From: Catalin Marinas <catalin.marinas@arm.com>
To: Peter Collingbourne <pcc@google.com>
Cc: "Qun-wei Lin (林群崴)" <Qun-wei.Lin@mediatek.com>,
"andreyknvl@gmail.com" <andreyknvl@gmail.com>,
"Kuan-Ying Lee (李冠穎)" <Kuan-Ying.Lee@mediatek.com>,
"Guangye Yang (杨光业)" <guangye.yang@mediatek.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"Chinwen Chang (張錦文)" <chinwen.chang@mediatek.com>,
"kasan-dev@googlegroups.com" <kasan-dev@googlegroups.com>,
"ryabinin.a.a@gmail.com" <ryabinin.a.a@gmail.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"vincenzo.frascino@arm.com" <vincenzo.frascino@arm.com>,
"will@kernel.org" <will@kernel.org>
Subject: Re: [PATCH v2 0/4] kasan: Fix ordering between MTE tag colouring and page->flags
Date: Fri, 10 Feb 2023 18:28:12 +0000 [thread overview]
Message-ID: <Y+aMvBozFxma3A/q@arm.com> (raw)
In-Reply-To: <Y+Xh6IuBFCYZhQIj@google.com>
Hi Peter,
On Thu, Feb 09, 2023 at 10:19:20PM -0800, Peter Collingbourne wrote:
> Thanks for the information. We encountered a similar issue internally
> with the Android 5.15 common kernel. We tracked it down to an issue
> with page migration, where the source page was a userspace page with
> MTE tags, and the target page was allocated using KASAN (i.e. having
> a non-zero KASAN tag). This caused tag check faults when the page was
> subsequently accessed by the kernel as a result of the mismatching tags
> from userspace. Given the number of different ways that page migration
> target pages can be allocated, the simplest fix that we could think of
> was to synchronize the KASAN tag in copy_highpage().
>
> Can you try the patch below and let us know whether it fixes the issue?
>
> diff --git a/arch/arm64/mm/copypage.c b/arch/arm64/mm/copypage.c
> index 24913271e898c..87ed38e9747bd 100644
> --- a/arch/arm64/mm/copypage.c
> +++ b/arch/arm64/mm/copypage.c
> @@ -23,6 +23,8 @@ void copy_highpage(struct page *to, struct page *from)
>
> if (system_supports_mte() && test_bit(PG_mte_tagged, &from->flags)) {
> set_bit(PG_mte_tagged, &to->flags);
> + if (kasan_hw_tags_enabled())
> + page_kasan_tag_set(to, page_kasan_tag(from));
> mte_copy_page_tags(kto, kfrom);
Why not just page_kasan_tag_reset(to)? If PG_mte_tagged is set on the
'from' page, the tags are random anyway and page_kasan_tag(from) should
already be 0xff. It makes more sense to do the same for the 'to' page
rather than copying the tag from the 'from' page. IOW, we are copying
user-controlled tags into a page, the kernel should have a match-all tag
in page->flags.
> Catalin, please let us know what you think of the patch above. It
> effectively partially undoes commit 20794545c146 ("arm64: kasan: Revert
> "arm64: mte: reset the page tag in page->flags""), but this seems okay
> to me because the mentioned race condition shouldn't affect "new" pages
> such as those being used as migration targets. The smp_wmb() that was
> there before doesn't seem necessary for the same reason.
>
> If the patch is okay, we should apply it to the 6.1 stable kernel. The
> problem appears to be "fixed" in the mainline kernel because of
> a bad merge conflict resolution on my part; when I rebased commit
> e059853d14ca ("arm64: mte: Fix/clarify the PG_mte_tagged semantics")
> past commit 20794545c146, it looks like I accidentally brought back the
> page_kasan_tag_reset() line removed in the latter. But we should align
> the mainline kernel with whatever we decide to do on 6.1.
Happy accident ;). When I reverted such calls in commit 20794545c146, my
assumption was that we always get a page that went through
post_alloc_hook() and the tags were reset. But it seems that's not
always the case (and probably wasteful anyway if we have to zero the
tags and data on a page we know we are going to override via
copy_highpage() anyway). The barrier doesn't help, so we shouldn't add
it back.
So, I'm fine with a stable fix but I wonder whether we should backport
the whole "Fix/clarify the PG_mte_tagged semantics" series instead.
--
Catalin
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Peter Collingbourne <pcc@google.com>
Cc: "Qun-wei Lin (林群崴)" <Qun-wei.Lin@mediatek.com>,
"andreyknvl@gmail.com" <andreyknvl@gmail.com>,
"Kuan-Ying Lee (李冠穎)" <Kuan-Ying.Lee@mediatek.com>,
"Guangye Yang (杨光业)" <guangye.yang@mediatek.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"Chinwen Chang (張錦文)" <chinwen.chang@mediatek.com>,
"kasan-dev@googlegroups.com" <kasan-dev@googlegroups.com>,
"ryabinin.a.a@gmail.com" <ryabinin.a.a@gmail.com>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"vincenzo.frascino@arm.com" <vincenzo.frascino@arm.com>,
"will@kernel.org" <will@kernel.org>
Subject: Re: [PATCH v2 0/4] kasan: Fix ordering between MTE tag colouring and page->flags
Date: Fri, 10 Feb 2023 18:28:12 +0000 [thread overview]
Message-ID: <Y+aMvBozFxma3A/q@arm.com> (raw)
In-Reply-To: <Y+Xh6IuBFCYZhQIj@google.com>
Hi Peter,
On Thu, Feb 09, 2023 at 10:19:20PM -0800, Peter Collingbourne wrote:
> Thanks for the information. We encountered a similar issue internally
> with the Android 5.15 common kernel. We tracked it down to an issue
> with page migration, where the source page was a userspace page with
> MTE tags, and the target page was allocated using KASAN (i.e. having
> a non-zero KASAN tag). This caused tag check faults when the page was
> subsequently accessed by the kernel as a result of the mismatching tags
> from userspace. Given the number of different ways that page migration
> target pages can be allocated, the simplest fix that we could think of
> was to synchronize the KASAN tag in copy_highpage().
>
> Can you try the patch below and let us know whether it fixes the issue?
>
> diff --git a/arch/arm64/mm/copypage.c b/arch/arm64/mm/copypage.c
> index 24913271e898c..87ed38e9747bd 100644
> --- a/arch/arm64/mm/copypage.c
> +++ b/arch/arm64/mm/copypage.c
> @@ -23,6 +23,8 @@ void copy_highpage(struct page *to, struct page *from)
>
> if (system_supports_mte() && test_bit(PG_mte_tagged, &from->flags)) {
> set_bit(PG_mte_tagged, &to->flags);
> + if (kasan_hw_tags_enabled())
> + page_kasan_tag_set(to, page_kasan_tag(from));
> mte_copy_page_tags(kto, kfrom);
Why not just page_kasan_tag_reset(to)? If PG_mte_tagged is set on the
'from' page, the tags are random anyway and page_kasan_tag(from) should
already be 0xff. It makes more sense to do the same for the 'to' page
rather than copying the tag from the 'from' page. IOW, we are copying
user-controlled tags into a page, the kernel should have a match-all tag
in page->flags.
> Catalin, please let us know what you think of the patch above. It
> effectively partially undoes commit 20794545c146 ("arm64: kasan: Revert
> "arm64: mte: reset the page tag in page->flags""), but this seems okay
> to me because the mentioned race condition shouldn't affect "new" pages
> such as those being used as migration targets. The smp_wmb() that was
> there before doesn't seem necessary for the same reason.
>
> If the patch is okay, we should apply it to the 6.1 stable kernel. The
> problem appears to be "fixed" in the mainline kernel because of
> a bad merge conflict resolution on my part; when I rebased commit
> e059853d14ca ("arm64: mte: Fix/clarify the PG_mte_tagged semantics")
> past commit 20794545c146, it looks like I accidentally brought back the
> page_kasan_tag_reset() line removed in the latter. But we should align
> the mainline kernel with whatever we decide to do on 6.1.
Happy accident ;). When I reverted such calls in commit 20794545c146, my
assumption was that we always get a page that went through
post_alloc_hook() and the tags were reset. But it seems that's not
always the case (and probably wasteful anyway if we have to zero the
tags and data on a page we know we are going to override via
copy_highpage() anyway). The barrier doesn't help, so we shouldn't add
it back.
So, I'm fine with a stable fix but I wonder whether we should backport
the whole "Fix/clarify the PG_mte_tagged semantics" series instead.
--
Catalin
next prev parent reply other threads:[~2023-02-10 18:29 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-10 15:21 [PATCH v2 0/4] kasan: Fix ordering between MTE tag colouring and page->flags Catalin Marinas
2022-06-10 15:21 ` Catalin Marinas
2022-06-10 15:21 ` [PATCH v2 1/4] mm: kasan: Ensure the tags are visible before the tag in page->flags Catalin Marinas
2022-06-10 15:21 ` Catalin Marinas
2022-06-16 8:31 ` Vincenzo Frascino
2022-06-16 8:31 ` Vincenzo Frascino
2022-07-07 9:22 ` Will Deacon
2022-07-07 9:22 ` Will Deacon
2022-07-07 11:44 ` Catalin Marinas
2022-07-07 11:44 ` Catalin Marinas
2022-06-10 15:21 ` [PATCH v2 2/4] mm: kasan: Skip unpoisoning of user pages Catalin Marinas
2022-06-10 15:21 ` Catalin Marinas
2022-06-11 19:40 ` Andrey Konovalov
2022-06-11 19:40 ` Andrey Konovalov
2022-06-16 8:42 ` Vincenzo Frascino
2022-06-16 8:42 ` Vincenzo Frascino
2022-06-16 17:40 ` Catalin Marinas
2022-06-16 17:40 ` Catalin Marinas
2022-06-10 15:21 ` [PATCH v2 3/4] mm: kasan: Skip page unpoisoning only if __GFP_SKIP_KASAN_UNPOISON Catalin Marinas
2022-06-10 15:21 ` Catalin Marinas
2022-06-11 19:40 ` Andrey Konovalov
2022-06-11 19:40 ` Andrey Konovalov
2022-06-16 8:43 ` Vincenzo Frascino
2022-06-16 8:43 ` Vincenzo Frascino
2022-06-10 15:21 ` [PATCH v2 4/4] arm64: kasan: Revert "arm64: mte: reset the page tag in page->flags" Catalin Marinas
2022-06-10 15:21 ` Catalin Marinas
2022-06-11 19:40 ` Andrey Konovalov
2022-06-11 19:40 ` Andrey Konovalov
2022-06-16 8:44 ` Vincenzo Frascino
2022-06-16 8:44 ` Vincenzo Frascino
2022-07-07 10:33 ` [PATCH v2 0/4] kasan: Fix ordering between MTE tag colouring and page->flags Will Deacon
2022-07-07 10:33 ` Will Deacon
2022-07-08 13:31 ` Will Deacon
2022-07-08 13:31 ` Will Deacon
2023-02-02 5:25 ` Kuan-Ying Lee (李冠穎)
2023-02-02 5:25 ` Kuan-Ying Lee (李冠穎)
2023-02-02 12:59 ` Andrey Konovalov
2023-02-02 12:59 ` Andrey Konovalov
2023-02-03 3:41 ` Kuan-Ying Lee (李冠穎)
2023-02-03 3:41 ` Kuan-Ying Lee (李冠穎)
2023-02-03 17:51 ` Andrey Konovalov
2023-02-03 17:51 ` Andrey Konovalov
2023-02-08 5:41 ` Qun-wei Lin (林群崴)
2023-02-08 5:41 ` Qun-wei Lin (林群崴)
2023-02-10 6:19 ` Peter Collingbourne
2023-02-10 6:19 ` Peter Collingbourne
2023-02-10 18:28 ` Catalin Marinas [this message]
2023-02-10 18:28 ` Catalin Marinas
2023-02-10 19:03 ` Peter Collingbourne
2023-02-10 19:03 ` Peter Collingbourne
2023-02-13 18:47 ` Catalin Marinas
2023-02-13 18:47 ` Catalin Marinas
2023-02-14 1:56 ` Peter Collingbourne
2023-02-14 1:56 ` Peter Collingbourne
2023-02-13 1:56 ` Qun-wei Lin (林群崴)
2023-02-13 1:56 ` Qun-wei Lin (林群崴)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y+aMvBozFxma3A/q@arm.com \
--to=catalin.marinas@arm.com \
--cc=Kuan-Ying.Lee@mediatek.com \
--cc=Qun-wei.Lin@mediatek.com \
--cc=andreyknvl@gmail.com \
--cc=chinwen.chang@mediatek.com \
--cc=guangye.yang@mediatek.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-mm@kvack.org \
--cc=pcc@google.com \
--cc=ryabinin.a.a@gmail.com \
--cc=vincenzo.frascino@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.