From patchwork Fri Jul 2 22:57:03 2021
X-Patchwork-Submitter: Peter Collingbourne
X-Patchwork-Id: 12356773
Message-Id: <20210702225705.2477947-1-pcc@google.com>
Date: Fri, 2 Jul 2021 15:57:03 -0700
Subject: [PATCH v3 0/2] userfaultfd: do not untag user pointers
From: Peter Collingbourne
To: Catalin Marinas, Vincenzo Frascino, Dave Martin, Will Deacon, Andrew Morton, Andrea Arcangeli
Cc: Peter Collingbourne, Alistair Delva, Lokesh Gidra, William McVicker, Evgenii Stepanov, Mitch Phillips, Linux ARM, linux-mm@kvack.org, Andrey Konovalov

If a user program uses userfaultfd on ranges of heap memory, it may end up
passing a tagged pointer to the kernel in the range.start field of the
UFFDIO_REGISTER ioctl. This can happen when using an MTE-capable allocator,
or on Android if using the Tagged Pointers feature for MTE readiness [1].

When a fault subsequently occurs, the tag is stripped from the fault address
returned to the application in the fault.address field of struct uffd_msg.
However, from the application's perspective, the tagged address *is* the
memory address, so if the application is unaware of memory tags, it may get
confused by receiving an address that is, from its point of view, outside of
the bounds of the allocation. We observed this behavior in the kselftest for
userfaultfd [2] but other applications could have the same problem.

Address this by not untagging pointers passed to the userfaultfd ioctls.
Instead, let the system call fail. Also change the kselftest to use mmap so
that it doesn't encounter this problem.

[1] https://source.android.com/devices/tech/debug/tagged-pointers
[2] tools/testing/selftests/vm/userfaultfd.c

Peter Collingbourne (2):
  userfaultfd: do not untag user pointers
  selftest: use mmap instead of posix_memalign to allocate memory

 Documentation/arm64/tagged-address-abi.rst | 25 +++++++++++++++-------
 fs/userfaultfd.c                           | 22 +++++++++----------
 tools/testing/selftests/vm/userfaultfd.c   |  6 ++++--
 3 files changed, 31 insertions(+), 22 deletions(-)
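The two behaviours described in the cover letter, as an added example that is not part of the patch series or the kselftest: `stripped_fault_outside_app_range()` models how a fault.address with its top byte dropped lands outside the range an application computes from its own tagged base pointer, and `demo()` performs a real UFFDIO_REGISTER on an mmap()ed page (the approach the fixed selftest takes) once as-is and once with a top-byte tag on range.start. The tag value 0x5a, the constructed base address 0x7f0000000000 and the function names are assumptions made for this example; on a kernel carrying this series the tagged registration fails with EINVAL, while a kernel without it untags range.start and accepts it. The userfaultfd part is Linux-only and reports -ENOSYS when the syscall is unavailable (other OS, seccomp, or a kernel without UFFD_USER_MODE_ONLY).

```c
/* Added example, not from the patch series: exercise UFFDIO_REGISTER on an
 * mmap()ed region and model why an untagged fault.address confuses an
 * application that holds tagged heap pointers. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __linux__
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/userfaultfd.h>
#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1 /* user-mode faults only; unprivileged use on 5.11+ */
#endif
#endif

#define TAG_SHIFT 56
#define TAG_MASK  ((uint64_t)0xff << TAG_SHIFT)

/* Model of a top-byte tag as placed by an MTE-capable allocator or Android's
 * Tagged Pointers feature (tag value is an assumption for this example). */
static uint64_t tag_ptr(uint64_t addr, unsigned tag)
{
    return (addr & ~TAG_MASK) | ((uint64_t)tag << TAG_SHIFT);
}

/* The untagging the kernel applies to the address it reports in
 * uffd_msg.fault.address (and, before this series, to range.start). */
static uint64_t untag_ptr(uint64_t addr)
{
    return addr & ~TAG_MASK;
}

/* Bounds check as a tag-unaware application writes it: the address it
 * received is compared against the (tagged) base it allocated. */
static int in_app_range(uint64_t base, uint64_t len, uint64_t addr)
{
    return addr >= base && addr < base + len;
}

/* Returns 1 when a fault 16 bytes into a tagged allocation, reported with
 * the tag stripped, falls outside the application's own view of the range. */
static int stripped_fault_outside_app_range(void)
{
    uint64_t base = tag_ptr(0x7f0000000000ULL, 0x5a); /* constructed address */
    uint64_t reported = untag_ptr(base + 16);           /* fault.address as delivered */
    return !in_app_range(base, 4096, reported);
}

/* Register [start, start+len) for missing-page faults on a fresh userfaultfd.
 * Returns 0 on success, -errno from UFFDIO_REGISTER on failure, or -ENOSYS
 * when userfaultfd itself cannot be set up (non-Linux, seccomp, old kernel). */
static int uffd_register_range(uint64_t start, uint64_t len)
{
#ifdef __linux__
    long fd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY);
    if (fd < 0)
        return -ENOSYS;
    struct uffdio_api api = { .api = UFFD_API, .features = 0 };
    if (ioctl((int)fd, UFFDIO_API, &api) < 0) {
        close((int)fd);
        return -ENOSYS;
    }
    struct uffdio_register reg = {
        .range = { .start = start, .len = len },
        .mode = UFFDIO_REGISTER_MODE_MISSING,
    };
    int rc = ioctl((int)fd, UFFDIO_REGISTER, &reg) < 0 ? -errno : 0;
    close((int)fd); /* closing the fd also drops the registration */
    return rc;
#else
    (void)start; (void)len;
    return -ENOSYS;
#endif
}

/* Map one page with mmap (page aligned and untagged, as the fixed selftest
 * does) and register it twice: as-is into out[0], and with a top-byte tag on
 * range.start into out[1]. Returns 0, or -errno if the mapping failed. */
static int demo(int out[2])
{
#ifdef __linux__
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -errno;
    out[0] = uffd_register_range((uint64_t)(uintptr_t)p, len);
    out[1] = uffd_register_range(tag_ptr((uint64_t)(uintptr_t)p, 0x5a), len);
    munmap(p, len);
    return 0;
#else
    out[0] = out[1] = -ENOSYS;
    return 0;
#endif
}

int main(void)
{
    int out[2];
    if (demo(out) != 0)
        return 1;
    printf("untagged mmap range: %d, tagged range.start: %d (0 = ok, -%d = EINVAL, -%d = unavailable)\n",
           out[0], out[1], EINVAL, ENOSYS);
    printf("stripped fault.address outside app range: %d\n", stripped_fault_outside_app_range());
    return 0;
}
```

Build with `cc -o uffd_tag uffd_tag.c` and run as an ordinary user; UFFD_USER_MODE_ONLY is requested so the example does not depend on the vm.unprivileged_userfaultfd sysctl. The model part runs anywhere and shows the mismatch the cover letter describes: a fault address with its tag dropped compares as below the tagged base, so a tag-unaware bounds check rejects it even though it is inside the allocation.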