Date: Thu, 1 Feb 2024 17:38:04 +0000
From: Alexandru Elisei
To: Anshuman Khandual
Subject: Re: [PATCH RFC v3 30/35] arm64: mte: ptrace: Handle pages with missing tag storage

Hi,

On Thu, Feb 01, 2024 at 02:51:39PM +0530, Anshuman Khandual wrote: > > > On 1/25/24 22:12, Alexandru Elisei wrote: > > A page can end up 
mapped in a MTE enabled VMA without the corresponding tag > > storage block reserved. Tag accesses made by ptrace in this case can lead > > to the wrong tags being read or memory corruption for the process that is > > using the tag storage memory as data. > > > > Reserve tag storage by treating ptrace accesses like a fault. > > > > Signed-off-by: Alexandru Elisei > > --- > > > > Changes since rfc v2: > > > > * New patch, issue reported by Peter Collingbourne. > > > > arch/arm64/kernel/mte.c | 26 ++++++++++++++++++++++++-- > > 1 file changed, 24 insertions(+), 2 deletions(-) > > > > diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c > > index faf09da3400a..b1fa02dad4fd 100644 > > --- a/arch/arm64/kernel/mte.c > > +++ b/arch/arm64/kernel/mte.c > > @@ -412,10 +412,13 @@ static int __access_remote_tags(struct mm_struct *mm, unsigned long addr, > > while (len) { > > struct vm_area_struct *vma; > > unsigned long tags, offset; > > + unsigned int fault_flags; > > + struct page *page; > > + vm_fault_t ret; > > void *maddr; > > - struct page *page = get_user_page_vma_remote(mm, addr, > > - gup_flags, &vma); > > > > +get_page: > > + page = get_user_page_vma_remote(mm, addr, gup_flags, &vma); > > But if there is valid page returned here in the first GUP attempt, will there > still be a subsequent handle_mm_fault() on the same vma and addr ? Only if it's missing tag storage. If it's missing tag storage, the page has been mapped as arch_fault_on_access_pte(), and handle_mm_fault()->..->arch_handle_folio_fault_on_access() will either reserve tag storage, or migrate it. > > > if (IS_ERR(page)) { > > err = PTR_ERR(page); > > break; 
> > @@ -433,6 +436,25 @@ static int __access_remote_tags(struct mm_struct *mm, unsigned long addr, > > put_page(page); > > break; > > } > > + > > + if (tag_storage_enabled() && !page_tag_storage_reserved(page)) { > > Should not '!page' be checked here as well ? I was under the impression that get_user_page_vma_remote() returns an error pointer if gup couldn't pin the page. Thanks, Alex > > > + fault_flags = FAULT_FLAG_DEFAULT | \ > > + FAULT_FLAG_USER | \ > > + FAULT_FLAG_REMOTE | \ > > + FAULT_FLAG_ALLOW_RETRY | \ > > + FAULT_FLAG_RETRY_NOWAIT; > > + if (write) > > + fault_flags |= FAULT_FLAG_WRITE; > > + > > + put_page(page); > > + ret = handle_mm_fault(vma, addr, fault_flags, NULL); > > + if (ret & VM_FAULT_ERROR) { > > + err = -EFAULT; > > + break; > > + } > > + goto get_page; > > + } > > + > > WARN_ON_ONCE(!page_mte_tagged(page)); > > > > /* limit access to the end of the page */
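Review bot: in the first hunk (@@ -412,10 +412,13 @@), the new label `get_page:` shares its name with the kernel's get_page() helper, which makes `goto get_page` read like a call that takes a page reference. Labels live in their own namespace, so it compiles, but a name such as `retry:` or `retry_gup:` would be clearer. The label also deserves a one-line comment saying why the lookup is repeated: per the discussion in this thread, handle_mm_fault() may reserve tag storage for the page or migrate it, so the struct page returned by the first get_user_page_vma_remote() call cannot be reused.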
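Review bot: in the second hunk (@@ -433,6 +436,25 @@), the only result checked after handle_mm_fault() is `ret & VM_FAULT_ERROR`, yet fault_flags sets FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_RETRY_NOWAIT, so a VM_FAULT_RETRY return is treated like success and falls through to `goto get_page`. Nothing bounds that backward jump: if the page keeps coming back without tag storage reserved, the loop spins inside `while (len)` with no retry limit and no fatal_signal_pending() check. Please handle VM_FAULT_RETRY explicitly and give the loop an exit condition, or drop the retry flags if retry semantics are not wanted here. Two smaller points: every VM_FAULT_ERROR case, including an out-of-memory result, is reported to the ptrace caller as -EFAULT, and the trailing backslashes in the fault_flags assignment are not needed, since this is an ordinary expression and not a macro body.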