From patchwork Wed Jul 7 18:43:11 2021
X-Patchwork-Submitter: Peter Collingbourne
X-Patchwork-Id: 12363761
Date: Wed, 7 Jul 2021 11:43:11 -0700
Message-Id: <20210707184313.3697385-1-pcc@google.com>
Subject: [PATCH v4 0/2] userfaultfd: do not untag user pointers
From: Peter Collingbourne
To: Catalin Marinas, Vincenzo Frascino, Dave Martin, Will Deacon, Andrew Morton, Andrea Arcangeli
Cc: Peter Collingbourne, Alistair Delva, Lokesh Gidra, William McVicker, Evgenii Stepanov, Mitch Phillips, Linux ARM, linux-mm@kvack.org, Andrey Konovalov

If a user program uses userfaultfd on ranges of heap memory, it may end
up passing a tagged pointer to the kernel in the range.start field of
the UFFDIO_REGISTER ioctl. This can happen when using an MTE-capable
allocator, or on Android if using the Tagged Pointers feature for MTE
readiness [1].

When a fault subsequently occurs, the tag is stripped from the fault
address returned to the application in the fault.address field of
struct uffd_msg. However, from the application's perspective, the
tagged address *is* the memory address, so if the application is
unaware of memory tags, it may get confused by receiving an address
that is, from its point of view, outside of the bounds of the
allocation. We observed this behavior in the kselftest for userfaultfd
[2] but other applications could have the same problem.

Address this by not untagging pointers passed to the userfaultfd
ioctls. Instead, let the system call fail. Also change the kselftest
to use mmap so that it doesn't encounter this problem.

[1] https://source.android.com/devices/tech/debug/tagged-pointers
[2] tools/testing/selftests/vm/userfaultfd.c

Peter Collingbourne (2):
  userfaultfd: do not untag user pointers
  selftest: use mmap instead of posix_memalign to allocate memory

 Documentation/arm64/tagged-address-abi.rst | 26 +++++++++++++++-------
 fs/userfaultfd.c                           | 26 ++++++++++++++++------------
 tools/testing/selftests/vm/userfaultfd.c   |  6 +++--
 3 files changed, 34 insertions(+), 24 deletions(-)