[PATCH RFC v3 30/35] arm64: mte: ptrace: Handle pages with missing tag storage

[PATCH RFC v3 00/35] Add support for arm64 MTE dynamic tag storage reuse · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 01/35] mm: page_alloc: Add gfp_flags parameter to arch_alloc_page() · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 01/35] mm: page_alloc: Add gfp_flags parameter to arch_alloc_page() · Anshuman Khandual <hidden> · 2024-01-29
Re: [PATCH RFC v3 01/35] mm: page_alloc: Add gfp_flags parameter to arch_alloc_page() · Alexandru Elisei <hidden> · 2024-01-29
Re: [PATCH RFC v3 01/35] mm: page_alloc: Add gfp_flags parameter to arch_alloc_page() · Anshuman Khandual <hidden> · 2024-01-30
Re: [PATCH RFC v3 01/35] mm: page_alloc: Add gfp_flags parameter to arch_alloc_page() · Alexandru Elisei <hidden> · 2024-01-30
[PATCH RFC v3 02/35] mm: page_alloc: Add an arch hook early in free_pages_prepare() · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 02/35] mm: page_alloc: Add an arch hook early in free_pages_prepare() · Anshuman Khandual <hidden> · 2024-01-29
Re: [PATCH RFC v3 02/35] mm: page_alloc: Add an arch hook early in free_pages_prepare() · Alexandru Elisei <hidden> · 2024-01-29
[PATCH RFC v3 03/35] mm: page_alloc: Add an arch hook to filter MIGRATE_CMA allocations · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 03/35] mm: page_alloc: Add an arch hook to filter MIGRATE_CMA allocations · Anshuman Khandual <hidden> · 2024-01-29
Re: [PATCH RFC v3 03/35] mm: page_alloc: Add an arch hook to filter MIGRATE_CMA allocations · Alexandru Elisei <hidden> · 2024-01-29
[PATCH RFC v3 04/35] mm: page_alloc: Partially revert "mm: page_alloc: remove stale CMA guard code" · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 04/35] mm: page_alloc: Partially revert "mm: page_alloc: remove stale CMA guard code" · Anshuman Khandual <hidden> · 2024-01-29
Re: [PATCH RFC v3 04/35] mm: page_alloc: Partially revert "mm: page_alloc: remove stale CMA guard code" · Alexandru Elisei <hidden> · 2024-01-29
Re: [PATCH RFC v3 04/35] mm: page_alloc: Partially revert "mm: page_alloc: remove stale CMA guard code" · Anshuman Khandual <hidden> · 2024-01-30
Re: [PATCH RFC v3 04/35] mm: page_alloc: Partially revert "mm: page_alloc: remove stale CMA guard code" · Alexandru Elisei <hidden> · 2024-01-30
Re: [PATCH RFC v3 04/35] mm: page_alloc: Partially revert "mm: page_alloc: remove stale CMA guard code" · Anshuman Khandual <hidden> · 2024-01-31
[PATCH RFC v3 05/35] mm: cma: Don't append newline when generating CMA area name · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 05/35] mm: cma: Don't append newline when generating CMA area name · Anshuman Khandual <hidden> · 2024-01-29
Re: [PATCH RFC v3 05/35] mm: cma: Don't append newline when generating CMA area name · Alexandru Elisei <hidden> · 2024-01-29
[PATCH RFC v3 06/35] mm: cma: Make CMA_ALLOC_SUCCESS/FAIL count the number of pages · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 06/35] mm: cma: Make CMA_ALLOC_SUCCESS/FAIL count the number of pages · Anshuman Khandual <hidden> · 2024-01-29
Re: [PATCH RFC v3 06/35] mm: cma: Make CMA_ALLOC_SUCCESS/FAIL count the number of pages · Alexandru Elisei <hidden> · 2024-01-29
Re: [PATCH RFC v3 06/35] mm: cma: Make CMA_ALLOC_SUCCESS/FAIL count the number of pages · Anshuman Khandual <hidden> · 2024-01-30
Re: [PATCH RFC v3 06/35] mm: cma: Make CMA_ALLOC_SUCCESS/FAIL count the number of pages · Alexandru Elisei <hidden> · 2024-01-30
Re: [PATCH RFC v3 06/35] mm: cma: Make CMA_ALLOC_SUCCESS/FAIL count the number of pages · Anshuman Khandual <hidden> · 2024-01-31
Re: [PATCH RFC v3 06/35] mm: cma: Make CMA_ALLOC_SUCCESS/FAIL count the number of pages · Alexandru Elisei <hidden> · 2024-01-31
[PATCH RFC v3 07/35] mm: cma: Add CMA_RELEASE_{SUCCESS,FAIL} events · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 07/35] mm: cma: Add CMA_RELEASE_{SUCCESS,FAIL} events · Anshuman Khandual <hidden> · 2024-01-29
Re: [PATCH RFC v3 07/35] mm: cma: Add CMA_RELEASE_{SUCCESS,FAIL} events · Alexandru Elisei <hidden> · 2024-01-29
Re: [PATCH RFC v3 07/35] mm: cma: Add CMA_RELEASE_{SUCCESS,FAIL} events · Anshuman Khandual <hidden> · 2024-01-31
[PATCH RFC v3 08/35] mm: cma: Introduce cma_alloc_range() · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 08/35] mm: cma: Introduce cma_alloc_range() · Anshuman Khandual <hidden> · 2024-01-30
Re: [PATCH RFC v3 08/35] mm: cma: Introduce cma_alloc_range() · Alexandru Elisei <hidden> · 2024-01-30
Re: [PATCH RFC v3 08/35] mm: cma: Introduce cma_alloc_range() · Anshuman Khandual <hidden> · 2024-01-31
Re: [PATCH RFC v3 08/35] mm: cma: Introduce cma_alloc_range() · Alexandru Elisei <hidden> · 2024-01-31
[PATCH RFC v3 09/35] mm: cma: Introduce cma_remove_mem() · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 09/35] mm: cma: Introduce cma_remove_mem() · Anshuman Khandual <hidden> · 2024-01-30
Re: [PATCH RFC v3 09/35] mm: cma: Introduce cma_remove_mem() · Alexandru Elisei <hidden> · 2024-01-30
Re: [PATCH RFC v3 09/35] mm: cma: Introduce cma_remove_mem() · Anshuman Khandual <hidden> · 2024-01-31
Re: [PATCH RFC v3 09/35] mm: cma: Introduce cma_remove_mem() · Alexandru Elisei <hidden> · 2024-01-31
[PATCH RFC v3 10/35] mm: cma: Fast track allocating memory when the pages are free · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 10/35] mm: cma: Fast track allocating memory when the pages are free · Anshuman Khandual <hidden> · 2024-01-30
Re: [PATCH RFC v3 10/35] mm: cma: Fast track allocating memory when the pages are free · Alexandru Elisei <hidden> · 2024-01-30
[PATCH RFC v3 11/35] mm: Allow an arch to hook into folio allocation when VMA is known · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 11/35] mm: Allow an arch to hook into folio allocation when VMA is known · Peter Collingbourne <hidden> · 2024-01-26
Re: [PATCH RFC v3 11/35] mm: Allow an arch to hook into folio allocation when VMA is known · Alexandru Elisei <hidden> · 2024-01-29
Re: [PATCH RFC v3 11/35] mm: Allow an arch to hook into folio allocation when VMA is known · Anshuman Khandual <hidden> · 2024-01-30
Re: [PATCH RFC v3 11/35] mm: Allow an arch to hook into folio allocation when VMA is known · Alexandru Elisei <hidden> · 2024-01-30
Re: [PATCH RFC v3 11/35] mm: Allow an arch to hook into folio allocation when VMA is known · Anshuman Khandual <hidden> · 2024-01-31
Re: [PATCH RFC v3 11/35] mm: Allow an arch to hook into folio allocation when VMA is known · Alexandru Elisei <hidden> · 2024-01-31
[PATCH RFC v3 12/35] mm: Call arch_swap_prepare_to_restore() before arch_swap_restore() · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 12/35] mm: Call arch_swap_prepare_to_restore() before arch_swap_restore() · Anshuman Khandual <hidden> · 2024-02-01
Re: [PATCH RFC v3 12/35] mm: Call arch_swap_prepare_to_restore() before arch_swap_restore() · Alexandru Elisei <hidden> · 2024-02-01
[PATCH RFC v3 13/35] mm: memory: Introduce fault-on-access mechanism for pages · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 13/35] mm: memory: Introduce fault-on-access mechanism for pages · Anshuman Khandual <hidden> · 2024-02-01
Re: [PATCH RFC v3 13/35] mm: memory: Introduce fault-on-access mechanism for pages · Alexandru Elisei <hidden> · 2024-02-01
[PATCH RFC v3 14/35] of: fdt: Return the region size in of_flat_dt_translate_address() · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 15/35] of: fdt: Add of_flat_read_u32() · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 16/35] KVM: arm64: Don't deny VM_PFNMAP VMAs when kvm_has_mte() · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 17/35] arm64: mte: Rework naming for tag manipulation functions · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 18/35] arm64: mte: Rename __GFP_ZEROTAGS to __GFP_TAGGED · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 19/35] arm64: mte: Discover tag storage memory · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 19/35] arm64: mte: Discover tag storage memory · Krzysztof Kozlowski <krzk@kernel.org> · 2024-01-26
Re: [PATCH RFC v3 19/35] arm64: mte: Discover tag storage memory · Alexandru Elisei <hidden> · 2024-01-26
[PATCH RFC v3 20/35] arm64: mte: Add tag storage memory to CMA · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 21/35] arm64: mte: Disable dynamic tag storage management if HW KASAN is enabled · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 22/35] arm64: mte: Enable tag storage if CMA areas have been activated · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 22/35] arm64: mte: Enable tag storage if CMA areas have been activated · Evgenii Stepanov <hidden> · 2024-02-02
Re: [PATCH RFC v3 22/35] arm64: mte: Enable tag storage if CMA areas have been activated · Alexandru Elisei <hidden> · 2024-02-05
[PATCH RFC v3 23/35] arm64: mte: Try to reserve tag storage in arch_alloc_page() · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 23/35] arm64: mte: Try to reserve tag storage in arch_alloc_page() · Peter Collingbourne <hidden> · 2024-01-30
Re: [PATCH RFC v3 23/35] arm64: mte: Try to reserve tag storage in arch_alloc_page() · Alexandru Elisei <hidden> · 2024-01-30
[PATCH RFC v3 24/35] arm64: mte: Perform CMOs for tag blocks · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 25/35] arm64: mte: Reserve tag block for the zero page · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 26/35] arm64: mte: Use fault-on-access to reserve missing tag storage · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 27/35] arm64: mte: Handle tag storage pages mapped in an MTE VMA · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 28/35] arm64: mte: swap: Handle tag restoring when missing tag storage · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 28/35] arm64: mte: swap: Handle tag restoring when missing tag storage · Peter Collingbourne <hidden> · 2024-02-02
Re: [PATCH RFC v3 28/35] arm64: mte: swap: Handle tag restoring when missing tag storage · Alexandru Elisei <hidden> · 2024-02-02
Re: [PATCH RFC v3 28/35] arm64: mte: swap: Handle tag restoring when missing tag storage · Evgenii Stepanov <hidden> · 2024-02-03
Re: [PATCH RFC v3 28/35] arm64: mte: swap: Handle tag restoring when missing tag storage · Peter Collingbourne <hidden> · 2024-02-03
[PATCH RFC v3 29/35] arm64: mte: copypage: Handle tag restoring when missing tag storage · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 30/35] arm64: mte: ptrace: Handle pages with missing tag storage · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 30/35] arm64: mte: ptrace: Handle pages with missing tag storage · Anshuman Khandual <hidden> · 2024-02-01
Re: [PATCH RFC v3 30/35] arm64: mte: ptrace: Handle pages with missing tag storage · Alexandru Elisei <hidden> · 2024-02-01
[PATCH RFC v3 31/35] khugepaged: arm64: Don't collapse MTE enabled VMAs · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 31/35] khugepaged: arm64: Don't collapse MTE enabled VMAs · Anshuman Khandual <hidden> · 2024-02-01
Re: [PATCH RFC v3 31/35] khugepaged: arm64: Don't collapse MTE enabled VMAs · Alexandru Elisei <hidden> · 2024-02-01
[PATCH RFC v3 32/35] KVM: arm64: mte: Reserve tag storage for virtual machines with MTE · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 33/35] KVM: arm64: mte: Introduce VM_MTE_KVM VMA flag · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 34/35] arm64: mte: Enable dynamic tag storage management · Alexandru Elisei <hidden> · 2024-01-25
[PATCH RFC v3 35/35] HACK! arm64: dts: Add fake tag storage to fvp-base-revc.dts · Alexandru Elisei <hidden> · 2024-01-25
Re: [PATCH RFC v3 00/35] Add support for arm64 MTE dynamic tag storage reuse · Steven Rostedt <rostedt@goodmis.org> · 2024-01-25

STALE847d

Revisions (2)

2023-08-23 rfc [diff vs current]
2024-01-25 v3 current

From: Alexandru Elisei <hidden>
Date: 2024-01-25 16:45:41
Also in: kvmarm, linux-arch, linux-arm-kernel, linux-fsdevel, linux-mm, lkml
Subsystem: arm64 port (aarch64 architecture), the rest · Maintainers: Catalin Marinas, Will Deacon, Linus Torvalds

A page can end up mapped in a MTE enabled VMA without the corresponding tag
storage block reserved. Tag accesses made by ptrace in this case can lead
to the wrong tags being read or memory corruption for the process that is
using the tag storage memory as data.

Reserve tag storage by treating ptrace accesses like a fault.

Signed-off-by: Alexandru Elisei <redacted>
---

Changes since rfc v2:

* New patch, issue reported by Peter Collingbourne.

 arch/arm64/kernel/mte.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c
index faf09da3400a..b1fa02dad4fd 100644
--- a/arch/arm64/kernel/mte.c
+++ b/arch/arm64/kernel/mte.c

@@ -412,10 +412,13 @@ static int __access_remote_tags(struct mm_struct *mm, unsigned long addr,
 	while (len) {
 		struct vm_area_struct *vma;
 		unsigned long tags, offset;
+		unsigned int fault_flags;
+		struct page *page;
+		vm_fault_t ret;
 		void *maddr;
-		struct page *page = get_user_page_vma_remote(mm, addr,
-							     gup_flags, &vma);
 
+get_page:
+		page = get_user_page_vma_remote(mm, addr, gup_flags, &vma);
 		if (IS_ERR(page)) {
 			err = PTR_ERR(page);
 			break;

@@ -433,6 +436,25 @@ static int __access_remote_tags(struct mm_struct *mm, unsigned long addr,
 			put_page(page);
 			break;
 		}
+
+		if (tag_storage_enabled() && !page_tag_storage_reserved(page)) {
+			fault_flags = FAULT_FLAG_DEFAULT | \
+				      FAULT_FLAG_USER | \
+				      FAULT_FLAG_REMOTE | \
+				      FAULT_FLAG_ALLOW_RETRY | \
+				      FAULT_FLAG_RETRY_NOWAIT;
+			if (write)
+				fault_flags |= FAULT_FLAG_WRITE;
+
+			put_page(page);
+			ret = handle_mm_fault(vma, addr, fault_flags, NULL);
+			if (ret & VM_FAULT_ERROR) {
+				err = -EFAULT;
+				break;
+			}
+			goto get_page;
+		}
+
 		WARN_ON_ONCE(!page_mte_tagged(page));
 
 		/* limit access to the end of the page */

-- 
2.43.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help