From: Catalin Marinas
To: Andrey Ryabinin, Andrey Konovalov
Cc: Will Deacon, Vincenzo Frascino, Peter Collingbourne, kasan-dev@googlegroups.com, linux-mm@kvack.org,
linux-arm-kernel@lists.infradead.org
Subject: [PATCH 0/3] kasan: Fix ordering between MTE tag colouring and page->flags
Date: Tue, 17 May 2022 19:09:42 +0100
Message-Id: <20220517180945.756303-1-catalin.marinas@arm.com>

Hi,

That's more of an RFC to get a discussion started. I plan to eventually
apply the third patch reverting the page_kasan_tag_reset() calls under
arch/arm64 since they don't cover all cases (the race is rare and we
haven't hit anything yet but it's possible).

On a system with MTE and KASAN_HW_TAGS enabled, when a page is allocated
kasan_unpoison_pages() sets a random tag and saves it in page->flags so
that page_to_virt() re-creates the correct tagged pointer. We need to
ensure that the in-memory tags are visible before setting the
page->flags:

  P0 (__kasan_unpoison_range):        P1 (access via virt_to_page):
  Wtags=x                             Rflags=x
      |                                   |
      | DMB                               | address dependency
      V                                   V
  Wflags=x                            Rtags=x

The first patch changes the order of page unpoisoning with the tag
storing in page->flags. page_kasan_tag_set() has the right barriers
through try_cmpxchg().

If such a page is mapped in user-space with PROT_MTE, the architecture
code will set the tag to 0 and a subsequent page_to_virt() dereference
will fault. We currently try to fix this by resetting the tag in
page->flags so that it is 0xff (match-all, not faulting).
However, setting the tags and flags can race with another CPU reading
the flags (page_to_virt()) and barriers can't help, e.g.:

  P0 (mte_sync_page_tags):            P1 (memcpy from virt_to_page):
                                      Rflags!=0xff
  Wflags=0xff
  DMB (doesn't help)
  Wtags=0
                                      Rtags=0   // fault

Since clearing the flags in the arch code doesn't work, try to do this
at page allocation time by a new flag added to GFP_USER. Could we
instead add __GFP_SKIP_KASAN_UNPOISON rather than a new flag?

Thanks.

Catalin Marinas (3):
  mm: kasan: Ensure the tags are visible before the tag in page->flags
  mm: kasan: Reset the tag on pages intended for user
  arm64: kasan: Revert "arm64: mte: reset the page tag in page->flags"

 arch/arm64/kernel/hibernate.c |  5 -----
 arch/arm64/kernel/mte.c       |  9 ---------
 arch/arm64/mm/copypage.c      |  9 ---------
 arch/arm64/mm/fault.c         |  1 -
 arch/arm64/mm/mteswap.c       |  9 ---------
 include/linux/gfp.h           | 10 +++++++---
 mm/kasan/common.c             |  3 ++-
 mm/page_alloc.c               |  9 ++++++---
 8 files changed, 15 insertions(+), 40 deletions(-)