From patchwork Thu Apr 20 21:09:45 2023
X-Patchwork-Submitter: Peter Collingbourne
Date: Thu, 20 Apr 2023 14:09:45 -0700
Message-Id: <20230420210945.2313627-1-pcc@google.com>
Subject: [PATCH] arm64: Also reset KASAN tag if page is not PG_mte_tagged
From: Peter Collingbourne
To: catalin.marinas@arm.com, andreyknvl@gmail.com
Cc: Peter Collingbourne, Qun-wei Lin (林群崴), Guangye Yang (杨光业), linux-mm@kvack.org, Chinwen Chang (張錦文), kasan-dev@googlegroups.com, ryabinin.a.a@gmail.com, linux-arm-kernel@lists.infradead.org, vincenzo.frascino@arm.com, will@kernel.org, eugenis@google.com, stable@vger.kernel.org

Consider the following sequence of events:

1) A page in a PROT_READ|PROT_WRITE VMA is faulted.
2) Page migration allocates a page with the KASAN allocator, causing it to receive a non-match-all tag, and uses it to replace the page faulted in 1.
3) The program uses mprotect() to enable PROT_MTE on the page faulted in 1.

As a result of step 3, we are left with a non-match-all tag for a page with tags accessible to userspace, which can lead to the same kind of tag check faults that commit e74a68468062 ("arm64: Reset KASAN tag in copy_highpage with HW tags only") intended to fix.

The general invariant that we have for pages in a VMA with VM_MTE_ALLOWED is that they cannot have a non-match-all tag. As a result of step 2, the invariant is broken. This means that the fix in the referenced commit was incomplete and we also need to reset the tag for pages without PG_mte_tagged.

Fixes: e5b8d9218951 ("arm64: mte: reset the page tag in page->flags")
Cc: # 5.15
Link: https://linux-review.googlesource.com/id/I7409cdd41acbcb215c2a7417c1e50d37b875beff
Signed-off-by: Peter Collingbourne Reviewed-by: Catalin Marinas --- arch/arm64/mm/copypage.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/arm64/mm/copypage.c b/arch/arm64/mm/copypage.c index 4aadcfb01754..a7bb20055ce0 100644 --- a/arch/arm64/mm/copypage.c +++ b/arch/arm64/mm/copypage.c @@ -21,9 +21,10 @@ void copy_highpage(struct page *to, struct page *from) copy_page(kto, kfrom); + if (kasan_hw_tags_enabled()) + page_kasan_tag_reset(to); + if (system_supports_mte() && page_mte_tagged(from)) { - if (kasan_hw_tags_enabled()) - page_kasan_tag_reset(to); /* It's a new page, shouldn't have been tagged yet */ WARN_ON_ONCE(!try_page_mte_tagging(to)); mte_copy_page_tags(kto, kfrom);
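Review bot: the hoisted `if (kasan_hw_tags_enabled()) page_kasan_tag_reset(to);` now runs for every copy_highpage() call, including destinations whose source was never MTE-tagged, but nothing in the hunk records why; the only comment left in the block ("It's a new page, shouldn't have been tagged yet") still sits inside the `page_mte_tagged(from)` branch and describes the MTE case only. Add a short comment above the new `if`, along the lines of `/* The allocator may have given the new page a non-match-all KASAN tag; reset it even if the source is untagged, since the VMA may later gain PROT_MTE. */`, so that a future cleanup does not fold the reset back into the MTE branch and reintroduce the migration case described in the commit message.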