From patchwork Wed Jul 14 19:54:35 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Collingbourne <pcc@google.com>
X-Patchwork-Id: 12377819
Return-Path: <SRS0=SYtF=MG=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-21.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,
	USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0EB3EC12002
	for <linux-mm@archiver.kernel.org>; Wed, 14 Jul 2021 19:54:43 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id BC7A8613C3
	for <linux-mm@archiver.kernel.org>; Wed, 14 Jul 2021 19:54:42 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org BC7A8613C3
Authentication-Results: mail.kernel.org;
 dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org;
 spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id C689D6B0078; Wed, 14 Jul 2021 15:54:42 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id C187A6B007E; Wed, 14 Jul 2021 15:54:42 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id AB90F6B0080; Wed, 14 Jul 2021 15:54:42 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0213.hostedemail.com
 [216.40.44.213])
	by kanga.kvack.org (Postfix) with ESMTP id 848686B0078
	for <linux-mm@kvack.org>; Wed, 14 Jul 2021 15:54:42 -0400 (EDT)
Received: from smtpin06.hostedemail.com (10.5.19.251.rfc1918.com
 [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id 5E1C519220
	for <linux-mm@kvack.org>; Wed, 14 Jul 2021 19:54:41 +0000 (UTC)
X-FDA: 78362245962.06.AD7FD34
Received: from mail-qv1-f74.google.com (mail-qv1-f74.google.com
 [209.85.219.74])
	by imf01.hostedemail.com (Postfix) with ESMTP id 13432500D2E9
	for <linux-mm@kvack.org>; Wed, 14 Jul 2021 19:54:40 +0000 (UTC)
Received: by mail-qv1-f74.google.com with SMTP id
 c5-20020a0562141465b02902e2f9404330so2480846qvy.9
        for <linux-mm@kvack.org>; Wed, 14 Jul 2021 12:54:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:message-id:mime-version:subject:from:to:cc;
        bh=B1SHSXMV0HwmC+9P5VFvVEWT1t8VGL6TFMbPuOOATxY=;
        b=WErmltjqCScAeoL/1UWj5U7LaiDDlcwOlSqg7PsI1qfsp6dfr6f0V3Bu7D/khHRaH7
         yKF8pmaPPzYJ9h/WX//XlPXgzHasENBCeOQTYL4uuwUAUnJQxwT7TIzmrd0FIkaHWCxd
         AoVQ5kysRm8aPbKCxxjZEbhJZz8qoY3P0Vl1yisjxph3paCLD4ofOLxuLMnPgohoSzfY
         1l/Xbbk6oTX0c/pa/LKxVtwpasQOSb3TRrwCvrH4GJMNl/T1d5QUtbkrvC3V35cTzbE/
         SDYr9Sx2QlqzvSUX/aSv5bC3+ybtRhHnAnugbrqR5JndCERoOKwx9fCk9d4Ji4baKjJY
         3Tmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc;
        bh=B1SHSXMV0HwmC+9P5VFvVEWT1t8VGL6TFMbPuOOATxY=;
        b=Ua1ZXIN9jhtH4oQuy4aRFD8k7tGV8VDDg2MaMwSruQgr2YWyJPAyuSQwejBHp1MM4G
         U9SZGLg6Cr6IQjOo8b6MxT+9p8AsJzQSIDXP3mdawne1/iP6oG6/jEkXmGBLoHsich/8
         kliX+zUIAtnirS5yszF69jwqS9HTxGW++pi9cAFSe6V0fLl/f112RrhhMtzBpl4docWe
         6uvQ0htUSYyA09PBeIycUzOVC52BHPgJypXk2hyqb34GQO/4XtXWdnZVK7HUYGoJngCa
         0etyvKKS0e9Siq2vOwB61wPHTz+QXMZSxqERqgMJ1RlZ8rvtBhVJIAXa2sNTowu+b72n
         F1vA==
X-Gm-Message-State: AOAM530kLMj8xVn0Gham4R+4gTUA9XaX1V4tRUJ9sMsds9NwX0DETz6y
	rxbeoRyyU7FVuymMTck5jsA+sBo=
X-Google-Smtp-Source: 
 ABdhPJy0PeCqbjVg3gqhPUpwRDdjza+5edRKU6em6ovECOEIlTb62E9S5tR/JiBcbi04spxvfIqSTME=
X-Received: from pcc-desktop.svl.corp.google.com
 ([2620:15c:2ce:200:a993:4290:ae1e:51db])
 (user=pcc job=sendgmr) by 2002:a05:6214:242b:: with SMTP id
 gy11mr12449501qvb.9.1626292480147; Wed, 14 Jul 2021 12:54:40 -0700 (PDT)
Date: Wed, 14 Jul 2021 12:54:35 -0700
Message-Id: <20210714195437.118982-1-pcc@google.com>
Mime-Version: 1.0
X-Mailer: git-send-email 2.32.0.93.g670b81a890-goog
Subject: [PATCH v5 0/2] userfaultfd: do not untag user pointers
From: Peter Collingbourne <pcc@google.com>
To: Catalin Marinas <catalin.marinas@arm.com>,
 Vincenzo Frascino <vincenzo.frascino@arm.com>,
	Dave Martin <Dave.Martin@arm.com>, Will Deacon <will@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
 Andrea Arcangeli <aarcange@redhat.com>
Cc: Peter Collingbourne <pcc@google.com>, Alistair Delva <adelva@google.com>,
	Lokesh Gidra <lokeshgidra@google.com>,
 William McVicker <willmcvicker@google.com>,
	Evgenii Stepanov <eugenis@google.com>, Mitch Phillips <mitchp@google.com>,
	Linux ARM <linux-arm-kernel@lists.infradead.org>, linux-mm@kvack.org,
	Andrey Konovalov <andreyknvl@gmail.com>
X-Rspamd-Server: rspam06
X-Rspamd-Queue-Id: 13432500D2E9
X-Stat-Signature: zgx4iz9enn466ax4bsm4ijyi7hc8176s
Authentication-Results: imf01.hostedemail.com;
	dkim=pass header.d=google.com header.s=20161025 header.b=WErmltjq;
	spf=pass (imf01.hostedemail.com: domain of
 3AEHvYAMKCE04rrv33v0t.r310x29C-11zAprz.36v@flex--pcc.bounces.google.com
 designates 209.85.219.74 as permitted sender)
 smtp.mailfrom=3AEHvYAMKCE04rrv33v0t.r310x29C-11zAprz.36v@flex--pcc.bounces.google.com;
	dmarc=pass (policy=reject) header.from=google.com
X-HE-Tag: 1626292480-719319
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

If a user program uses userfaultfd on ranges of heap memory, it may
end up passing a tagged pointer to the kernel in the range.start
field of the UFFDIO_REGISTER ioctl. This can happen when using an
MTE-capable allocator, or on Android if using the Tagged Pointers
feature for MTE readiness [1].

When a fault subsequently occurs, the tag is stripped from the fault
address returned to the application in the fault.address field
of struct uffd_msg. However, from the application's perspective,
the tagged address *is* the memory address, so if the application
is unaware of memory tags, it may get confused by receiving an
address that is, from its point of view, outside of the bounds of the
allocation. We observed this behavior in the kselftest for userfaultfd
[2] but other applications could have the same problem.

Address this by not untagging pointers passed to the userfaultfd
ioctls. Instead, let the system call fail. Also change the kselftest
to use mmap so that it doesn't encounter this problem.

[1] https://source.android.com/devices/tech/debug/tagged-pointers
[2] tools/testing/selftests/vm/userfaultfd.c

Peter Collingbourne (2):
  userfaultfd: do not untag user pointers
  selftest: use mmap instead of posix_memalign to allocate memory

 Documentation/arm64/tagged-address-abi.rst | 26 +++++++++++++++-------
 fs/userfaultfd.c                           | 26 ++++++++++------------
 tools/testing/selftests/vm/userfaultfd.c   |  6 +++--
 3 files changed, 34 insertions(+), 24 deletions(-)