Date: Thu, 11 Mar 2021 13:25:10 +0000
From: Catalin Marinas
To: Vincenzo Frascino
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, Andrew Morton, Will Deacon, Dmitry Vyukov, Andrey Ryabinin, Alexander Potapenko, Marco Elver, Evgenii Stepanov, Branislav Rankov, Andrey Konovalov, Lorenzo Pieralisi
Subject: Re: [PATCH v14 8/8] kselftest/arm64: Verify that TCO is enabled in load_unaligned_zeropad()
Message-ID: <20210311132509.GB30821@arm.com>
References: <20210308161434.33424-1-vincenzo.frascino@arm.com> <20210308161434.33424-9-vincenzo.frascino@arm.com>
In-Reply-To: <20210308161434.33424-9-vincenzo.frascino@arm.com>

On Mon, Mar 08, 2021 at 04:14:34PM +0000, Vincenzo Frascino wrote:
> load_unaligned_zeropad() and __get/put_kernel_nofault() functions can
> read past some buffer limits which may include some MTE granule with a
> different tag.
>
> When MTE async mode is enabled, the load operation crosses the boundaries
> and the next granule has a different tag, the PE sets the TFSR_EL1.TF1
> bit as if an asynchronous tag fault has happened:
>
> ==================================================================
> BUG: KASAN: invalid-access
> Asynchronous mode enabled: no access details available
>
> CPU: 0 PID: 1 Comm: init Not tainted 5.12.0-rc1-ge1045c86620d-dirty #8
> Hardware name: FVP Base RevC (DT)
> Call trace:
>  dump_backtrace+0x0/0x1c0
>  show_stack+0x18/0x24
>  dump_stack+0xcc/0x14c
>  kasan_report_async+0x54/0x70
>  mte_check_tfsr_el1+0x48/0x4c
>  exit_to_user_mode+0x18/0x38
>  finish_ret_to_user+0x4/0x15c
> ==================================================================
>
> Verify that Tag Check Override (TCO) is enabled in these functions before
> the load and disable it afterwards to prevent this from happening.
>
> Note: The issue has been observed only with an MTE enabled userspace.

The above bug is all about kernel buffers. While userspace can trigger
the relevant code paths, it should not matter whether the user has MTE
enabled or not. Can you please confirm that you can still trigger the
fault with kernel-mode MTE but non-MTE user-space? If not, we may have a
bug somewhere as the two are unrelated: load_unaligned_zeropad() only
acts on kernel buffers and are subject to the kernel MTE tag check fault
mode.

I don't think we should have a user-space selftest for this. The bug is
not about a user-kernel interface, so an in-kernel test is more
appropriate. Could we instead add this to the kasan tests and call
load_unaligned_zeropad() and other functions directly?

--
Catalin
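
The mechanism in the quoted description, as an added example that is not part of the original message or of the kernel patch: a simplified user-space C model of an asynchronous-mode tag check on a word load that crosses a granule boundary. The struct, the function names, the tag values and the offsets are constructed for illustration; the model assumes every granule touched by the load is checked against the pointer tag.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE 16 /* MTE tag granule size in bytes */

/* Constructed model state; these are not kernel symbols. */
struct mte_model {
    uint8_t mem[4 * GRANULE];
    uint8_t tag[4]; /* allocation tag of each granule */
    bool tco;       /* stands in for PSTATE.TCO */
    bool tf1;       /* stands in for the latched TFSR_EL1.TF1 bit */
};

/* Async-mode 8-byte load: a tag mismatch does not trap, it only latches tf1. */
static uint64_t model_load64(struct mte_model *m, size_t off, uint8_t ptr_tag)
{
    uint64_t v;
    size_t last = (off + sizeof(v) - 1) / GRANULE;

    for (size_t g = off / GRANULE; g <= last; g++)
        if (!m->tco && m->tag[g] != ptr_tag)
            m->tf1 = true;
    memcpy(&v, &m->mem[off], sizeof(v));
    return v;
}

/* Read at `off` through a pointer tagged 0x3. Granule 0 carries tag 0x3 and
 * its neighbours 0x7, so a word load that starts near the end of granule 0
 * spills into a granule with a different tag. Returns the latched bit. */
static bool fault_latched(size_t off, bool use_tco)
{
    struct mte_model m = { .tag = { 0x3, 0x7, 0x7, 0x7 } };

    m.tco = use_tco;            /* set TCO before the load ... */
    (void)model_load64(&m, off, 0x3);
    m.tco = false;              /* ... and clear it afterwards */
    return m.tf1;
}

int main(void)
{
    printf("aligned, no TCO:   %d\n", fault_latched(0, false));
    printf("crossing, no TCO:  %d\n", fault_latched(GRANULE - 3, false));
    printf("crossing, TCO set: %d\n", fault_latched(GRANULE - 3, true));
    return 0;
}
```

The model has no notion of user space at all: the latched bit depends only on the buffer's tags, the pointer tag and the TCO state.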