,v 1.190 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright-o-rama!
@ -1235,6 +1235,7 @@ ENTRY(cpu_switchto)

 .Lswitch_return:
 	/* Return to the new LWP, returning 'oldlwp' in %rax. */
+	KMSAN_INIT_RET(8)
 	movq	%r13,%rax
 	popq	%r15
 	popq	%r14
@ -1321,6 +1322,7 @@ ENTRY(handle_syscall)
 	STI(si)
 	/* Pushed T_ASTFLT into tf_trapno on entry. */
 	movq	%rsp,%rdi
+	KMSAN_INIT_ARG(8)
 	call	_C_LABEL(trap)
 	jmp	.Lsyscall_checkast	/* re-check ASTs */
 END(handle_syscall)
@ -1336,8 +1338,10 @@ ENTRY(lwp_trampoline)
 	movq	%rbp,%r14	/* for .Lsyscall_checkast */
 	movq	%rax,%rdi
 	xorq	%rbp,%rbp
+	KMSAN_INIT_ARG(16)
 	call	_C_LABEL(lwp_startup)
 	movq	%r13,%rdi
+	KMSAN_INIT_ARG(8)
 	call	*%r12
 	jmp	.Lsyscall_checkast
 END(lwp_trampoline)
@ -1410,6 +1414,7 @@ IDTVEC(\name)
 	.if	\is_svs
 		SVS_ENTER
 	.endif
+	KMSAN_ENTER
 	jmp	handle_syscall
 IDTVEC_END(\name)
 .endm
@ -1453,6 +1458,7 @@ IDTVEC_END(osyscall)
 	TEXT_USER_BEGIN
 	_ALIGN_TEXT
 LABEL(syscall_sysret)
+	KMSAN_LEAVE
 	MDS_LEAVE
 	SVS_LEAVE
 	IBRS_LEAVE
@ -1501,10 +1507,12 @@ ENTRY(sse2_idlezero_page)
 	sfence
 	incl	%eax
 	popq	%rbp
+	KMSAN_INIT_RET(1)
 	ret
 2:
 	sfence
 	popq	%rbp
+	KMSAN_INIT_RET(1)
 	ret
 END(sse2_idlezero_page)

@ -1546,6 +1554,7 @@ END(pagezero)
 	.type intrfastexit,@function
 LABEL(intrfastexit)
 	NOT_XEN(cli;)
+	KMSAN_LEAVE

 	testb	$SEL_UPL,TF_CS(%rsp)
 	jz	.Lkexit
--- a/sys/arch/amd64/amd64/machdep.c
+++ b/sys/arch/amd64/amd64/machdep.c
@ -1,4 +1,4 @@
-/*	$NetBSD: machdep.c,v 1.338 2019/11/05 20:19:17 maxv Exp $	*/
+/*	$NetBSD: machdep.c,v 1.339 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright (c) 1996, 1997, 1998, 2000, 2006, 2007, 2008, 2011
@ -110,7 +110,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.338 2019/11/05 20:19:17 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.339 2019/11/14 16:23:52 maxv Exp $");

 #include "opt_modular.h"
 #include "opt_user_ldt.h"
@ -153,6 +153,7 @@ __KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.338 2019/11/05 20:19:17 maxv Exp $");
 #include <sys/proc.h>
 #include <sys/asan.h>
 #include <sys/csan.h>
+#include <sys/msan.h>

 #ifdef KGDB
 #include <sys/kgdb.h>
@ -1637,6 +1638,13 @@ init_slotspace(void)
 	slotspace.area[SLAREA_ASAN].active = true;
 #endif

+#ifdef KMSAN
+	/* MSAN. */
+	slotspace.area[SLAREA_MSAN].sslot = L4_SLOT_KMSAN;
+	slotspace.area[SLAREA_MSAN].nslot = NL4_SLOT_KMSAN;
+	slotspace.area[SLAREA_MSAN].active = true;
+#endif
+
 	/* Kernel. */
 	slotspace.area[SLAREA_KERN].sslot = L4_SLOT_KERNBASE;
 	slotspace.area[SLAREA_KERN].nslot = 1;
@ -1763,6 +1771,7 @@ init_x86_64(paddr_t first_avail)
 	kasan_init();
 #endif
 	kcsan_init();
+	kmsan_init((void *)lwp0uarea);

 	pmap_growkernel(VM_MIN_KERNEL_ADDRESS + 32 * 1024 * 1024);

--- a/sys/arch/amd64/amd64/mptramp.S
+++ b/sys/arch/amd64/amd64/mptramp.S
@ -1,4 +1,4 @@
-/*	$NetBSD: mptramp.S,v 1.27 2019/11/05 20:19:17 maxv Exp $	*/
+/*	$NetBSD: mptramp.S,v 1.28 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright (c) 2000, 2016 The NetBSD Foundation, Inc.
@ -76,6 +76,7 @@

 #include "assym.h"
 #include "opt_kcsan.h"
+#include "opt_kmsan.h"
 #include <machine/asm.h>
 #include <machine/specialreg.h>
 #include <machine/segments.h>
@ -245,7 +246,7 @@ _C_LABEL(cpu_spinup_trampoline_end):	/* end of code copied to MP_TRAMPOLINE */
 	movl	PCB_CR0(%rsi),%eax
 	movq	%rax,%cr0

-#ifdef KCSAN
+#if defined(KCSAN) || defined(KMSAN)
 	/*
 	 * The C instrumentation uses GS.base, so initialize it right now. It
 	 * gets re-initialized later, that's fine.
--- a/sys/arch/amd64/amd64/spl.S
+++ b/sys/arch/amd64/amd64/spl.S
@ -1,4 +1,4 @@
-/*	$NetBSD: spl.S,v 1.41 2019/10/12 06:31:03 maxv Exp $	*/
+/*	$NetBSD: spl.S,v 1.42 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright (c) 2003 Wasabi Systems, Inc.
@ -66,6 +66,7 @@

 #include "opt_ddb.h"
 #include "opt_kasan.h"
+#include "opt_kmsan.h"

 #define ALIGN_TEXT	.align 16,0x90

@ -86,6 +87,7 @@ ENTRY(splraise)
 	cmpl	%edi,%eax
 	cmoval	%eax,%edi
 	movl	%edi,CPUVAR(ILEVEL)
+	KMSAN_INIT_RET(4)
 	ret
 END(splraise)

@ -128,6 +130,16 @@ IDTVEC(softintr)
 	popq	%rax
 #endif

+#ifdef KMSAN
+	pushq	%rax
+	pushq	%rdx
+	pushq	%rcx
+	callq	_C_LABEL(kmsan_softint)
+	popq	%rcx
+	popq	%rdx
+	popq	%rax
+#endif
+
 	/* save old context */
 	movq	%rsp,PCB_RSP(%rcx)
 	movq	%rbp,PCB_RBP(%rcx)
@ -187,6 +199,7 @@ IDTVEC(recurse_preempt)
 	movl	$IPL_PREEMPT,CPUVAR(ILEVEL)
 	sti
 	xorq	%rdi,%rdi
+	KMSAN_INIT_ARG(8)
 	call	_C_LABEL(kpreempt)
 	cli
 	jmp	*%r13			/* back to Xspllower */
@ -203,6 +216,7 @@ IDTVEC(resume_preempt)
 	testq	$SEL_RPL,TF_CS(%rsp)
 	jnz	1f
 	movq	TF_RIP(%rsp),%rdi
+	KMSAN_INIT_ARG(8)
 	call	_C_LABEL(kpreempt)	/* from kernel */
 	cli
 	jmp	*%r13			/* back to Xdoreti */
@ -391,6 +405,7 @@ LABEL(doreti_checkast)
 	movl	$T_ASTFLT,TF_TRAPNO(%rsp)	/* XXX undo later.. */
 	/* Pushed T_ASTFLT into tf_trapno on entry. */
 	movq	%rsp,%rdi
+	KMSAN_INIT_ARG(8)
 	call	_C_LABEL(trap)
 	CLI(si)
 	jmp	doreti_checkast
--- a/sys/arch/amd64/conf/GENERIC
+++ b/sys/arch/amd64/conf/GENERIC
@ -1,4 +1,4 @@
-# $NetBSD: GENERIC,v 1.545 2019/11/05 20:19:17 maxv Exp $
+# $NetBSD: GENERIC,v 1.546 2019/11/14 16:23:52 maxv Exp $
 #
 # GENERIC machine description file
 #
@ -22,7 +22,7 @@ include 	"arch/amd64/conf/std.amd64"

 options 	INCLUDE_CONFIG_FILE	# embed config file in kernel binary

-#ident		"GENERIC-$Revision: 1.545 $"
+#ident		"GENERIC-$Revision: 1.546 $"

 maxusers	64		# estimated number of users

@ -133,6 +133,17 @@ options 	KDTRACE_HOOKS	# kernel DTrace hooks
 #options 	KCSAN		# mandatory
 #options 	KCSAN_PANIC	# optional

+# Kernel Memory Sanitizer (kMSan). You need to disable SVS and kernel modules
+# to use it. The quarantine is optional and can help KMSAN find uninitialized
+# memory in pool caches. Note that KMSAN requires at least 4GB of RAM.
+#makeoptions 	KMSAN=1		# mandatory
+#options 	KMSAN		# mandatory
+#no options	SVS		# mandatory
+#no options 	MODULAR		# mandatory
+#no options 	MODULAR_DEFAULT_AUTOLOAD	# mandatory
+#options	POOL_QUARANTINE	# optional
+#options 	KMSAN_PANIC	# optional
+
 # Kernel Info Leak Detector.
 #makeoptions 	KLEAK=1
 #options 	KLEAK
--- a/sys/arch/amd64/conf/Makefile.amd64
+++ b/sys/arch/amd64/conf/Makefile.amd64
@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.amd64,v 1.79 2019/11/05 20:19:17 maxv Exp $
+#	$NetBSD: Makefile.amd64,v 1.80 2019/11/14 16:23:52 maxv Exp $

 # Makefile for NetBSD
 #
@ -69,6 +69,14 @@ KCSANFLAGS.${f}=	# empty
 CFLAGS+=	${KCSANFLAGS.${.IMPSRC:T}:U${KCSANFLAGS}}
 .endif

+.if ${KMSAN:U0} > 0 && ${HAVE_LLVM:Uno} == "yes"
+KMSANFLAGS=	-fsanitize=kernel-memory
+.for f in subr_msan.c
+KMSANFLAGS.${f}=	# empty
+.endfor
+CFLAGS+=	${KMSANFLAGS.${.IMPSRC:T}:U${KMSANFLAGS}}
+.endif
+
 ##
 ## (3) libkern and compat
 ##
--- a/sys/arch/amd64/include/cpu.h
+++ b/sys/arch/amd64/include/cpu.h
@ -1,4 +1,4 @@
-/*	$NetBSD: cpu.h,v 1.64 2019/02/11 14:59:32 cherry Exp $	*/
+/*	$NetBSD: cpu.h,v 1.65 2019/11/14 16:23:52 maxv Exp $	*/

 /*-
 * Copyright (c) 1990 The Regents of the University of California.
@ -43,7 +43,19 @@

 #ifdef _KERNEL

+#ifdef _KERNEL_OPT
+#include "opt_kmsan.h"
+#endif
+
 #if defined(__GNUC__) && !defined(_MODULE)
+
+/*
+ * KMSAN: disable the inlines below, to force the use of the ASM functions,
+ * where no KMSAN instrumentation is added. This is because the instrumentation
+ * does not handle the segment registers correctly. And there appears to be no
+ * way to tell LLVM not to add KMSAN instrumentation in these __asm blocks.
+ */
+#if !defined(KMSAN) || defined(KMSAN_NO_INST)
 static struct cpu_info *x86_curcpu(void);
 static lwp_t *x86_curlwp(void);

@ -81,6 +93,12 @@ cpu_set_curpri(int pri)
 	    "r" (pri)
 	);
 }
+#else
+struct cpu_info *x86_curcpu(void);
+lwp_t *x86_curlwp(void);
+void cpu_set_curpri(int);
+#endif
+
 #endif	/* __GNUC__ && !_MODULE */

 #ifdef XENPV
--- a/sys/arch/amd64/include/frameasm.h
+++ b/sys/arch/amd64/include/frameasm.h
@ -1,4 +1,4 @@
-/*	$NetBSD: frameasm.h,v 1.45 2019/10/12 06:31:03 maxv Exp $	*/
+/*	$NetBSD: frameasm.h,v 1.46 2019/11/14 16:23:52 maxv Exp $	*/

 #ifndef _AMD64_MACHINE_FRAMEASM_H
 #define _AMD64_MACHINE_FRAMEASM_H
@ -6,6 +6,7 @@
 #ifdef _KERNEL_OPT
 #include "opt_xen.h"
 #include "opt_svs.h"
+#include "opt_kmsan.h"
 #endif

 /*
@ -205,6 +206,67 @@
 #define SVS_LEAVE_ALTSTACK	/* nothing */
 #endif

+#ifdef KMSAN
+#define KMSAN_ENTER	\
+	movq	%rsp,%rdi		; \
+	movq	$TF_REGSIZE+16+40,%rsi	; \
+	xorq	%rdx,%rdx		; \
+	callq	kmsan_mark		; \
+	callq	kmsan_intr_enter
+#define KMSAN_LEAVE	\
+	pushq	%rbp			; \
+	movq	%rsp,%rbp		; \
+	callq	kmsan_intr_leave	; \
+	popq	%rbp
+#define KMSAN_INIT_ARG(sz)	\
+	pushq	%rax			; \
+	pushq	%rcx			; \
+	pushq	%rdx			; \
+	pushq	%rsi			; \
+	pushq	%rdi			; \
+	pushq	%r8			; \
+	pushq	%r9			; \
+	pushq	%r10			; \
+	pushq	%r11			; \
+	movq	$sz,%rdi		; \
+	callq	_C_LABEL(kmsan_init_arg); \
+	popq	%r11			; \
+	popq	%r10			; \
+	popq	%r9			; \
+	popq	%r8			; \
+	popq	%rdi			; \
+	popq	%rsi			; \
+	popq	%rdx			; \
+	popq	%rcx			; \
+	popq	%rax
+#define KMSAN_INIT_RET(sz)	\
+	pushq	%rax			; \
+	pushq	%rcx			; \
+	pushq	%rdx			; \
+	pushq	%rsi			; \
+	pushq	%rdi			; \
+	pushq	%r8			; \
+	pushq	%r9			; \
+	pushq	%r10			; \
+	pushq	%r11			; \
+	movq	$sz,%rdi		; \
+	callq	_C_LABEL(kmsan_init_ret); \
+	popq	%r11			; \
+	popq	%r10			; \
+	popq	%r9			; \
+	popq	%r8			; \
+	popq	%rdi			; \
+	popq	%rsi			; \
+	popq	%rdx			; \
+	popq	%rcx			; \
+	popq	%rax
+#else
+#define KMSAN_ENTER		/* nothing */
+#define KMSAN_LEAVE		/* nothing */
+#define KMSAN_INIT_ARG(sz)	/* nothing */
+#define KMSAN_INIT_RET(sz)	/* nothing */
+#endif
+
 #define	INTRENTRY \
 	subq	$TF_REGSIZE,%rsp	; \
 	INTR_SAVE_GPRS			; \
@ -219,7 +281,7 @@
 	movw	%fs,TF_FS(%rsp)		; \
 	movw	%es,TF_ES(%rsp)		; \
 	movw	%ds,TF_DS(%rsp)		; \
-98:
+98:	KMSAN_ENTER

 #define INTRFASTEXIT \
 	jmp	intrfastexit
@ -238,7 +300,8 @@
 #define INTR_RECURSE_ENTRY \
 	subq	$TF_REGSIZE,%rsp	; \
 	INTR_SAVE_GPRS			; \
-	cld
+	cld				; \
+	KMSAN_ENTER

 #define	CHECK_DEFERRED_SWITCH \
 	cmpl	$0, CPUVAR(WANT_PMAPLOAD)
--- a/sys/arch/amd64/include/msan.h
+++ b/sys/arch/amd64/include/msan.h
@ -0,0 +1,241 @@
+/*	$NetBSD: msan.h,v 1.1 2019/11/14 16:23:52 maxv Exp $	*/
+
+/*
+ * Copyright (c) 2019 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Maxime Villard.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/ksyms.h>
+
+#include <amd64/pmap.h>
+#include <amd64/vmparam.h>
+
+#ifdef __HAVE_PCPU_AREA
+#error "PCPU area not allowed with KMSAN"
+#endif
+#ifdef __HAVE_DIRECT_MAP
+#error "DMAP not allowed with KMSAN"
+#endif
+
+/*
+ * One big shadow, divided in two sub-shadows (SHAD and ORIG), themselves
+ * divided in two regions (MAIN and KERN).
+ */
+
+#define __MD_SHADOW_SIZE	0x20000000000ULL	/* 4 * NBPD_L4 */
+#define __MD_SHADOW_START	(VA_SIGN_NEG((L4_SLOT_KMSAN * NBPD_L4)))
+#define __MD_SHADOW_END		(__MD_SHADOW_START + __MD_SHADOW_SIZE)
+
+#define __MD_SHAD_MAIN_START	(__MD_SHADOW_START)
+#define __MD_SHAD_KERN_START	(__MD_SHADOW_START + 0x8000000000ULL)
+
+#define __MD_ORIG_MAIN_START	(__MD_SHAD_KERN_START + 0x8000000000ULL)
+#define __MD_ORIG_KERN_START	(__MD_ORIG_MAIN_START + 0x8000000000ULL)
+
+#define __MD_PTR_BASE		0xFFFFFFFF80000000ULL
+#define __MD_ORIG_TYPE		__BITS(31,28)
+
+static inline int8_t *
+kmsan_md_addr_to_shad(const void *addr)
+{
+	vaddr_t va = (vaddr_t)addr;
+
+	if (va >= vm_min_kernel_address && va < vm_max_kernel_address) {
+		return (int8_t *)(__MD_SHAD_MAIN_START + (va - vm_min_kernel_address));
+	} else if (va >= KERNBASE) {
+		return (int8_t *)(__MD_SHAD_KERN_START + (va - KERNBASE));
+	} else {
+		panic("%s: impossible, va=%p", __func__, (void *)va);
+	}
+}
+
+static inline int8_t *
+kmsan_md_addr_to_orig(const void *addr)
+{
+	vaddr_t va = (vaddr_t)addr;
+
+	if (va >= vm_min_kernel_address && va < vm_max_kernel_address) {
+		return (int8_t *)(__MD_ORIG_MAIN_START + (va - vm_min_kernel_address));
+	} else if (va >= KERNBASE) {
+		return (int8_t *)(__MD_ORIG_KERN_START + (va - KERNBASE));
+	} else {
+		panic("%s: impossible, va=%p", __func__, (void *)va);
+	}
+}
+
+static inline bool
+kmsan_md_unsupported(vaddr_t addr)
+{
+	return (addr >= (vaddr_t)PTE_BASE &&
+	    addr < ((vaddr_t)PTE_BASE + NBPD_L4));
+}
+
+static inline paddr_t
+__md_palloc(void)
+{
+	return pmap_get_physpage();
+}
+
+static void
+kmsan_md_shadow_map_page(vaddr_t va)
+{
+	paddr_t pa;
+
+	KASSERT(va >= __MD_SHADOW_START && va < __MD_SHADOW_END);
+
+	if (!pmap_valid_entry(L4_BASE[pl4_i(va)])) {
+		pa = __md_palloc();
+		L4_BASE[pl4_i(va)] = pa | PTE_W | pmap_pg_nx | PTE_P;
+	}
+	if (!pmap_valid_entry(L3_BASE[pl3_i(va)])) {
+		pa = __md_palloc();
+		L3_BASE[pl3_i(va)] = pa | PTE_W | pmap_pg_nx | PTE_P;
+	}
+	if (!pmap_valid_entry(L2_BASE[pl2_i(va)])) {
+		pa = __md_palloc();
+		L2_BASE[pl2_i(va)] = pa | PTE_W | pmap_pg_nx | PTE_P;
+	}
+	if (!pmap_valid_entry(L1_BASE[pl1_i(va)])) {
+		pa = __md_palloc();
+		L1_BASE[pl1_i(va)] = pa | PTE_W | pmap_pg_g | pmap_pg_nx | PTE_P;
+	}
+}
+
+static void
+kmsan_md_init(void)
+{
+	extern struct bootspace bootspace;
+	size_t i;
+
+	CTASSERT((__MD_SHADOW_SIZE / NBPD_L4) == NL4_SLOT_KMSAN);
+
+	/* Kernel. */
+	for (i = 0; i < BTSPACE_NSEGS; i++) {
+		if (bootspace.segs[i].type == BTSEG_NONE) {
+			continue;
+		}
+		kmsan_shadow_map((void *)bootspace.segs[i].va,
+		    bootspace.segs[i].sz);
+	}
+
+	/* Boot region. */
+	kmsan_shadow_map((void *)bootspace.boot.va, bootspace.boot.sz);
+
+	/* Module map. */
+	kmsan_shadow_map((void *)bootspace.smodule,
+	    (size_t)(bootspace.emodule - bootspace.smodule));
+
+	/* The bootstrap spare va. */
+	kmsan_shadow_map((void *)bootspace.spareva, PAGE_SIZE);
+}
+
+static inline msan_orig_t
+kmsan_md_orig_encode(int type, uintptr_t ptr)
+{
+	msan_orig_t ret;
+
+	ret = (ptr & 0xFFFFFFFF) & ~__MD_ORIG_TYPE;
+	ret |= __SHIFTIN(type, __MD_ORIG_TYPE);
+
+	return ret;
+}
+
+static inline void
+kmsan_md_orig_decode(msan_orig_t orig, int *type, uintptr_t *ptr)
+{
+	*type = __SHIFTOUT(orig, __MD_ORIG_TYPE);
+	*ptr = (uintptr_t)(orig & ~__MD_ORIG_TYPE) | __MD_PTR_BASE;
+}
+
+static inline bool
+kmsan_md_is_pc(uintptr_t ptr)
+{
+	extern uint8_t __rodata_start;
+
+	return (ptr < (uintptr_t)&__rodata_start);
+}
+
+static inline bool
+__md_unwind_end(const char *name)
+{
+	if (!strcmp(name, "syscall") ||
+	    !strcmp(name, "alltraps") ||
+	    !strcmp(name, "handle_syscall") ||
+	    !strncmp(name, "Xtrap", 5) ||
+	    !strncmp(name, "Xintr", 5) ||
+	    !strncmp(name, "Xhandle", 7) ||
+	    !strncmp(name, "Xresume", 7) ||
+	    !strncmp(name, "Xstray", 6) ||
+	    !strncmp(name, "Xhold", 5) ||
+	    !strncmp(name, "Xrecurse", 8) ||
+	    !strcmp(name, "Xdoreti") ||
+	    !strncmp(name, "Xsoft", 5)) {
+		return true;
+	}
+
+	return false;
+}
+
+static void
+kmsan_md_unwind(void)
+{
+	uint64_t *rbp, rip;
+	const char *mod;
+	const char *sym;
+	size_t nsym;
+	int error;
+
+	rbp = (uint64_t *)__builtin_frame_address(0);
+	nsym = 0;
+
+	while (1) {
+		/* 8(%rbp) contains the saved %rip. */
+		rip = *(rbp + 1);
+
+		if (rip < KERNBASE) {
+			break;
+		}
+		error = ksyms_getname(&mod, &sym, (vaddr_t)rip, KSYMS_PROC);
+		if (error) {
+			break;
+		}
+		kmsan_printf("#%zu %p in %s <%s>\n", nsym, (void *)rip, sym, mod);
+		if (__md_unwind_end(sym)) {
+			break;
+		}
+
+		rbp = (uint64_t *)*(rbp);
+		if (rbp == 0) {
+			break;
+		}
+		nsym++;
+
+		if (nsym >= 15) {
+			break;
+		}
+	}
+}
--- a/sys/arch/amd64/include/param.h
+++ b/sys/arch/amd64/include/param.h
@ -1,4 +1,4 @@
-/*	$NetBSD: param.h,v 1.32 2019/09/28 15:11:53 christos Exp $	*/
+/*	$NetBSD: param.h,v 1.33 2019/11/14 16:23:52 maxv Exp $	*/

 #ifdef __x86_64__

@ -12,6 +12,7 @@
 #if defined(_KERNEL_OPT)
 #include "opt_kasan.h"
 #include "opt_kleak.h"
+#include "opt_kmsan.h"
 #endif
 #endif

@ -44,7 +45,11 @@
 /*
 * Maximum physical memory supported by the implementation.
 */
+#if defined(KMSAN)
+#define MAXPHYSMEM	0x008000000000ULL /* 512GB */
+#else
 #define MAXPHYSMEM	0x100000000000ULL /* 16TB */
+#endif

 /*
 * XXXfvdl change this (after bootstrap) to take # of bits from
@ -63,7 +68,7 @@
 #define	SSIZE		1		/* initial stack size/NBPG */
 #define	SINCR		1		/* increment of stack/NBPG */

-#if defined(KASAN) || defined(KLEAK)
+#if defined(KASAN) || defined(KLEAK) || defined(KMSAN)
 #define	UPAGES		8
 #elif defined(DIAGNOSTIC)
 #define	UPAGES		5		/* pages of u-area (1 for redzone) */
--- a/sys/arch/amd64/include/pmap.h
+++ b/sys/arch/amd64/include/pmap.h
@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.h,v 1.63 2019/11/01 15:11:43 maxv Exp $	*/
+/*	$NetBSD: pmap.h,v 1.64 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright (c) 1997 Charles D. Cranor and Washington University.
@ -68,6 +68,7 @@
 #if defined(_KERNEL_OPT)
 #include "opt_xen.h"
 #include "opt_kasan.h"
+#include "opt_kmsan.h"
 #include "opt_kubsan.h"
 #endif

@ -98,6 +99,11 @@
 #define NL4_SLOT_KASAN		32
 #endif

+#ifdef KMSAN
+#define L4_SLOT_KMSAN		256
+#define NL4_SLOT_KMSAN		4
+#endif
+
 #define NL4_SLOT_DIRECT		32

 #ifndef XENPV
@ -133,14 +139,18 @@ extern pt_entry_t *pte_base;

 #define PDP_BASE	L4_BASE

+#if defined(KMSAN)
+#define NKL4_MAX_ENTRIES	(unsigned long)1	/* 512GB only */
+#else
 #define NKL4_MAX_ENTRIES	(unsigned long)64
+#endif
 #define NKL3_MAX_ENTRIES	(unsigned long)(NKL4_MAX_ENTRIES * 512)
 #define NKL2_MAX_ENTRIES	(unsigned long)(NKL3_MAX_ENTRIES * 512)
 #define NKL1_MAX_ENTRIES	(unsigned long)(NKL2_MAX_ENTRIES * 512)

 #define NKL4_KIMG_ENTRIES	1
 #define NKL3_KIMG_ENTRIES	1
-#if defined(KUBSAN)
+#if defined(KUBSAN) || defined(KMSAN)
 #define NKL2_KIMG_ENTRIES	64	/* really big kernel */
 #else
 #define NKL2_KIMG_ENTRIES	48
--- a/sys/arch/amd64/include/types.h
+++ b/sys/arch/amd64/include/types.h
@ -1,4 +1,4 @@
-/*	$NetBSD: types.h,v 1.63 2019/10/04 06:27:42 maxv Exp $	*/
+/*	$NetBSD: types.h,v 1.64 2019/11/14 16:23:52 maxv Exp $	*/

 /*-
 * Copyright (c) 1990 The Regents of the University of California.
@ -106,12 +106,13 @@ typedef	unsigned char		__cpu_simple_lock_nv_t;

 #include "opt_xen.h"
 #include "opt_kasan.h"
+#include "opt_kmsan.h"
 #ifdef KASAN
 #define __HAVE_KASAN_INSTR_BUS
 #define __HAVE_KASAN_INSTR_DMA
 #endif
 #if defined(__x86_64__) && !defined(XENPV)
-#if !defined(KASAN)
+#if !defined(KASAN) && !defined(KMSAN)
 #define	__HAVE_PCPU_AREA 1
 #define	__HAVE_DIRECT_MAP 1
 #endif
--- a/sys/arch/x86/include/bus_defs.h
+++ b/sys/arch/x86/include/bus_defs.h
@ -1,4 +1,4 @@
-/*	$NetBSD: bus_defs.h,v 1.4 2019/10/04 06:27:42 maxv Exp $	*/
+/*	$NetBSD: bus_defs.h,v 1.5 2019/11/14 16:23:52 maxv Exp $	*/

 /*-
 * Copyright (c) 1996, 1997, 1998, 2001 The NetBSD Foundation, Inc.
@ -66,6 +66,7 @@

 #ifdef _KERNEL_OPT
 #include "opt_kasan.h"
+#include "opt_kmsan.h"
 #endif

 #include <x86/busdefs.h>
@ -145,7 +146,7 @@ struct x86_bus_dmamap {
 	/*
 	 * PUBLIC MEMBERS: these are used by machine-independent code.
 	 */
-#if defined(KASAN)
+#if defined(KASAN) || defined(KMSAN)
 	void		*dm_buf;
 	bus_size_t	dm_buflen;
 	int		dm_buftype;
--- a/sys/arch/x86/include/pmap.h
+++ b/sys/arch/x86/include/pmap.h
@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.h,v 1.104 2019/11/13 12:55:10 maxv Exp $	*/
+/*	$NetBSD: pmap.h,v 1.105 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright (c) 1997 Charles D. Cranor and Washington University.
@ -172,8 +172,9 @@ struct bootspace {
 #define SLAREA_DMAP	4
 #define SLAREA_HYPV	5
 #define SLAREA_ASAN	6
-#define SLAREA_KERN	7
-#define SLSPACE_NAREAS	8
+#define SLAREA_MSAN	7
+#define SLAREA_KERN	8
+#define SLSPACE_NAREAS	9

 struct slotspace {
 	struct {
--- a/sys/arch/x86/x86/bus_dma.c
+++ b/sys/arch/x86/x86/bus_dma.c
@ -1,4 +1,4 @@
-/*	$NetBSD: bus_dma.c,v 1.80 2019/10/04 06:27:42 maxv Exp $	*/
+/*	$NetBSD: bus_dma.c,v 1.81 2019/11/14 16:23:52 maxv Exp $	*/

 /*-
 * Copyright (c) 1996, 1997, 1998, 2007 The NetBSD Foundation, Inc.
@ -31,7 +31,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bus_dma.c,v 1.80 2019/10/04 06:27:42 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bus_dma.c,v 1.81 2019/11/14 16:23:52 maxv Exp $");

 /*
 * The following is included because _bus_dma_uiomove is derived from
@ -96,6 +96,7 @@ __KERNEL_RCSID(0, "$NetBSD: bus_dma.c,v 1.80 2019/10/04 06:27:42 maxv Exp $");
 #include <sys/mbuf.h>
 #include <sys/proc.h>
 #include <sys/asan.h>
+#include <sys/msan.h>

 #include <sys/bus.h>
 #include <machine/bus_private.h>
@ -1329,6 +1330,7 @@ bus_dmamap_sync(bus_dma_tag_t t, bus_dmamap_t p, bus_addr_t o, bus_size_t l,
 	bus_dma_tag_t it;

 	kasan_dma_sync(p, o, l, ops);
+	kmsan_dma_sync(p, o, l, ops);

 	if ((t->bdt_exists & BUS_DMAMAP_OVERRIDE_SYNC) == 0)
 		;	/* skip override */
@ -1390,6 +1392,7 @@ bus_dmamap_load(bus_dma_tag_t t, bus_dmamap_t dmam, void *buf,
 	bus_dma_tag_t it;

 	kasan_dma_load(dmam, buf, buflen, KASAN_DMA_LINEAR);
+	kmsan_dma_load(dmam, buf, buflen, KMSAN_DMA_LINEAR);

 	if ((t->bdt_exists & BUS_DMAMAP_OVERRIDE_LOAD) == 0)
 		;	/* skip override */
@ -1410,6 +1413,7 @@ bus_dmamap_load_mbuf(bus_dma_tag_t t, bus_dmamap_t dmam,
 	bus_dma_tag_t it;

 	kasan_dma_load(dmam, chain, 0, KASAN_DMA_MBUF);
+	kmsan_dma_load(dmam, chain, 0, KMSAN_DMA_MBUF);

 	if ((t->bdt_exists & BUS_DMAMAP_OVERRIDE_LOAD_MBUF) == 0)
 		;	/* skip override */
@ -1430,6 +1434,7 @@ bus_dmamap_load_uio(bus_dma_tag_t t, bus_dmamap_t dmam,
 	bus_dma_tag_t it;

 	kasan_dma_load(dmam, uio, 0, KASAN_DMA_UIO);
+	kmsan_dma_load(dmam, uio, 0, KMSAN_DMA_UIO);

 	if ((t->bdt_exists & BUS_DMAMAP_OVERRIDE_LOAD_UIO) == 0)
 		;	/* skip override */
@ -1451,6 +1456,7 @@ bus_dmamap_load_raw(bus_dma_tag_t t, bus_dmamap_t dmam,
 	bus_dma_tag_t it;

 	kasan_dma_load(dmam, NULL, 0, KASAN_DMA_RAW);
+	kmsan_dma_load(dmam, NULL, 0, KMSAN_DMA_RAW);

 	if ((t->bdt_exists & BUS_DMAMAP_OVERRIDE_LOAD_RAW) == 0)
 		;	/* skip override */
--- a/sys/arch/x86/x86/pmap.c
+++ b/sys/arch/x86/x86/pmap.c
@ -1,4 +1,4 @@
-/*	$NetBSD: pmap.c,v 1.338 2019/11/13 12:55:10 maxv Exp $	*/
+/*	$NetBSD: pmap.c,v 1.339 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright (c) 2008, 2010, 2016, 2017 The NetBSD Foundation, Inc.
@ -130,7 +130,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.338 2019/11/13 12:55:10 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.339 2019/11/14 16:23:52 maxv Exp $");

 #include "opt_user_ldt.h"
 #include "opt_lockdebug.h"
@ -151,6 +151,7 @@ __KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.338 2019/11/13 12:55:10 maxv Exp $");
 #include <sys/xcall.h>
 #include <sys/kcore.h>
 #include <sys/asan.h>
+#include <sys/msan.h>

 #include <uvm/uvm.h>
 #include <uvm/pmap/pmap_pvt.h>
@ -1299,7 +1300,7 @@ pmap_pagetree_nentries_range(vaddr_t startva, vaddr_t endva, size_t pgsz)
 }
 #endif

-#if defined(__HAVE_DIRECT_MAP) || defined(KASAN)
+#if defined(__HAVE_DIRECT_MAP) || defined(KASAN) || defined(KMSAN)
 static inline void
 slotspace_copy(int type, pd_entry_t *dst, pd_entry_t *src)
 {
@ -2283,6 +2284,9 @@ pmap_pdp_ctor(void *arg, void *v, int flags)
 #ifdef KASAN
 	slotspace_copy(SLAREA_ASAN, pdir, PDP_BASE);
 #endif
+#ifdef KMSAN
+	slotspace_copy(SLAREA_MSAN, pdir, PDP_BASE);
+#endif
 #endif /* XENPV  && __x86_64__*/

 #ifdef XENPV
@ -4574,6 +4578,9 @@ pmap_growkernel(vaddr_t maxkvaddr)
 	    (size_t)(maxkvaddr - pmap_maxkvaddr));
 #endif

+	kmsan_shadow_map((void *)pmap_maxkvaddr,
+	    (size_t)(maxkvaddr - pmap_maxkvaddr));
+
 	pmap_alloc_level(cpm, pmap_maxkvaddr, needed_kptp);

 	/*
--- a/sys/conf/files
+++ b/sys/conf/files
@ -1,4 +1,4 @@
-#	$NetBSD: files,v 1.1243 2019/11/11 04:04:29 msaitoh Exp $
+#	$NetBSD: files,v 1.1244 2019/11/14 16:23:52 maxv Exp $
 #	@(#)files.newconf	7.5 (Berkeley) 5/10/93

 version 	20171118
@ -33,6 +33,8 @@ defflag				KASAN
 defflag opt_kasan.h		KASAN_PANIC
 defflag				KCSAN
 defflag opt_kcsan.h		KCSAN_PANIC
+defflag				KMSAN
+defflag opt_kmsan.h		KMSAN_PANIC
 defflag				KLEAK
 defflag				KCOV
 defflag opt_pool.h		POOL_QUARANTINE
--- a/sys/kern/files.kern
+++ b/sys/kern/files.kern
@ -1,4 +1,4 @@
-#	$NetBSD: files.kern,v 1.36 2019/11/05 20:19:17 maxv Exp $
+#	$NetBSD: files.kern,v 1.37 2019/11/14 16:23:52 maxv Exp $

 #
 # kernel sources
@ -132,6 +132,7 @@ file	kern/subr_localcount.c		kern
 file	kern/subr_lockdebug.c		kern
 file	kern/subr_log.c			kern
 file	kern/subr_lwp_specificdata.c	kern
+file	kern/subr_msan.c		kmsan
 file	kern/subr_once.c		kern
 file	kern/subr_optstr.c		kern
 file	kern/subr_pcq.c			kern
--- a/sys/kern/kern_lwp.c
+++ b/sys/kern/kern_lwp.c
@ -1,4 +1,4 @@
-/*	$NetBSD: kern_lwp.c,v 1.207 2019/11/10 23:39:03 joerg Exp $	*/
+/*	$NetBSD: kern_lwp.c,v 1.208 2019/11/14 16:23:52 maxv Exp $	*/

 /*-
 * Copyright (c) 2001, 2006, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@ -211,7 +211,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_lwp.c,v 1.207 2019/11/10 23:39:03 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_lwp.c,v 1.208 2019/11/14 16:23:52 maxv Exp $");

 #include "opt_ddb.h"
 #include "opt_lockdebug.h"
@ -244,6 +244,7 @@ __KERNEL_RCSID(0, "$NetBSD: kern_lwp.c,v 1.207 2019/11/10 23:39:03 joerg Exp $")
 #include <sys/uidinfo.h>
 #include <sys/sysctl.h>
 #include <sys/psref.h>
+#include <sys/msan.h>

 #include <uvm/uvm_extern.h>
 #include <uvm/uvm_object.h>
@ -844,6 +845,7 @@ lwp_create(lwp_t *l1, proc_t *p2, vaddr_t uaddr, int flags,
 	l2->l_pflag = LP_MPSAFE;
 	TAILQ_INIT(&l2->l_ld_locks);
 	l2->l_psrefs = 0;
+	kmsan_lwp_alloc(l2);

 	/*
 	 * For vfork, borrow parent's lwpctl context if it exists.
@ -1298,6 +1300,7 @@ lwp_free(struct lwp *l, bool recycle, bool last)
 	if (l->l_name != NULL)
 		kmem_free(l->l_name, MAXCOMLEN);

+	kmsan_lwp_free(l);
 	cpu_lwp_free2(l);
 	uvm_lwp_exit(l);

--- a/sys/kern/kern_malloc.c
+++ b/sys/kern/kern_malloc.c
@ -1,4 +1,4 @@
-/*	$NetBSD: kern_malloc.c,v 1.157 2019/04/07 09:20:04 maxv Exp $	*/
+/*	$NetBSD: kern_malloc.c,v 1.158 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright (c) 1987, 1991, 1993
@ -70,12 +70,13 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.157 2019/04/07 09:20:04 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_malloc.c,v 1.158 2019/11/14 16:23:52 maxv Exp $");

 #include <sys/param.h>
 #include <sys/malloc.h>
 #include <sys/kmem.h>
 #include <sys/asan.h>
+#include <sys/msan.h>

 /*
 * Built-in malloc types.  Note: ought to be removed.
@ -129,6 +130,9 @@ kern_malloc(unsigned long reqsize, int flags)
 	if (p == NULL)
 		return NULL;

+	kmsan_mark(p, allocsize, KMSAN_STATE_UNINIT);
+	kmsan_orig(p, allocsize, KMSAN_TYPE_MALLOC, __RET_ADDR);
+
 	if ((flags & M_ZERO) != 0) {
 		memset(p, 0, allocsize);
 	}
@ -155,11 +159,16 @@ kern_free(void *addr)
 	kasan_mark(addr, mh->mh_size - sizeof(struct malloc_header),
 	    mh->mh_size - sizeof(struct malloc_header), KASAN_MALLOC_REDZONE);

-	if (mh->mh_size >= PAGE_SIZE + sizeof(struct malloc_header))
+	if (mh->mh_size >= PAGE_SIZE + sizeof(struct malloc_header)) {
+		kmsan_mark((char *)addr - PAGE_SIZE,
+		    mh->mh_size + PAGE_SIZE - sizeof(struct malloc_header),
+		    KMSAN_STATE_INITED);
 		kmem_intr_free((char *)addr - PAGE_SIZE,
 		    mh->mh_size + PAGE_SIZE - sizeof(struct malloc_header));
-	else
+	} else {
+		kmsan_mark(mh, mh->mh_size, KMSAN_STATE_INITED);
 		kmem_intr_free(mh, mh->mh_size);
+	}
 }

 void *
--- a/sys/kern/subr_kmem.c
+++ b/sys/kern/subr_kmem.c
@ -1,4 +1,4 @@
-/*	$NetBSD: subr_kmem.c,v 1.76 2019/08/15 12:06:42 maxv Exp $	*/
+/*	$NetBSD: subr_kmem.c,v 1.77 2019/11/14 16:23:52 maxv Exp $	*/

 /*
 * Copyright (c) 2009-2015 The NetBSD Foundation, Inc.
@ -78,7 +78,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_kmem.c,v 1.76 2019/08/15 12:06:42 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_kmem.c,v 1.77 2019/11/14 16:23:52 maxv Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_kmem.h"
@ -92,6 +92,7 @@ __KERNEL_RCSID(0, "$NetBSD: subr_kmem.c,v 1.76 2019/08/15 12:06:42 maxv Exp $");
 #include <sys/lockdebug.h>
 #include <sys/cpu.h>
 #include <sys/asan.h>
+#include <sys/msan.h>

 #include <uvm/uvm_extern.h>
 #include <uvm/uvm_map.h>
@ -304,6 +305,10 @@ kmem_alloc(size_t size, km_flag_t kmflags)
 	KASSERTMSG((!cpu_intr_p() && !cpu_softintr_p()),
 	    "kmem(9) should not be used from the interrupt context");
 	v = kmem_intr_alloc(size, kmflags);
+	if (__predict_true(v != NULL)) {
+		kmsan_mark(v, size, KMSAN_STATE_UNINIT);
+		kmsan_orig(v, size, KMSAN_TYPE_KMEM, __RET_ADDR);
+	}
 	KASSERT(v || (kmflags & KM_NOSLEEP) != 0);
 	return v;
 }
@ -334,6 +339,7 @@ kmem_free(void *p, size_t size)
 	KASSERT(!cpu_intr_p());
 	KASSERT(!cpu_softintr_p());
 	kmem_intr_free(p, size);
+	kmsan_mark(p, size, KMSAN_STATE_INITED);
 }

 static size_t
--- a/sys/kern/subr_msan.c
+++ b/sys/kern/subr_msan.c
--- a/sys/kern/subr_pool.c
+++ b/sys/kern/subr_pool.c
@ -1,4 +1,4 @@
-/*	$NetBSD: subr_pool.c,v 1.261 2019/10/16 18:29:49 christos Exp $	*/
+/*	$NetBSD: subr_pool.c,v 1.262 2019/11/14 16:23:53 maxv Exp $	*/

 /*
 * Copyright (c) 1997, 1999, 2000, 2002, 2007, 2008, 2010, 2014, 2015, 2018
@ -33,7 +33,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_pool.c,v 1.261 2019/10/16 18:29:49 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_pool.c,v 1.262 2019/11/14 16:23:53 maxv Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_ddb.h"
@ -58,6 +58,7 @@ __KERNEL_RCSID(0, "$NetBSD: subr_pool.c,v 1.261 2019/10/16 18:29:49 christos Exp
 #include <sys/cpu.h>
 #include <sys/atomic.h>
 #include <sys/asan.h>
+#include <sys/msan.h>

 #include <uvm/uvm_extern.h>

@ -83,7 +84,7 @@ static struct pool phpool[PHPOOL_MAX];
 #define	PHPOOL_FREELIST_NELEM(idx) \
 	(((idx) == 0) ? BITMAP_MIN_SIZE : BITMAP_SIZE * (1 << (idx)))

-#if defined(DIAGNOSTIC) || defined(KASAN)
+#if !defined(KMSAN) && (defined(DIAGNOSTIC) || defined(KASAN))
 #define POOL_REDZONE
 #endif

@ -104,6 +105,18 @@ static void pool_cache_redzone_check(pool_cache_t, void *);
 # define pool_cache_redzone_check(pc, ptr)	__nothing
 #endif

+#ifdef KMSAN
+static inline void pool_get_kmsan(struct pool *, void *);
+static inline void pool_put_kmsan(struct pool *, void *);
+static inline void pool_cache_get_kmsan(pool_cache_t, void *);
+static inline void pool_cache_put_kmsan(pool_cache_t, void *);
+#else
+#define pool_get_kmsan(pp, ptr)		__nothing
+#define pool_put_kmsan(pp, ptr)		__nothing
+#define pool_cache_get_kmsan(pc, ptr)	__nothing
+#define pool_cache_put_kmsan(pc, ptr)	__nothing
+#endif
+
 #ifdef KLEAK
 static void pool_kleak_fill(struct pool *, void *);
 static void pool_cache_kleak_fill(pool_cache_t, void *);
@ -128,10 +141,8 @@ static bool pool_cache_put_quarantine(pool_cache_t, void *, paddr_t);
 #define NO_CTOR	__FPTRCAST(int (*)(void *, void *, int), nullop)
 #define NO_DTOR	__FPTRCAST(void (*)(void *, void *), nullop)

-#if defined(KASAN) || defined(KLEAK)
 #define pc_has_ctor(pc) ((pc)->pc_ctor != NO_CTOR)
 #define pc_has_dtor(pc) ((pc)->pc_dtor != NO_DTOR)
-#endif

 /*
 * Pool backend allocators.
@ -1194,6 +1205,7 @@ pool_get(struct pool *pp, int flags)
 	KASSERT((((vaddr_t)v) & (pp->pr_align - 1)) == 0);
 	FREECHECK_OUT(&pp->pr_freecheck, v);
 	pool_redzone_fill(pp, v);
+	pool_get_kmsan(pp, v);
 	if (flags & PR_ZERO)
 		memset(v, 0, pp->pr_reqsize);
 	else
@ -1211,6 +1223,7 @@ pool_do_put(struct pool *pp, void *v, struct pool_pagelist *pq)

 	KASSERT(mutex_owned(&pp->pr_lock));
 	pool_redzone_check(pp, v);
+	pool_put_kmsan(pp, v);
 	FREECHECK_IN(&pp->pr_freecheck, v);
 	LOCKDEBUG_MEM_CHECK(v, pp->pr_size);

@ -2563,6 +2576,7 @@ pool_cache_get_paddr(pool_cache_t pc, int flags, paddr_t *pap)
 			splx(s);
 			FREECHECK_OUT(&pc->pc_freecheck, object);
 			pool_redzone_fill(&pc->pc_pool, object);
+			pool_cache_get_kmsan(pc, object);
 			pool_cache_kleak_fill(pc, object);
 			return object;
 		}
@ -2712,6 +2726,7 @@ pool_cache_put_paddr(pool_cache_t pc, void *object, paddr_t pa)
 	int s;

 	KASSERT(object != NULL);
+	pool_cache_put_kmsan(pc, object);
 	pool_cache_redzone_check(pc, object);
 	FREECHECK_IN(&pc->pc_freecheck, object);

@ -2896,6 +2911,36 @@ pool_page_free_meta(struct pool *pp, void *v)
 	vmem_free(kmem_meta_arena, (vmem_addr_t)v, pp->pr_alloc->pa_pagesz);
 }

+#ifdef KMSAN
+static inline void
+pool_get_kmsan(struct pool *pp, void *p)
+{
+	kmsan_orig(p, pp->pr_size, KMSAN_TYPE_POOL, __RET_ADDR);
+	kmsan_mark(p, pp->pr_size, KMSAN_STATE_UNINIT);
+}
+
+static inline void
+pool_put_kmsan(struct pool *pp, void *p)
+{
+	kmsan_mark(p, pp->pr_size, KMSAN_STATE_INITED);
+}
+
+static inline void
+pool_cache_get_kmsan(pool_cache_t pc, void *p)
+{
+	if (__predict_false(pc_has_ctor(pc))) {
+		return;
+	}
+	pool_get_kmsan(&pc->pc_pool, p);
+}
+
+static inline void
+pool_cache_put_kmsan(pool_cache_t pc, void *p)
+{
+	pool_put_kmsan(&pc->pc_pool, p);
+}
+#endif
+
 #ifdef KLEAK
 static void
 pool_kleak_fill(struct pool *pp, void *p)
--- a/sys/lib/libkern/libkern.h
+++ b/sys/lib/libkern/libkern.h
@ -1,4 +1,4 @@
-/*	$NetBSD: libkern.h,v 1.133 2019/11/05 20:19:18 maxv Exp $	*/
+/*	$NetBSD: libkern.h,v 1.134 2019/11/14 16:23:53 maxv Exp $	*/

 /*-
 * Copyright (c) 1992, 1993
@ -384,6 +384,13 @@ void	*kcsan_memset(void *, int, size_t);
 #define	memcpy(d, s, l)		kcsan_memcpy(d, s, l)
 #define	memcmp(a, b, l)		kcsan_memcmp(a, b, l)
 #define	memset(d, v, l)		kcsan_memset(d, v, l)
+#elif defined(_KERNEL) && defined(KMSAN)
+void	*kmsan_memcpy(void *, const void *, size_t);
+int	 kmsan_memcmp(const void *, const void *, size_t);
+void	*kmsan_memset(void *, int, size_t);
+#define	memcpy(d, s, l)		kmsan_memcpy(d, s, l)
+#define	memcmp(a, b, l)		kmsan_memcmp(a, b, l)
+#define	memset(d, v, l)		kmsan_memset(d, v, l)
 #else
 #define	memcpy(d, s, l)		__builtin_memcpy(d, s, l)
 #define	memcmp(a, b, l)		__builtin_memcmp(a, b, l)
@ -411,6 +418,13 @@ size_t	 kcsan_strlen(const char *);
 #define	strcpy(d, s)		kcsan_strcpy(d, s)
 #define	strcmp(a, b)		kcsan_strcmp(a, b)
 #define	strlen(a)		kcsan_strlen(a)
+#elif defined(_KERNEL) && defined(KMSAN)
+char	*kmsan_strcpy(char *, const char *);
+int	 kmsan_strcmp(const char *, const char *);
+size_t	 kmsan_strlen(const char *);
+#define	strcpy(d, s)		kmsan_strcpy(d, s)
+#define	strcmp(a, b)		kmsan_strcmp(a, b)
+#define	strlen(a)		kmsan_strlen(a)
 #else
 #define	strcpy(d, s)		__builtin_strcpy(d, s)
 #define	strcmp(a, b)		__builtin_strcmp(a, b)
@ -460,6 +474,9 @@ void	*kasan_memmove(void *, const void *, size_t);
 #elif defined(_KERNEL) && defined(KCSAN)
 void	*kcsan_memmove(void *, const void *, size_t);
 #define	memmove(d, s, l)	kcsan_memmove(d, s, l)
+#elif defined(_KERNEL) && defined(KMSAN)
+void	*kmsan_memmove(void *, const void *, size_t);
+#define	memmove(d, s, l)	kmsan_memmove(d, s, l)
 #endif

 int	 pmatch(const char *, const char *, const char **);
--- a/sys/net/if.c
+++ b/sys/net/if.c
@ -1,4 +1,4 @@
-/*	$NetBSD: if.c,v 1.464 2019/11/13 02:51:22 ozaki-r Exp $	*/
+/*	$NetBSD: if.c,v 1.465 2019/11/14 16:23:53 maxv Exp $	*/

 /*-
 * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@ -90,7 +90,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.464 2019/11/13 02:51:22 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.465 2019/11/14 16:23:53 maxv Exp $");

 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@ -121,6 +121,7 @@ __KERNEL_RCSID(0, "$NetBSD: if.c,v 1.464 2019/11/13 02:51:22 ozaki-r Exp $");
 #include <sys/intr.h>
 #include <sys/module_hook.h>
 #include <sys/compat_stub.h>
+#include <sys/msan.h>

 #include <net/if.h>
 #include <net/if_dl.h>
@ -3610,6 +3611,8 @@ if_transmit_lock(struct ifnet *ifp, struct mbuf *m)
 {
 	int error;

+	kmsan_check_mbuf(m);
+
 #ifdef ALTQ
 	KERNEL_LOCK(1, NULL);
 	if (ALTQ_IS_ENABLED(&ifp->if_snd)) {
--- a/sys/sys/atomic.h
+++ b/sys/sys/atomic.h
@ -1,4 +1,4 @@
-/*	$NetBSD: atomic.h,v 1.16 2019/11/05 20:19:18 maxv Exp $	*/
+/*	$NetBSD: atomic.h,v 1.17 2019/11/14 16:23:53 maxv Exp $	*/

 /*-
 * Copyright (c) 2007, 2008 The NetBSD Foundation, Inc.
@ -40,6 +40,7 @@
 #if defined(_KERNEL) && defined(_KERNEL_OPT)
 #include "opt_kasan.h"
 #include "opt_kcsan.h"
+#include "opt_kmsan.h"
 #endif

 #if defined(KASAN)
@ -84,6 +85,27 @@
 #define ATOMIC_PROTO_INC(name, tret, targ1) \
 	void kcsan_atomic_inc_##name(volatile targ1 *); \
 	tret kcsan_atomic_inc_##name##_nv(volatile targ1 *)
+#elif defined(KMSAN)
+#define ATOMIC_PROTO_ADD(name, tret, targ1, targ2) \
+	void kmsan_atomic_add_##name(volatile targ1 *, targ2); \
+	tret kmsan_atomic_add_##name##_nv(volatile targ1 *, targ2)
+#define ATOMIC_PROTO_AND(name, tret, targ1, targ2) \
+	void kmsan_atomic_and_##name(volatile targ1 *, targ2); \
+	tret kmsan_atomic_and_##name##_nv(volatile targ1 *, targ2)
+#define ATOMIC_PROTO_OR(name, tret, targ1, targ2) \
+	void kmsan_atomic_or_##name(volatile targ1 *, targ2); \
+	tret kmsan_atomic_or_##name##_nv(volatile targ1 *, targ2)
+#define ATOMIC_PROTO_CAS(name, tret, targ1, targ2) \
+	tret kmsan_atomic_cas_##name(volatile targ1 *, targ2, targ2); \
+	tret kmsan_atomic_cas_##name##_ni(volatile targ1 *, targ2, targ2)
+#define ATOMIC_PROTO_SWAP(name, tret, targ1, targ2) \
+	tret kmsan_atomic_swap_##name(volatile targ1 *, targ2)
+#define ATOMIC_PROTO_DEC(name, tret, targ1) \
+	void kmsan_atomic_dec_##name(volatile targ1 *); \
+	tret kmsan_atomic_dec_##name##_nv(volatile targ1 *)
+#define ATOMIC_PROTO_INC(name, tret, targ1) \
+	void kmsan_atomic_inc_##name(volatile targ1 *); \
+	tret kmsan_atomic_inc_##name##_nv(volatile targ1 *)
 #else
 #define ATOMIC_PROTO_ADD(name, tret, targ1, targ2) \
 	void atomic_add_##name(volatile targ1 *, targ2); \
@ -297,6 +319,68 @@ __END_DECLS
 #define atomic_inc_ulong_nv	kcsan_atomic_inc_ulong_nv
 #define atomic_inc_ptr_nv	kcsan_atomic_inc_ptr_nv
 #define atomic_inc_64_nv	kcsan_atomic_inc_64_nv
+#elif defined(KMSAN)
+#define atomic_add_32		kmsan_atomic_add_32
+#define atomic_add_int		kmsan_atomic_add_int
+#define atomic_add_long		kmsan_atomic_add_long
+#define atomic_add_ptr		kmsan_atomic_add_ptr
+#define atomic_add_64		kmsan_atomic_add_64
+#define atomic_add_32_nv	kmsan_atomic_add_32_nv
+#define atomic_add_int_nv	kmsan_atomic_add_int_nv
+#define atomic_add_long_nv	kmsan_atomic_add_long_nv
+#define atomic_add_ptr_nv	kmsan_atomic_add_ptr_nv
+#define atomic_add_64_nv	kmsan_atomic_add_64_nv
+#define atomic_and_32		kmsan_atomic_and_32
+#define atomic_and_uint		kmsan_atomic_and_uint
+#define atomic_and_ulong	kmsan_atomic_and_ulong
+#define atomic_and_64		kmsan_atomic_and_64
+#define atomic_and_32_nv	kmsan_atomic_and_32_nv
+#define atomic_and_uint_nv	kmsan_atomic_and_uint_nv
+#define atomic_and_ulong_nv	kmsan_atomic_and_ulong_nv
+#define atomic_and_64_nv	kmsan_atomic_and_64_nv
+#define atomic_or_32		kmsan_atomic_or_32
+#define atomic_or_uint		kmsan_atomic_or_uint
+#define atomic_or_ulong		kmsan_atomic_or_ulong
+#define atomic_or_64		kmsan_atomic_or_64
+#define atomic_or_32_nv		kmsan_atomic_or_32_nv
+#define atomic_or_uint_nv	kmsan_atomic_or_uint_nv
+#define atomic_or_ulong_nv	kmsan_atomic_or_ulong_nv
+#define atomic_or_64_nv		kmsan_atomic_or_64_nv
+#define atomic_cas_32		kmsan_atomic_cas_32
+#define atomic_cas_uint		kmsan_atomic_cas_uint
+#define atomic_cas_ulong	kmsan_atomic_cas_ulong
+#define atomic_cas_ptr		kmsan_atomic_cas_ptr
+#define atomic_cas_64		kmsan_atomic_cas_64
+#define atomic_cas_32_ni	kmsan_atomic_cas_32_ni
+#define atomic_cas_uint_ni	kmsan_atomic_cas_uint_ni
+#define atomic_cas_ulong_ni	kmsan_atomic_cas_ulong_ni
+#define atomic_cas_ptr_ni	kmsan_atomic_cas_ptr_ni
+#define atomic_cas_64_ni	kmsan_atomic_cas_64_ni
+#define atomic_swap_32		kmsan_atomic_swap_32
+#define atomic_swap_uint	kmsan_atomic_swap_uint
+#define atomic_swap_ulong	kmsan_atomic_swap_ulong
+#define atomic_swap_ptr		kmsan_atomic_swap_ptr
+#define atomic_swap_64		kmsan_atomic_swap_64
+#define atomic_dec_32		kmsan_atomic_dec_32
+#define atomic_dec_uint		kmsan_atomic_dec_uint
+#define atomic_dec_ulong	kmsan_atomic_dec_ulong
+#define atomic_dec_ptr		kmsan_atomic_dec_ptr
+#define atomic_dec_64		kmsan_atomic_dec_64
+#define atomic_dec_32_nv	kmsan_atomic_dec_32_nv
+#define atomic_dec_uint_nv	kmsan_atomic_dec_uint_nv
+#define atomic_dec_ulong_nv	kmsan_atomic_dec_ulong_nv
+#define atomic_dec_ptr_nv	kmsan_atomic_dec_ptr_nv
+#define atomic_dec_64_nv	kmsan_atomic_dec_64_nv
+#define atomic_inc_32		kmsan_atomic_inc_32
+#define atomic_inc_uint		kmsan_atomic_inc_uint
+#define atomic_inc_ulong	kmsan_atomic_inc_ulong
+#define atomic_inc_ptr		kmsan_atomic_inc_ptr
+#define atomic_inc_64		kmsan_atomic_inc_64
+#define atomic_inc_32_nv	kmsan_atomic_inc_32_nv
+#define atomic_inc_uint_nv	kmsan_atomic_inc_uint_nv
+#define atomic_inc_ulong_nv	kmsan_atomic_inc_ulong_nv
+#define atomic_inc_ptr_nv	kmsan_atomic_inc_ptr_nv
+#define atomic_inc_64_nv	kmsan_atomic_inc_64_nv
 #endif

 #endif /* ! _SYS_ATOMIC_H_ */
--- a/sys/sys/bus_proto.h
+++ b/sys/sys/bus_proto.h
@ -1,4 +1,4 @@
-/*	$NetBSD: bus_proto.h,v 1.10 2019/11/05 20:19:18 maxv Exp $	*/
+/*	$NetBSD: bus_proto.h,v 1.11 2019/11/14 16:23:53 maxv Exp $	*/

 /*-
 * Copyright (c) 1996, 1997, 1998, 2001, 2007 The NetBSD Foundation, Inc.
@ -67,6 +67,7 @@
 #ifdef _KERNEL_OPT
 #include "opt_kasan.h"
 #include "opt_kcsan.h"
+#include "opt_kmsan.h"
 #endif

 /*
@ -185,6 +186,32 @@ void kcsan_bus_space_read_region_stream_##bytes(bus_space_tag_t,		\
 #define bus_space_read_region_stream_2 kcsan_bus_space_read_region_stream_2
 #define bus_space_read_region_stream_4 kcsan_bus_space_read_region_stream_4
 #define bus_space_read_region_stream_8 kcsan_bus_space_read_region_stream_8
+#elif defined(KMSAN)
+#define BUS_SPACE_READ_MEM_PROTOS(bytes, bits)					\
+void kmsan_bus_space_read_multi_##bytes(bus_space_tag_t, bus_space_handle_t,	\
+    bus_size_t, uint##bits##_t *, bus_size_t);					\
+void kmsan_bus_space_read_multi_stream_##bytes(bus_space_tag_t,			\
+    bus_space_handle_t, bus_size_t, uint##bits##_t *, bus_size_t);		\
+void kmsan_bus_space_read_region_##bytes(bus_space_tag_t, bus_space_handle_t,	\
+    bus_size_t, uint##bits##_t *, bus_size_t);					\
+void kmsan_bus_space_read_region_stream_##bytes(bus_space_tag_t,		\
+    bus_space_handle_t, bus_size_t, uint##bits##_t *, bus_size_t);
+#define bus_space_read_multi_1 kmsan_bus_space_read_multi_1
+#define bus_space_read_multi_2 kmsan_bus_space_read_multi_2
+#define bus_space_read_multi_4 kmsan_bus_space_read_multi_4
+#define bus_space_read_multi_8 kmsan_bus_space_read_multi_8
+#define bus_space_read_multi_stream_1 kmsan_bus_space_read_multi_stream_1
+#define bus_space_read_multi_stream_2 kmsan_bus_space_read_multi_stream_2
+#define bus_space_read_multi_stream_4 kmsan_bus_space_read_multi_stream_4
+#define bus_space_read_multi_stream_8 kmsan_bus_space_read_multi_stream_8
+#define bus_space_read_region_1 kmsan_bus_space_read_region_1
+#define bus_space_read_region_2 kmsan_bus_space_read_region_2
+#define bus_space_read_region_4 kmsan_bus_space_read_region_4
+#define bus_space_read_region_8 kmsan_bus_space_read_region_8
+#define bus_space_read_region_stream_1 kmsan_bus_space_read_region_stream_1
+#define bus_space_read_region_stream_2 kmsan_bus_space_read_region_stream_2
+#define bus_space_read_region_stream_4 kmsan_bus_space_read_region_stream_4
+#define bus_space_read_region_stream_8 kmsan_bus_space_read_region_stream_8
 #else
 #define BUS_SPACE_READ_MEM_PROTOS(bytes, bits)				\
 void bus_space_read_multi_##bytes(bus_space_tag_t, bus_space_handle_t,	\
@ -274,6 +301,32 @@ void kcsan_bus_space_write_region_stream_##bytes(bus_space_tag_t,		\
 #define bus_space_write_region_stream_2 kcsan_bus_space_write_region_stream_2
 #define bus_space_write_region_stream_4 kcsan_bus_space_write_region_stream_4
 #define bus_space_write_region_stream_8 kcsan_bus_space_write_region_stream_8
+#elif defined(KMSAN)
+#define BUS_SPACE_WRITE_MEM_PROTOS(bytes, bits)					\
+void kmsan_bus_space_write_multi_##bytes(bus_space_tag_t, bus_space_handle_t,	\
+    bus_size_t, const uint##bits##_t *, bus_size_t);				\
+void kmsan_bus_space_write_multi_stream_##bytes(bus_space_tag_t,		\
+    bus_space_handle_t, bus_size_t, const uint##bits##_t *, bus_size_t);	\
+void kmsan_bus_space_write_region_##bytes(bus_space_tag_t, bus_space_handle_t,	\
+    bus_size_t, const uint##bits##_t *, bus_size_t);				\
+void kmsan_bus_space_write_region_stream_##bytes(bus_space_tag_t,		\
+    bus_space_handle_t, bus_size_t, const uint##bits##_t *, bus_size_t);
+#define bus_space_write_multi_1 kmsan_bus_space_write_multi_1
+#define bus_space_write_multi_2 kmsan_bus_space_write_multi_2
+#define bus_space_write_multi_4 kmsan_bus_space_write_multi_4
+#define bus_space_write_multi_8 kmsan_bus_space_write_multi_8
+#define bus_space_write_multi_stream_1 kmsan_bus_space_write_multi_stream_1
+#define bus_space_write_multi_stream_2 kmsan_bus_space_write_multi_stream_2
+#define bus_space_write_multi_stream_4 kmsan_bus_space_write_multi_stream_4
+#define bus_space_write_multi_stream_8 kmsan_bus_space_write_multi_stream_8
+#define bus_space_write_region_1 kmsan_bus_space_write_region_1
+#define bus_space_write_region_2 kmsan_bus_space_write_region_2
+#define bus_space_write_region_4 kmsan_bus_space_write_region_4
+#define bus_space_write_region_8 kmsan_bus_space_write_region_8
+#define bus_space_write_region_stream_1 kmsan_bus_space_write_region_stream_1
+#define bus_space_write_region_stream_2 kmsan_bus_space_write_region_stream_2
+#define bus_space_write_region_stream_4 kmsan_bus_space_write_region_stream_4
+#define bus_space_write_region_stream_8 kmsan_bus_space_write_region_stream_8
 #else
 #define BUS_SPACE_WRITE_MEM_PROTOS(bytes, bits)				\
 void bus_space_write_multi_##bytes(bus_space_tag_t, bus_space_handle_t,	\
--- a/sys/sys/cdefs.h
+++ b/sys/sys/cdefs.h
@ -1,4 +1,4 @@
-/*	$NetBSD: cdefs.h,v 1.148 2019/11/05 20:19:18 maxv Exp $	*/
+/*	$NetBSD: cdefs.h,v 1.149 2019/11/14 16:23:53 maxv Exp $	*/

 /* * Copyright (c) 1991, 1993
 *	The Regents of the University of California.  All rights reserved.
@ -348,6 +348,12 @@
 #define	__nocsan	/* nothing */
 #endif

+#if defined(__clang__) && defined(KMSAN)
+#define	__nomsan	__attribute__((no_sanitize("memory")))
+#else
+#define	__nomsan	/* nothing */
+#endif
+
 #if defined(__clang__)
 #define __noubsan	__attribute__((no_sanitize("undefined")))
 #elif __GNUC_PREREQ__(4, 9)
--- a/sys/sys/lwp.h
+++ b/sys/sys/lwp.h
@ -1,4 +1,4 @@
-/*	$NetBSD: lwp.h,v 1.187 2019/10/03 22:26:43 kamil Exp $	*/
+/*	$NetBSD: lwp.h,v 1.188 2019/11/14 16:23:53 maxv Exp $	*/

 /*
 * Copyright (c) 2001, 2006, 2007, 2008, 2009, 2010
@ -53,6 +53,9 @@ struct lwp;
 /* forward declare this for <machine/cpu.h> so it can get l_cpu. */
 static __inline struct cpu_info *lwp_getcpu(struct lwp *);
 #include <machine/cpu.h>		/* curcpu() and cpu_info */
+#ifdef _KERNEL_OPT
+#include "opt_kmsan.h"
+#endif
 #endif

 #include <machine/proc.h>		/* Machine-dependent proc substruct. */
@ -204,6 +207,10 @@ struct lwp {
 	uint64_t	*l_syscall_counter; /* !: counter for current process */

 	struct kdtrace_thread *l_dtrace; /* (: DTrace-specific data. */
+
+#ifdef KMSAN
+	void		*l_kmsan; /* !: KMSAN private data. */
+#endif
 };

 /*
--- a/sys/sys/msan.h
+++ b/sys/sys/msan.h
@ -0,0 +1,85 @@
+/*	$NetBSD: msan.h,v 1.1 2019/11/14 16:23:53 maxv Exp $	*/
+
+/*
+ * Copyright (c) 2019 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Maxime Villard.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SYS_MSAN_H_
+#define _SYS_MSAN_H_
+
+#ifdef _KERNEL_OPT
+#include "opt_kmsan.h"
+#endif
+
+#ifdef KMSAN
+#include <sys/types.h>
+#include <sys/bus.h>
+
+#define KMSAN_STATE_UNINIT	0xFF
+#define KMSAN_STATE_INITED	0x00
+
+#define KMSAN_TYPE_STACK	0
+#define KMSAN_TYPE_KMEM		1
+#define KMSAN_TYPE_MALLOC	2
+#define KMSAN_TYPE_POOL		3
+#define KMSAN_TYPE_UVM		4
+
+#define KMSAN_DMA_LINEAR	1
+#define KMSAN_DMA_MBUF		2
+#define KMSAN_DMA_UIO		3
+#define KMSAN_DMA_RAW		4
+
+#define __RET_ADDR		(uintptr_t)__builtin_return_address(0)
+
+void kmsan_init(void *);
+void kmsan_shadow_map(void *, size_t);
+
+void kmsan_lwp_alloc(struct lwp *);
+void kmsan_lwp_free(struct lwp *);
+
+void kmsan_dma_sync(bus_dmamap_t, bus_addr_t, bus_size_t, int);
+void kmsan_dma_load(bus_dmamap_t, void *, bus_size_t, int);
+
+void kmsan_orig(void *, size_t, int, uintptr_t);
+void kmsan_mark(void *, size_t, uint8_t);
+void kmsan_check_mbuf(void *);
+void kmsan_check_buf(void *);
+#else
+#define kmsan_init(u)			__nothing
+#define kmsan_shadow_map(a, s)		__nothing
+#define kmsan_lwp_alloc(l)		__nothing
+#define kmsan_lwp_free(l)		__nothing
+#define kmsan_dma_sync(m, a, s, o)	__nothing
+#define kmsan_dma_load(m, b, s, o)	__nothing
+#define kmsan_orig(p, l, c, a)		__nothing
+#define kmsan_mark(p, l, c)		__nothing
+#define kmsan_check_mbuf(m)		__nothing
+#define kmsan_check_buf(b)		__nothing
+#endif
+
+#endif /* !_SYS_MSAN_H_ */
--- a/sys/sys/systm.h
+++ b/sys/sys/systm.h
@ -1,4 +1,4 @@
-/*	$NetBSD: systm.h,v 1.288 2019/11/05 20:19:18 maxv Exp $	*/
+/*	$NetBSD: systm.h,v 1.289 2019/11/14 16:23:53 maxv Exp $	*/

 /*-
 * Copyright (c) 1982, 1988, 1991, 1993
@ -271,6 +271,9 @@ int	kasan_kcopy(const void *, void *, size_t);
 #elif defined(_KERNEL) && defined(KCSAN)
 int	kcsan_kcopy(const void *, void *, size_t);
 #define kcopy		kcsan_kcopy
+#elif defined(_KERNEL) && defined(KMSAN)
+int	kmsan_kcopy(const void *, void *, size_t);
+#define kcopy		kmsan_kcopy
 #else
 int	kcopy(const void *, void *, size_t);
 #endif
@ -286,6 +289,7 @@ int	kasan_copystr(const void *, void *, size_t, size_t *);
 int	kasan_copyinstr(const void *, void *, size_t, size_t *);
 int	kasan_copyoutstr(const void *, void *, size_t, size_t *);
 int	kasan_copyin(const void *, void *, size_t);
+int	copyout(const void *, void *, size_t);
 #define copystr		kasan_copystr
 #define copyinstr	kasan_copyinstr
 #define copyoutstr	kasan_copyoutstr
@ -295,17 +299,29 @@ int	kcsan_copystr(const void *, void *, size_t, size_t *);
 int	kcsan_copyinstr(const void *, void *, size_t, size_t *);
 int	kcsan_copyoutstr(const void *, void *, size_t, size_t *);
 int	kcsan_copyin(const void *, void *, size_t);
+int	copyout(const void *, void *, size_t);
 #define copystr		kcsan_copystr
 #define copyinstr	kcsan_copyinstr
 #define copyoutstr	kcsan_copyoutstr
 #define copyin		kcsan_copyin
+#elif defined(_KERNEL) && defined(KMSAN)
+int	kmsan_copystr(const void *, void *, size_t, size_t *);
+int	kmsan_copyinstr(const void *, void *, size_t, size_t *);
+int	kmsan_copyoutstr(const void *, void *, size_t, size_t *);
+int	kmsan_copyin(const void *, void *, size_t);
+int	kmsan_copyout(const void *, void *, size_t);
+#define copystr		kmsan_copystr
+#define copyinstr	kmsan_copyinstr
+#define copyoutstr	kmsan_copyoutstr
+#define copyin		kmsan_copyin
+#define copyout		kmsan_copyout
 #else
 int	copystr(const void *, void *, size_t, size_t *);
 int	copyinstr(const void *, void *, size_t, size_t *);
 int	copyoutstr(const void *, void *, size_t, size_t *);
 int	copyin(const void *, void *, size_t);
-#endif
 int	copyout(const void *, void *, size_t);
+#endif

 #ifdef KLEAK
 #define copyout		kleak_copyout
--- a/sys/uvm/uvm_km.c
+++ b/sys/uvm/uvm_km.c
@ -1,4 +1,4 @@
-/*	$NetBSD: uvm_km.c,v 1.146 2018/12/02 21:00:13 maxv Exp $	*/
+/*	$NetBSD: uvm_km.c,v 1.147 2019/11/14 16:23:53 maxv Exp $	*/

 /*
 * Copyright (c) 1997 Charles D. Cranor and Washington University.
@ -152,7 +152,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_km.c,v 1.146 2018/12/02 21:00:13 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_km.c,v 1.147 2019/11/14 16:23:53 maxv Exp $");

 #include "opt_uvmhist.h"

@ -182,6 +182,7 @@ __KERNEL_RCSID(0, "$NetBSD: uvm_km.c,v 1.146 2018/12/02 21:00:13 maxv Exp $");
 #include <sys/vmem.h>
 #include <sys/vmem_impl.h>
 #include <sys/kmem.h>
+#include <sys/msan.h>

 #include <uvm/uvm.h>

@ -224,7 +225,9 @@ kmeminit_nkmempages(void)
 		return;
 	}

-#if defined(PMAP_MAP_POOLPAGE)
+#if defined(KMSAN)
+	npages = (physmem / 8);
+#elif defined(PMAP_MAP_POOLPAGE)
 	npages = (physmem / 4);
 #else
 	npages = (physmem / 3) * 2;
@ -703,6 +706,8 @@ uvm_km_alloc(struct vm_map *map, vsize_t size, vsize_t align, uvm_flag_t flags)

 	if ((flags & UVM_KMF_ZERO) == 0) {
 		kleak_fill_area((void *)kva, size);
+		kmsan_orig((void *)kva, size, KMSAN_TYPE_UVM, __RET_ADDR);
+		kmsan_mark((void *)kva, size, KMSAN_STATE_UNINIT);
 	}

 	UVMHIST_LOG(maphist,"<- done (kva=0x%jx)", kva,0,0,0);