From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BA51FC11F67 for ; Thu, 1 Jul 2021 15:51:56 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 4F6F46141C for ; Thu, 1 Jul 2021 15:51:56 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4F6F46141C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 9454B8D0006; Thu, 1 Jul 2021 11:51:55 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 8CEA78D0001; Thu, 1 Jul 2021 11:51:55 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 748958D0006; Thu, 1 Jul 2021 11:51:55 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0034.hostedemail.com [216.40.44.34]) by kanga.kvack.org (Postfix) with ESMTP id 494F88D0001 for ; Thu, 1 Jul 2021 11:51:55 -0400 (EDT) Received: from smtpin39.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 0988023E6F for ; Thu, 1 Jul 2021 15:51:55 +0000 (UTC) X-FDA: 78314459790.39.3EB393E Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf16.hostedemail.com (Postfix) with ESMTP id 9D19AF00008F for ; Thu, 1 Jul 2021 15:51:54 +0000 (UTC) Received: by mail.kernel.org (Postfix) with ESMTPSA id 9ECE661413; Thu, 1 Jul 2021 15:51:51 +0000 (UTC) Date: Thu, 1 Jul 2021 16:51:49 +0100 From: Catalin Marinas To: Peter Collingbourne Cc: Vincenzo Frascino , Dave Martin , Will Deacon , Andrew Morton , Andrea Arcangeli , Alistair Delva , Lokesh Gidra , William McVicker , Evgenii Stepanov , Mitch Phillips , Linux ARM , linux-mm@kvack.org, stable@vger.kernel.org Subject: Re: [PATCH v2] userfaultfd: preserve user-supplied address tag in struct uffd_msg Message-ID: <20210701155148.GB12484@arm.com> References: <20210630232931.3779403-1-pcc@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210630232931.3779403-1-pcc@google.com> User-Agent: Mutt/1.10.1 (2018-07-13) Authentication-Results: imf16.hostedemail.com; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=arm.com (policy=none); spf=pass (imf16.hostedemail.com: domain of cmarinas@kernel.org designates 198.145.29.99 as permitted sender) smtp.mailfrom=cmarinas@kernel.org X-Rspamd-Server: rspam02 X-Stat-Signature: 4e6ogrppom4ng7mqog3rtehb3pgxiq6k X-Rspamd-Queue-Id: 9D19AF00008F X-HE-Tag: 1625154714-103831 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Hi Peter, On Wed, Jun 30, 2021 at 04:29:31PM -0700, Peter Collingbourne wrote: > If a user program uses userfaultfd on ranges of heap memory, it may > end up passing a tagged pointer to the kernel in the range.start > field of the UFFDIO_REGISTER ioctl. This can happen when using an > MTE-capable allocator, or on Android if using the Tagged Pointers > feature for MTE readiness [1]. When we added the tagged addr ABI, we realised it's nearly impossible to sort out all ioctls, so we added a note to the documentation that any address other than pointer to user structures as arguments to ioctl() should be untagged. Arguably, userfaultfd is not a random device but if we place it in the same category as mmap/mremap/brk, those don't allow tagged pointers either. And we do expect some apps to break when they rely on malloc() to return untagged pointers. > When a fault subsequently occurs, the tag is stripped from the fault > address returned to the application in the fault.address field > of struct uffd_msg. However, from the application's perspective, > the tagged address *is* the memory address, so if the application > is unaware of memory tags, it may get confused by receiving an > address that is, from its point of view, outside of the bounds of the > allocation. We observed this behavior in the kselftest for userfaultfd > [2] but other applications could have the same problem. Just curious, what's generating the tagged pointers in the kselftest? Is it posix_memalign()? > Fix this by remembering which tag was used to originally register the > userfaultfd and passing that tag back in fault.address. In a future > enhancement, we may want to pass back the original fault address, > but like SA_EXPOSE_TAGBITS, this should be guarded by a flag. I don't see exposing the tagged fault address vs making up a tag (from the original request) that different. I find the former cleaner from an ABI perspective, though it's a bit more intrusive to pass the tagged address via handle_mm_fault(). My preference is to fix this in user-space entirely, by explicit untagging of the malloc'ed pointer either before being passed to userfaultfd or when handling the userfaultfd message. How common is it for apps to register malloc'ed pointers with userfaultfd? I was hoping that's more of an (anonymous) mmap() play. -- Catalin