From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 81F76C77B7C for ; Sun, 28 May 2023 19:49:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231322AbjE1Ts7 (ORCPT ); Sun, 28 May 2023 15:48:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34892 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231383AbjE1Ts7 (ORCPT ); Sun, 28 May 2023 15:48:59 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F3AF7A8 for ; Sun, 28 May 2023 12:48:57 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 90F8162004 for ; Sun, 28 May 2023 19:48:57 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id B0396C433D2; Sun, 28 May 2023 19:48:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1685303337; bh=Uu+fF8Crn82Ytf5deX/AeunyvlnF0e3FQ4ZeX7rN6Mw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=JOU2yiLAUU1lychiWNSuGOQDl5Ou8AhFQ+PlVLrQwCDqgUblSYvddtfheqM8D7M6d uV1d86W8Br0/7dt1I2F1+Gkt23wGdD1rwCGUuR8hVKL83vQKUB5yiOwXhrl1XZPenx WCrvd6FSZ3t0GclSWjVOf8pR+DAhmw5NuKZmfRNY= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Peter Collingbourne , Catalin Marinas , Will Deacon Subject: [PATCH 5.15 10/69] arm64: Also reset KASAN tag if page is not PG_mte_tagged Date: Sun, 28 May 2023 20:11:30 +0100 Message-Id: <20230528190828.729602333@linuxfoundation.org> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230528190828.358612414@linuxfoundation.org> References: <20230528190828.358612414@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Peter Collingbourne commit 2efbafb91e12ff5a16cbafb0085e4c10c3fca493 upstream. Consider the following sequence of events: 1) A page in a PROT_READ|PROT_WRITE VMA is faulted. 2) Page migration allocates a page with the KASAN allocator, causing it to receive a non-match-all tag, and uses it to replace the page faulted in 1. 3) The program uses mprotect() to enable PROT_MTE on the page faulted in 1. As a result of step 3, we are left with a non-match-all tag for a page with tags accessible to userspace, which can lead to the same kind of tag check faults that commit e74a68468062 ("arm64: Reset KASAN tag in copy_highpage with HW tags only") intended to fix. The general invariant that we have for pages in a VMA with VM_MTE_ALLOWED is that they cannot have a non-match-all tag. As a result of step 2, the invariant is broken. This means that the fix in the referenced commit was incomplete and we also need to reset the tag for pages without PG_mte_tagged. Fixes: e5b8d9218951 ("arm64: mte: reset the page tag in page->flags") Cc: # 5.15 Link: https://linux-review.googlesource.com/id/I7409cdd41acbcb215c2a7417c1e50d37b875beff Signed-off-by: Peter Collingbourne Reviewed-by: Catalin Marinas Link: https://lore.kernel.org/r/20230420210945.2313627-1-pcc@google.com Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman --- arch/arm64/mm/copypage.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/arch/arm64/mm/copypage.c +++ b/arch/arm64/mm/copypage.c @@ -21,9 +21,10 @@ void copy_highpage(struct page *to, stru copy_page(kto, kfrom); + page_kasan_tag_reset(to); + if (system_supports_mte() && test_bit(PG_mte_tagged, &from->flags)) { set_bit(PG_mte_tagged, &to->flags); - page_kasan_tag_reset(to); /* * We need smp_wmb() in between setting the flags and clearing the * tags because if another thread reads page->flags and builds a