From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 7 Jul 2021 11:43:11 -0700
Message-Id: <20210707184313.3697385-1-pcc@google.com>
X-Mailer: git-send-email 2.32.0.93.g670b81a890-goog
Subject: [PATCH v4 0/2] userfaultfd: do not untag user pointers
From: Peter Collingbourne
To: Catalin Marinas, Vincenzo Frascino, Dave Martin, Will Deacon, Andrew Morton, Andrea Arcangeli
Cc: Peter Collingbourne, Alistair Delva, Lokesh Gidra, William McVicker, Evgenii Stepanov, Mitch Phillips, Linux ARM, linux-mm@kvack.org, Andrey Konovalov
List-Id: linux-arm-kernel@lists.infradead.org

If a user program uses userfaultfd on ranges of heap memory, it may end up
passing a tagged pointer to the kernel in the range.start field of the
UFFDIO_REGISTER ioctl. This can happen when using an MTE-capable allocator,
or on Android if using the Tagged Pointers feature for MTE readiness [1].

When a fault subsequently occurs, the tag is stripped from the fault address
returned to the application in the fault.address field of struct uffd_msg.
However, from the application's perspective, the tagged address *is* the
memory address, so if the application is unaware of memory tags, it may get
confused by receiving an address that is, from its point of view, outside of
the bounds of the allocation. We observed this behavior in the kselftest for
userfaultfd [2] but other applications could have the same problem.
Address this by not untagging pointers passed to the userfaultfd ioctls.
Instead, let the system call fail. Also change the kselftest to use mmap so
that it doesn't encounter this problem.

[1] https://source.android.com/devices/tech/debug/tagged-pointers
[2] tools/testing/selftests/vm/userfaultfd.c

Peter Collingbourne (2):
  userfaultfd: do not untag user pointers
  selftest: use mmap instead of posix_memalign to allocate memory

 Documentation/arm64/tagged-address-abi.rst | 26 +++++++++++++++-------
 fs/userfaultfd.c                           | 26 ++++++++++------------
 tools/testing/selftests/vm/userfaultfd.c   |  6 +++--
 3 files changed, 34 insertions(+), 24 deletions(-)

-- 
2.32.0.93.g670b81a890-goog

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
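The address mismatch the cover letter describes, shown from the application side as an added example (this is not code from the patch series or from the kernel). It assumes the arm64 TBI layout where the logical tag sits in the top byte (bits 63:56) of a user pointer and that user addresses have bit 55 clear, so clearing the top byte is a sufficient untag; the struct and function names are illustrative. naive_in_bounds is the pre-fix confusion: the application compares its tagged allocation start against the untagged fault.address and concludes the fault is out of bounds. uffd_range_prepare strips the tag before the address is handed to UFFDIO_REGISTER (which, with this series applied, would otherwise fail), and uffd_fault_to_app_addr checks bounds on untagged values and restores the remembered tag so the address matches what the application holds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: TBI places the logical tag in the top byte of a user pointer.
 * MTE itself uses bits 59:56, but an application-level untag of a user
 * address (bit 55 == 0) can simply clear the whole top byte. */
#define TAG_SHIFT 56
#define TAG_MASK  (0xffULL << TAG_SHIFT)

static inline uintptr_t untag(uintptr_t a) { return a & ~(uintptr_t)TAG_MASK; }
static inline uint8_t   tag_of(uintptr_t a) { return (uint8_t)(a >> TAG_SHIFT); }
static inline uintptr_t retag(uintptr_t a, uint8_t tag)
{
    return untag(a) | ((uintptr_t)tag << TAG_SHIFT);
}

/* Per-range bookkeeping the application keeps next to its registration. */
struct uffd_range {
    uintptr_t start; /* untagged: the value for uffdio_register.range.start */
    size_t    len;
    uint8_t   tag;   /* tag carried by the application's own pointers */
};

/* Pre-fix confusion: the tagged start is compared directly against the
 * untagged fault.address, so every fault looks out of bounds. */
bool naive_in_bounds(uintptr_t tagged_start, size_t len, uintptr_t fault_addr)
{
    return fault_addr >= tagged_start && fault_addr < tagged_start + len;
}

/* Strip the tag before registering and remember it for later faults. */
struct uffd_range uffd_range_prepare(uintptr_t tagged_start, size_t len)
{
    struct uffd_range r = { untag(tagged_start), len, tag_of(tagged_start) };
    return r;
}

/* Translate a fault.address back into the application's tagged view.
 * Bounds are checked on untagged values (overflow-safe); 0 means "not ours". */
uintptr_t uffd_fault_to_app_addr(const struct uffd_range *r, uintptr_t fault_addr)
{
    uintptr_t f = untag(fault_addr);
    if (f < r->start || f - r->start >= r->len)
        return 0;
    return retag(f, r->tag);
}

int main(void)
{
    /* Constructed sample: tag 0x0b, two pages at 0x400000, fault in page 2. */
    uintptr_t tagged_start = 0x0b00000000400000ULL;
    size_t    len          = 0x2000;
    uintptr_t fault_addr   = 0x0000000000401000ULL; /* as delivered by the kernel */

    struct uffd_range r = uffd_range_prepare(tagged_start, len);
    printf("naive check says in bounds: %d\n",
           naive_in_bounds(tagged_start, len, fault_addr));
    printf("register start = 0x%lx, tag = 0x%02x\n",
           (unsigned long)r.start, r.tag);
    printf("fault 0x%lx -> app address 0x%lx\n",
           (unsigned long)fault_addr,
           (unsigned long)uffd_fault_to_app_addr(&r, fault_addr));
    return 0;
}
```

On a real system the value in r.start is what goes into uffdio_register.range.start before the UFFDIO_REGISTER ioctl; passing the tagged pointer instead is exactly what this series turns into a failed system call rather than silently accepting.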