From patchwork Thu Apr 20 21:43:27 2023
X-Patchwork-Submitter: Peter Collingbourne
X-Patchwork-Id: 13219203
Date: Thu, 20 Apr 2023 14:43:27 -0700
Message-Id: <20230420214327.2357985-1-pcc@google.com>
Subject: [PATCH] arm64: mte: Do not set PG_mte_tagged if tags were not initialized
From: Peter Collingbourne
To: catalin.marinas@arm.com
Cc: Peter Collingbourne, linux-arm-kernel@lists.infradead.org, vincenzo.frascino@arm.com, will@kernel.org, eugenis@google.com, stable@vger.kernel.org

The mte_sync_page_tags() function sets PG_mte_tagged if it initializes page tags. Then we return to mte_sync_tags(), which sets PG_mte_tagged again. At best, this is redundant. However, it is possible for mte_sync_page_tags() to return without having initialized tags for the page, i.e. in the case where check_swap is true (non-compound page), is_swap_pte(old_pte) is false and pte_is_tagged is false. So at worst, we set PG_mte_tagged on a page with uninitialized tags.

This can happen if, for example, page migration causes a PTE for an untagged page to be replaced. If the userspace program subsequently uses mprotect() to enable PROT_MTE for that page, the uninitialized tags will be exposed to userspace.

Fix it by removing the redundant call to set_page_mte_tagged().

Fixes: e059853d14ca ("arm64: mte: Fix/clarify the PG_mte_tagged semantics")
Signed-off-by: Peter Collingbourne
Cc: # 6.1
Link: https://linux-review.googlesource.com/id/Ib02d004d435b2ed87603b858ef7480f7b1463052
Reviewed-by: Catalin Marinas
---
 arch/arm64/kernel/mte.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c
index f5bcb0dc6267..7e89968bd282 100644
--- a/arch/arm64/kernel/mte.c
+++ b/arch/arm64/kernel/mte.c
@@ -66,13 +66,10 @@ void mte_sync_tags(pte_t old_pte, pte_t pte) return; /* if PG_mte_tagged is set, tags have already been initialised */ - for (i = 0; i < nr_pages; i++, page++) { - if (!page_mte_tagged(page)) { + for (i = 0; i < nr_pages; i++, page++) + if (!page_mte_tagged(page)) mte_sync_page_tags(page, old_pte, check_swap, pte_is_tagged); - set_page_mte_tagged(page); - } - } /* ensure the tags are visible before the PTE is set */ smp_wmb();
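Review bot: with `set_page_mte_tagged(page);` dropped from the loop, mte_sync_tags() no longer sets PG_mte_tagged on any path, so the flag now depends entirely on mte_sync_page_tags() setting it on every path that does initialise tags; that function is outside this hunk, so it is worth confirming (and stating in the commit message) that there is no path in it that initialises tags without also setting the flag, since such pages would otherwise stay unflagged and be re-synced on every PTE update. The retained comment `/* if PG_mte_tagged is set, tags have already been initialised */` still describes the skip condition accurately after the change, and dropping the braces around the now single-statement loop body is consistent with kernel style. The Fixes: tag together with the stable Cc marked `# 6.1` gives the backport the context it needs, given that the flag semantics this relies on were introduced by the referenced commit.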